SlideShare a Scribd company logo
1 of 32
Download to read offline
Best Practices You Must Apply to
Secure Your APIs
K. Scott Morrison
SVP and Distinguished Engineer
© 2014 CA. ALL RIGHTS RESERVED.
Here Is What This Talk Is About:
 The new API threat
– …and the potential rise of the hacker-robber-baron
 Are APIs just like the Web? Or are they different?
– Look at three important areas:
1. Parameterization
2. Identity
3. Cryptography
 How to apply the lessons of this talk
© 2014 CA. ALL RIGHTS RESERVED.
What is an API?
Web App
API Server
Web Client
Mobile App
An API is a RESTful
service
© 2014 CA. ALL RIGHTS RESERVED.
For Example:
GET http://services.layer7.com/staff/Scott
© 2014 CA. ALL RIGHTS RESERVED.
For Example:
{
"firstName": ”Scott",
"lastName" : ”Morrison",
”title" : “CTO”,
"address" :
{
"streetAddress": ”405-1100 Melville",
"city" : ”Vancouver",
”prov" : ”BC",
"postalCode" : ”V6E 4A6"
},
"phoneNumber":
[
{
"type" : ”office",
"number": ”605 681-9377"
},
{
"type" : ”home",
"number": ”604 555-4567"
}
]
}
http://services.layer7.com/staff/Scott
© 2014 CA. ALL RIGHTS RESERVED.
“Sounds great. So what’s the problem?”
API Development !=
Web Development
In Particular:
We need to be wary of bad web
development practices migrating
to APIs…
© 2014 CA. ALL RIGHTS RESERVED.
Problem Area #1: API Parameterization
 In the traditional web world, parameterization was limited
and indirect
– Subject to the capabilities of URLs and forms
 APIs in contrast and offer much more explicit
parameterization
– The full power of RESTful design: GET, POST, PUT, DELETE
 (And don’t stop there… what about effects of HEAD, etc)?
 This creates a greater potential attack surface
– Injection, bounds, correlation, and so on
© 2014 CA. ALL RIGHTS RESERVED.
Good Web Apps Constrain
HTTP Server
App Server
Database
Web Client
Objects
Pages
Constraint
Space
Records
© 2014 CA. ALL RIGHTS RESERVED.
APIs Are A More Direct Conduit
HTTP Server
App Server
Database
App
Objects
Often:
• Self-documenting
• Closely mapped to object space,
data structure, etc
APIs can leak
information
© 2014 CA. ALL RIGHTS RESERVED.
APIs Also Increase
Attack Surface
© 2014 CA. ALL RIGHTS RESERVED.
Attacker
Web App Server
(browser+APIs)
Victim: Web
Browser
Client
<SCRIPT …>
1. API injects
script in
3. Browser loads
content with
embedded script
2. Server fails to
perform FIEO: Filter
Input, Escape Output
API
Script Insertion is Just One Potential Exploit
© 2014 CA. ALL RIGHTS RESERVED.
SQL Injection is Another
Source: https://xkcd.com/327/
Exploits of a Mom
© 2014 CA. ALL RIGHTS RESERVED.
Mitigation Strategy
 Rigorous validation of consumer supplied inputs – and API
output!
– Stronger typing
– Sets and ranges
– Avoid auto-generated schemas that make everything a string
 Use schema validation
– XML Schema, RELAX-NG, Schematron – Pick your poison
 Please no DTDs!
– JSON schema validation
– Return of IDLs: WADL, RAML, Swagger, etc
 Be strict with handling Content-Type and Accept headers
Constrain by Default
© 2014 CA. ALL RIGHTS RESERVED.
Mitigation Strategy (cont.)
 Regex scanning for signatures
 Tune patterns for the API
– Sometimes SELECT is OK
 Virus scanning of attachments
– Don’t forget B64’d message content
 Constrain HTTP methods
– Does your API need HEAD?
 Constrain URI context
– Don’t let people get creative and fuzz URIs
– Authorize templates
 Don’t treat APIs in isolation
– HTTP may be stateless, but your call sequence may not be
 Beware of dangerous hidden shortcuts in the later
© 2014 CA. ALL RIGHTS RESERVED.
Mitigation Strategy (cont.)
 Whitelist tags if you can (i.e. where the validation space is
small and concise)
– Not always practical
– (Note that I’m referring to whitelisting tags not IPs.)
 Blacklist dangerous tags like <SCRIPT>
 Always perform FIEO (Filter Input, Escape Output)
 Watch for generalized parameter fuzzing
– This is a trend—not an event!
 Be careful with error messages and leakage
– Don’t reveal too much info
© 2014 CA. ALL RIGHTS RESERVED.
Problem Area #2: Identity
 We had it surprisingly good in the Web world
– Browser session usually tied to human
– Dealing with one identity is not so tough
 Security tokens abound, but solutions are mature
– Username/pass, x.509 certs, multi-factor, Kerberos, SAML, etc
– APIs rapidly becoming more difficult
 Non-human entities
 Multiple layers of relevant identities
– Me, my attributes, my phone, my developer, my provider…
© 2014 CA. ALL RIGHTS RESERVED.
API Keys
“An application programing interface key (API key) is a code
generated by websites that allow users to access their
application programming interface. API keys are used to track
how the API is being used in order to prevent malicious use or
abuse of the terms of service.
API keys are based on the UUID system to ensure they will be
unique to each user.”
(Source: wikipedia http://en.wikipedia.org/wiki/Application_programming_interface_key )
© 2014 CA. ALL RIGHTS RESERVED.
For Example:
GET http://example.layer7.com/services/staff
?APIKey=15458617-7813-4a37-94ac-a8e6da6f6405
Seriously? WTF.
© 2014 CA. ALL RIGHTS RESERVED.
How Does An API Key Map To Identity?
15458617-7813-4a37-94ac-a8e6da6f6405
A
A person?
Or an app?
It is entirely inconsistent
© 2014 CA. ALL RIGHTS RESERVED.
Bottom Line: The API Key Was Never Meant To Be
Authoritative
 Strange hybrid of HTTP’s USER-AGENT and session continuity
 OK only for general tracking
 Anything that matters should use real security tokens
– Anywhere where identity is important:
 APIs that provide access to sensitive data
 APIs that change things that matter
 APIs that charge for use
 etc.
© 2014 CA. ALL RIGHTS RESERVED.
Mitigation
© 2014 CA. ALL RIGHTS RESERVED.
The Identity Profile
Increasingly we need to move toward large number of claims
(multiple identity profile)
• appID
• userID
• deviceID
• User attributes
• Roles
• Geo location
• IP
• User agent
• Time of day
• etc
© 2014 CA. ALL RIGHTS RESERVED.
Mitigation (cont.)
 Protect the tokens!
 HTTPS everywhere
– This is another web design cultural issue
– It’s just not that expensive any more
 OAuth for people
 APIKeys for apps
– Assume this is non-authoritative
 Consider behavioral identification of apps
– Apps are rigid in their API flow
Important!
© 2014 CA. ALL RIGHTS RESERVED.
Problem Area #3: Cryptography and PKI
 Cryptography is reasonably mature on the web
– Surprisingly limited use patterns
– SSL/TLS
– Very little tough PKI (like client-side)
 So what’s wrong with APIs?
© 2014 CA. ALL RIGHTS RESERVED.
It’s Like We Forgot Everything We Knew
 Emailing keys
– API, shared secrets, etc.
 Bad storage schemes
– Security through obscurity
– Toy ciphers
 No life cycle management
– Limits on use
– Time limits
– Revocation
– Audit
© 2014 CA. ALL RIGHTS RESERVED.
The Issues
 Key management
– Across server farms, across client devices
 Nobody takes web PKI seriously
– CRLs and OCSP aren’t much good in the browser world
 Fail open—seriously
 CA trust breakdown
– Indian NIC issue July 2014
 Subordinate CA issued fraudulent Google and Yahoo certs
© 2014 CA. ALL RIGHTS RESERVED.
The Issues (cont.)
 Cipher suite restrictions
– Avoiding downgrades
 Client-side certificate authentication is hard
 The alternatives for parameter confidentiality and/or integrity
are hard:
– XML encryption is still there
 Not for the faint of heart
– OAuth 1.0 gave you parameter signing
 Only optional in 2.0
– JWT signing and encryption emerging
© 2014 CA. ALL RIGHTS RESERVED.
SSL Everywhere
(it’s cheap)
© 2014 CA. ALL RIGHTS RESERVED.
Mitigations
 Use real PKI
– I know it’s painful
 Use HSMs to protect keys that really matter
 Recognize OAuth limitations in browser-resident JavaScript
apps
– No shared secrets
– Stuck with OAuth 2.0 implicit grant
 Otherwise use real key material protection schemes
– PKCS #12, etc
– Libraries abound
 You must do CRLs and OCSP for APIs
© 2014 CA. ALL RIGHTS RESERVED.
Where Does This All Leave Us?
 SOAP, the WS-* stack dealt with much of this very rigorously
– But it was just too hard.
 We need to learn from this, but make it easier to implement
 Here’s how…
© 2014 CA. ALL RIGHTS RESERVED.
How Do I Apply This Today?
 Use SSL for all API transactions
– Hides many sins
 Confidentiality, integrity, replay, binding token+message, server
authentication, etc.
 Use real PKI
– Yes, it’s hard
– But you can’t skimp here
 Use OAuth for distributed authentication
 Validate all data going in and out of an API
 Use real frameworks, don’t reinvent
SVP and Distinguished Engineer
Scott.Morrison@ca.com
@KScottMorrison
http://KScottMorrison.com
linkedin.com/KScottMorrison
ca.com
K. Scott Morrison

More Related Content

What's hot

Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...apidays
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)Nordic APIs
 
The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)Nordic APIs
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API CommunitiesAkana
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseAkana
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays
 
What is API - Understanding API Simplified
What is API - Understanding API SimplifiedWhat is API - Understanding API Simplified
What is API - Understanding API SimplifiedJubin Aghara
 
API Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureAPI Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureApigee | Google Cloud
 
The API Facade Pattern: Common Patterns - Episode 2
The API Facade Pattern: Common Patterns - Episode 2The API Facade Pattern: Common Patterns - Episode 2
The API Facade Pattern: Common Patterns - Episode 2Apigee | Google Cloud
 
API 101 - Understanding APIs
API 101 - Understanding APIsAPI 101 - Understanding APIs
API 101 - Understanding APIs3scale
 
Visbility at the Edge - Deep Insights from Your API
 Visbility at the Edge - Deep Insights from Your API Visbility at the Edge - Deep Insights from Your API
Visbility at the Edge - Deep Insights from Your APIApigee | Google Cloud
 
Who Cares About APIs? (NordicAPIS April 2014)
Who Cares About APIs? (NordicAPIS April 2014)Who Cares About APIs? (NordicAPIS April 2014)
Who Cares About APIs? (NordicAPIS April 2014)Nordic APIs
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopApigee | Google Cloud
 

What's hot (20)

Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
Public API
Public APIPublic API
Public API
 
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
 
Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)
 
The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
 
What is API - Understanding API Simplified
What is API - Understanding API SimplifiedWhat is API - Understanding API Simplified
What is API - Understanding API Simplified
 
API Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureAPI Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise Infrastructure
 
The API Facade Pattern: Common Patterns - Episode 2
The API Facade Pattern: Common Patterns - Episode 2The API Facade Pattern: Common Patterns - Episode 2
The API Facade Pattern: Common Patterns - Episode 2
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
 
API 101 - Understanding APIs
API 101 - Understanding APIsAPI 101 - Understanding APIs
API 101 - Understanding APIs
 
Visbility at the Edge - Deep Insights from Your API
 Visbility at the Edge - Deep Insights from Your API Visbility at the Edge - Deep Insights from Your API
Visbility at the Edge - Deep Insights from Your API
 
API Trends: What to expect in 2012
API Trends: What to expect in 2012API Trends: What to expect in 2012
API Trends: What to expect in 2012
 
Who Cares About APIs? (NordicAPIS April 2014)
Who Cares About APIs? (NordicAPIS April 2014)Who Cares About APIs? (NordicAPIS April 2014)
Who Cares About APIs? (NordicAPIS April 2014)
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
 

Viewers also liked

Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
OpenID Authentication by example
OpenID Authentication by exampleOpenID Authentication by example
OpenID Authentication by exampleChris Vertonghen
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...Brian Campbell
 

Viewers also liked (7)

Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OpenID Authentication by example
OpenID Authentication by exampleOpenID Authentication by example
OpenID Authentication by example
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 

Similar to Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Distinguished Engineer, CA Technologies @ Cloud Identity Summit

CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall42Crunch
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs💻 Javier Garza
 
2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right WayAPIsecure_ Official
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwasN6
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA Technologies
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)BAKOTECH
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityOry Segal
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices SecurityBertrand Carlier
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 

Similar to Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Distinguished Engineer, CA Technologies @ Cloud Identity Summit (20)

CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
 
2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application Security
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 

More from CA API Management

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management
 

More from CA API Management (20)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
 

Recently uploaded

SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 

Recently uploaded (20)

SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Distinguished Engineer, CA Technologies @ Cloud Identity Summit

  • 1. Best Practices You Must Apply to Secure Your APIs K. Scott Morrison SVP and Distinguished Engineer
  • 2. © 2014 CA. ALL RIGHTS RESERVED. Here Is What This Talk Is About:  The new API threat – …and the potential rise of the hacker-robber-baron  Are APIs just like the Web? Or are they different? – Look at three important areas: 1. Parameterization 2. Identity 3. Cryptography  How to apply the lessons of this talk
  • 3. © 2014 CA. ALL RIGHTS RESERVED. What is an API? Web App API Server Web Client Mobile App An API is a RESTful service
  • 4. © 2014 CA. ALL RIGHTS RESERVED. For Example: GET http://services.layer7.com/staff/Scott
  • 5. © 2014 CA. ALL RIGHTS RESERVED. For Example: { "firstName": ”Scott", "lastName" : ”Morrison", ”title" : “CTO”, "address" : { "streetAddress": ”405-1100 Melville", "city" : ”Vancouver", ”prov" : ”BC", "postalCode" : ”V6E 4A6" }, "phoneNumber": [ { "type" : ”office", "number": ”605 681-9377" }, { "type" : ”home", "number": ”604 555-4567" } ] } http://services.layer7.com/staff/Scott
  • 6. © 2014 CA. ALL RIGHTS RESERVED. “Sounds great. So what’s the problem?” API Development != Web Development In Particular: We need to be wary of bad web development practices migrating to APIs…
  • 7. © 2014 CA. ALL RIGHTS RESERVED. Problem Area #1: API Parameterization  In the traditional web world, parameterization was limited and indirect – Subject to the capabilities of URLs and forms  APIs in contrast and offer much more explicit parameterization – The full power of RESTful design: GET, POST, PUT, DELETE  (And don’t stop there… what about effects of HEAD, etc)?  This creates a greater potential attack surface – Injection, bounds, correlation, and so on
  • 8. © 2014 CA. ALL RIGHTS RESERVED. Good Web Apps Constrain HTTP Server App Server Database Web Client Objects Pages Constraint Space Records
  • 9. © 2014 CA. ALL RIGHTS RESERVED. APIs Are A More Direct Conduit HTTP Server App Server Database App Objects Often: • Self-documenting • Closely mapped to object space, data structure, etc APIs can leak information
  • 10. © 2014 CA. ALL RIGHTS RESERVED. APIs Also Increase Attack Surface
  • 11. © 2014 CA. ALL RIGHTS RESERVED. Attacker Web App Server (browser+APIs) Victim: Web Browser Client <SCRIPT …> 1. API injects script in 3. Browser loads content with embedded script 2. Server fails to perform FIEO: Filter Input, Escape Output API Script Insertion is Just One Potential Exploit
  • 12. © 2014 CA. ALL RIGHTS RESERVED. SQL Injection is Another Source: https://xkcd.com/327/ Exploits of a Mom
  • 13. © 2014 CA. ALL RIGHTS RESERVED. Mitigation Strategy  Rigorous validation of consumer supplied inputs – and API output! – Stronger typing – Sets and ranges – Avoid auto-generated schemas that make everything a string  Use schema validation – XML Schema, RELAX-NG, Schematron – Pick your poison  Please no DTDs! – JSON schema validation – Return of IDLs: WADL, RAML, Swagger, etc  Be strict with handling Content-Type and Accept headers Constrain by Default
  • 14. © 2014 CA. ALL RIGHTS RESERVED. Mitigation Strategy (cont.)  Regex scanning for signatures  Tune patterns for the API – Sometimes SELECT is OK  Virus scanning of attachments – Don’t forget B64’d message content  Constrain HTTP methods – Does your API need HEAD?  Constrain URI context – Don’t let people get creative and fuzz URIs – Authorize templates  Don’t treat APIs in isolation – HTTP may be stateless, but your call sequence may not be  Beware of dangerous hidden shortcuts in the later
  • 15. © 2014 CA. ALL RIGHTS RESERVED. Mitigation Strategy (cont.)  Whitelist tags if you can (i.e. where the validation space is small and concise) – Not always practical – (Note that I’m referring to whitelisting tags not IPs.)  Blacklist dangerous tags like <SCRIPT>  Always perform FIEO (Filter Input, Escape Output)  Watch for generalized parameter fuzzing – This is a trend—not an event!  Be careful with error messages and leakage – Don’t reveal too much info
  • 16. © 2014 CA. ALL RIGHTS RESERVED. Problem Area #2: Identity  We had it surprisingly good in the Web world – Browser session usually tied to human – Dealing with one identity is not so tough  Security tokens abound, but solutions are mature – Username/pass, x.509 certs, multi-factor, Kerberos, SAML, etc – APIs rapidly becoming more difficult  Non-human entities  Multiple layers of relevant identities – Me, my attributes, my phone, my developer, my provider…
  • 17. © 2014 CA. ALL RIGHTS RESERVED. API Keys “An application programing interface key (API key) is a code generated by websites that allow users to access their application programming interface. API keys are used to track how the API is being used in order to prevent malicious use or abuse of the terms of service. API keys are based on the UUID system to ensure they will be unique to each user.” (Source: wikipedia http://en.wikipedia.org/wiki/Application_programming_interface_key )
  • 18. © 2014 CA. ALL RIGHTS RESERVED. For Example: GET http://example.layer7.com/services/staff ?APIKey=15458617-7813-4a37-94ac-a8e6da6f6405 Seriously? WTF.
  • 19. © 2014 CA. ALL RIGHTS RESERVED. How Does An API Key Map To Identity? 15458617-7813-4a37-94ac-a8e6da6f6405 A A person? Or an app? It is entirely inconsistent
  • 20. © 2014 CA. ALL RIGHTS RESERVED. Bottom Line: The API Key Was Never Meant To Be Authoritative  Strange hybrid of HTTP’s USER-AGENT and session continuity  OK only for general tracking  Anything that matters should use real security tokens – Anywhere where identity is important:  APIs that provide access to sensitive data  APIs that change things that matter  APIs that charge for use  etc.
  • 21. © 2014 CA. ALL RIGHTS RESERVED. Mitigation
  • 22. © 2014 CA. ALL RIGHTS RESERVED. The Identity Profile Increasingly we need to move toward large number of claims (multiple identity profile) • appID • userID • deviceID • User attributes • Roles • Geo location • IP • User agent • Time of day • etc
  • 23. © 2014 CA. ALL RIGHTS RESERVED. Mitigation (cont.)  Protect the tokens!  HTTPS everywhere – This is another web design cultural issue – It’s just not that expensive any more  OAuth for people  APIKeys for apps – Assume this is non-authoritative  Consider behavioral identification of apps – Apps are rigid in their API flow Important!
  • 24. © 2014 CA. ALL RIGHTS RESERVED. Problem Area #3: Cryptography and PKI  Cryptography is reasonably mature on the web – Surprisingly limited use patterns – SSL/TLS – Very little tough PKI (like client-side)  So what’s wrong with APIs?
  • 25. © 2014 CA. ALL RIGHTS RESERVED. It’s Like We Forgot Everything We Knew  Emailing keys – API, shared secrets, etc.  Bad storage schemes – Security through obscurity – Toy ciphers  No life cycle management – Limits on use – Time limits – Revocation – Audit
  • 26. © 2014 CA. ALL RIGHTS RESERVED. The Issues  Key management – Across server farms, across client devices  Nobody takes web PKI seriously – CRLs and OCSP aren’t much good in the browser world  Fail open—seriously  CA trust breakdown – Indian NIC issue July 2014  Subordinate CA issued fraudulent Google and Yahoo certs
  • 27. © 2014 CA. ALL RIGHTS RESERVED. The Issues (cont.)  Cipher suite restrictions – Avoiding downgrades  Client-side certificate authentication is hard  The alternatives for parameter confidentiality and/or integrity are hard: – XML encryption is still there  Not for the faint of heart – OAuth 1.0 gave you parameter signing  Only optional in 2.0 – JWT signing and encryption emerging
  • 28. © 2014 CA. ALL RIGHTS RESERVED. SSL Everywhere (it’s cheap)
  • 29. © 2014 CA. ALL RIGHTS RESERVED. Mitigations  Use real PKI – I know it’s painful  Use HSMs to protect keys that really matter  Recognize OAuth limitations in browser-resident JavaScript apps – No shared secrets – Stuck with OAuth 2.0 implicit grant  Otherwise use real key material protection schemes – PKCS #12, etc – Libraries abound  You must do CRLs and OCSP for APIs
  • 30. © 2014 CA. ALL RIGHTS RESERVED. Where Does This All Leave Us?  SOAP, the WS-* stack dealt with much of this very rigorously – But it was just too hard.  We need to learn from this, but make it easier to implement  Here’s how…
  • 31. © 2014 CA. ALL RIGHTS RESERVED. How Do I Apply This Today?  Use SSL for all API transactions – Hides many sins  Confidentiality, integrity, replay, binding token+message, server authentication, etc.  Use real PKI – Yes, it’s hard – But you can’t skimp here  Use OAuth for distributed authentication  Validate all data going in and out of an API  Use real frameworks, don’t reinvent
  • 32. SVP and Distinguished Engineer Scott.Morrison@ca.com @KScottMorrison http://KScottMorrison.com linkedin.com/KScottMorrison ca.com K. Scott Morrison

Editor's Notes

  1. Spoke with Ramon Kirkan yesterday. Sometimes its OK to not decouple. Ask app what it wants to be
  2. Note use of “users” here