Open APIs: Security for Mobile and the Cloud

A look at what’s driving new Internet-facing organizations to open up information through APIs and the implications for application security.

Transcript

  • 1. Open APIs: Security for Mobile and the Cloud. Caleb Sima, EIR, Andreessen Horowitz. February 27, 2012
  • 2. My Perspective: Entrepreneur in Residence, Andreessen Horowitz; CEO, Armorize Technologies; CTO, Application Security, HP; CTO & Co-Founder, SPI Dynamics; Internet Security Systems
  • 3. API Growth: The VC Perspective
  • 4. What’s Driving API Growth? APIs are often driven by business interests instead of by IT.
  • 5. The Emergence of Legacy Systems on the Internet: introduces new risk profiles.
  • 6. Four Major Issues: Credentials and Authentication; Access Control and Authorization; Validation of Inputs; Misconfiguration.
  • 7. Overly Granular Application API (diagram: a spectrum from insecure to more secure).
  • 8. Normal WebApp: One Request, One API. Post to Register.aspx with the following data: Email=csima%40a16z.com&UserName=csima&Password=reallyhardpassword&ConfirmPassword=reallyhardpassword&Captcha=hatmals
  • 9. With Ajax, multiple requests = multiple inputs = bigger attack surface: CheckUsername(csima), ValidateEmail(csima@a16z.com), CheckCaptcha(hatmals) (*Demo), Search, then final submission of all data to the server. Each per-field call is a separately reachable input that can be probed on its own, without the rest of the form.
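The contrast between slides 8 and 9 in code, as an added example (not from the deck): the same registration flow once as a single POST and once decomposed into per-field Ajax checks. Two of the granular checks become oracles: CheckUsername answers "does this account exist?" for any name, and a CheckCaptcha that verifies without consuming the puzzle can be guessed at indefinitely. The account set, the captcha store and the hardened variant are all invented for illustration.

```python
"""Two shapes of the registration flow from slides 8 and 9: one monolithic
POST versus the Ajax decomposition into per-field checks. Each granular
check is a separately reachable input, and two of them behave as oracles.
Added example, not from the slide deck; the account set, captcha store and
the hardened variant are invented for illustration."""

import secrets

# Constructed sample data: accounts that already exist.
USERS = {"csima", "alice"}


# --- Design 1: one request, one API (slide 8) --------------------------------

def register_monolithic(captchas, session, form):
    """Validate everything in one place. The captcha is consumed on every
    attempt, right or wrong, and all failures give the same generic error,
    so neither the captcha nor the username list can be probed piecemeal."""
    expected = captchas.pop(session, None)             # single use
    ok = (
        expected is not None
        and secrets.compare_digest(form.get("Captcha", ""), expected)
        and "@" in form.get("Email", "")
        and form.get("UserName", "") not in USERS
        and form.get("Password", "") != ""
        and form.get("Password") == form.get("ConfirmPassword")
    )
    if not ok:
        return {"status": 400, "error": "registration failed"}
    USERS.add(form["UserName"])
    return {"status": 201}


# --- Design 2: Ajax, one endpoint per field (slide 9) ------------------------

def check_username(name):
    """Friendly 'username taken' feedback, and a username enumeration oracle."""
    return {"available": name not in USERS}


def validate_email(email):
    return {"valid": "@" in email}


def check_captcha(captchas, session, answer):
    """Verifies without consuming: the same puzzle can be guessed forever."""
    return {"correct": captchas.get(session) == answer}


def check_captcha_hardened(captchas, session, answer):
    """Hardened variant (assumed fix, not from the deck): a wrong answer burns
    the puzzle, so the endpoint gives away no more than the monolithic one."""
    expected = captchas.get(session)
    if expected is not None and secrets.compare_digest(answer, expected):
        return {"correct": True}
    captchas.pop(session, None)
    return {"correct": False}


# --- What the extra endpoints give an attacker -------------------------------

def enumerate_users(candidates):
    """Harvest existing account names through check_username alone."""
    return [c for c in candidates if not check_username(c)["available"]]


def bruteforce_captcha(check, captchas, session, wordlist):
    """Guess the captcha through whichever check endpoint is exposed."""
    for guess in wordlist:
        if check(captchas, session, guess)["correct"]:
            return guess
    return None


if __name__ == "__main__":
    print(enumerate_users(["csima", "bob", "alice"]))            # ['csima', 'alice']
    print(bruteforce_captcha(check_captcha, {"s": "hatmals"}, "s",
                             ["cat", "dog", "hatmals"]))          # hatmals
    print(bruteforce_captcha(check_captcha_hardened, {"s": "hatmals"}, "s",
                             ["cat", "dog", "hatmals"]))          # None
```

The granular endpoints are not wrong in themselves; the point is that every one of them needs the same rate limiting, single-use tokens and non-revealing responses that the monolithic handler got for free by validating everything in one request.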
  • 10. Exposed Administrative API (diagram: intended use vs. malicious use).
  • 11. What is wrong with this code? Real-world application using Microsoft’s framework.
  • 12. A Best Practice: Decouple Security from the App. Separation of concerns between the developer and the security admin.
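Slides 10 and 12 together, as an added example that is not code from the deck: handlers contain no authorization logic; a policy table owned by the security admin declares which roles may reach which route, and one dispatcher enforces it, default deny, before any handler runs. The administrative endpoint of slide 10 is reachable only by the role the policy names, and an endpoint a developer wires up without a policy entry is unreachable rather than exposed. Route paths, roles, the token store and the account list are all invented for illustration.

```python
"""Added example for slides 10 and 12 (not code from the deck): handlers hold
no authorization logic; a policy table owned by the security admin declares
which roles may reach which route, and a single dispatcher enforces it with
default deny before any handler runs. Route paths, roles, the token store
and the account list are invented for illustration."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Request:
    path: str
    token: Optional[str] = None
    params: dict = field(default_factory=dict)


# Constructed sample data.
ACCOUNTS = {"alice", "bob", "carol"}
TOKENS = {                                  # bearer token -> (user, roles)
    "tok-admin": ("alice", {"user", "admin"}),
    "tok-user": ("bob", {"user"}),
}


# --- Application code: written by developers, no security checks inside -----

def list_products(req, user):
    return {"status": 200, "products": ["widget", "gadget"]}


def whoami(req, user):
    return {"status": 200, "user": user}


def delete_account(req, user):
    """The administrative API of slide 10: intended for operators only."""
    ACCOUNTS.discard(req.params.get("name"))
    return {"status": 200}


def dump_state(req, user):
    """A debugging endpoint a developer wired up but never registered in POLICY."""
    return {"status": 200, "accounts": sorted(ACCOUNTS), "tokens": TOKENS}


ROUTES = {
    "/api/products": list_products,
    "/api/whoami": whoami,
    "/admin/accounts/delete": delete_account,
    "/admin/debug/dump": dump_state,
}


# --- Security configuration: owned by the security admin, not the developer --

POLICY = {                                  # path -> roles allowed to call it
    "/api/products": {"anonymous", "user", "admin"},
    "/api/whoami": {"user", "admin"},
    "/admin/accounts/delete": {"admin"},
    # "/admin/debug/dump" is deliberately absent: unlisted routes are unreachable.
}


def authenticate(token):
    """Map a bearer token to (user, roles). Missing or unknown token is anonymous."""
    return TOKENS.get(token, (None, {"anonymous"}))


def dispatch(req):
    """The only place authorization happens; runs before every handler."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return {"status": 404}
    allowed = POLICY.get(req.path)
    if allowed is None:
        return {"status": 403, "error": "no policy for route"}   # default deny
    user, roles = authenticate(req.token)
    if not roles & allowed:
        return {"status": 401 if user is None else 403}
    return handler(req, user)


if __name__ == "__main__":
    print(dispatch(Request("/api/products")))                                            # 200
    print(dispatch(Request("/admin/accounts/delete", "tok-user", {"name": "carol"})))    # 403
    print(dispatch(Request("/admin/accounts/delete", "tok-admin", {"name": "carol"})))   # 200
    print(dispatch(Request("/admin/debug/dump", "tok-admin")))                           # 403
```

The developer adds routes to ROUTES; the security admin decides in POLICY who may call them. Because an entry missing from POLICY denies rather than allows, forgetting to register a new administrative endpoint fails closed, which is the misconfiguration case from slide 6 handled by design rather than by review.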
  • 13. For further information: February 2012