
Secure your api from basics to beyond


In this presentation, I speak about some basic actions to secure your API. Keeping in mind that an API remains a web application, just without HTML/JavaScript, I do a demo of SQL injection and then quickly review the OWASP Top 10 application security risks. From there I zoom in on authentication, with a focus on OAuth2/OpenID Connect. Moving on to API Management, I take a deeper look at some features that can help us secure our APIs.

Published in: Software

  1. Secure your API: from basics to beyond
  2. Alexandre Faria, @lusoalex, @lusoalex_, https://alexandrefaria.net
  3. API everywhere
  4. Paradigm shift
  5. API as hacking target
  6. Risk exposure
  7. Identity theft
  8. Service unavailable
  9. Embarrassing media coverage
  10. Legal penalties
  11. Basic actions...
  12. HTTPS
  13. TOP 10
  14. OAuth2 / OpenID Connect
  15. Authentication vs Authorization (401 / 403)
  16. Token
  17. #1: Client
  18. #2: Resource Owner
  19. #3: Authorization Server
  20. #4: Resource Server
  21. Server Side: Code (diagram with the Authorization Server): 1: authorization code request; 2: login form; 3: code; 4: Code; 5: Code + client_secret; 6: Token & Refresh Token; 7: sessionId
  22. SPA: Implicit (diagram with the Authorization Server): 1: authorization request; 2: login form; 3: token
  23. Hybrid: Code & Implicit (diagram with the Authorization Server): 1: authorization code request; 2: login form; 3: code + token; 4: Code; 5: Code + client_secret; 6: Token & id_token & Refresh Token; 7: sessionId
  24. Native: Code + PKCE (diagram with the Authorization Server): 1: authorization code request + PKCE; 2: login form; 3: code; 5: Code + PKCE + client_secret; 6: Token & Refresh Token
  25. Server to Server: Client Credentials (diagram with the Authorization Server): 1: authorization request; 2: token
  26. Highly trusted app: Resource Owner Password Credential (diagram with the Authorization Server): 1: authorization request; 2: token
  27. Device (diagram with the Authorization Server): 1: authorization request; 2: verifier code; 3: Code; 4: Authenticate + Code; 5: poll
  28. Client Initiated Backchannel Authentication (diagram with the Authorization Server): 1: authorization request; 2: User validation; 3: Polling token
  29. Weak link?
  30. Symmetric vs Asymmetric: HS vs RSA
  31. redirect_uri
  32. state
  33. logout
  34. How to improve?
  35. API Management
  36. Authorization Server and API Management (diagram, steps 1 to 6)
  37. API Key
  38. Limit (rate/quota)
  39. CORS
  40. Circuit Breaker
  41. A/B Testing
  42. Measure
  43. Take away
  44. Links: ➢ https://jwt.io/ ➢ https://www.owasp.org ➢ https://github.com/lusoalex/talk-api-security ➢ https://github.com/brendan-rius/c-jwt-cracker ➢ https://github.com/ojensen5115/jwtcrack
  45. QUESTIONS?
  46. Photos coming from https://unsplash.com/
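The native-app flow on slide 24 binds the authorization code to the client that requested it through PKCE (RFC 7636): the client sends a SHA-256 code_challenge with the authorization request, then proves possession of the matching code_verifier when it exchanges the code. The following is an added example, not code from the talk or its repository; the `AuthorizationServer` class is a constructed toy that only models the challenge bookkeeping, and the verifier check uses a constant-time comparison.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

def b64url(raw: bytes) -> str:
    # base64url without padding, the encoding RFC 7636 requires for verifier and challenge
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, inside the 43..128 range of RFC 7636
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(code_verifier: str) -> str:
    # S256 method: the challenge is base64url(SHA-256(code_verifier))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Constructed toy authorization server: it keeps the challenge next to the code it
    issued (step 3 on the slide) and checks the verifier at the code exchange (step 5)."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # issued code -> code_challenge it was bound to

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # step 1: the authorization request carries the challenge (login form of step 2 is skipped)
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' exposes the verifier to whoever sees the request")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code  # step 3: code handed back to the client

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        expected = self._pending.pop(code, None)  # a code is single use: a replay finds nothing
        if expected is None:
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), expected):
            return None  # whoever holds only the code, not the verifier, cannot finish step 5
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}  # step 6

def native_app_flow(server: AuthorizationServer,
                    verifier_at_exchange: Optional[str] = None) -> Tuple[str, Optional[dict]]:
    """Client side of the flow; returns (code, token). Passing a different verifier_at_exchange
    models a party that obtained the code but never had the original verifier."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    token = server.token(code, verifier_at_exchange or verifier)
    return code, token
```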
