
Secure your api - from basics to beyond


In this presentation, I speak about some basic actions to secure your API. Keeping in mind that an API remains a web application, without HTML/JavaScript, I will do a demo of SQL injection and then quickly review the OWASP Top 10 application security risks. From there I zoom in on authentication, with a focus on OAuth2/OpenID Connect. Stepping to API Management, I deep dive on some features that can help us to secure our APIs.

Published in: Software

  1. Secure your API: From basics to beyond (2019 September)
  2. Alexandre Faria @lusoalex @lusoalex_ https://alexandrefaria.net
  3. API everywhere
  4. Paradigm shift
  5. API as hacking target
  6. Risk exposure
  7. Identity theft
  8. Service unavailable
  9. Embarrassing media coverage
  10. Legal penalties
  11. Basic actions...
  12. HTTPS
  13. Header
  14. Source code
  15. TOP 10
  16. Identity Providers / Web Application Firewall / API Management
  17. Authentication vs Authorization (401 / 403)
  18. FIDO
  19. CAPTCHA
  20. OAuth2 / OpenID Connect
  21. Token
  22. #1: Client
  23. #2: Resource Server
  24. #3: Resource Owner
  25. #4: Authorization Server
  26. Server Side: Code (with the Authorization Server): 1: authorization code request; 2: login form; 3: code; 4: Code; 5: Code + client_secret; 6: Token & Refresh Token; 7: sessionId
  27. Native: Code + PKCE (with the Authorization Server): 1: authorization code request + PKCE; 2: login form; 3: code; 5: Code + PKCE + client_secret; 6: Token & Refresh Token
  28. SPA: Implicit (DEPRECATED) (with the Authorization Server): 1: authorization request; 2: login form; 3: token
  29. Hybrid: Code & Implicit (with the Authorization Server): 1: authorization code request; 2: login form; 3: code + token; 4: Code; 5: Code + client_secret; 6: Token & id_token & Refresh Token; 7: sessionId
  30. Server to Server: Client Credentials (with the Authorization Server): 1: authorization request; 2: token
  31. Highly trusted app: Resource Owner Password Credential (with the Authorization Server): 1: authorization request; 2: token
  32. Device (with the Authorization Server): 1: authorization request; 2: verifier code; 3: Code; 4: Authenticate + Code; 5: poll
  33. Client Initiated Backchannel Authentication (OpenID DRAFT) (with the Authorization Server): 1: authorization request; 2: User validation; 3: Polling token
  34. Native SSO (OpenID DRAFT) (with the Authorization Server): 1: code+PKCE flow (device_sso scope); 2: login form; 3: code; 5: Code + PKCE + client_secret; 6: Tokens & device_secret; 7: id_token + client_id + device_secret
  35. Weak link?
  36. Symmetric vs Asymmetric (HS vs RSA)
  37. redirect_uri
  38. state
  39. logout
  40. How to improve?
  41. Issuer
  42. scope
  43. audience
  44. API Management
  45. Authorization Server / API Management (diagram steps 1 to 6)
  46. API Key
  47. Limit (rate/quota)
  48. CORS
  49. Circuit Breaker
  50. A/B Testing
  51. Measure
  52. Take away
  53. ➢ https://jwt.io/ ➢ https://www.owasp.org ➢ https://github.com/lusoalex/talk-api-security ➢ https://github.com/brendan-rius/c-jwt-cracker ➢ https://github.com/ojensen5115/jwtcrack ➢ https://medium.com/decathlondevelopers/api-security-e4800de36ce
  54. QUESTIONS?
  55. Photos coming from https://unsplash.com/
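The "Native: Code + PKCE" flow on slide 27, together with the redirect_uri and state weak links on slides 37 and 38, is easiest to understand as running code. The following is an added example written for this page, not code from the talk or from the linked talk-api-security repository. It simulates both sides of the exchange in memory: the client generates a code_verifier and its S256 code_challenge plus a random state, the authorization server binds the issued code to the client, the registered redirect_uri and the challenge, and the token endpoint only releases a token when the client secret, the redirect_uri and the PKCE verifier all match. The client registry, the client_id "app", the secret and the redirect URI are constructed values; the one fixed verifier/challenge pair used in the lead-in's checks is the published RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import secrets

# --- shared helpers (RFC 7636, method S256) ---

def b64url(raw: bytes) -> str:
    """Base64url without padding, as OAuth and JOSE encode binary values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 base64url chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# --- authorization server side (toy, in-memory) ---

class AuthorizationServer:
    def __init__(self, clients):
        # clients: {client_id: {"secret": str, "redirect_uris": [str, ...]}}, a constructed registry
        self.clients = clients
        self.pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, state, code_challenge, method="S256"):
        """Steps 1 to 3: validate the request (user login simulated), return the code and echo state."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        if redirect_uri not in client["redirect_uris"]:
            # exact match against the registered list; no prefix or wildcard matching
            raise ValueError("redirect_uri not registered")
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' exposes the verifier")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, redirect_uri, code_challenge)
        return code, state

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Steps 5 and 6: code + PKCE verifier + client_secret in, token out."""
        entry = self.pending.pop(code, None)  # a code is single-use
        if entry is None:
            raise ValueError("invalid, expired or already used code")
        bound_client, bound_uri, challenge = entry
        client = self.clients[bound_client]
        if bound_client != client_id or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        if bound_uri != redirect_uri:
            raise ValueError("redirect_uri differs from the authorization request")
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


# --- native client side ---

def run_native_flow(server, client_id, client_secret, redirect_uri,
                    wrong_verifier=False, injected_state=None):
    """Complete code + PKCE flow; the two flags simulate responses a client must reject."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)  # ties the redirect back to this request
    code, returned_state = server.authorize(client_id, redirect_uri, state, challenge)
    if injected_state is not None:
        returned_state = injected_state  # a redirect that did not originate from this client
    if not secrets.compare_digest(returned_state, state):
        raise ValueError("state mismatch: discard the response")
    presented = "not-the-verifier" if wrong_verifier else verifier
    return server.token(client_id, client_secret, code, redirect_uri, presented)


def outcome(server, **kwargs) -> str:
    """Run the flow and return 'ok' or the rejection reason."""
    try:
        run_native_flow(server, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    srv = AuthorizationServer({"app": {"secret": "s3cret", "redirect_uris": ["com.example.app:/cb"]}})
    print(outcome(srv, client_id="app", client_secret="s3cret", redirect_uri="com.example.app:/cb"))
    print(outcome(srv, client_id="app", client_secret="s3cret", redirect_uri="com.example.app:/cb",
                  wrong_verifier=True))
```

The three checks at the token endpoint are what close the weak links from slides 37 and 38: the exact redirect_uri match stops a code from being delivered anywhere but the registered client, the state comparison lets the client discard a redirect it did not initiate, and the PKCE challenge means an intercepted code is useless without the verifier that never left the device.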
