Successfully reported this slideshow.

Secure your api - from basics to beyond

0

Share

Sep. 11, 2019
0 likes 1,540 views
Upcoming SlideShare
Secure your api from basics to beyond
Secure your api from basics to beyond
Loading in …3
×
1 of 56
1 of 56

Secure your api - from basics to beyond

Sep. 11, 2019
0 likes 1,540 views

0

Share

Software

In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.

In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.

Software

Recommended

More Related Content

Featured

The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer
Study: The Future of VR, AR and Self-Driving Cars
LinkedIn
Shorter ER Wait Times
Knowledge@Wharton
Asia's Artificial Intelligence Agenda. MIT Technology Review
Alexander Jarvis
Martin Luther King's Pearl Of Wisdom!
SurveyCrest
Teaching Students with Emojis, Emoticons, & Textspeak
Shelly Sanchez Terrell
Inaugural Addresses
Booz Allen Hamilton
How to think like a startup
Loic Le Meur
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
Barry Feldman
How to Fix the Internet
LinkedIn Editors' Picks

Related Books

Free with a 14 day trial from Scribd

See all
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
From Counterculture to Cyberculture: Stewart Brand, the Whole Earth Network, and the Rise of Digital Utopianism Fred Turner
(2.5/5)
Free
101 Awesome Builds: Minecraft®™ Secrets from the World's Greatest Crafters Triumph Books
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
The Social Life of Information: Updated, with a New Preface-Revised John Seely Brown
(0/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Brian Christian
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
Platform: Get Noticed in a Noisy World Michael Hyatt
(4.5/5)
Free

Secure your api - from basics to beyond

  1. 1. Secure your API From basics to beyond 2019 September
  2. 2. Alexandre Faria @lusoalex @lusoalex_ https://alexandrefaria.net
  3. 3. API everywhere
  4. 4. Paradigm shift
  5. 5. API as hacking target
  6. 6. Risk exposure
  7. 7. Identity thief
  8. 8. Service unavailable
  9. 9. Embarrassing media coverage
  10. 10. Legal penalties
  11. 11. Basics actions...
  12. 12. HTTPS
  13. 13. Header
  14. 14. Source code
  15. 15. TOP 10
  16. 16. Identity Providers Web Application Firewall API Management
  17. 17. Authentication Vs Authorization 401 403
  18. 18. FIDO
  19. 19. captcha
  20. 20. Oauth2 Openid connect
  21. 21. Token
  22. 22. #1 : Client
  23. 23. #2 Resource Server
  24. 24. #3 Resource Owner
  25. 25. #4 Authorization Server
  26. 26. Authorization Server 1: authorization code request 2: login form 3: code 4: Code 5: Code + client_secret 6: Token & Refresh Token 7: sessionId Server Side: Code
  27. 27. Authorization Server 1: authorization code request + PKCE 2: login form 3: code 5: Code + PKCE + client_secret 6: Token & Refresh Token Native: Code + PKCE
  28. 28. Authorization Server 1: authorization request 2: login form 3: token SPA: Implicit DEPRECATED
  29. 29. Authorization Server 1: authorization code request 2: login form 3: code + token 4: Code 5: Code + client_secret 6: Token & id_token & Refresh Token 7: sessionId Hybrid: Code & Implicit
  30. 30. Authorization Server 1: authorization request 2: token Server to Server: Client Credentials
  31. 31. Authorization Server 1: authorization request 2: token Highly trusted app: Resource Owner Password Credential
  32. 32. Authorization Server 1: authorization request 2: verifier code 5: poll 4: Authenticate + Code 3: Code Device
  33. 33. Authorization Server 1: authorization request 2: User validation 3: Polling token Client Initiated Backchannel Authentication DRAFT openid
  34. 34. Authorization Server 1: code+PKCE flow (device_sso scope) 2: login form 3: code 5: Code + PKCE + client_secret 6: Tokens & device_secret Native SSO DRAFT openid 7: id_token + client_id + device_secret
  35. 35. Weak link?
  36. 36. Symetric vs Asymetric HS vs RSA
  37. 37. redirect_uri
  38. 38. state
  39. 39. logout
  40. 40. How to improve?
  41. 41. Issuer
  42. 42. scope
  43. 43. audience
  44. 44. API Management
  45. 45. 1 2 3 4 5 6 Authorization Server API Management
  46. 46. API Key
  47. 47. Limit (rate/quota)
  48. 48. CORS
  49. 49. Circuit Breaker
  50. 50. A/B Testing
  51. 51. Measure
  52. 52. Take away
  53. 53. ➢ https://jwt.io/ ➢ https://www.owasp.org ➢ https://github.com/lusoalex/talk-api-security ➢ https://github.com/brendan-rius/c-jwt-cracker ➢ https://github.com/ojensen5115/jwtcrack ➢ https://medium.com/decathlondevelopers/api-security-e48 00de36ce
  54. 54. QUESTIONS?
  55. 55. Photos coming from https://unsplash.com/

×