Secure your api - from basics to beyond
Report
Alexandre FariaFollow
Sep. 11, 2019•0 likes•1,547 views
0 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Check these out next
Secure your api - from basics to beyond
Sep. 11, 2019•0 likes•1,547 views
0 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Report
Software
In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.
Alexandre FariaFollow
Recommended
Securing APIs with oAuth2Michae Blakeney
O auth2.0 20141003Syed Ali Raza
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...Eric Shupps
API Security Webinar - Hendra TantoDevOps Indonesia
Spring4 security oauth2axykim00
How to authenticate users in your apps using FI-WARE Account - IntroductionJavier Cerviño
Secure your api - from basics to beyond
- Secure your API From basics to beyond 2019 September
- Alexandre Faria @lusoalex @lusoalex_ https://alexandrefaria.net
- API everywhere
- Paradigm shift
- API as hacking target
- Risk exposure
- Identity thief
- Service unavailable
- Embarrassing media coverage
- Legal penalties
- Basics actions...
- HTTPS
- Header
- Source code
- TOP 10
- Identity Providers Web Application Firewall API Management
- Authentication Vs Authorization 401 403
- FIDO
- captcha
- Oauth2 Openid connect
- Token
- #1 : Client
- #2 Resource Server
- #3 Resource Owner
- #4 Authorization Server
- Authorization Server 1: authorization code request 2: login form 3: code 4: Code 5: Code + client_secret 6: Token & Refresh Token 7: sessionId Server Side: Code
- Authorization Server 1: authorization code request + PKCE 2: login form 3: code 5: Code + PKCE + client_secret 6: Token & Refresh Token Native: Code + PKCE
- Authorization Server 1: authorization request 2: login form 3: token SPA: Implicit DEPRECATED
- Authorization Server 1: authorization code request 2: login form 3: code + token 4: Code 5: Code + client_secret 6: Token & id_token & Refresh Token 7: sessionId Hybrid: Code & Implicit
- Authorization Server 1: authorization request 2: token Server to Server: Client Credentials
- Authorization Server 1: authorization request 2: token Highly trusted app: Resource Owner Password Credential
- Authorization Server 1: authorization request 2: verifier code 5: poll 4: Authenticate + Code 3: Code Device
- Authorization Server 1: authorization request 2: User validation 3: Polling token Client Initiated Backchannel Authentication DRAFT openid
- Authorization Server 1: code+PKCE flow (device_sso scope) 2: login form 3: code 5: Code + PKCE + client_secret 6: Tokens & device_secret Native SSO DRAFT openid 7: id_token + client_id + device_secret
- Weak link?
- Symetric vs Asymetric HS vs RSA
- redirect_uri
- state
- logout
- How to improve?
- Issuer
- scope
- audience
- API Management
- 1 2 3 4 5 6 Authorization Server API Management
- API Key
- Limit (rate/quota)
- CORS
- Circuit Breaker
- A/B Testing
- Measure
- Take away
- ➢ https://jwt.io/ ➢ https://www.owasp.org ➢ https://github.com/lusoalex/talk-api-security ➢ https://github.com/brendan-rius/c-jwt-cracker ➢ https://github.com/ojensen5115/jwtcrack ➢ https://medium.com/decathlondevelopers/api-security-e48 00de36ce
- QUESTIONS?
- Photos coming from https://unsplash.com/