-
Be the first to like this
Upcoming SlideShare
Secure your api - from basics to beyond
- 1. Secure your API From basics to beyond 2019 September
- 2. Alexandre Faria @lusoalex @lusoalex_ https://alexandrefaria.net
- 3. API everywhere
- 4. Paradigm shift
- 5. API as hacking target
- 6. Risk exposure
- 7. Identity thief
- 8. Service unavailable
- 9. Embarrassing media coverage
- 10. Legal penalties
- 11. Basics actions...
- 12. HTTPS
- 13. Header
- 14. Source code
- 15. TOP 10
- 16. Identity Providers Web Application Firewall API Management
- 17. Authentication Vs Authorization 401 403
- 18. FIDO
- 19. captcha
- 20. Oauth2 Openid connect
- 21. Token
- 22. #1 : Client
- 23. #2 Resource Server
- 24. #3 Resource Owner
- 25. #4 Authorization Server
- 26. Authorization Server 1: authorization code request 2: login form 3: code 4: Code 5: Code + client_secret 6: Token & Refresh Token 7: sessionId Server Side: Code
- 27. Authorization Server 1: authorization code request + PKCE 2: login form 3: code 5: Code + PKCE + client_secret 6: Token & Refresh Token Native: Code + PKCE
- 28. Authorization Server 1: authorization request 2: login form 3: token SPA: Implicit DEPRECATED
- 29. Authorization Server 1: authorization code request 2: login form 3: code + token 4: Code 5: Code + client_secret 6: Token & id_token & Refresh Token 7: sessionId Hybrid: Code & Implicit
- 30. Authorization Server 1: authorization request 2: token Server to Server: Client Credentials
- 31. Authorization Server 1: authorization request 2: token Highly trusted app: Resource Owner Password Credential
- 32. Authorization Server 1: authorization request 2: verifier code 5: poll 4: Authenticate + Code 3: Code Device
- 33. Authorization Server 1: authorization request 2: User validation 3: Polling token Client Initiated Backchannel Authentication DRAFT openid
- 34. Authorization Server 1: code+PKCE flow (device_sso scope) 2: login form 3: code 5: Code + PKCE + client_secret 6: Tokens & device_secret Native SSO DRAFT openid 7: id_token + client_id + device_secret
- 35. Weak link?
- 36. Symetric vs Asymetric HS vs RSA
- 37. redirect_uri
- 38. state
- 39. logout
- 40. How to improve?
- 41. Issuer
- 42. scope
- 43. audience
- 44. API Management
- 45. 1 2 3 4 5 6 Authorization Server API Management
- 46. API Key
- 47. Limit (rate/quota)
- 48. CORS
- 49. Circuit Breaker
- 50. A/B Testing
- 51. Measure
- 52. Take away
- 53. ➢ https://jwt.io/ ➢ https://www.owasp.org ➢ https://github.com/lusoalex/talk-api-security ➢ https://github.com/brendan-rius/c-jwt-cracker ➢ https://github.com/ojensen5115/jwtcrack ➢ https://medium.com/decathlondevelopers/api-security-e48 00de36ce
- 54. QUESTIONS?
- 55. Photos coming from https://unsplash.com/
Be the first to comment
In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.
Views
Total views
1,450
On Slideshare
0
From embeds
0
Number of embeds
786
Actions
Downloads
0
Shares
0
Comments
0
Likes
0
Be the first to comment