Best Friends: API Security & API Management.


How API management will be your best friend for securing APIs in the future. A presentation from the OWASP Helsinki Chapter meetup, 12 June 2018.


  1. Best friends: API Security & API management. 12 June 2018, OWASP Helsinki Chapter. Antti.Virtanen@solita.fi, Twitter: @Anakondantti
  2. Antti Virtanen: data, security, dev, design. Making things and also breaking things. Solita: cloud, and on-premises too; critical systems and system integrations.
  3. Queen API Economy
  4. The court of Queen API Economy (Pic: MuleSoft)
  5. Open Data, Open API. Open Data = no problems? Does an Open API need security?
  6. If you live there, lucky you!
  7. Recent past: the dark ages
  8. Closed system-to-system API. Classic: SSL/TLS (HTTPS) + a shared secret "API key". Harder: a client TLS certificate instead of the shared secret. Maybe also limit the source IP address range at the firewall.
  9. Solution 1: what could possibly go wrong? Diagram: Awesome App, Awesome API (Integrations), Awesome API (UI), SSO, Another App. The user's browser is redirected to SSO if necessary; a front proxy then forwards the request to the app with an "X-Auth: userid" header. Another App calls the integrations API with "API key: lol123".
  10. Issues: 1. The front proxy is super critical: the application trusts the HTTP header. 2. The network infrastructure is super critical too: any request carrying the proper header goes through. 3. Audit trail: who is the person using the system-to-system API?
  11. Solution 2: hmm? Diagram: Awesome App with its own auth logic, Awesome API (Integrations), Awesome API (UI), SSO, Another App. The user's browser is redirected to SSO if necessary; the app issues its own "Auth-token: XLKWK". Another App calls the integrations API with "API key: lol123".
  12. Issues: 1. The application itself is now super critical. 2. Audit trail: who is the person using the API?
  13. Solution 3: a bit better? Diagram: Awesome App, Awesome API (Integrations), Awesome API (UI), SSO, Another App. The user's browser is redirected to SSO if necessary; the front proxy passes a signed AD token through to the app.
  14. Still not perfect. Good: the session token is signed, so it can't be forged. The user id can be tracked (audit trail). (Even Azure AD uses JWT tokens. Good, Microsoft!) Bad: the app developer must write proper auth code, with no bugs. API call logging is the app developer's responsibility. Better work is required. (In a monolithic app the impact of a vulnerability might be bigger.)
  15. Luckily the dark ages are now behind us. Not for everyone :(
  16. Modern ages: API gateways
  17. Amazon AWS
  18. The benefits: authentication responsibility is no longer on application developers. Audit trail and usage logging for all APIs in the organization. Product-based, not 10 different custom implementations. Fewer bugs. Less upfront cost for the next app.
  19. API management, one step further
  20. Apigee
  21. API management? An API gateway is a technical solution. Add tools to smooth the Developer Experience (DX): if you want someone to use your APIs, you had better think about this. Add tools to handle publishing and management of APIs: a real concern if you have hundreds or thousands of API endpoints. Not quite so common yet; AWS doesn't have a proper offering at this point.
  22. The Developer Experience in Suomi.fi
  23. Security is not just authentication! (Pic: Apigee)
  24. Pricing
  25. The Future
  26. Custom auth code is a relic
  27. Tyk.io: one open source alternative
  28. Tyk.io pricing
  29. Don't roll your own API management tool! It costs way too much, and it is a mission-critical component. It might make sense if you are Facebook. Are you?
  30. Do you want to operate the API management yourself? You could deploy Tyk.io for free. But it's a mission-critical component, and quite complex with its HA setup, clusters and such. It might make sense if you are Facebook. Are you?
  31. Conclusions
  32. Change takes time. Many "API key" solutions are still deployed; they are going to be replaced with API gateways. API gateway/management products rule in the cloud and will become the norm on-premises too. Too early to pick the winners yet. This does not magically remove all the worries.
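The header-trust design of slides 9-10, the signed-token design of slides 13-14 and the API-key check of slide 8, side by side, so the difference in what an attacker can forge is concrete. This is an added example, not code from the presentation or from Solita: the signing secret, the header names, the HS256-style token layout and the function names (`handle_solution1`, `handle_solution3`, `issue_token`, `verify_token`, `handle_integration`, `tamper_subject`) are assumptions made for illustration.

```python
# Added example: trusting a proxy-set header (Solution 1) versus verifying a
# signed token (Solution 3). Secrets, header names and token layout are
# assumptions made for this illustration, not the slides' own design.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secrets (assumption: real ones live in a vault, and a real SSO
# such as Azure AD signs with an asymmetric key the app never holds).
SIGNING_KEY = b"example-signing-key-not-for-production"
API_KEYS = {"lol123": "another-app"}  # API key -> calling system, as on slide 9

audit_log = []  # one entry per authenticated request: the audit trail


def handle_solution1(headers: dict) -> Optional[str]:
    """Solution 1: believe the X-Auth header the front proxy is supposed to set.
    Anyone who reaches the app without passing through the proxy, or who can
    inject the header, picks their own identity."""
    user = headers.get("X-Auth")
    if user is None:
        return None
    audit_log.append({"scheme": "header-trust", "user": user})
    return user


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl: int, now: int) -> str:
    """What the SSO does: sign the subject and an expiry (JWT/HS256 layout)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}).encode())
    mac = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Solution 3 verification: pin the algorithm, check the signature before
    reading any claim, then check expiry. Malformed input is a failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose ("alg": "none")
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims.get("sub"), str) or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def handle_solution3(headers: dict, now: int) -> Optional[str]:
    """Solution 3: the app (or a gateway in front of it) verifies the signed
    token and logs the verified subject, so the audit trail can be trusted."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return None
    audit_log.append({"scheme": "signed-token", "user": claims["sub"]})
    return claims["sub"]


def handle_integration(headers: dict) -> Optional[str]:
    """System-to-system API key (slide 8), compared in constant time. Note what
    the log can record: the calling system, never a person (slide 10, issue 3)."""
    presented = headers.get("API-Key", "").encode()
    for known, system in API_KEYS.items():
        if hmac.compare_digest(known.encode(), presented):
            audit_log.append({"scheme": "api-key", "user": None, "system": system})
            return system
    return None


def tamper_subject(token: str, new_sub: str) -> str:
    """Attacker move: rewrite the subject claim but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"


def demo() -> dict:
    """The same 'become admin' attempt against each design."""
    alice = issue_token("alice", ttl=300, now=1000)
    return {
        "solution1_forged_header": handle_solution1({"X-Auth": "admin"}),
        "solution3_valid": handle_solution3({"Authorization": "Bearer " + alice}, now=1100),
        "solution3_tampered": handle_solution3(
            {"Authorization": "Bearer " + tamper_subject(alice, "admin")}, now=1100),
        "solution3_expired": handle_solution3({"Authorization": "Bearer " + alice}, now=2000),
        "integration_key": handle_integration({"API-Key": "lol123"}),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the forged `X-Auth: admin` header is simply believed by Solution 1, while against Solution 3 the tampered token fails because the signature no longer covers the rewritten subject, and the expired token fails on the `exp` check. In practice an SSO like Azure AD signs with an asymmetric key, so the app or gateway holds only the public key; the steps are the same (pin the algorithm, verify the signature before trusting any claim, check expiry, log the verified subject), and slide 14's point is exactly that every application has to get all of them right unless a gateway does it once for everyone.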
