SlideShare a Scribd company logo

APIs: The New Security Layer - How Well-Defined APIs Can Be Effectively Secured

Download as PPTX, PDF
Apigee | Google Cloud
Apigee | Google Cloud

The document discusses API security fundamentals and how to effectively secure APIs. It notes that many past API breaches were due to a lack of authentication on APIs, no rate limiting of requests, and other basic security issues. It emphasizes that every system with a URI has an API and outlines steps like applying authentication, authorization, rate limiting, validating requests to prevent attacks. The document argues that APIs with well-defined contracts that specify URIs, input/output formats and authentication models are easier to securely implement and test compared to more complex, dynamic APIs.

Technology
1 of 33
APIs: The New Security Layer Greg Brail, Apigee
Slideshare slideshare.com/apigee Apigee Community https://community.apigee.com YouTube youtube.com/apigee
Today’s Speakers: 3©2008-16 Apigee Corp. All rights reserved. Greg Brail Apigee
• What Happens to Insecure APIs • API Security Fundamentals • The Result: Effective API Security Agenda
No API Security? Bad things happen
Let’s make it secure then I have an API!
But I Don’t Have an API!
Everything with a URI has an API Of Course You Have an API! 8 Wired, 9/22/15 www.ifc0nfig.com, 1/5/15 troyhunt.com, 2/24/16
Breach Reason Source Buffer Compromised third-party admin password; OAuth secret in GitHub ProgrammableWeb Snapchat No authentication; no rate limit Gibson Security Multiple Kardashian Apps No authentication or authorization Wired MoonPig No authentication or authorization www.ifc0nfig.com Facebook Graph API Users can delete other users’ photos; Improper authorization check ProgrammableWeb IRS GetTranscript Application Password reset mechanism relied on personal data IRS Instagram Malicious app was stealing passwords; no approval process Daily Dot Nissan Leaf VIN number only security credential on API Troy Hunt Tesla Model S Six-character password that’s easily guessable Security Affairs, Elsewhere Some API Security Breaches
• No authentication on some APIs – Climate control, battery status – Only VIN number required • User ID leaked by some of those APIs http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html Nissan Leaf
• No rate limit on request to get friends by phone number • Hard-coded encryption key • Weak cipher http://gibsonsec.org/snapchat/ Snapchat
Fundamental API Security What every developer should know
You Have an API
• Prevent unauthorized applications • Prevent unauthorized users • Prevent excessive traffic • Prevent content attacks • Watch for trouble • React to trouble What You Need to Do
What Do Our Customers Do? 74% OAuth 78% Spike Arrest 72% Threat Protection
• Application Authorization is a fundamental part of API security – Best way to stop runaway applications – Only options for certain types of apps (anonymous API access) – Requirement for all forms of OAuth • Best practices – Use different credentials for each version of each app – Makes it easier to pull a bad version – Hide the app credentials as best you can • Realize that they still can be stolen – Have an approval process for apps Prevent Unauthorized Applications
• Authenticate all end users for critical apps – Only way to keep security credentials outside the app – Use OAuth carefully • Use caution around “password” grant type • Only as good as identity management – For instance, dodgy password reset practices – Can you get identity a service? Prevent Unauthorized Users
• Protect APIs that are vulnerable to brute force – Validating password – Validating anything – Anything where the only ID is in a small space • Protect from runaway applications – Denial of service is also an attack – Excessive usage may mean data is being harvested – Not always an attack – developers make mistakes Prevent Excessive Traffic
• Accepting JSON over the Internet? – Excessive identifier length – Excessive nesting – Large arrays and elements • Accepting XML over the Internet? – All that and more • Are you sure there can’t be SQL injection? – Regular expression checks Prevent Content Attacks
• Monitor the API – Usage patterns – Usage patterns by application – Latency – Error rate • Monitor the world too – Unusual tweets? – Other social media? Watch for Trouble
• Traffic comes from unusual places: – iPads in Amazon data centers – US-only retailers with many “customers” in Eastern Europe • Or unusual patterns: – Sequential scans of identifiers – API traffic faster than a human can generate • Identify suspected “bots” – Heuristics, machine learning • Block them by IP or otherwise Example: Bot Detection
• Do you have application-level authentication? – Revoke app credentials – Change rate limit – Redirect app to another URL • No application-level authentication? – Insert additional logic – Worst cast: shut down the API until it’s fixed React to Trouble
API Management Can Help
Effective API Security Api == Contract == security
An API is a Contract What is an API, really?
• Simple • Ubiquitous • Widely-understood • Universally implemented The “API Stack” is Small
• Since API technology is simple, • So is the contract: – URIs – JSON schemas – Query parameters – Authentication • Simpler contracts are: – simpler to validate – simpler to test – simpler to prove API Contracts are Simple
• Don’t agree? Let’s look at web apps: – Cross-site scripting – Insecure URIs in links – Cross-site request forgery – Insecure redirects – Insecure third-party pages – Insecure and malicious JavaScript Simpler Means More Secure
• Well-known URI pattern • Documented schemas • Well-known authentication model • Well-known authorization model • One way to secure all API calls Simpler is Better • Totally dynamic URI pattern is harder to test • Specified inputs and outputs can be tested • Haphazard authentication hard to test • Haphazard authorization hard to test • Multiple implementations hard to test
Summing it Up Back to the original point
• We saw lots of places where APIs were compromised – Many of these had nothing to do with an “API” • Biggest vulnerability is having an API and not realizing it – Everything with a URL has an API • Well-defined APIs can be secured – Lots of widely-known techniques and technology • A properly-secured API is verifiable • Use it! Conclusion
community.apigee.com
Thank you CONFIDENTIAL

Recommended

Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsApigee | Google Cloud
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API SecurityApigee | Google Cloud
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...Apigee | Google Cloud
 
App & API Monitoring: Building a 5-Star Reputation for your Apps
App & API Monitoring: Building a 5-Star Reputation for your AppsApp & API Monitoring: Building a 5-Star Reputation for your Apps
App & API Monitoring: Building a 5-Star Reputation for your AppsApigee | Google Cloud
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop Apigee | Google Cloud
 
I Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at VerizonI Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at VerizonApigee | Google Cloud
 
API Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureAPI Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureApigee | Google Cloud
 

Recommended

Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsApigee | Google Cloud
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API SecurityApigee | Google Cloud
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...Apigee | Google Cloud
 
App & API Monitoring: Building a 5-Star Reputation for your Apps
App & API Monitoring: Building a 5-Star Reputation for your AppsApp & API Monitoring: Building a 5-Star Reputation for your Apps
App & API Monitoring: Building a 5-Star Reputation for your AppsApigee | Google Cloud
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop Apigee | Google Cloud
 
I Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at VerizonI Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at VerizonApigee | Google Cloud
 
API Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureAPI Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureApigee | Google Cloud
 
Enhancing your Security APIs
Enhancing your Security APIsEnhancing your Security APIs
Enhancing your Security APIsApigee | Google Cloud
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...apidays
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 
Building APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureBuilding APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureApigee | Google Cloud
 
A Checklist for Every API Call
A Checklist for Every API CallA Checklist for Every API Call
A Checklist for Every API CallApigee | Google Cloud
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API ManagementApigee | Google Cloud
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopApigee | Google Cloud
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee | Google Cloud
 
Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Apigee | Google Cloud
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...apidays
 
Adapt or Die Sydney - API Security
Adapt or Die Sydney - API SecurityAdapt or Die Sydney - API Security
Adapt or Die Sydney - API SecurityApigee | Google Cloud
 
Why APIs are Different Than Integration
Why APIs are Different Than IntegrationWhy APIs are Different Than Integration
Why APIs are Different Than IntegrationApigee | Google Cloud
 
Pivotal + Apigee Workshop (June 4th, 2019)
Pivotal + Apigee Workshop (June 4th, 2019)Pivotal + Apigee Workshop (June 4th, 2019)
Pivotal + Apigee Workshop (June 4th, 2019)Alexandre Roman
 
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile PlatformI Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile PlatformApigee | Google Cloud
 
What are your APIs Worth?
What are your APIs Worth?What are your APIs Worth?
What are your APIs Worth?Apigee | Google Cloud
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 
Transforming Your Business Through APIs
Transforming Your Business Through APIsTransforming Your Business Through APIs
Transforming Your Business Through APIsApigee | Google Cloud
 
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAPI Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAnil Sagar
 
Data Driven Security
Data Driven SecurityData Driven Security
Data Driven SecurityApigee | Google Cloud
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessApigee | Google Cloud
 

More Related Content

What's hot

APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...apidays
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 
Building APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureBuilding APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureApigee | Google Cloud
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopApigee | Google Cloud
 
Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Apigee | Google Cloud
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...apidays
 
Why APIs are Different Than Integration
Why APIs are Different Than IntegrationWhy APIs are Different Than Integration
Why APIs are Different Than IntegrationApigee | Google Cloud
 
Pivotal + Apigee Workshop (June 4th, 2019)
Pivotal + Apigee Workshop (June 4th, 2019)Pivotal + Apigee Workshop (June 4th, 2019)
Pivotal + Apigee Workshop (June 4th, 2019)Alexandre Roman
 
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile PlatformI Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile PlatformApigee | Google Cloud
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 
Transforming Your Business Through APIs
Transforming Your Business Through APIsTransforming Your Business Through APIs
Transforming Your Business Through APIsApigee | Google Cloud
 
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAPI Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAnil Sagar
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud
 

What's hot (20)

Enhancing your Security APIs
Enhancing your Security APIsEnhancing your Security APIs
Enhancing your Security APIs
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
Building APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureBuilding APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft Azure
 
A Checklist for Every API Call
A Checklist for Every API CallA Checklist for Every API Call
A Checklist for Every API Call
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and Roadmap
 
Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
 
Adapt or Die Sydney - API Security
Adapt or Die Sydney - API SecurityAdapt or Die Sydney - API Security
Adapt or Die Sydney - API Security
 
Why APIs are Different Than Integration
Why APIs are Different Than IntegrationWhy APIs are Different Than Integration
Why APIs are Different Than Integration
 
Pivotal + Apigee Workshop (June 4th, 2019)
Pivotal + Apigee Workshop (June 4th, 2019)Pivotal + Apigee Workshop (June 4th, 2019)
Pivotal + Apigee Workshop (June 4th, 2019)
 
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile PlatformI Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
 
What are your APIs Worth?
What are your APIs Worth?What are your APIs Worth?
What are your APIs Worth?
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
Transforming Your Business Through APIs
Transforming Your Business Through APIsTransforming Your Business Through APIs
Transforming Your Business Through APIs
 
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAPI Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
 
Data Driven Security
Data Driven SecurityData Driven Security
Data Driven Security
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices World
 

Viewers also liked

Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessApigee | Google Cloud
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWSAdvanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWSApigee | Google Cloud
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailApigee | Google Cloud
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSApigee | Google Cloud
 
Deep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaSDeep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaSApigee | Google Cloud
 
Edge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentEdge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentApigee | Google Cloud
 
How to (almost certainly) fail: Building vs. buying your API infrastructure
How to (almost certainly) fail: Building vs. buying your API infrastructureHow to (almost certainly) fail: Building vs. buying your API infrastructure
How to (almost certainly) fail: Building vs. buying your API infrastructureApigee | Google Cloud
 
Cloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are KeyCloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are KeyApigee | Google Cloud
 
L.L.Bean’s API Journey: Digital Commerce Done Right
L.L.Bean’s API Journey: Digital Commerce Done RightL.L.Bean’s API Journey: Digital Commerce Done Right
L.L.Bean’s API Journey: Digital Commerce Done RightApigee | Google Cloud
 
Becoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital JourneyBecoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital JourneyApigee | Google Cloud
 
Monetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital AssetsMonetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital AssetsApigee | Google Cloud
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveApigee | Google Cloud
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 

Viewers also liked (20)

Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWSAdvanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS
 
API Management and Kubernetes
API Management and KubernetesAPI Management and Kubernetes
API Management and Kubernetes
 
Securing Your API
Securing Your APISecuring Your API
Securing Your API
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the Enterprise
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet Kapoor
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg Brail
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
 
Deep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaSDeep Dive: Strategic Importance of BaaS
Deep Dive: Strategic Importance of BaaS
 
Edge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentEdge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app development
 
How to (almost certainly) fail: Building vs. buying your API infrastructure
How to (almost certainly) fail: Building vs. buying your API infrastructureHow to (almost certainly) fail: Building vs. buying your API infrastructure
How to (almost certainly) fail: Building vs. buying your API infrastructure
 
Cloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are KeyCloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are Key
 
L.L.Bean’s API Journey: Digital Commerce Done Right
L.L.Bean’s API Journey: Digital Commerce Done RightL.L.Bean’s API Journey: Digital Commerce Done Right
L.L.Bean’s API Journey: Digital Commerce Done Right
 
Becoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital JourneyBecoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital Journey
 
Monetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital AssetsMonetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital Assets
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 

Similar to APIs: The New Security Layer - How Well-Defined APIs Can Be Effectively Secured

2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid Credentials2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid CredentialsAPIsecure_ Official
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!Apigee | Google Cloud
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityAaronLieberman5
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowAaronLieberman5
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityAaronLieberman5
 
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIsAPIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIsapidays
 
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...apidays
 
How APIs are Changing Software Development
How APIs are Changing Software DevelopmentHow APIs are Changing Software Development
How APIs are Changing Software Development3scale
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)Greg Patton
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceKasun Indrasiri
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days42Crunch
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 1042Crunch
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityAkana
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption PatternsAkana
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption PatternsAkana
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 

Similar to APIs: The New Security Layer - How Well-Defined APIs Can Be Effectively Secured (20)

2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid Credentials2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid Credentials
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIsAPIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
 
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
 
How APIs are Changing Software Development
How APIs are Changing Software DevelopmentHow APIs are Changing Software Development
How APIs are Changing Software Development
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
 
Api security-present
Api security-presentApi security-present
Api security-present
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and Quality
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 

More from Apigee | Google Cloud

Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Apigee | Google Cloud
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldApigee | Google Cloud
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Apigee | Google Cloud
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketApigee | Google Cloud
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsApigee | Google Cloud
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranApigee | Google Cloud
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!Apigee | Google Cloud
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorApigee | Google Cloud
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryLondon Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryApigee | Google Cloud
 

More from Apigee | Google Cloud (20)

How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
 
Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)
 
Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform Overview
 
Ticketmaster at a glance
Ticketmaster at a glanceTicketmaster at a glance
Ticketmaster at a glance
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First World
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management Market
 
Walgreens at a glance
Walgreens at a glanceWalgreens at a glance
Walgreens at a glance
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to Microgateway
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
Pitney Bowes at a glance
Pitney Bowes at a glancePitney Bowes at a glance
Pitney Bowes at a glance
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant Jhingran
 
London Adapt or Die: Opening Keynot
London Adapt or Die: Opening KeynotLondon Adapt or Die: Opening Keynot
London Adapt or Die: Opening Keynot
 
London Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynoteLondon Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynote
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoor
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet Kapoor
 
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryLondon Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

APIs: The New Security Layer - How Well-Defined APIs Can Be Effectively Secured

  • 1. APIs: The New Security Layer Greg Brail, Apigee
  • 3. Today’s Speakers: 3©2008-16 Apigee Corp. All rights reserved. Greg Brail Apigee
  • 4. • What Happens to Insecure APIs • API Security Fundamentals • The Result: Effective API Security Agenda
  • 5. No API Security? Bad things happen
  • 6. Let’s make it secure then I have an API!
  • 7. But I Don’t Have an API!
  • 8. Everything with a URI has an API Of Course You Have an API! 8 Wired, 9/22/15 www.ifc0nfig.com, 1/5/15 troyhunt.com, 2/24/16
  • 9. Breach Reason Source Buffer Compromised third-party admin password; OAuth secret in GitHub ProgrammableWeb Snapchat No authentication; no rate limit Gibson Security Multiple Kardashian Apps No authentication or authorization Wired MoonPig No authentication or authorization www.ifc0nfig.com Facebook Graph API Users can delete other users’ photos; Improper authorization check ProgrammableWeb IRS GetTranscript Application Password reset mechanism relied on personal data IRS Instagram Malicious app was stealing passwords; no approval process Daily Dot Nissan Leaf VIN number only security credential on API Troy Hunt Tesla Model S Six-character password that’s easily guessable Security Affairs, Elsewhere Some API Security Breaches
  • 10. • No authentication on some APIs – Climate control, battery status – Only VIN number required • User ID leaked by some of those APIs http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html Nissan Leaf
  • 11. • No rate limit on request to get friends by phone number • Hard-coded encryption key • Weak cipher http://gibsonsec.org/snapchat/ Snapchat
  • 12. Fundamental API Security What every developer should know
  • 13. You Have an API
  • 14. • Prevent unauthorized applications • Prevent unauthorized users • Prevent excessive traffic • Prevent content attacks • Watch for trouble • React to trouble What You Need to Do
  • 15. What Do Our Customers Do? 74% OAuth 78% Spike Arrest 72% Threat Protection
  • 16. • Application Authorization is a fundamental part of API security – Best way to stop runaway applications – Only options for certain types of apps (anonymous API access) – Requirement for all forms of OAuth • Best practices – Use different credentials for each version of each app – Makes it easier to pull a bad version – Hide the app credentials as best you can • Realize that they still can be stolen – Have an approval process for apps Prevent Unauthorized Applications
  • 17. • Authenticate all end users for critical apps – Only way to keep security credentials outside the app – Use OAuth carefully • Use caution around “password” grant type • Only as good as identity management – For instance, dodgy password reset practices – Can you get identity a service? Prevent Unauthorized Users
  • 18. • Protect APIs that are vulnerable to brute force – Validating password – Validating anything – Anything where the only ID is in a small space • Protect from runaway applications – Denial of service is also an attack – Excessive usage may mean data is being harvested – Not always an attack – developers make mistakes Prevent Excessive Traffic
  • 19. • Accepting JSON over the Internet? – Excessive identifier length – Excessive nesting – Large arrays and elements • Accepting XML over the Internet? – All that and more • Are you sure there can’t be SQL injection? – Regular expression checks Prevent Content Attacks
  • 20. • Monitor the API – Usage patterns – Usage patterns by application – Latency – Error rate • Monitor the world too – Unusual tweets? – Other social media? Watch for Trouble
  • 21. • Traffic comes from unusual places: – iPads in Amazon data centers – US-only retailers with many “customers” in Eastern Europe • Or unusual patterns: – Sequential scans of identifiers – API traffic faster than a human can generate • Identify suspected “bots” – Heuristics, machine learning • Block them by IP or otherwise Example: Bot Detection
  • 22. • Do you have application-level authentication? – Revoke app credentials – Change rate limit – Redirect app to another URL • No application-level authentication? – Insert additional logic – Worst cast: shut down the API until it’s fixed React to Trouble
  • 24. Effective API Security Api == Contract == security
  • 25. An API is a Contract What is an API, really?
  • 26. • Simple • Ubiquitous • Widely-understood • Universally implemented The “API Stack” is Small
  • 27. • Since API technology is simple, • So is the contract: – URIs – JSON schemas – Query parameters – Authentication • Simpler contracts are: – simpler to validate – simpler to test – simpler to prove API Contracts are Simple
  • 28. • Don’t agree? Let’s look at web apps: – Cross-site scripting – Insecure URIs in links – Cross-site request forgery – Insecure redirects – Insecure third-party pages – Insecure and malicious JavaScript Simpler Means More Secure
  • 29. • Well-known URI pattern • Documented schemas • Well-known authentication model • Well-known authorization model • One way to secure all API calls Simpler is Better • Totally dynamic URI pattern is harder to test • Specified inputs and outputs can be tested • Haphazard authentication hard to test • Haphazard authorization hard to test • Multiple implementations hard to test
  • 30. Summing it Up Back to the original point
  • 31. • We saw lots of places where APIs were compromised – Many of these had nothing to do with an “API” • Biggest vulnerability is having an API and not realizing it – Everything with a URL has an API • Well-defined APIs can be secured – Lots of widely-known techniques and technology • A properly-secured API is verifiable • Use it! Conclusion