
API Security Lifecycle


Apigee engineers on the API lifecycle and API security at I Love APIs 2015, including the role of Apigee Sense in API security.

Published in: Software


  1. API Security Lifecycle. Joel D'sa, Product Security Engineering at Apigee; Chris Von See, Global Architect at Apigee.
  2. Agenda
     - Secure API design
     - Secure API implementation
     - Demo
     - Facilitating security for API consumers
     - Operationalizing API security and mitigating threats
     - Mitigating security breaches
     ©2015 Apigee. All Rights Reserved.
  3. Apigee Sense
  4. API Security Lifecycle. Lifecycle stages: Design, Implement, Run-time Security, Access Management, Audit, Monitor/Response.
     - Design: design for secure exposure of private and public APIs
     - Implementation: out-of-the-box policies in Edge to improve API security
     - Run-time security: threat protection policies and token management
     - Access management: RBAC for the API team, deployment environments, logging, secure debugging
     - Audit: secure logging and forwarding of events
     - Monitoring and response: breach detection and mitigation
  5. Leveraging API Façades
     - Hide API back-end implementation details
     - Configure security constraints and other processing based on the API consumer
     - Carefully manage the return of sensitive, inappropriate or unauthorized data by APIs
     - Track device usage info and its correlation to specific users
     (Slide image: API Façade, http://www.theage.com.au/ffximage/2008/01/03/rg_sewage_wideweb__470x335,0.jpg)
  6. Design considerations
     - Classify your APIs: use API products
     - Classify your resources: use OAuth2 scopes
       - Restricted resources
       - Private resources
       - Public resources
     - Establish and enforce SLAs
       - Quota and Spike Arrest
       - Prevent application denial of service
       - Edge out-of-the-box security policies
       - Prevent injection attacks and data leaks
     - Inbound and outbound communications security
       - Edge SSL APIs
       - Manage your transport security
     - Logging and auditing
       - Log access
       - Edge message logging
       - Follow through with an audit policy
  7. Security policies in Apigee Edge: secure APIs and protect back-end systems from attack; secure interactions with API consumers and optimize performance.
  8. Securing the API: run-time
  9. Threat Protection: best practices
     - Use Conditionals and Fault Rules to reject input before it reaches the southbound service
     - Use the Extract Variables policy so that JSON and XML variables are parsed and made available using the secure parsers already built into Edge
     - Use the JSON and XML Threat Protection policies to establish content-level limits on JSON and XML structures
     - Use the Regular Expression Protection policy to protect against SQL injection, cross-site scripting and reflected cross-site scripting attacks
     - Use the SOAP Message Validation policy to validate a SOAP message against a schema or WSDL
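The "content-level limits on JSON structures" point above, as an added example that is not Apigee's code or policy implementation: a request check that enforces a byte cap before parsing and then walks the parsed document, rejecting it on the first exceeded limit so it never reaches the back-end service. The threshold values in `LIMITS` are constructed sample numbers.

```python
import json

# Constructed sample thresholds; a real deployment tunes these per API.
LIMITS = {
    "max_bytes": 64 * 1024,          # cap raw size before parsing at all
    "container_depth": 5,            # max nesting of objects/arrays
    "array_element_count": 20,       # max elements in any one array
    "object_entry_count": 20,        # max keys in any one object
    "object_entry_name_length": 32,  # max length of a key
    "string_value_length": 256,      # max length of a string value
}

class JsonLimitViolation(ValueError):
    """Raised on the first limit exceeded; the message names the limit."""

def _walk(node, depth, limits):
    if isinstance(node, dict):
        if depth > limits["container_depth"]:
            raise JsonLimitViolation("container_depth")
        if len(node) > limits["object_entry_count"]:
            raise JsonLimitViolation("object_entry_count")
        for key, value in node.items():
            if len(key) > limits["object_entry_name_length"]:
                raise JsonLimitViolation("object_entry_name_length")
            _walk(value, depth + 1, limits)
    elif isinstance(node, list):
        if depth > limits["container_depth"]:
            raise JsonLimitViolation("container_depth")
        if len(node) > limits["array_element_count"]:
            raise JsonLimitViolation("array_element_count")
        for item in node:
            _walk(item, depth + 1, limits)
    elif isinstance(node, str) and len(node) > limits["string_value_length"]:
        raise JsonLimitViolation("string_value_length")

def check_json_payload(payload: str, limits=LIMITS):
    """Return (True, None) if the payload passes every limit, else
    (False, reason). Run this before forwarding to the southbound service."""
    if len(payload.encode("utf-8")) > limits["max_bytes"]:
        return False, "max_bytes"
    try:
        doc = json.loads(payload)
    except ValueError:
        return False, "malformed_json"
    try:
        _walk(doc, 1, limits)
    except JsonLimitViolation as exc:
        return False, str(exc)
    return True, None
```

The size cap is checked on the raw bytes first because a parser can be exhausted by a payload long before any structural limit is evaluated.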
  10. SSL
     - Ensure that certificates are set up correctly
       - Signed by a trusted CA
       - Certificate key sizes must be 2048 bits or higher
     - Follow NIST recommendations for protocol and cipher configurations
     - Run SSL scans from Nessus or Qualys to ensure that your configuration is secure
     - Apigee Edge helps
       - API to configure certificates and trust for incoming and outgoing TLS
       - Configuration options for choosing the correct protocols and algorithms
  11. Demo
  12. Securing the Edge instance: organization trust boundary; environment trust boundary.
  13. Mitigating risks from compromised applications. When this happens, what do you do?
     - Monitor for unusual activity (traffic volume/source, excessive authentication calls, etc.)
     - Revoke, re-approve or delete an API key
     - Regenerate API keys and secrets
     - Revoke, re-approve or delete some or all active OAuth access and refresh tokens
     - Dynamic invalidation via code in API proxies, based on user IDs, device identifiers or other criteria
  14. Questions?
  15. Thank you
