Be the first to like this
This presentation was given by Layer 7 CTO K. Scott Morrison at RSA Conference and explores why APIs (which are largely RESTful services) are fundamentally different than conventional Web sites, despite the fact that they share common elements such as the HTTP protocol. Web sites abstract back-end applications behind a veneer of HTML that should — if it is well-designed — constrain capability and thus limit an organization’s security exposure. APIs, in contrast, represent a more explicit interface leading directly into applications. These often self-document their intent and thus provide a hacker with important clues that may reveal potential attack vectors — from penetration to denial-of-service. Because of this, APIs require a much more sophisticated model for access control, confidentiality around parameters, integrity of transactions, attack detection, throttling and auditing.