Open APIs: Security for Mobile and the Cloud

A look at what’s driving new Internet-facing organizations to open up information through APIs and the implications for application security.

1. Open APIs: Security for Mobile and the Cloud. Caleb Sima, EIR, Andreessen Horowitz. February 27, 2012
2. My Perspective: Entrepreneur in Residence, Andreessen Horowitz; CEO, Armorize Technologies; CTO, Application Security, HP; CTO & Co-Founder of SPI Dynamics; Internet Security Systems
3. API Growth: The VC Perspective
4. What’s Driving API Growth? APIs are often driven by business interests instead of by IT
5. The Emergence of Legacy Systems on the Internet: introduces new risk profiles
6. Four Major Issues: Credentials and Authentication; Access Control and Authorization; Validation of Inputs; Misconfiguration
7. Overly Granular Application API: Insecure vs. More secure
8. Normal WebApp: One Request - One API. Post to Register.aspx with the following data: Email=csima%40a16z.com&UserName=csima&Password=reallyhardpassword&ConfirmPassword=reallyhardpassword&Captcha=hatmals
9. With Ajax, multiple requests = multiple inputs = bigger attack surface: CheckUsername(csima), ValidateEmail(csima@a16z.com), CheckCaptcha(hatmals) (*Demo: Search), then final submission of all data to the server
10. Exposed Administrative API: Intended use vs. Malicious use
11. What is wrong with this code? Real-world application using Microsoft’s framework
12. A Best Practice—Decouple Security from App: Separation of concerns between developer and security admin
13. For further information: February 2012
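As an added example, not code from the deck: one way to realise slide 12's decoupling for the granular Ajax endpoints named on slide 9, in Python. The POLICY table, the enforce decorator, the user list and the session store are assumptions constructed for this demo.

```python
import re
from functools import wraps

# Added example, not code from the slides: a security layer decoupled from the
# app (slide 12) that gives each granular Ajax endpoint from slide 9 an explicit
# input contract, and binds the captcha check to a session so it is no oracle.

POLICY = {  # endpoint -> {parameter: pattern the whole value must match}
    "CheckUsername": {"username": re.compile(r"[A-Za-z0-9_]{3,32}")},
    "ValidateEmail": {"email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")},
    "CheckCaptcha": {"session": re.compile(r"[0-9a-f]{8}"),
                     "captcha": re.compile(r"[a-z]{4,12}")},
}

# Constructed stand-ins for the user store and server-side session state.
EXISTING_USERS = {"csima"}
SESSIONS = {"deadbeef": {"captcha": "hatmals"}}

class PolicyViolation(Exception):
    pass

def enforce(endpoint):
    """Decorator owned by the security admin, applied to developer code."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(**params):
            rules = POLICY.get(endpoint)
            if rules is None:
                raise PolicyViolation(f"{endpoint}: no input contract registered")
            unexpected = params.keys() - rules.keys()
            if unexpected:
                raise PolicyViolation(f"{endpoint}: unexpected {sorted(unexpected)}")
            for name, pattern in rules.items():
                value = params.get(name)
                if not isinstance(value, str) or not pattern.fullmatch(value):
                    raise PolicyViolation(f"{endpoint}: invalid {name!r}")
            return fn(**params)
        return wrapper
    return decorate

@enforce("CheckUsername")
def check_username(username):
    return username.lower() not in EXISTING_USERS  # True means available

@enforce("CheckCaptcha")
def check_captcha(session, captcha):
    # The answer is consumed on first use, so repeated guesses get nothing.
    expected = SESSIONS.get(session, {}).pop("captcha", None)
    return expected is not None and expected == captcha
```

Every new Ajax endpoint must register a contract in POLICY before it can serve a request, which keeps the number of unvalidated inputs from growing with the number of endpoints.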