A Practical Guide to API Security and OAuth for the Enterprise
K. Scott Morrison, CTO and Chief Architect, Layer 7 Technologies, Inc.
Eve Maler, Principal Analyst, Forrester Research, Inc.
Housekeeping

Questions
- Chat any questions you have and we’ll answer them at the end of this call

Twitter
- Today’s event hashtag: #L7webinar
- Follow us on Twitter as well: @KScottMorrison, @xmlgrrl, @layer7, @forrester

facebook.com/layer7 | layer7.com/linkedin | layer7.com/blogs

Layer 7 Confidential   2
OAuth As A Serious API Security Tool
For Enterprises: A Practical Overview
Eve Maler, Principal Analyst

© 2009 Forrester Research, Inc. Reproduction Prohibited
“API economy” technologies and habits are trickling down into the enterprise.
Leverage OAuth’s strengths for modern service and app security scenarios while steering clear of its dangers.
Agenda
- Web services are opening up — and paying a security price.
- OAuth is a powerhouse of API security and SSO solutions.
- Leverage OAuth’s ascendance while minding its weaknesses.
Web APIs aren’t toys; they’re business-enabling tools for retail, content delivery, financial transactions . . .
Security pros’ control over developers diminishes with distance
A variety of pressures make traditional security and access control methods less viable
Web 2.0 players originally invented OAuth simply to solve the “password antipattern”
At base, OAuth lets a person delegate constrained access from one app to another

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
Using the OAuth approach helps manage risk, cost, and complexity in environments that need Zero Trust
- Gets client apps out of the business of storing passwords
- Allows for a variety of user authentication methods
- Allows app access to be tracked and revoked on a per-client basis
- Allows for least-privilege access to API features
- Can capture explicit user authorization for access
- Lowers the cost of secure app development
- Bonus: solves a much larger class of needs around security, identity, access, and privacy
In consumer-facing scenarios, services can audit who made each API call on whose behalf
- Third parties offer productivity apps to eBay sellers that list items and do other tasks through the eBay API
- These apps never see the seller’s eBay credentials
- They don’t merely “impersonate” the seller

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
In extranet and SaaS integration scenarios, services can consume SAML
- Partner apps integrate with the construction firm’s valve-design service
- On-site partner engineers log in to their home systems through a tablet
- They can then use apps that call the valve-design service through SAML SSO

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
OAuth-native SSO is “off label” but popular for unifying user-present and user-absent experiences

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
“Two-legged” userless A2A scenarios enable uniform auditing and compliance for low-level services
- Including services such as:
  - Calculating sales tax
  - Formatting shipping labels
  - Verifying credit card numbers
  - Performing HTML code checking
- Most scenarios separate these two server functions

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
Simplicity doesn’t have to equal insecurity — if you use and insist on good OAuth practices

Server-side
- Establish UX standards for users’ “consent ceremonies.”
- Use the strongest protocol options your ecosystem will tolerate.
- If you depend on password authentication, remember you’re not immune from user credential-stealing risks such as phishing.

Client-side
- Store OAuth tokens and other secrets securely.
- Fully protect the use of your callback endpoint.
- If your use of OAuth involves cryptographic algorithms, reuse a well-tested library.
So how can you maximize value in an OAuth-enabled future?
- Determine which scenarios resonate with your organization’s needs.
- Ask which SaaS providers are in a position to force your hand.
- If you will be publishing your own web APIs, catalog your client app requirements and constraints.
- Partner with enterprise architects to plan how OAuth token handling and your current SOA infrastructure need to interact.
- Accept some volatility around OAuth’s evolution — and even embrace it.
In particular, keep an eye on OAuth’s SSO futures
Thank you

Eve Maler
+1 425.345.6756
emaler@forrester.com
Twitter: @xmlgrrl
www.forrester.com
A Practical Guide to API Security and OAuth for the Enterprise
K. Scott Morrison, CTO and Chief Architect
First Let’s Nail the Terminology…
- Client
- Resource Owner (RO) (a.k.a., the User)
- Authorization Server (AS)
- Resource Server (RS)
Request Twitter (Client) Access – Facebook (AS)
Authorization Grant – Twitter (Client), Facebook (AS)

(Finger of Resource Owner)
Authorization Granted – Twitter (Client), Facebook (AS)
API Call (request for Protected Resource) from Twitter (Client) to Facebook (RS)
Manage Twitter (Client) Access – Facebook (AS)
Manage Flipboard (Client) Access – Facebook (AS)
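The flow walked through on the slides above (request access, grant, granted, API call, manage access), together with the per-client revocation and least-privilege bullets on the earlier Forrester slide and the callback-protection advice on the good-practices slide, as an added Python simulation; it is not part of the original deck or of Layer 7's toolkit. The client names, secrets, callback URIs, scope names and user are constructed, and the server-side "exact redirect_uri match" and "single-use code" checks are this example's choices, not anything the slides prescribe.

```python
# Constructed simulation of the deck's flow: the Client asks the AS for access,
# the RO grants it, the Client calls the RS, and the RO later revokes one app.
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    client_id: str
    user: str
    scope: frozenset
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    def __init__(self):
        # Hypothetical client registrations: secret plus the exact callback URI.
        self.clients = {
            "twitter": ("twitter-secret", "https://twitter.example/cb"),
            "flipboard": ("flipboard-secret", "https://flipboard.example/cb"),
        }
        self.codes = {}   # one-time code -> (client_id, redirect_uri, user, scope)
        self.tokens = {}  # bearer token -> Token

    def authorize(self, client_id, redirect_uri, scope, user):
        """The RO pressed 'allow': mint a single-use code bound to the client,
        its registered callback URI and the scope the RO actually granted."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:  # exact match guards the callback
            raise PermissionError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, frozenset(scope))
        return code

    def token(self, client_id, client_secret, code, redirect_uri, ttl=3600):
        """Exchange the code for a bearer token; the code is consumed, so a
        replayed exchange is rejected."""
        secret, _ = self.clients[client_id]
        if not secrets.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid, reused or mismatched code")
        _, _, user, scope = entry
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = Token(client_id, user, scope, time.time() + ttl)
        return tok

    def introspect(self, tok):
        """Return the token record if it is live, otherwise None."""
        t = self.tokens.get(tok)
        if t is None or t.revoked or t.expires_at < time.time():
            return None
        return t

    def revoke_client(self, user, client_id):
        """'Manage access' slides: the user removes one app; the rest keep working."""
        for t in self.tokens.values():
            if t.user == user and t.client_id == client_id:
                t.revoked = True


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.audit = []  # (client, user): who called, on whose behalf

    def get_recipe(self, tok, required="recipe:read"):
        """The demo's 'Get Recipe' call, guarded by token state and scope."""
        t = self.auth_server.introspect(tok)
        if t is None:
            return 401, "invalid_token"
        if required not in t.scope:  # least privilege per API feature
            return 403, "insufficient_scope"
        self.audit.append((t.client_id, t.user))
        return 200, "recipe payload"


def run_flow():
    """Drive the scenario end to end and return what each step observed."""
    aso = AuthorizationServer()
    rs = ResourceServer(aso)
    cb_tw, cb_fb = "https://twitter.example/cb", "https://flipboard.example/cb"
    code = aso.authorize("twitter", cb_tw, ["recipe:read"], "alice")
    tw = aso.token("twitter", "twitter-secret", code, cb_tw)
    try:  # the same code must not be exchangeable twice
        aso.token("twitter", "twitter-secret", code, cb_tw)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    code = aso.authorize("flipboard", cb_fb, ["recipe:read"], "alice")
    fb = aso.token("flipboard", "flipboard-secret", code, cb_fb)
    before = (rs.get_recipe(tw)[0], rs.get_recipe(fb)[0])
    write_attempt = rs.get_recipe(tw, required="recipe:write")[0]
    aso.revoke_client("alice", "twitter")  # the RO removes only the Twitter app
    after = (rs.get_recipe(tw)[0], rs.get_recipe(fb)[0])
    return {"replay_rejected": replay_rejected, "before": before,
            "write_attempt": write_attempt, "after": after, "audit": rs.audit}
```

The audit list is what the consumer-facing slide calls knowing "who made each API call on whose behalf": every entry pairs the client with the user, and revoking Twitter leaves Flipboard's entries and access untouched.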
Comprehensive REST Access Control Needs:

- OAuth Clients: Provisioning, Approval Flow, Persistence, Querying, Metrics
- OAuth Tokens: Persistence, Querying, Metrics, Revocation, Refresh
- Analytics: Reports, Monitoring, SLAs, Alerting
- OAuth Authorization Server: Policy Modeling, OAuth Protocol, Identity integration, Token issuing, Token refresh, SLA enforcement
- Protected Resource Server: Policy Modeling, Token validation, Bearer/MAC/SAML, Identity integration, Integrity check, API proxying, SLA enforcement

*all of this*
The Layer 7 OAuth Toolkit Provides:

*all of this* (every item in the list on the previous slide)

Omg, it’s full of win
Today’s Demo
- Client
- Resource Owner (RO) (a.k.a., the User)
- Authorization Server (AS)
- Resource Server (RS)
- Get Recipe
Demo

To View the Demo, Download a Recording of This Webinar in Layer 7 Resource Library: Layer7.com/library

Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?CA API Management
 
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...CA API Management
 
Your New Digital Business & APIs
Your New Digital Business & APIs Your New Digital Business & APIs
Your New Digital Business & APIs CA API Management
 

More from CA API Management (20)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?
 
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
 
Your New Digital Business & APIs
Your New Digital Business & APIs Your New Digital Business & APIs
Your New Digital Business & APIs
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

API Security and OAuth for the Enterprise

  • 1. A Practical Guide to API Security and OAuth for the Enterprise. K. Scott Morrison, CTO and Chief Architect, Layer 7 Technologies, Inc. Eve Maler, Principal Analyst, Forrester Research, Inc.
  • 2. Housekeeping.  Questions: chat any questions you have and we’ll answer them at the end of this call.  Twitter: today’s event hashtag is #L7webinar; follow us on Twitter as well: @KScottMorrison, @xmlgrrl, @layer7, @forrester. Also: facebook.com/layer7, layer7.com/linkedin, layer7.com/blogs. Layer 7 Confidential 2
  • 4. OAuth As A Serious API Security Tool For Enterprises: A Practical Overview Eve Maler, Principal Analyst © 2009 Forrester Research, Inc. Reproduction Prohibited Layer 7 Confidential 4
  • 5. “API economy” technologies and habits are trickling down into the enterprise. Leverage OAuth’s strengths for modern service and app security scenarios while steering clear of its dangers. Layer 7 Confidential 5
  • 6. Agenda Web services are opening up — and paying a security price. OAuth is a powerhouse of API security and SSO solutions. Leverage OAuth’s ascendance while minding its weaknesses. Layer 7 Confidential 6
  • 7. Web APIs aren’t toys; they’re business-enabling tools for retail, content delivery, financial transactions . . . Layer 7 Confidential 7
  • 8. Security pros’ control over developers diminishes with distance Layer 7 Confidential 8
  • 9. A variety of pressures make traditional security and access control methods less viable Layer 7 Confidential 9
  • 10. Agenda Web services are opening up — and paying a security price. OAuth is a powerhouse of API security and SSO solutions. Leverage OAuth’s ascendance while minding its weaknesses. Layer 7 Confidential 10
  • 11. Web 2.0 players originally invented OAuth simply to solve the “password antipattern” Layer 7 Confidential 11
  • 12. At base, OAuth lets a person delegate constrained access from one app to another Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report Layer 7 Confidential 12
  • 13. Using the OAuth approach helps manage risk, cost, and complexity in environments that need Zero Trust  Gets client apps out of the business of storing passwords  Allows for a variety of user authentication methods  Allows app access to be tracked and revoked on a per-client basis  Allows for least-privilege access to API features  Can capture explicit user authorization for access  Lowers the cost of secure app development  Bonus: solves a much larger class of needs around security, identity, access, and privacy Layer 7 Confidential 13
  • 14. In consumer-facing scenarios, services can audit who made each API call on whose behalf  Third parties offer productivity apps to eBay sellers that list items and do other tasks through the eBay API  These apps never see the seller’s eBay credentials  They don’t merely “impersonate” the seller Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report Layer 7 Confidential 14
  • 15. In extranet and SaaS integration scenarios, services can consume SAML  Partner apps integrate with the construction firm’s valve-design service  On-site partner engineers log in to their home systems through a tablet  They can then use apps that call the valve-design service through SAML SSO Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report Layer 7 Confidential 15
  • 16. OAuth-native SSO is “off label” but popular for unifying user-present and user-absent experiences Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report Layer 7 Confidential 16
  • 17. “Two-legged” userless A2A scenarios enable uniform auditing and compliance for low-level services  Including services such as: - Calculating sales tax - Formatting shipping labels - Verifying credit card numbers - Performing HTML code checking  Most scenarios separate these two server functions Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report Layer 7 Confidential 17
  • 18. Agenda Web services are opening up — and paying a security price. OAuth is a powerhouse of API security and SSO solutions. Leverage OAuth’s ascendance while minding its weaknesses. Layer 7 Confidential 18
  • 19. Simplicity doesn’t have to equal insecurity — if you use and insist on good OAuth practices. Server-side: Establish UX standards for users’ “consent ceremonies.” Use the strongest protocol options your ecosystem will tolerate. If your use of OAuth involves cryptographic algorithms, reuse a well-tested library. Client-side: Store OAuth tokens and other secrets securely. Fully protect the use of your callback endpoint. If you depend on password authentication, remember you’re not immune from user credential-stealing risks such as phishing. Layer 7 Confidential 19
  • 20. So how can you maximize value in an OAuth-enabled future?  Determine which scenarios resonate with your organization’s needs.  Ask which SaaS providers are in a position to force your hand.  If you will be publishing your own web APIs, catalog your client app requirements and constraints.  Partner with enterprise architects to plan how OAuth token handling and your current SOA infrastructure need to interact.  Accept some volatility around OAuth’s evolution — and even embrace it. Layer 7 Confidential 20
  • 21. In particular, keep an eye on OAuth’s SSO futures Layer 7 Confidential 21
  • 22. Thank you Eve Maler +1 425.345.6756 emaler@forrester.com Twitter: @xmlgrrl www.forrester.com © 2009 Forrester Research, Inc. Reproduction Prohibited
  • 23. A Practical Guide to API Security and OAuth for the Enterprise  K. Scott Morrison CTO and Chief Architect
  • 24. First Let’s Nail the Terminology… Client; Resource Owner (RO) (a.k.a., the User); Authorization Server (AS); Resource Server (RS). Layer 7 Confidential 24
  • 25. Request Twitter (Client) Access – Facebook (AS) Layer 7 Confidential 25
  • 26. Authorization Grant – Twitter (Client), Facebook (AS) Finger of Resource Owner Layer 7 Confidential 26
  • 27. Authorization Granted – Twitter (Client), Facebook (AS) Layer 7 Confidential 27
  • 28. API Call (request for Protected Resource) from Twitter (Client) to Facebook (RS) Layer 7 Confidential 28
  • 29. Manage Twitter (Client) Access – Facebook (AS) Layer 7 Confidential 29
  • 30. Manage Flipboard (Client) Access – Facebook (AS) Layer 7 Confidential 30
  • 31. Comprehensive REST Access Control Needs (*all of this*). OAuth Clients: provisioning, persistence, querying, metrics. OAuth Tokens: approval flow, persistence, querying, revocation, metrics, refresh. OAuth Autz Server: policy modeling, OAuth protocol (Bearer, MAC, SAML), identity integration, token issuing, token refresh, SLA enforcement. Prot Res Server: policy modeling, token validation, identity integration, integrity check, API proxying, SLA enforcement. Analytics: reports, monitoring, SLAs, alerting. Layer 7 Confidential 31
  • 32. The Layer 7 OAuth Toolkit Provides (*all of this*). OAuth Clients: provisioning, persistence, querying, metrics. OAuth Tokens: approval flow, persistence, querying, revocation, metrics, refresh. OAuth Autz Server: policy modeling, OAuth protocol (Bearer, MAC, SAML), identity integration, token issuing, token refresh, SLA enforcement. Prot Res Server: policy modeling, token validation, identity integration, integrity check, API proxying, SLA enforcement. Analytics: reports, monitoring, SLAs, alerting. Omg, it’s full of win. Layer 7 Confidential 32
  • 33. Today’s Demo: Client; Resource Owner (RO) (a.k.a., the User); Authorization Server (AS); Resource Server (RS); Get Recipe. Layer 7 Confidential 33
  • 34. Demo To View the Demo, Download a Recording of This Webinar in Layer 7 Resource Library Layer7.com/library Layer 7 Confidential 34
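The delegation flow the deck describes on slides 12 through 14 and walks through on slides 24 through 30 (request access, authorization grant, API call, per-client access management), together with the least-privilege and callback-protection points on slides 13 and 19, as an added example that is not part of the webinar deck or of Layer 7’s OAuth toolkit. It is an in-process Python simulation of the four OAuth roles named on slide 24; the client id, redirect URI, user name, scope strings and the “Get Recipe” operations are constructed, and the `state` value is the standard OAuth 2.0 `state` parameter, which the slides do not name.

```python
import secrets
import time

# Required scope per protected operation on the (constructed) recipe API.
SCOPE_FOR = {"get_recipe": "recipes:read", "update_recipe": "recipes:write"}


class AuthorizationServer:
    # Issues one-time codes and bearer tokens; the resource owner consents
    # and revokes here, one client at a time.
    def __init__(self, clients):
        self.clients = clients   # client_id -> exact registered redirect_uri
        self.codes = {}          # code -> (client_id, user, scopes)
        self.tokens = {}         # token -> {"client_id", "user", "scopes", "exp"}

    def authorize(self, client_id, redirect_uri, user, granted_scopes, state):
        # Exact-match the redirect_uri against the registration; a prefix
        # match would let a code be delivered to an unregistered endpoint.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(granted_scopes))
        # state is echoed back untouched so the client can tie the callback
        # to the flow it started.
        return {"code": code, "state": state}

    def exchange(self, client_id, code):
        entry = self.codes.pop(code, None)   # a code is single-use
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid, replayed or foreign code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "user": entry[1],
                              "scopes": entry[2], "exp": time.time() + 3600}
        return token

    def introspect(self, token):
        # Token metadata, or None when unknown, revoked or expired.
        info = self.tokens.get(token)
        if info is None or info["exp"] < time.time():
            return None
        return info

    def revoke_client(self, user, client_id):
        # Per-client revocation: other clients' tokens for this user survive.
        doomed = [t for t, i in self.tokens.items()
                  if i["user"] == user and i["client_id"] == client_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


class ResourceServer:
    # Validates bearer tokens through the AS, enforces scope, and records
    # which client acted on whose behalf for every call.
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.audit_log = []   # (client_id, user, operation, status)

    def call(self, token, operation):
        info = self.auth_server.introspect(token)
        if info is None:
            self.audit_log.append(("?", "?", operation, 401))
            return 401
        status = 200 if SCOPE_FOR[operation] in info["scopes"] else 403
        self.audit_log.append((info["client_id"], info["user"], operation, status))
        return status


class Client:
    # The delegated app: never sees the user's password and keeps one
    # unguessable state value per flow it starts.
    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def start_authorization(self):
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def handle_callback(self, auth_server, code, state):
        # Drop callbacks whose state this client never issued.
        if state not in self.pending_states:
            raise PermissionError("callback state unknown: flow not started here")
        self.pending_states.discard(state)   # one-time use
        return auth_server.exchange(self.client_id, code)


def run_demo():
    redirect = "https://recipe-app.example/callback"   # constructed value
    auth = AuthorizationServer({"recipe-app": redirect})
    rs = ResourceServer(auth)
    client = Client("recipe-app", redirect)
    state = client.start_authorization()
    # Resource owner "alice" consents to read-only access for this client.
    cb = auth.authorize("recipe-app", redirect, "alice", ["recipes:read"], state)
    token = client.handle_callback(auth, cb["code"], cb["state"])
    read = rs.call(token, "get_recipe")        # 200
    write = rs.call(token, "update_recipe")    # 403: scope never granted
    revoked = auth.revoke_client("alice", "recipe-app")
    after = rs.call(token, "get_recipe")       # 401: token is gone
    return {"read": read, "write": write, "revoked": revoked,
            "after_revoke": after, "audit": rs.audit_log}
```

Calling `run_demo()` walks the whole sequence: the client never handles alice’s password, the resource server’s audit log records the client id and the user for every call, the write attempt fails because only `recipes:read` was granted, and revoking the one client leaves any other client’s tokens untouched. The client-side `state` check and the authorization server’s exact `redirect_uri` comparison are the two concrete pieces behind slide 19’s “fully protect the use of your callback endpoint.”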