Eduards Salnikovs, profile picture
Uploaded byEduards Salnikovs
PPTX, PDF140 views

API security

An API security expert presented on common API security risks and best practices. The document discussed an API bug at Google that may have exposed over 500,000 user profiles since 2015. It then covered common causes of data breaches and costs associated with them. The rest of the document outlined strategies for securing APIs, including using standards like OAuth for authentication and authorization, and implementing controls like access logging and monitoring, and input validation. It stressed the importance of limiting data exposure and enforcing access policies and permissions.

Embed presentation

Download to read offline
API security Do I expose more than I should? Eduards Salnikovs Group IT Security Day 11.10.2018
October 8, 2018 "Google announced it is shutting down the Google+ social network after its engineers found an API bug that might have exposed private profile data for more than 500,000 users. Google said it couldn't determine which users were impacted by this bug because the API was designed to keep logs for only two weeks. Bug might have leaked user data since 2015."
Breach causes 47% planned attack 28% system fault 25% human factor Data breach trends 279 days average time to identify breach 67% of costs occur in the 1st year from breach Response team formation reduces costs on average by $360K $3.9 million average cost of data breach * Source: IBM/Ponemon Cost Of Data Breach Report 2018
* Growing digitalization demands, via ProgrammableWeb Changing landscape of data protection… • 1994: Get me a domain and a page • 2000: Make my pages interactive • 2006: Facebook goes public • 2008: Whatsapp • 2010: Integrate APIs with developers • 2018: PSD2 and GDPR
5 ...and shifting boundaries in architecture Data owners Data consumers Machine users and data consumers Private or Public Authorization and data segregation Authentication Authentication Future state Local Applications Global API Platform
API common threats and security risk exposure Broken function level authorization Excessive data exposure Lack of resources and rate limiting Broken object level authorization Broken user authentication Mass assignment Security misconfiguration Injection Improper assets managmeent Insufficient logging and monitoring * Source: OWASP Ten Most Critical API Security Risks in 2019
Traditional four lines of API defence 7 Do I expose more than I should?
Federation:  Authentication layer on top of OAuth  Open industry standard: OpenID Connect  Separation of user from the system requiring access  Allowing userstobeauthenticatedbyrelying parties  Eliminating theneedforlocalapploginfunctionality  Allowing userstologintomultiplesiteswithoutseparateidentityforeach
Authentication:  Answering and verifying ‘Who you are’  Open industry standard: OpenID Connect  Identity validation as presented in:  TYPE IAcceptingproofofidentitygiven byacredibleperson/entity  TYPE IIComparingtheattributesoftheobjecttowhatisknownaboutit  TYPE IIIRelianceonanymiscexternalaffirmations
Authorization:  Answering and verifying ‘What can you access’  Open industry standard: OAuth  With fine grained segregation of rights as:  XACML modelorsimilarimplementationi.e.OracleEntitlementsServer  Databaseobjectlevelaccesssegregationi.e.OracleVirtualPrivateDatabase  Anyothercustomsolution
Delegation:  Open industry standard: OAuth  With access delegation problems solved:  Reductionofpasswordsharingbetweenusersandthird-parties  Easinessofaccessrevocation
OAuth access control in a nutshell 12 Resource owner End user Client Mobile app, Web site... Resource Server Service that exposes data through API Authorization server OAuth Security Token Service Access token Refresh token
13 Reference architecture helper assets Access Control Translation Traffic Management Security and Encryption Logging and Monitoring API Catalogue Automatic Build and Test Artifact Repository Runtime Management API Management Key, Token and Certificate Management Design Center Security threat protection DevOps and Discovery Runtime Developers Apps
Related activities to development lifecycle 14 Design Development Testing Maintenance • Sensitive data handling* • Least priviledge principle • Encryption and signatures • Best practices • Static analisys • Data input validation • Error handling • Type checking • Security testing • Dynamic analisys • Penetration testing • Data segregation • OWASP • Logging and auditing • Custom error messages • Quotas and throttling • IP Whitelisting • One-way, two-way TLS * See next slide
What should be considered as sensitive data • Identification data: personal identifiers, etc. • Personal characteristics: personal details, habits, personality, character, race,.. • Family circumstances: family details, current marriage, marital history,.. • Social circumstances: accommodation, professions, immigration, lifestyle,.. • Employment details: currently employment, employment history,.. • Health: physical & mental health record, disabilities, sexual life,.. • Financial details: income, debts, loans, property,.. • Other data: reference to records or manual files, criminal records,.. 15
API Implementation security checklist Create API key for data consumer Enable logging and auditing with sensitive data scrambling Apply IP whitelisting and throttling where applicable Enforce developer role and permission policy Ensure use of one-way/two-way TLS Mask and encrypt data at-rest and in-transit Inform data owners of new data consumers and exposure
API security

More Related Content

PPTX
MCAS High Level Architecture May 2021
byMatt Soseman
 
PPTX
20181213 - wazug protecting your data with azure ad
byArjan Cornelissen
 
PPTX
Cloud App Security
byAlvaro Rezende
 
PDF
Microsoft Cloud App Security CASB
byAmmar Hasayen
 
PDF
Decriminalize Your Colleagues - How to Address Shadow IT in the Enterprise
byBoxHQ
 
PDF
O365Con18 - Protecting your Data in Office 365 - Arjan Cornelissen
byNCCOMMS
 
PPTX
Secure File Sharing Basics - What Every File Sharing Provider Should Have
byBoxHQ
 
PDF
Bhadale group of companies it cloud security catalogue
byVijayananda Mohire
 
MCAS High Level Architecture May 2021
byMatt Soseman
 
20181213 - wazug protecting your data with azure ad
byArjan Cornelissen
 
Cloud App Security
byAlvaro Rezende
 
Microsoft Cloud App Security CASB
byAmmar Hasayen
 
Decriminalize Your Colleagues - How to Address Shadow IT in the Enterprise
byBoxHQ
 
O365Con18 - Protecting your Data in Office 365 - Arjan Cornelissen
byNCCOMMS
 
Secure File Sharing Basics - What Every File Sharing Provider Should Have
byBoxHQ
 
Bhadale group of companies it cloud security catalogue
byVijayananda Mohire
 

What's hot

PDF
2020-03-05 Secure IT day 2020 Abalon - comment protéger votre environnement ...
byPatrick Guimonet
 
PDF
Protect your business with identity and access management in the cloud
byMicrosoft
 
PPTX
apidays LIVE New York 2021 - Securing access to high performing API in a regu...
byapidays
 
PPTX
Webinar Express: What is a CASB?
byBitglass
 
PDF
Protect customer's personal information eng 191018
bysang yoo
 
PPTX
Microsoft Cloud Application Security Overview
bySyed Sabhi Haider
 
PDF
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
PDF
Microsoft Cloud App Security
byMicrosoft
 
PPTX
Codeless Security for the Apps You Buy & Build on AWS
byCloudLock
 
PDF
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
byCloudLock
 
PDF
Stefan van der Wiele | Protect users identities and control access to valuabl...
byMicrosoft Österreich
 
PDF
CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?
byCloudIDSummit
 
PPTX
Microsoft Cloud App Security Demo
byCheah Eng Soon
 
PDF
Box Security Whitepaper
byBoxHQ
 
PPTX
2 Modern Security - Microsoft Information Protection
byAndrew Bettany
 
PPTX
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
byBitglass
 
PDF
Introduction to Microsoft Enterprise Mobility + Security
byAntonioMaio2
 
PDF
Stop Hackers with Integrated CASB & IDaaS Security
byCloudLock
 
PDF
Msft cloud architecture_security_commonattacks
byAkram Qureshi
 
PPTX
1 Modern Security - Keynote
byAndrew Bettany
 
2020-03-05 Secure IT day 2020 Abalon - comment protéger votre environnement ...
byPatrick Guimonet
 
Protect your business with identity and access management in the cloud
byMicrosoft
 
apidays LIVE New York 2021 - Securing access to high performing API in a regu...
byapidays
 
Webinar Express: What is a CASB?
byBitglass
 
Protect customer's personal information eng 191018
bysang yoo
 
Microsoft Cloud Application Security Overview
bySyed Sabhi Haider
 
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
Microsoft Cloud App Security
byMicrosoft
 
Codeless Security for the Apps You Buy & Build on AWS
byCloudLock
 
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
byCloudLock
 
Stefan van der Wiele | Protect users identities and control access to valuabl...
byMicrosoft Österreich
 
CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?
byCloudIDSummit
 
Microsoft Cloud App Security Demo
byCheah Eng Soon
 
Box Security Whitepaper
byBoxHQ
 
2 Modern Security - Microsoft Information Protection
byAndrew Bettany
 
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
byBitglass
 
Introduction to Microsoft Enterprise Mobility + Security
byAntonioMaio2
 
Stop Hackers with Integrated CASB & IDaaS Security
byCloudLock
 
Msft cloud architecture_security_commonattacks
byAkram Qureshi
 
1 Modern Security - Keynote
byAndrew Bettany
 

Similar to API security

PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
PDF
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
byapidays
 
PDF
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
byapidays
 
PPTX
apidays LIVE India 2022 - The Future of API’s Security.pptx
byapidays
 
PDF
2022 APIsecure_Shift Left API Security - The Right Way
byAPIsecure_ Official
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PDF
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
PDF
How to Achieve Agile API Security
byApigee | Google Cloud
 
PPTX
API Security from the DevOps and CSO Perspectives (Webcast)
byApigee | Google Cloud
 
PDF
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
PDF
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
PPTX
Executing on API Developer Experience
bySmartBear
 
PDF
apidays LIVE London 2021 - Moving from a Product as API to API as a Product b...
byapidays
 
PDF
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PDF
2022 APIsecure_Harnessing the Speed of Innovation
byAPIsecure_ Official
 
PDF
API Vulnerabilties and What to Do About Them
byEoin Woods
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
PPTX
2022 APIsecure_Securing APIs with Open Standards
byAPIsecure_ Official
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
byapidays
 
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
byapidays
 
apidays LIVE India 2022 - The Future of API’s Security.pptx
byapidays
 
2022 APIsecure_Shift Left API Security - The Right Way
byAPIsecure_ Official
 
API Security Best Practices and Guidelines
byWSO2
 
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
How to Achieve Agile API Security
byApigee | Google Cloud
 
API Security from the DevOps and CSO Perspectives (Webcast)
byApigee | Google Cloud
 
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
Executing on API Developer Experience
bySmartBear
 
apidays LIVE London 2021 - Moving from a Product as API to API as a Product b...
byapidays
 
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
2022 APIsecure_Harnessing the Speed of Innovation
byAPIsecure_ Official
 
API Vulnerabilties and What to Do About Them
byEoin Woods
 
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
2022 APIsecure_Securing APIs with Open Standards
byAPIsecure_ Official
 

Recently uploaded

PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 

API security

  • 1.
    API security Do Iexpose more than I should? Eduards Salnikovs Group IT Security Day 11.10.2018
  • 2.
    October 8, 2018 "Googleannounced it is shutting down the Google+ social network after its engineers found an API bug that might have exposed private profile data for more than 500,000 users. Google said it couldn't determine which users were impacted by this bug because the API was designed to keep logs for only two weeks. Bug might have leaked user data since 2015."
  • 3.
    Breach causes 47% plannedattack 28% system fault 25% human factor Data breach trends 279 days average time to identify breach 67% of costs occur in the 1st year from breach Response team formation reduces costs on average by $360K $3.9 million average cost of data breach * Source: IBM/Ponemon Cost Of Data Breach Report 2018
  • 4.
    * Growing digitalizationdemands, via ProgrammableWeb Changing landscape of data protection… • 1994: Get me a domain and a page • 2000: Make my pages interactive • 2006: Facebook goes public • 2008: Whatsapp • 2010: Integrate APIs with developers • 2018: PSD2 and GDPR
  • 5.
    5 ...and shifting boundariesin architecture Data owners Data consumers Machine users and data consumers Private or Public Authorization and data segregation Authentication Authentication Future state Local Applications Global API Platform
  • 6.
    API common threatsand security risk exposure Broken function level authorization Excessive data exposure Lack of resources and rate limiting Broken object level authorization Broken user authentication Mass assignment Security misconfiguration Injection Improper assets managmeent Insufficient logging and monitoring * Source: OWASP Ten Most Critical API Security Risks in 2019
  • 7.
    Traditional four linesof API defence 7 Do I expose more than I should?
  • 8.
    Federation:  Authentication layeron top of OAuth  Open industry standard: OpenID Connect  Separation of user from the system requiring access  Allowing userstobeauthenticatedbyrelying parties  Eliminating theneedforlocalapploginfunctionality  Allowing userstologintomultiplesiteswithoutseparateidentityforeach
  • 9.
    Authentication:  Answering andverifying ‘Who you are’  Open industry standard: OpenID Connect  Identity validation as presented in:  TYPE IAcceptingproofofidentitygiven byacredibleperson/entity  TYPE IIComparingtheattributesoftheobjecttowhatisknownaboutit  TYPE IIIRelianceonanymiscexternalaffirmations
  • 10.
    Authorization:  Answering andverifying ‘What can you access’  Open industry standard: OAuth  With fine grained segregation of rights as:  XACML modelorsimilarimplementationi.e.OracleEntitlementsServer  Databaseobjectlevelaccesssegregationi.e.OracleVirtualPrivateDatabase  Anyothercustomsolution
  • 11.
    Delegation:  Open industrystandard: OAuth  With access delegation problems solved:  Reductionofpasswordsharingbetweenusersandthird-parties  Easinessofaccessrevocation
  • 12.
    OAuth access controlin a nutshell 12 Resource owner End user Client Mobile app, Web site... Resource Server Service that exposes data through API Authorization server OAuth Security Token Service Access token Refresh token
  • 13.
    13 Reference architecture helperassets Access Control Translation Traffic Management Security and Encryption Logging and Monitoring API Catalogue Automatic Build and Test Artifact Repository Runtime Management API Management Key, Token and Certificate Management Design Center Security threat protection DevOps and Discovery Runtime Developers Apps
  • 14.
    Related activities todevelopment lifecycle 14 Design Development Testing Maintenance • Sensitive data handling* • Least priviledge principle • Encryption and signatures • Best practices • Static analisys • Data input validation • Error handling • Type checking • Security testing • Dynamic analisys • Penetration testing • Data segregation • OWASP • Logging and auditing • Custom error messages • Quotas and throttling • IP Whitelisting • One-way, two-way TLS * See next slide
  • 15.
    What should beconsidered as sensitive data • Identification data: personal identifiers, etc. • Personal characteristics: personal details, habits, personality, character, race,.. • Family circumstances: family details, current marriage, marital history,.. • Social circumstances: accommodation, professions, immigration, lifestyle,.. • Employment details: currently employment, employment history,.. • Health: physical & mental health record, disabilities, sexual life,.. • Financial details: income, debts, loans, property,.. • Other data: reference to records or manual files, criminal records,.. 15
  • 16.
    API Implementation securitychecklist Create API key for data consumer Enable logging and auditing with sensitive data scrambling Apply IP whitelisting and throttling where applicable Enforce developer role and permission policy Ensure use of one-way/two-way TLS Mask and encrypt data at-rest and in-transit Inform data owners of new data consumers and exposure

Editor's Notes

  • #4 SPEAKER: As many of you have pointed out – our values provide us with a kind of internal compass that helps us understand how to behave in different situations and make decisions, both internally and externally.
  • #5 SPEAKER: Welcome to the workshop! Introduce yourself and all other facilitators. If the participants do not know each other, provide some extra time for brief introductions. Before we get started, we like to take a few minutes and set the stage by listening to a short message from our CEO, Mikael Ericsson. Then show the short film from Michael.
  • #7 API Security Chapter 12, IT Security Instruction: Strong authentication (two-factor-authentication) shall be used to access confidential and restricted data if these are made available through a web interface or API over an open network. Chapter 31, IT Security Instruction: For externally accessible services, secure communication channels based on strong ciphers suites as defined by NIST shall always be used. Use of weak ciphers is prohibited, to ensure high resistance to cryptanalysis by unauthorized parties. An Application Programming Interface (API) is basically a set of requirements that govern how applications can interact with each other. In the 24/7 connected world that we live in API’s have become a major component in Intrum’s business strategy. Unfortunately the number of reported breaches in various industries through insecure API’s are plenty and new ones are reported almost weekly. Required Security controls depend on several parameters and may not be the same for all API’s. An API that is used to provide stock prices may not require the same level of security as and API that is used for uploading or modifying debtor information. The starting point for each API assessment should however be the expectation that EVERYONE WANTS OUR DATA. This guideline document is not meant to provide a mandatory level of security for all API’s, it does however provide a list of components that should be considered. See the IT Security instructions for more details about each item to determine under which circumstances a control is mandatory. Authentication (who?) and Authorization (What): The API must have a way to authenticate and authorize the client. The client in this context is the user, service, script or similar which initiates the API Call). For web authentication this is commonly done through a dialog which asks the user to submit a username and password and additional factors are required (Multi-Factor-Authentication). API’s often use some sort of access token (preferred method). Authorization should be based on the least privilege principle (e.g. if the client is only authorized to perform a get request it should not be able to perform a POST). Stick to best practices and recognized standards like, OAuth 2.0, JSON Web Tokens. (NOTE: if OAuth 1.0 is currently in use this is not a problem but since OAuth 2.0 is easier to implement and less error prone this is considered to be a better option moving forward). Several large cloud providers have stopped supporting version 1.0 already. Basic authentication is strongly discouraged but if it must be used and the previous options are not possible then it should be used together with Hash-based Message Authentication Code (HMAC) and an arbitrary number (nonce) to reduce the risk from a Replay Attack. The nonce can for instance be a timestamp which also provides the ability to ignore any messages older than a predefined time window. Set expiration periods on tokens. Expiration periods depend on several factors but should be as small as possible. Whitelisting and filtering Consider IP whitelisting if this is possible. IP whitelisting would only allow connections from trusted IP’s and rejecting all others. Use robot.txt file to avoid indexing by search engines like google and Bing. Data Validation Input validation. All input should be validated based on string, length, content. Invalid input should be logged and be rejected for processing on the back-end server Output validation. Any output should be validated based on string, length, content. Invalid output should be logged and dropped. HTTP Security Headers Use HTTP Security headers to prevent common attacks like clickjacking, cross-site-scripting. Best practices and options are explained here. Error messages Use customized error messages and avoid leaking of technical or other information that can be used by an attacker to prepare a more sophisticated attack. Encryption and signatures. At a minimum the transport layer should be encrypted for any information that may be considered as sensitive (PII, credentials, etc.). Only use strong cryptographic controls (Strong TLS and strong ciphers). Encryption and Signatures are often used in conjunction; the signature could be encrypted to only allow certain parties to validate if a signature is valid - or the encrypted data could be signed to further ensure that data is neither seen nor modified by unwanted parties. See more on HMAC here. Use HTTP Strict Transport Security (HSTS) to force HTTPS. This will force any further communication between the client and the server is requested via HTTPS. Only use certificates from an authorized and recognized Certificate Authority (Internal applications may use certificates from an internal CA, Self-signed certificates are not trusted by default by all clients and should be avoided) Understand which vulnerabilities may be applicable. There are many different attacks with different methods and targets (see threat modeling and OWASP/SANS lists earlier in this document) Network / OS / Driver: issues in the operating system and network components (e.g. buffer overruns, flooding with sockets, DOS attacks) Application layer: issues in the hosting application server and related services (e.g. message parsing, session hijacking or security misconfigurations). API / component: functional issues in the actual API (e.g. injection attacks, sensitive data exposure, incomplete access control). API’s must not be published with known vulnerabilities (See paragraph 6.7 in this document and chapters 17 & 29 of the Group IT Security Instructions) Use Quota’s and Throttling. Quota’s (e.g. 5MB per day or 1 message per day) and throttling (e.g. 5 connections per source IP, or 20 messages per 30 seconds) can be used to protect against (D)DoS attacks and changes is traffic behavior (e.g. thousand instead of the normally observer 5 per minute) may indicate a brute-force attack and require investigation. Violations should result in an automated lockout of the IP/User and should only be allowed again after confirmation. Independent security assessment. Let the API be assessed by a trained resource (internal or external). The resource should use a combination of vulnerability scanning and penetration testing to do an independent security assessment before the API is published. The assessment should include a combination of automated and manual testing against the OWASP top 10 vulnerability list. Use HTTP method whitelisting. Only allow relevant HTTP methods (e.g. if the API should only be used for GET requests then whitelist this methods and use a default deny for all other methods) Logging & auditing. A trace log should be available so access attempts and activities are logged and can be traced back to the source. Available options may differ based on the type of API: Identifier (username, CustomerID, ServiceID, etc.). Source IP Method (get, update, list, etc.). Timestamp Allowed or rejected status Service-type (SOAP, JSON, XML), User Agent. Etc. Consider the use of security tools and API gateways. Using security tools or an API gateway will allow for streamlined API security controls and centralized management of the controls mentioned above (cryptography, throttling, logging, filtering, etc.). Group IT is working on the implementation of an API gateway. The organization should align with the enterprise architect to determine requirements and responsibility boundaries.  
  • #9 SPEAKER: We have three primary objectives today: Firstly, we want to create a shared understanding of our brand identity and how it all fits together. We also want to dig deeper into our values and discover what they mean in our everyday working lives. And finally, we want to inspire and build curiosity in the whole company. This is a long-term engagement process, it’s not over when we are done here today – it’s actually only just begun. But we have to start somewhere!
  • #10 SPEAKER: We have three primary objectives today: Firstly, we want to create a shared understanding of our brand identity and how it all fits together. We also want to dig deeper into our values and discover what they mean in our everyday working lives. And finally, we want to inspire and build curiosity in the whole company. This is a long-term engagement process, it’s not over when we are done here today – it’s actually only just begun. But we have to start somewhere!
  • #11 SPEAKER: We have three primary objectives today: Firstly, we want to create a shared understanding of our brand identity and how it all fits together. We also want to dig deeper into our values and discover what they mean in our everyday working lives. And finally, we want to inspire and build curiosity in the whole company. This is a long-term engagement process, it’s not over when we are done here today – it’s actually only just begun. But we have to start somewhere!
  • #12 SPEAKER: We have three primary objectives today: Firstly, we want to create a shared understanding of our brand identity and how it all fits together. We also want to dig deeper into our values and discover what they mean in our everyday working lives. And finally, we want to inspire and build curiosity in the whole company. This is a long-term engagement process, it’s not over when we are done here today – it’s actually only just begun. But we have to start somewhere!