API Security and Management Best Practices

A look at the high-level considerations for controlling, metering and monitoring APIs from test through to production.

Technology

API Security and Management
Best Practices
K Scott Morrison
CTO & Chief Architect

Feb 26, 2012

Researchers have discovered
that the national divorce rate
has been falling since 2006…

2007: 3.6 divorces per 1000 people
2008: 3.5 divorces per 1000 people
2009: 3.4 divorces per 1000 people

So, does this mean people are getting better at relationships?

Source: Slate http://slate.me/wGf9et

They require
^
maintenance.
very high
high

This talk is about how to
have a successful
API relationship.

Best Practice #1

It takes two to tango.

Successful
relationships
are built on
trust and
equality

BP #2

Understand and
respect the cultural
differences.

The New Identity Management

API Users API Developers
External Internal

APIs change composition
of internal teams
Product API
CFO
Manager Developer
Business Security
Manager Officer

BP #4

Take security away
from developers.

Separation of
Concerns
API
Server

API
Expert
API
Proxy
Security
Expert

SQL Injection (courtesy
XKCD)
Exploits of a Mom

Source: https://xkcd.com/327/

BP #7

It’s still all about
access control.

BP #9

Manage
misconfiguration risk
with appliances.

Protect the
Servers API
Client

Firewall

API
Proxy

DMZ

API
Server Secure
Zone Enterprise
Network

The New Governance
Old New
Documentation WSDL Wiki/Blog
Discovery Reg/Rep Search
Approval G10 Platform Email
Enforcement Gateway Gateway
User Provisioning IAM Portal
Community What’s that? Forum

The Layer 7 API
Developer Portal
API
Client

Firewall

iPhone
API
Developer
Proxy

API API
Server Portal

Enterprise
Network

To Summarize:
 The game has changed
Clients need attention

 The security problems are the same
But the names have changed

 Don’t just build APIs
Build secure and managed APIs

Don’t Miss @RSA Conference
2012
 ASEC-402: Hacking’s Gilded Age: How APIs Will
Increase IT Risk
K. Scott Morrison
Friday, March 02 10:10 a.m.
Room 302

 STAR-402: Enterprise Access Control Patterns for
REST and Web API
Francois Lascelles
Friday, March 02 10:10 a.m.
Room 304

Yes, they are at the same time. You
must choose…

Picture Credits
 Antelope Canyon 4 by klsmith– stock.exchg
 Band silhouettes by mr_basmt– stock.exchg

For further information:

K. Scott Morrison
Chief Technology Officer & Chief Architect
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377

smorrison@layer7tech.com
http://www.layer7tech.com

February 2012

In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: · What makes API Security different from web application security · The top 10 common API security vulnerabilities · Examples and mitigation strategies for each of the risks

API Security from the DevOps and CSO Perspectives (Webcast)

APIs accelerate agility, empower developers, and enable innovative business strategies. But how do you ensure the security of your API architecture as you expose your corporate data to mobile apps, developers, and partners? Does your API security framework enable DevOps agility and a scalable security model for IT? Join Apigee’s Tim Mather and Subra Kumaraswamy as they discuss API security considerations for DevOps, CSOs, and security professionals. Learn about API security, threat protection, identity capabilities, infrastructure security, and compliance.

OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud

APISecurity_OWASP_MitigationGuide

Isabelle Mauny

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Akana

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security or mobile application security.

Checkmarx meetup API Security - API Security in depth - Inon Shkedy

Adar Weidman

What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management? Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can - provide visibility for all security threats targeting their backend services - control access to sensitive data - end-to-end - enable developers to build secure apps with secure APIs - facilitate secure access with partners and developers

Guidelines to protect your APIs from threats

Isabelle Mauny

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

By now you’ve bought into the idea of using APIs to integrate cloud, mobile devices and the enterprise. But are building safe APIs? One insecure API can increase your organization’s risk profile exponentially. Securing APIs is not like securing the web—a point lost on many developers coming from a web-centric background. Learn what good practices to put in place and the common security anti-patterns you must avoid to ensure your company’s APIs are reliable, safe and secure. You will learn: • The top ways hackers exploit APIs in the wild • Common identity pitfalls and how to avoid them • Why OAuth scopes are essential to master • How to keep web developers from bringing bad habits with them

API Security In Cloud Native Era

WSO2

The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to its proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome. In this deck, we discuss: - The need for API/Microservices Security - The importance of delegating security enforcement to an API Gateway - API Authentication and Authorization methodologies - OAuth2 - The de-facto standard of API Authentication - Protection against cyber attacks and anomalies - Security aspects to consider when designing Single Page Applications (SPAs) Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/

42crunch-API-security-workshop

If you ask about API security, you will be most likely be told about OAuth2, may be OpenID Connect and of course TLS. But in order to properly secure APIs, you will have to address many other aspects. This presentation cover key concepts related to API Security, as well as practical tools/solutions to address the overall issue, such as: - Transport and message encryption. - Digital Signatures - Auditing and non-repudiation - SecDevOps and security as code - Coding best practices and how to enforce them - Infrastructure Best Practices

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...

The adoption of Mobile and Cloud applications drives API traffic across domains. OAuth 2.0 is being implemented in complex enterprise environments where new authorization endpoints are combined with various existing identity components, in various configurations. Handshakes are federated to help provide a single sign-on experience across applications and enhance adoption. Mediation between tokens at the edge of each domain helps extend existing data to new channels. Core grant types, extension grant types, custom schemes, standards, patterns and use cases – let us count the ways in which API access control is applied. This presentation will examine the role of API management infrastructure in API Security, API Access Control and API Federation and its interaction with enterprise infrastructure, social identity and application developers.

Data-driven Security: Protect APIs from Adaptive Threats

The Inconvenient Truth About API Security

Distil Networks

The notion of API security & management in which enterprise architects, app developers and IT security experts work in harmony is great in theory. The reality, according to new research from Ovum, is much more scattered. Watch Ovum IT Security Analyst Rik Turner as he dives into new primary research on how companies are really managing API security. Then watch the lively conversation as Rami Essaid, CEO of Distil Networks, explains why APIs are becoming such an increasingly attractive target for hackers. Lastly, Shane Ward, Senior Director of Technology at GuideStar, will share best practices and pitfalls to avoid when managing both free and paid access to your APIs. Key takeaways will include: - How to benchmark your organization's API security and internal processes against your peers - Why CIO and/or CISO visibility into how API security is managed across the enterprise is so critical - How to map your business requirements to your API security strategy - A primer on API security controls, including geo/org fencing, token governance, dynamic access control lists and advanced rate limiting - Why heavy "application services governance" software suites are the wrong approach Learn more about Distil Networks API Security http://www.distilnetworks.com/api-security/

Protecting Your APIs Against Attack & Hijack

Secure Enterprise APIs for Mobile, Cloud & Open Web APIs present enterprises with many business opportunities but they also create new attack vectors that hackers can potentially exploit. APIs share many of the same threats that plague the Web but APIs are fundamentally different from Web sites and have an entirely unique risk profile that must be addressed. By adopting a secure API architecture from the beginning, it is possible to address both old and new threats. In this webinar, Scott Morrison – CTO at Layer 7 Technologies – will explain in detail how an enterprise can pursue its API publishing strategy without compromising the security of its on-premise systems and data. You Will Learn How APIs increase the attack surface What key types of risk are introduced by APIs How enterprises can mitigate each of these risks Why it is crucial to separate API implementation and security into distinct tiers Presented By Scott Morrison, CTO, Layer 7 Technologies

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered. Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).

SecDevOps for API Security

apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...

Gateway/APIC security

Shiu-Fun Poon

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported. Tizen IVI (in-vehicle infotainment) Tizen Mobile Tizen TV, and Tizen Wearable Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained. The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen. For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc. Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.

Security in microservices architectures

inovia

DevOps & Apps - Building and Operating Successful Mobile AppsApigee | Google Cloud

Deep-Dive: Secure API Management

Threat protection and application access controls are key security mechanisms that protect APIs when exposed to internal or external users and developers. In this technical deep-dive webcast, Apigee's security team, led by Subra Kumaraswamy, will discuss API threats and the protection mechanisms that every API and app developer must implement for safe and secure API management. This webcast will cover: - the API threat model - how to design and implement appropriate guardrails for API security using build-in policies and configuration - a demo of Apigee Edge threat protection features, including TLS encryption, XML/JSON/SQL injection attacks, and rate limiting Whether you're an IT security architect or an API or app developer, this webcast will help you understand secure API management. Download Podcast: http://bit.ly/1biiJQS Watch Video: http://youtu.be/ffs35w1RYRI

Secure Your REST API (The Right Way)

Stormpath

What's hot

Api security

teodorcotruta

Security components in mule esb

himajareddys

Security in mulesoft

akshay yeluru

Deep-Dive: API Security in the Digital Age

Guidelines to protect your APIs from threats

Isabelle Mauny

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

API Security In Cloud Native Era

WSO2

42crunch-API-security-workshop

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...

Data-driven Security: Protect APIs from Adaptive Threats

The Inconvenient Truth About API Security

Distil Networks

Protecting Your APIs Against Attack & Hijack

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

SecDevOps for API Security

apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...

Gateway/APIC security

Shiu-Fun Poon

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Security in microservices architectures

inovia

DevOps & Apps - Building and Operating Successful Mobile AppsApigee | Google Cloud

What's hot (20)

Api security

Security components in mule esb

Security in mulesoft

Deep-Dive: API Security in the Digital Age

Guidelines to protect your APIs from threats

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

API Security In Cloud Native Era

42crunch-API-security-workshop

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...

Data-driven Security: Protect APIs from Adaptive Threats

The Inconvenient Truth About API Security

Protecting Your APIs Against Attack & Hijack

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

SecDevOps for API Security

apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...

Gateway/APIC security

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Security in microservices architectures

DevOps & Apps - Building and Operating Successful Mobile Apps

Viewers also liked

Deep-Dive: Secure API Management

Secure Your REST API (The Right Way)

Stormpath

API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...

At some point, we all need to design and implement APIs for the Web. What makes Web APIs different than typical component APIs? How can you leverage the power of the Internet when creating your Web API? What characteristics to many "great" Web APIs share? Is there a consistent process you can use to make sure you design a Web API that best fits your needs both now and in the future? In this session Mike Amundsen describes a clear methodology for designing Web APIs (based on the book "RESTful Web APIs" by Richardson and Amundsen) that allows you to map key aspects of your business into a usable, scalable, and flexible interface that will reach your goals while creating a compelling API for both server and client developers. Whether you are looking to implement a private, partner, or public API, these principles will help you focus on the right metrics and design goals to create a successful API.

Api architectures for the modern enterprise

Extend your legacy SOA/ESB infrastructure to Mobile & IoT This webinar recording provides a use-case driven discussion around appropriate use of existing middleware infrastructure as well as its shortcomings. It dives deep into how APIs can not only complement an ESB or SOA infrastructure but also fill existing gaps. Watch this webinar recording to learn about: - Strengths and weaknesses of your existing ESB/SOA infrastructure - Architecture strategy: extend and add value to legacy middleware with APIs - Integration / API use cases in Retail, Manufacturing and Telecom - The API360 approach to digital strategy

Best Practices for API Management

WSO2

Architecting &Building Scalable Secure Web API

SHAKIL AKHTAR

Zentral presentation MacAdmins meetup Univ. Utah

Henry Stamerjohann

Secure and Govern Integration between the Enterprise & the Cloud

Secure, govern and mediate integrations between enterprise applications and Cloud services Overview For Best Buy, the public Cloud provides a strategic way to dynamically scale consumer and partner-facing Web and API assets. The Cloud lets Best Buy accommodate peaks in demand without overbuilding, while isolating sensitive data from the public. Best Buy also needs a consistent way to control what information is shared with applications in the Cloud, while simultaneously insulating development teams from the vagaries of security, management and mediation challenges that arise when implementing a hybrid Cloud solution. This Webinar, presented by Best Buy, Amazon Web Services and Layer 7 Technologies, looks at a specific example of the Best Buy API Developer Portal and share best practices for security, governance and mediation of enterprise services with applications in the Cloud.

Incorporating OAuth: How to integrate OAuth into your mobile app

Nordic APIs

Security Best Practices

Clint Edmonson

Designing & Implementing Hypermedia APIs – Mike Amundsen, Principal API Archi...

Principal API Architect Mike Amundsen presented this talk at QConn New York 2013. Hypermedia APIs are getting some buzz. But what are they, really? What is the difference between common URI-based CRUD API designs and hypermedia-style APIs? How do you implement a hypermedia API and when does it make sense to use a hypermedia design instead of a CRUD-based approach? Based on the Mike Amundsen's multi-part InfoQ article series of the same name, this fast paced, hands-on four-hour workshop shows attendees how to design a hypermedia style API, how to implement a server that supports varying hypermedia responses, and how to build clients that can take advantage of hypermedia. Additional time will be spent exploring when clients break and how reliance on hypermedia can reduce the need for re-coding and re-deploying client applications while still supporting new features in the API. Hands-on labs include authoring a hypermedia format for your API, designing server-side components that can emit hypermedia responses, and deciding on which client-side style of hypermedia fits best for your needs. A final challenge will be to update the server-side responses with new features that do not break existing hypermedia clients.

Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security

Diogo Mónica

Apiworld

Owen Rubel

The API pattern was created in the 1970's when 'distributed architectures' didn't even exist and was established mainly for 'centralized architectures' as it bound the communication data/logic to the business logic. In a modern world, we have moved to distributed architectures where we now have to share the I/O... but that communication logic still remains bound in the application due to an old API pattern. This makes it so that the IO data and functionality related to a request/response cannot be shared with our edge services without duplication/entanglement. This in turn means the data/functionality in our services then cannot be synchronized. This leads to dropped threads, poor security, bad data, bad user experience, broken application, etc. This can ALL be fixed and improved and even lead to better speed, scalability and automation through a new API Pattern.

Towards a Federated Cloud Ecosystem

Clovis Chapman

MTLS in a Microservices World

Diogo Mónica

One obvious side effect of migrating to a microservices architecture is the need for infrastructure automation. Unfortunately, most automation systems do not take security into consideration, making production deployments orders of magnitude more complex than the initial testbed deployment. The perfect example of this steep increase in deployment difficulty is the creation and management of Public-Key-Infrastructures (PKI). Even though the use of TLS Certificates for service to service communication is known as a best-practice, very few companies actually deploy their systems using mutually-authenticated TLS connections. In this talk I will go over why TLS is the right solution for service to service communication, describe ways to automate the creation and management of your PKI, and present in detail how Docker's swarm orchestration system bootstraps and manages individual node certificates.

Reusable APIs

APIs for biz dev 2.0 - Which business model to win in the API Economy?

3scale

Introducing Swagger

Tony Tam

RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7

Based on the upcoming O'Reilly book "RESTful Web APIs" by Leonard Richardson and Mike Amundsen, this 1/2 day workshop covers the basics of Fielding's REST style, HTTP standards, and common practices for APIs for Web. Key topics such as how how use hypermedia to increase API flexibility and how application profiles can improve API interoperability are also covered. In addition, a wide range of existing message formats and semantic vocabularies are reviewed along with a procedure for selecting and applying these existing standards to your own implementations. Other subjects will be covered such as caching, versioning, and supporting RESTful APIs on protocols other an HTTP.Throughout the workshop, attendees will be able to apply step-by-step guidance on how to create their own RESTful Web API and share these designs with the group at the end of the session.

Daum APIs: A to Z - API Meetup 2014Channy Yun

Viewers also liked (20)

Deep-Dive: Secure API Management

Secure Your REST API (The Right Way)

API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...

Api architectures for the modern enterprise

Best Practices for API Management

Architecting &Building Scalable Secure Web API

Zentral presentation MacAdmins meetup Univ. Utah

Secure and Govern Integration between the Enterprise & the Cloud

Incorporating OAuth: How to integrate OAuth into your mobile app

Security Best Practices

Designing & Implementing Hypermedia APIs – Mike Amundsen, Principal API Archi...

Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security

Apiworld

Towards a Federated Cloud Ecosystem

MTLS in a Microservices World

Reusable APIs

APIs for biz dev 2.0 - Which business model to win in the API Economy?

Introducing Swagger

RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7

Daum APIs: A to Z - API Meetup 2014

Similar to API Security and Management Best Practices

How to Build a Successful API Program: Best Practices For the Carrier

More and more carriers are looking to API publishing as a way of offering new services to developers building mobile apps and cloud services. But launching an API publishing program inevitably raises questions about: • How to maintain security when exposing internal systems and processes to external developers • How to manage developers, weeding out the bad and rewarding the good • How carriers can monetize their APIs • How existing IT investments can be leveraged to maximize performance and ROI • How building community among developers can drive revenue and minimize operating costs This talk will give carriers the critical guidance they need to build a successful API strategy.

Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise

Take a fresh approach to IT security and management, designed specifically for mobile Overview Twenty years ago, laptops revolutionized how the enterprise conducted business. But with the laptop came a host of new security and manageability challenges that we are arguably still trying to work out. Now, mobile computing promises to be exponentially more disruptive. It is a mistake to think you can apply yesterday’s laptop thinking to today’s mobile devices and still maintain a secure infrastructure. Mobile devices are radically different from laptops and they are evolving at a completely different pace, so they demand a fresh approach.

Cross Platform Mobile Apps with APIs from Qcon San Francisco

Managing API Security in SaaS and Cloud

Managing API Security in SaaS and Cloud

Opening SaaS applications and cloud services to outside developers is becoming critical to achieve cloud-enterprise integrations, information sharing across affiliate Web sites and enabling mobile / tablet access to data. Controlling how API's get securely exposed to different consumers requires a simple, scalable way to manage API security, address versioning and meter consumption without burdening either application developers or application consumers. Join eBay's Chief Security Strategies Liam Lynch and Layer 7's CTO Scott Morrison for this informative presentation.

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs October 11 & 12, 2023 https://www.apidays.global/australia/ API Security Breach Analysis & Empowering Devs to Make Secure APIs Jeremy Snyder, Founder and CEO of FireTail ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

5 Ways to Get Top Mobile App Developer Talent for Your Open APIs

Opening APIs to developers outside the enterprise can enable the creation of apps that add value to existing information assets in innovative and often unexpected ways – without the need for direct investment in app development. However, this will only happen if the enterprise can grow an ecosystem of talented developers creating cutting-edge apps that give consumers something of real value. This webinar hosted by Layer 7 Technologies featuring Alex Don, Head of Hackathons at AT&T, will examine five keys ways that you can attract and nurture top third-party developer talent for your APIs.

OWASPAPISecurity

Jie Liau

ROI for APIs: Using Hackathons to Evaluate Your API Program

Use hackathons to gather data on the value of your API publishing program APIs are quickly becoming brands of their own and requiring product management strategies and marketing campaigns to be built around them to ensure they are effective. Hackathons provide a great way to grow developer awareness of APIs and attract the attention of thought leaders and influencers. But how do you demonstrate quantifiable ROI? Join this webinar with AT&T's Developer Evangelist, Alex Donn, TechCrunch's Hackathon Events Manager Leslie Hitchcock and Layer 7's API Evangelist, Alex Gaber to learn how you can get feedback and data from hackathons that will help you prove the value of your API program. You Will Learn Which ROI metrics business managers want to see What types of product research and testing you can conduct at a hackathon How to collect feedback and data at the event Presented by: Leslie Hitchcock Hackathon Events Manager TechCrunch Alex Donn Developer Evangelist AT&T Alex Gaber API Evangelist Layer 7

2022 APIsecure_Shift Left API Security - The Right Way

APIsecure_ Official

API Testing and Hacking (1).pdf

Vishwas N

API Testing and Hacking.pdf

Vishwas N

API Testing and Hacking.pdf

VishwasN6

A great api is hard to findDan Diephouse

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...

APIsecure_ Official

apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...

Melbourne API Management Seminar

Cyberlands Sales Deck

Cyberlands B.V.

5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...

Similar to API Security and Management Best Practices (20)

How to Build a Successful API Program: Best Practices For the Carrier

Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise

Cross Platform Mobile Apps with APIs from Qcon San Francisco

Managing API Security in SaaS and Cloud

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

5 Ways to Get Top Mobile App Developer Talent for Your Open APIs

OWASPAPISecurity

ROI for APIs: Using Hackathons to Evaluate Your API Program

2022 APIsecure_Shift Left API Security - The Right Way

API Testing and Hacking (1).pdf

API Testing and Hacking.pdf

A great api is hard to find

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...

apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...

Melbourne API Management Seminar

Cyberlands Sales Deck

5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...

More from CA API Management

Mastering Digital Channels with APIs

Takeaways from API Security Breaches Webinar

Examining today's biggest API breaches to mitigate API security vulnerabilities Data breaches have become the top news story. And APIs are quickly becoming the hacker's new favorite attack vector. They offer a direct path to critical information and business services that can be easily stolen or disrupted. And your private APIs can be exploited just as easily as a public API. So what measures can you take to strengthen your security position? This webinar explores recent API data breaches, the top API security vulnerabilities that are most impactful to today's enterprise and the protective measures that need to be taken to mitigate API and business exposure. You Will Learn -Recent breaches in the news involving APIs -Top attacks that compromise your business -Mitigating steps to protect your business from attacks and unauthorized access -API Management solutions that both enable and protect your business Learn about API Security at http://www.ca.com/api

Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...

Liberating the API Economy with Scale-Free Networks The Web exhibits a feature found in many complex systems known as "Scale-Free" or "Power-Law" networks, sometimes called the "long tail" Most people think of the "long tail" as an economic and/or social property. However, it also represents physical and informational properties fundamental to the way the Web works. But the steady increase in major service outages indicate that many current Web APIs, services, and even client applications ignore this basic "law of the Web." This talk explores the "Scale-Free" rule of complex systems and offers clear and simple advice to those planning to build and/or consume APIs for the Web. Such as what to avoid, what to plan for, what to build, and how to identify & steer clear of clients and services that fail to abide by the rules and, in the process, are making it harder for all of us to liberate the API Economy.

API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...

APIs are everywhere: powering mobile apps, enabling cloud computing, connecting people through social networks and helping to create the Internet of Things. Organizations of every kind are evaluating how they can leverage APIs and replicate the success of companies like Amazon, Google and Salesforce. Join this webinar to learn about the #API360 model for enterprise API success. This model covers the full spectrum of considerations for companies looking to succeed with APIs for the long haul. You will also hear more about the upcoming #API360 Summit that will take place in Dallas on February 26. You Will Learn • How leading Web companies have used APIs to boost revenues and market share • How to create an enterprise API strategy that will yield real business results • How to institutionalize best practices that will allow your APIs to evolve and grow

API Monetization: Unlock the Value of Your Data

Securely Open data as APIs to internal groups and third parties to generate revenue In today's application economy, organizations are leveraging APIs to create new revenue streams. To monetize its information, the enterprise needs a way to transform data into APIs, enforce SLAs and implement a standardized fulfillment process with flexible and integrated billing systems. This webinar will explored how enterprises can overcome these monetization challenges, using an API management solution that securely opens data to internal groups and third parties as APIs, in order to generate revenue.

Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...

The Information Age, 100 years on The rise of the computer and the digital revolution is responsible for an explosion of devices, data, and connectedness. These are all enabling what is called the dawning of the Information Age. And software designers, developers, and architects all share an important responsibility for shaping and guiding the world’s progress through this axial age into the future. However, more than 100 years ago, the work of organizing the world’s information into a single all-encompassing taxonomy had already begun. Partially influenced by the positivist doctrine of Auguste Comte, leading thinkers of the early 20th century such as the librarian Paul Otlet in Belgium, museum curator Patrick Geddes in Scotland, and educator Melvil Dewey in the US were each working to design universal classification systems that would encompass and coordinate the explosion of information appearing in libraries, museums, newspapers, magazines, and eventually even radio, movies, and television. What did we learn in the last century? What have we forgotten? How does their work affect our current trajectory in transforming the work of software and systems design and development? What can we take from Dewey, Otlet, and Geddes with us in to the next 100 years of the Information Age.

Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...

Identity on the Internet is changing. Social networking has kicked off a massive change in how we integrate identity across applications. This is much more than a simple redesign of security tokens and protocols; instead it is a radical redistribution of power and control over entitlements, shifting it away from the centralized control of a cabal of directory engineers and out to the users themselves. There are compelling reasons for this shift: it enables scaling of identity administration, and it promotes rapid and agile integration of applications. These are goals shared by the enterprise, but this change has significant implications on infrastructure, people and process. Join us to learn how you can bring modern identity management into the enterprise.

Enabling the Multi-Device Universe

Moving beyond conventional single sign-on to seamless cross-device access with APIs People are carrying more devices every day – with the average being 2.9 per person. Meanwhile, multitasking has gone into overdrive, as users quickly move from laptop to phone to tablet, expecting a seamless experience when accessing their favorite apps. And this expectation is not just limited to leisure and personal use – it extends to business applications. Security has broken this seamless workflow and inhibited the mobile “stickiness” businesses are striving to achieve. This webinar with Scott Morrison and Leif Bildoy of CA Technologies will demonstrate how the right combination of identity functionality and secure APIs can help your organization to overcome these challenges and enable the multi-device universe. You Will Learn • What challenges must be overcome when supporting multiple mobile app types • How SSO is evolving past mobile app access to device access • Why the right implementation of identity and APIs will create consumer stickiness • How the Internet of Things (IoT) is creating new business opportunities

Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...

The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...

APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...

Adapting to Digital Change: Use APIs to Delight Customers & Win

Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...

Today’s enterprise mobility solutions emphasize heavy-handed IT governance of devices and applications that impose a burden on developers and/or users. However, managing data and applications using high performance mobile-optimized infrastructure can enable secure, scalable apps while minimizing the effort required by developers and allowing them to focus on their strengths. Come learn how to facilitate the best of both worlds – multi-layer mobile security using modern standards and a fantastic user experience.

5 steps end to end security consumer appsCA API Management

Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...

The Internet of Things (IoT) promises to improve our productivity and day-to-day lives by connecting a vast range of devices – from cell phones, to cars, to domestic appliances and even to drones. APIs represent the key technology that will make it possible to integrate and leverage information from all these “things”. There are obvious security and privacy concerns associated with using APIs to expose data and functionality from one device to many others. So, how can we make sure hackers cannot exploit the unprecedented connectivity created by IoT? This webinar will explore key IoT use cases and explain how to address the API security requirements for these use cases.

Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...

The VIP networking lunch will feature a presentation by Keith Junius, Solution Architect, from Veda on ‘Implementing an API Management Platform’. Attendees will hear about how Veda has modernized their B2B API platform by deploying SOA Gateways. Join Layer 7 at this lunch to learn about: • Design considerations for API management platforms • Technical and business challenges faced across the whole system lifecycle • The soft skills required to achieve a successful outcome • Lessons learned during and after the project • Benefits realized by the new platform

Using APIs to Create an Omni-Channel Retail Experience

Today, tech-savvy consumers are always connected, using their mobile devices to compare prices, read user-generated reviews and pay for products - and many leading e-tailers already connect their customers to this information. The any time, any place connectivity enabled by mobile devices empowers all retailers to offer the kinds of enhanced shopping experiences modern consumers are becoming accustomed to. To truly satisfy the needs of these well-informed, mobile consumers, retail organizations will need ways to create unified shopping experiences across all channels – from brick-and-mortar stores to the Web to mobile. Increasingly, offering a compelling mobile experience will become the cornerstone upon which these omni-channel shopping experiences are built. In this webinar, you will learn how APIs can: • Help deliver a consistent retail experience across multiple channels • Connect retailers with social data • Extend legacy systems to mobile apps • Enable organizations to make real-time use of contextual data and buying patterns

Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...

Cars are already full of sensors and producing gigabytes of data, but they are not connected yet. Connecting them can represent a tremendous opportunity for several industries (insurance companies, repairs, traffic optimization...) but it certainly comes with a lot of challenges. Security and Privacy are the biggest challenges this market have to overcome, especially because it has been completely out of scope for this industry so far.

Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014

As HTTP-based APIs become more common and more standardized, mindshare and momentum is shifting from a service-oriented model to the "client-side" of the application space. It is the client application that users fall in love with and it is the client application developer that holds the keys to this relationship. Client developers pick APIs based not just on ease of use and helpful document. Often they are selecting APIs that make their applications "look good" and APIs that can be easily "mashed up" with other service offerings into new "applications" - ones that don't rely on just one service API. This talk reviews patterns in developer practices and trends in services and libraries -- from the increase in the number of client-side libraries such as EmberJS, Angular, and Bootstrap to the appearance of new "API composition" platforms such as Strong Loop -- that give us a picture of why it's important to identify and leverage the growing sentiment that "Clients Matter, Services Don't.

The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...