Enterprise Security APIs
DEVELOPMENT IN SUPPORT OF APPLICATION SECURITY
Enterprise Security APIs
We can further improve application security by developing reusable software
that provides security-centric functionality, makes it easier to develop
secure software, or both.
Vulnerability Management Lifecycle
Prevent: Best practices and testing
Detect: Discover, assess and rank
Remediate: Catalog, prioritize and fix
Application Security
• Prevent: Policy enforcement and training
• Detect: Monitor, scan and review
• Remediate: Management and resourcing
Development happens
…AND SECURITY TOO
Authentication API
Loosen coupling to the system
Enforce policy
More control and granularity
Standardize across applications
Consistent user experience
Cryptography API
Ensure that best practices are followed
Standardize key management
Stop storing secrets in configuration
CSRF Encrypted Token
Detect and remediate as a separated concern
Use the Cryptography API
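The two slides above, as an added example that is not from the talk: a small Cryptography API facade whose callers only ever hold key ids (the key material comes from a KeyStore standing in for a KMS or secret manager, never from application configuration), with rotation built in, and a CSRF token service layered on that facade. Because the Python standard library has no authenticated encryption, the slide's encrypted token is shown here as an HMAC-SHA256 authenticated token; AES-GCM from the `cryptography` package could replace it behind the same `sign`/`verify` surface. The `check` method only detects and reports why a token fails; what to do about it (reject, log, alert) is left to the caller, which is the separation of concerns the slide calls for. All class and function names (`KeyStore`, `Crypto`, `CsrfTokens`, `CsrfCheck`) and the sample keys are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class KeyStore:
    """Constructed stand-in for a KMS or secret manager. Applications hold key
    ids only; key bytes are fetched here and never live in their configuration."""

    def __init__(self, keys: Dict[str, bytes], current: str) -> None:
        self._keys = dict(keys)
        self.current = current  # id of the key used for new signatures

    def get(self, key_id: str) -> Optional[bytes]:
        return self._keys.get(key_id)

    def rotate(self, key_id: str, key: bytes) -> None:
        # The new key becomes current; older keys stay available for verification.
        self._keys[key_id] = key
        self.current = key_id


class Crypto:
    """The Cryptography API facade: one fixed algorithm (HMAC-SHA256), keys by id."""

    def __init__(self, keystore: KeyStore) -> None:
        self._ks = keystore

    def sign(self, data: bytes) -> Tuple[str, bytes]:
        key_id = self._ks.current
        return key_id, hmac.new(self._ks.get(key_id), data, hashlib.sha256).digest()

    def verify(self, key_id: str, data: bytes, mac: bytes) -> Optional[bool]:
        """None if the key id is unknown, otherwise a constant-time MAC comparison."""
        key = self._ks.get(key_id)
        if key is None:
            return None
        return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), mac)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass(frozen=True)
class CsrfCheck:
    valid: bool
    reason: str  # ok, malformed, unknown_key, bad_mac, expired, session_mismatch


class CsrfTokens:
    """CSRF tokens built on the Crypto facade. Each token carries its key id, so
    tokens issued before a rotation still verify until they expire."""

    TTL_SECONDS = 3600

    def __init__(self, crypto: Crypto, now: Callable[[], float] = time.time) -> None:
        self._crypto = crypto
        self._now = now  # injectable clock so expiry can be tested deterministically

    def issue(self, session_id: str) -> str:
        claims = {"sid": session_id, "iat": int(self._now()), "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, separators=(",", ":")).encode()
        key_id, mac = self._crypto.sign(body)
        return ".".join((_b64(key_id.encode()), _b64(body), _b64(mac)))

    def check(self, token: str, session_id: str) -> CsrfCheck:
        """Detection only: reports whether and why a token fails. Rejecting the
        request, logging or alerting (remediation) is the caller's concern."""
        parts = token.split(".")
        if len(parts) != 3:
            return CsrfCheck(False, "malformed")
        try:
            key_id, body, mac = _unb64(parts[0]).decode(), _unb64(parts[1]), _unb64(parts[2])
        except ValueError:  # covers bad base64 and non-UTF-8 key ids
            return CsrfCheck(False, "malformed")
        ok = self._crypto.verify(key_id, body, mac)
        if ok is None:
            return CsrfCheck(False, "unknown_key")
        if not ok:
            return CsrfCheck(False, "bad_mac")
        claims = json.loads(body)  # authenticated above, so the claims can be trusted
        if self._now() - claims["iat"] > self.TTL_SECONDS:
            return CsrfCheck(False, "expired")
        if not hmac.compare_digest(claims["sid"].encode(), session_id.encode()):
            return CsrfCheck(False, "session_mismatch")
        return CsrfCheck(True, "ok")
```

Typical use is `tokens = CsrfTokens(Crypto(KeyStore({"k1": key_bytes}, current="k1")))`, `issue(session_id)` when rendering a form, and `check(token, session_id)` on the POST; after `store.rotate("k2", new_key)` new tokens are signed under `k2` while tokens still carrying `k1` keep verifying until their TTL runs out.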
API backed Application Security
• Prevent: Security built in by experts
• Detect: Purpose-built monitoring
• Remediate: The fix is the API
Creating an API
…THAT DEVELOPERS WANT TO USE (THAT’S THE HARD PART)
Getting started
Derive from existing use-cases
Get input from the application developers
Start with simple but extensible (SOLID)
Beware of anti-patterns!
Abstraction Inversion
Bullet-point engineering
Maintenance
Refactor for extensibility
Use Semantic Versioning
Support the developers who use it
Help developers proactively
Implement fixes and extensions quickly
Triage issues quickly
Other concerns
Use a façade to abstract third-party components
Simplify and constrain
Use open source
Modularity is key, so choose and integrate carefully
Use OpenID Connect or SAML at the boundaries
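An added example (not from the talk) that ties the Authentication API slide to the façade advice above: applications call one `AuthenticationAPI.login` and get a structured `AuthResult` back (the consistent user experience), the identity store behind it is swappable through a one-method `Backend` protocol (LDAP, a user database or an OpenID Connect adapter would each implement it), and the failed-login lockout policy lives in the façade so it is enforced identically no matter which backend or application is involved. `InMemoryBackend`, its PBKDF2 parameters, and every name here are assumptions made for this example; the in-memory store is a constructed stand-in for a real directory.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Protocol, Tuple


class Backend(Protocol):
    """Everything the facade needs from an identity store. LDAP, a user database
    or an OpenID Connect adapter would each provide this one method."""

    def check_password(self, username: str, password: str) -> bool: ...


class InMemoryBackend:
    """Constructed stand-in backend storing salted PBKDF2-HMAC-SHA256 hashes."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            self._derive(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    reason: str  # ok, bad_credentials, locked
    user: Optional[str] = None


class AuthenticationAPI:
    """The facade applications call. The backend is swappable; the lockout policy
    lives here, so it applies the same way to every application and backend."""

    def __init__(self, backend: Backend, max_failures: int = 5,
                 lockout_seconds: int = 900, now: Callable[[], float] = time.time) -> None:
        self._backend = backend
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._now = now  # injectable clock for deterministic testing
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def login(self, username: str, password: str) -> AuthResult:
        now = self._now()
        if self._locked_until.get(username, 0.0) > now:
            return AuthResult(False, "locked")  # policy checked before the backend is consulted
        if self._backend.check_password(username, password):
            self._failures.pop(username, None)
            return AuthResult(True, "ok", username)
        failures = self._failures.get(username, 0) + 1
        if failures >= self._max_failures:
            # Unknown names are tracked too, so lockout does not reveal which accounts exist.
            self._locked_until[username] = now + self._lockout_seconds
            self._failures.pop(username, None)
            return AuthResult(False, "locked")
        self._failures[username] = failures
        return AuthResult(False, "bad_credentials")
```

Swapping the directory later means writing a new class with `check_password` and passing it to `AuthenticationAPI`; the applications, and the lockout policy they rely on, do not change.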
What’s important
Ease of use
Developers have to want to use it
So make the developer’s life easier
Modularity and portability
Low barrier to integration
Remember to…
Create APIs to address application security concerns
Make them easy for developers to use
Make them easy to integrate
Thanks!
Adam Migus: www.migusgroup.com/adam
Email: adam@migusgroup.com
Twitter: @amigus
Links:
http://en.wikipedia.org/wiki/Solid_(object-oriented_design)
http://semver.org/
http://openid.net/connect/