The document discusses the need for enterprise API security solutions to manage API security. It covers the top 10 security risks for APIs according to OWASP, including injection, improper authentication, exposure of sensitive data, and lack of access control. It then demonstrates how an API gateway can help address these risks by providing features like OAuth protection, throttling, input validation, logging, and access control at the function level without requiring code changes to the APIs. The API gateway allows APIs to be securely exposed while blocking hidden endpoints and enabling strong authentication and authorization for internal services using JSON web tokens.
Owasp API Security top 10 - The need of enterprise solutions for managing API security
1. API Security: The Need of Enterprise Solutions for Managing API Security
Tharindu Edirisinghe
https://www.meetup.com/colombo-security-meetup/events/266658163/
9. A Quick Look into OAuth 2.0 Framework
Source: https://www.slideshare.net/thariyarox/api-security-with-oauth
RFC : https://tools.ietf.org/html/rfc6749
10. Protecting API
Unprotected Service at http://localhost:8081/api/user, exposing four operations on the /user resource:
● View User: GET /user
● Add User: POST /user
● Update User: PUT /user
● Delete User: DELETE /user
Managed API: the same service published through the API Gateway at https://….. and backed by the Key Manager, so that clients reach the gateway's managed endpoint rather than the unprotected service directly.
11. Authentication in Chained APIs
Participants: User, App, Authorization Server / Key Manager, Service 1 (Add Product), Service 2 (Send Notification).
Sequence shown in the diagram:
Step 1 (Request Token): the App requests a token for the User from the Authorization Server / Key Manager
Step 2 (Token): the Key Manager issues the token to the App
Step 3 (Token): the App calls the managed Add Product API presenting the token
Step 4 (Validate Token): the token is validated against the Key Manager
Step 5 (Signed JWT with User Data): the request is forwarded to Service 1 carrying a signed JWT that contains the user data
Step 6 (Signed JWT): Service 1 passes the same signed JWT on when it calls Service 2 (Send Notification)
Step 7 (Validate JWT): the backend services validate the JWT signature instead of re-authenticating the user themselves
13. Function Level Access Control
Unprotected Service at http://localhost:8081/api/user:
● View User: GET
● Add User: POST
● Update User: PUT
● Delete User: DELETE
Managed API on the API Gateway (with the Key Manager): each of the four operations (View User GET, Add User POST, Update User PUT, Delete User DELETE) is tied to the user roles Assistant and Manager, so the gateway permits an operation only for the roles assigned to it.
14. API 4: Lack of Resources &amp; Rate Limiting (OWASP API Security Top 10, 2019)
Good Read: https://apim.docs.wso2.com/en/latest/Learn/RateLimiting/introducing-throttling-use-cases/
Source: https://www.owasp.org/index.php/OWASP_API_Security_Project#tab=Main
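The throttling the slide links to is, at its core, per-consumer rate limiting enforced at the gateway so that one application cannot exhaust the backend. The Python below is an added example written for this page, not WSO2's throttling implementation; it assumes a token-bucket policy with constructed limits (a burst of 5 requests, then one request per second) keyed by whatever identifies the consumer (API key, client id or access token), and replays a constructed traffic sample to show which requests would receive HTTP 429.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Token-bucket throttling per API consumer, as a gateway applies it for
# OWASP API4 (Lack of Resources & Rate Limiting). Values are constructed.
BURST_CAPACITY = 5        # requests a consumer may send back-to-back
REFILL_PER_SECOND = 1.0   # sustained rate once the burst is used up


@dataclass
class _Bucket:
    tokens: float
    last_seen: float


class Throttler:
    """One bucket per consumer key (API key, OAuth client id or access token)."""

    def __init__(self, capacity: int = BURST_CAPACITY,
                 refill_per_second: float = REFILL_PER_SECOND):
        self.capacity = capacity
        self.refill = refill_per_second
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, consumer: str, now: float) -> bool:
        """Return True if the request may pass, False if it should get HTTP 429."""
        bucket = self._buckets.get(consumer)
        if bucket is None:
            bucket = self._buckets[consumer] = _Bucket(float(self.capacity), now)
        # Refill proportionally to elapsed time, never beyond the burst capacity.
        elapsed = max(0.0, now - bucket.last_seen)
        bucket.tokens = min(float(self.capacity), bucket.tokens + elapsed * self.refill)
        bucket.last_seen = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def apply_throttling(requests: List[Tuple[float, str]],
                     throttler: Optional[Throttler] = None) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, consumer) requests and tally allowed vs throttled per consumer."""
    throttler = throttler or Throttler()
    tally: Dict[str, Dict[str, int]] = {}
    for ts, consumer in sorted(requests):
        counts = tally.setdefault(consumer, {"allowed": 0, "throttled": 0})
        counts["allowed" if throttler.allow(consumer, ts) else "throttled"] += 1
    return tally


# Constructed traffic sample: app-a bursts 8 requests at t=0, then 3 more at
# t=2; app-b sends a single request. Each consumer is metered independently.
SAMPLE_REQUESTS = [(0.0, "app-a")] * 8 + [(2.0, "app-a")] * 3 + [(0.0, "app-b")]

if __name__ == "__main__":
    print(apply_throttling(SAMPLE_REQUESTS))
```

With the constructed limits, app-a gets 5 of its first 8 requests through and 3 are throttled; two seconds later the bucket has refilled two tokens, so 2 of the next 3 pass. app-b is unaffected by app-a's burst, which is the point of keying the bucket per consumer rather than globally.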
15. API 7: Security Misconfiguration (OWASP API Security Top 10, 2019)
HTTP Header Mediation: https://docs.wso2.com/display/ESB500/Header+Mediator
Source: https://www.owasp.org/index.php/OWASP_API_Security_Project#tab=Main
17. API 8: Injection (OWASP API Security Top 10, 2019)
Demo Documentation: https://docs.wso2.com/display/AM260/Regular+Expression+Threat+Protection+for+API+Gateway
Source: https://www.owasp.org/index.php/OWASP_API_Security_Project#tab=Main
18. Message Mediation in API Gateway
Source: https://wso2.com/blogs/cloud/the-power-of-mediators-api-call-transformation-and-orchestration/
19. API 6: Mass Assignment (OWASP API Security Top 10, 2019)
Demo Documentation: https://docs.wso2.com/display/AM260/JSON+Threat+Protection+for+API+Gateway
Demo Documentation: https://docs.wso2.com/display/AM260/XML+Threat+Protection+for+API+Gateway
Source: https://www.owasp.org/index.php/OWASP_API_Security_Project#tab=Main
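Slides 17 and 19 both rely on the gateway inspecting the request before the backend sees it: regular-expression threat protection for injection probes in parameters and bodies, and JSON/XML threat protection that bounds the structure of a payload (nesting depth, array size, key count, string length) so a crafted document cannot exhaust the parser. The Python below is an added example written for this page, not WSO2's implementation; the limits and the handful of regular expressions are constructed, and the sample requests are constructed too.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Structural limits for JSON bodies, in the spirit of gateway JSON threat
# protection (constructed values; tune per API). They bound parser work
# regardless of what the payload says.
JSON_LIMITS = {
    "max_depth": 8,
    "max_array_elements": 100,
    "max_object_keys": 50,
    "max_string_length": 1024,
}

# Coarse regular-expression threat-protection rules (constructed). They catch
# obvious injection probes at the edge; parameterised queries and output
# encoding in the backend remain the actual fix for API8.
INJECTION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\b\s+\bselect\b",             # SQL UNION-based probing
    r"'\s*or\s*'?\d+'?\s*=\s*'?\d+",       # SQL tautology such as ' or 1=1
    r";\s*(drop|alter|truncate)\s+table",  # stacked DDL statement
    r"<\s*script\b",                       # inline script tag (XSS)
)]


def json_threat_violations(value: Any, limits: Dict[str, int] = JSON_LIMITS,
                           depth: int = 0) -> List[str]:
    """Walk parsed JSON and list every structural limit it breaks (empty list = clean)."""
    problems: List[str] = []
    if isinstance(value, (dict, list)):
        depth += 1  # only containers count towards nesting depth
        if depth > limits["max_depth"]:
            return [f"nesting depth {depth} exceeds {limits['max_depth']}"]
    if isinstance(value, dict):
        if len(value) > limits["max_object_keys"]:
            problems.append(f"object with {len(value)} keys exceeds {limits['max_object_keys']}")
        for key, item in value.items():
            if len(key) > limits["max_string_length"]:
                problems.append(f"key longer than {limits['max_string_length']}")
            problems.extend(json_threat_violations(item, limits, depth))
    elif isinstance(value, list):
        if len(value) > limits["max_array_elements"]:
            problems.append(f"array with {len(value)} elements exceeds {limits['max_array_elements']}")
        for item in value:
            problems.extend(json_threat_violations(item, limits, depth))
    elif isinstance(value, str) and len(value) > limits["max_string_length"]:
        problems.append(f"string longer than {limits['max_string_length']}")
    return problems


def _leaf_strings(value: Any):
    """Yield every string leaf of a parsed JSON document."""
    if isinstance(value, dict):
        for item in value.values():
            yield from _leaf_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _leaf_strings(item)
    elif isinstance(value, str):
        yield value


def _injection_hits(text: str) -> List[str]:
    return [pat.pattern for pat in INJECTION_PATTERNS if pat.search(text)]


def inspect_request(query_params: Dict[str, str], body_text: str) -> Tuple[bool, List[str]]:
    """Gateway-side check of one request. Returns (allowed, reasons for rejection)."""
    reasons: List[str] = []
    for name, val in query_params.items():
        for pattern in _injection_hits(val):
            reasons.append(f"query param {name!r} matches /{pattern}/")
    if body_text:
        try:
            parsed = json.loads(body_text)
        except ValueError:
            reasons.append("body is not well-formed JSON")
        else:
            reasons.extend(json_threat_violations(parsed))
            for leaf in _leaf_strings(parsed):
                for pattern in _injection_hits(leaf):
                    reasons.append(f"body string matches /{pattern}/")
    return (not reasons, reasons)


# Constructed sample body nested nine arrays deep, one past the depth limit.
_deep: Any = "x"
for _ in range(9):
    _deep = [_deep]
DEEP_BODY = json.dumps(_deep)

if __name__ == "__main__":
    print(inspect_request({"id": "42"}, '{"name": "widget", "tags": ["a", "b"]}'))
    print(inspect_request({"id": "1 UNION SELECT 1"}, ""))
    print(inspect_request({}, DEEP_BODY))
```

The structural checks are the more dependable half: they reject a payload by its shape, with no signature to evade, and they are what protects the XML/JSON parser from resource exhaustion. The regex rules are a pre-filter for obvious probes and will produce both misses and false positives, so they belong in front of, not instead of, proper input handling in the service. A production gateway applies such limits while streaming the body rather than after `json.loads`, which is what this illustration does for brevity.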
20. API 10: Insufficient Logging &amp; Monitoring (OWASP API Security Top 10, 2019)
WSO2 Log Mediator: https://docs.wso2.com/display/ESB500/Log+Mediator
Source: https://www.owasp.org/index.php/OWASP_API_Security_Project#tab=Main
21. Summary
Source: https://www.owasp.org/index.php/OWASP_API_Security_Project#tab=Main
● Exposed the resource securely to the audience
● Blocked hidden endpoints/resources
● Enabled OAuth/JWT protection for the services with different OAuth scopes and user roles
● Enabled multi factor authentication for browser based flows
● Enabled passing through a JWT for backend services for authenticating chained APIs
● Enabled CORS headers
● Defined throttling limits
● Configured SQL Injection/ XSS etc. protection
● Configured XML/JSON exploit protection
● Enabled logging for better monitoring
More importantly, we did all of the above with zero code change!!!