© 2015 Akana. All Rights Reserved. Deconstructing API Security Ian Goldsmith @apibuilder.
Deconstructing API Security
Ian Goldsmith @apibuilder
APIs Extend your Digital Ecosystems
Leverage Developer & Partner Ecosystems
Tap into an extended ecosystem of developers with APIs
Capture new Opportunities with APIs
Drive Innovation
Increase Reach
Support New Devices
Discover New Business Models
Increase Partner Network
API SECURITY
API Consumer Security?
Major API Security Concerns
EVOLUTION OF SECURITY IN DIGITAL CHANNELS
Client-Server / Web Applications
• No Programmatic Access
• Security through network isolation
• Limited Users
Access locations and variability of operations were limited
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, Certificate based, PKI, WS-Trust
• Some B2B and Partners applications
• Complex, but quite secure and flexible
WS-Security Policy

```xml
<wsp:Policy wsu:Id="WSS11SamlWithCertificates_policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference/>
                  <sp:RequireDerivedKeys wsp:Optional="true"/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV11Token11/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:EndorsingSupportingTokens>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssX509V3Token11/>
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```
And then came APIs
Disrupting how and where information is accessed
• Mobile and Social Apps don’t understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
OWASP Top Ten
• A1 – Injection
• A2 – Broken authentication and session management
• A3 – Cross-site scripting (XSS)
• A4 – Insecure direct object references
• A5 – Security misconfiguration
• A6 – Sensitive data exposure
• A7 – Missing function-level access control
• A8 – Cross-site request forgery (CSRF)
• A9 – Using components with known vulnerabilities
• A10 – Unvalidated redirects and forwards
PCI Compliance
• APIs are now part of e-commerce
• Card payments pass through API
• The infrastructure underlying the API?
SECURING APIS
Securing APIs
1 Authentication & Authorization
2 App Key Validation/Licensing
3 Message Security
4 Threat Protection
5 Content Filtering
6 Rate Limiting
Developers
Authentication/Authorization/SSO
Control and restrict access to your APIs
Make it easy yet secure
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
Diagram roles: User, Resource Owner, Client App, Resource Server
OAuth Flow
OAuth – You need
• OAuth Clients
– Provisioning
– Approval Flow
• OAuth Server
– Identity Integration
– Token Validation
– Token Issue/refresh
• Token Mediation (SAML, LDAP etc)
• QoS, Monitoring
• Policy Management
• API Proxying
• Reporting
• Analytics
OAuth has become complex
Licensing
Package your APIs in different ways
Use API keys to restrict what the App can access
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
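As an added example (not code from the slides or from Akana's product), the following Python sketch shows how the OAuth delegation on the preceding slides and the license-controlled scopes above fit together: a license fixes the scopes an app may ever hold, the authorization server issues a token carrying only the scopes that were requested, licensed and approved by the resource owner, and the resource server checks expiry and scope before serving a call. The `LICENSES` and `CLIENTS` tables, the in-memory `TOKENS` store and the function names are assumptions made for this example.

```python
import secrets
import time

# Constructed sample data (hypothetical apps and licenses, not from the slides).
LICENSES = {
    "bronze": {"profile:read"},
    "gold": {"profile:read", "orders:read", "orders:write"},
}
CLIENTS = {"mobile-app": "bronze", "partner-app": "gold"}
TOKENS = {}  # opaque access token -> metadata; stand-in for the OAuth server's token store


class AuthError(Exception):
    """Authorization failure with a short reason (maps to a 401/403 in an HTTP API)."""


def issue_token(client_id, requested_scopes, user_id, approved_scopes, ttl=3600, now=None):
    """Authorization server step. The token carries only scopes that are all three of:
    requested by the client, allowed by the app's license, and approved by the resource owner."""
    license_name = CLIENTS.get(client_id)
    if license_name is None:
        raise AuthError("unknown client")
    granted = set(requested_scopes) & LICENSES[license_name] & set(approved_scopes)
    if not granted:
        raise AuthError("no grantable scope")
    token = secrets.token_urlsafe(32)  # opaque, unguessable reference token
    issued_at = time.time() if now is None else now
    TOKENS[token] = {
        "client_id": client_id,
        "user_id": user_id,
        "scopes": granted,
        "expires_at": issued_at + ttl,
    }
    return token, granted


def validate_token(token, required_scope, now=None):
    """Resource server step: the token must exist, be unexpired, and carry the endpoint's scope.
    Returns the resource owner on whose behalf the call is made."""
    meta = TOKENS.get(token)
    if meta is None:
        raise AuthError("invalid token")
    current = time.time() if now is None else now
    if current >= meta["expires_at"]:
        raise AuthError("token expired")
    if required_scope not in meta["scopes"]:
        raise AuthError("insufficient scope")
    return meta["user_id"]


def get_orders(token, now=None):
    """A protected API operation: readable only with the orders:read scope."""
    owner = validate_token(token, "orders:read", now=now)
    return {"owner": owner, "orders": []}


if __name__ == "__main__":
    # A bronze-licensed app asks for more than its license allows; only profile:read is granted.
    tok, granted = issue_token("mobile-app", ["profile:read", "orders:read"],
                               "alice", ["profile:read", "orders:read"])
    print(granted)
    try:
        get_orders(tok)
    except AuthError as err:
        print("rejected:", err)
```

The intersection in `issue_token` is the point of the example: the user's approval alone cannot widen a token beyond the app's license, and the resource server never has to know about licenses at all, it only checks the scopes the token carries.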
Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API Keys with HMAC – Hash-based Message Authentication Code
Message Security
• Implement HTTPS
• JWS/JWE, XML Encryption & Signature
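As an added example (not code from the slides or from Akana), here is the HMAC pattern the bullet above refers to, in Python: instead of sending `app_key=mykey` as a query parameter, the client signs a canonical form of the request with the key and sends only the `app_id`, a timestamp and the signature; the server recomputes the HMAC with its copy of the key, compares in constant time and rejects stale timestamps. The `APP_KEYS` table, the `sign_request` and `verify_request` functions and the canonical-string layout are assumptions made for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample credential store: app_id -> shared secret issued at registration.
# (Hypothetical value for this example; in production this lives in the gateway's key store.)
APP_KEYS = {"myid": b"0f3b7c9e-example-secret-not-real"}


def canonical_string(method, path, params, app_id, timestamp):
    """Deterministic string-to-sign: method, path, sorted query params, app id, timestamp.
    Both sides must build exactly the same bytes, so parameter order is fixed by sorting."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, app_id, str(timestamp)])


def sign_request(method, path, params, app_id, app_key, timestamp=None):
    """Client side: derive a signature from the shared secret.
    The secret itself never goes on the wire, only app_id, ts and sig."""
    ts = int(time.time() if timestamp is None else timestamp)
    message = canonical_string(method, path, params, app_id, ts).encode()
    signature = hmac.new(app_key, message, hashlib.sha256).hexdigest()
    signed = dict(params)
    signed.update({"app_id": app_id, "ts": str(ts), "sig": signature})
    return signed


def verify_request(method, path, signed_params, now=None, max_skew=300):
    """Server side: recompute the HMAC over the received parameters and compare in
    constant time. Timestamps outside max_skew seconds are rejected to bound replay."""
    params = dict(signed_params)
    app_id = params.pop("app_id", None)
    ts = params.pop("ts", None)
    signature = params.pop("sig", None)
    if app_id is None or ts is None or signature is None:
        return False
    app_key = APP_KEYS.get(app_id)
    if app_key is None:
        return False
    try:
        ts = int(ts)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if abs(current - ts) > max_skew:
        return False
    message = canonical_string(method, path, params, app_id, ts).encode()
    expected = hmac.new(app_key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    req = sign_request("GET", "/resources/sample/foo", {"q": "x"}, "myid", APP_KEYS["myid"])
    print(req)                                                  # no app_key in the URL
    print(verify_request("GET", "/resources/sample/foo", req))  # True
```

The timestamp window only bounds replay; a gateway that must reject an exact replay within the window also records recently seen signatures (or a client nonce) and refuses duplicates. HTTPS is still required: the HMAC protects the key and the request's integrity, not the confidentiality of the payload.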
Threat Protection
• Denial of Service
• Injection Attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
Content Threats
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures.
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
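As an added example (not code from the slides or from Akana's gateway), the Python below implements the kind of content-firewall checks the bullets above describe, and also covers the HTTP Parameter Stuffing item from the Threat Protection slide: bounded header and parameter sizes, rejection of repeated query parameter names, a body size limit applied before parsing, and JSON depth and element limits applied after parsing so that deeply nested or enormous documents are refused before a handler sees them. The limit values, `ContentRejected` and the function names are assumptions made for this example; a real gateway makes the limits configurable per API.

```python
import json
from urllib.parse import parse_qsl

# Constructed policy limits (hypothetical values chosen for this example).
MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 20
MAX_JSON_ITEMS = 1000
MAX_PARAM_COUNT = 50
MAX_PARAM_LENGTH = 2048
MAX_HEADER_LENGTH = 8192


class ContentRejected(Exception):
    """Raised with a short reason when a request fails a content-firewall check."""


def json_depth_and_count(value):
    """Iterative walk over a parsed JSON value: returns (max container nesting depth,
    total number of object keys and array elements). Iterative so that the check
    itself cannot be driven into a RecursionError by hostile input."""
    max_depth, count = 0, 0
    stack = [(value, 1)] if isinstance(value, (dict, list)) else []
    while stack:
        node, depth = stack.pop()
        max_depth = max(max_depth, depth)
        count += len(node)
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            if isinstance(child, (dict, list)):
                stack.append((child, depth + 1))
    return max_depth, count


def inspect_request(query_string, headers, body_bytes):
    """Run the content-firewall checks in cheap-to-expensive order and return the parsed
    JSON body (or None when there is no body). Raises ContentRejected on the first failure."""
    # 1. Query string: bound parameter count and length, and refuse repeated names
    #    (HTTP parameter stuffing/pollution) before any handler sees them.
    params = parse_qsl(query_string, keep_blank_values=True)
    if len(params) > MAX_PARAM_COUNT:
        raise ContentRejected("too many query parameters")
    seen = set()
    for name, value in params:
        if name in seen:
            raise ContentRejected(f"duplicate query parameter: {name}")
        seen.add(name)
        if len(value) > MAX_PARAM_LENGTH:
            raise ContentRejected(f"query parameter too long: {name}")
    # 2. Headers: names are case-insensitive, so normalise before checking.
    lowered = {name.lower(): value for name, value in headers.items()}
    for name, value in lowered.items():
        if len(value) > MAX_HEADER_LENGTH:
            raise ContentRejected(f"header too long: {name}")
    # 3. Body: size limit before parsing, content type, then structural limits after parsing.
    if len(body_bytes) > MAX_BODY_BYTES:
        raise ContentRejected("body too large")
    if not body_bytes:
        return None
    if not lowered.get("content-type", "").startswith("application/json"):
        raise ContentRejected("unexpected content type")
    try:
        parsed = json.loads(body_bytes)
    except (ValueError, RecursionError):
        raise ContentRejected("malformed or excessively nested JSON") from None
    depth, count = json_depth_and_count(parsed)
    if depth > MAX_JSON_DEPTH:
        raise ContentRejected("JSON nesting too deep")
    if count > MAX_JSON_ITEMS:
        raise ContentRejected("too many JSON keys/elements")
    return parsed


if __name__ == "__main__":
    # Constructed sample request that passes every check.
    print(inspect_request("app_id=myid&q=1", {"Content-Type": "application/json"},
                          b'{"order": {"items": [1, 2, 3]}}'))
    try:
        inspect_request("id=1&id=2", {}, b"")
    except ContentRejected as err:
        print("rejected:", err)
```

The ordering matters for the DoS case: the byte-length check runs before `json.loads`, so an oversized body is refused without ever being parsed, and the nesting check runs on the parsed tree without recursion. Structural limits like these complement, rather than replace, per-API schema validation of the fields themselves.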
Quota Management/Rate Limiting
Restrict the number of calls an App can make
Apply controls based on context, affinity, segmentation etc.
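As an added example (not code from the slides or from Akana's product), here is a token-bucket rate limiter in Python that applies the slide's idea of context-based controls: the bucket key is built from the app id plus the API path, so quotas are segmented per app and per API, and the quota itself comes from the app's license tier. The `QUOTAS` numbers, `TokenBucketLimiter` and `handle_call` are assumptions made for this example.

```python
import time

# Constructed quota policies per license tier (hypothetical numbers, not from the slides).
QUOTAS = {
    "bronze": {"capacity": 5, "refill_per_sec": 1.0},
    "gold": {"capacity": 100, "refill_per_sec": 20.0},
}


class TokenBucketLimiter:
    """Token-bucket rate limiter. Each bucket key gets `capacity` tokens of burst and
    refills continuously at `refill_per_sec`; a call consumes one token or is refused.
    The key is whatever context the policy segments on, e.g. (app_id, api_path) or
    (app_id, client_ip), so one app's quota on one API is independent of the others."""

    def __init__(self, quotas):
        self.quotas = quotas
        self.buckets = {}  # key -> (tokens, last_update)

    def _refill(self, key, tier, now):
        """Tokens available at time `now`, after crediting the refill since the last update."""
        policy = self.quotas[tier]
        tokens, last = self.buckets.get(key, (float(policy["capacity"]), now))
        return min(float(policy["capacity"]), tokens + (now - last) * policy["refill_per_sec"])

    def allow(self, key, tier, now=None):
        """Return True and consume a token if the caller is within quota, else False."""
        now = time.monotonic() if now is None else now
        tokens = self._refill(key, tier, now)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False

    def retry_after(self, key, tier, now=None):
        """Seconds until one token is available; suitable for a Retry-After header."""
        now = time.monotonic() if now is None else now
        tokens = self._refill(key, tier, now)
        if tokens >= 1.0:
            return 0.0
        return (1.0 - tokens) / self.quotas[tier]["refill_per_sec"]


def handle_call(limiter, app_id, api_path, tier, now=None):
    """Gateway-style decision for one call: 200 when allowed, 429 plus Retry-After when not."""
    key = (app_id, api_path)
    if limiter.allow(key, tier, now=now):
        return {"status": 200}
    return {"status": 429, "retry_after": limiter.retry_after(key, tier, now=now)}


if __name__ == "__main__":
    limiter = TokenBucketLimiter(QUOTAS)
    # A bronze app bursts past its capacity of 5 and the sixth call is refused.
    for _ in range(6):
        print(handle_call(limiter, "myid", "/resources/sample", "bronze", now=100.0))
```

Injecting `now` keeps the limiter deterministic for tests; in a gateway cluster the bucket state would live in a shared store so that all nodes enforce the same quota for a key.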
API Gateway
Gateway
Security
Authentication
Protection
IAM Integration
Encryption
Mediation
Quality of Service
Paging/Caching
Orchestration
Scripting
MANAGING AND AUTOMATING SECURITY
Credit: Peter Cheslock
Govern and Manage your Development/Deployment Process
• API initiatives need to be integrated with your DevOps
• Define and track multiple APIs and versions, and the dependencies on those versions, throughout the process.
• Integrate with your development tools – IDE, GitHub, Chef, Puppet
• Integrate with your deployment tools
API Lifecycle
Automated Governance of Apps
• User and App onboarding
– Configurable forms to gather user/app info, collect agreements, etc.
– Configurable role-based notifications and approvals
• Mobile app based API SDLC approvals
– Deliver approval requests to stakeholders on their preferred platform
• DevOps automation
API Resources and API University
• Resource Center – http://resource.akana.com/
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc