API Security: Securing Digital Channels and Mobile Apps Against Hacks
Transcript of API Security: Securing Digital Channels and Mobile Apps Against Hacks
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal, VP, Product Marketing
API and SOA Resources
• Resource Center – http://resource.soa.com/
• Webinar Recording – http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc
What is an API?
Your Application → Your API → Your Customers
APIs – Extend the Reach of your Business
EVOLUTION OF DIGITAL CHANNELS
Client-Server/ Web Applications
• No Programmatic Access
• Security through network isolation
• Limited Users
Access locations and variability of operations were limited
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, Certificate based, PKI, WS-Trust
• Some B2B and Partners applications
• Complex, but quite secure and flexible
And then came APIs
Disrupting how and where information is accessed
• Mobile and social apps don't understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
Realizing End-to-End Security
Managing the User Experience
Securing the App - PII, PHI
Enabling Easy Developer Access
Securing the Channel
Securing the Backend
Understanding the Security Landscape
• Protocol specific threats
• Key Management
• OAuth
• Monitoring
• Licensing
• Security Token Mediation
Layers: API Specific Security; Single Sign On, MDM; ATP, Firewall, VPN etc.
UNDERSTANDING API SECURITY
The API Lifecycle
Stages: Transform & Secure, Publish, Monetize, Dev. Adoption
Capabilities: SOAP to REST, Mobile Optimization, OAuth, Mediation, Analytics, API Documentation
API Producers (Applications and Services) → API → API Consumers (Apps)
API Security
1. Authentication & Authorization
2. App Key Validation/Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting
Developers
Authentication/Authorization/SSO
Control and restrict access to your APIs. Make it easy yet secure.
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
User
Resource Owner
Client App
Resource Server
OAuth Flow
OAuth – You need
• OAuth Clients
• Provisioning
• Approval Flow
• OAuth Server
• Identity Integration
• Token Validation
• Token Issue/refresh
• Token Mediation (SAML, LDAP etc)
• QoS, Monitoring
• Policy Management
• API Proxying
• Reporting
• Analytics
OAuth is hard and complicated
Licensing
Package your APIs in different ways. Use API keys to restrict what the App can access.
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API Keys with HMAC – Hash-based Message Authentication Code
Message Security
• Implement HTTPS
• For XML payloads encrypt specific parts of the message
Threat Protection
• Denial of Service
• Injection Attacks – Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures.
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
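The threat protection and content filtering slides above list what a gateway checks before a request reaches the backend: network address blacklists/whitelists, HTTP parameter stuffing, and JSON structures that are malformed or deep enough to exhaust a parser. The following added example, in Python and not SOA Software's gateway code, shows one positive-validation pass over a request: an allowlist of parameter names, rejection of repeated parameters, a blocked network range, a body size cap and a JSON nesting limit. The allowed parameter names, the blocked range (TEST-NET-3, a documentation range), the size and depth limits and the sample requests are all constructed for the demo.

```python
import ipaddress
import json
from urllib.parse import parse_qs

# Constructed policy for the demo. In a gateway these come from the policy store.
ALLOWED_PARAMS = {"app_id", "page", "limit"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range used as a sample
MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 8


def json_depth(obj, depth: int = 1) -> int:
    """Nesting depth of a parsed JSON value (a scalar is depth 1)."""
    if isinstance(obj, dict):
        return max([json_depth(v, depth + 1) for v in obj.values()] or [depth])
    if isinstance(obj, list):
        return max([json_depth(v, depth + 1) for v in obj] or [depth])
    return depth


def check_request(client_ip: str, query: str, body: bytes) -> list[str]:
    """Return the list of policy findings for one request; an empty list means pass.

    Each check adds a short tag so the gateway can log the reason and answer
    with a generic 4xx without echoing the offending input back to the caller.
    """
    findings = []

    # Network address and range blacklist.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        findings.append("blocked-network")

    # Query parameters: allowlist of names, and no parameter may appear twice.
    # Repeated parameters are the classic HTTP parameter stuffing/pollution case,
    # where gateway and backend may pick different values.
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        if name not in ALLOWED_PARAMS:
            findings.append(f"unknown-param:{name}")
        if len(values) > 1:
            findings.append(f"duplicate-param:{name}")

    # Body: size cap first (cheap), then structure checks on the parsed JSON.
    if len(body) > MAX_BODY_BYTES:
        findings.append("body-too-large")
    else:
        try:
            parsed = json.loads(body)
        except ValueError:
            findings.append("malformed-json")
        else:
            if json_depth(parsed) > MAX_JSON_DEPTH:
                findings.append("json-too-deep")

    return findings


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("198.51.100.7", "app_id=myid&page=2", b'{"name": "sample"}'),
        ("203.0.113.5", "app_id=myid", b"{}"),
        ("198.51.100.7", "app_id=myid&page=1&page=2&debug=1", b"{}"),
        ("198.51.100.7", "app_id=myid", b"[" * 20 + b"]" * 20),
    ]
    for ip, query, body in samples:
        print(ip, query, check_request(ip, query, body))
```

The checks are all positive validation (what is allowed) rather than pattern matching for known-bad strings, which is why the example does not carry an injection signature list: a parameter that is not on the allowlist, or appears twice, is rejected regardless of its content, and the backend only ever sees well-formed, bounded input.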
Quota Management/Rate Limiting
Restrict the number of calls an App can make. Apply controls based on context, affinity, segmentation etc.
SOA Software API Gateway
Gateway: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
The SOA Software API Platform
Analytics
Developer Engagement
Gateway Services
Service Integration
Lifecycle Management
Flexible Deployment Model
SOA Software API Platform Capabilities
Platform: Licensing, Quota Mgmt., Partner Mgmt., PCI Compliance, Provisioning, Policy Mgmt., Monitoring, OAuth, Federation, Analytics
Lifecycle: API/Services, Application, User, Compliance, Integrations
Gateway: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
API Portal: Search, Documentation, Groups, Social
Questions
API and SOA Resources
• Resource Center – http://resource.soa.com/
• Webinar Recording – http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc