CIS14: Protecting Your APIs from Threats and Hacks
Transcript of CIS14: Protecting Your APIs from Threats and Hacks
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal, @sachinagarwal
What is an API?
(Diagram: Your Application – Your API – Your Customers)
APIs – Extend the Reach of your Business
EVOLUTION OF DIGITAL CHANNELS
Client-Server / Web Applications
• No programmatic access
• Security through network isolation
• Limited users
Access locations and variability of operations were limited.
Web Services
The enterprise opened slightly with Web Services/SOAP:
• SSL/TLS, certificate-based, PKI, WS-Trust
• Some B2B and partner applications
• Complex, but quite secure and flexible
And then came APIs
Disrupting how and where information is accessed:
• Mobile and social apps don't understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
Realizing End-to-End Security
• Managing the user experience
• Securing the app – PII, PHI
• Enabling easy developer access
• Securing the channel
• Securing the backend
Understanding the Security Landscape
API-specific security:
• Protocol-specific threats
• Key management
• OAuth
• Monitoring
• Licensing
• Security token mediation
Other layers shown on the slide: Single Sign-On, MDM; ATP, firewall, VPN, etc.
UNDERSTANDING API SECURITY
The API Lifecycle (diagram)
Stages: Transform & Secure, Publish, Monetize, Dev. Adoption
Capabilities: SOAP to REST, mobile optimization, OAuth, mediation, analytics, API documentation
API producers (applications and services) on one side, API consumers (apps) on the other
API Security
1. Authentication & Authorization
2. App Key Validation / Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting
(Diagram label: Developers)
Authentication / Authorization / SSO
Control and restrict access to your APIs. Make it easy yet secure.
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another.
Roles shown: User / Resource Owner, Client App, Resource Server
OAuth Flow (diagram)
OAuth – You need
• OAuth clients
– Provisioning
– Approval flow
• OAuth server
– Identity integration
– Token validation
– Token issue/refresh
• Token mediation (SAML, LDAP, etc.), QoS, monitoring, policy management, API proxying, reporting, analytics
OAuth is hard and complicated.
Licensing
Package your APIs in different ways. Use API keys to restrict what the app can access.
The licenses control:
– OAuth authorization scopes
– Document visibility
– Quota policies
Message and Parameter Security
HTTP parameters
• Example of an API key passed as a query parameter: http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API keys with HMAC – Hash-based Message Authentication Code
Message security
• Implement HTTPS
• For XML payloads, encrypt specific parts of the message
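As an added illustration (not from the slides or SOA Software's product), this shows the HMAC idea above: the app key stays on the client and server as a shared secret, only app_id, a timestamp and an HMAC-SHA256 signature travel in the query string, and the server recomputes and compares the MAC. The credentials, the signing layout (method, path, sorted parameters) and the 300-second skew limit are assumptions chosen for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode

# Constructed sample credentials (not real). The secret is shared between the
# client and the API gateway and is never sent on the wire.
APP_SECRETS = {"myid": b"mykey-constructed-secret"}
MAX_SKEW_SECONDS = 300  # assumed replay window


def canonical_string(method, path, params):
    # Sign method, path and all sorted parameters except the signature itself,
    # so tampering with any of them invalidates the MAC.
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return f"{method.upper()}\n{path}\n{urlencode(items)}"


def sign_request(method, path, params, app_id, now=None):
    """Client side: add app_id and a timestamp, then an HMAC-SHA256 signature."""
    ts = int(now if now is not None else time.time())
    params = dict(params, app_id=app_id, ts=str(ts))
    msg = canonical_string(method, path, params).encode()
    params["sig"] = hmac.new(APP_SECRETS[app_id], msg, hashlib.sha256).hexdigest()
    return params


def verify_request(method, path, params, now=None):
    """Server side: look up the secret by app_id, reject unknown apps, stale
    timestamps and bad signatures. Returns (ok, reason)."""
    secret = APP_SECRETS.get(params.get("app_id"))
    if secret is None:
        return False, "unknown app_id"
    try:
        ts = int(params.get("ts", ""))
    except ValueError:
        return False, "bad timestamp"
    now = now if now is not None else time.time()
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    msg = canonical_string(method, path, params).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature through timing.
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "signature mismatch"
    return True, "ok"
```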
Threat Protection
• Denial of service
• Injection attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross-site scripting
• Network address and range blacklists/whitelists
• HTTP parameter stuffing
Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content, including message headers, form and query parameters, XML and JSON data structures
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
Quota Management / Rate Limiting
Restrict the number of calls an app can make. Apply controls based on context, affinity, segmentation, etc.
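As an added example (not from the slides), this ties the Licensing and Rate Limiting points together: each app key maps to a license, the license defines the quota, and a per-app sliding window enforces it. The license tiers, app ids and quota values are constructed for the example.

```python
from collections import deque

# Constructed sample data: a license defines (calls, window_seconds);
# each app key is bound to exactly one license.
LICENSE_QUOTAS = {"free": (10, 60), "partner": (1000, 60)}
APP_LICENSES = {"app-free-1": "free", "app-partner-1": "partner"}


class RateLimiter:
    """Sliding-window rate limiter keyed by app_id; the limit comes from the
    app's license rather than being a single global number."""

    def __init__(self):
        # app_id -> timestamps of calls still inside the window
        self._calls = {}

    def allow(self, app_id, now):
        license_name = APP_LICENSES.get(app_id)
        if license_name is None:
            return False, "unknown app"  # no valid key, no access at all
        limit, window = LICENSE_QUOTAS[license_name]
        q = self._calls.setdefault(app_id, deque())
        # Drop calls that have aged out of the window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            return False, f"quota exceeded ({limit} per {window}s)"
        q.append(now)
        return True, "ok"
```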
API Gateway
Gateway capabilities (diagram): Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
API Resources and API University
• Resource Center – http://resource.soa.com/
• Webinar recordings – http://resource.soa.com/resource/webinars
• Follow us on:
– www.facebook.com/soasoftware
– www.linkedin.com/company/soasoftware
– @soasoftwareinc
Questions
• @sachinagarwal