API Security in a Microservices World

•

3 recomendaciones•1,035 vistas

A microservice architecture brings new challenges to API Security and careful design needs to be applied at operations and development level to ensure corporate data is properly protected from unwanted access. In this session we explain what API security encompasses, why API security needs to be considered as early as possible in the lifecycle of the microservices, how known standards such as OAuth and OpenID Connect can be leveraged to authenticate and authorize access to microservices and give practical examples and recommendations for the design and deployment of microservice architectures.

Software

6/20/191
API Security in a micro-services world

6/20/19
I.1. Micro-services concepts: what is it?
Microservices-based application system:
Ú Multiple components (microservices) that communicate with each other using
RPC (synchronous ) or messaging system (asynchronous).
Ú Each microservice implements one distinct business process or functionality.
Ú Each microservice is a mini-application
– implements its own business logic
– various adapters for carrying out functions such as database access and messaging
Ú Most microservices expose a RESTful API
Ú Often cloud native (Kubernetes like infrastructures) and deployed in the cloud
Ú DevOps processes -> SECDevOps

6/20/19
I.2. Micro-services concepts: design goals
Each micro-service:
Ú Is developed, secured, deployed by a single SecDevOps team.
Ú Is operated (managed, replicated, scaled, upgraded, …) independently of other
microservices.
Ú Exposes a single function.
Ú Are as stateless as possible.
Which provides:
Ú Autonomy
Ú No coupling
Ú Composability
Ú Alignment with business processes

6/20/19
I.3. Micro-services concepts: architecture
Two main architectural frameworks:
Ú API Gateway based
Ú Service mesh based (Istio like infrastructures)
– Data plane with side-car proxies
– Control plane (monitoring, key service, routing, service registration etc)
We advise to use both!
Ú An API Gateway to act as the Ingress controller
– Using opaque access tokens for external consumption
– Exchanging opaque tokens against JWTs for internal services consumption
Ú Micro API Firewalls as last mile security PEPs -> Defense in-depth is key!!!

6/20/19
I.4. Advised architecture
A
P
I
G
a
t
e
w
a
y
µAPIFW
µAPIFW

6/20/19
II.1 Micro-services : Security challenges
“I have SSL/TLS and OAuth in place, isn't that enough ??! “
Too many customers…

II.2. Micro-services Security: Security challenges
Authentication
(Validation and OIDC
Flows)
Integrity
Data has not been
tampered with
Audit
(Forensics)
Confidentiality
Data can’t be seen in
flight
Availability
(Rate Limiting)
Authorization
(Access Control
and OAuth
flows)
Non Repudiation
(Legal Compliance)
Traffic Validation
(Attacks Protection)
6/20/19

6/20/19
III.1. From DevOps to SecDevOps
Monitor
Develop
Monitor Security
Vulnerabilities and
runtime behaviour
Scan
Continuous API hardening
including API fuzzing
Deploy
Deploy to containerised
PEP
Protect
Configure and apply
security policies from
assessed risk
Audit
Assess API description
and evaluate risk level
Develop and document API
with OpenAPI/Swagger

6/20/19
IV.1. Good papers on micro-services security
Ú NIST Draft on Security Strategies to secure Microservices-based Application
Systems (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204-
draft.pdf).
Ú CA Securing Microservices APIs document
(https://www.ca.com/content/dam/ca/us/files/ebook/securing-microservice-
apis-sustainable-and-scalable-access-control.pdf)

Más contenido relacionado

La actualidad más candente

WATCH WEBINAR: https://youtu.be/LLVOouA4pbs Over the past 6 months, we have discovered many similarities across APIs from companies from very different industries. "This is an eye opener" is the most recurring comment from our prospects. We thought it would be worth sharing our findings in this webinar. Through a mix of slides and demos, we will describe the top 5 issues our security audit reports, what they are and why they matter, including: - Potentials attacks linked to each issue - How they can be remediated - Example request/response and reports

Top API Security Issues Found During POCs

42Crunch

Guidelines to protect your APIs from threats

Isabelle Mauny

The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect. Downside: The more APIs, the higher the security risk! API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs. Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language. In this presentation you will learn: Security risks at each stage of the API lifecycle, and how to mitigate them. How to implement an end-to-end automated API security model that development, security and operations teams will love. How to think positive! Why a positive security model works.

The Dev, Sec and Ops of API Security - NordicAPIs

42Crunch

In loosely coupled architectures, we must put in place application level security, should it be for client traffic (North-South) or intra-microservices traffic (East-West). In this webinar, we show you how the 42Crunch API firewall can be used to put API threat protection in place automatically, as early as design time. We’ll use a mix of slides and demos to present: (1) The various elements of security to consider in order to cover the full API security scope (infrastructure vs application level security) (2) Which threat protections must be put in place in a microservices architecture, and where (3) How to leverage OpenAPI (aka Swagger) to configure threat protection from design time (4) How to automate threat protection deployment

Protecting Microservices APIs with 42Crunch API Firewall

42Crunch

API Security Guidelines: Beyond SSL and OAuth.

Isabelle Mauny

Security in microservices architectures

inovia

Checkmarx meetup API Security - API Security top 10 - Erez Yalon

Adar Weidman

Five Principles to API Security

Isabelle Mauny

API Security and Management Best Practices

CA API Management

In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: What makes API Security different from web application security The OWASP API Security Top 10 Real world breaches and mitigation strategies for each of the risks

OWASP API Security Top 10 - Austin DevSecOps Days

42Crunch

OWASP API Security Top 10 Examples

42Crunch

In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: · What makes API Security different from web application security · The top 10 common API security vulnerabilities · Examples and mitigation strategies for each of the risks

OWASP API Security Top 10 - API World

42Crunch

APISecurity_OWASP_MitigationGuide

Isabelle Mauny

The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to its proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome. In this deck, we discuss: - The need for API/Microservices Security - The importance of delegating security enforcement to an API Gateway - API Authentication and Authorization methodologies - OAuth2 - The de-facto standard of API Authentication - Protection against cyber attacks and anomalies - Security aspects to consider when designing Single Page Applications (SPAs) Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/

API Security In Cloud Native Era

WSO2

WATCH WEBINAR: https://youtu.be/zTkv_9ChVPY In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: What makes API Security different from web application security The OWASP API Security Top 10 Real world breaches and mitigation strategies for each of the risks

WEBINAR: OWASP API Security Top 10

42Crunch

OWASP API Security TOP 10 - 2019

Miguel Angel Falcón Muñoz

WATCH WEBINAR: https://youtu.be/558MFgH1t9g JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT are often mis-used and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper of validation. This session focuses on best practices and real world examples of JWT usage, where we cover: - Typical scenarios where using JWT is a good idea - Typical scenarios where using JWT is a bad idea! - Principles of Zero trust architecture and why you should always validate - Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t. - Use cases when encryption may be required for JWT

Are You Properly Using JWTs?

42Crunch

WATCH WEBINAR: https://youtu.be/SywcVCvgXP0 Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or o¬utput validation. Here are a few illustrative real-life examples on this: • Drupal suffered a major issue in February 2019: a remote code execution flaw due to a parameter not properly validated. • Tchap, the brand new messaging app of the French government was hacked in an hour due to the lack of validation of the registration email. • CVE-2017-5638, better known as the “Equifax attack”. This vulnerability in Apache Struts could be exploited by crafting a custom Content-Type header and embedding ONGL expressions in the header value. • Cisco got fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product that included API vulnerabilities to the US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication. To protect APIs from such issues, an API-native, positive security approach is required: we create a whitelist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, min or max length, permitted characters, or valid values ranges. But how do we fill the gap between security and development mentioned above? What you’ll learn: • Why WAFs fail in protecting APIs • How a whitelist protects against A3, A6 and A8 of the OWASP API Security Top 10 – (with real-life examples) • How to build a proper whitelist for API security

WEBINAR: Positive Security for APIs: What it is and why you need it!

42Crunch

Checkmarx meetup API Security - API Security in depth - Inon Shkedy

Adar Weidman

Better API Security with Automation

42Crunch

La actualidad más candente (20)

Top API Security Issues Found During POCs

Guidelines to protect your APIs from threats

The Dev, Sec and Ops of API Security - NordicAPIs

Protecting Microservices APIs with 42Crunch API Firewall

API Security Guidelines: Beyond SSL and OAuth.

Security in microservices architectures

Checkmarx meetup API Security - API Security top 10 - Erez Yalon

Five Principles to API Security

API Security and Management Best Practices

OWASP API Security Top 10 - Austin DevSecOps Days

OWASP API Security Top 10 Examples

OWASP API Security Top 10 - API World

APISecurity_OWASP_MitigationGuide

API Security In Cloud Native Era

WEBINAR: OWASP API Security Top 10

OWASP API Security TOP 10 - 2019

Are You Properly Using JWTs?

WEBINAR: Positive Security for APIs: What it is and why you need it!

Checkmarx meetup API Security - API Security in depth - Inon Shkedy

Better API Security with Automation

Similar a API Security in a Microservices World

APIdays Helsinki 2019 - Impact of Microservices Architecture on API Managemen...

apidays

[WSO2 API Day Dallas 2019] Extending Service Mesh with API Management

WSO2

[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...

WSO2

Uncover the Flex Gateway with a Demonstration (1).pdf

Pankaj Goyal

Uncover the Flex Gateway with a Demonstration (1).pdf

PankajGoyal164048

Developing and managing hundreds (or maybe thousands) of microservices at scale is a challenge for both development and operations teams. We have seen over the last years the appearance of new frameworks dedicated to deliver ‘Cloud Native’ applications by providing a set of (out of box) building blocks. Most of these frameworks integrate microservices concerns at the code level. Recently, we have seen the emerging of a new pattern known as sidecar or proxy promoting to push all these common concerns outside of the business code and provides them on the edge by integrate a new layer to the underlying platform called Service Mesh. Istio is one of the leading Service Mesh implementing sidecar pattern. We will go during the presentation throw the core concepts behind Istio, the capabilities that provides to manage, secure and observe microservices and how it gives a new breath for both developers and operations. The presentation will be guided by a sequence of demo exposing Istio capabilities.

Managing microservices with Istio Service Mesh

Rafik HARABI

Virtual Meetup - API Security Best Practices

Jimmy Attia

APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...

apidays

[WSO2 API Day Toronto 2019] Extending Service Mesh with API Management

WSO2

Istio a service mesh

Chandresh Pancholi

Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...

Ricardo Rodríguez

Microservice architecture-api-gateway-considerations

Imam Uddin Ahamed - PRINCE2 ® , ITIL ®

apidays Hong Kong 2022 - API-First Digital Transformation & Platform Economy August 24 & 25, 2022 Why is API Gateway essential to business Zhiyuan Ju, Head of Global at API7.ai ------------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

apidays Hong Kong - Why is API Gateway essential to business, Zhiyuan Ju, API...

apidays

Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront

Ory Segal

Building APIs in a Cloud Native Era

Nuwan Dias

apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias

apidays

APIdays Paris 2019 - Delivering the Modern API: Know What it Takes by Nuwan D...

apidays

Microservice - Intro and Discussion

SagarDevkota8

O'Reilly Software Architecture Conference 2018 (London) Continuous delivery for 12-factor Microservices works because it’s by design. When you can architect a solution for continuous delivery, you control all the angles but what do you do when you don’t have that luxury? This session will highlight how modernizing existing IT infrastructure with containers enables you to manage change through continuous delivery and reduce ongoing operational costs. Abstract While the industry has promoted a dramatic trend to build new, improved styles of architecture; there remains a gap in how to address the ongoing and continuous improvement and operation of existing enterprise IT systems alongside these new 12-factor apps. In this session, we will review why 12-factor apps are a natural fit for Kubernetes by design. We will demonstrate how Kubernetes addresses virtually all of the 12 factors for scalable web apps. Then we will take a step back and consider the important question: how well will stateful and transactional workloads that were not designed for 12-factor be able to run within Kubernetes? Even with purist gaps from 12-factor for traditional enterprise workloads, there are real benefits to velocity and cost management to move stateful and transactional workloads to containers. With a container based orchestrator like Kubernetes, all workload types can take advantage of automated DevOps release pipelines, provide rich feedback loops with canary testing, leverage better automated failure recovery in production, and provide easier visibility into the operational health of services running within Kubernetes. Leveraging a standard platform for a blend of architectural types enables an enterprise to standardize operational practices for across the board. The end result might be the right path for your enterprise to drive your digital transformation.

An architect’s guide to leveraging your incumbency

Michael Elder

KubeConRecap_nakamura.pdf

Hitachi, Ltd. OSS Solution Center.

Similar a API Security in a Microservices World (20)

APIdays Helsinki 2019 - Impact of Microservices Architecture on API Managemen...

[WSO2 API Day Dallas 2019] Extending Service Mesh with API Management

[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...

Uncover the Flex Gateway with a Demonstration (1).pdf

Managing microservices with Istio Service Mesh

Virtual Meetup - API Security Best Practices

APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...

[WSO2 API Day Toronto 2019] Extending Service Mesh with API Management

Istio a service mesh

Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...

Microservice architecture-api-gateway-considerations

apidays Hong Kong - Why is API Gateway essential to business, Zhiyuan Ju, API...

Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront

Building APIs in a Cloud Native Era

apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias

APIdays Paris 2019 - Delivering the Modern API: Know What it Takes by Nuwan D...

Microservice - Intro and Discussion

An architect’s guide to leveraging your incumbency

KubeConRecap_nakamura.pdf

Último

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

masabamasaba

InShot proinshot.com stands tall among its peers as the ultimate video editing app, offering simplicity, versatility, and power in one package. With its intuitive interface and comprehensive feature set, InShot caters to both beginners and seasoned editors alike. Whether you're creating content for social media, YouTube, or personal projects, InShot empowers you to unleash your creativity and transform your videos into captivating masterpieces. Join the millions of users who trust InShot https://www.proinshot.com/ for all their video editing needs and discover the difference for yourself!

Exploring the Best Video Editing App.pdf

proinshot.com

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

Conference: Engage2024 in Antwerp Type: Workshop Speakers: Florian Vogler, Henning Kunz, Christoph Adler Title: Navigating the Future with The Hitchhiker's Guide to Notes and Domino 14 Abstract: Embark on an exhilarating journey with industry trailblazers Florian Vogler, Henning Kunz, and Christoph Adler in this not-to-be-missed workshop at the forefront of the tech universe. Get ready for a thrilling kick-off as we navigate the current state of the HCL universe, setting the stage for an exploration of the groundbreaking Notes and Domino 14. Discover the latest enhancements and revolutionary features that will redefine your experience. In this interactive session, unlock a treasure trove of tips and tricks to elevate your utilization of version 14, both with and without the game-changing panagenda MarvelClient. Brace yourself for also diving into Nomad, Nomad Web, and VoltMX, expanding your horizons in the expansive HCL landscape. Be a part of this exclusive opportunity to stay ahead in the ever-evolving world of HCL technologies. Your journey to mastering Notes and Domino 14 begins here. And remember, in the spirit of intergalactic exploration, don't forget to bring your towel!

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

panagenda

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified

Delhi Call girls

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

masabamasaba

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456

KiaraTiradoMicha

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In Chinsurah ❤Personal Whatsapp Number Chinsurah Call Girls 8617697112 💦✅. Chinsurah escorts we are avaliable for our all types budget customers with offer great deals in Chinsurah.Call Now our Chinsurah escort service & call girls ... Independent call girls in Chinsurah escorts available 24 hours a day for discreet incall and outcall bookings from trusted call girls - Elis.in. Nitya salvi Chinsurah escorts service agency # Are you looking for sexy call girls ? Call our agency to get you dream independent call girl, ... One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Flexibility Choices and options Lists of many beauty fantasies Turn your dream into reality Perfect companionship Cheap and convenient In-call and Out-call services And many more. WhatsApp Chat: 📞 8617697112 Visit The Website : https://www.nityasalvi.com/

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...

Nitya salvi

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

ManageIQ - Sprint 236 Review - Slide Deck

ManageIQ

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

API Security in a Microservices World

1. 6/20/191 API Security in a micro-services world

2. 6/20/19 I. Micro-services concepts

3. 6/20/19 I.1. Micro-services concepts: what is it? Microservices-based application system: Ú Multiple components (microservices) that communicate with each other using RPC (synchronous ) or messaging system (asynchronous). Ú Each microservice implements one distinct business process or functionality. Ú Each microservice is a mini-application – implements its own business logic – various adapters for carrying out functions such as database access and messaging Ú Most microservices expose a RESTful API Ú Often cloud native (Kubernetes like infrastructures) and deployed in the cloud Ú DevOps processes -> SECDevOps

4. 6/20/19 I.2. Micro-services concepts: design goals Each micro-service: Ú Is developed, secured, deployed by a single SecDevOps team. Ú Is operated (managed, replicated, scaled, upgraded, …) independently of other microservices. Ú Exposes a single function. Ú Are as stateless as possible. Which provides: Ú Autonomy Ú No coupling Ú Composability Ú Alignment with business processes

5. 6/20/19 I.3. Micro-services concepts: architecture Two main architectural frameworks: Ú API Gateway based Ú Service mesh based (Istio like infrastructures) – Data plane with side-car proxies – Control plane (monitoring, key service, routing, service registration etc) We advise to use both! Ú An API Gateway to act as the Ingress controller – Using opaque access tokens for external consumption – Exchanging opaque tokens against JWTs for internal services consumption Ú Micro API Firewalls as last mile security PEPs -> Defense in-depth is key!!!

6. 6/20/19 I.4. Advised architecture A P I G a t e w a y µAPIFW µAPIFW

7. 6/20/19 II. Security Challenges

8. 6/20/19 II.1 Micro-services : Security challenges “I have SSL/TLS and OAuth in place, isn't that enough ??! “ Too many customers…

9. II.2. Micro-services Security: Security challenges Authentication (Validation and OIDC Flows) Integrity Data has not been tampered with Audit (Forensics) Confidentiality Data can’t be seen in flight Availability (Rate Limiting) Authorization (Access Control and OAuth flows) Non Repudiation (Legal Compliance) Traffic Validation (Attacks Protection) 6/20/19

10. II.3. Real-life example: FAPI Financial APIS Security Profile Auth Grant Types OpenID Connect Flows TLS Settings Message Confidentiality Non-Repudiation Message Integrity 6/20/19

11. 6/20/19 III. Organisational Challenges

12. 6/20/19 III.1. From DevOps to SecDevOps Monitor Develop Monitor Security Vulnerabilities and runtime behaviour Scan Continuous API hardening including API fuzzing Deploy Deploy to containerised PEP Protect Configure and apply security policies from assessed risk Audit Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger

13. 6/20/19 IV. Food for thoughts

14. 6/20/19 IV.1. Good papers on micro-services security Ú NIST Draft on Security Strategies to secure Microservices-based Application Systems (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204- draft.pdf). Ú CA Securing Microservices APIs document (https://www.ca.com/content/dam/ca/us/files/ebook/securing-microservice- apis-sustainable-and-scalable-access-control.pdf)

API Security in a Microservices World

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a API Security in a Microservices World

Similar a API Security in a Microservices World (20)

Último

Último (20)

API Security in a Microservices World