Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal
@sachinagarwal

What is an API?
Your Application / Your API / Your Customers

APIs – Extend the Reach of your Business

EVOLUTION OF DIGITAL CHANNELS

Client-Server / Web Applications
•  No Programmatic Access
•  Security through network isolation
•  Limited Users
Access locations and variability of operations were limited

Web Services
The enterprise opened slightly with Web Services/SOAP
•  SSL/TLS, certificate based, PKI, WS-Trust
•  Some B2B and partner applications
•  Complex, but quite secure and flexible

And then came APIs
Disrupting how and where information is accessed
•  Mobile and social apps don't understand PKI, WS-Security, etc.
•  Focus on human readability and developer adoption

Realizing End-to-End Security
•  Managing the user experience
•  Securing the app (PII, PHI)
•  Enabling easy developer access
•  Securing the channel
•  Securing the backend

Understanding the Security Landscape
API-specific security:
•  Protocol specific threats
•  Key management
•  OAuth
•  Monitoring
•  Licensing
•  Security token mediation
Underlying layers: Single Sign On, MDM; ATP, firewall, VPN etc.

UNDERSTANDING API SECURITY

The API Lifecycle
Stages: Transform & Secure -> Publish -> Monetize -> Dev. Adoption
Capabilities along the way: SOAP to REST, mobile optimization, OAuth, mediation, analytics, API documentation
API Producers (applications and services) sit on one side of the API, API Consumers (apps) on the other

API Security
Controls applied to Developers' apps:
1. Authentication & Authorization
2. App Key Validation / Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting

Authentication / Authorization / SSO
Control and restrict access to your APIs
Make it easy yet secure

Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
Roles: User (Resource Owner), Client App, Resource Server

OAuth Flow

OAuth – You need
•  OAuth Clients
•  Provisioning
•  Approval Flow
•  OAuth Server
•  Identity Integration
•  Token Validation
•  Token Issue/refresh
•  Token Mediation (SAML, LDAP etc.)
•  QoS, Monitoring
•  Policy Management
•  API Proxying
•  Reporting
•  Analytics
OAuth is hard and complicated

Licensing
Package your APIs in different ways
Use API keys to restrict what the App can access
The licenses control:
–  OAuth Authorization Scopes
–  Document visibility
–  Quota policies
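The two slides above (OAuth delegation, and licenses that control scopes, document visibility and quota) fit together in code. The following Python is an added example, not code from the deck or from SOA Software: an authorization server that only issues a token when the resource owner approves and the requested scopes fall inside the license bound to the app key, and a resource server that validates the token and its scope on each call. The License, AuthorizationServer and ResourceServer classes, the two license packages, the app registry and the user names are all constructed for illustration.

```python
"""Added example (not from the deck or SOA Software): an OAuth-style
delegation in which the license bound to the app key limits the scopes a
token may carry. License, AuthorizationServer, ResourceServer and all sample
apps, users and scopes are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class License:
    name: str
    scopes: frozenset        # OAuth authorization scopes the package allows
    quota_per_day: int       # quota policy attached to the package
    visible_docs: frozenset  # API documentation the developer may see


# Constructed: the same API packaged as two licenses.
LICENSES = {
    "free": License("free", frozenset({"profile:read"}), 1_000, frozenset({"profile"})),
    "partner": License("partner", frozenset({"profile:read", "orders:read", "orders:write"}),
                       100_000, frozenset({"profile", "orders"})),
}
# Constructed app registry: app_id -> license name.
APPS = {"mobile-app-1": "free", "partner-app-9": "partner"}


@dataclass
class Token:
    app_id: str
    user: str
    scopes: frozenset
    expires_at: float


def visible_docs(app_id):
    """Document visibility is a license property, like scopes and quota."""
    return LICENSES[APPS[app_id]].visible_docs


class AuthorizationServer:
    """Issues opaque access tokens once the resource owner has approved."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._tokens = {}  # token value -> Token

    def authorize(self, app_id, user, requested_scopes, user_approved):
        if app_id not in APPS:
            raise PermissionError("unknown client")
        lic = LICENSES[APPS[app_id]]
        requested = frozenset(requested_scopes)
        # The license bounds what the client may ask for. Fail closed instead of
        # silently narrowing, so the developer sees why the request was refused.
        if not requested <= lic.scopes:
            raise PermissionError(f"scopes {sorted(requested - lic.scopes)} not in license {lic.name}")
        if not user_approved:
            raise PermissionError("resource owner denied")
        value = secrets.token_urlsafe(32)
        self._tokens[value] = Token(app_id, user, requested, time.time() + self.ttl)
        return value

    def introspect(self, value):
        """Token validation, as the resource server calls it on every request."""
        tok = self._tokens.get(value)
        if tok is None or tok.expires_at < time.time():
            return None
        return tok


class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server

    def get_orders(self, bearer):
        tok = self.auth.introspect(bearer)
        if tok is None:
            return 401, "invalid_token"
        if "orders:read" not in tok.scopes:
            return 403, "insufficient_scope"
        return 200, f"orders for {tok.user} via {tok.app_id}"


def demo():
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    results = {}
    # Partner app: license allows orders:read and the user approves -> 200.
    tok = auth.authorize("partner-app-9", "alice", {"orders:read"}, user_approved=True)
    results["partner"] = rs.get_orders(tok)[0]
    # Free app asking for orders:read is refused by the license, not by the user.
    try:
        auth.authorize("mobile-app-1", "alice", {"orders:read"}, user_approved=True)
        results["free"] = "issued"
    except PermissionError:
        results["free"] = "license_denied"
    # A valid token without orders:read gets 403 on the orders resource.
    tok2 = auth.authorize("mobile-app-1", "alice", {"profile:read"}, user_approved=True)
    results["wrong_scope"] = rs.get_orders(tok2)[0]
    # An unknown bearer string gets 401.
    results["bogus"] = rs.get_orders("not-a-token")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point the deck makes ("OAuth is hard") shows even here: the authorization server has to own client provisioning, the approval step, token issue and expiry, and token validation, and the license check is a separate policy layered on top of the user's consent. Quota enforcement from the license is left to the rate-limiting layer.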

Message and Parameter Security
HTTP Parameter
•  http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
•  Protect API Keys with HMAC – Hash-based Message Authentication Code
Message Security
•  Implement HTTPS
•  For XML payloads encrypt specific parts of the message
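The URL on the slide sends app_key in the clear, so anyone who logs or proxies the request owns the key. What "protect API keys with HMAC" means in practice is shown below in Python; this is an added example, not code from the deck or from SOA Software. The client signs the method, path and query parameters with the app secret and sends only app_id, a timestamp and the signature; the gateway recomputes the MAC from its own copy of the secret. The APP_SECRETS store, the CLOCK_SKEW window and the canonical-string layout are constructed assumptions.

```python
"""Added example (not from the deck or SOA Software): the request from the
slide signed with an HMAC instead of carrying app_key in the clear. The secret
store, the clock-skew window and the canonical-string layout are constructed."""
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed: the gateway holds each app's secret; the client signs with it
# but never transmits it.
APP_SECRETS = {"myid": b"constructed-shared-secret-for-myid"}
CLOCK_SKEW = 300  # seconds a timestamp may differ before the request is stale


def canonical_string(method, path, params):
    """Deterministic text the MAC covers: method, path and sorted query pairs."""
    ordered = urlencode(sorted((k, v) for k, v in params if k != "sig"))
    return f"{method.upper()}\n{path}\n{ordered}"


def sign_request(app_id, secret, method, url, params=(), now=None):
    """Client side: append app_id, a timestamp and the HMAC-SHA256 signature."""
    parts = urlsplit(url)
    ts = str(int(time.time() if now is None else now))
    items = list(params) + [("app_id", app_id), ("ts", ts)]
    mac = hmac.new(secret, canonical_string(method, parts.path, items).encode(), hashlib.sha256)
    items.append(("sig", mac.hexdigest()))
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(items)}"


def verify_request(method, url, now=None):
    """Gateway side: recompute the MAC; reject stale or altered requests."""
    parts = urlsplit(url)
    items = parse_qsl(parts.query, keep_blank_values=True)
    q = dict(items)
    secret = APP_SECRETS.get(q.get("app_id", ""))
    if secret is None or "sig" not in q or "ts" not in q:
        return False, "missing credentials"
    try:
        ts = int(q["ts"])
    except ValueError:
        return False, "bad timestamp"
    if abs((time.time() if now is None else now) - ts) > CLOCK_SKEW:
        return False, "stale request"
    expected = hmac.new(secret, canonical_string(method, parts.path, items).encode(),
                        hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a wrong signature does not leak
    # how many leading characters matched.
    if not hmac.compare_digest(expected, q["sig"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    signed = sign_request("myid", APP_SECRETS["myid"], "GET",
                          "http://apis.foo.com/resources/sample/foo", [("q", "hello world")])
    print(signed)
    print(verify_request("GET", signed))
```

Two caveats belong with this pattern. The timestamp only bounds replay to the skew window; a gateway that must reject replays outright also records a per-request nonce. And the MAC gives key protection and request integrity, not confidentiality, which is why the next bullet still says "Implement HTTPS".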

Threat Protection
•  Denial of Service
•  Injection Attacks
   –  Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
•  Cross Site Scripting
•  Network address and range blacklists/whitelists
•  HTTP Parameter Stuffing

Content Filtering
•  Provide a content firewall, protecting against malicious content
•  Validate message content including message headers, form and query parameters, XML and JSON data structures
•  Policies for XML and JSON DoS
•  Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines

Quota Management / Rate Limiting
Restrict the number of calls an App can make
Apply controls based on context, affinity, segmentation etc.
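"Context, affinity, segmentation" becomes concrete once the limit is keyed on more than the app. The Python below is an added example, not code from the deck or from SOA Software: a token-bucket limiter keyed by (app, operation context) whose limits come from a per-license-tier table, with an injectable clock so the refill behaviour can be checked deterministically. The LIMITS table, the APP_TIER mapping and the FakeClock helper are constructed.

```python
"""Added example (not from the deck or SOA Software): a token-bucket rate
limiter keyed by app and context, with limits segmented by license tier.
Tiers, apps and limit values are constructed for illustration."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    rate_per_sec: float  # steady-state calls per second (refill rate)
    burst: int           # bucket capacity (calls allowed back-to-back)


# Constructed segmentation: limits differ by license tier and by operation.
LIMITS = {
    ("free", "read"): Limit(1.0, 5),
    ("free", "write"): Limit(0.2, 1),
    ("partner", "read"): Limit(50.0, 200),
    ("partner", "write"): Limit(10.0, 20),
}
APP_TIER = {"mobile-app-1": "free", "partner-app-9": "partner"}  # constructed


class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._buckets = {}  # (app_id, context) -> (tokens, last_refill_time)

    def _limit_for(self, app_id, context):
        tier = APP_TIER.get(app_id, "free")  # unknown apps get the tightest tier
        return LIMITS[(tier, context)]

    def allow(self, app_id, context):
        """Return (allowed, retry_after_seconds) for one call."""
        lim = self._limit_for(app_id, context)
        now = self.clock()
        tokens, last = self._buckets.get((app_id, context), (lim.burst, now))
        # Refill proportionally to elapsed time, never above the burst size.
        tokens = min(lim.burst, tokens + (now - last) * lim.rate_per_sec)
        if tokens >= 1:
            self._buckets[(app_id, context)] = (tokens - 1, now)
            return True, 0.0
        self._buckets[(app_id, context)] = (tokens, now)
        return False, (1 - tokens) / lim.rate_per_sec


class FakeClock:
    """Constructed test clock so the demo does not depend on wall time."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, dt):
        self.t += dt


def demo():
    clock = FakeClock()
    rl = RateLimiter(clock)
    results = {}
    # Free tier: a burst of 5 reads is allowed, the 6th is refused.
    results["free_burst"] = [rl.allow("mobile-app-1", "read")[0] for _ in range(6)]
    # One second later at 1 call/s, exactly one more read is available.
    clock.advance(1.0)
    results["free_after_1s"] = [rl.allow("mobile-app-1", "read")[0] for _ in range(2)]
    # Same app, different context: the write bucket is independent and smaller.
    results["free_write"] = [rl.allow("mobile-app-1", "write")[0] for _ in range(2)]
    # The partner tier is unaffected by the free app exhausting its bucket.
    results["partner"] = rl.allow("partner-app-9", "read")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The retry_after value is what a gateway would surface in a 429 response; the bucket key is where affinity (per user, per device, per region) is added without changing the algorithm.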

API Gateway
Gateway capabilities:
•  Security: Authentication, Protection, IAM Integration, Encryption
•  Mediation
•  Quality of Service
•  Paging/Caching
•  Orchestration
•  Scripting

API Resources and API University
•  Resource Center
   –  http://resource.soa.com/
•  Webinar Recording
   –  http://resource.soa.com/resource/webinars
•  Follow us on:
   www.facebook.com/soasoftware
   www.linkedin.com/company/soasoftware
   @soasoftwareinc

Questions
•  @sachinagarwal
CIS14: Protecting Your APIs from Threats and Hacks

  • 11. The API Lifecycle: Transform & Secure; Publish; Monetize; Dev. Adoption. Diagram labels: API; SOAP to REST; Mobile Optimization; OAuth; Mediation; Analytics; API Documentation; Applications and Services; Apps; API Producers; API Consumers.
  • 12. API Security: 1 Authentication & Authorization; 2 App Key Validation/Licensing; 3 Message Security; 4 Threat Protection; 5 Content Filtering; 6 Rate Limiting. Developers.
  • 13. Authentication/Authorization/SSO: Control and restrict access to your APIs. Make it easy yet secure.
  • 14. Understanding OAuth: OAuth lets a person delegate constrained access from one app to another. Roles: User (Resource Owner); Client App; Resource Server.
  • 15. OAuth Flow (diagram).
  • 16. OAuth – You need: OAuth Clients; Provisioning; Approval Flow; OAuth Server; Identity Integration; Token Validation; Token Issue/Refresh; Token Mediation (SAML, LDAP etc.); QoS, Monitoring; Policy Management; API Proxying; Reporting; Analytics. OAuth is hard and complicated.
  • 17. Licensing: Package your APIs in different ways. Use API keys to restrict what the App can access. The licenses control: OAuth Authorization Scopes; Document visibility; Quota policies.
  • 18. Message and Parameter Security. HTTP Parameter: http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey; protect API keys with HMAC (Hash-based Message Authentication Code). Message Security: Implement HTTPS; for XML payloads encrypt specific parts of the message.
  • 19. Threat Protection: Denial of Service; Injection Attacks (detect and prevent SQL, JavaScript or XPath/XQuery injection attacks); Cross Site Scripting; Network address and range blacklists/whitelists; HTTP Parameter Stuffing.
  • 20. Content Filtering: Provide a content firewall, protecting against malicious content. Validate message content including message headers, form and query parameters, XML and JSON data structures. Policies for XML and JSON DoS. Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines.
  • 21. Quota Management/Rate Limiting: Restrict the number of calls an App can make. Apply controls based on context, affinity, segmentation etc.
  • 22. API Gateway. Gateway: Security; Authentication; Protection; IAM Integration; Encryption; Mediation; Quality of Service; Paging/Caching; Orchestration; Scripting.
  • 23. API Resources and API University: Resource Center – http://resource.soa.com/; Webinar Recording – http://resource.soa.com/resource/webinars; Follow us on: www.facebook.com/soasoftware, www.linkedin.com/company/soasoftware, @soasoftwareinc.
  • 24. Questions: @sachinagarwal.
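Slide 18 recommends protecting API keys with HMAC instead of sending app_key as a query parameter. The following is an added example, not code from the deck or from SOA Software: the client signs the request with its key and the gateway recomputes the signature, also checking a timestamp and a single-use nonce so a captured request cannot simply be replayed. The APP_KEYS registry, the sample credentials and the canonical-string layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed registry of app credentials (an assumption, not from the deck):
# app_id is public, app_key is shared only with the developer and the gateway.
APP_KEYS = {"myid": b"mykey-constructed-sample-secret"}
SKEW_SECONDS = 300  # reject requests stamped more than 5 minutes from gateway time

def canonical_string(method, path, params):
    # Both sides hash the same bytes: method, path and the sorted query string.
    return f"{method.upper()}\n{path}\n{urlencode(sorted(params.items()))}"

def sign_request(app_id, app_key, method, path, params, ts=None, nonce=None):
    """Client side: attach app_id, timestamp and nonce, then a hex HMAC-SHA256 over
    the canonical string. The app_key itself never goes on the wire."""
    signed = dict(params, app_id=app_id)
    signed["ts"] = str(ts if ts is not None else int(time.time()))
    signed["nonce"] = nonce or secrets.token_hex(8)
    signed["sig"] = hmac.new(app_key, canonical_string(method, path, signed).encode(),
                             hashlib.sha256).hexdigest()
    return signed

def verify_request(method, path, params, seen_nonces, now=None):
    """Gateway side: look up the key for app_id, recompute the HMAC and enforce
    freshness and single use of the nonce. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        app_id, ts = params["app_id"], int(params["ts"])
        nonce, sig = params["nonce"], params["sig"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth parameters"
    app_key = APP_KEYS.get(app_id)
    if app_key is None:
        return False, "unknown app_id"
    if abs(now - ts) > SKEW_SECONDS:
        return False, "timestamp outside allowed skew"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    unsigned = {k: v for k, v in params.items() if k != "sig"}
    expected = hmac.new(app_key, canonical_string(method, path, unsigned).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"
```

In production the seen-nonce set needs to be bounded to the skew window and shared across gateway instances, and the signed request must still travel over HTTPS as slide 18 states, since HMAC protects the key and integrity but not confidentiality of the payload.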
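Slide 20's content-filtering policies for JSON structures and JSON DoS, as an added example that is not part of the deck: a gateway-side check that enforces byte-size, nesting-depth, array-length, string-length and member-count limits and rejects duplicate keys (the JSON form of the parameter stuffing named on slide 19) before a body is forwarded to the backend. The POLICY limits are constructed values.

```python
import json

# Constructed policy limits (an assumption, not values from the deck); a gateway
# would load these from its content-filtering policy.
POLICY = {"max_bytes": 64 * 1024, "max_depth": 20, "max_array_items": 1000, "max_string_len": 4096, "max_keys": 256}

class PolicyViolation(Exception):
    pass

def _no_duplicate_keys(pairs):
    # json.loads hook: reject duplicate members, a parameter-stuffing vector when two parsers disagree on which wins.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise PolicyViolation(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def _walk(node, depth, policy):
    # Recursive structural check; the top-level value is depth 1.
    if depth > policy["max_depth"]:
        raise PolicyViolation(f"nesting depth exceeds {policy['max_depth']}")
    if isinstance(node, dict):
        if len(node) > policy["max_keys"]:
            raise PolicyViolation("too many object members")
        for key, value in node.items():
            if len(key) > policy["max_string_len"]:
                raise PolicyViolation("key too long")
            _walk(value, depth + 1, policy)
    elif isinstance(node, list):
        if len(node) > policy["max_array_items"]:
            raise PolicyViolation("array too long")
        for value in node:
            _walk(value, depth + 1, policy)
    elif isinstance(node, str) and len(node) > policy["max_string_len"]:
        raise PolicyViolation("string too long")

def check_json_body(raw, policy=POLICY):
    """Return (accepted, reason); the size check runs before parsing so an oversized body is never decoded."""
    if len(raw) > policy["max_bytes"]:
        return False, "body exceeds size limit"
    try:
        doc = json.loads(raw, object_pairs_hook=_no_duplicate_keys)
        _walk(doc, 1, policy)
    except PolicyViolation as exc:
        return False, str(exc)
    except (ValueError, RecursionError) as exc:
        return False, f"unparseable JSON: {exc}"
    return True, "ok"
```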