CIS14: Protecting Your APIs from Threats and Hacks
1. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal
@sachinagarwal
2. What is an API?
Your Application → Your API → Your Customers
3. APIs – Extend the Reach of your Business
5. Client-Server / Web Applications
• No programmatic access
• Security through network isolation
• Limited users
Access locations and variability of operations were limited.
6. Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, certificate based, PKI, WS-Trust
• Some B2B and partner applications
• Complex, but quite secure and flexible
7. And then came APIs
Disrupting how and where information is accessed
• Mobile and social apps don't understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
8. Realizing End-to-End Security
Managing the User Experience
Securing the App - PII, PHI
Enabling Easy Developer Access
Securing the Channel
Securing the Backend
9. Understanding the Security Landscape
API Specific Security:
• Protocol specific threats
• Key Management
• OAuth
• Monitoring
• Licensing
• Security Token Mediation
Single Sign On, MDM
ATP, Firewall, VPN etc.
11. The API Lifecycle
Transform & Secure → Publish → Monetize → Dev. Adoption
API: SOAP to REST, Mobile-Optimization, OAuth, Mediation, Analytics, API Documentation
Applications and Services (API Producers) ↔ Apps (API Consumers)
12. API Security
1 Authentication & Authorization
2 App Key Validation / Licensing
3 Message Security
4 Threat Protection
5 Content Filtering
6 Rate Limiting
Developers
13. Authentication/Authorization/SSO
Control and restrict access to your APIs
Make it easy yet secure
14. Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
Roles: User (Resource Owner), Client App, Resource Server
16. OAuth – You need
• OAuth Clients
• Provisioning
• Approval Flow
• OAuth Server
• Identity Integration
• Token Validation
• Token Issue/refresh
• Token Mediation (SAML, LDAP etc)
• QoS, Monitoring
• Policy Management
• API Proxying
• Reporting
• Analytics
OAuth is hard and complicated
17. Licensing
Package your APIs in different ways
Use API keys to restrict what the App can access
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
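The OAuth roles (slide 14), the token issue/refresh/validation duties of the OAuth server (slide 16) and the licensing model in which an app's license caps the authorization scopes it may receive (this slide), as one added Python example. This is not code from the deck or from SOA Software: a toy authorization server issues bearer tokens whose scopes are the intersection of what the client asked for and what the app's license permits, and a resource server checks token validity, expiry and the scope its endpoint needs. The license table, scope names and endpoint paths are constructed for illustration.

```python
import secrets
import time

# Constructed license table (hypothetical data, not from the deck): each app
# id is bound to a license that caps the OAuth scopes it may ever receive.
LICENSES = {
    "mobile-app":  {"scopes": {"orders:read", "profile:read"}},
    "partner-app": {"scopes": {"orders:read", "orders:write"}},
}

# Which scope each protected resource requires (assumed endpoint names).
RESOURCE_SCOPES = {
    "/orders": "orders:read",
    "/orders/create": "orders:write",
}


class AuthorizationServer:
    """Issues, refreshes and validates bearer tokens.

    The granted scope is the intersection of the requested scopes and the
    app's license, so a license change takes effect at the next issue or
    refresh without the resource server having to know about licenses.
    """

    def __init__(self, access_ttl=3600, now=time.time):
        self.access_ttl = access_ttl
        self.now = now            # injectable clock so expiry can be tested
        self._access = {}         # access token -> grant record
        self._refresh = {}        # refresh token -> grant record

    def issue(self, app_id, user, requested_scopes):
        lic = LICENSES.get(app_id)
        if lic is None:
            raise PermissionError("unknown or unlicensed app: " + app_id)
        granted = set(requested_scopes) & lic["scopes"]
        if not granted:
            raise PermissionError("none of the requested scopes is licensed")
        record = {"app_id": app_id, "user": user, "scopes": granted,
                  "expires": self.now() + self.access_ttl}
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = record
        self._refresh[refresh] = record
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": self.access_ttl,
                "scope": " ".join(sorted(granted))}

    def refresh(self, refresh_token):
        # Refresh tokens are single-use; a replayed one yields nothing.
        # Re-issuing through issue() re-applies the current license.
        record = self._refresh.pop(refresh_token, None)
        if record is None:
            return None
        return self.issue(record["app_id"], record["user"], record["scopes"])

    def validate(self, access_token, required_scope):
        record = self._access.get(access_token)
        if record is None or record["expires"] <= self.now():
            return None
        if required_scope not in record["scopes"]:
            return None
        return record


def resource_server_handle(auth, request):
    """Resource server side: check the bearer token and the endpoint's scope."""
    needed = RESOURCE_SCOPES.get(request.get("path"))
    if needed is None:
        return 404, "no such resource"
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Bearer "):
        return 401, "missing bearer token"
    grant = auth.validate(header[len("Bearer "):], needed)
    if grant is None:
        return 403, "token invalid, expired, or lacking scope " + needed
    return 200, "ok for %s via %s" % (grant["user"], grant["app_id"])
```

The resource server never sees the license: it only asks the authorization server whether the token carries the scope its endpoint needs, which is what keeps licensing and quota decisions in one place.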
18. Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API keys with HMAC (Hash-based Message Authentication Code)
Message Security
• Implement HTTPS
• For XML payloads encrypt specific parts of the message
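The slide shows the app key travelling in the query string and says to protect it with HMAC. The added Python example below (not code from the deck or from SOA Software) shows what that means in practice: the client keeps its secret local and sends only its app_id, a timestamp and an HMAC-SHA256 signature over the method, path and sorted parameters; the server recomputes the signature, compares it in constant time and rejects stale timestamps. The APP_SECRETS store, the canonical-string layout and the 300-second replay window are assumptions for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed key store (hypothetical): app_id -> shared secret. The secret is
# known to the app and the API server only; it never appears in the URL.
APP_SECRETS = {"myid": b"constructed-secret-for-myid"}


def canonical_string(method, path, params, timestamp):
    """Deterministic serialisation both sides sign: method, path, sorted query, time."""
    query = urlencode(sorted((k, str(v)) for k, v in params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp)])


def sign_request(app_id, method, path, params, timestamp=None):
    """Client side: add app_id, ts and an HMAC-SHA256 signature; the secret stays local."""
    ts = int(time.time() if timestamp is None else timestamp)
    msg = canonical_string(method, path, params, ts).encode()
    sig = hmac.new(APP_SECRETS[app_id], msg, hashlib.sha256).hexdigest()
    return dict(params, app_id=app_id, ts=ts, sig=sig)


def verify_request(method, path, signed_params, now=None, max_skew=300):
    """Server side: recompute the HMAC over the received fields and compare in constant time."""
    params = dict(signed_params)
    try:
        app_id = params.pop("app_id")
        ts = int(params.pop("ts"))
        sig = str(params.pop("sig"))
    except (KeyError, ValueError):
        return False
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return False
    current = int(time.time() if now is None else now)
    if abs(current - ts) > max_skew:
        return False                      # outside the replay window
    expected = hmac.new(secret, canonical_string(method, path, params, ts).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

Because the method and path are part of the signed string, a captured signature cannot be reused against a different resource, and the timestamp bounds how long a captured request stays replayable; pair this with the HTTPS bullet above so the signed query string is not exposed in transit or in proxy logs.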
19. Threat Protection
• Denial of Service
• Injection Attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
20. Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures.
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
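The HTTP parameter stuffing bullet on slide 19 and the content-firewall and JSON DoS policies on this slide, as one added Python example (not code from the deck or from SOA Software): a small gateway filter that validates the query string against an allow-list with types, rejects parameters supplied more than once, caps the body size, and walks parsed JSON to enforce nesting depth and container width limits before anything reaches the backend. The limit values and the parameter schema are assumptions for illustration.

```python
import json
from urllib.parse import parse_qsl

# Policy limits (assumed values for illustration).
MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 20
MAX_CONTAINER_ITEMS = 1000
MAX_STRING_LENGTH = 4096


class RejectRequest(Exception):
    """Raised for any request the content firewall refuses to forward."""


def check_json_limits(node, depth=0):
    """Walk a parsed JSON document and enforce nesting/width limits (JSON DoS policy)."""
    if depth > MAX_JSON_DEPTH:
        raise RejectRequest("JSON nested deeper than %d levels" % MAX_JSON_DEPTH)
    if isinstance(node, dict):
        if len(node) > MAX_CONTAINER_ITEMS:
            raise RejectRequest("JSON object with too many members")
        for value in node.values():
            check_json_limits(value, depth + 1)
    elif isinstance(node, list):
        if len(node) > MAX_CONTAINER_ITEMS:
            raise RejectRequest("JSON array with too many elements")
        for value in node:
            check_json_limits(value, depth + 1)
    elif isinstance(node, str) and len(node) > MAX_STRING_LENGTH:
        raise RejectRequest("JSON string too long")


def check_query(query, schema):
    """Validate the query string against an allow-list of parameters and types.

    Repeated parameters (HTTP parameter stuffing) are rejected outright rather
    than silently taking the first or last value, because different layers of
    the stack may disagree about which copy wins.
    """
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in schema:
            raise RejectRequest("unexpected parameter: " + key)
        if key in seen:
            raise RejectRequest("parameter supplied more than once: " + key)
        if schema[key] is int:
            try:
                value = int(value)
            except ValueError:
                raise RejectRequest("parameter %s must be an integer" % key)
        elif len(value) > MAX_STRING_LENGTH:
            raise RejectRequest("parameter %s too long" % key)
        seen[key] = value
    return seen


def filter_request(query, body, schema):
    """Gateway entry point: returns (params, json_doc) or raises RejectRequest."""
    params = check_query(query, schema)
    doc = None
    if body:
        if len(body) > MAX_BODY_BYTES:          # size check before any parsing
            raise RejectRequest("body larger than %d bytes" % MAX_BODY_BYTES)
        try:
            doc = json.loads(body)
        except ValueError:                      # json.JSONDecodeError is a ValueError
            raise RejectRequest("body is not well-formed JSON")
        check_json_limits(doc)
    return params, doc


def rejection_reason(query, body, schema):
    """Convenience wrapper: the firewall's reason string, or None if accepted."""
    try:
        filter_request(query, body, schema)
    except RejectRequest as exc:
        return str(exc)
    return None
```

Checking the raw body length before parsing matters: the parser is the expensive step, so the size limit has to run first to be worth anything against a DoS payload.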
21. Quota Management/Rate Limiting
Restrict the number of calls an App can make
Apply controls based on context, affinity, segmentation etc.
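The two lines above, as an added Python example (not code from the deck or from SOA Software): a token-bucket limiter that applies quotas at two levels of context, per app key and per (app, user) pair, and only consumes tokens when every applicable bucket admits the call, so a rejected request never drains a quota. The policy numbers and the policy dictionary shape are assumptions for illustration.

```python
import time

# Constructed policies (hypothetical numbers): rate in calls/second, burst size.
POLICIES = {
    "mobile-app":  {"user": (1.0, 2), "app": (10.0, 3)},
    "partner-app": {"user": (5.0, 20), "app": (50.0, 100)},
}


class RateLimiter:
    """Token-bucket quotas enforced per app key and per (app, user).

    Each bucket holds up to `burst` tokens and refills at `rate` tokens per
    second. A call is admitted only if every applicable bucket has a token,
    and tokens are consumed only then.
    """

    def __init__(self, policies, now=time.monotonic):
        self.policies = policies          # app_id -> {"app": (rate, burst), "user": (rate, burst)}
        self.now = now                    # injectable clock for testing
        self._buckets = {}                # key -> (tokens, last_update)

    def _available(self, key, rate, burst, t):
        # Lazily refill: credit the tokens earned since the last update, capped at burst.
        tokens, last = self._buckets.get(key, (float(burst), t))
        return min(float(burst), tokens + (t - last) * rate)

    def decide(self, app_id, user):
        """Return (allowed, reason). The tighter per-user bucket is checked first."""
        policy = self.policies.get(app_id)
        if policy is None:
            return False, "unlicensed app"
        t = self.now()
        checks = [("user", (app_id, user), policy["user"]),
                  ("app", (app_id,), policy["app"])]
        passed = []
        for level, key, (rate, burst) in checks:
            tokens = self._available(key, rate, burst, t)
            if tokens < 1.0:
                self._buckets[key] = (tokens, t)
                return False, "%s quota exceeded" % level
            passed.append((key, tokens))
        for key, tokens in passed:        # commit only once every level has passed
            self._buckets[key] = (tokens - 1.0, t)
        return True, "ok"
```

Keying buckets on (app, user) as well as on the app alone is the "context" the slide refers to: a single misbehaving user of a well-behaved app is throttled without the app's other users losing service, while the app-level bucket still protects the backend from the aggregate.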
22. API Gateway
Gateway: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
23. API Resources and API University
• Resource Center
– http://resource.soa.com/
• Webinar Recording
– http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc