Se ha denunciado esta presentación.
Se está descargando tu SlideShare. ×

Adding layers of security to an API in real-time

19 de dic de 2018
3 recomendaciones 403 visualizaciones
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Próximo SlideShare
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
Cargando en…3
×

Eche un vistazo a continuación

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
Mike Schwartz
Gravitee.io
Knoldus Inc.
Best Practices for API Security
MuleSoft
Building better security for your API platform using Azure API Management
Eldert Grootenboer
Security in mulesoft
akshay yeluru
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays
Identiverse - Microservices Security
Bertrand Carlier
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays
1 de 9 Anuncio

Adding layers of security to an API in real-time

19 de dic de 2018
3 recomendaciones 403 visualizaciones
Software

A workshop presented at APIdays Paris.

A workshop presented at APIdays Paris.

Software
Anuncio

Recomendado

Leveraging open banking specifications for rigorous API security – What’s in...
Rogue Wave Software
424 vistas
16 diapositivas
Securing APIs with oAuth2
Michae Blakeney
104 vistas
13 diapositivas
API Security In Cloud Native Era
WSO2
534 vistas
40 diapositivas
OWASP ASVS 3 - What's new for level 1?
Boy Baukema
771 vistas
38 diapositivas
Protecting APIs from Mobile Threats- Beyond Oauth
Apigee | Google Cloud
733 vistas
17 diapositivas
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
158 vistas
56 diapositivas
Introduction to stable proxies.
stableproxies
216 vistas
22 diapositivas
Security components in mule esb
himajareddys
594 vistas
7 diapositivas
Anuncio

Más Contenido Relacionado

Presentaciones para usted (20)

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
Mike Schwartz
2.8k vistas
Gravitee.io
Knoldus Inc.
138 vistas
Best Practices for API Security
MuleSoft
10.4k vistas
Building better security for your API platform using Azure API Management
Eldert Grootenboer
119 vistas
Security in mulesoft
akshay yeluru
168 vistas
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays
65 vistas
Identiverse - Microservices Security
Bertrand Carlier
1.7k vistas
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays
179 vistas
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays
47 vistas
Advanced API Security Patterns
42Crunch
750 vistas
Financial Grade OAuth & OpenID Connect
Nat Sakimura
3.5k vistas
Managing Identities in the World of APIs
Apigee | Google Cloud
1.1k vistas
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Mike Schwartz
2.6k vistas
API IN(SECURITY)
OWASP Khartoum
246 vistas
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
830 vistas
apidays LIVE Paris - Data Gateways: building “Data-as-a-Service” for the Hybr...
apidays
50 vistas
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
12.2k vistas
Building APIs in a Cloud Native Era
Nuwan Dias
197 vistas
Cryptzone: The Software-Defined Perimeter
Cryptzone
436 vistas
API Security using Mulesoft
Pritam Prakash
403 vistas
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
Mike Schwartz
2.8k vistas
12 diapositivas
Gravitee.io
Knoldus Inc.
138 vistas
16 diapositivas
Best Practices for API Security
MuleSoft
10.4k vistas
31 diapositivas
Building better security for your API platform using Azure API Management
Eldert Grootenboer
119 vistas
26 diapositivas
Security in mulesoft
akshay yeluru
168 vistas
7 diapositivas
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays
65 vistas
22 diapositivas

Similares a Adding layers of security to an API in real-time (20)

Best Practices for API Security
Bui Kiet
128 vistas
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
1.3k vistas
apidays LIVE Singapore - Novel approaches in API security by Dr Tal Steinherz...
apidays
541 vistas
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
APIsecure_ Official
10 vistas
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
127 vistas
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
412 vistas
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
2.1k vistas
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
apidays
101 vistas
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
184 vistas
[WSO2 Integration Summit London 2019] Identity and Access Management in an AP...
WSO2
207 vistas
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
46.2k vistas
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
apidays
712 vistas
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays
29 vistas
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
CA API Management
1.8k vistas
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
5.8k vistas
Virtual Meetup - API Security Best Practices
Jimmy Attia
454 vistas
Catalyst 2015: Patrick Harding
Ping Identity
1.7k vistas
Enhancing your Security APIs
Apigee | Google Cloud
997 vistas
Managing Sensitive Information in an API and Microservices World
Apigee | Google Cloud
5.8k vistas
attacks-oauth-secure-oauth-implementation-33644.pdf
MohitRampal5
5 vistas
Best Practices for API Security
Bui Kiet
128 vistas
31 diapositivas
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
1.3k vistas
50 diapositivas
apidays LIVE Singapore - Novel approaches in API security by Dr Tal Steinherz...
apidays
541 vistas
25 diapositivas
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
APIsecure_ Official
10 vistas
34 diapositivas
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
127 vistas
34 diapositivas
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
412 vistas
39 diapositivas
Anuncio

Más de Rogue Wave Software (20)

The Global Influence of Open Banking, API Security, and an Open Data Perspective
Rogue Wave Software
1.1k vistas
No liftoff, touchdown, or heartbeat shall miss because of a software failure
Rogue Wave Software
224 vistas
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Rogue Wave Software
261 vistas
Getting the most from your API management platform: A case study
Rogue Wave Software
203 vistas
Advanced technologies and techniques for debugging HPC applications
Rogue Wave Software
307 vistas
The forgotten route: Making Apache Camel work for you
Rogue Wave Software
1.8k vistas
Are open source and embedded software development on a collision course?
Rogue Wave Software
145 vistas
Three big mistakes with APIs and microservices
Rogue Wave Software
223 vistas
5 strategies for enterprise cloud infrastructure success
Rogue Wave Software
114 vistas
PSD2 & Open Banking: How to go from standards to implementation and compliance
Rogue Wave Software
366 vistas
Java 10 and beyond: Keeping up with the language and planning for the future
Rogue Wave Software
193 vistas
How to keep developers happy and lawyers calm (Presented at ESC Boston)
Rogue Wave Software
135 vistas
Open source applied - Real world use cases (Presented at Open Source 101)
Rogue Wave Software
278 vistas
How to migrate SourcePro apps from Solaris to Linux
Rogue Wave Software
665 vistas
Approaches to debugging mixed-language HPC apps
Rogue Wave Software
130 vistas
Enterprise Linux: Justify your migration from Red Hat to CentOS
Rogue Wave Software
712 vistas
Walk through an enterprise Linux migration
Rogue Wave Software
631 vistas
How to keep developers happy and lawyers calm
Rogue Wave Software
114 vistas
Open source and embedded software development
Rogue Wave Software
274 vistas
Open source software: The infrastructure impact
Rogue Wave Software
580 vistas
The Global Influence of Open Banking, API Security, and an Open Data Perspective
Rogue Wave Software
1.1k vistas
44 diapositivas
No liftoff, touchdown, or heartbeat shall miss because of a software failure
Rogue Wave Software
224 vistas
31 diapositivas
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Rogue Wave Software
261 vistas
25 diapositivas
Getting the most from your API management platform: A case study
Rogue Wave Software
203 vistas
25 diapositivas
Advanced technologies and techniques for debugging HPC applications
Rogue Wave Software
307 vistas
27 diapositivas
The forgotten route: Making Apache Camel work for you
Rogue Wave Software
1.8k vistas
41 diapositivas

Más reciente (20)

Lamia Belguesmi
LamiaBelguesmi
3 vistas
Sprinkle your Devops platform with product thinking.pdf
Javier Turégano Molina
0 vistas
.NET Intro & Dependency Injection Workshop
Serhii Kokhan
5 vistas
Secure your Config with Key Vault for .NET Core API
Lakshman S
10 vistas
Enterprise Serverless Adoption. An Experience Report
SheenBrisals
34 vistas
Fortinet_ProductGuide_NOV2021_R127.pdf
AlonzoJames2
0 vistas
Borland_intro_v5_csc.pptx
ssuser9e9be71
0 vistas
LECTURE 1 OF SOFTWARE CONSTRUCTION.ppt
Tik Tok
4 vistas
Lesson_08_Continuous_Monitoring.pdf
Minh Quân Đoàn
0 vistas
Extending Security to EVERY Edge
itnewsafrica
0 vistas
You Don't Know Javascript
Vikas Prabhu
0 vistas
Best Practices - Oracle-BIP.pptx
AdityaDas899782
2 vistas
Software presentation
AfreenJunejo
2 vistas
02.pptx
Maryam522887
3 vistas
Functions in C.pptx
KarthikSivagnanam2
0 vistas
Agility in large transformation programs_Yashasre_Barve_AI2023.pdf
Yashasree Barve
4 vistas
lecture-sql.ppt
JackpeterNdati
0 vistas
Software_presentation.pptx
khadijakhan546647
0 vistas
What are the Stages of Contract Lifecycle Management
Sirion Labs
0 vistas
Application Software.ppt
SyamsAkbar1
0 vistas
Lamia Belguesmi
LamiaBelguesmi
3 vistas
2 diapositivas
Sprinkle your Devops platform with product thinking.pdf
Javier Turégano Molina
0 vistas
36 diapositivas
.NET Intro & Dependency Injection Workshop
Serhii Kokhan
5 vistas
16 diapositivas
Secure your Config with Key Vault for .NET Core API
Lakshman S
10 vistas
7 diapositivas
Enterprise Serverless Adoption. An Experience Report
SheenBrisals
34 vistas
100 diapositivas
Fortinet_ProductGuide_NOV2021_R127.pdf
AlonzoJames2
0 vistas
248 diapositivas
Anuncio

Adding layers of security to an API in real-time

  1. 1. 1© 2018 Rogue Wave Software, Inc. All Rights Reserved.
  2. 2. 2© 2018 Rogue Wave Software, Inc. All Rights Reserved. API Security Layers Transport layer Client authentication and authorization Content security
  3. 3. 3© 2018 Rogue Wave Software, Inc. All Rights Reserved. In summary… • mTLS: ensures client authenticity • OAuth: ensures client authorization • JWT: ensures message integrity, confidentiality, and non-repudiation. Ensure that each request is coming from a trusted source
  4. 4. 5© 2018 Rogue Wave Software, Inc. All Rights Reserved. Add layers of security to an API - let’s see it for real!
  5. 5. 6© 2018 Rogue Wave Software, Inc. All Rights Reserved. Demo overview • API: open banking Accounts-and-Transactions – Apply mutual TLS – Apply Oauth2.0 – Apply JOSE Security / Open Banking security – Apply additional message security
  6. 6. 7© 2018 Rogue Wave Software, Inc. All Rights Reserved. Additional security aspects to consider • MFA (SCA) User authentication: can we trust the user? • Injection • Cross-site scripting • Request overload • … Can we trust what the user is doing?
  7. 7. 8© 2018 Rogue Wave Software, Inc. All Rights Reserved. Conclusion API security: There’s quite a lot to it …but there’s useful specifications to help you out. Implementing security standards is far from trivial …don’t do it yourself …excellent tools in the market to help you
  8. 8. 9© 2018 Rogue Wave Software, Inc. All Rights Reserved.
  9. 9. 10© 2018 Rogue Wave Software, Inc. All Rights Reserved.

Notas del editor

  • OAuth2.0 icon: jlabusch.github.io/oauth2-server

    “End-to-end trust”

    mTLS:
    OAuth: client has to provide a token (called access token) that again serves as proof of the client’s identity. So first of all, that access token helps to determine whether this particular client is allowed access to the API at all. In addition, more fine-grained authorization may be in place, allowing one client to access an API resource whereas another client is denied that access. (with open banking: Payment APIs accessible to “payment clients”, and Account APIs accessible to “account clients”.

    OAuth: security that pertains to the relationship between a particular client and a particular API version.

    So now you know that whatever message you are receiving, it is actually coming from that particular consumer (and may have been consented by the resource owner). Still, you’d like to have some proof that a particular message is actually coming from that sender (client). Hence, signing the message. In particular relevant when it comes to non-repudiation (and also for ‘future reference’ – the message may be stored in its tokenized form, for audit purposes).

    Once received by the API, the message may be decoded and sent to the downstream system that it’s meant for. Or the message may be forwarded in its encoded form. Or it may be decoded and encoded again – using a very different technology perhaps (greatly depends on what the downstream system can handle).

    And, by the way, the whole story may repeat itself on the way back.

    NOTE that by having the client sign the JWT with its certificate, you explicitly associate that client with that certificate (which is on a more ‘profound’ level than doing so just on the transport level??)

    So full-blown, it COULD look like this:
    A client establishes a mTLS-secured connection with an AS to request an access token (and, possibly, an ID token);
    Alternatively, the client may use a JWT assertion for authentication purposes;
    If using JWT access tokens, the client will receive a JWS that is signed by the AS; the client can verify the JWT using the public key;
    The client may then proceed to establish a mTLS-secured connection with the API endpoint. It may use the same client cert, or a distinct one;
    The client forwards the access token (JWS) to the API gateway, typically in the request Authorization header. The gateway validates the token (public key) and authorizes the client (yes, this client may access this API resource)]
    The request sent by the client contains another header that contains another JWS/JWE, which represents the signed request payload. This JWT may have been signed by the client cert used to establishe the TLS connection – or yet another one.
    The API gateway validates the incoming JWS and, if ok, accepts the request. So, all in all, several private/public keys may be used, and multiple JWT may come into play (ID token, access token, message payload).







  • Good as it all is – we’re not quite there yet.

    Even though the client may be acknowledged as a trusted one, and even though we are certain that the received message is coming from that client (as proven through the JWT signature) – we can never be sure of the intentions of the user. Even a signed and encrypted message may contain malicious content, for example. So that’s yet another thing that needs to be validated.

×