SlideShare una empresa de Scribd logo
1 de 29
Descargar para leer sin conexión
Agile API Security
Apigee
@apigee
Subra Kumaraswamy
@subrak
youtube.com/apigee
slideshare.net/apigee
@Subrak	
  
Subra	
  Kumaraswamy
Agenda
•  Why Agile Security matters
•  Agile API Security enablers and approaches
•  Key takeaways
•  Q&A
Why Agile security?
6
Developer
Agility
Security
Risks
API security stakeholders
7
Product Manager
How can I release features
with built-in security?
How I can reduce the release
cycle?
Business owner
How to reduce risk while
expanding API exposure?
How to meet compliance?
Ops
How do I enforce consistent
security policy across APIs?
What controls I have to
mitigate attacks like DoS?
App Developer
What options I have to secure
data in rest and transit?
How to I enable Social login?
How can I manage and
revoke keys?
Have implemented layers of security to protect crown jewels..
Security layers – good enough?
That’s not enough, need security, with flexibility
9
A new approach is required
Agile API security
11
API First Architecture with built-in Security
Data Security governance
Security for API exposure
Security for consumption (Apps)
Secure and Agile SDLC
Threat
Assessment
Secure
Coding Testing Verification
API-first architecture
API Tier
All Apps
Analytics
App
Servers
ESB
Social
Apps
Web
Apps
Mobile
Apps
Backend
Services
OrchestrationPersistence Security
Internet
Consistent security
policies & access
control
(Exposure)
Flexible security for
Apps
(Consumption)
Developers
IT security architect
API security architecture
Policy Store
 Log Store
API Security
Authentication

Authorization

Traffic

Management
Logging &
Auditing
Identity for API Management
User Management
RBAC
Management
Policy
Management
Certificate
Management
Keys/Token
Management
Threat Protection
TLS
 DDoS
Rate Limiting &
Quota
Payload Protection
 Analytics
Compliance (SOC 2, PCI DSS, HIPAA)
Developers
Apps
IT Security /
Architect
Key Store
Policy 

Enforcement
Identity landscape in the API world
15
þ  API First Architecture with Security
Data Security governance
Security for API exposure
Security for consumption (Apps)
Secure and Agile SDLC
Threat
Assessment
Secure
Coding Testing Verification
Agile API security
Security Design
Agile SDLC – Focus on automation
Threat
Assessment
Secure
Coding
Testing Verification
API Threat
Modeling
Secure Coding
Practices
Static Analysis
Security
Unit Testing
Dynamic Analysis
Secure Development Training
Black Box
Pen Testing
Continuous
Security
Monitoring
•  API product centric
•  Aligned with Epic and
stories
•  Integrated into Development using Maven and Jenkin
plugins
•  Vulnerabilities prioritized based in criticality and threat
model requirements
•  Blackbox testing aligned
with major release
•  Monitoring of API to
verify policies
•  What categories of developers or applications do you have?
–  internal developers
–  partners (at various service levels)
–  public developers (open adoption)
•  What APIs should each class of developers or applications have
access to?
•  What Authentication and Authorization schemes are supported by
Apps to consume APIs?
•  What type of data is exposed via API?
•  What threats do you want protect against?
API Product security design considerations
API threats
•  Spoofing of identity
•  Denial of service
•  Network eavesdropping (App-to-API)
•  Replay attacks
•  Unauthorized access to management system and configuration data
•  Man-in-the-middle attacks
•  Velocity attack using legitimate API keys
•  Elevation of privilege by applications and developers
•  Disclosure of confidential data stored and processed in mobile, API, and
backend services
•  Theft of credentials, API keys, tokens, or encryption keys
19
þ  API First Architecture with Security
Data Security Governance
Security for API exposure
Security for consumption (Apps)
þ  Secure and Agile SDLC
Threat
Assessment
Secure
Coding Testing Verification
Agile API security
Centralize API security for exposure
2
Backend
Service
Authentication & Authorization
Identity Services
(IdP)
Logging & Auditing
Security Analytics
Authentication &
Authorization
Secure API Exposure
TLS
Apps
Security & Identity"
Capabilities
21
API exposure – security checklist
API Security
API Developer Security
þ Authentication & SSO (SAML, OAuth)
þ API Management Roles (RBAC)
þ Internal Vs External Developer
þ Data Masking
þ Logging and auditing
Governance & Compliance
þ Policy Enforcement
þ PCI/HIPAA Compliance
API (Backend) Security
þ Secure communication (TLS – 1 way or 2 way)
þ Authentication (TLS, OAuth, SAML)
þ Versioning
þ Integration with Enterprise identity providers
þ Logging and auditing
Analytics
þ Run time detection reports (Volume based, Traffic properties)
22
þ  API First Architecture with Security
Data Security Governance
þ  Security for API exposure
Security for Consumption (Apps)
þ  Secure and Agile SDLC
Threat
Assessment
Secure
Coding Testing Verification
Agile API security
Standardize App security for consumption
Security & Identity"
Capabilities
Threat Protection
Application Security
Security for Consumption
Authentication &
Authorization
TLS
Developers
Backend
Services
Apps
24
API consumption – security checklist
API Security
App Developer Security
þ Developer Key Management (Workflow,
Governance)
þ Developer provisioning
þ Authentication & SSO (SAML, OAuth)
þ Internal Vs External Developer
þ Developer permission (RBAC)
App Security
þ Secure communication (TLS – 1 way or 2 way)
– Mobile Vs Partner
þ Authentication (OAuth patterns)
þ API key with Product Scope
þ Quota Enforcement
þ IP Based Whitelist/Blacklist
Threat Protection
þ XML/JSON Poisoning/Injection
þ SQL Injection
þ DDoS/App-DoS Attacks
þ Spike Arrest
25
þ  API First Architecture with Security
Data Security Focused – API Products
þ  Security for API exposure
þ  Security for App Standardized
þ  Secure and Agile SDLC
Threat
Assessment
Secure
Coding Testing Verification
Agile API security
26
•  Organize your APIs as API products for fine granular data security management
•  Central mechanism for authorization and access control to your APIs
•  API products with Key and OAuth Scope protects your API
•  Protect payload data using encryption, hashing and secure key management
•  Improve API agility by aligning Secure SDLC with data security sensitivity
API data security
Key takeaways
27
þ  Practice API First Architecture for
security with flexibility
þ  Use API Products to enable tiered
security
þ  Centralize your API security for
consistent policy enforcement
þ  Standardize App security across
channels for frictionless user experience
þ  Implement SDLC with automation for agility
Threat
Assessment
Secure
Coding Testing Verification
@Subrak	
  
Subra	
  Kumaraswamy
Thank You
Questions?
Thank	
  You	
  
Apigee
@apigee

Más contenido relacionado

La actualidad más candente

Efficient API delivery with APIOps
Efficient API delivery with APIOpsEfficient API delivery with APIOps
Efficient API delivery with APIOpsSven Bernhardt
 
API Management architect presentation
API Management architect presentationAPI Management architect presentation
API Management architect presentationsflynn073
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
API Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkAPI Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkWSO2
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Test Design and Automation for REST API
Test Design and Automation for REST APITest Design and Automation for REST API
Test Design and Automation for REST APIIvan Katunou
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...apidays
 
Implementing security requirements for banking API system using Open Source ...
 Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...Yuichi Nakamura
 
Introduction to API
Introduction to APIIntroduction to API
Introduction to APIrajnishjha29
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonTEST Huddle
 
Api management best practices with wso2 api manager
Api management best practices with wso2 api managerApi management best practices with wso2 api manager
Api management best practices with wso2 api managerChanaka Fernando
 
B4USolution_API-Testing
B4USolution_API-TestingB4USolution_API-Testing
B4USolution_API-Testingb4usolution .
 

La actualidad más candente (20)

Efficient API delivery with APIOps
Efficient API delivery with APIOpsEfficient API delivery with APIOps
Efficient API delivery with APIOps
 
API Management architect presentation
API Management architect presentationAPI Management architect presentation
API Management architect presentation
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
API Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkAPI Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation Framework
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
What is an API
What is an APIWhat is an API
What is an API
 
Test Design and Automation for REST API
Test Design and Automation for REST APITest Design and Automation for REST API
Test Design and Automation for REST API
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
 
Implementing security requirements for banking API system using Open Source ...
 Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
 
Introduction to API
Introduction to APIIntroduction to API
Introduction to API
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj Rollison
 
Api management best practices with wso2 api manager
Api management best practices with wso2 api managerApi management best practices with wso2 api manager
Api management best practices with wso2 api manager
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and Roadmap
 
API Testing
API TestingAPI Testing
API Testing
 
B4USolution_API-Testing
B4USolution_API-TestingB4USolution_API-Testing
B4USolution_API-Testing
 

Destacado

Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 
Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsApigee | Google Cloud
 
Deep dive: Monetize your API Programs
Deep dive: Monetize your API ProgramsDeep dive: Monetize your API Programs
Deep dive: Monetize your API ProgramsApigee | Google Cloud
 
Monetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital AssetsMonetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital AssetsApigee | Google Cloud
 
Edge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentEdge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentApigee | Google Cloud
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessApigee | Google Cloud
 
The Internet of Things and Developers: What the Enterprise Needs to Know
The Internet of Things and Developers: What the Enterprise Needs to KnowThe Internet of Things and Developers: What the Enterprise Needs to Know
The Internet of Things and Developers: What the Enterprise Needs to KnowApigee | Google Cloud
 
Google {Learning} Analytics GEUG14
Google {Learning} Analytics GEUG14 Google {Learning} Analytics GEUG14
Google {Learning} Analytics GEUG14 Martin Hawksey
 
I Love APIs 2015: Create Design-driven APIs with Node.js and Swagger
I Love APIs 2015: Create Design-driven APIs with Node.js and SwaggerI Love APIs 2015: Create Design-driven APIs with Node.js and Swagger
I Love APIs 2015: Create Design-driven APIs with Node.js and SwaggerApigee | Google Cloud
 
The Digital Retailer: Finding and Engaging Your Customers
The Digital Retailer: Finding and Engaging Your CustomersThe Digital Retailer: Finding and Engaging Your Customers
The Digital Retailer: Finding and Engaging Your CustomersApigee | Google Cloud
 
Developers Hate Marketing! Driving API Adoption
Developers Hate Marketing! Driving API AdoptionDevelopers Hate Marketing! Driving API Adoption
Developers Hate Marketing! Driving API AdoptionApigee | Google Cloud
 
Does your API need to be PCI Compliant?
Does your API need to be PCI Compliant?Does your API need to be PCI Compliant?
Does your API need to be PCI Compliant?Apigee | Google Cloud
 
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015Werner Keil
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
Oracle VM Spec Sheet
Oracle VM Spec SheetOracle VM Spec Sheet
Oracle VM Spec Sheetmarkgatkinson
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
The API Facade Pattern: Technology - Episode 3
The API Facade Pattern: Technology - Episode 3The API Facade Pattern: Technology - Episode 3
The API Facade Pattern: Technology - Episode 3Apigee | Google Cloud
 

Destacado (20)

Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber Threats
 
APIs: The New Security Layer
APIs: The New Security LayerAPIs: The New Security Layer
APIs: The New Security Layer
 
Deep dive: Monetize your API Programs
Deep dive: Monetize your API ProgramsDeep dive: Monetize your API Programs
Deep dive: Monetize your API Programs
 
Monetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital AssetsMonetization - The Right Business Model for Your Digital Assets
Monetization - The Right Business Model for Your Digital Assets
 
Edge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app developmentEdge API BaaS Deep-Dive: Streamline app development
Edge API BaaS Deep-Dive: Streamline app development
 
Adapt or Die Sydney - API Security
Adapt or Die Sydney - API SecurityAdapt or Die Sydney - API Security
Adapt or Die Sydney - API Security
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
 
The Internet of Things and Developers: What the Enterprise Needs to Know
The Internet of Things and Developers: What the Enterprise Needs to KnowThe Internet of Things and Developers: What the Enterprise Needs to Know
The Internet of Things and Developers: What the Enterprise Needs to Know
 
Google {Learning} Analytics GEUG14
Google {Learning} Analytics GEUG14 Google {Learning} Analytics GEUG14
Google {Learning} Analytics GEUG14
 
Webcast: Apigee Edge Product Demo
Webcast: Apigee Edge Product DemoWebcast: Apigee Edge Product Demo
Webcast: Apigee Edge Product Demo
 
I Love APIs 2015: Create Design-driven APIs with Node.js and Swagger
I Love APIs 2015: Create Design-driven APIs with Node.js and SwaggerI Love APIs 2015: Create Design-driven APIs with Node.js and Swagger
I Love APIs 2015: Create Design-driven APIs with Node.js and Swagger
 
The Digital Retailer: Finding and Engaging Your Customers
The Digital Retailer: Finding and Engaging Your CustomersThe Digital Retailer: Finding and Engaging Your Customers
The Digital Retailer: Finding and Engaging Your Customers
 
Developers Hate Marketing! Driving API Adoption
Developers Hate Marketing! Driving API AdoptionDevelopers Hate Marketing! Driving API Adoption
Developers Hate Marketing! Driving API Adoption
 
Does your API need to be PCI Compliant?
Does your API need to be PCI Compliant?Does your API need to be PCI Compliant?
Does your API need to be PCI Compliant?
 
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
 
Oracle VM Spec Sheet
Oracle VM Spec SheetOracle VM Spec Sheet
Oracle VM Spec Sheet
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
The API Facade Pattern: Technology - Episode 3
The API Facade Pattern: Technology - Episode 3The API Facade Pattern: Technology - Episode 3
The API Facade Pattern: Technology - Episode 3
 

Similar a How to Achieve Agile API Security

apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveApigee | Google Cloud
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...
Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...
Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...Hamida Rebai Trabelsi
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityAaronLieberman5
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security EditionAPIsecure_ Official
 
API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)Apigee | Google Cloud
 
apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...
apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...
apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...apidays
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityAaronLieberman5
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24
 
Application_security_Strategic
Application_security_StrategicApplication_security_Strategic
Application_security_StrategicRamesh VG
 
APIs In Action -Harnessing the Power of Azure API Management: Building Robust...
APIs In Action -Harnessing the Power of Azure API Management: Building Robust...APIs In Action -Harnessing the Power of Azure API Management: Building Robust...
APIs In Action -Harnessing the Power of Azure API Management: Building Robust...Hamida Rebai Trabelsi
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays
 
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowAaronLieberman5
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 

Similar a How to Achieve Agile API Security (20)

apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...
Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...
Azure Spring Clean 2024 event - Azure API Management: Architecting for Perfor...
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)
 
apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...
apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...
apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nali...
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
Day 1 axway apim-training
Day 1   axway apim-trainingDay 1   axway apim-training
Day 1 axway apim-training
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
 
Application_security_Strategic
Application_security_StrategicApplication_security_Strategic
Application_security_Strategic
 
APIs In Action -Harnessing the Power of Azure API Management: Building Robust...
APIs In Action -Harnessing the Power of Azure API Management: Building Robust...APIs In Action -Harnessing the Power of Azure API Management: Building Robust...
APIs In Action -Harnessing the Power of Azure API Management: Building Robust...
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
 
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 

Más de Apigee | Google Cloud

Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Apigee | Google Cloud
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldApigee | Google Cloud
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Apigee | Google Cloud
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketApigee | Google Cloud
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsApigee | Google Cloud
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailApigee | Google Cloud
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranApigee | Google Cloud
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!Apigee | Google Cloud
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorApigee | Google Cloud
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 

Más de Apigee | Google Cloud (20)

Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)
 
Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform Overview
 
Ticketmaster at a glance
Ticketmaster at a glanceTicketmaster at a glance
Ticketmaster at a glance
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First World
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management Market
 
Walgreens at a glance
Walgreens at a glanceWalgreens at a glance
Walgreens at a glance
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to Microgateway
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
Pitney Bowes at a glance
Pitney Bowes at a glancePitney Bowes at a glance
Pitney Bowes at a glance
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet Kapoor
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg Brail
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant Jhingran
 
London Adapt or Die: Opening Keynot
London Adapt or Die: Opening KeynotLondon Adapt or Die: Opening Keynot
London Adapt or Die: Opening Keynot
 
London Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynoteLondon Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynote
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoor
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet Kapoor
 

Último

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 

Último (20)

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 

How to Achieve Agile API Security

  • 5. Agenda •  Why Agile Security matters •  Agile API Security enablers and approaches •  Key takeaways •  Q&A
  • 7. API security stakeholders 7 Product Manager How can I release features with built-in security? How I can reduce the release cycle? Business owner How to reduce risk while expanding API exposure? How to meet compliance? Ops How do I enforce consistent security policy across APIs? What controls I have to mitigate attacks like DoS? App Developer What options I have to secure data in rest and transit? How to I enable Social login? How can I manage and revoke keys?
  • 8. Have implemented layers of security to protect crown jewels.. Security layers – good enough?
  • 9. That’s not enough, need security, with flexibility 9
  • 10. A new approach is required
  • 11. Agile API security 11 API First Architecture with built-in Security Data Security governance Security for API exposure Security for consumption (Apps) Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification
  • 12. API-first architecture API Tier All Apps Analytics App Servers ESB Social Apps Web Apps Mobile Apps Backend Services OrchestrationPersistence Security Internet Consistent security policies & access control (Exposure) Flexible security for Apps (Consumption) Developers IT security architect
  • 13. API security architecture Policy Store Log Store API Security Authentication Authorization Traffic
 Management Logging & Auditing Identity for API Management User Management RBAC Management Policy Management Certificate Management Keys/Token Management Threat Protection TLS DDoS Rate Limiting & Quota Payload Protection Analytics Compliance (SOC 2, PCI DSS, HIPAA) Developers Apps IT Security / Architect Key Store Policy 
 Enforcement
  • 14. Identity landscape in the API world
  • 15. 15 þ  API First Architecture with Security Data Security governance Security for API exposure Security for consumption (Apps) Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  • 16. Security Design Agile SDLC – Focus on automation Threat Assessment Secure Coding Testing Verification API Threat Modeling Secure Coding Practices Static Analysis Security Unit Testing Dynamic Analysis Secure Development Training Black Box Pen Testing Continuous Security Monitoring •  API product centric •  Aligned with Epic and stories •  Integrated into Development using Maven and Jenkin plugins •  Vulnerabilities prioritized based in criticality and threat model requirements •  Blackbox testing aligned with major release •  Monitoring of API to verify policies
  • 17. •  What categories of developers or applications do you have? –  internal developers –  partners (at various service levels) –  public developers (open adoption) •  What APIs should each class of developers or applications have access to? •  What Authentication and Authorization schemes are supported by Apps to consume APIs? •  What type of data is exposed via API? •  What threats do you want protect against? API Product security design considerations
  • 18. API threats •  Spoofing of identity •  Denial of service •  Network eavesdropping (App-to-API) •  Replay attacks •  Unauthorized access to management system and configuration data •  Man-in-the-middle attacks •  Velocity attack using legitimate API keys •  Elevation of privilege by applications and developers •  Disclosure of confidential data stored and processed in mobile, API, and backend services •  Theft of credentials, API keys, tokens, or encryption keys
  • 19. 19 þ  API First Architecture with Security Data Security Governance Security for API exposure Security for consumption (Apps) þ  Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  • 20. Centralize API security for exposure 2 Backend Service Authentication & Authorization Identity Services (IdP) Logging & Auditing Security Analytics Authentication & Authorization Secure API Exposure TLS Apps Security & Identity" Capabilities
  • 21. 21 API exposure – security checklist API Security API Developer Security þ Authentication & SSO (SAML, OAuth) þ API Management Roles (RBAC) þ Internal Vs External Developer þ Data Masking þ Logging and auditing Governance & Compliance þ Policy Enforcement þ PCI/HIPAA Compliance API (Backend) Security þ Secure communication (TLS – 1 way or 2 way) þ Authentication (TLS, OAuth, SAML) þ Versioning þ Integration with Enterprise identity providers þ Logging and auditing Analytics þ Run time detection reports (Volume based, Traffic properties)
  • 22. 22 þ  API First Architecture with Security Data Security Governance þ  Security for API exposure Security for Consumption (Apps) þ  Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  • 23. Standardize App security for consumption Security & Identity" Capabilities Threat Protection Application Security Security for Consumption Authentication & Authorization TLS Developers Backend Services Apps
  • 24. 24 API consumption – security checklist API Security App Developer Security þ Developer Key Management (Workflow, Governance) þ Developer provisioning þ Authentication & SSO (SAML, OAuth) þ Internal Vs External Developer þ Developer permission (RBAC) App Security þ Secure communication (TLS – 1 way or 2 way) – Mobile Vs Partner þ Authentication (OAuth patterns) þ API key with Product Scope þ Quota Enforcement þ IP Based Whitelist/Blacklist Threat Protection þ XML/JSON Poisoning/Injection þ SQL Injection þ DDoS/App-DoS Attacks þ Spike Arrest
  • 25. 25 þ  API First Architecture with Security Data Security Focused – API Products þ  Security for API exposure þ  Security for App Standardized þ  Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  • 26. 26 •  Organize your APIs as API products for fine granular data security management •  Central mechanism for authorization and access control to your APIs •  API products with Key and OAuth Scope protects your API •  Protect payload data using encryption, hashing and secure key management •  Improve API agility by aligning Secure SDLC with data security sensitivity API data security
  • 27. Key takeaways 27 þ  Practice API First Architecture for security with flexibility þ  Use API Products to enable tiered security þ  Centralize your API security for consistent policy enforcement þ  Standardize App security across channels for frictionless user experience þ  Implement SDLC with automation for agility Threat Assessment Secure Coding Testing Verification