Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

How to Achieve Agile API Security

5.397 visualizaciones

Publicado el

Learn about security architecture, security patterns for app and API access control, and best practices for threat management, data security, identity and compliance including:

- how to approach API security for your API program?

- the API security pillars - threat protection, data security and identity

- best practices for integrating identity services into API management

- how to meet compliance requirements for API products

Publicado en: Tecnología
  • DOWNLOAD FULL BOOKS INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Responder 
    ¿Estás seguro?    No
    Tu mensaje aparecerá aquí

How to Achieve Agile API Security

  1. 1. Agile API Security Apigee @apigee Subra Kumaraswamy @subrak
  2. 2. youtube.com/apigee
  3. 3. slideshare.net/apigee
  4. 4. @Subrak   Subra  Kumaraswamy
  5. 5. Agenda •  Why Agile Security matters •  Agile API Security enablers and approaches •  Key takeaways •  Q&A
  6. 6. Why Agile security? 6 Developer Agility Security Risks
  7. 7. API security stakeholders 7 Product Manager How can I release features with built-in security? How I can reduce the release cycle? Business owner How to reduce risk while expanding API exposure? How to meet compliance? Ops How do I enforce consistent security policy across APIs? What controls I have to mitigate attacks like DoS? App Developer What options I have to secure data in rest and transit? How to I enable Social login? How can I manage and revoke keys?
  8. 8. Have implemented layers of security to protect crown jewels.. Security layers – good enough?
  9. 9. That’s not enough, need security, with flexibility 9
  10. 10. A new approach is required
  11. 11. Agile API security 11 API First Architecture with built-in Security Data Security governance Security for API exposure Security for consumption (Apps) Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification
  12. 12. API-first architecture API Tier All Apps Analytics App Servers ESB Social Apps Web Apps Mobile Apps Backend Services OrchestrationPersistence Security Internet Consistent security policies & access control (Exposure) Flexible security for Apps (Consumption) Developers IT security architect
  13. 13. API security architecture Policy Store Log Store API Security Authentication Authorization Traffic
 Management Logging & Auditing Identity for API Management User Management RBAC Management Policy Management Certificate Management Keys/Token Management Threat Protection TLS DDoS Rate Limiting & Quota Payload Protection Analytics Compliance (SOC 2, PCI DSS, HIPAA) Developers Apps IT Security / Architect Key Store Policy 
 Enforcement
  14. 14. Identity landscape in the API world
  15. 15. 15 þ  API First Architecture with Security Data Security governance Security for API exposure Security for consumption (Apps) Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  16. 16. Security Design Agile SDLC – Focus on automation Threat Assessment Secure Coding Testing Verification API Threat Modeling Secure Coding Practices Static Analysis Security Unit Testing Dynamic Analysis Secure Development Training Black Box Pen Testing Continuous Security Monitoring •  API product centric •  Aligned with Epic and stories •  Integrated into Development using Maven and Jenkin plugins •  Vulnerabilities prioritized based in criticality and threat model requirements •  Blackbox testing aligned with major release •  Monitoring of API to verify policies
  17. 17. •  What categories of developers or applications do you have? –  internal developers –  partners (at various service levels) –  public developers (open adoption) •  What APIs should each class of developers or applications have access to? •  What Authentication and Authorization schemes are supported by Apps to consume APIs? •  What type of data is exposed via API? •  What threats do you want protect against? API Product security design considerations
  18. 18. API threats •  Spoofing of identity •  Denial of service •  Network eavesdropping (App-to-API) •  Replay attacks •  Unauthorized access to management system and configuration data •  Man-in-the-middle attacks •  Velocity attack using legitimate API keys •  Elevation of privilege by applications and developers •  Disclosure of confidential data stored and processed in mobile, API, and backend services •  Theft of credentials, API keys, tokens, or encryption keys
  19. 19. 19 þ  API First Architecture with Security Data Security Governance Security for API exposure Security for consumption (Apps) þ  Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  20. 20. Centralize API security for exposure 2 Backend Service Authentication & Authorization Identity Services (IdP) Logging & Auditing Security Analytics Authentication & Authorization Secure API Exposure TLS Apps Security & Identity" Capabilities
  21. 21. 21 API exposure – security checklist API Security API Developer Security þ Authentication & SSO (SAML, OAuth) þ API Management Roles (RBAC) þ Internal Vs External Developer þ Data Masking þ Logging and auditing Governance & Compliance þ Policy Enforcement þ PCI/HIPAA Compliance API (Backend) Security þ Secure communication (TLS – 1 way or 2 way) þ Authentication (TLS, OAuth, SAML) þ Versioning þ Integration with Enterprise identity providers þ Logging and auditing Analytics þ Run time detection reports (Volume based, Traffic properties)
  22. 22. 22 þ  API First Architecture with Security Data Security Governance þ  Security for API exposure Security for Consumption (Apps) þ  Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  23. 23. Standardize App security for consumption Security & Identity" Capabilities Threat Protection Application Security Security for Consumption Authentication & Authorization TLS Developers Backend Services Apps
  24. 24. 24 API consumption – security checklist API Security App Developer Security þ Developer Key Management (Workflow, Governance) þ Developer provisioning þ Authentication & SSO (SAML, OAuth) þ Internal Vs External Developer þ Developer permission (RBAC) App Security þ Secure communication (TLS – 1 way or 2 way) – Mobile Vs Partner þ Authentication (OAuth patterns) þ API key with Product Scope þ Quota Enforcement þ IP Based Whitelist/Blacklist Threat Protection þ XML/JSON Poisoning/Injection þ SQL Injection þ DDoS/App-DoS Attacks þ Spike Arrest
  25. 25. 25 þ  API First Architecture with Security Data Security Focused – API Products þ  Security for API exposure þ  Security for App Standardized þ  Secure and Agile SDLC Threat Assessment Secure Coding Testing Verification Agile API security
  26. 26. 26 •  Organize your APIs as API products for fine granular data security management •  Central mechanism for authorization and access control to your APIs •  API products with Key and OAuth Scope protects your API •  Protect payload data using encryption, hashing and secure key management •  Improve API agility by aligning Secure SDLC with data security sensitivity API data security
  27. 27. Key takeaways 27 þ  Practice API First Architecture for security with flexibility þ  Use API Products to enable tiered security þ  Centralize your API security for consistent policy enforcement þ  Standardize App security across channels for frictionless user experience þ  Implement SDLC with automation for agility Threat Assessment Secure Coding Testing Verification
  28. 28. @Subrak   Subra  Kumaraswamy Thank You Questions?
  29. 29. Thank  You   Apigee @apigee

×