Securing Insecure
Prabath Siriwardena, WSO2
Twitter : @prabath
About the presenter (@prabath)
• 7+ years at WSO2
• Member of OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC, OASIS Security Services (SAML) TC, OASIS Identity in the Cloud TC and OASIS Cloud Authorization (CloudAuthZ) TC
• Blog: http://blog.facilelogin.com
• Books:
Perception
Correctness
C-I-A
Confidentiality
Integrity
Availability
Correctness
The Weakest Link
Insider Attacks
Defense In Depth
Threat Modeling
Pattern 01
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via a single web application while they are
behind the company firewall. All the user data are stored in an Active Directory and the
web application is connected to it to authenticate users. The web application passes
logged in user’s identifier to the backend APIs and retrieves data related to the user.
Pattern 02
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via a single web application while they are
behind the company firewall. All the user data are stored in an Active Directory and the
web application is connected to it to authenticate users. The web application needs to
access the backend APIs on behalf of the logged in user.
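Patterns 01 and 02 share one hazard: if the backend API accepts a bare user identifier from the web application, anyone who can reach the API from inside the firewall can name any employee. The Go program below is an added example, not code from the slides or from WSO2. The web application, having authenticated the user against Active Directory, asserts the user's identity in a short-lived, audience-bound, HMAC-signed token that the API verifies with a key it shares only with that web application. The claim names, the two-minute lifetime and the shared key are assumptions for illustration.

```go
package main

// Added example (not from the slides): a trusted web application asserts the
// logged-in user to a backend API with a signed, expiring token instead of a
// bare identifier header. Key, claim names and lifetimes are assumptions.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the assertion: aud binds it to one API, exp bounds replay.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Issue builds a compact JWT-style token (header.payload.signature, HS256).
func Issue(key []byte, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verify is what the backend API runs. It recomputes the MAC over the exact
// bytes received with the algorithm it expects (never the one the header
// claims), compares in constant time, and only then reads audience and expiry.
func Verify(key []byte, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected header")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Aud != expectedAud {
		return nil, errors.New("audience mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key := []byte("shared-secret-between-webapp-and-api") // assumption: provisioned out of band
	tok, _ := Issue(key, Claims{Iss: "webapp", Sub: "alice@corp.example",
		Aud: "employee-api", Exp: time.Now().Add(2 * time.Minute).Unix()})
	c, err := Verify(key, tok, "employee-api", time.Now())
	fmt.Println("valid:", c, err)
	_, err = Verify(key, tok+"x", "employee-api", time.Now())
	fmt.Println("tampered:", err)
}
```

Because the key is symmetric, the API could mint such tokens itself; this is only a trusted-subsystem design for the single web application of Patterns 01 and 02. From Pattern 03 on, the slides move the assertion to a SAML 2.0 or OpenID Connect identity provider, which signs with a private key the API never holds.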
Pattern 03
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via multiple web applications while they are
behind the company firewall. All the user data are stored in an Active Directory and all
the web applications are connected to a SAML 2.0 Identity Provider to authenticate
users. The web applications need to access backend APIs on behalf of the logged in
user.
Pattern 04
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via multiple web applications while they are
behind the company firewall. All the user data are stored in an Active Directory and all
the web applications are connected to a SAML 2.0 Identity Provider to authenticate
users. The web applications need to access backend APIs on behalf of the logged in
user. All the users are in a Windows domain and once they are logged into their
workstations – they should not be asked to provide credentials at any point for any other
application.
Pattern 05
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees as well as employees from trusted partners
via multiple web applications. All the internal user data are stored in an Active Directory
and all the web applications are connected to a SAML 2.0 Identity Provider to
authenticate users. The web applications need to access backend APIs on behalf of the
logged in user.
Pattern 06
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via multiple web applications while they are
behind the company firewall. All the user data are stored in an Active Directory and all
the web applications are connected to an OpenID Connect Identity Provider to
authenticate users. The web applications need to access backend APIs on behalf of the
logged in user.
Pattern 07
Problem Statement
A medium-scale enterprise in the finance industry needs to expose an API to its
customers through a mobile application. One major requirement is that all the API calls
should support non-repudiation.
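Non-repudiation is the one property a shared secret cannot give: when the client and the API hold the same HMAC key, either side could have produced the MAC. The Go program below is an added example, not from the slides or from WSO2. Each API call is signed with a per-user ECDSA P-256 private key that stays on the device, and the API checks freshness, replay and signature before acting. The request fields, the canonical string layout and the five-minute window are assumptions for illustration.

```go
package main

// Added example (not from the slides): per-request ECDSA signatures so the API
// can later prove which user made which call. Field names, canonical format
// and the acceptance window are assumptions.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Request is one API call; Sig covers every other field.
type Request struct {
	Method, Path string
	Body         []byte
	Timestamp    int64  // unix seconds, set by the client
	Nonce        string // fresh per request
	Sig          []byte // ASN.1 DER ECDSA signature
}

// NewUserKey generates the per-user key; in practice it lives in the device keystore.
func NewUserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// canonical builds the digest both sides sign and verify. Method and path are
// included so a signature cannot be replayed against a different endpoint.
func canonical(r *Request) []byte {
	bodyHash := sha256.Sum256(r.Body)
	s := fmt.Sprintf("%s\n%s\n%s\n%d\n%s", r.Method, r.Path,
		hex.EncodeToString(bodyHash[:]), r.Timestamp, r.Nonce)
	sum := sha256.Sum256([]byte(s))
	return sum[:]
}

// Sign runs on the client; the private key never leaves the device.
func Sign(priv *ecdsa.PrivateKey, r *Request) error {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, canonical(r))
	if err != nil {
		return err
	}
	r.Sig = sig
	return nil
}

// Verifier lives at the API. seen is the replay cache for nonces inside the
// window (in production a shared store with a TTL, not an in-memory map).
type Verifier struct {
	Window time.Duration
	seen   map[string]bool
}

func NewVerifier(w time.Duration) *Verifier {
	return &Verifier{Window: w, seen: map[string]bool{}}
}

// Verify checks freshness, then replay, then the signature, so a replayed or
// stale request is refused before any public-key work is spent on it.
func (v *Verifier) Verify(pub *ecdsa.PublicKey, r *Request, now time.Time) error {
	age := now.Sub(time.Unix(r.Timestamp, 0))
	if age < -v.Window || age > v.Window {
		return errors.New("timestamp outside acceptance window")
	}
	if v.seen[r.Nonce] {
		return errors.New("replayed nonce")
	}
	if !ecdsa.VerifyASN1(pub, canonical(r), r.Sig) {
		return errors.New("bad signature")
	}
	v.seen[r.Nonce] = true
	return nil
}

func newNonce() string {
	b := make([]byte, 16)
	rand.Read(b)
	return hex.EncodeToString(b)
}

func main() {
	priv, _ := NewUserKey()
	req := &Request{Method: "POST", Path: "/transfers",
		Body: []byte(`{"to":"acct-42","amount":100}`), Timestamp: time.Now().Unix(), Nonce: newNonce()}
	_ = Sign(priv, req)
	v := NewVerifier(5 * time.Minute)
	fmt.Println("first:", v.Verify(&priv.PublicKey, req, time.Now()))
	fmt.Println("replay:", v.Verify(&priv.PublicKey, req, time.Now()))
}
```

The evidentiary value rests on the private key being bound to one person: it should be generated on the device at enrollment, protected by the platform keystore, and its public key registered with the API over an authenticated channel. The API must also retain the signed request, not just the verification result, or there is nothing to show a dispute resolver.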
Pattern 08
Problem Statement
A medium-scale enterprise that sells bottled water has a RESTful API (Water API),
which can be used to update the amount of water consumed by a registered user. These
APIs should be accessed by any registered user via any client application - could be an
Android app, an iOS app or even a web application. The company only provides APIs
and anyone can develop client applications to consume those. All the user data are
stored in an Active Directory. Client applications should not be able to access the API
directly and query about users. Only registered users can access the API – and they
also should not be able to see other users' information. At the same time, for each
update by the user, the Water API must also update the user's health care record
maintained at MyHealth.org. The user also has a user record at MyHealth.org and it
too exposes an API (MyHealth API). The Water API has to call the MyHealth API to update the
user record, on behalf of the user.
Pattern 09
Problem Statement
A large-scale enterprise has a set of RESTful APIs. The APIs are hosted in different
departments and each department runs its own OAuth authorization server due to
vendor incompatibilities in different deployments. These APIs should only be accessed
by company employees via multiple web applications while they are behind the company
firewall – irrespective of the department they belong to. All the user data are stored in a
centralized Active Directory and all the web applications are connected to a centralized
OAuth Authorization Server (also supports OpenID Connect) to authenticate users. The
web applications need to access backend APIs on behalf of the logged in user. These
APIs may come from different departments – having their own authorization servers.
The company also has a centralized OAuth authorization server and an employee
having an access token from the centralized authorization server must be able to access
any API hosted in any department.
Pattern 10
Problem Statement
A global organization has APIs and API clients distributed across different regions. Each
region operates independently of the others. Currently neither the clients nor the APIs
are secured. The APIs need to be secured without any changes at either the API end
or the client end.
Pattern 11
Problem Statement
A company wants to expose an API to its own employees. But the user credentials must
not ever go over the wire.
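One way to meet this requirement, as an added example that is not part of the slides or of WSO2's code: a SCRAM-style challenge-response login. The client proves knowledge of the password with a keyed proof over nonces chosen by both sides; only the nonces, the salt and that proof cross the wire, and the server stores a hash of a derived key rather than the password or a password-equivalent. The iteration count, nonce handling and names are assumptions for illustration; the real protocol is SCRAM-SHA-256 (RFC 7677), and inside a Windows domain Kerberos is the usual answer to the same requirement.

```go
package main

// Added example (not from the slides): SCRAM-style challenge-response in which
// the password never leaves the client. Iterations, nonces and names are
// assumptions; see RFC 7677 for the real SCRAM-SHA-256.

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const iterations = 4096

// hmacSHA256 is the keyed PRF used everywhere below.
func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// pbkdf2One is PBKDF2-HMAC-SHA256 producing a single 32-byte block, which is
// all this protocol needs (the "Hi" function in the RFC).
func pbkdf2One(password, salt []byte, iter int) []byte {
	u := hmacSHA256(password, append(append([]byte{}, salt...), 0, 0, 0, 1))
	out := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		u = hmacSHA256(password, u)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Credential is what the server stores. StoredKey = SHA256(ClientKey); the
// server never holds the password or ClientKey itself.
type Credential struct {
	Salt      []byte
	Iter      int
	StoredKey []byte
}

// Enroll runs once, when the account is created.
func Enroll(password string, salt []byte) Credential {
	salted := pbkdf2One([]byte(password), salt, iterations)
	clientKey := hmacSHA256(salted, []byte("Client Key"))
	sk := sha256.Sum256(clientKey)
	return Credential{Salt: salt, Iter: iterations, StoredKey: sk[:]}
}

// authMessage binds both nonces and the username so a proof is single-use
// and cannot be redirected to another account.
func authMessage(user string, clientNonce, serverNonce []byte) []byte {
	return []byte(user + "," + hex.EncodeToString(clientNonce) + "," + hex.EncodeToString(serverNonce))
}

// ClientProof runs on the client after it receives salt, iteration count and
// the server nonce. Proof = ClientKey XOR HMAC(StoredKey, authMessage).
func ClientProof(password, user string, salt []byte, iter int, clientNonce, serverNonce []byte) []byte {
	salted := pbkdf2One([]byte(password), salt, iter)
	clientKey := hmacSHA256(salted, []byte("Client Key"))
	sk := sha256.Sum256(clientKey)
	sig := hmacSHA256(sk[:], authMessage(user, clientNonce, serverNonce))
	proof := make([]byte, len(clientKey))
	for i := range proof {
		proof[i] = clientKey[i] ^ sig[i]
	}
	return proof
}

// VerifyProof runs on the server: it unmasks ClientKey from the proof and
// checks that its hash matches StoredKey, in constant time.
func VerifyProof(c Credential, user string, clientNonce, serverNonce, proof []byte) error {
	if len(proof) != sha256.Size {
		return errors.New("malformed proof")
	}
	sig := hmacSHA256(c.StoredKey, authMessage(user, clientNonce, serverNonce))
	clientKey := make([]byte, len(proof))
	for i := range proof {
		clientKey[i] = proof[i] ^ sig[i]
	}
	got := sha256.Sum256(clientKey)
	if !hmac.Equal(got[:], c.StoredKey) {
		return errors.New("authentication failed")
	}
	return nil
}

func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

func main() {
	cred := Enroll("correct horse battery staple", randomBytes(16))
	cn, sn := randomBytes(16), randomBytes(16)
	proof := ClientProof("correct horse battery staple", "alice", cred.Salt, cred.Iter, cn, sn)
	fmt.Println("login:", VerifyProof(cred, "alice", cn, sn, proof))
	fmt.Println("replay with a new server nonce:", VerifyProof(cred, "alice", cn, randomBytes(16), proof))
}
```

Two caveats a deployment should carry over from the RFC: the exchange still belongs inside TLS, because an active attacker who can serve a chosen salt and nonce can run an offline guessing attack on the proof; and StoredKey alone is not enough to log in, but anyone who steals it and captures a single exchange recovers ClientKey, so the credential store needs the same protection a password hash does.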
Pattern 12
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via a single web application while they are
behind the company firewall. All the user data are stored in an Active Directory and the
web application is connected to it to authenticate users. The web application needs to
access the backend APIs on behalf of the logged in user. The backend API must
authorize the user.
Contact us!
