SlideShare una empresa de Scribd logo

Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliewer Principal Consultant/Solutions Architect, CA Technologies

Descargar como PPTX, PDF
CA API Management
CA API Management

The difference between Web Apps, Web Services, and Web APIs, and how getting into Web APIs will change the way you do authentication and access control.

Tecnología
1 de 23
Trust No One The New Security Model for Web APIs Greg Kliewer Principal Consultant, Solutions Architect Layer 7, a CA Technologies company October 8, 2013 © 2013 CA. All rights reserved.
What are Web APIs?
Old School APIs: Application Programming Interfaces My API Your Code My Code APIs are for connecting “software machines”  Modules within a program  Programs on a server  Programs over local networks My Server Your Client 3 © 2013 CA. All rights reserved.
Web APIs are for connecting “web machines”  Over the World Wide Web  Exploiting a globally-connected network My API 4 © 2013 CA. All rights reserved.
How Web APIs Evolved
Before there were Web APIs, there were Web Apps   No programmatic access from the Public Internet  6 APIs protected by network separation Safety through total isolation and control © 2013 CA. All rights reserved.
Then came Web Services SOA / SOAP services  Used web technologies like HTTP, SSL/TLS, and language-independent, text-based grammar  Applied mostly for internal application integration, like old school APIs  BUT there was some limited uptake of SOAP web services for allowing programmatic access to core services by business partners and corporate customers 7 © 2013 CA. All rights reserved.
Security for Web Services The model most of us are familiar with  CA Establish TRUST with public key infrastructure – Private key / public certificate pairs – Have certificates signed by recognized CA / RA Partner – Exchange that certificate with similarly-assured certificate from partners Company  Apply asymmetric crypto at runtime to validate digital signatures / decrypt encrypted content VALIDATE – SSL/TLS Mutual Authentication SSL/TLS SIGN Partner VERIFY – XML-DSIG/XML-ENC applied to SOAP documents Company  8 TRUST partner / corporate customer to treat crypto material with care and caution © 2013 CA. All rights reserved.
But now the disrupters are here My Business 9 © 2013 CA. All rights reserved.
Mobile, Social, Cloud, and Embedded Applications Require programmatic access Do not support PKI / Asymmetric Crypto* *to prove their identity 10 © 2013 CA. All rights reserved.
How can we safely expose Web APIs? 11 © 2013 CA. All rights reserved.
The new security model for Web APIs
In the new world there are exponentially more Apps to be served Enterprise Apps, Portals, and Web Apps are being decomposed into Apps… notes calendar mail 13 © 2013 CA. All rights reserved.
In the new world there are exponentially more Apps to be served …and released into the wild 14 © 2013 CA. All rights reserved.
So if we are going to publish APIs to these new Apps… My API 15 © 2013 CA. All rights reserved.
…we had better require more regular and active scrutiny of the Apps’ access privileges…  First of all, DO NOT issue long-lasting certificates to the Apps (e.g. x.509 expires in 1 yr)  Instead, issue short-lived access tokens that can be revoked at any time Request Access access token How long should the Apps have access without reauthenticating? 1 hour for info services Security Architect 16 CISO © 2013 CA. All rights reserved. 5 mins for financial txns
…we had better require more regular and active scrutiny of the Apps’ access privileges…  Next, include the end user in authenticating / authorizing the App  Explicitly grant access  To a limited scope Declare Scope This App would like to access your profile data and bill to your account. grant Request Access access token 17 © 2013 CA. All rights reserved.
Introducing OAuth The new security model for Web APIs  “ Open standard specification by IETF WG The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This App would like to Declare access your profile data Scope and bill to your account. grant Request Access access token Requests with access token 18 © 2013 CA. All rights reserved. OAuth Auth Server ”
OAuth adoption The big guys… 19 © 2013 CA. All rights reserved.
OAuth adoption …and YOU 20 © 2013 CA. All rights reserved.
How to learn more
Where to learn more   Come talk to us! Primers – Booth #505 – We’re here today and tomorrow  – By Aaron Parecki – By Jakob Jenkov  API Academy – Online resources – The 5 OAuth essentials – Workshops  Publications  OAuth Online Blogs – By Francois Lascelles – http://oauth.net/ – https://www.ietf.org/mailman/listinfo/oauth 22 © 2013 CA. All rights reserved.
Greg Kliewer Principal Consultant, Systems Architect greg.kliewer@ca.com @cainc slideshare.net/CAinc linkedin.com/company/ca-technologies ca.com

Recomendados

Protecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthProtecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthApigee | Google Cloud
 
Patterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSOPatterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSOWSO2
 
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...CA API Management
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Nordic APIs
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsCA API Management
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Financial services rely on APIs
Financial services rely on APIsFinancial services rely on APIs
Financial services rely on APIsRogue Wave Software
 

Recomendados

Protecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthProtecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthApigee | Google Cloud
 
Patterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSOPatterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSOWSO2
 
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...CA API Management
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Nordic APIs
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsCA API Management
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Financial services rely on APIs
Financial services rely on APIsFinancial services rely on APIs
Financial services rely on APIsRogue Wave Software
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseCA API Management
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsNordic APIs
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
Single sign-on Across Mobile Applications from RSAConference
Single sign-on Across Mobile Applications from RSAConferenceSingle sign-on Across Mobile Applications from RSAConference
Single sign-on Across Mobile Applications from RSAConferenceCA API Management
 
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...CA API Management
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldPing Identity
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Eve Maler
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)Nordic APIs
 
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...apidays
 
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewartapidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewartapidays
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
CIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCloudIDSummit
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementEldert Grootenboer
 
The New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT EraThe New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT EraForgeRock
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackNordic APIs
 
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCloudIDSummit
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing InsecurePrabath Siriwardena
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...CA API Management
 
DWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, AtosDWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, AtosIDATE DigiWorld
 

Más contenido relacionado

La actualidad más candente

Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseCA API Management
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsNordic APIs
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
Single sign-on Across Mobile Applications from RSAConference
Single sign-on Across Mobile Applications from RSAConferenceSingle sign-on Across Mobile Applications from RSAConference
Single sign-on Across Mobile Applications from RSAConferenceCA API Management
 
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...CA API Management
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldPing Identity
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Eve Maler
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)Nordic APIs
 
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...apidays
 
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewartapidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewartapidays
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
CIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCloudIDSummit
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementEldert Grootenboer
 
The New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT EraThe New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT EraForgeRock
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackNordic APIs
 
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCloudIDSummit
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 

La actualidad más candente (20)

Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashups
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA
 
Single sign-on Across Mobile Applications from RSAConference
Single sign-on Across Mobile Applications from RSAConferenceSingle sign-on Across Mobile Applications from RSAConference
Single sign-on Across Mobile Applications from RSAConference
 
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual World
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
 
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
 
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewartapidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
CIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and Hacks
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
 
The New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT EraThe New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT Era
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
 
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing Insecure
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
 

Destacado

Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...CA API Management
 
DWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, AtosDWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, AtosIDATE DigiWorld
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?Antonio Fontes
 
IoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetIoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetPaul Brody
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityWSO2
 
The End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to CybersecurityThe End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to CybersecurityMarc Nader
 
SABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSAcourses
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security Tripwire
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecturenarenvivek
 
Improving web application security, part ii
Improving web application security, part iiImproving web application security, part ii
Improving web application security, part iiKangkan Goswami
 
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
Blockchain_ver0.5_MIT_security_and Privacy_am_final_uploadBlockchain_ver0.5_MIT_security_and Privacy_am_final_upload
Blockchain_ver0.5_MIT_security_and Privacy_am_final_uploadAnish Mohammed
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureSABSAcourses
 
От простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко
От простого к сложному: автоматизируем ручные тест-планы | Сергей ТимченкоОт простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко
От простого к сложному: автоматизируем ручные тест-планы | Сергей ТимченкоPositive Hack Days
 
Инструментарий для создания дистрибутивов продуктов | Владимир Селин
Инструментарий для создания дистрибутивов продуктов | Владимир СелинИнструментарий для создания дистрибутивов продуктов | Владимир Селин
Инструментарий для создания дистрибутивов продуктов | Владимир СелинPositive Hack Days
 
Modern Security for the Modern Data Center
Modern Security for the Modern Data CenterModern Security for the Modern Data Center
Modern Security for the Modern Data CenterVMware
 
SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...
SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...
SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...Positive Hack Days
 

Destacado (20)

Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
 
DWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, AtosDWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, Atos
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?
 
IoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetIoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The Internet
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise Security
 
The End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to CybersecurityThe End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to Cybersecurity
 
SABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summary
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecture
 
Improving web application security, part ii
Improving web application security, part iiImproving web application security, part ii
Improving web application security, part ii
 
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
Blockchain_ver0.5_MIT_security_and Privacy_am_final_uploadBlockchain_ver0.5_MIT_security_and Privacy_am_final_upload
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
 
SABSA overview
SABSA overviewSABSA overview
SABSA overview
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security Architecture
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0
 
От простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко
От простого к сложному: автоматизируем ручные тест-планы | Сергей ТимченкоОт простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко
От простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко
 
Инструментарий для создания дистрибутивов продуктов | Владимир Селин
Инструментарий для создания дистрибутивов продуктов | Владимир СелинИнструментарий для создания дистрибутивов продуктов | Владимир Селин
Инструментарий для создания дистрибутивов продуктов | Владимир Селин
 
Modern Security for the Modern Data Center
Modern Security for the Modern Data CenterModern Security for the Modern Data Center
Modern Security for the Modern Data Center
 
SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...
SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...
SupplyLab - публикация, доставка, развёртывание, лицензирование | Александр П...
 

Similar a Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliewer Principal Consultant/Solutions Architect, CA Technologies

5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management
 
The Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseThe Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseGreg Kliewer
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practiceSanjay Roy
 
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the ClientCIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the ClientCloudIDSummit
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
The Case For Next Generation IAM
The Case For Next Generation IAM The Case For Next Generation IAM
The Case For Next Generation IAM Patrick Harding
 
Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...
Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...
Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...CA Technologies
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceKasun Indrasiri
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
Securely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gatewaySecurely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gatewayZuaib
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileNordic APIs
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileHitachi, Ltd. OSS Solution Center.
 
APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...apidays
 
2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetup2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetupMichael Leppitsch
 
Webinar: Identity Wars: The Unified Platform Awakens
Webinar: Identity Wars: The Unified Platform AwakensWebinar: Identity Wars: The Unified Platform Awakens
Webinar: Identity Wars: The Unified Platform AwakensForgeRock
 
Rapid Mobile App to API Integration
Rapid Mobile App to API IntegrationRapid Mobile App to API Integration
Rapid Mobile App to API IntegrationAkana
 

Similar a Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliewer Principal Consultant/Solutions Architect, CA Technologies (20)

5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
 
The Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseThe Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone Else
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practice
 
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the ClientCIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
The Case For Next Generation IAM
The Case For Next Generation IAM The Case For Next Generation IAM
The Case For Next Generation IAM
 
Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...
Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...
Pre-Con Ed: How to Provide Mobile Users With a Convenient, Yet Secure, Sessio...
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
Securely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gatewaySecurely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gateway
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and Mobile
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
 
APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...
 
2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetup2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetup
 
Webinar: Identity Wars: The Unified Platform Awakens
Webinar: Identity Wars: The Unified Platform AwakensWebinar: Identity Wars: The Unified Platform Awakens
Webinar: Identity Wars: The Unified Platform Awakens
 
Rapid Mobile App to API Integration
Rapid Mobile App to API IntegrationRapid Mobile App to API Integration
Rapid Mobile App to API Integration
 

Más de CA API Management

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management
 

Más de CA API Management (20)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
 

Último

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Último (20)

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliewer Principal Consultant/Solutions Architect, CA Technologies

  • 1. Trust No One The New Security Model for Web APIs Greg Kliewer Principal Consultant, Solutions Architect Layer 7, a CA Technologies company October 8, 2013 © 2013 CA. All rights reserved.
  • 2. What are Web APIs?
  • 3. Old School APIs: Application Programming Interfaces My API Your Code My Code APIs are for connecting “software machines”  Modules within a program  Programs on a server  Programs over local networks My Server Your Client 3 © 2013 CA. All rights reserved.
  • 4. Web APIs are for connecting “web machines”  Over the World Wide Web  Exploiting a globally-connected network My API 4 © 2013 CA. All rights reserved.
  • 5. How Web APIs Evolved
  • 6. Before there were Web APIs, there were Web Apps   No programmatic access from the Public Internet  6 APIs protected by network separation Safety through total isolation and control © 2013 CA. All rights reserved.
  • 7. Then came Web Services SOA / SOAP services  Used web technologies like HTTP, SSL/TLS, and language-independent, text-based grammar  Applied mostly for internal application integration, like old school APIs  BUT there was some limited uptake of SOAP web services for allowing programmatic access to core services by business partners and corporate customers 7 © 2013 CA. All rights reserved.
  • 8. Security for Web Services The model most of us are familiar with  CA Establish TRUST with public key infrastructure – Private key / public certificate pairs – Have certificates signed by recognized CA / RA Partner – Exchange that certificate with similarly-assured certificate from partners Company  Apply asymmetric crypto at runtime to validate digital signatures / decrypt encrypted content VALIDATE – SSL/TLS Mutual Authentication SSL/TLS SIGN Partner VERIFY – XML-DSIG/XML-ENC applied to SOAP documents Company  8 TRUST partner / corporate customer to treat crypto material with care and caution © 2013 CA. All rights reserved.
  • 9. But now the disrupters are here My Business 9 © 2013 CA. All rights reserved.
  • 10. Mobile, Social, Cloud, and Embedded Applications Require programmatic access Do not support PKI / Asymmetric Crypto* *to prove their identity 10 © 2013 CA. All rights reserved.
  • 11. How can we safely expose Web APIs? 11 © 2013 CA. All rights reserved.
  • 12. The new security model for Web APIs
  • 13. In the new world there are exponentially more Apps to be served Enterprise Apps, Portals, and Web Apps are being decomposed into Apps… notes calendar mail 13 © 2013 CA. All rights reserved.
  • 14. In the new world there are exponentially more Apps to be served …and released into the wild 14 © 2013 CA. All rights reserved.
  • 15. So if we are going to publish APIs to these new Apps… My API 15 © 2013 CA. All rights reserved.
  • 16. …we had better require more regular and active scrutiny of the Apps’ access privileges…  First of all, DO NOT issue long-lasting certificates to the Apps (e.g. x.509 expires in 1 yr)  Instead, issue short-lived access tokens that can be revoked at any time Request Access access token How long should the Apps have access without reauthenticating? 1 hour for info services Security Architect 16 CISO © 2013 CA. All rights reserved. 5 mins for financial txns
  • 17. …we had better require more regular and active scrutiny of the Apps’ access privileges…  Next, include the end user in authenticating / authorizing the App  Explicitly grant access  To a limited scope Declare Scope This App would like to access your profile data and bill to your account. grant Request Access access token 17 © 2013 CA. All rights reserved.
  • 18. Introducing OAuth The new security model for Web APIs  “ Open standard specification by IETF WG The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This App would like to Declare access your profile data Scope and bill to your account. grant Request Access access token Requests with access token 18 © 2013 CA. All rights reserved. OAuth Auth Server ”
  • 19. OAuth adoption The big guys… 19 © 2013 CA. All rights reserved.
  • 20. OAuth adoption …and YOU 20 © 2013 CA. All rights reserved.
  • 21. How to learn more
  • 22. Where to learn more   Come talk to us! Primers – Booth #505 – We’re here today and tomorrow  – By Aaron Parecki – By Jakob Jenkov  API Academy – Online resources – The 5 OAuth essentials – Workshops  Publications  OAuth Online Blogs – By Francois Lascelles – http://oauth.net/ – https://www.ietf.org/mailman/listinfo/oauth 22 © 2013 CA. All rights reserved.
  • 23. Greg Kliewer Principal Consultant, Systems Architect greg.kliewer@ca.com @cainc slideshare.net/CAinc linkedin.com/company/ca-technologies ca.com

Notas del editor

  1. Web sitesPortalsCustomers accessed them via browsers on their desktop and laptop computersNo programmatic access from the WWWAPIs were exposed “behind the firewall” for web sites and portals to access, but there was no access from the WWWAPIs were protected by network separation
  2. Used Web API technologies like HTTP, SSL/TLS, and language-independent, text-based grammarWere mostly adopted for old-school API purposes: to connect applications “on the corporate network”; to “service orient” the enterprise and delivery apps – often new web apps – quickly and less expensivelyHOWEVER, there was some limited uptake of SOAP services access to enterprise services and assets from the WWW by business partners and corporate customersEnterprise to Enterprise integration
  3. REQUIRE programmatic access from the WWWDID NOT EMBARACE use PKI-based securityWhy? Because the market for these apps are not corporations with whom we can contract and run technology projects. These apps are consumed by capital-C Consumers who demand impeccable user experience, including simple and easy installationShow picture of PKI (CA/RA and WoT) As a publisher of Web APIs, do not expect to identify who is calling by verifying digital signatures with asymmetric crypo operations