Transcript
Page 1: CIS14: Protecting Your APIs from Threats and Hacks

Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Sachin Agarwal, @sachinagarwal

Page 2:

What is an API?

Diagram labels: Your Application, Your API, Your Customers

Page 3:

APIs – Extend the Reach of your Business

Page 4:

EVOLUTION OF DIGITAL CHANNELS

Page 5:

Client-Server / Web Applications

•  No programmatic access

•  Security through network isolation

•  Limited users

Access locations and variability of operations were limited.

Page 6:

Web Services

The enterprise opened slightly with Web Services/SOAP:

•  SSL/TLS, certificate based, PKI, WS-Trust

•  Some B2B and partner applications

•  Complex, but quite secure and flexible

Page 7:

And then came APIs

Disrupting how and where information is accessed:

•  Mobile and social apps don't understand PKI, WS-Security, etc.

•  Focus on human readability and developer adoption

Page 8:

Realizing End-to-End Security

•  Managing the user experience

•  Securing the app: PII, PHI

•  Enabling easy developer access

•  Securing the channel

•  Securing the backend

Page 9:

Understanding the Security Landscape

API-specific security:

•  Protocol-specific threats

•  Key management

•  OAuth

•  Monitoring

•  Licensing

•  Security token mediation

Identity and device layer: Single Sign On, MDM

Network layer: ATP, firewall, VPN, etc.

Page 10:

UNDERSTANDING API SECURITY

Page 11:

The API Lifecycle

Stages (API producers on the left, API consumers on the right):

•  Transform & Secure: SOAP to REST, mobile optimization

•  Publish: OAuth, mediation

•  Monetize: analytics, API documentation

•  Developer adoption

Diagram labels: Applications and Services, API, Apps; API Producers, API Consumers

Page 12:

API Security

1. Authentication & Authorization

2. App Key Validation / Licensing

3. Message Security

4. Threat Protection

5. Content Filtering

6. Rate Limiting

Diagram label: Developers

Page 13:

Authentication / Authorization / SSO

Control and restrict access to your APIs. Make it easy yet secure.

Page 14:

Understanding OAuth

OAuth lets a person delegate constrained access from one app to another.

Diagram roles: User (Resource Owner), Client App, Resource Server

Page 15:

OAuth Flow

Page 16:

OAuth – You need

•  OAuth Clients

–  Provisioning

–  Approval flow

•  OAuth Server

–  Identity integration

–  Token validation

–  Token issue/refresh

•  Surrounding infrastructure

–  Token mediation (SAML, LDAP, etc.)

–  QoS, monitoring

–  Policy management

–  API proxying

–  Reporting

–  Analytics

OAuth is hard and complicated.

Page 17:

Licensing

Package your APIs in different ways. Use API keys to restrict what the app can access.

The licenses control:

–  OAuth authorization scopes

–  Document visibility

–  Quota policies

Page 18:

Message and Parameter Security

HTTP parameters:

•  http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey

•  Protect API keys with HMAC – Hash-based Message Authentication Code

Message security:

•  Implement HTTPS

•  For XML payloads, encrypt specific parts of the message
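The HMAC point on this slide, as an added worked example that is not part of the deck: rather than sending app_key in the query string as in the URL above, the client keeps it secret and sends an HMAC-SHA256 over the method, path, sorted parameters and a timestamp; the gateway recomputes the tag with the key it holds for that app_id and rejects stale or tampered requests. The APP_KEYS table, the MAX_SKEW window and the canonical string layout are assumptions of this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlsplit

# Constructed sample credentials; a real gateway looks app_key up by app_id.
APP_KEYS = {"myid": "mykey"}
MAX_SKEW = 300  # seconds of clock drift tolerated before a request is stale


def canonical_string(method, url, params, timestamp):
    """The string both sides sign: method, path, sorted params, timestamp."""
    path = urlsplit(url).path
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp)])


def sign_request(method, url, params, app_id, app_key, timestamp=None):
    """Client side: returns the query parameters to send. The app_key itself
    never leaves the client; only app_id, ts and the HMAC tag are sent."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    signed = dict(params, app_id=app_id, ts=timestamp)
    msg = canonical_string(method, url, signed, timestamp)
    signed["sig"] = hmac.new(app_key.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return signed


def verify_request(method, url, received, now=None):
    """Gateway side: recompute the HMAC and compare in constant time."""
    now = int(time.time()) if now is None else now
    params = dict(received)
    sig = params.pop("sig", None)
    app_id = params.get("app_id")
    ts = params.get("ts")
    if sig is None or app_id not in APP_KEYS or ts is None:
        return False
    try:
        ts = int(ts)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False  # replayed or badly skewed request
    msg = canonical_string(method, url, params, ts)
    expected = hmac.new(APP_KEYS[app_id].encode(), msg.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

The timestamp bounds replay to the MAX_SKEW window; a nonce cache would be needed to stop replay inside it.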

Page 19:

Threat Protection

•  Denial of service

•  Injection attacks

–  Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks

•  Cross-site scripting

•  Network address and range blacklists/whitelists

•  HTTP parameter stuffing

Page 20:

Content Filtering

•  Provide a content firewall, protecting against malicious content

•  Validate message content, including message headers, form and query parameters, and XML and JSON data structures

•  Policies for XML and JSON DoS

•  Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
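An added example, not from the deck, of two of the checks named on this slide and the previous one: rejecting HTTP parameter stuffing (the same parameter name sent more than once, so gateway and backend could disagree on which value applies) and enforcing a JSON DoS policy over body size, nesting depth, key count and string length. The POLICY limits are assumed values chosen for illustration.

```python
import json
from urllib.parse import parse_qsl

# Assumed per-API limits; a gateway would attach these as a policy.
POLICY = {"max_body_bytes": 8192, "max_depth": 8, "max_keys": 200, "max_string": 1024}


def check_query(query):
    """Reject parameter stuffing: a name that appears twice in the query string."""
    seen = set()
    for name, _ in parse_qsl(query, keep_blank_values=True):
        if name in seen:
            return False, f"duplicate parameter {name!r}"
        seen.add(name)
    return True, "ok"


def check_json(body):
    """Apply the JSON DoS policy before the body reaches the backend."""
    if isinstance(body, str):
        body = body.encode()
    if len(body) > POLICY["max_body_bytes"]:
        return False, "body too large"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):
        # RecursionError: the stdlib parser itself gives up on very deep nesting
        return False, "malformed or excessively nested JSON"
    keys = 0
    stack = [(doc, 1)]  # iterative walk so the check cannot be blown up by depth
    while stack:
        node, depth = stack.pop()
        if depth > POLICY["max_depth"]:
            return False, f"nesting deeper than {POLICY['max_depth']}"
        if isinstance(node, dict):
            keys += len(node)
            if keys > POLICY["max_keys"]:
                return False, f"more than {POLICY['max_keys']} keys"
            stack.extend((v, depth + 1) for v in node.values())
        elif isinstance(node, list):
            stack.extend((v, depth + 1) for v in node)
        elif isinstance(node, str) and len(node) > POLICY["max_string"]:
            return False, f"string longer than {POLICY['max_string']}"
    return True, "ok"
```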

Page 21:

Quota Management / Rate Limiting

Restrict the number of calls an app can make. Apply controls based on context, affinity, segmentation, etc.

Page 22:

API Gateway

Gateway capabilities:

•  Security: authentication, protection, IAM integration, encryption

•  Mediation

•  Quality of service

•  Paging/caching

•  Orchestration

•  Scripting

Page 23:

API Resources and API University

•  Resource Center

–  http://resource.soa.com/

•  Webinar Recording

–  http://resource.soa.com/resource/webinars

•  Follow us on:

–  www.facebook.com/soasoftware

–  www.linkedin.com/company/soasoftware

–  @soasoftwareinc

Page 24:

Questions

•  @sachinagarwal
