Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal
VP, Product Marketing
API and SOA Resources
• Resource Center
– http://resource.soa.com/
• Webinar Recording
– http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc
What is an API?
Your Customers → Your API → Your Application
APIs – Extend the Reach of your Business
EVOLUTION OF DIGITAL CHANNELS
Client-Server / Web Applications
• No programmatic access
• Security through network isolation
• Limited users
Access locations and the variability of operations were limited.
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, certificate-based authentication, PKI, WS-Trust
• Some B2B and partner applications
• Complex, but quite secure and flexible
And then came APIs
Disrupting how and where information is accessed
• Mobile and social apps don't understand PKI, WS-Security, etc.
• Focus on human readability and developer adoption
Realizing End-to-End Security
• Managing the user experience
• Securing the app (PII, PHI)
• Enabling easy developer access
• Securing the channel
• Securing the backend
Understanding the Security Landscape
API-specific security:
• Protocol-specific threats
• Key management
• OAuth
• Monitoring
• Licensing
• Security token mediation
Underlying layers: Single Sign-On, MDM; ATP, firewall, VPN etc.
UNDERSTANDING API SECURITY
The API Lifecycle
Flow: API producers (applications and services) → API → API consumers (apps)
Stages: Transform & Secure, Publish, Monetize, Developer Adoption
Capabilities shown: SOAP to REST, mobile optimization, OAuth, mediation, analytics, API documentation
API Security
1. Authentication & Authorization
2. App Key Validation / Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting
Authentication/Authorization/SSO
Control and restrict access to your APIs
Make it easy yet secure
Understanding OAuth
OAuth lets a person (the resource owner) delegate constrained access from one app to another without handing that app their password.
Roles:
• User / Resource Owner
• Client App
• Resource Server
(OAuth 2.0 also defines an Authorization Server, which issues and validates the tokens; the next slides call it the OAuth Server.)
OAuth Flow
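The flow slide was a diagram that did not survive extraction. The following is an added example, not code from the original deck or from SOA Software: a hypothetical in-process simulation of the OAuth 2.0 authorization code grant with the three roles above plus the authorization server. Client id, secret, redirect URI, scope name and the sample balance are all constructed for illustration. It shows the three things the slide's roles imply: the user approves a scope, the client redeems a single-use code with its own credential, and the resource server checks the token's scope and bound user on every call. The `state` parameter and PKCE are omitted to keep the exchange short; a production client needs both.

```python
import hmac
import secrets
import time


class AuthorizationServer:
    """Hypothetical in-memory OAuth server: approval flow, token issue/refresh, validation."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret": str, "redirect_uri": str}
        self.codes = {}     # code -> grant details; single use and short lived
        self.tokens = {}    # access_token -> {"user", "scope", "expires"}
        self.refresh = {}   # refresh_token -> {"client_id", "user", "scope"}

    def register_client(self, client_id, secret, redirect_uri):
        """Provisioning: only registered clients with a fixed redirect URI get codes."""
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, scope, user, approved, now=None):
        """Approval flow: the resource owner consents to 'scope' for this client."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_request")   # never redirect to an unregistered URI
        if not approved:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": user, "scope": scope,
                            "redirect_uri": redirect_uri, "expires": now + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Token endpoint: the client authenticates itself and redeems the code once."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)              # pop: a replayed code fails
        if (grant is None or grant["expires"] < now
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = {"user": grant["user"], "scope": grant["scope"],
                               "expires": now + 3600}
        self.refresh[refresh] = {"client_id": client_id, "user": grant["user"],
                                 "scope": grant["scope"]}
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}

    def refresh_token(self, client_id, client_secret, refresh, now=None):
        """Token refresh: a new access token with the same scope, no user interaction."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.refresh.get(refresh)
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"user": grant["user"], "scope": grant["scope"],
                               "expires": now + 3600}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, access_token, now=None):
        """Token validation as the resource server (or an API gateway) performs it."""
        now = time.time() if now is None else now
        t = self.tokens.get(access_token)
        return None if t is None or t["expires"] < now else t


class ResourceServer:
    """Protected API: enforces the token's scope and the user it is bound to."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.balances = {"alice": 42}   # constructed sample data

    def get_balance(self, access_token, user, now=None):
        t = self.auth.introspect(access_token, now)
        if t is None:
            return 401, None            # missing, unknown or expired token
        if t["user"] != user or "balance:read" not in t["scope"].split():
            return 403, None            # valid token, but not for this user/scope
        return 200, self.balances[user]


def run_flow(now=1000):
    """The whole delegation in one call; returns the (status, balance) the app sees."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    auth.register_client("mobile-app", "s3cret", "myapp://callback")
    code = auth.authorize("mobile-app", "myapp://callback", "balance:read", "alice", True, now)
    tok = auth.token("mobile-app", "s3cret", code, "myapp://callback", now)
    return api.get_balance(tok["access_token"], "alice", now)
```

The points worth noticing are the ones that fail: a code redeemed twice, a client presenting the wrong secret, a redirect URI that differs from the registered one, and a token with the wrong scope all return errors before any data is touched. The constant-time `hmac.compare_digest` on the client secret is deliberate; a plain string comparison leaks timing.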
OAuth – You need
• OAuth Clients
• Provisioning
• Approval Flow
• OAuth Server
• Identity Integration
• Token Validation
• Token Issue/refresh
• Token Mediation (SAML, LDAP etc)
• QoS, Monitoring
• Policy Management
• API Proxying
• Reporting
• Analytics
OAuth is hard and complicated
Licensing
Package your APIs in different ways
Use API keys to restrict what the App can access
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
Message and Parameter Security
HTTP parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• A key passed this way is a bearer secret in the URL: it lands in proxy and server logs, browser history and Referer headers, and anyone who reads it can replay calls as that app.
• Protect API keys with HMAC (Hash-based Message Authentication Code): the app keeps the key and sends a signature over the request instead; the gateway recomputes the signature with its copy of the key and rejects anything that does not match.
Message security
• Implement HTTPS (TLS) on every endpoint; HMAC authenticates the caller but does not hide the payload.
• For XML payloads, encrypt specific parts of the message (XML Encryption) where the channel cannot be trusted end to end, for example when intermediaries terminate TLS.
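What "protect API keys with HMAC" looks like in practice, as an added example that is not from the original deck or from any SOA Software product: the client and gateway halves of a request-signing scheme. The header names (`X-App-Id`, `X-Timestamp`, `X-Nonce`, `X-Signature`), the 300-second freshness window and the key store are all assumptions chosen for illustration. The signature covers the method, path, sorted query string, the three headers and a hash of the body, so a tampered URL or body fails verification, and the timestamp plus nonce check stops a captured request from being replayed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key store: the gateway holds the shared secret for each app_id.
APP_KEYS = {"myid": b"mykey-0123456789abcdef"}
SIGNATURE_WINDOW = 300     # seconds of clock skew tolerated before a signature is stale
_seen_nonces = set()       # replay cache; a real gateway expires entries after the window


def canonical_string(method, path, query, headers, body):
    """What the signature covers; client and gateway must build it identically."""
    query_part = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query_part, headers["X-App-Id"],
                      headers["X-Timestamp"], headers["X-Nonce"], body_hash]).encode()


def sign_request(app_id, app_key, method, path, query, body, now=None, nonce=None):
    """Client side: returns the headers to attach. The key itself is never sent."""
    headers = {
        "X-App-Id": app_id,
        "X-Timestamp": str(int(time.time() if now is None else now)),
        "X-Nonce": nonce or secrets.token_hex(8),
    }
    mac = hmac.new(app_key, canonical_string(method, path, query, headers, body),
                   hashlib.sha256)
    headers["X-Signature"] = mac.hexdigest()
    return headers


def verify_request(method, path, query, headers, body, now=None):
    """Gateway side: check freshness and replay, then recompute and compare the MAC."""
    now = time.time() if now is None else now
    app_key = APP_KEYS.get(headers.get("X-App-Id", ""))
    if app_key is None:
        return False, "unknown app_id"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > SIGNATURE_WINDOW:
        return False, "timestamp outside window"
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in _seen_nonces:
        return False, "replayed nonce"
    expected = hmac.new(app_key, canonical_string(method, path, query, headers, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"      # tampered method, path, query, headers or body
    _seen_nonces.add(nonce)                # record only after a valid signature
    return True, "ok"
```

Two details matter: the comparison uses `hmac.compare_digest` so an attacker cannot learn the signature byte by byte from response timing, and the nonce is recorded only after the signature checks out, otherwise anyone could burn nonces for a legitimate app without knowing its key.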
Threat Protection
• Denial of Service
• Injection attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
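The "policies for XML and JSON DoS" and "validate message content" bullets, together with HTTP parameter stuffing from the Threat Protection slide, describe checks a gateway runs before a request reaches the backend. The following is an added example, not code from the deck or from any SOA Software product, of such a policy for JSON requests. The limits (64 KB body, nesting depth 20, 1000 array items) and the `PolicyViolation` type are assumptions chosen for illustration. The nesting check is a single non-recursive pass over the raw text so a deeply nested payload is rejected before any recursive parser touches it; duplicate object keys and repeated query parameters are rejected because different backends resolve them differently, which is exactly what parameter-stuffing attacks exploit.

```python
import json
from urllib.parse import parse_qsl

# Constructed limits for the policy; tune per API.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 20
MAX_ARRAY_ITEMS = 1000


class PolicyViolation(ValueError):
    """Raised when a request breaks the content policy."""


def json_nesting_depth(text: str) -> int:
    """Deepest bracket nesting, ignoring brackets inside string literals.
    Runs before parsing, so the parser never sees an absurdly deep document."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: json.loads silently keeps the last duplicate; we refuse instead."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise PolicyViolation(f"duplicate key: {key}")
        obj[key] = value
    return obj


def _check_arrays(node):
    """Bound array sizes anywhere in the document (recursion is safe: depth is bounded)."""
    if isinstance(node, list):
        if len(node) > MAX_ARRAY_ITEMS:
            raise PolicyViolation("array too long")
        for item in node:
            _check_arrays(item)
    elif isinstance(node, dict):
        for value in node.values():
            _check_arrays(value)


def filter_json_body(body: bytes):
    """Size, depth, well-formedness, duplicate keys and array limits, in that order."""
    if len(body) > MAX_BODY_BYTES:
        raise PolicyViolation("body too large")
    text = body.decode("utf-8")
    if json_nesting_depth(text) > MAX_DEPTH:
        raise PolicyViolation("nesting too deep")
    try:
        doc = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except json.JSONDecodeError as e:
        raise PolicyViolation(f"malformed JSON: {e.msg}")
    _check_arrays(doc)
    return doc


def filter_query(query_string: str, allowed):
    """Only whitelisted parameters, each at most once (HTTP parameter stuffing)."""
    seen = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key not in allowed:
            raise PolicyViolation(f"unexpected parameter: {key}")
        if key in seen:
            raise PolicyViolation(f"repeated parameter: {key}")
        seen[key] = value
    return seen


def inspect_request(body: bytes, query_string: str, allowed_params):
    """Gateway entry point: (True, parsed request) or (False, reason for rejection)."""
    try:
        return True, {"query": filter_query(query_string, set(allowed_params)),
                      "body": filter_json_body(body)}
    except (PolicyViolation, UnicodeDecodeError) as e:
        return False, str(e)
```

The rejection reason is returned to the gateway's own log, not necessarily to the caller; echoing the exact limit back tells an attacker where the edge is.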
Quota Management/Rate Limiting
Restrict the number of calls an App can make
Apply controls based on context, affinity, segmentation etc.
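One way a gateway enforces this, as an added example that is not from the deck or from any SOA Software product: a sliding-window limiter keyed per app and per resource, with the limit taken from the app's license tier (the "context" and "segmentation" above). The tier names and limits, and the `Retry-After` mapping, are assumptions chosen for illustration. A sliding window is used rather than a fixed per-minute counter because a fixed window lets an app make two full quotas' worth of calls within a second either side of the boundary.

```python
from collections import deque

# Constructed license tiers: tier -> (calls allowed, window in seconds).
TIER_LIMITS = {"free": (10, 60), "partner": (1000, 60)}


class SlidingWindowLimiter:
    """Per-app, per-resource sliding window. The limit comes from the app's tier."""

    def __init__(self, tier_limits=None):
        self.tier_limits = TIER_LIMITS if tier_limits is None else tier_limits
        self.calls = {}   # (app_id, resource) -> deque of call timestamps in the window

    def check(self, app_id, tier, resource, now):
        """Record the call if allowed. Returns (allowed, seconds until a slot frees)."""
        limit, window = self.tier_limits[tier]
        key = (app_id, resource)
        q = self.calls.setdefault(key, deque())
        while q and q[0] <= now - window:      # drop calls that fell out of the window
            q.popleft()
        if len(q) >= limit:
            retry_after = int(q[0] + window - now) + 1
            return False, retry_after          # the oldest call decides when to retry
        q.append(now)
        return True, 0


def gateway_decision(limiter, app_id, tier, resource, now):
    """Translate the limiter's answer into the response the app would receive."""
    allowed, retry_after = limiter.check(app_id, tier, resource, now)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(retry_after)}
```

Memory grows with the limit, not with traffic: a deque never holds more than `limit` timestamps for a key. What this single-process version does not do is share state across gateway nodes; for that the same algorithm is usually run against a shared store.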
SOA Software API Gateway
Gateway capabilities: security, authentication, protection, IAM integration, encryption, mediation, quality of service, paging/caching, orchestration, scripting
The SOA Software API Platform
• Analytics
• Developer engagement
• Gateway services
• Service integration
• Lifecycle management
Flexible Deployment Model
SOA Software API Platform Capabilities
• Platform: licensing, quota mgmt., partner mgmt., PCI compliance, provisioning, policy mgmt., monitoring, OAuth, federation, analytics
• Lifecycle: API/services, application, user, compliance, integrations
• Gateway: security, authentication, protection, IAM integration, encryption, mediation, quality of service, paging/caching, orchestration, scripting
• API Portal: search, documentation, groups, social
Questions
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API and SOA Resources
• Resource Center
– http://resource.soa.com/
• Webinar Recording
– http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc

Weitere ähnliche Inhalte

Was ist angesagt?

DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 

Was ist angesagt? (19)

Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 
API Security and OAuth for the Enterprise
API Security and OAuth for the EnterpriseAPI Security and OAuth for the Enterprise
API Security and OAuth for the Enterprise
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
 
12 palo alto app-id concept
12 palo alto app-id concept12 palo alto app-id concept
12 palo alto app-id concept
 
CIS14: PingAccess in Action
CIS14: PingAccess in ActionCIS14: PingAccess in Action
CIS14: PingAccess in Action
 
APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower security
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
 
Aruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassAruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPass
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud Security
 

Andere mochten auch

Data-Ed Online: How Safe is Your Data? Data Security
Data-Ed Online: How Safe is Your Data? Data SecurityData-Ed Online: How Safe is Your Data? Data Security
Data-Ed Online: How Safe is Your Data? Data Security
DATAVERSITY
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Craig Martin
 

Andere mochten auch (10)

Layer 7 & Oracle: Cyber Defense for SOA & REST
Layer 7 & Oracle: Cyber Defense for SOA & RESTLayer 7 & Oracle: Cyber Defense for SOA & REST
Layer 7 & Oracle: Cyber Defense for SOA & REST
 
SOA Security Model For EAI
SOA Security Model For EAISOA Security Model For EAI
SOA Security Model For EAI
 
Informatiebeveiliging: Modellen Raamwerken Methodes
Informatiebeveiliging: Modellen Raamwerken MethodesInformatiebeveiliging: Modellen Raamwerken Methodes
Informatiebeveiliging: Modellen Raamwerken Methodes
 
Web services and SOA
Web services and SOAWeb services and SOA
Web services and SOA
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
 
Layer 7 & Burton Group: New Cloud Security Model Requirements
Layer 7 & Burton Group: New Cloud Security Model RequirementsLayer 7 & Burton Group: New Cloud Security Model Requirements
Layer 7 & Burton Group: New Cloud Security Model Requirements
 
Data-Ed Online: How Safe is Your Data? Data Security
Data-Ed Online: How Safe is Your Data? Data SecurityData-Ed Online: How Safe is Your Data? Data Security
Data-Ed Online: How Safe is Your Data? Data Security
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 

Ähnlich wie API Security: Securing Digital Channels and Mobile Apps Against Hacks

The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
Akana
 
APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?
Akana
 
API and SOA: Two sides of the same coin
API and SOA: Two sides of the same coinAPI and SOA: Two sides of the same coin
API and SOA: Two sides of the same coin
Sachin Agarwal
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
Akana
 
Are APIs and SOA Converging
Are APIs and SOA ConvergingAre APIs and SOA Converging
Are APIs and SOA Converging
Sachin Agarwal
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
Akana
 
Unified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the WebUnified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the Web
Akana
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
Akana
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
Akana
 
Intermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and DemoIntermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and Demo
Akana
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
Akana
 
Api frenzy june 2013 v2
Api frenzy june 2013 v2Api frenzy june 2013 v2
Api frenzy june 2013 v2
Sachin Agarwal
 

Ähnlich wie API Security: Securing Digital Channels and Mobile Apps Against Hacks (20)

The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?
 
API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?
 
API and SOA: Two sides of the same coin
API and SOA: Two sides of the same coinAPI and SOA: Two sides of the same coin
API and SOA: Two sides of the same coin
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
 
Are APIs and SOA Converging
Are APIs and SOA ConvergingAre APIs and SOA Converging
Are APIs and SOA Converging
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
 
Unified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the WebUnified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the Web
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
 
Intermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and DemoIntermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and Demo
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
 
Intermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and DemoIntermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and Demo
 
Confronting API Security in the Brave New Open Banking Era
Confronting API Security in the Brave New Open Banking EraConfronting API Security in the Brave New Open Banking Era
Confronting API Security in the Brave New Open Banking Era
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
API Frenzy: The Implications and Planning for a Successful API Strategy
API Frenzy: The Implications and Planning for a Successful API StrategyAPI Frenzy: The Implications and Planning for a Successful API Strategy
API Frenzy: The Implications and Planning for a Successful API Strategy
 
Api frenzy june 2013 v2
Api frenzy june 2013 v2Api frenzy june 2013 v2
Api frenzy june 2013 v2
 

Mehr von Akana

Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPowerRealizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Akana
 
Architecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and AkanaArchitecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and Akana
Akana
 
Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?
Akana
 
Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?
Akana
 
Using APIs
Using APIsUsing APIs
Using APIs
Akana
 
Turbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA GoalsTurbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA Goals
Akana
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and Quality
Akana
 
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT EnterpriseThe API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
Akana
 
Realizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower CustomersRealizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower Customers
Akana
 
Rapid Mobile App to API Integration
Rapid Mobile App to API IntegrationRapid Mobile App to API Integration
Rapid Mobile App to API Integration
Akana
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
Akana
 

Mehr von Akana (20)

The Latest in API Orchestration, Mediation, and Integration
The Latest in API Orchestration, Mediation, and IntegrationThe Latest in API Orchestration, Mediation, and Integration
The Latest in API Orchestration, Mediation, and Integration
 
Eat Your Microservices Elephant One Bite at a Time
Eat Your Microservices Elephant One Bite at a TimeEat Your Microservices Elephant One Bite at a Time
Eat Your Microservices Elephant One Bite at a Time
 
API Design Essentials - Akana Platform Overview
API Design Essentials - Akana Platform OverviewAPI Design Essentials - Akana Platform Overview
API Design Essentials - Akana Platform Overview
 
API Economy - The Making of a Digital Business
API Economy - The Making of a Digital BusinessAPI Economy - The Making of a Digital Business
API Economy - The Making of a Digital Business
 
Extracting Insights from your API Programs
Extracting Insights from your API ProgramsExtracting Insights from your API Programs
Extracting Insights from your API Programs
 
API Adoption Patterns in Banking & The Promise of Microservices
API Adoption Patterns in Banking & The Promise of MicroservicesAPI Adoption Patterns in Banking & The Promise of Microservices
API Adoption Patterns in Banking & The Promise of Microservices
 
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPowerRealizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
 
Architecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and AkanaArchitecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and Akana
 
Digital Healthcare – Realizing Interoperability with APIs
Digital Healthcare – Realizing Interoperability with APIsDigital Healthcare – Realizing Interoperability with APIs
Digital Healthcare – Realizing Interoperability with APIs
 
Driving Digital Innovation with a Layered API Design Approach
Driving Digital Innovation with a Layered API Design ApproachDriving Digital Innovation with a Layered API Design Approach
Driving Digital Innovation with a Layered API Design Approach
 
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
 
Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?
 
Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?
 
Using APIs
Using APIsUsing APIs
Using APIs
 
Turbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA GoalsTurbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA Goals
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and Quality
 
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT EnterpriseThe API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
 
Realizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower CustomersRealizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower Customers
 
Rapid Mobile App to API Integration
Rapid Mobile App to API IntegrationRapid Mobile App to API Integration
Rapid Mobile App to API Integration
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 

Kürzlich hochgeladen

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 

Kürzlich hochgeladen (20)

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 

API Security: Securing Digital Channels and Mobile Apps Against Hacks

  • 1. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. API Security: Securing Digital Channels and Mobile Apps Against Hacks. Sachin Agarwal, VP, Product Marketing
  • 2. API and SOA Resources
    • Resource Center – http://resource.soa.com/
    • Webinar Recording – http://resource.soa.com/resource/webinars
    • Follow us on: www.facebook.com/soasoftware, www.linkedin.com/company/soasoftware, @soasoftwareinc
  • 3. What is an API? (diagram labels: Your Application, Your API, Your Customers)
  • 4. APIs – Extend the Reach of your Business
  • 5. EVOLUTION OF DIGITAL CHANNELS
  • 6. Client-Server / Web Applications
    • No programmatic access
    • Security through network isolation
    • Limited users
    Access locations and variability of operations were limited.
  • 7. Web Services. The enterprise opened slightly with Web Services/SOAP
    • SSL/TLS, certificate based, PKI, WS-Trust
    • Some B2B and partner applications
    • Complex, but quite secure and flexible
  • 8. And then came APIs. Disrupting how and where information is accessed
    • Mobile and social apps don't understand PKI, WS-Security, etc.
    • Focus on human readability and developer adoption
  • 9. Realizing End-to-End Security (diagram labels: Managing the User Experience; Securing the App - PII, PHI; Enabling Easy Developer Access; Securing the Channel; Securing the Backend)
  • 10. Understanding the Security Landscape
    • Protocol specific threats
    • Key Management
    • OAuth
    • Monitoring
    • Licensing
    • Security Token Mediation
    (diagram layers: API Specific Security; Single Sign On; MDM; ATP, Firewall, VPN etc.)
  • 11. UNDERSTANDING API SECURITY
  • 12. The API Lifecycle (diagram stages: Transform & Secure, Publish, Monetize, Dev. Adoption; labels: API, SOAP to REST, Mobile-Optimization, OAuth Mediation, Analytics, API Documentation, Applications and Services, Apps, API Producers, API Consumers)
  • 13. API Security
    1. Authentication & Authorization
    2. App Key Validation / Licensing
    3. Message Security
    4. Threat Protection
    5. Content Filtering
    6. Rate Limiting
    (diagram label: Developers)
  • 14. Authentication / Authorization / SSO. Control and restrict access to your APIs. Make it easy yet secure.
  • 15. Understanding OAuth. OAuth lets a person delegate constrained access from one app to another (roles in the diagram: User / Resource Owner, Client App, Resource Server)
  • 16. OAuth Flow
  • 17. OAuth – You need
    • OAuth Clients
    • Provisioning
    • Approval Flow
    • OAuth Server
    • Identity Integration
    • Token Validation
    • Token Issue / Refresh
    • Token Mediation (SAML, LDAP etc.)
    • QoS, Monitoring
    • Policy Management
    • API Proxying
    • Reporting
    • Analytics
    OAuth is hard and complicated.
  • 18. Licensing. Package your APIs in different ways. Use API keys to restrict what the App can access. The licenses control:
      – OAuth Authorization Scopes
      – Document visibility
      – Quota policies
  • 19. Message and Parameter Security
    HTTP Parameter
    • http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
    • Protect API Keys with HMAC – Hash-based Message Authentication Code
    Message Security
    • Implement HTTPS
    • For XML payloads encrypt specific parts of the message
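Slide 19's point is that an app key passed as a plain query parameter is a bearer credential: anyone who sees the URL can reuse it. Protecting it with HMAC means the shared secret never travels on the wire; the client sends only its app_id, a timestamp and an HMAC over the request, and the gateway recomputes it. The following is an added example (not SOA Software's code and not from the deck) showing both sides in Python; the header names, the `APP_SECRETS` store, the replay window and the secret value are constructed assumptions:

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed, hypothetical credential store: app_id -> shared secret issued at
# provisioning time. The secret is never placed in the URL; only app_id and the
# resulting signature are sent.
APP_SECRETS = {"myid": b"constructed-shared-secret-for-myid"}

# Assumed replay window: signatures older (or newer) than this are refused.
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method, url, timestamp):
    """Build the string both sides sign: method, path, sorted query, timestamp.

    Sorting the query parameters makes the signature independent of the order
    in which the client emitted them.
    """
    parts = urlsplit(url)
    params = sorted(parse_qsl(parts.query, keep_blank_values=True))
    return "\n".join([method.upper(), parts.path, urlencode(params), str(timestamp)])


def sign_request(method, url, app_id, secret, timestamp=None):
    """Client side: headers carrying app_id, timestamp and an HMAC-SHA256 signature."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, url, ts).encode(), hashlib.sha256)
    return {"X-App-Id": app_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(method, url, headers, now=None):
    """Gateway side: recompute the HMAC and compare it in constant time.

    Returns (ok, reason). Rejects unknown apps, timestamps outside the replay
    window and any mismatch, which also covers a tampered path or parameter.
    """
    now = int(time.time()) if now is None else now
    secret = APP_SECRETS.get(headers.get("X-App-Id"))
    if secret is None:
        return False, "unknown app_id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, url, ts).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = "http://apis.foo.com/resources/sample/foo?app_id=myid"
    hdrs = sign_request("GET", url, "myid", APP_SECRETS["myid"])
    print(verify_request("GET", url, hdrs))                 # (True, 'ok')
    print(verify_request("GET", url + "&admin=1", hdrs))    # (False, 'signature mismatch')
```

The timestamp is part of the signed string, so a captured request cannot be replayed once the window has passed, and `hmac.compare_digest` avoids leaking the expected value through timing. Run the signature check over HTTPS as the slide's message-security bullet says; HMAC authenticates the request, it does not hide its contents.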
  • 20. Threat Protection
    • Denial of Service
    • Injection Attacks – detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
    • Cross Site Scripting
    • Network address and range blacklists/whitelists
    • HTTP Parameter Stuffing
  • 21. Content Filtering
    • Provide a content firewall, protecting against malicious content
    • Validate message content including message headers, form and query parameters, XML and JSON data structures
    • Policies for XML and JSON DoS
    • Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
  • 22. Quota Management / Rate Limiting. Restrict the number of calls an App can make. Apply controls based on context, affinity, segmentation etc.
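As an added illustration of slide 22 (not SOA Software's implementation and not from the deck), the following Python token-bucket limiter restricts calls per app key and applies a different quota per license tier, which is one form of the segmentation the slide mentions. The `TIERS` table, the tier names and the injected clock are constructed assumptions:

```python
import math

# Constructed, hypothetical license tiers: sustained rate (calls/second) and
# the burst each bucket can absorb. A real gateway would read these from the
# license attached to the app key.
TIERS = {
    "free":    {"rate": 1.0,  "burst": 5},
    "partner": {"rate": 50.0, "burst": 200},
}


class TokenBucketLimiter:
    """Per-app token bucket: capacity = burst, refilled at `rate` tokens/second.

    The clock value is passed in by the caller so behaviour is deterministic;
    a gateway would pass time.monotonic().
    """

    def __init__(self, tiers=TIERS):
        self.tiers = tiers
        self.buckets = {}  # app_key -> (tokens, last_refill_time)

    def allow(self, app_key, tier, now):
        """Decide one request. Returns allowed flag, remaining tokens, retry delay."""
        limits = self.tiers[tier]
        tokens, last = self.buckets.get(app_key, (float(limits["burst"]), now))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(limits["burst"], tokens + (now - last) * limits["rate"])
        if tokens >= 1:
            self.buckets[app_key] = (tokens - 1, now)
            return {"allowed": True, "remaining": math.floor(tokens - 1), "retry_after": 0.0}
        self.buckets[app_key] = (tokens, now)
        # Caller would answer 429 and set Retry-After from this value.
        return {"allowed": False, "remaining": 0,
                "retry_after": (1 - tokens) / limits["rate"]}


def simulate(limiter, requests):
    """Run a constructed stream of (app_key, tier, timestamp) and return allow flags."""
    return [limiter.allow(app, tier, ts)["allowed"] for app, tier, ts in requests]


if __name__ == "__main__":
    lim = TokenBucketLimiter()
    # Constructed burst: seven calls from a free-tier app at t=0, then one at t=1.
    stream = [("app-free", "free", 0.0)] * 7 + [("app-free", "free", 1.0)]
    print(simulate(lim, stream))  # [True, True, True, True, True, False, False, True]
```

Because buckets are keyed by app key, a partner app is never throttled by a noisy free-tier app, and `retry_after` gives the client an honest back-off hint rather than a bare rejection. Affinity or context controls (per user, per endpoint) are the same mechanism with a richer bucket key.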
  • 23. SOA Software API Gateway. Gateway Security: Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
  • 24. The SOA Software API Platform: Analytics, Developer Engagement, Gateway Services, Service Integration, Lifecycle Management
  • 25. Flexible Deployment Model
  • 26. SOA Software API Platform Capabilities
    Platform: Licensing, Quota Mgmt., Partner Mgmt., PCI Compliance, Provisioning, Policy Mgmt., Monitoring, OAuth, Federation, Analytics, Lifecycle, API/Services, Application, User, Compliance, Integrations
    Gateway Security: Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
    API Portal: Search, Documentation, Groups, Social
  • 27. Questions
  • 28. API and SOA Resources
    • Resource Center – http://resource.soa.com/
    • Webinar Recording – http://resource.soa.com/resource/webinars
    • Follow us on: www.facebook.com/soasoftware, www.linkedin.com/company/soasoftware, @soasoftwareinc