API Security: Securing Digital Channels and Mobile Apps Against Hacks
- 1. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal
VP, Product Marketing
- 2.
API and SOA Resources
• Resource Center
– http://resource.soa.com/
• Webinar Recording
– http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc
- 3.
What is an API?
Diagram: Your Application → Your API → Your Customers
- 4.
APIs – Extend the Reach of your Business
- 6.
Client-Server/ Web Applications
• No Programmatic Access
• Security through network isolation
• Limited Users
Access locations and variability of operations were limited
- 7.
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, Certificate based, PKI, WS-Trust
• Some B2B and Partner applications
• Complex, but quite secure and flexible
- 8.
And then came APIs
Disrupting how and where information is accessed
• Mobile and Social Apps don't understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
- 9.
Realizing End-to-End Security
• Managing the User Experience
• Securing the App - PII, PHI
• Enabling Easy Developer Access
• Securing the Channel
• Securing the Backend
- 10.
Understanding the Security Landscape
• Protocol specific threats
• Key Management
• OAuth
• Monitoring
• Licensing
• Security Token Mediation
Diagram layers: API Specific Security; Single Sign On, MDM; ATP, Firewall, VPN etc.
- 12.
The API Lifecycle
Diagram: API Producers (Applications and Services) → API → API Consumers (Apps)
Stages: Transform & Secure, Publish, Monetize, Dev. Adoption
Capabilities shown: SOAP to REST, Mobile-Optimization, OAuth, Mediation, Analytics, API Documentation
- 13.
API Security
1. Authentication & Authorization
2. App Key Validation/Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting
Developers
- 14.
Authentication/Authorization/SSO
Control and restrict access to your APIs
Make it easy yet secure
- 15.
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
Roles in the diagram: User (Resource Owner), Client App, Resource Server
- 17.
OAuth – You need
• OAuth Clients
• Provisioning
• Approval Flow
• OAuth Server
• Identity Integration
• Token Validation
• Token Issue/refresh
• Token Mediation (SAML, LDAP etc.)
• QoS, Monitoring
• Policy Management
• API Proxying
• Reporting
• Analytics
OAuth is hard and complicated
- 18.
Licensing
Package your APIs in different ways
Use API keys to restrict what the App can access
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
- 19.
Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API Keys with HMAC – Hash-based Message Authentication Code
Message Security
• Implement HTTPS
• For XML payloads encrypt specific parts of the message
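Added example (not from the deck): one way to keep the app key off the URL, as the slide recommends, by sending an HMAC-SHA256 signature in its place. The credential store, the canonical-string layout and the ts/sig parameter names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed credential store (hypothetical): app_id -> shared secret.
# In practice the client holds its own copy and the gateway looks the secret up by app_id.
APP_SECRETS = {"myid": b"constructed-shared-secret-never-sent-on-the-wire"}
REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and replay


def canonical_string(method, path, params):
    """Deterministic string to sign: method, path and sorted params, excluding the signature itself."""
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return "\n".join([method.upper(), path, urlencode(items)])


def sign_request(method, path, params, app_id, now=None):
    """Client side: add app_id and a timestamp, then an HMAC-SHA256 over the canonical string.

    Returns the query string to send; only the public app_id and the MAC travel, not the key."""
    ts = int(time.time() if now is None else now)
    signed = dict(params, app_id=app_id, ts=str(ts))
    msg = canonical_string(method, path, signed).encode()
    signed["sig"] = hmac.new(APP_SECRETS[app_id], msg, hashlib.sha256).hexdigest()
    return urlencode(sorted(signed.items()))


def verify_request(method, path, query_string, now=None):
    """Gateway side: look up the secret, reject stale timestamps, recompute the MAC, compare in constant time."""
    params = dict(parse_qsl(query_string))
    secret = APP_SECRETS.get(params.get("app_id", ""))
    if secret is None or "sig" not in params or "ts" not in params:
        return False
    try:
        age = abs((time.time() if now is None else now) - int(params["ts"]))
    except ValueError:
        return False
    if age > REPLAY_WINDOW_SECONDS:
        return False  # outside the window: replayed or badly skewed request
    msg = canonical_string(method, path, params).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params["sig"])  # constant-time comparison
```

Any change to the method, path or parameters after signing invalidates the MAC, and the app key itself never appears in the request, so a logged or shoulder-surfed URL does not leak it.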
- 20.
Threat Protection
• Denial of Service
• Injection Attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
- 21.
Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures.
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
- 22.
Quota Management/Rate Limiting
Restrict the number of calls an App can make
Apply controls based on context, affinity, segmentation etc.
- 23.
SOA Software API Gateway
Gateway capabilities shown: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
- 24.
The SOA Software API Platform
Components shown: Analytics, Developer Engagement, Gateway Services, Service Integration, Lifecycle Management
- 26.
SOA Software API Platform Capabilities
• Platform: Licensing, Quota Mgmt., Partner Mgmt., PCI Compliance, Provisioning, Policy Mgmt., Monitoring, OAuth, Federation, Analytics
• Lifecycle: API/Services, Application, User, Compliance, Integrations
• Gateway: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
• API Portal: Search, Documentation, Groups, Social