SlideShare ist ein Scribd-Unternehmen logo

CA API Gateway: Web API and Application Security

Als PPTX, PDF herunterladen
CA Technologies
CA Technologies

CA API Gateway: Web API and Application Security

Technologie
1 von 28
CA API Gateway: Web API and Application Security Ben Urbanski, Advisor, API Management Presales, CA Technologies D03X41E DEVOPS
5 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD © 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only Terms of this Presentation
6 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Abstract This session explores common web service, web API and web application security considerations and how you can use CA API Management solutions to address them. Ben Urbanski has almost 10 years of experience with API gateways beginning at IBM in 2007, continuing at Layer 7 in 2011, and to this day at CA Technologies. During that time, he’s been a presales engineer, a senior director of presales engineering, and now an advisor on CA’s API Management Presales Center of Excellence team. He has helped many customers understand how they can simplify and accelerate the creation, security, integration and management of their web services, web APIs, web applications and mobile applications using API gateways, API portals and related products. Earlier in his career, he spent time as a software engineer at several companies, so he’s well grounded in software development practices and how they relate to API management. Ben Urbanski CA Technologies Advisor, API Management Presales
7 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Agenda SECURING THE NEW PERIMETER CA API MANAGEMENT SUITE AND COMMON USE CASES DEMONSTRATION SECURITY PROCESS SECURITY CONSIDERATIONS AND FEATURES WHERE TO START? 1 2 3 4 5 6
8 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD The Digital Enterprise and Application Economy Developer Community Cloud ServicesPartners/Divisions Mobile Apps IoT / Big Data Social Registration
9 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD APIs are the New Perimeter
10 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA quickly and easily creates, secures and manages APIs
11 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA API Management ESM CA (Mobile) API Gateway App Developers Applications CA API Developer Portal Design Time Runtime MSSO SDKs MAS SDKs CA Mobile App Services Runtime CA Live API Creator API Publishers Design Time
12 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD  Internal Security  Integration (ESB or noESB or µS)  Traffic Management (SLA)  API Creation  Security Gateway  API Management  Mobile Enablement  Identity Brokering DMZ Trusted Zone Applications Runtime MSSO SDKs Partner App Developers Design Time Internal API and App Developers Design Time Portal Gateways (optionally with MAG & MAS) Gateways MAS SDKs CA Live API Creator or Application Servers API Academy CA API Management Use Cases and Deployment
13 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Begins with Risk Analysis Risk Assessment What is your risk? Risk Management What will you do about it?
14 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD What is your risk? Assets Threats Vulnerabilities Risk
15 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD What will you do about it?  Avoidance  Reduction  Sharing  Retention
16 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security  Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance  Leading edge support for industry and vendor security standards and solutions  Service Virtualization  Identification (w/Federation & Brokering), Authentication, Authorization & Auditing  Confidentiality  Integrity  Logging  Non-repudiation  Data Classification and Compliance  Threat Protection
17 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance – Common Criteria (CC) is the most relevant security certification for solutions in our space; CA is the only gateway vendor with a recent certification to more relevant profiles – FIPS 140-2 Level 1 crypto processing in all form factors by default. CA offers an optional hardware acceleration card for crypto processing that includes an on board HSM in its hardware appliance form factor for FIPS 140-2 Level 3. – CA’s emphasis on performance allows our customers to take advantage of our many security capabilities without experiencing significant negative performance and scalability impacts.
18 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Leading edge support for industry and vendor security standards and solutions – The industry and vendors are frequently creating and evolving security standards and solutions. The standards and solutions can be difficult to understand, implement and maintain. CA wraps its expert knowledge of both in automatic and/or simple to configure policy language that keeps pace with changes. – CA is often used to negotiate differences in security standards and solutions between consumers and providers of services. For example, consumers might want to send their credentials using WS-Security UserName tokens, and providers might expect credentials via SAML tokens. With CA in between, neither consumers nor providers need to change. Instead, CA can accept WS-Security Username tokens (and many others) from the consumer, perform authentication and authorization (and more), and include a SAML assertion in the request forwarded to the provider.  Service Virtualization – An ESB concept, but with security implications. By using CA to virtualize your services (including their identity, protocol and interface), you effectively hide implementation details from attackers.
19 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Identification, Authentication & Authorization – Many out-of-the-box methods of identification, authentication and authorization based on industry standards and vendor proprietary mechanisms – The ability to support identity federation based on different standards, and identity brokering between standards and vendor proprietary mechanisms – Some (but not all) supported standards include SSL with mutual authentication, FTP Credentials, HTTP Basic, HTTP Digest, HTTP Cookies, NTLM, Kerberos, SAML, WS-SecureConversation, WS-Security, OAuth, OpenID Connect, XACML, LDAP, WS-Trust, WS-Federation, X.509 Certificates – Some (but not all) supported vendor proprietary mechanisms include Mobile SSO, CA Single Sign-On, Tivoli Access Manager, Oracle Access Manager, Sun Java System Access Manager – CA can easily and conditionally use one or more of the above methods in a single policy (including JDBC and other protocols for custom identity provider implementations) – CA provides an out-of-the-box and configurable WS-Trust based STS service – CA can be an enterprise PEP, PDP, PIP and PRP for XACML – CA can be a SAML identity provider – CA can be a OAuth authorization server and an OpenID Connect server
20 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Confidentiality – Easy to configure and accelerated secure transport (SSL/TLS) for point-to-point encryption and confidentiality (both in front and behind our gateway, with and without client authentication) – Easy to configure and accelerated end-to-end confidentiality with message or element level encryption and decryption based on industry standards (e.g. XML Encryption, WS-Security, and JWE)  Integrity – Easy to configure and accelerated end-to-end integrity with message or element level digital signature and verification based on industry standards (e.g. XML Signature and WS-Security) – HMAC signature support for emerging non-XML standards like REST and OAuth
21 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Auditing & Logging – Automatic and configurable auditing and logging of events by category and priority level both on and off gateways – Gateway Audit Event viewer that can see all audit events across a cluster of multiple gateways with or without full request and response message recording – Auditing and logging is very configurable and can be managed globally across a cluster and/or conditionally in policy – Audit and log events can be sent remotely via syslog and/or all other outbound protocols supported by CA  Non-repudiation – CA supports non-repudiation through a combination of auditing, logging and digital signatures
22 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Data Classification and Compliance – Automatic XML well-formed-ness validation – XML schema validation, Schematron, and JSON schema validation – Many additional out-of-the-box assertions for classifying, validating, masking and filtering message content at runtime  Threat Protection – Automatic threat protection for TCP/IP Based Attacks, Coercive Parsing and XML Bomb, External Entity Attack, Schema Poisoning, WSDL Scanning and XML Routing Detours – Configurable threat protection for single and multi-message denial of service attacks – Injection attack protection (both SQL and code) – Rate limiting and SLA enforcement with high performance and accuracy across a cluster of multiple gateways – True replay attack protection across a cluster of multiple gateways – Virus scanning via the ICAP protocol with specific support Symantec, McAfee and Sophos
23 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA Mobile API Gateway  Apple Push Notification  Android Push Notification  Mobile SSO (API and SDK) – Multi-user Support – Social Login – One Time Password – Dynamic App Config & Credential Provisioning – Geo-location Support – Cross Device SSO (QRC, BLE, NFC)  Enterprise Browser  Samsung KNOX for APIs API Portal API Servers IdM MAG
24 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD OWASP Top 10[1] Protection as Web App Proxy  A1 Injection  A2 Broken Authentication and Session Management  A3 Cross-Site Scripting (XSS)  A4 Insecure Direct Object References  A5 Security Misconfiguration  A6 Sensitive Data Exposure  A7 Missing Function Level Access Control  A8 Cross-Site Request Forgery (CSRF)  A9 Using Components with Known Vulnerabilities  A10 Un-validated Redirects and Forwards [1] https://www.owasp.org/index.php/Top_10_2013-Top_10
25 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Where do I start?  Reduce attack surface (expose only what’s needed; require all traffic to go through gateway)  Use a secure transport (i.e. SSL/TLS)  Control access (e.g. Mutual Auth SSL, HTTP Basic Auth, OAuth, MSSO, API Key?, etc.)  Enforce a strict interface (i.e. validate protocol, resource, method, parameters, schema)  Validate (and optionally encode) input (and optionally output) parameter values  Rate limit (to not exceed capacity - anywhere)  Monitor (log and audit)
26 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA (Mobile) API Gateway (for runtime policy enforcement) Policy Manager (for policy authoring and administration) ACME Warehouse Service CA API Developer Portal (for discovering, exploring, registering to access and monitoring utilization of APIs) Demo
27 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Must See Demos Optimize with API Insights & Monitoring CA API Management Theater 3 Orchestrate and Secure APIs & Microservices CA API Management Theater 3 Launch Faster with API Management in the Cloud CA API Management Theater 3 Deliver Continuously with API Testing CA API Management Theater 3
28 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Recommended Sessions SESSION # TITLE DATE/TIME DO3T82S Building the Digital Platform - with secure APIs 11/16/2016 at 1:00 pm DO3X18S Securing your API Portfolio with API Management 11/16/2016 at 2:00 pm DO3T02S Case Study: How Adobe Secures, Manages and Deploys Enterprise Mobile Apps 11/17/2016 at 1:45 pm
29 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Questions?
30 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Thank you. Stay connected at communities.ca.com
@CAWORLD #CAWORLD © 2016 CA. All RIGHTS RESERVED.31 @CAWORLD #CAWORLD DevOps – API Management and Application Development For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ

Empfohlen

Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
Prabath Siriwardena
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 

Empfohlen

Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
Prabath Siriwardena
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
GlobalLogic Ukraine
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
Ryan Dawson
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Fleet and elastic agent
Fleet and elastic agentFleet and elastic agent
Fleet and elastic agent
Ismaeel Enjreny
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways
Kong Inc.
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationMTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
Laurentiu Meirosu
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
Teri Radichel
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
Robb Boyd
 
Securing your API Portfolio with API Management
Securing your API Portfolio with API ManagementSecuring your API Portfolio with API Management
Securing your API Portfolio with API Management
CA Technologies
 
Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
CA API Management
 

Weitere ähnliche Inhalte

Was ist angesagt?

OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 

Was ist angesagt? (20)

API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Fleet and elastic agent
Fleet and elastic agentFleet and elastic agent
Fleet and elastic agent
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationMTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
 

Andere mochten auch

A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
CA API Management
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
Application Development with API Manager
Application Development with API ManagerApplication Development with API Manager
Application Development with API Manager
WSO2
 

Andere mochten auch (20)

Securing your API Portfolio with API Management
Securing your API Portfolio with API ManagementSecuring your API Portfolio with API Management
Securing your API Portfolio with API Management
 
Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Pre-Con Ed: CA API Gateway: How to Deploy Your Gateway Across Multiple Enviro...
Pre-Con Ed: CA API Gateway: How to Deploy Your Gateway Across Multiple Enviro...Pre-Con Ed: CA API Gateway: How to Deploy Your Gateway Across Multiple Enviro...
Pre-Con Ed: CA API Gateway: How to Deploy Your Gateway Across Multiple Enviro...
 
CA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerCA API Management: A DevOps Enabler
CA API Management: A DevOps Enabler
 
Pre-Con Ed: CA API Gateway: Developing Custom Policies to Secure Your Enterpr...
Pre-Con Ed: CA API Gateway: Developing Custom Policies to Secure Your Enterpr...Pre-Con Ed: CA API Gateway: Developing Custom Policies to Secure Your Enterpr...
Pre-Con Ed: CA API Gateway: Developing Custom Policies to Secure Your Enterpr...
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
 
Pre-Con Ed: CA API Developer Portal: Policy Writing for the Portal Using the ...
Pre-Con Ed: CA API Developer Portal: Policy Writing for the Portal Using the ...Pre-Con Ed: CA API Developer Portal: Policy Writing for the Portal Using the ...
Pre-Con Ed: CA API Developer Portal: Policy Writing for the Portal Using the ...
 
Tech Talk: CA API Gateway: Deploying Docker Container Gateways
Tech Talk: CA API Gateway: Deploying Docker Container GatewaysTech Talk: CA API Gateway: Deploying Docker Container Gateways
Tech Talk: CA API Gateway: Deploying Docker Container Gateways
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
 
owaspa4
owaspa4owaspa4
owaspa4
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 
Mobile Inception - Web API Security
Mobile Inception - Web API SecurityMobile Inception - Web API Security
Mobile Inception - Web API Security
 
Case Study: Aaramshop—Top Five Lessons Learned About Accelerating E-Commerce ...
Case Study: Aaramshop—Top Five Lessons Learned About Accelerating E-Commerce ...Case Study: Aaramshop—Top Five Lessons Learned About Accelerating E-Commerce ...
Case Study: Aaramshop—Top Five Lessons Learned About Accelerating E-Commerce ...
 
Build Your Own Virtual API
Build Your Own Virtual APIBuild Your Own Virtual API
Build Your Own Virtual API
 
Secure the Open Enterprise with CA API Management
Secure the Open Enterprise with CA API ManagementSecure the Open Enterprise with CA API Management
Secure the Open Enterprise with CA API Management
 
Application Development with API Manager
Application Development with API ManagerApplication Development with API Manager
Application Development with API Manager
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Build modern web & api
Build modern web & apiBuild modern web & api
Build modern web & api
 
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
 
Secure Your APIs with Amazon API Gateway
Secure Your APIs with Amazon API GatewaySecure Your APIs with Amazon API Gateway
Secure Your APIs with Amazon API Gateway
 

Ähnlich wie CA API Gateway: Web API and Application Security

Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Amazon Web Services
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide
Array Networks
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
Amazon Web Services
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
Technology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned WayTechnology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned Way
CA Technologies
 
An Overview of OPC UA Security
An Overview of OPC UA SecurityAn Overview of OPC UA Security
An Overview of OPC UA Security
Sadatulla Zishan
 
SSO Agility Made Possible - November 2014
SSO Agility Made Possible - November 2014SSO Agility Made Possible - November 2014
SSO Agility Made Possible - November 2014
Andrew Ames
 
AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016
Gaurav "GP" Pal
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 

Ähnlich wie CA API Gateway: Web API and Application Security (20)

2014 q3-platform-update-v1.06.johnmathon
2014 q3-platform-update-v1.06.johnmathon2014 q3-platform-update-v1.06.johnmathon
2014 q3-platform-update-v1.06.johnmathon
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide
 
Privileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined NetworkPrivileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined Network
 
Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain Platform
 
Protecting the Software-Defined Data Center from Data Breach
Protecting the Software-Defined Data Center from Data BreachProtecting the Software-Defined Data Center from Data Breach
Protecting the Software-Defined Data Center from Data Breach
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
 
Technology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned WayTechnology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned Way
 
An Overview of OPC UA Security
An Overview of OPC UA SecurityAn Overview of OPC UA Security
An Overview of OPC UA Security
 
SSO Agility Made Possible - November 2014
SSO Agility Made Possible - November 2014SSO Agility Made Possible - November 2014
SSO Agility Made Possible - November 2014
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practice
 
AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
Friendly Technologies- Cloud-Based TR-069 Device Management Suite
Friendly Technologies- Cloud-Based TR-069 Device Management SuiteFriendly Technologies- Cloud-Based TR-069 Device Management Suite
Friendly Technologies- Cloud-Based TR-069 Device Management Suite
 

Mehr von CA Technologies

CA Mainframe Resource Intelligence
CA Mainframe Resource IntelligenceCA Mainframe Resource Intelligence
CA Mainframe Resource Intelligence
CA Technologies
 
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform ExcellenceMainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
CA Technologies
 
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
CA Technologies
 
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
CA Technologies
 
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
CA Technologies
 
Blockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of DeploymentBlockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of Deployment
CA Technologies
 
Establish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital EnterpriseEstablish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital Enterprise
CA Technologies
 

Mehr von CA Technologies (20)

CA Mainframe Resource Intelligence
CA Mainframe Resource IntelligenceCA Mainframe Resource Intelligence
CA Mainframe Resource Intelligence
 
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform ExcellenceMainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
 
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
 
Case Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software DevelopmentCase Study: How The Home Depot Built Quality Into Software Development
Case Study: How The Home Depot Built Quality Into Software Development
 
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
 
Case Study: Privileged Access in a World on Time
Case Study: Privileged Access in a World on TimeCase Study: Privileged Access in a World on Time
Case Study: Privileged Access in a World on Time
 
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
 
Case Study: Putting Citizens at The Center of Digital Government
Case Study: Putting Citizens at The Center of Digital GovernmentCase Study: Putting Citizens at The Center of Digital Government
Case Study: Putting Citizens at The Center of Digital Government
 
Making Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security ProgramMaking Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security Program
 
Keynote: Making Security a Competitive Advantage
Keynote: Making Security a Competitive AdvantageKeynote: Making Security a Competitive Advantage
Keynote: Making Security a Competitive Advantage
 
Emerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access ManagementEmerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access Management
 
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
 
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
 
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
 
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
 
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
 
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
 
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
 
Blockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of DeploymentBlockchain: Strategies for Moving From Hype to Realities of Deployment
Blockchain: Strategies for Moving From Hype to Realities of Deployment
 
Establish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital EnterpriseEstablish Digital Trust as the Currency of Digital Enterprise
Establish Digital Trust as the Currency of Digital Enterprise
 

Kürzlich hochgeladen

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

CA API Gateway: Web API and Application Security

  • 1. CA API Gateway: Web API and Application Security Ben Urbanski, Advisor, API Management Presales, CA Technologies D03X41E DEVOPS
  • 2. 5 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD © 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only Terms of this Presentation
  • 3. 6 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Abstract This session explores common web service, web API and web application security considerations and how you can use CA API Management solutions to address them. Ben Urbanski has almost 10 years of experience with API gateways beginning at IBM in 2007, continuing at Layer 7 in 2011, and to this day at CA Technologies. During that time, he’s been a presales engineer, a senior director of presales engineering, and now an advisor on CA’s API Management Presales Center of Excellence team. He has helped many customers understand how they can simplify and accelerate the creation, security, integration and management of their web services, web APIs, web applications and mobile applications using API gateways, API portals and related products. Earlier in his career, he spent time as a software engineer at several companies, so he’s well grounded in software development practices and how they relate to API management. Ben Urbanski CA Technologies Advisor, API Management Presales
  • 4. 7 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Agenda SECURING THE NEW PERIMETER CA API MANAGEMENT SUITE AND COMMON USE CASES DEMONSTRATION SECURITY PROCESS SECURITY CONSIDERATIONS AND FEATURES WHERE TO START? 1 2 3 4 5 6
  • 5. 8 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD The Digital Enterprise and Application Economy Developer Community Cloud ServicesPartners/Divisions Mobile Apps IoT / Big Data Social Registration
  • 6. 9 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD APIs are the New Perimeter
  • 7. 10 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA quickly and easily creates, secures and manages APIs
  • 8. 11 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA API Management ESM CA (Mobile) API Gateway App Developers Applications CA API Developer Portal Design Time Runtime MSSO SDKs MAS SDKs CA Mobile App Services Runtime CA Live API Creator API Publishers Design Time
  • 9. 12 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD  Internal Security  Integration (ESB or noESB or µS)  Traffic Management (SLA)  API Creation  Security Gateway  API Management  Mobile Enablement  Identity Brokering DMZ Trusted Zone Applications Runtime MSSO SDKs Partner App Developers Design Time Internal API and App Developers Design Time Portal Gateways (optionally with MAG & MAS) Gateways MAS SDKs CA Live API Creator or Application Servers API Academy CA API Management Use Cases and Deployment
  • 10. 13 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Begins with Risk Analysis Risk Assessment What is your risk? Risk Management What will you do about it?
  • 11. 14 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD What is your risk? Assets Threats Vulnerabilities Risk
  • 12. 15 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD What will you do about it?  Avoidance  Reduction  Sharing  Retention
  • 13. 16 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security  Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance  Leading edge support for industry and vendor security standards and solutions  Service Virtualization  Identification (w/Federation & Brokering), Authentication, Authorization & Auditing  Confidentiality  Integrity  Logging  Non-repudiation  Data Classification and Compliance  Threat Protection
  • 14. 17 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance – Common Criteria (CC) is the most relevant security certification for solutions in our space; CA is the only gateway vendor with a recent certification to more relevant profiles – FIPS 140-2 Level 1 crypto processing in all form factors by default. CA offers an optional hardware acceleration card for crypto processing that includes an on board HSM in its hardware appliance form factor for FIPS 140-2 Level 3. – CA’s emphasis on performance allows our customers to take advantage of our many security capabilities without experiencing significant negative performance and scalability impacts.
  • 15. 18 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Leading edge support for industry and vendor security standards and solutions – The industry and vendors are frequently creating and evolving security standards and solutions. The standards and solutions can be difficult to understand, implement and maintain. CA wraps its expert knowledge of both in automatic and/or simple to configure policy language that keeps pace with changes. – CA is often used to negotiate differences in security standards and solutions between consumers and providers of services. For example, consumers might want to send their credentials using WS-Security UserName tokens, and providers might expect credentials via SAML tokens. With CA in between, neither consumers nor providers need to change. Instead, CA can accept WS-Security Username tokens (and many others) from the consumer, perform authentication and authorization (and more), and include a SAML assertion in the request forwarded to the provider.  Service Virtualization – An ESB concept, but with security implications. By using CA to virtualize your services (including their identity, protocol and interface), you effectively hide implementation details from attackers.
  • 16. 19 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Identification, Authentication & Authorization – Many out-of-the-box methods of identification, authentication and authorization based on industry standards and vendor proprietary mechanisms – The ability to support identity federation based on different standards, and identity brokering between standards and vendor proprietary mechanisms – Some (but not all) supported standards include SSL with mutual authentication, FTP Credentials, HTTP Basic, HTTP Digest, HTTP Cookies, NTLM, Kerberos, SAML, WS-SecureConversation, WS-Security, OAuth, OpenID Connect, XACML, LDAP, WS-Trust, WS-Federation, X.509 Certificates – Some (but not all) supported vendor proprietary mechanisms include Mobile SSO, CA Single Sign-On, Tivoli Access Manager, Oracle Access Manager, Sun Java System Access Manager – CA can easily and conditionally use one or more of the above methods in a single policy (including JDBC and other protocols for custom identity provider implementations) – CA provides an out-of-the-box and configurable WS-Trust based STS service – CA can be an enterprise PEP, PDP, PIP and PRP for XACML – CA can be a SAML identity provider – CA can be a OAuth authorization server and an OpenID Connect server
  • 17. 20 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Confidentiality – Easy to configure and accelerated secure transport (SSL/TLS) for point-to-point encryption and confidentiality (both in front and behind our gateway, with and without client authentication) – Easy to configure and accelerated end-to-end confidentiality with message or element level encryption and decryption based on industry standards (e.g. XML Encryption, WS-Security, and JWE)  Integrity – Easy to configure and accelerated end-to-end integrity with message or element level digital signature and verification based on industry standards (e.g. XML Signature and WS-Security) – HMAC signature support for emerging non-XML standards like REST and OAuth
  • 18. 21 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Auditing & Logging – Automatic and configurable auditing and logging of events by category and priority level both on and off gateways – Gateway Audit Event viewer that can see all audit events across a cluster of multiple gateways with or without full request and response message recording – Auditing and logging is very configurable and can be managed globally across a cluster and/or conditionally in policy – Audit and log events can be sent remotely via syslog and/or all other outbound protocols supported by CA  Non-repudiation – CA supports non-repudiation through a combination of auditing, logging and digital signatures
  • 19. 22 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Security Gateway / Internal Security (additional detail)  Data Classification and Compliance – Automatic XML well-formed-ness validation – XML schema validation, Schematron, and JSON schema validation – Many additional out-of-the-box assertions for classifying, validating, masking and filtering message content at runtime  Threat Protection – Automatic threat protection for TCP/IP Based Attacks, Coercive Parsing and XML Bomb, External Entity Attack, Schema Poisoning, WSDL Scanning and XML Routing Detours – Configurable threat protection for single and multi-message denial of service attacks – Injection attack protection (both SQL and code) – Rate limiting and SLA enforcement with high performance and accuracy across a cluster of multiple gateways – True replay attack protection across a cluster of multiple gateways – Virus scanning via the ICAP protocol with specific support Symantec, McAfee and Sophos
  • 20. 23 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA Mobile API Gateway  Apple Push Notification  Android Push Notification  Mobile SSO (API and SDK) – Multi-user Support – Social Login – One Time Password – Dynamic App Config & Credential Provisioning – Geo-location Support – Cross Device SSO (QRC, BLE, NFC)  Enterprise Browser  Samsung KNOX for APIs API Portal API Servers IdM MAG
  • 21. 24 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD OWASP Top 10[1] Protection as Web App Proxy  A1 Injection  A2 Broken Authentication and Session Management  A3 Cross-Site Scripting (XSS)  A4 Insecure Direct Object References  A5 Security Misconfiguration  A6 Sensitive Data Exposure  A7 Missing Function Level Access Control  A8 Cross-Site Request Forgery (CSRF)  A9 Using Components with Known Vulnerabilities  A10 Un-validated Redirects and Forwards [1] https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 22. 25 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Where do I start?  Reduce attack surface (expose only what’s needed; require all traffic to go through gateway)  Use a secure transport (i.e. SSL/TLS)  Control access (e.g. Mutual Auth SSL, HTTP Basic Auth, OAuth, MSSO, API Key?, etc.)  Enforce a strict interface (i.e. validate protocol, resource, method, parameters, schema)  Validate (and optionally encode) input (and optionally output) parameter values  Rate limit (to not exceed capacity - anywhere)  Monitor (log and audit)
  • 23. 26 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA (Mobile) API Gateway (for runtime policy enforcement) Policy Manager (for policy authoring and administration) ACME Warehouse Service CA API Developer Portal (for discovering, exploring, registering to access and monitoring utilization of APIs) Demo
  • 24. 27 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Must See Demos Optimize with API Insights & Monitoring CA API Management Theater 3 Orchestrate and Secure APIs & Microservices CA API Management Theater 3 Launch Faster with API Management in the Cloud CA API Management Theater 3 Deliver Continuously with API Testing CA API Management Theater 3
  • 25. 28 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Recommended Sessions SESSION # TITLE DATE/TIME DO3T82S Building the Digital Platform - with secure APIs 11/16/2016 at 1:00 pm DO3X18S Securing your API Portfolio with API Management 11/16/2016 at 2:00 pm DO3T02S Case Study: How Adobe Secures, Manages and Deploys Enterprise Mobile Apps 11/17/2016 at 1:45 pm
  • 26. 29 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Questions?
  • 27. 30 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Thank you. Stay connected at communities.ca.com
  • 28. @CAWORLD #CAWORLD © 2016 CA. All RIGHTS RESERVED.31 @CAWORLD #CAWORLD DevOps – API Management and Application Development For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ

Hinweis der Redaktion

  1. As you build out your presentation, here are a few dos and don’ts.
  2. A1 Injection CA API Management provides policy assertions to protect against SQL and other types of injection attacks. CA API Management also has full access to all Web request and response content and context to enable inspection and protection at runtime. A2 Broken Authentication and Session Management CA API Management can require strong or multi-factor authentication over secure protocols and can protect against brute force attacks using simple or sophisticated rate limiting or throughput quota policies. CA API Management can also detect and protect against session-based attacks by controlling cookie security attributes, using digital signatures and encryption or tracking, mapping and enforcing stick session identifiers sent in a variety of ways, through policy management. A3 Cross-Site Scripting (XSS) CA API Management considers cross-site scripting another form of injection and protects against it using the same or similar policy assertions used for A1 Injection. A4 Insecure Direct Object References CA API Management could be used to support per user or session indirect object references and can check access authorization for requests with direct object references. A5 Security Misconfiguration CA API Management is a special-purposed security gateway that has been hardened for easy and secure deployment to the DMZ and is the only gateway of its kind with Common Criteria certification for the Enterprise Security Management–Policy Management Version 1.4—and Enterprise Security Management–Access Control Version 2 profiles. As the first line of application layer defense in front of your Web applications, CA API Management can help protect you from security misconfigurations elsewhere in your stack. A6 Sensitive Data Exposure CA API Management has a variety of capabilities for filtering, masking, tokenizing and encrypting (using modern and strong algorithms) sensitive data in flight and at rest to protect against sensitive data exposure. CA API Management is also FIPS 140-2 Level 1 compliant in all of its available form factors and FIPS 140-2 Level 3 compliant when integrated with a network HSM or when including the optional onboard HSM in the hardware appliance form factor. A7 Missing Function Level Access Control CA API Management can control access to Web pages and their resources using industry-standard-based policy or with integrations to identity access management solutions like CA Single Sign-On. A8 Cross-Site Request Forgery (CSRF) CA API Management provides out-of-the-box cross-site request forgery detection and protection using double submit cookie validation and/or HTTP referrer validation. A9 Using Components with Known Vulnerabilities As noted under A5, CA API Management is a special purposed security gateway that has been hardened for easy and secure deployment to the DMZ, and is the only gateway of its kind with Common Criteria certification for the Enterprise Security Management—Policy Management Version 1.4 and Enterprise Security Management—Access Control Version 2 profiles. CA API Management engineering and support teams are constantly vigilant for new vulnerabilities, and quickly create, release and communicate vulnerability patches to CA API Management customers. These patches are easily applied through the patch management system included with CA API Management. A10 Unvalidated Redirects and Forwards CA API Management can detect, validate and, if necessary, help prevent redirects. CA API Management can also be used to detect and validate absolute or relative URL or URI references in request messages. Additionally, CA API Management provides ODATA threat protection, which allows the same sort of metadata validation that JSON and XML schema protection provides.