Presented at APIdays Paris.
API security is the principal concern when it comes to establishing a trusted API ecosystem. Rightly so, because opening up business systems through APIs by definition expands the attack surface that can be exploited. Although many threat vectors and vulnerabilities are well known, we have to remain on the lookout for new threats continuously.
On the positive side, open standards that help defend against security threats are constantly being created and refined. Even more helpful are the specifications that aggregate the relevant standards into a comprehensive API security profile. Excellent examples are the current specifications that support open banking initiatives such as UK Open Banking and PSD2. Could these specifications not have wider applicability? In other words, could other verticals, such as logistics, retail, energy, healthcare and government, benefit from the security guidelines captured in these specifications too?
In this talk, we will compare security guidelines covered in the specifications and see to what extent they may benefit the wider enterprise API developer community.
The ‘inevitable conflict’ between opening shop and only allowing entrance to trusted customers.
Image creator: Lukiyanova Natalia
NOTE: applying API security may well become mandatory, as we already see with open banking. But it is also highly relevant from other regulatory perspectives, such as GDPR.
All kinds of ‘standards’ to protect resources.
In tech terms, there are standards such as the specs for OAuth 2.0, OpenID Connect, mTLS, JWT, etc.
Security door guard
Camera protected entrance
Full-height turnstile
Note: what is clear is that not every means is suited to every job.
Various standards have emerged that help address API security concerns.