Securing Your API
Jason Austin - @jason_austin - jfaustin@gmail.com

Thursday, May 26, 2011
A Quick Rundown

• API overview
• API methodologies
• Security methodologies
• Best practices

API vs. Web Service

• API = Application Programming Interface
• Web Service = API that operates over HTTP
• In this presentation, API == Web Service

Why Create An API

• Extend your product reach
• Encourage mashups
• Expose your data programmatically
• Connect with developers

API Success Stories

• Twitter
• Foursquare
• Facebook

Popular Methodologies

• REST
• XML-RPC
• SOAP
REST Service

• Representational State Transfer
• Architecture, not a standard
• HTTP-based

RESTful

• Client-Server
• Self-contained Requests (Stateless)
• Cacheable
• Named, Layered Resources
  http://brewerydb.com/api/breweries/2324
  http://brewerydb.com/api/beers/435

REST over HTTP

• GET - Read-only, for retrieving information
• POST - Creating a new resource
• PUT - Updating an existing resource
• DELETE - Deleting an existing resource

REST Security

• None built in
• Encryption over HTTPS
• Left to the implementer
• Error handling left to implementer

SOAP Service

• Simple Object Access Protocol
• XML-based
• Uses GET for read, POST for write
• W3C Specification for sending and receiving messages

SOAP Security

• Nothing provided in spec
• WS-Security
  • Extension to SOAP spec
  • Provided as a guide for securing SOAP services

WS-Security

• Guidelines for solving 3 problems
  • Identify and authenticate a client
  • Ensure integrity of the message
  • Curtail eavesdropping while in transit
• Defines mechanisms as opposed to actual protocols
• http://www.oasis-open.org/committees/wss/

XML-RPC Service

• XML Remote Procedure Call
• XML-based
• Uses HTTP-POST
• Spec published by UserLand Software in ~1998

XML-RPC

• Uses XML to specify a method and parameters
• Simple data structures, no objects
  • Arrays and Structs most complex

XML-RPC Security

• None in the spec
• Encryption over HTTPS
• Security left to the implementer
• Error handling - <fault> base response element

Security Mechanisms

• OAuth
• BasicAuth
• API Keys
OAuth 1.0

Think of it as a valet key for your internet accounts...

Open standard for API access delegation
RFC 5849 - The OAuth 1.0 Protocol
  Published April 2010

OAuth 1.0 Players

• Service Provider (Server) - Has the information you want
• Consumer (Client) - Wants the information from the Service Provider
• User (Resource Owner) - Can grant the Consumer access to acquire information about the User's account from the Service Provider

Benefits of OAuth 1.0

• Applications don’t need a user’s password
• Power in the hands of the user
• Secure handshake
• Doesn’t require SSL
• Many libraries available

OAuth 1.0 Pitfalls

• Signatures based on complex cryptography
• Server-side implementation is complex

OAuth - Roll Your Own

• Consumer Registration and Management
• User pass-through, grant access
• Consumer access management by User
• Token storage and generation
• 2-legged vs. 3-legged

OAuth 2.0 - Coming Soon

• Removes signature requirement except on token acquisition
• Requires SSL
• Single security token, no signature required
• Guidelines for use with JavaScript and applications with no web browser

More Info on OAuth

• OAuth Spec
  http://oauth.net/
• OAuth 2.0 Information
  http://oauth.net/2/
• Lorna’s OAuth Blog Series
  http://www.lornajane.net/
BasicAuth

• Passes a username and password with the request
• Defined by the HTTP specification

BasicAuth Do’s

• SSL is a must
  • Username / Password is transmitted in cleartext
    • Base64 encoded, but not encrypted
• Basic > Digest
  • Basic assumes authentication is required
  • Digest requires extra transfer for nonce

BasicAuth Pros

• Client requests are easy
  • Part of nearly every HTTP request library
• Server setup is easy
  • Use existing BasicAuth credentials

BasicAuth Cons

• Requires a username and password for a user
• Credentials are not, by default, encrypted
• Requires username and password to be embedded in client code
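The BasicAuth slides above make two points that are easy to see in code: the header is only Base64-encoded (anyone who can read the request can read the password, hence "SSL is a must"), and the server still has to verify the credentials sensibly. The following is an added example, not code from the slides or from the speaker; the user store, the sample password, the PBKDF2 parameters and the function names are this example's own choices, since the slides do not prescribe how credentials are stored.

```python
"""Server-side parsing and verification of HTTP Basic authentication.

Added example (not from the slides). Shows that decoding the header is
trivial (so it must only travel over SSL/TLS) and how to verify a password
without storing or comparing plaintext.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
# A real service keeps this in a database; the values here are illustrative.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2 digest; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


USERS = {"jason": hash_password("correct horse battery staple")}  # constructed


def decode_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from 'Basic <base64>', or None if malformed.

    The decoding is trivial, and that is the point: Base64 hides nothing from
    an eavesdropper, which is why the header must only be sent over SSL/TLS.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # RFC 7617: everything after the first ':' is the password.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header_value: str) -> Optional[str]:
    """Return the username if the header carries valid credentials, else None."""
    creds = decode_basic_header(header_value)
    if creds is None:
        return None
    username, password = creds
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so unknown users take as long as wrong passwords.
        hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    _, actual = hash_password(password, salt)
    # Constant-time comparison: never compare password digests with '=='.
    if not hmac.compare_digest(actual, expected):
        return None
    return username


def build_header(username: str, password: str) -> str:
    """What every HTTP client library does for you: encode 'user:pass'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    header = build_header("jason", "correct horse battery staple")
    print("On the wire:", header)
    print("Anyone can decode it:", decode_basic_header(header))
    print("Valid login ->", authenticate(header))
    print("Wrong password ->", authenticate(build_header("jason", "nope")))
    print("Garbage header ->", authenticate("Basic not-base64!"))
```

Running the script prints the encoded header and then its decoded form, which is exactly what a network observer would see without SSL; the verification path never handles a stored plaintext password and rejects malformed headers before touching the user store.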
Access Keys

• Not based on any standard
• Implementation requirements are up to the service provider
• Keys -> signatures

Access Key Basics

• Part of URL
  http://pintlabs.com/api?key=23sdbk32
• Sign request with key instead of passing it in URL
  • Use params + shared secret as signature

Signed Request Workflow

• Client
  • Starts with the request parameters: ?key=val
  • Signs them with the shared secret (vje48hvn4 in the diagram), producing the signature 23kcwej323
  • Sends ?key=val&signature=23kcwej323
• Server
  • Receives ?key=val&signature=23kcwej323
  • Signs ?key=val with the same shared secret vje48hvn4, producing 23kcwej323
  • Compares the computed signature with the one sent: 23kcwej323 == 23kcwej323, so the request is accepted
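The workflow above in working code, as an added example that is not part of the slides: the client holds a public API key plus a shared secret that never goes on the wire, signs the canonical query string, and the server recomputes the signature from its own copy of the secret and compares. HMAC-SHA256, the sorted-parameter canonicalisation and the function names are this example's choices (the slides name no algorithm); the `ts` timestamp check is also an addition the slides do not mention, included because a signature alone does not stop a captured request from being replayed.

```python
"""Signed API requests: client signs, server re-signs and compares.

Added example (not from the slides). The credential store, key names and
the HMAC-SHA256 choice are this example's own.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode

# Constructed sample credential store: public api key -> shared secret.
SECRETS = {"demo-key": "vje48hvn4-constructed-secret"}
MAX_SKEW_SECONDS = 300  # how old a request may be before it is rejected


def canonical_query(params: Dict[str, str]) -> str:
    """Sort parameters by name so client and server hash identical bytes
    regardless of the order the HTTP library happens to emit them."""
    return urlencode(sorted(params.items()))


def sign(params: Dict[str, str], secret: str) -> str:
    """HMAC over the canonical query; the 'signature' field itself is excluded."""
    to_sign = {k: v for k, v in params.items() if k != "signature"}
    mac = hmac.new(secret.encode(), canonical_query(to_sign).encode(), hashlib.sha256)
    return mac.hexdigest()


def client_build_query(api_key: str, secret: str, params: Dict[str, str],
                       now: Optional[int] = None) -> str:
    """Client side: attach key and timestamp, sign, append the signature."""
    signed = dict(params)
    signed["key"] = api_key
    signed["ts"] = str(int(now if now is not None else time.time()))
    signed["signature"] = sign(signed, secret)
    return urlencode(signed)


def server_verify(query: str, now: Optional[int] = None) -> Optional[str]:
    """Server side: return the api key if the request verifies, else None."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    api_key = params.get("key")
    presented = params.get("signature")
    secret = SECRETS.get(api_key) if api_key else None
    if secret is None or presented is None:
        return None
    # Reject stale requests before doing any crypto (replay limit; an addition).
    try:
        ts = int(params.get("ts", ""))
    except ValueError:
        return None
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return None
    expected = sign(params, secret)
    # compare_digest avoids leaking the expected signature through timing.
    if not hmac.compare_digest(expected, presented):
        return None
    return api_key


if __name__ == "__main__":
    t = 1306419600  # constructed fixed clock so the output is reproducible
    q = client_build_query("demo-key", SECRETS["demo-key"], {"beer": "435"}, now=t)
    print("Request:         ", q)
    print("Verifies:        ", server_verify(q, now=t))
    print("Tampered verifies:", server_verify(q.replace("beer=435", "beer=436"), now=t))
    print("Stale verifies:  ", server_verify(q, now=t + 3600))
```

Changing any signed parameter (the tampered request above) changes the server's recomputed HMAC, which is the "signed requests prevent altering parameters" property from the next slide; the secret is looked up by key on the server and never appears in the URL.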
Access Keys Pros

• Easy to generate keys and distribute them
• Typically removes the need to transfer username and password in raw form
• Signed requests prevent altering parameters

Access Keys Cons

• Unsigned
  • Must embed them in code
  • SSL is not required, so will (by default) transfer in plaintext
• Signed
  • Encryption is scary....ish

Best Practices for Keys

• Use signed requests over unsigned
• One key per application per developer
• Require username in headers
General Best Practices

• Rate Limiting
• Access Control
• Error Handling
• SSL Layer
• API Domain

“Stupid is as Stupid Does” - Gump

Rate-Limiting

• Keeps API access in check
• Authenticated and Unauthenticated calls should be subject to rate limiting
• Best practice
  • Have a standard, application wide rate limit
  • Allow that limit to be overridden on a per user, per application basis

Rate-Limiting Best Practices

• Authenticated
  • Have a standard, application wide rate limit
  • Allow that limit to be overridden on a per user, per application basis
• Unauthenticated
  • Based on domain or IP address
  • Allow limit to be overridden as well

Access Control

• Treat API endpoints just as service endpoints in your application
• Have a standard API access site wide
  • Allow override on a per-user, per-application basis.
• Allows you to roll out features to a select group or user

Error Handling

• Set appropriate HTTP headers
• Provide viable, valid error messages
• Log errors for the API too
• Have a standard error response object for all methods, including authentication
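The Rate-Limiting, Access Control and Error Handling slides describe one pattern from three angles: a site-wide default (rate limit, allowed endpoints) that can be overridden per application, unauthenticated callers limited by IP address, and a single error object with a proper HTTP status for every rejection, authentication included. The following is an added example putting the three together; it is not code from the slides or the speaker. `Policy`, `Gateway`, the sample API keys, the endpoint names and the limit values are this example's own, and the sliding one-minute window is one of several workable rate-limiting algorithms.

```python
"""Per-application policy: rate limit + access control + standard error object.

Added example (not from the slides). Names, keys, endpoints and limits are
constructed; the clock is injected so behaviour is deterministic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    requests_per_minute: int
    endpoints: FrozenSet[str]


# Site-wide defaults (constructed values).
DEFAULT_AUTHENTICATED = Policy(60, frozenset({"/api/beers", "/api/breweries"}))
DEFAULT_ANONYMOUS = Policy(10, frozenset({"/api/beers"}))

# Per-application overrides keyed by API key (constructed): a partner gets a
# higher limit and early access to a feature that is not yet public.
OVERRIDES: Dict[str, Policy] = {
    "partner-key": Policy(600, frozenset({"/api/beers", "/api/breweries", "/api/beta/ratings"})),
}
KNOWN_KEYS = {"partner-key", "hobby-key"}  # constructed issued keys


def error_response(status: int, code: str, message: str) -> Tuple[int, Dict[str, str]]:
    """The one error shape every endpoint returns, authentication failures included."""
    return status, {"error": code, "message": message}


class Gateway:
    """Sliding one-minute window per caller identity."""

    def __init__(self) -> None:
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _policy_and_caller(self, api_key: Optional[str], ip: str) -> Tuple[Policy, str]:
        # Unauthenticated traffic is identified and limited by IP address.
        if api_key is None:
            return DEFAULT_ANONYMOUS, f"ip:{ip}"
        return OVERRIDES.get(api_key, DEFAULT_AUTHENTICATED), f"key:{api_key}"

    def _over_limit(self, caller: str, limit: int, now: float) -> bool:
        window = self._hits[caller]
        while window and window[0] <= now - 60:  # drop hits older than a minute
            window.popleft()
        if len(window) >= limit:
            return True
        window.append(now)
        return False

    def handle(self, endpoint: str, ip: str, api_key: Optional[str], now: float) -> Tuple[int, Dict[str, str]]:
        if api_key is not None and api_key not in KNOWN_KEYS:
            return error_response(401, "invalid_key", "Unknown API key")
        policy, caller = self._policy_and_caller(api_key, ip)
        if self._over_limit(caller, policy.requests_per_minute, now):
            return error_response(429, "rate_limited",
                                  f"Limit is {policy.requests_per_minute} requests per minute")
        if endpoint not in policy.endpoints:
            return error_response(403, "forbidden", f"{endpoint} is not enabled for this caller")
        return 200, {"result": f"ok: {endpoint}"}


if __name__ == "__main__":
    gw = Gateway()
    for i in range(11):  # anonymous limit is 10/minute; the 11th call is rejected
        status, body = gw.handle("/api/beers", "203.0.113.5", None, float(i))
    print("11th anonymous call:", status, body)
    print("hobby-key on beta:  ", gw.handle("/api/beta/ratings", "203.0.113.9", "hobby-key", 0.0))
    print("partner-key on beta:", gw.handle("/api/beta/ratings", "203.0.113.9", "partner-key", 0.0))
    print("unknown key:        ", gw.handle("/api/beers", "203.0.113.9", "bogus", 0.0))
```

Every rejection goes through `error_response`, so a client sees the same body shape whether the problem is an unknown key (401), an endpoint the application is not enabled for (403) or an exhausted limit (429); the rate check runs before the access check so that repeated denied requests still count against the caller.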
SSL Layer

• Encrypts all traffic to and from your API
• Can cause performance hit
  • ~10-15% in trials
• Depending on protocol, should be a requirement

API Domain

• Use sub-domain
  • Can move to separate webserver
  • Handle traffic requirements

Questions?

Jason Austin - @jason_austin - jfaustin@gmail.com

http://joind.in/3427

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Kürzlich hochgeladen (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Securing Your API

1. Securing Your API
Jason Austin - @jason_austin - jfaustin@gmail.com
Thursday, May 26, 2011

2. A Quick Rundown
• API overview
• API methodologies
• Security methodologies
• Best practices

3. API vs. Web Service
• API = Application Programming Interface
• Web Service = API that operates over HTTP
• In this presentation, API == Web Service

4. Why Create An API
• Extend your product reach
• Encourage mashups
• Expose your data programmatically
• Connect with developers

5. API Success Stories
• Twitter
• Foursquare
• Facebook

6. Popular Methodologies
• REST
• XML-RPC
• SOAP

7. REST Service
• Representational State Transfer
• Architecture, not a standard
• HTTP-based

8. RESTful
• Client-Server
• Self-contained Requests (Stateless)
• Cacheable
• Named, Layered Resources
  http://brewerydb.com/api/breweries/2324
  http://brewerydb.com/api/beers/435

9. REST over HTTP
• GET - Read-only, for retrieving information
• POST - Creating a new resource
• PUT - Updating an existing resource
• DELETE - Deleting an existing resource

10. REST Security
• None built in
• Encryption over HTTPS
• Left to the implementer
• Error handling left to implementer

11. SOAP Service
• Simple Object Access Protocol
• XML-based
• Uses GET for read, POST for write
• W3C Specification for sending and receiving messages

12. SOAP Security
• Nothing provided in spec
• WS-Security
  • Extension to SOAP spec
  • Provided as a guide for securing SOAP services

13. WS-Security
• Guidelines for solving 3 problems
  • Identify and authenticate a client
  • Ensure integrity of the message
  • Curtail eavesdropping while in transit
• Defines mechanisms as opposed to actual protocols
• http://www.oasis-open.org/committees/wss/

14. XML-RPC Service
• XML Remote Procedure Call
• XML-based
• Uses HTTP-POST
• Spec published by UserLand Software in ~1998

15. XML-RPC
• Uses XML to specify a method and parameters
• Simple data structures, no objects
• Arrays and Structs most complex

16. XML-RPC Security
• None in the spec
• Encryption over HTTPS
• Security left to the implementer
• Error handling - <fault> base response element

17. Security Mechanisms
• OAuth
• BasicAuth
• API Keys

18. OAuth 1.0
Think of it as a valet key for your internet accounts...
Open standard for API access delegation
RFC 5849 - The OAuth 1.0 Protocol
Published April 2010

19. OAuth 1.0 Players
• Service Provider (Server) - Has the information you want
• Consumer (Client) - Wants the information from the Service Provider
• User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service Provider

21. Benefits of OAuth 1.0
• Applications don’t need a user’s password
• Power in the hands of the user
• Secure handshake
• Doesn’t require SSL
• Many libraries available

22. OAuth 1.0 Pitfalls
• Signatures based on complex cryptography
• Server-side implementation is complex

23. OAuth - Roll Your Own
• Consumer Registration and Management
• User pass-through, grant access
• Consumer access management by User
• Token storage and generation
• 2-legged vs. 3-legged

24. OAuth 2.0 - Coming Soon
• Removes signature requirement except on token acquisition
• Requires SSL
• Single security token, no signature required
• Guidelines for use with Javascript and applications with no web browser

25. More Info on OAuth
• OAuth Spec http://oauth.net/
• OAuth 2.0 Information http://oauth.net/2/
• Lorna’s OAuth Blog Series http://www.lornajane.net/

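Slide 22 calls the OAuth 1.0 signatures complex, and the slides on OAuth 1.0 never show one. The following Python is an added example, not code from the talk or from any OAuth library: it builds the RFC 5849 signature base string and HMAC-SHA1 signature on the Consumer (client) side and formats the Authorization header. The consumer key, secrets, token and the brewerydb.com request in the `__main__` block are constructed sample values; the only real vector is the base string from RFC 5849 section 3.4.1.1, which the functions reproduce exactly.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing, client side.

Added example; it is not code from the talk.  All keys, secrets and tokens
below are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def oauth_encode(value: str) -> str:
    # RFC 5849 section 3.6: percent-encode everything outside the RFC 3986
    # unreserved set (ALPHA, DIGIT, "-", ".", "_", "~"); uppercase hex digits.
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    # Scheme and host lowercased, default ports dropped, query string and
    # fragment excluded (RFC 5849 section 3.4.1.2).
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default_port = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default_port:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def normalize_params(params) -> str:
    # Encode every name and value, sort by name then value, join as
    # name=value pairs with "&" (RFC 5849 section 3.4.1.3.2).  Query-string
    # parameters from the URL are passed in `params` already decoded.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, params) -> str:
    # METHOD & encoded(base URI) & encoded(normalized parameters)
    return "&".join([
        method.upper(),
        oauth_encode(base_string_uri(url)),
        oauth_encode(normalize_params(params)),
    ])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # Signing key = encoded consumer secret & encoded token secret.  The token
    # secret is empty while only a consumer key exists (2-legged flows).
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Return (base_string, signature, Authorization header value)."""
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(16)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    if token:
        oauth_params.append(("oauth_token", token))
    base = signature_base_string(method, url, list(params) + oauth_params)
    signature = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(
        f'{oauth_encode(k)}="{oauth_encode(v)}"'
        for k, v in oauth_params + [("oauth_signature", signature)]
    )
    return base, signature, header


if __name__ == "__main__":
    # Constructed sample request against the brewerydb.com URL shown on slide 8.
    base, sig, header = sign_request(
        "GET", "http://brewerydb.com/api/beers/435", [("format", "json")],
        consumer_key="sample-consumer-key", consumer_secret="sample-consumer-secret",
        token="sample-token", token_secret="sample-token-secret",
    )
    print(base)
    print("Authorization:", header)
```

The Service Provider verifies by rebuilding the same base string from the received request (including the query-string parameters and every oauth_* parameter except oauth_signature), recomputing the HMAC with the secrets it holds for that consumer key and token, and comparing in constant time; any change to a parameter, the method or the URL changes the base string and invalidates the signature, which is why the slides can say OAuth 1.0 does not require SSL for integrity.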
26. BasicAuth
• Passes a username and password with the request
• Defined by the HTTP specification

27. BasicAuth Do’s
• SSL is a must
  • Username / Password is transmitted in cleartext
  • Base64 encoded, but not encrypted
• Basic > Digest
  • Basic assumes authentication is required
  • Digest requires extra transfer for nonce

28. BasicAuth Pros
• Client requests are easy
  • Part of nearly every HTTP request library
• Server setup is easy
  • Use existing BasicAuth credentials

29. BasicAuth Cons
• Requires a username and password for a user
• Credentials are not, by default, encrypted
• Requires username and password to be embedded in client code

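Slides 26 to 29 describe BasicAuth without showing the header. The following Python is an added example, not code from the talk: it builds and parses the RFC 7617 `Authorization: Basic` header, which makes the slide 27 point concrete (Base64 decodes straight back to the password), and then checks the credential on the server. The user store, the decision to refuse credentials on a non-TLS connection (with a 403), and the salted PBKDF2 storage of passwords are my choices; the slides only say that SSL is a must and that the header is encoded, not encrypted.

```python
"""HTTP Basic authentication, client header and server-side check.

Added example, not code from the talk.  The user records are constructed;
the non-TLS refusal and PBKDF2 password storage are design choices of this
example, not something the slides prescribe.
"""
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000
USERS = {}  # username -> (salt, derived key); constructed in-memory store


def make_basic_header(username: str, password: str) -> str:
    # Client side: what nearly every HTTP library does for you (slide 28).
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header):
    """Return (username, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The password may itself contain ":"; only the first one is a separator.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def hash_password(password: str, salt: bytes = None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def authenticate(header, is_tls: bool):
    """Return (status, detail).  A 401 response must also carry WWW-Authenticate."""
    if not is_tls:
        # The header is only Base64 (slide 27): refuse to look at it on a
        # plaintext connection rather than accept a credential that has
        # already been exposed on the wire.  The status code is an assumption.
        return 403, "credentials accepted only over HTTPS"
    creds = parse_basic_auth(header)
    if creds is None:
        return 401, "missing or malformed credentials"
    username, password = creds
    record = USERS.get(username)
    if record is None:
        # Unknown user: still do the hashing so response timing does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return 401, "bad credentials"
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(stored, candidate):
        return 401, "bad credentials"
    return 200, username


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")
    header = make_basic_header("alice", "correct horse battery staple")
    print(header)
    print(parse_basic_auth(header))   # the password, back in cleartext
    print(authenticate(header, is_tls=True))
    print(authenticate(header, is_tls=False))
```

Because the header is just the username and password joined with a colon and Base64-encoded, anyone who can read the request on the wire can call `parse_basic_auth` on it too; that is the whole reason slide 27 makes SSL mandatory for this mechanism.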
30. Access Keys
• Not based on any standard
• Implementation requirements are up to the service provider
• Keys -> signatures

31. Access Key Basics
• Part of URL
  http://pintlabs.com/api?key=23sdbk32
• Sign request with key instead of passing it in URL
• Use params + shared secret as signature

32. Signed Request Workflow
Client: ?key=val -> sign (vje48hvn4) -> ?key=val&signature=23kcwej323
Server: ?key=val&signature=23kcwej323 -> sign ?key=val (vje48hvn4) -> 23kcwej323 == 23kcwej323

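The workflow on slide 32 in working form, as an added example that is not code from the talk. The key `23sdbk32` and the value `vje48hvn4` are the sample values from slides 31 and 32, used here as a constructed key-to-shared-secret pair; HMAC-SHA256, the sorted-query canonicalisation, the constant-time comparison and the optional timestamp window are my choices, since slide 30 leaves all of that to the service provider.

```python
"""Access-key signed requests: client signing and server verification.

Added example, not code from the talk.  KEY_STORE is a constructed
key -> shared-secret table; the algorithm choices are this example's own.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed key store: public API key -> shared secret.  A real store keeps
# the secret encrypted at rest; HMAC needs the plaintext secret to verify.
KEY_STORE = {"23sdbk32": "vje48hvn4"}

ALLOWED_SKEW = 300  # seconds a signed request stays valid (assumption)


def canonical_query(params) -> str:
    # Both sides must serialise identically: sorted, URL-encoded, and without
    # the signature itself.  Repeated parameter names are not handled here.
    items = sorted((k, v) for k, v in params.items() if k != "signature")
    return urlencode(items)


def sign(params, secret: str) -> str:
    # "params + shared secret" from slide 31: an HMAC keyed with the secret
    # over the canonical query string.  The secret never travels.
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha256)
    return mac.hexdigest()


def client_sign(params, secret: str) -> str:
    # Client side of slide 32:  ?key=val  ->  ?key=val&signature=...
    signed = dict(params)
    signed["signature"] = sign(params, secret)
    return urlencode(sorted(signed.items()))


def verify_request(query_string: str, now=None):
    """Server side of slide 32.  Returns (accepted, reason)."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    key = params.get("key")
    presented = params.get("signature")
    if not key or not presented:
        return False, "missing key or signature"
    secret = KEY_STORE.get(key)
    if secret is None:
        return False, "unknown key"
    expected = sign(params, secret)
    # Constant-time comparison: a plain == returns early at the first
    # differing character and leaks how much of a guess was right.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    # Optional replay protection: if the client signed a "ts" parameter, the
    # request must be recent.  The signature covers ts, so it cannot be edited.
    ts = params.get("ts")
    if ts is not None:
        current = time.time() if now is None else now
        try:
            age = abs(current - int(ts))
        except ValueError:
            return False, "bad timestamp"
        if age > ALLOWED_SKEW:
            return False, "stale request"
    return True, "ok"


if __name__ == "__main__":
    query = client_sign({"key": "23sdbk32", "beer": "435", "ts": str(int(time.time()))}, "vje48hvn4")
    print(query)
    print(verify_request(query))                                   # (True, 'ok')
    print(verify_request(query.replace("beer=435", "beer=436")))   # (False, 'bad signature')
```

The tampered request in the `__main__` block is what slide 33 means by "signed requests prevent altering parameters": the server re-signs what it actually received, so a changed parameter never matches. Without the timestamp, an intercepted signed request can be resubmitted unchanged, which is the gap the optional `ts` check closes.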
33. Access Keys Pros
• Easy to generate keys and distribute them
• Typically removes the need to transfer username and password in raw form
• Signed requests prevent altering parameters

34. Access Keys Cons
• Unsigned
  • Must embed them in code
  • SSL is not required, so will (by default) transfer in plaintext
• Signed
  • Encryption is scary....ish

35. Best Practices for Keys
• Use signed requests over unsigned
• One key per application per developer
• Require username in headers

36. General Best Practices
• Rate Limiting
• Access Control
• Error Handling
• SSL Layer
• API Domain
“Stupid is as Stupid Does” - Gump

37. Rate-Limiting
• Keeps API access in check
• Authenticated and Unauthenticated calls should be subject to rate limiting
• Best practice
  • Have a standard, application wide rate limit
  • Allow that limit to be overridden on a per user, per application basis

38. Rate-Limiting Best Practices
• Authenticated
  • Have a standard, application wide rate limit
  • Allow that limit to be overridden on a per user, per application basis
• Unauthenticated
  • Based on domain or IP address
  • Allow limit to be overridden as well

39. Access Control
• Treat API endpoints just as service endpoints in your application
• Have a standard API access site wide
• Allow override on a per-user, per-application basis
• Allows you to roll out features to a select group or user

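Slides 37 to 39 describe the same pattern twice: a site-wide default, overridable per user and per application, once for rate limits and once for feature access. The following Python is an added example, not code from the talk, that implements that resolution once and uses it for both. The limits, window length, feature names and client identifiers are constructed; the fixed-window counter lives in memory, so a real deployment would back it with a shared store.

```python
"""Site-wide defaults with per-user, per-application overrides, applied to
rate limiting (slides 37-38) and access control (slide 39).

Added example, not code from the talk.  All numbers and names are constructed.
"""
import time
from collections import defaultdict

WINDOW_SECONDS = 3600
DEFAULT_AUTH_LIMIT = 1000     # per user, per application, per window
DEFAULT_UNAUTH_LIMIT = 60     # per source IP or domain, per window
SITE_FEATURES = {             # site-wide access (slide 39)
    "beers.read": True,
    "breweries.read": True,
    "beers.write": False,     # granted per user/app until it is public
}


class Policy:
    def __init__(self):
        self.auth_limits = {}        # (user, app) -> limit
        self.unauth_limits = {}      # ip or domain -> limit
        self.feature_grants = {}     # (user, app) -> {feature: bool}

    def auth_limit(self, user, app):
        return self.auth_limits.get((user, app), DEFAULT_AUTH_LIMIT)

    def unauth_limit(self, client):
        return self.unauth_limits.get(client, DEFAULT_UNAUTH_LIMIT)

    def can_access(self, user, app, feature):
        # Override wins, then the site-wide setting; unknown features are denied.
        override = self.feature_grants.get((user, app), {})
        return override.get(feature, SITE_FEATURES.get(feature, False))


class RateLimiter:
    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock                                 # injectable for tests
        self.windows = defaultdict(lambda: [0.0, 0])       # bucket -> [window start, count]

    def _take(self, bucket, limit):
        """Fixed-window counter.  Returns (allowed, remaining, limit)."""
        now = self.clock()
        entry = self.windows[bucket]
        if now - entry[0] >= WINDOW_SECONDS:
            entry[0], entry[1] = now, 0
        if entry[1] >= limit:
            return False, 0, limit
        entry[1] += 1
        return True, limit - entry[1], limit

    def check_authenticated(self, user, app):
        # Authenticated calls are counted per user and application (slide 38).
        return self._take(("auth", user, app), self.policy.auth_limit(user, app))

    def check_unauthenticated(self, client):
        # Unauthenticated calls are counted per IP address or domain (slide 38).
        return self._take(("anon", client), self.policy.unauth_limit(client))


def rate_limit_headers(result):
    """Turn a check result into (status, headers) for the response."""
    allowed, remaining, limit = result
    headers = {"X-RateLimit-Limit": str(limit), "X-RateLimit-Remaining": str(remaining)}
    return (200 if allowed else 429), headers


if __name__ == "__main__":
    policy = Policy()
    policy.auth_limits[("alice", "mobile-app")] = 2          # per-user, per-app override
    policy.feature_grants[("alice", "mobile-app")] = {"beers.write": True}
    limiter = RateLimiter(policy)
    for _ in range(3):
        print(rate_limit_headers(limiter.check_authenticated("alice", "mobile-app")))
    print(policy.can_access("alice", "mobile-app", "beers.write"),
          policy.can_access("bob", "mobile-app", "beers.write"))
```

The same lookup order (override, then site-wide default, then deny) serves both concerns, which is what lets a feature be rolled out to one developer's application before anyone else sees it. Note that an unauthenticated limit keyed on IP address is only a coarse control: many clients can share one address, and one client can use many.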
40. Error Handling
• Set appropriate HTTP headers
• Provide viable, valid error messages
• Log errors for the API too
• Have a standard error response object for all methods, including authentication

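One shape the "standard error response object" of slide 40 can take, as an added Python example that is not code from the talk. The error classes, the JSON envelope and the header choices are mine; the slides only ask for correct HTTP status codes, useful messages, logging, and one response shape for every method including authentication. The security point the example adds is that an unexpected exception is logged in full but never echoed to the client, because exception text routinely carries file paths, SQL and connection strings.

```python
"""A single error envelope for every API method, including authentication.

Added example, not code from the talk.  Error classes, envelope fields and
header choices are this example's own.
"""
import json
import logging
import uuid

log = logging.getLogger("api")


class ApiError(Exception):
    status = 400
    code = "bad_request"

    def __init__(self, message, **details):
        super().__init__(message)
        self.details = details      # client-safe extras only, e.g. retry_after


class AuthenticationRequired(ApiError):
    status, code = 401, "authentication_required"


class NotFound(ApiError):
    status, code = 404, "not_found"


class RateLimited(ApiError):
    status, code = 429, "rate_limited"


def error_response(exc, request_id=None):
    """Map any exception to (status, headers, body) using one envelope."""
    request_id = request_id or uuid.uuid4().hex
    if isinstance(exc, ApiError):
        status, code, message, details = exc.status, exc.code, str(exc), exc.details
    else:
        # Unexpected exception: generic message to the client, full detail to
        # the log.  The request id lets support find the logged record.
        status, code, message, details = 500, "internal_error", "An internal error occurred.", {}
    log.error("request_id=%s status=%d code=%s exc=%r", request_id, status, code, exc)
    headers = {"Content-Type": "application/json"}
    if status == 401:
        # RFC 7235 requires a challenge with 401; the scheme named here is an
        # assumption (BasicAuth), matching slides 26-29.
        headers["WWW-Authenticate"] = 'Basic realm="api"'
    if status == 429 and "retry_after" in details:
        headers["Retry-After"] = str(details["retry_after"])
    body = json.dumps({"error": {"code": code, "message": message,
                                 "request_id": request_id, **details}})
    return status, headers, body


if __name__ == "__main__":
    # Constructed failures: an authentication error and an internal one.
    print(error_response(AuthenticationRequired("Authentication required")))
    print(error_response(RuntimeError("db://user:hunter2@10.0.0.5 refused connection")))
```

Authentication failures go through the same function as everything else, so a client only ever has to parse one error shape; the difference between a 401 and a 500 is the status, the challenge header, and how much of the cause is shared.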
41. SSL Layer
• Encrypts all traffic to and from your API
• Can cause performance hit
  • ~10-15% in trials
• Depending on protocol, should be a requirement

42. API Domain
• Use sub-domain
  • Can move to separate webserver
  • Handle traffic requirements

43. Questions?
Jason Austin - @jason_austin - jfaustin@gmail.com
http://joind.in/3427