Five Simple Strategies for Securing APIs
Tran Minh Tri
Security bootcamp 2018
Product manager
tritm@mi2.com.vn
Tran Minh Tri
@tridalat
Slideshare.net/tridalat
Linkedin.com/tridalat
https://api.mi2.vn
Contents
WHAT ARE APIs?
ARE THEY WORTH THE RISK?
THE THREE ATTACK VECTORS TO WATCH OUT FOR
FIVE SIMPLE MITIGATION STRATEGIES YOU MIGHT HAVE OVERLOOKED
CONCLUSION
WHAT ARE APIs?
APIs are like windows into an application
APIs are the building blocks of digital transformation
(Diagram: IoT devices, cloud, mobile, partners/external divisions, external developers and data all connect through APIs to your digital business.)
Digital transformation as a maturity model
(Diagram: an axis from low digital maturity to high digital maturity: Offline/In-Person, Web, Mobile, Omnichannel, Ecosystem.)
How Do APIs Increase an Organization’s Risk?
Digital Transformation in Retail (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• RETAIL STORE
• CATALOG & CALL CENTER
• WEB STOREFRONT
• AFFILIATE CHANNELS
• MOBILE STOREFRONT
• SHOPPER PROFILE APIs
• PRODUCT CATALOG APIs
• PERSISTENT CART APIs
• IN-STORE/PROXIMITY APIs
• INVENTORY/LOGISTICS APIs
• PERSONALIZED PROFILE APIs
• ADVANCED PAYMENT APIs
• LOYALTY PARTNER APIs
• MARKETPLACE APIs
• SMART PRODUCT APIs
Digital Transformation in Automotive (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• DEALER
• SERVICE CENTER/MECHANIC
• BRAND CONTENT
• ONLINE PRODUCT DATA
• RATINGS & REVIEWS
• DEALER APIs
• PRODUCT DATA APIs
• DRIVER PROFILE APIs
• DIAGNOSTIC APIs
• VEHICLE FEATURE APIs
• HISTORY/MAINTENANCE APIs
• OTA UPDATE APIs
• UBI APIs
• LOCATION & CONTEXT APIs
• INSURANCE APIs
• VEHICLE SHARE APIs
Digital Transformation in Transportation & Logistics (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• DROPOFF / PICKUP CENTER
• COURIER
• WEB RESEARCH
• WEB SCHEDULING
• WEB TRACKING
• RATE AND SLA APIs
• SERVICE APIs
• TRACKING APIs
• FLEET TRACKING APIs
• SUPPLY CHAIN APIs
• TRAFFIC MANAGEMENT APIs
• ENROUTE REDIRECT APIs
• PROOF OF DELIVERY APIs
• TRAFFIC DATA APIs
• 3PL SERVICES APIs
• 3P PICKUP/DROPOFF APIs
Digital Transformation in Healthcare (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• PRACTITIONER OFFICE
• OFFLINE HEALTH RECORDS
• CALL CENTER
• ONLINE RESEARCH
• CLAIMS & HISTORY
• APPOINTMENT APIs
• PLAN SELECTION APIs
• INSURER INTEGRATION APIs
• TELEHEALTH APIs
• BIOTELEMETRY APIs
• EHR APIs
• MONITORING DEVICE APIs
• CARE ANALYTICS APIs
• PARTNER SERVICES APIs
Digital Transformation in Financial Services (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• RETAIL BANKING
• ONLINE BANKING
• LOCATION & SERVICE APIs
• ACCOUNT APIs
• ALERT/MONITORING APIs
• MOBILE PAYMENT APIs
• DIRECT DEPOSIT APIs
• INVESTMENT APIs
• P2P MOBILE PAYMENT APIs
• LOYALTY PARTNER APIs
• P2P LENDING APIs
• WEALTH MANAGEMENT APIs
Digital Transformation in Media & Entertainment (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• BROADCAST MEDIA
• PROPRIETARY STB
• ONLINE PURCHASE
• GUIDE & METADATA
• STREAMING MEDIA APIs
• METADATA APIs
• ENTITLEMENT APIs
• VIEWER PROFILE APIs
• QUAD-PLAY APIs
• SERVICE DASHBOARD APIs
• WALLET/PAYMENT APIs
• PARTNER ENTITLEMENT APIs
• CONTENT-KEYED APIs
• AD NETWORK APIs
• EVENT APIs
Digital Transformation in Sports & Fitness (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• BROADCAST SPORTS
• DISCONNECTED DEVICES
• SCORES & STATS
• ONLINE CONTENT
• SCORES & STATS APIs
• TRACK & MONITOR APIs
• FITNESS PROFILE APIs
• REAL-TIME 2ND SCREEN APIs
• MULTI-DEVICE PROFILE APIs
• FITNESS PLATFORM APIs
• HEALTH CONNECTIVITY APIs
• DATA SUBSCRIPTION APIs
Digital Transformation in Travel & Hospitality (low to high digital maturity: Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem)
• PROPRIETARY RESERVATIONS
• TRAVEL AGENT
• FARES & SCHEDULES
• ONLINE BOOKING
• ONLINE CHANNELS
• FARE & SCHEDULE APIs
• STATUS & ALERT APIs
• TRAVELER PROFILE APIs
• IDENTITY & ACCESS APIs
• LOCATION-AWARE APIs
• ENROUTE SERVICES APIs
• LOYALTY PARTNER APIs
• MULTI-MODE TRAVEL APIs
Prominent API Breaches
Niantic's API for Pokemon Go Cracked
• The API functions as the access point for accessing the DB and algorithm
• 3rd parties found the API and created apps that aid in the capture
• Server-side issues (including downtime) increased as a result
(Examples: Pokevision, FastPokeMap)
The Three Attack Vectors to Watch Out For
(Diagram: outside the enterprise sit the Internet of Things, mobile, SaaS/cloud solutions such as AWS, Google and SFDC, partner ecosystems and external developers; within the enterprise sit secure data, the application portfolio, ID/authentication, reporting & analytics and internal teams.)
Many API developers come directly from a web design background, and may bring with them some bad habits.
Identity
• Identity attacks exploit flaws in authentication, authorization, and session tracking. In particular, many of these are the result of migrating bad practices from the web world into API development.
Parameters
• Parameter attacks exploit the data sent into an API, including the URL, query parameters, HTTP headers, and/or POST content.
Man-in-the-middle
• These attacks intercept legitimate transactions and exploit unsigned and/or unencrypted data being sent between the client and the server. They can reveal confidential information (such as personal data), alter a transaction in flight, or even replay legitimate transactions.
Attack Vector: Parameters
• The API functions as the access point for accessing the DB and algorithm
  – In the traditional web world, parameterization was limited and indirect
  – Subject to the capabilities of URLs and forms
• APIs, in contrast, offer much more explicit parameterization
  – The full power of RESTful design: GET, POST, PUT, DELETE
  – (And don't stop there… what about the effects of HEAD, etc.?)
• This creates a greater potential attack surface
  – Injection, bounds, correlation, and so on
Attack Vector: Identity
• We had it surprisingly good in the Web world
  – Browser session usually tied to a human
  – Dealing with one identity is not so tough
• Security tokens abound, but solutions are mature
  – Username/pass, multi-factor, SAML, etc.
• APIs are rapidly becoming more difficult
  – Non-human entities
  – Multiple layers of relevant identities
    – Me, my attributes, my phone, my developer, my provider…
API keys
“An application programming interface key (API key) is a code generated by websites that allow users to access their application programming interface. API keys are used to track how the API is being used in order to prevent malicious use or abuse of the terms of service.”
Many applications publishing APIs require clients to use an API key to access their functionality.
(Source: Wikipedia, http://en.wikipedia.org/wiki/Application_programming_interface_key)
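The key lifecycle the quotation describes, as an added example that is not from the slide deck: the server generates a random key per client application, stores only its hash, and counts calls per key so usage can be tracked and abusive clients throttled or revoked. The `ApiKeyStore` class, its quota and the in-memory registry are assumptions made for the illustration; the key identifies the calling application, which is why the deck separately lists OAuth for people.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class KeyRecord:
    """What the server keeps for one issued key (constructed for this example)."""
    client: str          # the application the key was issued to
    key_hash: str        # SHA-256 of the key; the raw key itself is never stored
    created: float
    calls: int = 0       # lifetime usage counter: the basis for tracking how the API is used
    window_start: float = 0.0
    window_calls: int = 0


class ApiKeyStore:
    """In-memory key registry with a per-key, per-minute call quota (assumed design)."""

    def __init__(self, max_calls_per_minute: int = 60) -> None:
        self._records: Dict[str, KeyRecord] = {}
        self.max_calls = max_calls_per_minute

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, client: str, now: Optional[float] = None) -> str:
        """Generate a random key for a client. The key is returned exactly once;
        a leak of the store reveals only hashes, which cannot be presented as keys."""
        key = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        key_hash = self._hash(key)
        created = now if now is not None else time.time()
        self._records[key_hash] = KeyRecord(client, key_hash, created)
        return key

    def lookup(self, key: str) -> Optional[KeyRecord]:
        """Resolve a presented key to its record by hashing it the same way."""
        return self._records.get(self._hash(key))

    def check(self, key: Optional[str], now: Optional[float] = None) -> Tuple[bool, str]:
        """Authenticate one request and charge it against the key's quota.
        Returns (accepted, client name or rejection reason)."""
        now = now if now is not None else time.time()
        if not key:
            return False, "missing api key"
        rec = self.lookup(key)
        if rec is None:
            return False, "unknown api key"
        # fixed one-minute window: reset the counter once the window has elapsed
        if now - rec.window_start >= 60:
            rec.window_start, rec.window_calls = now, 0
        rec.window_calls += 1
        rec.calls += 1
        if rec.window_calls > self.max_calls:
            return False, "rate limit exceeded for " + rec.client
        return True, rec.client

    def revoke(self, key: str) -> bool:
        """Remove a key, e.g. when a third-party app is found abusing the API."""
        return self._records.pop(self._hash(key), None) is not None
```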
Man-in-the-middle
How Should You Secure Your APIs?
Five Simple Mitigation Strategies That Will Allow an Organization to More Securely Publish APIs
Strategy 1: Validate Parameters
Strategy 2: Apply Explicit Threat Detection
Strategy 3: Turn on SSL Everywhere
Strategy 4: Apply Rigorous Authentication and Authorization
Strategy 5: Use Proven Solutions

Strategy 1: Validate Parameters
• Rigorous validation of consumer-supplied inputs – and API output
• Use schema validation
Strategy 2: Apply Explicit Threat Detection
• Blacklist dangerous tags like <SCRIPT>
• Virus scanning of attachments
• Very large messages can be an effective denial-of-service attack
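Strategies 1 and 2 applied to one request, as an added example that is not part of the deck: the body is size-checked before it is parsed, every parameter must appear in an explicit schema with type and bounds (unknown parameters are rejected rather than ignored), and string values then pass through explicit threat checks. The `/orders` schema, the 4 KB limit and the helper names are assumptions; the script-tag check is a blacklist as the slide describes, which catches only what it is told to look for, so the allow-list schema does the real work.

```python
import json
import re
from typing import Any, Dict, List, Tuple

MAX_BODY_BYTES = 4096          # oversized messages are rejected before any parsing
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Schema for an assumed POST /orders endpoint. Each field declares its type,
# whether it is required, and its bounds; any parameter not listed is rejected.
ORDER_SCHEMA: Dict[str, Dict[str, Any]] = {
    "sku":      {"type": str, "required": True, "pattern": r"^[A-Z0-9-]{3,20}$"},
    "quantity": {"type": int, "required": True, "min": 1, "max": 100},
    "note":     {"type": str, "required": False, "max_len": 200},
}


def detect_threats(value: str) -> List[str]:
    """Explicit (blacklist) checks on one string value; returns the findings."""
    findings = []
    if SCRIPT_TAG.search(value):
        findings.append("script tag")
    if "\x00" in value:
        findings.append("null byte")
    return findings


def validate_request(raw_body: bytes, schema: Dict[str, Dict[str, Any]] = ORDER_SCHEMA) -> Tuple[bool, List[str]]:
    """Return (accepted, errors). The layers run in order: size, JSON syntax,
    object shape, unknown/missing fields, type, bounds, then threat content."""
    if len(raw_body) > MAX_BODY_BYTES:
        return False, ["body exceeds %d bytes" % MAX_BODY_BYTES]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, ["body is not valid JSON"]
    if not isinstance(body, dict):
        return False, ["body must be a JSON object"]

    errors: List[str] = []
    for name in body:                              # allow-list of parameter names
        if name not in schema:
            errors.append("unexpected parameter: " + name)
    for name, rule in schema.items():
        if name not in body:
            if rule["required"]:
                errors.append("missing parameter: " + name)
            continue
        val = body[name]
        # bool is a subclass of int in Python; true/false must not pass as a count
        if isinstance(val, bool) or not isinstance(val, rule["type"]):
            errors.append("%s: expected %s" % (name, rule["type"].__name__))
            continue
        if isinstance(val, int):
            if val < rule.get("min", val) or val > rule.get("max", val):
                errors.append(name + ": out of range")
        else:
            if len(val) > rule.get("max_len", len(val)):
                errors.append(name + ": too long")
            if "pattern" in rule and not re.match(rule["pattern"], val):
                errors.append(name + ": bad format")
            for finding in detect_threats(val):
                errors.append(name + ": " + finding)
    return (len(errors) == 0), errors
```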
Strategy 3: Turn on SSL Everywhere
Strategy 4: Apply Rigorous Authentication and Authorization
• Multiple identity profile (roles, geo-location, IP, user agent, time of day...)
• OAuth for people
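The "multiple identity profile" bullet in code, as an added example that is not from the deck: an authorization decision that checks the caller's role together with source network, country, client user agent and time of day, and reports every failed attribute so the audit log explains a denial. The policy table, the `RequestContext` fields and the endpoint names are assumptions; the subject and roles are taken to have come from the authentication layer (for human users, the OAuth flow the slide mentions), and the country from a GeoIP lookup that is trusted here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RequestContext:
    """Attributes of one call, assembled by the authentication layer (assumed)."""
    subject: str               # who or what is calling, as established by token validation
    roles: List[str]
    source_ip: str
    country: str               # ISO code from GeoIP or an edge header, trusted for this example
    user_agent: str
    hour_utc: int              # 0-23, time of the request


@dataclass
class Policy:
    """Per-endpoint rule; an empty list or None means 'no restriction on this attribute'."""
    roles_any: List[str]                                  # at least one of these roles
    networks: List[str] = field(default_factory=list)     # permitted source CIDRs
    countries: List[str] = field(default_factory=list)    # permitted ISO country codes
    ua_prefixes: List[str] = field(default_factory=list)  # permitted client identifiers
    hours_utc: Optional[Tuple[int, int]] = None           # inclusive hour window


# Constructed policy table. The payout endpoint is the sensitive one: finance role,
# corporate network, home country, the first-party app and office hours only.
POLICIES: Dict[str, Policy] = {
    "GET /accounts": Policy(roles_any=["customer", "finance"]),
    "POST /payouts": Policy(roles_any=["finance"],
                            networks=["10.0.0.0/8"],
                            countries=["VN"],
                            ua_prefixes=["example-finance-app/"],
                            hours_utc=(1, 11)),
}


def evaluate(endpoint: str, ctx: RequestContext) -> Tuple[bool, List[str]]:
    """Return (allowed, failed_attributes). Unknown endpoints are denied by default."""
    policy = POLICIES.get(endpoint)
    if policy is None:
        return False, ["no policy for endpoint"]
    reasons: List[str] = []
    if not set(ctx.roles) & set(policy.roles_any):
        reasons.append("role")
    if policy.networks:
        try:
            ip = ipaddress.ip_address(ctx.source_ip)
            on_net = any(ip in ipaddress.ip_network(n) for n in policy.networks)
        except ValueError:                 # unparsable address never satisfies the rule
            on_net = False
        if not on_net:
            reasons.append("network")
    if policy.countries and ctx.country not in policy.countries:
        reasons.append("country")
    if policy.ua_prefixes and not any(ctx.user_agent.startswith(p) for p in policy.ua_prefixes):
        reasons.append("user agent")
    if policy.hours_utc is not None:
        lo, hi = policy.hours_utc
        if not (lo <= ctx.hour_utc <= hi):
            reasons.append("time of day")
    return (not reasons), reasons
```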
Strategy 5: Use Proven Solutions
• Separate out API implementation and API security into distinct tiers
• API Gateway (access control, threat detection, confidentiality and integrity, audit management)
Conclusion
APIs represent a great opportunity for the enterprise to
integrate applications quickly and easily. But APIs can be a
double-edged sword: promising agility, while at the same time
increasing risk. But if an organization can address API security
as an architectural challenge long before any development
takes place, it can reap the rewards of this technological
breakthrough safely and securely.
Q & A

Weitere ähnliche Inhalte

Was ist angesagt?

Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcit
mmubashirkhan
 

Was ist angesagt? (20)

Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
 
3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor Authentication
 
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDETWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
 
Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
Two Factor Authentication Made Easy ICWE 2015
Two Factor Authentication Made Easy  ICWE 2015Two Factor Authentication Made Easy  ICWE 2015
Two Factor Authentication Made Easy ICWE 2015
 
Hacking Presentation
Hacking PresentationHacking Presentation
Hacking Presentation
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Avoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AloneAvoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not Alone
 
Essential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEssential Defense by Kevin Cardwell
Essential Defense by Kevin Cardwell
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Why Two-Factor Authentication?
Why Two-Factor Authentication?Why Two-Factor Authentication?
Why Two-Factor Authentication?
 
Ethical Hacking (CEH) - Industrial Training Report
Ethical Hacking (CEH) - Industrial Training ReportEthical Hacking (CEH) - Industrial Training Report
Ethical Hacking (CEH) - Industrial Training Report
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
Logincat MFA and SSO
Logincat  MFA and SSOLogincat  MFA and SSO
Logincat MFA and SSO
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcit
 

Ähnlich wie Api security-present

Cloud Security Primer - F5 Networks
Cloud Security Primer - F5 NetworksCloud Security Primer - F5 Networks
Cloud Security Primer - F5 Networks
Harry Gunns
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
Akana
 

Ähnlich wie Api security-present (20)

F5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdfF5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdf
 
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
Api management customer
Api management customerApi management customer
Api management customer
 
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practice
 
Success with APIs: A Checklist
Success with APIs: A ChecklistSuccess with APIs: A Checklist
Success with APIs: A Checklist
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6
 
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2- OSC Korea - Accelerating Digital Businesses with APIsWSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
 
APIs: the Glue of Cloud Computing
APIs: the Glue of Cloud ComputingAPIs: the Glue of Cloud Computing
APIs: the Glue of Cloud Computing
 
INTERFACE, by apidays - From Monolith to Open Finance with APIs by Marcilio ...
INTERFACE, by apidays  - From Monolith to Open Finance with APIs by Marcilio ...INTERFACE, by apidays  - From Monolith to Open Finance with APIs by Marcilio ...
INTERFACE, by apidays - From Monolith to Open Finance with APIs by Marcilio ...
 
Cloud Security Primer - F5 Networks
Cloud Security Primer - F5 NetworksCloud Security Primer - F5 Networks
Cloud Security Primer - F5 Networks
 
apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...
apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...
apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
 
I Love APIs Europe 2015: Technical Sessions
I Love APIs Europe 2015: Technical SessionsI Love APIs Europe 2015: Technical Sessions
I Love APIs Europe 2015: Technical Sessions
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
Service Virtualization + API Management together
Service Virtualization + API Management togetherService Virtualization + API Management together
Service Virtualization + API Management together
 
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...
 

Mehr von Security Bootcamp

GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
Security Bootcamp
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
Security Bootcamp
 

Mehr von Security Bootcamp (20)

Ransomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurity
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
 
Deception change-the-game
Deception change-the-gameDeception change-the-game
Deception change-the-game
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdr
 
Sbc2019 luong-cyber startup
Sbc2019 luong-cyber startupSbc2019 luong-cyber startup
Sbc2019 luong-cyber startup
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-want
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - public
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cu
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 cost
 
Build SOC
Build SOC Build SOC
Build SOC
 
AD red vs blue
AD red vs blueAD red vs blue
AD red vs blue
 
Securitybox
SecurityboxSecuritybox
Securitybox
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018
 
Tran Minh Tri - Bao mat du lieu thoi ky [3.0]
Tran Minh Tri - Bao mat du lieu thoi ky [3.0]Tran Minh Tri - Bao mat du lieu thoi ky [3.0]
Tran Minh Tri - Bao mat du lieu thoi ky [3.0]
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

Api security-present

  • 1. Five Simple Strategies for Securing APIs Tran Minh Tri Security bootcamp 2018
  • 2. Product manager tritm@mi2.com.vn Tran Minh Tri @tridalat Slideshare.net/tridalat Linkedin.com/tridalat https://api.mi2.vn
  • 3. 3 Contents WHAT ARE APIS ? ARE THEY WORTH THE RISK ? THE THREE ATTACK VECTORS TO WATCH OUT FOR FIVE SIMPLE MITIGATION STRATEGIES YOU MIGHT HAVE OVERLOOKED CONCLUSION
  • 4. WHAT ARE APIS ? APIs are like windows into an application
  • 5. 5 APIs are the building blocks of digital transformation IOT Devices Cloud Mobile Partners/External Divisions External Developers Data Your Digital Business
  • 6. 6
  • 7. 7 Digital transformation as a maturity model Low digital maturity High digital maturity Offline/In-Person Web Mobile Omnichannel Ecosystem How Do APIs Increase an Organization’s Risk?
  • 8. 8 Digital Transformation in Retail Low digital maturity High digital maturity  RETAIL STORE  CATALOG & CALL CENTER  WEB STOREFRONT  AFFILIATE CHANNELS  MOBILE STOREFRONT  SHOPPER PROFILE APIs  PRODUCT CATALOG APIs  PERSISTENT CART APIs  IN-STORE/PROXIMITY APIs  INVENTORY/LOGISTICS APIs  PERSONALIZED PROFILE APIs  ADVANCED PAYMENT APIs  LOYALTY PARTNER APIs  MARKETPLACE APIs  SMART PRODUCT APIs Offline / In-Person Web Mobile Omnichannel Ecosystem
  • 9. 9Low digital maturity High digital maturity Offline / In-Person Web Mobile Omnichannel Ecosystem  DEALER  SERVICE CENTER/MECHANIC  BRAND CONTENT  ONLINE PRODUCT DATA  RATINGS & REVIEWS  DEALER APIs  PRODUCT DATA APIs  DRIVER PROFILE APIs  DIAGNOSTIC APIs  VEHICLE FEATURE APIs  HISTORY/MAINTENANCE APIs  OTA UPDATE APIs  UBI APIs  LOCATION & CONTEXT APIs  INSURANCE APIs  VEHICLE SHARE APIs Digital Transformation in Automotive
  • 10. 10Low digital maturity High digital maturity  DROPOFF / PICKUP CENTER  COURIER  WEB RESEARCH  WEB SCHEDULING  WEB TRACKING  RATE AND SLA APIs  SERVICE APIs  TRACKING APIs  FLEET TRACKING APIs  SUPPLY CHAIN APIs  TRAFFIC MANAGEMENT APIs  ENROUTE REDIRECT APIs  PROOF OF DELIVERY APIs  TRAFFIC DATA APIs  3PL SERVICES APIs  3P PICKUP/DROPOFF APIs Digital Transformation in Transportation & Logistics Offline / In-Person Web Mobile Omnichannel Ecosystem
  • 11. 11Low digital maturity High digital maturity  PRACTITIONER OFFICE  OFFLINE HEALTH RECORDS  CALL CENTER  ONLINE RESEARCH  CLAIMS & HISTORY  APPOINTMENT APIs  PLAN SELECION APIs  INSURER INTEGRATON APIs  TELEHEALTH APIs  BIOTELEMETRY APIs  EHR APIs  MONITORING DEVICE APIs  CARE ANALYTICS APIs  PARTNER SERVICES APIs Digital Transformation in Healthcare Offline / In-Person Web Mobile Omnichannel Ecosystem
  • 12. 12Low digital maturity High digital maturity  RETAIL BANKING  ONLINE BANKING  LOCATION & SERVICE APIs  ACCOUNT APIs  ALERT/MONITORING APIs  MOBILE PAYMENT APIs  DIRECT DEPOSIT APIs  INVESTMENT APIs  P2P MOBILE PAYMENT APIs  LOYALTY PARTNER APIs  P2P LENDING APIs  WEALTH MANAGEMENT APIs Digital Transformation in Financial Services Offline / In-Person Web Mobile Omnichannel Ecosystem
  • 13. 13Low digital maturity High digital maturity  BROADCAST MEDIA  PROPRIETARY STB  ONLINE PURCHASE  GUIDE & METADATA  STREAMING MEDIA APIs  METADATA APIs  ENTITLEMENT APIs  VIEWER PROFILE APIs  QUAD-PLAY APIs  SERVICE DASHBOARD APIs  WALLET/PAYMENT APIs  PARTNER ENTITLEMENT APIs  CONTENT-KEYED APIs  AD NETWORK APIs  EVENT APIs Digital Transformation in Media & Entertainment Offline / In-Person Web Mobile Omnichannel Ecosystem
  • 14. 14Low digital maturity High digital maturity  BROADCAST SPORTS  DISCONNECTED DEVICES  SCORES & STATS  ONLINE CONTENT  SCORES & STATS APIs  TRACK & MONITOR APIs  FITNESS PROFILE APIs  REAL-TIME 2ND SCREEN APIs  MULTI-DEVICE PROFILE APIs  FITNESS PLATFORM APIs  HEALTH CONNECTIVITY APIs  DATA SUBSCRIPTION APIs Digital Transformation in Sports & Fitness Offline / In-Person Web Mobile Omnichannel Ecosystem
  • 15. 15Low digital maturity High digital maturity  PROPRIETARY RESERVATIONS  TRAVEL AGENT  FARES & SCHEDULES  ONLINE BOOKING  ONLINE CHANNELS  FARE & SCHEDULE APIs  STATUS & ALERT APIs  TRAVELER PROFILE APIs  IDENTITY & ACCESS APIs  LOCATION-AWARE APIs  ENROUTE SERVICES APIs  LOYALTY PARTNER APIs  MULTI-MODE TRAVEL APIs Digital Transformation in Travel & Hospitality Offline / In-Person Web Mobile Omnichannel Ecosystem
  • 16. 16
  • 18. 18 Niantic's API for Pokemon Go Cracked  API functions as the access point for accessing DB and algorithm  3rd parties found the API and created apps that aid in the capture  Server side issues (including downtime) increased as a result Pokevision FastPokeMap
  • 19. The Three Attack Vectors to Watch Out For
  • 20. The Three Attack Vectors to Watch Out For
    [Diagram: Outside the enterprise: Internet of Things, Mobile, SaaS/Cloud solutions (AWS, Google, SFDC ...), Partner ecosystems, External developers. Within the enterprise: Secure data, Application portfolio, ID/Authentication, Reporting & analytics, Internal teams.]
    Many API developers come directly from a web design background, and may bring with them some bad habits.
    - Identity: identity attacks exploit flaws in authentication, authorization, and session tracking. In particular, many of these are the result of migrating bad practices from the web world into API development.
    - Parameters: parameter attacks exploit the data sent into an API, including the URL, query parameters, HTTP headers, and/or POST content.
    - Man-in-the-middle: these attacks intercept legitimate transactions and exploit unsigned and/or unencrypted data being sent between the client and the server. They can reveal confidential information (such as personal data), alter a transaction in flight, or even replay legitimate transactions.
  • 21. Attack Vector: Parameters
    - The API functions as the access point for accessing the DB and algorithm
      – In the traditional web world, parameterization was limited and indirect
      – Subject to the capabilities of URLs and forms
    - APIs, in contrast, offer much more explicit parameterization
      – The full power of RESTful design: GET, POST, PUT, DELETE
      – (And don't stop there... what about the effects of HEAD, etc.?)
    - This creates a greater potential attack surface
      – Injection, bounds, correlation, and so on
  • 22. Attack Vector: Identity
    - We had it surprisingly good in the web world
      – Browser session usually tied to a human
      – Dealing with one identity is not so tough
    - Security tokens abound, but solutions are mature
      – Username/password, multi-factor, SAML, etc.
    - APIs are rapidly becoming more difficult
      – Non-human entities
      – Multiple layers of relevant identities: me, my attributes, my phone, my developer, my provider...
  • 23. API keys. "An application programming interface key (API key) is a code generated by websites that allows users to access their application programming interface. API keys are used to track how the API is being used in order to prevent malicious use or abuse of the terms of service. Many applications publishing APIs require clients to use an API key to access their functionality." (Source: Wikipedia, http://en.wikipedia.org/wiki/Application_programming_interface_key)
  • 25. How Should You Secure Your APIs?
  • 26. Five Simple Mitigation Strategies That Will Allow an Organization to More Securely Publish APIs
  • 27. Strategy 1: Validate Parameters
    [Sidebar: Strategy 1: Validate Parameters; Strategy 2: Apply Explicit Threat Detection; Strategy 3: Turn on SSL Everywhere; Strategy 4: Apply Rigorous Authentication and Authorization; Strategy 5: Use Proven Solutions]
    - Rigorous validation of consumer-supplied inputs – and of API output
    - Use schema validation
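Schema validation as the slide describes it, written out as an added example (not code from the deck or from any product it mentions). The endpoint, field names and limits are constructed for illustration; the same `validate()` runs on the request coming in and on the response going out, which is the "and API output" half of the bullet.

```python
import re

# Constructed example schema for a hypothetical "POST /transfers" endpoint.
# Each rule allowlists exactly what a field may contain; unknown fields are
# rejected, so extra parameters cannot be smuggled past the API.
TRANSFER_REQUEST_SCHEMA = {
    "account_id": {"type": str, "pattern": r"[A-Z0-9]{8,12}"},
    "amount_cents": {"type": int, "min": 1, "max": 100_000_000},
    "memo": {"type": str, "max_len": 140, "required": False},
}
# The slide asks for validation of API output too: the same validator is run
# on the response before it leaves the service.
TRANSFER_RESPONSE_SCHEMA = {
    "transfer_id": {"type": str, "pattern": r"T[0-9]{10}"},
    "status": {"type": str, "pattern": r"accepted|rejected"},
}

def validate(payload, schema):
    """Return a list of error strings; an empty list means the payload is valid."""
    errors = []
    if not isinstance(payload, dict):
        return ["payload: expected a JSON object"]
    for name in payload:
        if name not in schema:
            errors.append(f"{name}: unexpected field")
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required", True):
                errors.append(f"{name}: missing")
            continue
        value = payload[name]
        # type() rather than isinstance(): bool is a subclass of int and must not pass
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: does not match required format")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
    return errors
```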
  • 28. Strategy 2: Apply Explicit Threat Detection
    - Blacklist dangerous tags like <SCRIPT>
    - Virus scanning of attachments
    - Very large messages can be effective denial-of-service attacks
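The first and third bullets as an added example (not from the deck): a request screen that refuses oversized bodies before parsing, then applies the tag blocklist, then parses and bounds the JSON nesting depth. The size and depth limits are constructed values; antivirus scanning of attachments needs a separate engine and is not shown. A blocklist like this is a detection layer that complements the allowlist validation of Strategy 1, not a replacement for it.

```python
import json
import re

MAX_BODY_BYTES = 64 * 1024   # constructed limit: refuse oversized messages before parsing
MAX_JSON_DEPTH = 20          # deeply nested JSON exhausts recursive parsers and serialisers

# The "dangerous tags" blocklist from the slide, matched case-insensitively and
# tolerant of stray whitespace so <SCRIPT>, <script > and < script all match.
DANGEROUS_PATTERNS = [
    ("script tag", re.compile(rb"<\s*script\b", re.IGNORECASE)),
    ("iframe tag", re.compile(rb"<\s*iframe\b", re.IGNORECASE)),
    ("javascript: URL", re.compile(rb"javascript\s*:", re.IGNORECASE)),
]

def json_depth(obj):
    """Nesting depth of parsed JSON: scalars are 0, [] and {} are 1."""
    if isinstance(obj, dict):
        return 1 + max((json_depth(v) for v in obj.values()), default=0)
    if isinstance(obj, list):
        return 1 + max((json_depth(v) for v in obj), default=0)
    return 0

def screen_request(body):
    """Return (allowed, reason). Cheap checks run first so a huge or hostile
    body is refused before any parsing or business logic touches it."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    for name, pattern in DANGEROUS_PATTERNS:
        if pattern.search(body):
            return False, f"dangerous content: {name}"
    try:
        parsed = json.loads(body)
    except (ValueError, RecursionError):
        return False, "malformed JSON"
    if json_depth(parsed) > MAX_JSON_DEPTH:
        return False, "JSON nested too deeply"
    return True, "ok"
```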
  • 29. Strategy 3: Turn on SSL Everywhere
  • 30. Strategy 4: Apply Rigorous Authentication and Authorization
    - Multiple identity profile (roles, geolocation, IP, user agent, time of day...)
    - OAuth for people
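The "multiple identity profile" bullet as an added example (not from the deck): an authorization decision that requires role, source network, time of day and client user agent to all agree, and denies unknown operations by default. Operations, roles, networks and hours are constructed; geolocation is represented by source-network ranges because a real GeoIP lookup needs an external database.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

@dataclass
class AccessPolicy:
    roles: set                                  # roles allowed to call the operation
    networks: list                              # CIDR ranges the caller may come from
    hours: tuple = (time(0), time(23, 59, 59))  # permitted local time window
    user_agents: tuple = ()                     # allowed UA prefixes; empty means any

@dataclass
class RequestContext:
    roles: set          # roles carried by the authenticated token
    source_ip: str
    local_time: time
    user_agent: str

# Constructed policies for a hypothetical banking API.
POLICIES = {
    "GET /accounts/{id}": AccessPolicy(roles={"customer", "teller"}, networks=["0.0.0.0/0"]),
    "POST /transfers": AccessPolicy(roles={"customer"}, networks=["0.0.0.0/0"],
                                    user_agents=("MobileBank/",)),
    "POST /admin/limits": AccessPolicy(roles={"ops_admin"}, networks=["10.20.0.0/16"],
                                       hours=(time(8), time(18))),
}

def authorize(operation, ctx):
    """Return (allowed, reason). Every signal in the profile must agree;
    the first failing check names the reason so it can be logged."""
    policy = POLICIES.get(operation)
    if policy is None:
        return False, "unknown operation"       # deny by default
    if not policy.roles & ctx.roles:
        return False, "role not permitted"
    addr = ipaddress.ip_address(ctx.source_ip)
    if not any(addr in ipaddress.ip_network(n) for n in policy.networks):
        return False, "source network not permitted"
    start, end = policy.hours
    if not (start <= ctx.local_time <= end):
        return False, "outside permitted hours"
    if policy.user_agents and not ctx.user_agent.startswith(policy.user_agents):
        return False, "unexpected client"
    return True, "ok"
```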
  • 31. Strategy 5: Use Proven Solutions
    - Separate out API implementation and API security into distinct tiers
    - API gateway (access control, threat detection, confidentiality and integrity, audit management)
  • 32. Conclusion. APIs represent a great opportunity for the enterprise to integrate applications quickly and easily. But APIs can be a double-edged sword: promising agility, while at the same time increasing risk. If an organization addresses API security as an architectural challenge long before any development takes place, it can reap the rewards of this technological breakthrough safely and securely.