
CIS14: Protecting Your APIs from Threats and Hacks


DESCRIPTION

Sachin Agarwal, SOA Software. Overview of common API security hacks and threats, and best practices to secure your APIs against them: detection and prevention of Denial of Service (DoS) attacks, malformed messages and excessive XML/JSON depth and breadth, message encryption and rate limiting, and the development and governance methodologies that need to be adopted to ensure security compliance.


Page 1: CIS14: Protecting Your APIs from Threats and Hacks

Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Sachin Agarwal, @sachinagarwal

Page 2: CIS14: Protecting Your APIs from Threats and Hacks

What is an API?

Your Application → Your API → Your Customers

Page 3: CIS14: Protecting Your APIs from Threats and Hacks

APIs – Extend the Reach of your Business

Page 4: CIS14: Protecting Your APIs from Threats and Hacks

EVOLUTION OF DIGITAL CHANNELS

Page 5: CIS14: Protecting Your APIs from Threats and Hacks

Client-Server / Web Applications

•  No Programmatic Access
•  Security through network isolation
•  Limited Users

Access locations and variability of operations were limited

Page 6: CIS14: Protecting Your APIs from Threats and Hacks

Web Services

The enterprise opened slightly with Web Services/SOAP

•  SSL/TLS, certificate based, PKI, WS-Trust
•  Some B2B and partner applications
•  Complex, but quite secure and flexible

Page 7: CIS14: Protecting Your APIs from Threats and Hacks

And then came APIs

Disrupting how and where information is accessed

•  Mobile and social apps don't understand PKI, WS-Security, etc.
•  Focus on human readability and developer adoption

Page 8: CIS14: Protecting Your APIs from Threats and Hacks

Realizing End-to-End Security

•  Managing the User Experience
•  Securing the App (PII, PHI)
•  Enabling Easy Developer Access
•  Securing the Channel
•  Securing the Backend

Page 9: CIS14: Protecting Your APIs from Threats and Hacks

Understanding the Security Landscape

API Specific Security:
•  Protocol specific threats
•  Key Management
•  OAuth
•  Monitoring
•  Licensing
•  Security Token Mediation

Single Sign On, MDM

ATP, Firewall, VPN etc.

Page 10: CIS14: Protecting Your APIs from Threats and Hacks

UNDERSTANDING API SECURITY

Page 11: CIS14: Protecting Your APIs from Threats and Hacks

The API Lifecycle

Stages: Transform & Secure → Publish → Monetize → Dev. Adoption

Diagram labels: SOAP to REST, Mobile Optimization; OAuth, Mediation; Analytics, API Documentation

API Producers (Applications and Services) → API → API Consumers (Apps)

Page 12: CIS14: Protecting Your APIs from Threats and Hacks

API Security

1. Authentication & Authorization
2. App Key Validation / Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting

Developers

Page 13: CIS14: Protecting Your APIs from Threats and Hacks

Authentication/Authorization/SSO

Control and restrict access to your APIs. Make it easy yet secure.

Page 14: CIS14: Protecting Your APIs from Threats and Hacks

Understanding OAuth

OAuth lets a person delegate constrained access from one app to another.

Roles: User / Resource Owner, Client App, Resource Server

Page 15: CIS14: Protecting Your APIs from Threats and Hacks

OAuth Flow

Page 16: CIS14: Protecting Your APIs from Threats and Hacks

OAuth – You need

•  OAuth Clients
   –  Provisioning
   –  Approval Flow
•  OAuth Server
   –  Identity Integration
   –  Token Validation
   –  Token Issue/refresh
•  Token Mediation (SAML, LDAP etc)
•  QoS, Monitoring
•  Policy Management
•  API Proxying
•  Reporting
•  Analytics

OAuth is hard and complicated.

Page 17: CIS14: Protecting Your APIs from Threats and Hacks

Licensing

Package your APIs in different ways. Use API keys to restrict what the App can access.

The licenses control:
–  OAuth Authorization Scopes
–  Document visibility
–  Quota policies

Page 18: CIS14: Protecting Your APIs from Threats and Hacks

Message and Parameter Security

HTTP Parameter
•  http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
•  Protect API Keys with HMAC – Hash-based Message Authentication Code

Message Security
•  Implement HTTPS
•  For XML payloads, encrypt specific parts of the message
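The second bullet recommends protecting the API key with an HMAC instead of sending app_key in the query string. The following is an added example, not code from the slides or from SOA Software's product: the client signs the method, path and parameters with the app secret and sends only app_id, a timestamp and the signature, and the gateway recomputes the HMAC from its own copy of the secret. The credentials and the 300-second freshness window are constructed placeholder values.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed credentials (placeholders): the secret is shared out of band and
# never appears in a URL; only app_id, a timestamp and the signature are sent.
APP_ID = "myid"
APP_SECRET = b"mykey"
SERVER_SECRETS = {"myid": b"mykey"}   # gateway's copy, keyed by app_id
MAX_SKEW = 300                        # seconds a signed request stays valid (assumed)

def canonical_string(method, path, params):
    """Deterministic text both sides hash: method, path, sorted encoded query."""
    return f"{method.upper()}\n{path}\n{urlencode(sorted(params.items()))}"

def sign_request(method, url, params, app_id, secret, now=None):
    """Client side: returns the query string carrying app_id, ts and sig."""
    ts = str(int(time.time() if now is None else now))
    signed = dict(params, app_id=app_id, ts=ts)
    msg = canonical_string(method, urlparse(url).path, signed)
    signed["sig"] = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return urlencode(signed)

def verify_request(method, url, query, now=None):
    """Gateway side: recompute the HMAC and reject stale or tampered requests."""
    params = dict(parse_qsl(query))
    sig = params.pop("sig", None)
    secret = SERVER_SECRETS.get(params.get("app_id"))
    if sig is None or secret is None:
        return False
    try:
        ts = int(params["ts"])
    except (KeyError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW:          # replay / clock-skew window
        return False
    msg = canonical_string(method, urlparse(url).path, params)
    expected = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison
```

Within the skew window a captured request could still be replayed; a gateway would additionally remember recent (app_id, ts, sig) tuples, which is omitted here.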

Page 19: CIS14: Protecting Your APIs from Threats and Hacks

Threat Protection

•  Denial of Service
•  Injection Attacks
   –  Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
•  Cross Site Scripting
•  Network address and range blacklists/whitelists
•  HTTP Parameter Stuffing

Page 20: CIS14: Protecting Your APIs from Threats and Hacks

Content Filtering

•  Provide a content firewall, protecting against malicious content
•  Validate message content, including message headers, form and query parameters, and XML and JSON data structures
•  Policies for XML and JSON DoS
•  Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
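The XML/JSON DoS policies above limit nesting depth and container breadth so that a small payload cannot exhaust the parser. As an added illustration, not code from the slides or the product, this single-pass check enforces depth, breadth and size limits on a JSON body before the real parser runs; the default limit values are assumptions.

```python
import json

class PayloadRejected(ValueError):
    """Raised when a JSON body violates the gateway's size/shape policy."""

def check_json_limits(raw, max_depth=20, max_breadth=1000, max_bytes=1_000_000):
    """Single pass over the raw text, before json.loads() builds any objects.
    Returns (deepest nesting, widest container) or raises PayloadRejected."""
    if len(raw) > max_bytes:
        raise PayloadRejected(f"payload exceeds {max_bytes} bytes")
    depth, deepest, widest = 0, 0, 0
    counts = []                 # commas seen in each currently open container
    in_string = escaped = False
    for ch in raw:
        if in_string:           # skip string contents, honouring escapes
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise PayloadRejected(f"nesting deeper than {max_depth}")
            deepest = max(deepest, depth)
            counts.append(0)
        elif ch in "]}":
            if not counts:
                raise PayloadRejected("unbalanced brackets")
            depth -= 1
            commas = counts.pop()
            if commas:
                widest = max(widest, commas + 1)
        elif ch == "," and counts:
            counts[-1] += 1
            if counts[-1] >= max_breadth:      # N elements need N-1 commas
                raise PayloadRejected(f"container wider than {max_breadth}")
    if counts or in_string:
        raise PayloadRejected("truncated payload")
    return deepest, widest

def parse_json_safely(raw, **limits):
    """Gateway entry point: enforce the policy, then parse normally."""
    check_json_limits(raw, **limits)
    return json.loads(raw)
```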

Page 21: CIS14: Protecting Your APIs from Threats and Hacks

Quota Management / Rate Limiting

Restrict the number of calls an App can make. Apply controls based on context, affinity, segmentation etc.
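One way to enforce a per-app quota of the kind described here, tied to the license tiers of the Licensing slide, as an added example that is not the presenter's or SOA Software's code: a sliding-window counter segmented by app key and API that returns a Retry-After hint when the quota is exhausted. The tier names, quotas and app keys are constructed placeholders.

```python
import time
from collections import defaultdict, deque

# Constructed license tiers and app registrations (placeholders, not real data).
LICENSE_QUOTAS = {"free": (10, 60), "gold": (1000, 60)}   # tier -> (calls, window seconds)
APP_LICENSES = {"myid": "free", "partner42": "gold"}       # app_id -> license tier

class QuotaLimiter:
    """Sliding-window counter per (app_id, api): a call is allowed only if
    fewer than `calls` requests were accepted in the last `window` seconds."""

    def __init__(self, quotas=LICENSE_QUOTAS, licenses=APP_LICENSES):
        self.quotas = quotas
        self.licenses = licenses
        self.hits = defaultdict(deque)   # (app_id, api) -> accepted timestamps

    def check(self, app_id, api, now=None):
        """Return (allowed, retry_after_seconds). Unknown app keys are rejected."""
        now = time.time() if now is None else now
        tier = self.licenses.get(app_id)
        if tier is None:
            return False, 0
        calls, window = self.quotas[tier]
        log = self.hits[(app_id, api)]
        while log and log[0] <= now - window:   # drop hits outside the window
            log.popleft()
        if len(log) >= calls:
            retry_after = int(log[0] + window - now) + 1
            return False, retry_after
        log.append(now)
        return True, 0
```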

Page 22: CIS14: Protecting Your APIs from Threats and Hacks

API Gateway

Gateway capabilities:
•  Security
   –  Authentication
   –  Protection
   –  IAM Integration
   –  Encryption
•  Mediation
•  Quality of Service
•  Paging/Caching
•  Orchestration
•  Scripting

Page 23: CIS14: Protecting Your APIs from Threats and Hacks

API Resources and API University

•  Resource Center
   –  http://resource.soa.com/
•  Webinar Recording
   –  http://resource.soa.com/resource/webinars
•  Follow us on:
   –  www.facebook.com/soasoftware
   –  www.linkedin.com/company/soasoftware
   –  @soasoftwareinc

Page 24: CIS14: Protecting Your APIs from Threats and Hacks

Questions

•  @sachinagarwal