API Security: Securing Digital Channels and Mobile Apps Against Hacks


Published on March 4, 2014

Author: SOA_Software

Source: slideshare.net

Description

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area available to attackers. To benefit from APIs while staying secure, enterprises and security architects need to keep developing a deep understanding of API security and how it differs from traditional web application security or mobile application security.

API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal, VP, Product Marketing
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.

API and SOA Resources
• Resource Center – http://resource.soa.com/
• Webinar Recording – http://resource.soa.com/resource/webinars
• Follow us on: www.facebook.com/soasoftware, www.linkedin.com/company/soasoftware, @soasoftwareinc

What is an API?
(Diagram: Your Customers – Your API – Your Application)

APIs – Extend the Reach of your Business

EVOLUTION OF DIGITAL CHANNELS

Client-Server / Web Applications
Access locations and variability of operations were limited
• No programmatic access
• Security through network isolation
• Limited users

Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, certificate based, PKI, WS-Trust
• Some B2B and partner applications
• Complex, but quite secure and flexible

And then came APIs
Disrupting how and where information is accessed
• Mobile and social apps don't understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption

Realizing End-to-End Security
• Securing the backend
• Managing the user experience
• Securing the channel
• Securing the app – PII, PHI
• Enabling easy developer access

Understanding the Security Landscape
• Single Sign On
• API-specific security
• MDM
• ATP, firewall, VPN etc.
• Protocol-specific threats
• Key management
• OAuth
• Monitoring
• Licensing
• Security token mediation

UNDERSTANDING API SECURITY

The API Lifecycle
(Diagram) API Producers: Applications and Services → Transform & Secure: SOAP to REST, Mobile Optimization, OAuth Mediation → Publish: API Documentation, Dev. Adoption → API Consumers: Apps; with API Analytics and Monetize alongside

API Security
(Diagram: six numbered controls between Developers and the API)
• Authentication & Authorization
• App Key Validation / Licensing
• Message Security
• Threat Protection
• Content Filtering
• Rate Limiting

Authentication / Authorization / SSO
• Control and restrict access to your APIs
• Make it easy yet secure

Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
(Diagram: Client App, Resource Server, Resource Owner / User)

OAuth Flow
(Diagram)

OAuth – You Need
OAuth is hard and complicated
• OAuth clients
• Provisioning
• Approval flow
• OAuth server
• Identity integration
• Token validation
• Token issue / refresh
• Token mediation (SAML, LDAP etc.)
• QoS, monitoring
• Policy management
• API proxying
• Reporting
• Analytics

Licensing
Package your APIs in different ways
Use API keys to restrict what the app can access
The licenses control:
– OAuth authorization scopes
– Document visibility
– Quota policies

Message and Parameter Security
HTTP parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API keys with HMAC – Hash-based Message Authentication Code
Message security
• Implement HTTPS
• For XML payloads, encrypt specific parts of the message
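The slide's point is that the app_key should never travel in the query string; the client proves possession of it with an HMAC over the request instead. Added example, not from the SOA Software deck: the app_id/app_key pair, the clock-skew window and the canonical-string layout are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed app credential, standing in for the app_id/app_key pair on the slide.
APP_KEYS = {"myid": b"mykey"}   # app_id -> shared secret (hypothetical values)
MAX_CLOCK_SKEW_S = 300          # reject requests signed more than 5 minutes ago

def canonical_string(method, path, query, app_id, timestamp):
    """Deterministic string both sides sign over; sorting the query means
    parameter order cannot change the signature."""
    qs = urlencode(sorted(query.items()))
    return "\n".join([method.upper(), path, qs, app_id, str(timestamp)])

def sign_request(method, path, query, app_id, app_key, timestamp):
    """Client side: HMAC-SHA256 over the canonical string, keyed by app_key.
    Only app_id, timestamp and this signature travel with the request;
    app_key itself never appears in the URL."""
    msg = canonical_string(method, path, query, app_id, timestamp).encode()
    return hmac.new(app_key, msg, hashlib.sha256).hexdigest()

def verify_request(method, path, query, app_id, timestamp, signature, now=None):
    """Gateway side: recompute the HMAC and compare in constant time.
    Unknown app_ids and stale timestamps are rejected before any comparison."""
    app_key = APP_KEYS.get(app_id)
    if app_key is None:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_CLOCK_SKEW_S:
        return False
    expected = sign_request(method, path, query, app_id, app_key, timestamp)
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    ts = int(time.time())
    path, q = "/resources/sample/foo", {"limit": "10"}
    sig = sign_request("GET", path, q, "myid", APP_KEYS["myid"], ts)
    print(verify_request("GET", path, q, "myid", ts, sig))                  # True
    print(verify_request("GET", path, {"limit": "1000"}, "myid", ts, sig))  # False: query tampered
```

The timestamp bounds how long a captured signature stays valid; a gateway that needs strict single-use semantics would additionally keep a short-lived nonce cache.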

Threat Protection
• Denial of Service
• Injection attacks – detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP parameter stuffing

Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
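A "JSON DoS" policy of the kind listed above amounts to structural limits enforced before the backend ever parses the body. Added example, not SOA Software's gateway code: the byte, depth, fan-out and string limits are hypothetical values, and the walk runs after a size check so an oversized document never reaches the parser.

```python
import json

# Constructed limits standing in for a gateway "JSON DoS" policy (hypothetical values).
POLICY = {"max_bytes": 64 * 1024, "max_depth": 8, "max_children": 100, "max_string_len": 1024}

def check_node(node, depth, policy):
    """Walk a parsed document and return the first policy violation, or None.
    Recursion stops at max_depth, so the walker itself cannot be driven deep."""
    if depth > policy["max_depth"]:
        return f"nesting depth {depth} exceeds {policy['max_depth']}"
    if isinstance(node, dict):
        if len(node) > policy["max_children"]:
            return f"object with {len(node)} members exceeds {policy['max_children']}"
        for key, value in node.items():
            if len(key) > policy["max_string_len"]:
                return "object key too long"
            err = check_node(value, depth + 1, policy)
            if err:
                return err
    elif isinstance(node, list):
        if len(node) > policy["max_children"]:
            return f"array with {len(node)} elements exceeds {policy['max_children']}"
        for item in node:
            err = check_node(item, depth + 1, policy)
            if err:
                return err
    elif isinstance(node, str) and len(node) > policy["max_string_len"]:
        return f"string of {len(node)} chars exceeds {policy['max_string_len']}"
    return None

def filter_json_body(raw, policy=POLICY):
    """Content-firewall check for a JSON request body. Returns (accepted, reason)."""
    if len(raw) > policy["max_bytes"]:
        return False, f"body of {len(raw)} bytes exceeds {policy['max_bytes']}"
    try:
        doc = json.loads(raw)
    except RecursionError:
        return False, "nesting too deep for the parser"
    except ValueError as exc:          # json.JSONDecodeError is a ValueError
        return False, f"malformed JSON: {exc}"
    err = check_node(doc, 1, policy)
    return (err is None), (err or "ok")

if __name__ == "__main__":
    print(filter_json_body(b'{"user": {"id": 1, "tags": ["a", "b"]}}'))  # (True, 'ok')
    print(filter_json_body(b"[" * 20 + b"]" * 20))                       # (False, 'nesting depth 9 exceeds 8')
```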

Quota Management / Rate Limiting
• Restrict the number of calls an app can make
• Apply controls based on context, affinity, segmentation etc.
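The Licensing slide ties quota policies to the app's license, and this slide applies them per app. Added example covering both, not part of the deck: a sliding-window limiter keyed by app_id, where the limit and window are looked up from a constructed license table with hypothetical numbers.

```python
import time
from collections import deque

# Constructed license tiers: the quota policy attached to an app's license
# (hypothetical numbers, not SOA Software's defaults).
LICENSE_QUOTAS = {"free": (10, 60), "partner": (100, 60)}   # calls per window, window seconds
APP_LICENSES = {"myid": "free", "partnerapp": "partner"}    # app_id -> license

class AppRateLimiter:
    """Sliding-window limiter keyed by app_id; limit and window come from the app's license."""

    def __init__(self):
        self.calls = {}   # app_id -> deque of call timestamps inside the current window

    def allow(self, app_id, now=None):
        """Return (allowed, detail) for one API call by app_id at time now."""
        now = time.time() if now is None else now
        license_name = APP_LICENSES.get(app_id)
        if license_name is None:
            return False, "unknown app_id"            # unlicensed apps never consume quota
        limit, window = LICENSE_QUOTAS[license_name]
        history = self.calls.setdefault(app_id, deque())
        while history and now - history[0] >= window:
            history.popleft()                          # drop calls that have left the window
        if len(history) >= limit:
            retry_after = window - (now - history[0])
            return False, f"quota {limit}/{window}s exceeded, retry in {retry_after:.0f}s"
        history.append(now)
        return True, f"{limit - len(history)} calls left in window"

if __name__ == "__main__":
    limiter = AppRateLimiter()
    for _ in range(11):
        ok, detail = limiter.allow("myid", now=0.0)
    print(ok, detail)   # the 11th call on a "free" license is refused
```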

SOA Software API Gateway
Gateway: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting

The SOA Software API Platform
Analytics, Developer Engagement, Gateway Services, Service Integration, Lifecycle Management

Flexible Deployment Model
(Diagram)

SOA Software API Platform Capabilities
(Capability matrix with columns Platform, Lifecycle, Gateway and API Portal) Licensing, API/Services Security, Search, Quota Mgmt., Application, Authentication, Documentation, Partner Mgmt., User, Protection, Groups, PCI Compliance, Compliance, IAM Integration, Social, Provisioning, Integrations, Encryption, Policy Mgmt., Mediation, Monitoring, Quality of Service, OAuth, Paging/Caching, Federation, Orchestration, Analytics, Scripting

Questions

