Agile API Security

Subra Kumaraswamy
@subrak

Apigee
@apigee
youtube.com/apigee
slideshare.net/apigee
Agenda

• Why Agile Security matters
• Agile API Security enablers and approaches
• Key takeaways
• Q&A
Why Agile security?
Balancing security risks against developer agility.

API security stakeholders

Product Manager
• How can I release features with built-in security?
• How can I reduce the release cycle?

Business owner
• How do I reduce risk while expanding API exposure?
• How do I meet compliance requirements?

Ops
• How do I enforce consistent security policy across APIs?
• What controls do I have to mitigate attacks like DoS?
• How can I manage and revoke keys?

App Developer
• What options do I have to secure data at rest and in transit?
• How do I enable social login?
Security layers – good enough?
We have implemented layers of security to protect the crown jewels.
That's not enough: we need security with flexibility.
A new approach is required
Agile API security

• API First Architecture with built-in Security
• Secure and Agile SDLC: Threat Assessment → Secure Coding → Testing → Verification
• Security for API exposure
• Security for consumption (Apps)
• Data Security governance
API-first architecture

• Apps (consumption): mobile apps, web apps and social apps, built by all developers. Flexible security for Internet-facing apps.
• API tier: persistence, security, orchestration, analytics.
• Backend (exposure): app servers, ESB, services. Consistent security policies and access control, owned by the IT security architect.
API security architecture

• Identity for API management (used by developers and the IT security architect): user management, RBAC, policy management, certificate management, keys/token management.
• API security (applied to apps): authentication, authorization, policy enforcement, traffic management, logging & auditing; backed by a key store, a policy store and a log store.
• Threat protection: TLS, DDoS protection, rate limiting & quota, payload protection, analytics.
• Compliance: SOC 2, PCI DSS, HIPAA.
Identity landscape in the API world
Agile SDLC – Focus on automation

Phases: Threat Assessment → Secure Coding → Testing → Verification

• Threat Assessment: API threat modeling and security design. API product centric; aligned with epics and stories.
• Secure Coding: secure coding practices and static analysis, integrated into development using Maven and Jenkins plugins.
• Testing: security unit testing and dynamic analysis. Vulnerabilities are prioritized based on criticality and threat model requirements.
• Verification: black box pen testing aligned with major releases; continuous security monitoring of APIs to verify that policies are enforced.

Secure development training underpins all phases.
API Product security design considerations
• What categories of developers or applications do you have?
  – internal developers
  – partners (at various service levels)
  – public developers (open adoption)
• What APIs should each class of developers or applications have access to?
• What authentication and authorization schemes are supported by apps to consume APIs?
• What type of data is exposed via the API?
• What threats do you want to protect against?
API threats
• Spoofing of identity
• Denial of service
• Network eavesdropping (App-to-API)
• Replay attacks
• Unauthorized access to management system and configuration data
• Man-in-the-middle attacks
• Velocity attack using legitimate API keys
• Elevation of privilege by applications and developers
• Disclosure of confidential data stored and processed in mobile, API, and backend services
• Theft of credentials, API keys, tokens, or encryption keys
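Several of the threats above (replay, man-in-the-middle tampering, theft of a captured request) are addressed by having the app sign each request with a secret that never travels on the wire and having the API check freshness and a one-time nonce. The following is an added example, not code from the deck or from Apigee; the header names, the `APP_CREDENTIALS` table and the 300-second skew window are assumptions, and TLS is still required for confidentiality since signing only gives integrity and replay protection.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential: an app's API key and the secret issued alongside it.
# In a real deployment the secret comes from the key-management store, not a literal.
APP_CREDENTIALS = {"app-key-123": b"constructed-shared-secret-do-not-reuse"}
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable (assumed window)


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every security-relevant part of the request into one signed string,
    so changing the method, path, time, nonce or body invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(api_key, method, path, body, timestamp=None, nonce=None):
    """Client side: headers an app attaches to a request. The secret itself never leaves the app."""
    secret = APP_CREDENTIALS[api_key]
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {
        "X-Api-Key": api_key,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


class ReplayGuard:
    """Server side: verifies the signature and remembers nonces for the validity window,
    so a captured request cannot simply be resent."""

    def __init__(self):
        self._seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, headers, method, path, body, now=None):
        now = int(time.time()) if now is None else now
        secret = APP_CREDENTIALS.get(headers.get("X-Api-Key"))
        if secret is None:
            return False, "unknown api key"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return False, "stale request"  # bounds how long a captured request is reusable
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return False, "missing nonce"
        expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak the MAC byte by byte through timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Forget nonces already outside the skew window; they can never verify again anyway.
        self._seen = {n: t for n, t in self._seen.items() if abs(now - t) <= MAX_CLOCK_SKEW}
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = ts
        return True, "ok"


def demo():
    """Constructed exchange: one valid request, then a replay, a tampered body and a stale resend."""
    body = b'{"amount": 10}'
    headers = sign_request("app-key-123", "POST", "/v1/payments", body, timestamp=1_700_000_000, nonce="n1")
    guard = ReplayGuard()
    first = guard.verify(headers, "POST", "/v1/payments", body, now=1_700_000_010)
    replay = guard.verify(headers, "POST", "/v1/payments", body, now=1_700_000_020)
    tampered = guard.verify(headers, "POST", "/v1/payments", b'{"amount": 1000}', now=1_700_000_010)
    stale = guard.verify(headers, "POST", "/v1/payments", body, now=1_700_001_000)
    return first, replay, tampered, stale


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The nonce store must be shared across all API instances (a cache with TTL equal to the skew window) or a replay can succeed against a different node; the in-memory dict here is only for the single-process demonstration.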
Centralize API security for exposure

Secure API Exposure (diagram): apps reach backend services only through a central layer of security & identity capabilities (TLS, authentication & authorization against identity services (IdP), logging & auditing, security analytics); the backend service in turn authenticates and authorizes the API layer.
API exposure – security checklist

API (Backend) Security
þ Secure communication (TLS – 1 way or 2 way)
þ Authentication (TLS, OAuth, SAML)
þ Versioning
þ Integration with enterprise identity providers
þ Logging and auditing

API Developer Security
þ Authentication & SSO (SAML, OAuth)
þ API management roles (RBAC)
þ Internal vs external developers
þ Data masking
þ Logging and auditing

Analytics
þ Run-time detection reports (volume based, traffic properties)

Governance & Compliance
þ Policy enforcement
þ PCI/HIPAA compliance
Standardize App security for consumption

Security for Consumption (diagram): developers and their apps consume backend services through the security & identity capabilities (application security, authentication & authorization, TLS, threat protection).
API consumption – security checklist

App Security
þ Secure communication (TLS – 1 way or 2 way); mobile vs partner
þ Authentication (OAuth patterns)
þ API key with product scope
þ Quota enforcement
þ IP based whitelist/blacklist

App Developer Security
þ Developer key management (workflow, governance)
þ Developer provisioning
þ Authentication & SSO (SAML, OAuth)
þ Internal vs external developers
þ Developer permissions (RBAC)

Threat Protection
þ XML/JSON poisoning/injection
þ SQL injection
þ DDoS/App-DoS attacks
þ Spike arrest
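The App Security and Threat Protection items above are what a policy enforcement point in front of the backend checks on every call: key validity, IP allowlist, the product the key is bound to, spike arrest, payload limits and quota. The following is an added example, not code from the deck or from Apigee; the `PRODUCTS`/`APPS` tables, the limits and the order of checks are assumptions made for the illustration, and the product data model is a simplification rather than Apigee's.

```python
import ipaddress
import json
from collections import deque

# Constructed sample configuration (an illustration, not Apigee's data model):
# an API product bundles API paths with a quota; each app key is bound to one product.
PRODUCTS = {
    "weather-free": {"paths": {"/v1/forecast"}, "quota": 2, "quota_window": 3600},
    "weather-partner": {"paths": {"/v1/forecast", "/v1/history"}, "quota": 1000, "quota_window": 3600},
}
APPS = {
    "key-free-app": {"product": "weather-free", "allowed_ips": ["203.0.113.0/24"]},
    "key-partner-app": {"product": "weather-partner", "allowed_ips": ["198.51.100.0/24"]},
}
SPIKE_PER_SECOND = 5   # spike arrest: burst ceiling, independent of the product quota
MAX_BODY_BYTES = 4096  # payload protection: cap request body size
MAX_JSON_DEPTH = 8     # payload protection: cap nesting to blunt JSON poisoning


def json_depth(node, depth=1):
    """Nesting depth of a parsed JSON document (scalars count as depth 1)."""
    if isinstance(node, dict):
        return max((json_depth(v, depth + 1) for v in node.values()), default=depth)
    if isinstance(node, list):
        return max((json_depth(v, depth + 1) for v in node), default=depth)
    return depth


def check_json_payload(body):
    """Reject oversized, malformed or excessively nested JSON before it reaches the backend."""
    if len(body) > MAX_BODY_BYTES:
        return False, "payload too large"
    if not body:
        return True, "ok"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):  # JSONDecodeError is a ValueError
        return False, "malformed json"
    if json_depth(doc) > MAX_JSON_DEPTH:
        return False, "json nesting too deep"
    return True, "ok"


class Gateway:
    """Policy enforcement point in front of the backend: key, IP, product, spike, payload, quota."""

    def __init__(self):
        self._spike = {}  # api key -> deque of request times within the last second
        self._quota = {}  # api key -> (window start, requests counted in the window)

    def handle(self, api_key, client_ip, path, body, now):
        app = APPS.get(api_key)
        if app is None:
            return 401, "invalid api key"
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(net) for net in app["allowed_ips"]):
            return 403, "ip not allowed"
        product = PRODUCTS[app["product"]]
        if path not in product["paths"]:
            return 403, "api not in product"  # key is valid but the product does not include this API
        # Spike arrest: sliding one-second window, checked before any parsing work.
        recent = self._spike.setdefault(api_key, deque())
        while recent and now - recent[0] >= 1.0:
            recent.popleft()
        if len(recent) >= SPIKE_PER_SECOND:
            return 429, "spike arrest"
        recent.append(now)
        ok, reason = check_json_payload(body)
        if not ok:
            return 400, reason
        # Quota: fixed window per product; only requests that passed every other check count.
        start, count = self._quota.get(api_key, (now, 0))
        if now - start >= product["quota_window"]:
            start, count = now, 0
        if count >= product["quota"]:
            return 429, "quota exceeded"
        self._quota[api_key] = (start, count + 1)
        return 200, "ok"


def demo():
    """Constructed traffic exercising each control; returns the gateway decisions in order."""
    gw = Gateway()
    body = b'{"city": "Oslo"}'
    results = [
        gw.handle("key-free-app", "203.0.113.10", "/v1/forecast", body, 100.0),  # allowed, quota 1/2
        gw.handle("key-free-app", "203.0.113.10", "/v1/history", body, 100.1),   # API not in free product
        gw.handle("key-free-app", "192.0.2.1", "/v1/forecast", body, 100.2),     # outside IP allowlist
        gw.handle("key-free-app", "203.0.113.10", "/v1/forecast", body, 100.3),  # allowed, quota 2/2
        gw.handle("key-free-app", "203.0.113.10", "/v1/forecast", body, 100.4),  # quota exhausted
    ]
    deep = b'{"a":' * 10 + b'1' + b'}' * 10  # nested 10 levels, over MAX_JSON_DEPTH
    results.append(gw.handle("key-partner-app", "198.51.100.7", "/v1/forecast", deep, 200.0))
    burst = [gw.handle("key-partner-app", "198.51.100.7", "/v1/forecast", body, 300.0 + i * 0.01)
             for i in range(SPIKE_PER_SECOND + 1)]
    results.append(burst[-1])  # sixth request within one second trips spike arrest
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

Spike arrest and quota are deliberately separate counters: spike arrest protects the backend from a burst (including a velocity attack with a legitimate key) on a per-second basis, while the quota is the commercial allowance of the product over a longer window. The IP check is a coarse control that only helps for partner apps with fixed egress addresses; for mobile apps it is not usable and OAuth plus key binding has to carry the weight.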
API data security
• Organize your APIs as API products for fine-grained data security management
• Provide a central mechanism for authorization and access control to your APIs
• API products combined with API keys and OAuth scopes protect your APIs
• Protect payload data using encryption, hashing and secure key management
• Improve API agility by aligning the secure SDLC with data security sensitivity
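The first three points above, together with the Data Masking item of the exposure checklist, come down to one rule: the API product decides which OAuth scopes an app may exercise, and the effective scopes decide which fields of a resource leave the API, masked or not. The following is an added example, not code from the deck or from Apigee; the `SCOPE_FIELDS` and `PRODUCTS` tables, the field names and the sample record are constructed, the token is assumed to have been validated already (signature and expiry checks are outside this snippet), and keyed hashing with HMAC-SHA256 stands in for the "hashing and secure key management" point, with field encryption left out because it needs an AEAD from a library rather than the standard library.

```python
import hashlib
import hmac

# Constructed policy (an illustration, not Apigee's data model): each API product grants
# OAuth scopes, and each scope unlocks a set of fields on the customer resource.
SCOPE_FIELDS = {
    "customer.read": {"id", "name", "email"},
    "customer.read.pii": {"ssn", "date_of_birth"},
    "customer.read.financial": {"card_last4", "credit_limit"},
}
PRODUCTS = {
    "crm-basic": {"scopes": {"customer.read"}},
    "crm-partner": {"scopes": {"customer.read", "customer.read.financial"}},
    "crm-internal": {"scopes": {"customer.read", "customer.read.pii", "customer.read.financial"}},
}
# Fields that are returned only in masked form, whatever the scope.
ALWAYS_MASKED = {"ssn": lambda v: "***-**-" + v[-4:]}
# Assumption: in production this key is fetched from a key manager and rotated; a literal here.
PSEUDONYM_KEY = b"constructed-hmac-key-from-key-manager"


def granted_scopes(product, token_scopes):
    """A token may only exercise scopes that the app's API product actually grants:
    an over-broad token cannot widen what the product exposes."""
    return PRODUCTS[product]["scopes"] & set(token_scopes)


def filter_response(record, product, token_scopes):
    """Return only the fields unlocked by the effective scopes, masking the ones that
    must never leave the API in clear form."""
    allowed = set().union(*(SCOPE_FIELDS[s] for s in granted_scopes(product, token_scopes)))
    out = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # omitted entirely, not masked, so the response does not hint at hidden data
        out[field] = ALWAYS_MASKED[field](value) if field in ALWAYS_MASKED else value
    return out


def pseudonymize(value):
    """Keyed hash (HMAC-SHA256) of an identifier: logs and analytics can correlate a customer
    across calls without storing the raw identifier, and without the key the value cannot be
    recomputed from a dictionary of guesses the way a plain hash could."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def audit_entry(record, product, token_scopes):
    """What the log store receives: the pseudonymous id, never the PII fields themselves."""
    return {
        "customer": pseudonymize(record["id"]),
        "product": product,
        "scopes": sorted(granted_scopes(product, token_scopes)),
    }


CUSTOMER = {  # constructed sample record
    "id": "c-1001", "name": "Ada Example", "email": "ada@example.test",
    "ssn": "123-45-6789", "date_of_birth": "1990-01-01",
    "card_last4": "4242", "credit_limit": 5000,
}


def demo():
    """Same record, same over-broad token, two products: the product decides what is exposed."""
    token_scopes = ["customer.read", "customer.read.pii"]
    basic = filter_response(CUSTOMER, "crm-basic", token_scopes)
    internal = filter_response(CUSTOMER, "crm-internal", token_scopes)
    return basic, internal, audit_entry(CUSTOMER, "crm-internal", token_scopes)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Tiering works because the check is the intersection of token scopes and product scopes: moving an app from the basic to the partner product changes what it can see without reissuing tokens or touching the backend, which is the agility the slide is after.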
Key takeaways

þ Practice API First Architecture for security with flexibility
þ Implement an SDLC with automation for agility (Threat Assessment → Secure Coding → Testing → Verification)
þ Centralize your API security for consistent policy enforcement
þ Standardize App security across channels for a frictionless user experience
þ Use API Products to enable tiered security
Thank You

Questions?

Apigee
@apigee