API Security: Securing Digital Channels and Mobile Apps Against Hacks
Transcript of API Security: Securing Digital Channels and Mobile Apps Against Hacks
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Sachin Agarwal, VP, Product Marketing
API and SOA Resources
• Resource Center – http://resource.soa.com/
• Webinar Recording – http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc
What is an API?
Your Application → Your API → Your Customers
APIs – Extend the Reach of your Business
EVOLUTION OF DIGITAL CHANNELS
Client-Server/ Web Applications
• No Programmatic Access
• Security through network isolation
• Limited Users
Access locations and variability of operations were limited
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, certificate-based authentication, PKI, WS-Trust
• Some B2B and Partners applications
• Complex, but quite secure and flexible
And then came APIs
Disrupting how and where information is accessed
• Mobile and social apps don't understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
Realizing End-to-End Security
Managing the User Experience
Securing the App - PII, PHI
Enabling Easy Developer Access
Securing the Channel
Securing the Backend
Understanding the Security Landscape
• Protocol-specific threats
• API-specific security: Key Management, OAuth, Monitoring, Licensing, Security Token Mediation
• Single Sign-On, MDM
• ATP, Firewall, VPN etc.
UNDERSTANDING API SECURITY
The API Lifecycle
Stages: Transform & Secure → Publish → Monetize → Dev. Adoption
Capabilities along the way: SOAP to REST, Mobile Optimization, OAuth, Mediation, Analytics, API Documentation
API Producers (Applications and Services) → API → API Consumers (Apps)
API Security
1. Authentication & Authorization
2. App Key Validation/Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting
(Applied between Developers and the API)
Authentication/Authorization/SSO
Control and restrict access to your APIs. Make it easy yet secure.
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
Roles: User (Resource Owner), Client App, Resource Server
OAuth Flow
OAuth – You need
• OAuth Clients: provisioning, approval flow
• OAuth Server: identity integration, token validation, token issue/refresh
• Token mediation (SAML, LDAP etc.), QoS, monitoring, policy management, API proxying, reporting, analytics
OAuth is hard and complicated.
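The delegation the slides describe, as an added example that is not SOA Software code: a minimal OAuth 2.0 authorization-code flow (RFC 6749) in which the resource owner approves a scope, the client app exchanges a one-time code for a bearer token at the authorization server, and the resource server (or a gateway in front of it) checks the token and its scope before serving a call. The client ID, secret, redirect URI, scopes and lifetimes are made-up values; token validation uses a simple in-process lookup in place of an introspection endpoint.

```python
"""OAuth 2.0 authorization-code flow simulation (added example, not
SOA Software code). Client registration, scopes and lifetimes are assumed."""
import secrets
import time


class AuthorizationServer:
    """Issues one-time codes bound to (client, redirect_uri, scope) and
    exchanges them for short-lived access tokens plus rotating refresh tokens."""

    def __init__(self, now=time.time):
        self.now = now
        # Hypothetical registered client: confidential app with a fixed redirect URI.
        self.clients = {"mobile-app": {"secret": "s3cret", "redirect_uri": "app://cb"}}
        self.codes = {}     # code -> grant it represents
        self.tokens = {}    # access token -> {scope, user, expires}
        self.refresh = {}   # refresh token -> {client_id, scope, user}

    def _client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        return client

    def authorize(self, user, client_id, redirect_uri, scope):
        """Approval step: the resource owner consented to `scope` for `client_id`."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user,
                            "expires": self.now() + 60}   # codes are short-lived
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the code is single use and bound to the requesting client."""
        self._client(client_id, client_secret)
        grant = self.codes.pop(code, None)               # pop => cannot be replayed
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < self.now()):
            raise PermissionError("invalid_grant")
        return self._issue(client_id, grant["user"], grant["scope"])

    def refresh_token(self, client_id, client_secret, refresh_tok):
        """Refresh: old refresh token is consumed, a new pair is issued."""
        self._client(client_id, client_secret)
        grant = self.refresh.pop(refresh_tok, None)
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, grant["user"], grant["scope"])

    def _issue(self, client_id, user, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = {"scope": scope, "user": user, "expires": self.now() + 3600}
        self.refresh[refresh] = {"client_id": client_id, "scope": scope, "user": user}
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def introspect(self, access):
        """What the resource server (or gateway) asks before serving a request."""
        t = self.tokens.get(access)
        if t is None or t["expires"] < self.now():
            return {"active": False}
        return {"active": True, "scope": t["scope"], "user": t["user"]}


def resource_server_call(auth, bearer, needed_scope):
    """Gateway-side check: token must be active and carry the required scope."""
    info = auth.introspect(bearer)
    if not info["active"]:
        return 401
    if needed_scope not in info["scope"].split():
        return 403
    return 200


def demo():
    """Walk the flow with a controllable clock and report each outcome."""
    clock = [1_000_000.0]
    auth = AuthorizationServer(now=lambda: clock[0])
    code = auth.authorize("alice", "mobile-app", "app://cb", "profile:read")  # user approves
    tok = auth.token("mobile-app", "s3cret", code, "app://cb")               # client exchanges code
    results = {"read_ok": resource_server_call(auth, tok["access_token"], "profile:read"),
               "write_forbidden": resource_server_call(auth, tok["access_token"], "profile:write")}
    try:                                                                    # replaying the code fails
        auth.token("mobile-app", "s3cret", code, "app://cb")
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    clock[0] += 3601                                                        # access token expires
    results["expired"] = resource_server_call(auth, tok["access_token"], "profile:read")
    new = auth.refresh_token("mobile-app", "s3cret", tok["refresh_token"])  # refresh issues a new one
    results["refreshed"] = resource_server_call(auth, new["access_token"], "profile:read")
    return results


if __name__ == "__main__":
    print(demo())
```

The pieces the slide lists as "you need" map onto this directly: `authorize` is the approval flow, `token`/`refresh_token` are issue/refresh, `introspect` is token validation, and `resource_server_call` is the policy check an API proxy performs on every request.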
Licensing
Package your APIs in different ways. Use API keys to restrict what the App can access.
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• A key sent as a query parameter is exposed wherever the URL is recorded (server logs, proxies, Referer headers). Protect API keys with HMAC (Hash-based Message Authentication Code): sign the request with the key instead of transmitting it.
Message Security
• Implement HTTPS
• For XML payloads, encrypt specific parts of the message
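What "protect API keys with HMAC" looks like in practice, as an added example (not SOA Software code): the client keeps `app_key` as a shared secret and sends an HMAC-SHA256 over a canonical form of the request plus a timestamp and nonce; the gateway recomputes the MAC with the secret it holds for `app_id`, compares in constant time, rejects stale timestamps and replayed nonces. The header names `X-App-Id`, `X-Timestamp`, `X-Nonce`, `X-Signature`, the canonicalisation rules and the secret registry are assumptions of this example, not a published scheme.

```python
"""HMAC request signing so the API key never appears on the wire
(added example; header names and canonical form are this example's own)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed registry held by the gateway: app_id -> shared secret.
APP_SECRETS = {"myid": b"mykey-never-sent-in-the-url"}


def canonical(method, path, query, timestamp, nonce, body=b""):
    """Deterministic byte string both sides MAC: sorted query so parameter
    order cannot change the signature, body bound in via its SHA-256."""
    q = urlencode(sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, q, str(timestamp), nonce, body_hash]).encode()


def sign_request(app_id, secret, method, path, query, body=b"", now=None):
    """Client side: returns the headers to attach to the request."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, canonical(method, path, query, ts, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Gateway side: recompute and compare, then enforce freshness and single use."""

    def __init__(self, secrets_db, skew=300, now=time.time):
        self.db, self.skew, self.now = secrets_db, skew, now
        self.seen = set()   # (app_id, nonce) pairs; use a TTL cache in production

    def verify(self, headers, method, path, query, body=b""):
        app_id = headers.get("X-App-Id")
        secret = self.db.get(app_id)
        if secret is None:
            return False, "unknown app"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(self.now() - ts) > self.skew:
            return False, "stale"
        nonce = headers.get("X-Nonce", "")
        expected = hmac.new(secret, canonical(method, path, query, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak match length via timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        if (app_id, nonce) in self.seen:
            return False, "replay"
        self.seen.add((app_id, nonce))
        return True, "ok"


def demo():
    """Exercise the verifier with a fixed clock and report each outcome."""
    clock = [1_700_000_000]
    v = Verifier(APP_SECRETS, now=lambda: clock[0])
    path, q = "/resources/sample/foo", {"q": "sample"}
    h = sign_request("myid", APP_SECRETS["myid"], "GET", path, q, now=clock[0])
    out = {"valid": v.verify(h, "GET", path, q)[1]}
    out["replay"] = v.verify(h, "GET", path, q)[1]                  # same nonce again
    out["tampered"] = v.verify(h, "GET", path, {"q": "other"})[1]   # query changed in flight
    old = sign_request("myid", APP_SECRETS["myid"], "GET", path, q, now=clock[0] - 1000)
    out["stale"] = v.verify(old, "GET", path, q)[1]                 # outside the skew window
    out["unknown"] = v.verify(dict(h, **{"X-App-Id": "nobody"}), "GET", path, q)[1]
    return out


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner will want to keep: the comparison must be `hmac.compare_digest`, and the timestamp/nonce pair is what turns a signature into a one-time credential; without it a captured signed request is as replayable as the plaintext key was.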
Threat Protection
• Denial of Service
• Injection Attacks – detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
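An added example of the structural checks a gateway content firewall performs, covering the threat-protection and content-filtering slides (this is not SOA Software code, and the limits, deny list and messages are this example's assumptions): it bounds body size and JSON nesting depth (JSON DoS), refuses XML that declares a DOCTYPE or entities (the entity-expansion form of XML DoS), flags repeated query parameters (HTTP parameter stuffing / pollution) and applies a network range deny list. Signature-based injection detection is left to the backend's parameterised queries and is not modelled here.

```python
"""Gateway-style content filter (added example). Limits, deny list and
sample requests are constructed for illustration."""
import ipaddress
import json
from urllib.parse import parse_qsl

MAX_BODY = 64 * 1024      # bytes; assumed policy value
MAX_DEPTH = 20            # JSON nesting levels; assumed policy value
MAX_PARAMS = 50           # query parameters per request; assumed policy value
DENY_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3, constructed entry


def json_depth(obj, depth=1):
    """Depth of the deepest container; scalars count as the level they sit at."""
    if isinstance(obj, dict):
        return max([json_depth(v, depth + 1) for v in obj.values()] + [depth])
    if isinstance(obj, list):
        return max([json_depth(v, depth + 1) for v in obj] + [depth])
    return depth


def check_source(ip):
    """Network address/range blacklist: True if the caller is allowed."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in DENY_NETS)


def check_query(qs):
    """Parameter stuffing: reject oversized or duplicated parameter sets, since
    backends disagree about which duplicate wins (first, last, or a list)."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    if len(pairs) > MAX_PARAMS:
        return "too many parameters"
    names = [k for k, _ in pairs]
    dupes = {n for n in names if names.count(n) > 1}
    if dupes:
        return f"duplicate parameters: {sorted(dupes)}"
    return None


def check_body(content_type, body):
    """Size and structure policies for JSON and XML payloads."""
    if len(body) > MAX_BODY:
        return "body too large"
    if content_type.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            return "malformed JSON"
        if json_depth(doc) > MAX_DEPTH:
            return "JSON nesting too deep"
    elif content_type.startswith(("application/xml", "text/xml")):
        # Entity expansion ("billion laughs") needs a DOCTYPE; refuse it outright
        # rather than trying to bound expansion after the fact.
        head = body[:4096].lower()
        if b"<!doctype" in head or b"<!entity" in head:
            return "XML DOCTYPE/ENTITY not allowed"
    return None


def filter_request(src_ip, query_string, content_type, body):
    """Run all policies; returns (http_status, reason) the gateway would respond with."""
    if not check_source(src_ip):
        return 403, "source address denied"
    reason = check_query(query_string) or check_body(content_type, body)
    return (400, reason) if reason else (200, "ok")


if __name__ == "__main__":
    # Constructed requests: one clean, one with duplicated ids, one XML bomb prelude.
    print(filter_request("198.51.100.7", "id=1&page=2", "application/json", b'{"a": {"b": [1, 2]}}'))
    print(filter_request("198.51.100.7", "id=1&id=2", "application/json", b"{}"))
    print(filter_request("198.51.100.7", "", "text/xml",
                         b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>'))
```

The body-size check comes before parsing on purpose: a parser that is handed the bytes first is the thing the DoS payload is aimed at.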
Quota Management/Rate Limiting
Restrict the number of calls an App can make. Apply controls based on context, affinity, segmentation etc.
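An added example tying the Licensing slide to this one (not SOA Software code): a license record fixes which OAuth scopes an app key may use and what quota it gets, and the gateway enforces both per app key with a sliding-window counter. License names, limits and app keys are constructed; the "context, affinity, segmentation" controls the slide mentions would be extra dimensions in the counter key (for example app key plus user or plus API) rather than a different algorithm.

```python
"""License-driven scope and quota enforcement at the gateway
(added example; licenses, limits and app keys are constructed)."""
import time
from collections import deque

# A license packages an API: allowed scopes plus a quota policy.
LICENSES = {
    "free":    {"scopes": {"profile:read"},                  "limit": 5,    "window": 60},
    "partner": {"scopes": {"profile:read", "profile:write"}, "limit": 1000, "window": 60},
}
# App key -> license it was provisioned under.
APP_KEYS = {"app-free-1": "free", "app-partner-9": "partner"}


class QuotaGateway:
    """Sliding-window rate limiter keyed on the app key, with the limit
    and window taken from the key's license."""

    def __init__(self, now=time.time):
        self.now = now
        self.hits = {}   # app key -> deque of call timestamps inside the window

    def check(self, app_key, scope):
        """Returns (http_status, reason) for one call attempting `scope`."""
        lic_name = APP_KEYS.get(app_key)
        if lic_name is None:
            return 401, "unknown app key"
        lic = LICENSES[lic_name]
        if scope not in lic["scopes"]:
            return 403, f"scope not in {lic_name} license"
        q = self.hits.setdefault(app_key, deque())
        t = self.now()
        while q and q[0] <= t - lic["window"]:   # drop calls that fell out of the window
            q.popleft()
        if len(q) >= lic["limit"]:
            retry = int(q[0] + lic["window"] - t) + 1   # seconds until the oldest hit expires
            return 429, f"quota exceeded, retry in {retry}s"
        q.append(t)
        return 200, "ok"


if __name__ == "__main__":
    g = QuotaGateway()
    for _ in range(6):
        print(g.check("app-free-1", "profile:read"))      # sixth call in a minute is refused
    print(g.check("app-free-1", "profile:write"))         # free license lacks the scope
```

Returning the retry interval lets well-behaved apps back off instead of hammering the 429; the 403 for a scope outside the license is reported separately from the 401 for an unknown key so that analytics can tell misconfigured partners from unauthenticated traffic.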
SOA Software API Gateway
Gateway
• Security: Authentication, Protection, IAM Integration, Encryption, Mediation
• Quality of Service: Paging/Caching, Orchestration, Scripting
The SOA Software API Platform
Analytics, Developer Engagement, Gateway Services, Service Integration, Lifecycle Management
Flexible Deployment Model
SOA Software API Platform Capabilities
Platform: Licensing, Quota Mgmt., Partner Mgmt., PCI Compliance, Provisioning, Policy Mgmt., Monitoring, OAuth, Federation, Analytics, Lifecycle (API/Services, Application, User), Compliance, Integrations
Gateway: Security (Authentication, Protection, IAM Integration, Encryption, Mediation); Quality of Service (Paging/Caching, Orchestration, Scripting)
API Portal: Search, Documentation, Groups, Social
Questions