API Security and Management Best Practices

Download as PPTX, PDF

5 likes4,530 views

The document discusses best practices for API security and management, emphasizing the importance of trust, equality, and cultural understanding between API users and developers. It outlines multiple key practices such as separating security roles, utilizing SSL, and managing access control to mitigate security risks. The document also highlights the evolving landscape of APIs and the need for secure and well-managed API development.

Technology

API Security and Management
Best Practices
K Scott Morrison
CTO & Chief Architect

Feb 26, 2012

Researchers have discovered
that the national divorce rate
has been falling since 2006…

2007: 3.6 divorces per 1000 people
2008: 3.5 divorces per 1000 people
2009: 3.4 divorces per 1000 people

So, does this mean people are getting better at relationships?

Source: Slate http://slate.me/wGf9et

They require
^
maintenance.
very high
high

This talk is about how to
have a successful
API relationship.

Best Practice #1

It takes two to tango.

Successful
relationships
are built on
trust and
equality

BP #2

Understand and
respect the cultural
differences.

The New Identity Management

API Users API Developers
External Internal

APIs change composition
of internal teams
Product API
CFO
Manager Developer
Business Security
Manager Officer

BP #4

Take security away
from developers.

Separation of
Concerns
API
Server

API
Expert
API
Proxy
Security
Expert

SQL Injection (courtesy
XKCD)
Exploits of a Mom

Source: https://xkcd.com/327/

API Security and Management Best Practices

BP #7

It’s still all about
access control.

BP #9

Manage
misconfiguration risk
with appliances.

Protect the
Servers API
Client

Firewall

API
Proxy

DMZ

API
Server Secure
Zone Enterprise
Network

The New Governance
Old New
Documentation WSDL Wiki/Blog
Discovery Reg/Rep Search
Approval G10 Platform Email
Enforcement Gateway Gateway
User Provisioning IAM Portal
Community What’s that? Forum

The Layer 7 API
Developer Portal
API
Client

Firewall

iPhone
API
Developer
Proxy

API API
Server Portal

Enterprise
Network

To Summarize:
 The game has changed
Clients need attention

 The security problems are the same
But the names have changed

 Don’t just build APIs
Build secure and managed APIs

Don’t Miss @RSA Conference
2012
 ASEC-402: Hacking’s Gilded Age: How APIs Will
Increase IT Risk
K. Scott Morrison
Friday, March 02 10:10 a.m.
Room 302

 STAR-402: Enterprise Access Control Patterns for
REST and Web API
Francois Lascelles
Friday, March 02 10:10 a.m.
Room 304

Yes, they are at the same time. You
must choose…

Picture Credits
 Antelope Canyon 4 by klsmith– stock.exchg
 Band silhouettes by mr_basmt– stock.exchg

For further information:

K. Scott Morrison
Chief Technology Officer & Chief Architect
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377

smorrison@layer7tech.com
http://www.layer7tech.com

February 2012

More Related Content

What's hot (20)

PPTX

Api security teodorcotruta

ODP

Security components in mule esbhimajareddys

ODP

Security in mulesoftakshay yeluru

PPTX

Deep-Dive: API Security in the Digital AgeApigee | Google Cloud

PDF

Guidelines to protect your APIs from threatsIsabelle Mauny

PPTX

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management

PDF

API Security In Cloud Native EraWSO2

PDF

42crunch-API-security-workshop42Crunch

PPTX

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management

PPTX

Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud

PPTX

The Inconvenient Truth About API SecurityDistil Networks

PDF

Protecting Your APIs Against Attack & Hijack CA API Management

PPTX

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays

PPTX

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham

PDF

SecDevOps for API Security42Crunch

PDF

apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...apidays

PPTX

Gateway/APIC securityShiu-Fun Poon

PPTX

Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham

PPTX

Security in microservices architecturesinovia

PPTX

DevOps & Apps - Building and Operating Successful Mobile AppsApigee | Google Cloud

Api security teodorcotruta

Security components in mule esbhimajareddys

Security in mulesoftakshay yeluru

Deep-Dive: API Security in the Digital AgeApigee | Google Cloud

Guidelines to protect your APIs from threatsIsabelle Mauny

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management

API Security In Cloud Native EraWSO2

42crunch-API-security-workshop42Crunch

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management

Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud

The Inconvenient Truth About API SecurityDistil Networks

Protecting Your APIs Against Attack & Hijack CA API Management

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham

SecDevOps for API Security42Crunch

apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...apidays

Gateway/APIC securityShiu-Fun Poon

Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham

Security in microservices architecturesinovia

DevOps & Apps - Building and Operating Successful Mobile AppsApigee | Google Cloud

Viewers also liked (20)

PPTX

Deep-Dive: Secure API ManagementApigee | Google Cloud

PPTX

Secure Your REST API (The Right Way)Stormpath

PDF

API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management

PDF

Api architectures for the modern enterpriseCA API Management

PDF

Best Practices for API Management WSO2

PDF

Architecting &Building Scalable Secure Web APISHAKIL AKHTAR

PDF

Zentral presentation MacAdmins meetup Univ. Utah Henry Stamerjohann

PDF

Secure and Govern Integration between the Enterprise & the CloudCA API Management

PDF

Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs

PPTX

Security Best PracticesClint Edmonson

PDF

Designing & Implementing Hypermedia APIs – Mike Amundsen, Principal API Archi...CA API Management

PDF

Web Summit 2015 - Enterprise stage - Cloud, Open-Source, SecurityDiogo Mónica

PPTX

ApiworldOwen Rubel

PDF

Towards a Federated Cloud EcosystemClovis Chapman

PDF

MTLS in a Microservices WorldDiogo Mónica

PDF

Reusable APIsCA API Management

PDF

APIs for biz dev 2.0 - Which business model to win in the API Economy?3scale

PPTX

Introducing SwaggerTony Tam

PDF

RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7CA API Management

PDF

오픈 API 서비스 A to Z: Daum API를 중심으로 (윤석찬, Daum) :: API Meetup 2014Channy Yun

Deep-Dive: Secure API ManagementApigee | Google Cloud

Secure Your REST API (The Right Way)Stormpath

API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management

Api architectures for the modern enterpriseCA API Management

Best Practices for API Management WSO2

Architecting &Building Scalable Secure Web APISHAKIL AKHTAR

Zentral presentation MacAdmins meetup Univ. Utah Henry Stamerjohann

Secure and Govern Integration between the Enterprise & the CloudCA API Management

Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs

Security Best PracticesClint Edmonson

Designing & Implementing Hypermedia APIs – Mike Amundsen, Principal API Archi...CA API Management

Web Summit 2015 - Enterprise stage - Cloud, Open-Source, SecurityDiogo Mónica

ApiworldOwen Rubel

Towards a Federated Cloud EcosystemClovis Chapman

MTLS in a Microservices WorldDiogo Mónica

Reusable APIsCA API Management

APIs for biz dev 2.0 - Which business model to win in the API Economy?3scale

Introducing SwaggerTony Tam

RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7CA API Management

오픈 API 서비스 A to Z: Daum API를 중심으로 (윤석찬, Daum) :: API Meetup 2014Channy Yun

Similar to API Security and Management Best Practices (20)

PPTX

How to Build a Successful API Program: Best Practices For the CarrierCA API Management

PPTX

Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseCA API Management

PPTX

Cross Platform Mobile Apps with APIs from Qcon San FranciscoCA API Management

PDF

Managing API Security in SaaS and CloudCA API Management

PDF

Managing API Security in SaaS and CloudCA API Management

PPTX

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays

PDF

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays

PDF

5 Ways to Get Top Mobile App Developer Talent for Your Open APIs CA API Management

PDF

OWASPAPISecurityJie Liau

PPTX

ROI for APIs: Using Hackathons to Evaluate Your API ProgramCA API Management

PDF

2022 APIsecure_Shift Left API Security - The Right WayAPIsecure_ Official

PDF

API Testing and Hacking (1).pdfVishwas N

PDF

API Testing and Hacking.pdfVishwasN6

PDF

API Testing and Hacking.pdfVishwas N

PPTX

A great api is hard to findDan Diephouse

PPTX

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...APIsecure_ Official

PDF

apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays

PDF

Melbourne API Management SeminarCA API Management

PDF

Cyberlands Sales DeckCyberlands B.V.

PPTX

5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management

How to Build a Successful API Program: Best Practices For the CarrierCA API Management

Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseCA API Management

Cross Platform Mobile Apps with APIs from Qcon San FranciscoCA API Management

Managing API Security in SaaS and CloudCA API Management

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays

5 Ways to Get Top Mobile App Developer Talent for Your Open APIs CA API Management

OWASPAPISecurityJie Liau

ROI for APIs: Using Hackathons to Evaluate Your API ProgramCA API Management

2022 APIsecure_Shift Left API Security - The Right WayAPIsecure_ Official

API Testing and Hacking (1).pdfVishwas N

API Testing and Hacking.pdfVishwasN6

API Testing and Hacking.pdfVishwas N

A great api is hard to findDan Diephouse

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...APIsecure_ Official

apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays

Melbourne API Management SeminarCA API Management

Cyberlands Sales DeckCyberlands B.V.

5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management

More from CA API Management (20)

PDF

Mastering Digital Channels with APIsCA API Management

PDF

Takeaways from API Security Breaches WebinarCA API Management

PDF

Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management

PDF

API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management

PPTX

API Monetization: Unlock the Value of Your DataCA API Management

PDF

Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management

PDF

Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management

PDF

Enabling the Multi-Device UniverseCA API Management

PDF

Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management

PDF

The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management

PPTX

APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management

PDF

Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management

PPTX

Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management

PDF

5 steps end to end security consumer appsCA API Management

PDF

Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management

PPTX

Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management

PDF

Using APIs to Create an Omni-Channel Retail ExperienceCA API Management

PPTX

Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management

PDF

Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management

PPTX

The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management

Mastering Digital Channels with APIsCA API Management

Takeaways from API Security Breaches WebinarCA API Management

Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management

API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management

API Monetization: Unlock the Value of Your DataCA API Management

Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management

Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management

Enabling the Multi-Device UniverseCA API Management

Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management

The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management

APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management

Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management

Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management

5 steps end to end security consumer appsCA API Management

Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management

Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management

Using APIs to Create an Omni-Channel Retail ExperienceCA API Management

Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management

Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management

The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management

Recently uploaded (20)

PPTX

Top iOS App Development Company in the USA for Innovative AppsSynapseIndia

PPTX

OpenID AuthZEN - Analyst Briefing July 2025David Brossard

PDF

Blockchain Transactions Explained For EveryoneCIFDAQ

PPTX

AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptxsameeraaabegumm

PDF

Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdfdarshakparmar

PDF

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

PDF

CIFDAQ Token Spotlight for 9th July 2025CIFDAQ

PPTX

MSP360 Backup Scheduling and Retention Best Practices.pptxMSP360

PDF

Smart Trailers 2025 Update with History and OverviewPaul Menig

PDF

[Newgen] NewgenONE Marvin Brochure 1.pdfdarshakparmar

PDF

Chris Elwell Woburn, MA - Passionate About IT InnovationChris Elwell Woburn, MA

PDF

Presentation - Vibe Coding The Future of Techyanuarsinggih1

PDF

Achieving Consistent and Reliable AI Code Generation - Medusa AImedusaaico

PPTX

Webinar: Introduction to LF Energy EVerestDanBrown980551

PDF

CIFDAQ Market Insights for July 7th 2025CIFDAQ

PDF

"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...Fwdays

PDF

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

PDF

How Startups Are Growing Faster with App Developers in Australia.pdfIndia App Developer

PDF

Agentic AI lifecycle for Enterprise Hyper-AutomationDebmalya Biswas

PDF

New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025BookNet Canada

Top iOS App Development Company in the USA for Innovative AppsSynapseIndia

OpenID AuthZEN - Analyst Briefing July 2025David Brossard

Blockchain Transactions Explained For EveryoneCIFDAQ

AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptxsameeraaabegumm

Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdfdarshakparmar

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

CIFDAQ Token Spotlight for 9th July 2025CIFDAQ

MSP360 Backup Scheduling and Retention Best Practices.pptxMSP360

Smart Trailers 2025 Update with History and OverviewPaul Menig

[Newgen] NewgenONE Marvin Brochure 1.pdfdarshakparmar

Chris Elwell Woburn, MA - Passionate About IT InnovationChris Elwell Woburn, MA

Presentation - Vibe Coding The Future of Techyanuarsinggih1

Achieving Consistent and Reliable AI Code Generation - Medusa AImedusaaico

Webinar: Introduction to LF Energy EVerestDanBrown980551

CIFDAQ Market Insights for July 7th 2025CIFDAQ

"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...Fwdays

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

How Startups Are Growing Faster with App Developers in Australia.pdfIndia App Developer

Agentic AI lifecycle for Enterprise Hyper-AutomationDebmalya Biswas

New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025BookNet Canada

API Security and Management Best Practices

1. API Security and Management Best Practices K Scott Morrison CTO & Chief Architect Feb 26, 2012

2. Researchers have discovered that the national divorce rate has been falling since 2006…

3. 2007: 3.6 divorces per 1000 people 2008: 3.5 divorces per 1000 people 2009: 3.4 divorces per 1000 people So, does this mean people are getting better at relationships? Source: Slate http://slate.me/wGf9et

4. No.

5. It’s because of the recession.

6. APIs are like a relationship

7. They require ^ maintenance. very high high

8. This talk is about how to have a successful API relationship.

9. Piece of Advice #1

10. Best Practice #1 It takes two to tango.

11. The Web wasn’t a relationship

12. Successful relationships are built on trust and equality

13. Equal, but different

14. BP #2 Understand and respect the cultural differences.

15. Client Server

16. Inside Outside

17. Us Them

18. Contractor Regular

19. Partner Contractor Regular

20. Partner No Affiliation Regular

21. The New Identity Management API Users API Developers External Internal

22. APIs change composition of internal teams Product API CFO Manager Developer Business Security Manager Officer

23. BP #3 Memorize this simple equation.

24. API Development != Web Development

25. Beware of habits

26. BP #4 Take security away from developers.

27. Separation of Concerns API Server API Expert API Proxy Security Expert

28. BP #5 Trust, but verify.

29. SQL Injection (courtesy XKCD) Exploits of a Mom Source: https://xkcd.com/327/

31. BP #6 SSL everywhere.

32. It’s Cheap

33. BP #7 It’s still all about access control.

34. But think hard about tokens

35. BP #8 Don’t roll your own.

36. Security is hard to get right

37. BP #9 Manage misconfiguration risk with appliances.

38. Protect the Servers API Client Firewall API Proxy DMZ API Server Secure Zone Enterprise Network

39. BP #10 Engage the developers.

40. The New Governance Old New Documentation WSDL Wiki/Blog Discovery Reg/Rep Search Approval G10 Platform Email Enforcement Gateway Gateway User Provisioning IAM Portal Community What’s that? Forum

41. The Layer 7 API Developer Portal API Client Firewall iPhone API Developer Proxy API API Server Portal Enterprise Network

42. To Summarize:  The game has changed Clients need attention  The security problems are the same But the names have changed  Don’t just build APIs Build secure and managed APIs

43. Don’t Miss @RSA Conference 2012  ASEC-402: Hacking’s Gilded Age: How APIs Will Increase IT Risk K. Scott Morrison Friday, March 02 10:10 a.m. Room 302  STAR-402: Enterprise Access Control Patterns for REST and Web API Francois Lascelles Friday, March 02 10:10 a.m. Room 304 Yes, they are at the same time. You must choose…

44. Picture Credits  Antelope Canyon 4 by klsmith– stock.exchg  Band silhouettes by mr_basmt– stock.exchg

45. For further information: K. Scott Morrison Chief Technology Officer & Chief Architect Layer 7 Technologies 1100 Melville St, Suite 405 Vancouver, B.C. V6E 4A6 Canada (800) 681-9377 [email protected] http://www.layer7tech.com February 2012

Editor's Notes

#3: Everyone here needs to choose.Ignore the middle groundAre you fearfulOr are you confident?
#5: Everyone here needs to choose.Ignore the middle groundAre you fearfulOr are you confident?
#6: Everyone here needs to choose.Ignore the middle groundAre you fearfulOr are you confident?
#26: Token protection, SSL, etc.
#39: The new enterprise web is about integration
#42: The new enterprise web is about integration