API Security in a Cloud Native Era
Malintha Amarasinghe, Associate Technical Lead, WSO2
Thilini Shanika, Associate Technical Lead, WSO2
Cloud Native at a glance
Monolithic style vs Microservice style
Cloud Native Applications
● Comprised of a collection of loosely coupled lightweight microservices
○ Developed independently
○ Deployed independently
○ Scaled independently
● Decreased Time-To-Market
● Lower costs
● Extensibility and security
Challenges
Challenges in Securing Microservices
● Broader attack surface due to a large number of entry points
○ Security screening should be enforced at each endpoint level
● Performance
● Sharing user context
● Observability
○ Audit and application logging
○ Health check
○ Metrics
● Deployment complexities
○ Provisioning keys
Should we add a complex security stack over microservices themselves?
(Diagram: a separate AUTH layer drawn in front of each microservice)
No
A microservice:
- performs one and only one business function
- Do that one thing best!
API Gateway
● Handling security is delegated to the API Gateway.
● Microservices can focus only on their business logic.
● Solves the multiple entry point problem.
API Gateway
● Responsible for three main functionalities from a security point of view:
○ Authentication and Authorization
○ Protection against malicious content
○ Abnormal pattern detection
API Authentication and Authorization
● APIs are mostly exposed to external users.
● Three parties are involved:
○ API Creator
○ Application Creator
○ End User
● Access delegation is important.
OAuth 2.0
● OAuth 2.0 is the de facto standard for API security
● Solves the requirement of access delegation when three parties are involved.
● Multiple grant types to support various use cases
○ password, client-credentials, authorization-code, ...
● Two types of tokens
○ Self-contained access tokens (JWTs)
○ Reference tokens (opaque tokens)
Self Contained Access Tokens (JWTs)
● A JSON payload with header and signature sections
● Signed using a shared secret or a public/private key pair
● Contains all the information required for validation
● A better approach for the microservice world
Reference Tokens
OAuth 2.0 - Grant Types
• Password Grant
– Simple to implement
– Less secure
– Can be used when the Client and the Authz Server belong to the same entity.
OAuth 2.0 - Grant Types
• Authorization Code
– Authenticates the user at the Authorization Server.
– The user doesn't pass credentials to the Client Application
– The Client Application can ensure that the access token will not be exposed to any 3rd party (even the User Agent)
– Suitable for traditional web applications
(Sequence diagram: Authorization Code grant. Participants: Resource Owner, Application (OAuth Client), OAuth Authorization Server, OAuth Resource Server. Prerequisite: the client application is registered with the Authz Server, manually or via Dynamic Client Registration. Labelled messages, in flow order:)
- Authorize Request (clientId)
- Authenticate + Consent
- Authz Code (302 redirect)
- Access Token Rq (clientId + clientSecret + code)
- Access Token
- Resource Request (with Access Token)
- Introspect (Access Token)
Securing Single Page Apps and Mobile Apps
• Single Page Apps (SPAs) and Mobile Apps are becoming increasingly popular.
• Provide users with a rich and responsive user interface.
• The common security mechanism in use:
– Authorization Code with a public, untrusted client
• Client authentication is not performed.
• PKCE (Proof Key for Code Exchange)
Authorization Code with PKCE
• OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack.
(Sequence diagram: Authorization Code grant with PKCE. Participants: Resource Owner, Application (OAuth Client), OAuth Authorization Server, OAuth Resource Server. Labelled messages, in flow order:)
- Authorize Request (clientId + challenge + challenge_method)
- Authenticate + Consent
- Authz Code (302 redirect)
- Access Token Rq (code + verifier)
- Access Token
- Resource Request (with Access Token)
- Introspect (Access Token)
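The exchange in the two Authorization Code diagrams, as an added Python example that is not part of the slides or of WSO2's products: the public client derives the S256 challenge from a random verifier, the authorization server binds the challenge to a single-use code when it issues the Authz Code, and the token endpoint redeems the code only when the presented verifier hashes to the stored challenge, which is why a captured code alone is worthless. The AuthorizationServer class, the client id spa-client and the access token format are constructed for the example; the verifier/challenge pair used to check the transform is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """RFC 7636 code_verifier: high-entropy random string; 32 bytes give 43 unreserved chars."""
    return _b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory stand-in for the two PKCE-relevant endpoints of the Authz Server."""

    def __init__(self) -> None:
        self._pending: Dict[str, Dict[str, str]] = {}  # code -> {client_id, challenge}

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        """Authorize Request (clientId + challenge + challenge_method). After the resource owner
        has authenticated and consented, bind the challenge to a fresh single-use code."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 accepted; 'plain' gives no protection once the code leaks")
        code = secrets.token_urlsafe(24)
        self._pending[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        """Access Token Rq (code + verifier). The code is redeemed only by the party holding the
        verifier whose S256 hash was bound to it. Returns None on any failure."""
        record = self._pending.pop(code, None)  # single use: a failed attempt also burns the code
        if record is None or record["client_id"] != client_id:
            return None
        if not secrets.compare_digest(make_challenge(code_verifier), record["challenge"]):
            return None
        return "at-" + secrets.token_hex(8)  # constructed token; a JWT or opaque token in practice


def demo_flow() -> Dict[str, bool]:
    """Three outcomes: the legitimate client, a replay of an already-used code, and a party
    that only saw the redirect (so holds the code but not the verifier)."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize("spa-client", make_challenge(verifier), "S256")
    client_ok = server.token("spa-client", code, verifier) is not None
    replay_ok = server.token("spa-client", code, verifier) is not None
    verifier2 = make_verifier()
    code2 = server.authorize("spa-client", make_challenge(verifier2), "S256")
    no_verifier_ok = server.token("spa-client", code2, make_verifier()) is not None
    return {"client": client_ok, "replayed_code": replay_ok, "code_without_verifier": no_verifier_ok}


if __name__ == "__main__":
    print(demo_flow())
```

The verifier never leaves the client until the token request, and that request goes directly to the token endpoint rather than through the user agent redirect, which is the property the interception attack on the previous slide lacks.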
OAuth 2.0 - Grant Types (contd.)
• Client Credentials
• Implicit
• JWT Bearer Grant
• SAML Bearer Grant
OAuth 2.0 - Scopes
● Enable fine-grained access control to API resources
● Limit the amount of access granted to an access token
○ i.e. the scopes specify what the Client Application can do on behalf of the end user.
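How a gateway turns scopes into a per-request decision, as an added Python example that is not from the slides or from WSO2 API Manager: each operation of the demo's inventory API is mapped to the scopes a token must carry, the token's space-delimited scope claim is parsed, and the request is allowed only when every required scope is present. The route table, the scope names and the path templates are constructed for the example; the 403 detail follows the RFC 6750 insufficient_scope error.

```python
from typing import Dict, List, Optional, Tuple

# Constructed route table: (method, path template) -> scopes the access token must carry.
# Anything not listed is refused (default deny), so a new endpoint cannot be reached
# by accident before someone has decided which scope protects it.
ROUTE_SCOPES: Dict[Tuple[str, str], List[str]] = {
    ("GET", "/inventory"): ["inventory:read"],
    ("GET", "/inventory/{id}"): ["inventory:read"],
    ("POST", "/inventory"): ["inventory:write"],
    ("DELETE", "/inventory/{id}"): ["inventory:write", "inventory:admin"],
}


def _matches(template: str, path: str) -> bool:
    """A '{name}' segment in the template matches exactly one path segment."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    return len(t_parts) == len(p_parts) and all(
        t.startswith("{") or t == p for t, p in zip(t_parts, p_parts)
    )


def required_scopes(method: str, path: str) -> Optional[List[str]]:
    for (route_method, template), scopes in ROUTE_SCOPES.items():
        if route_method == method and _matches(template, path):
            return scopes
    return None


def authorize_request(method: str, path: str, token_scope: str) -> Tuple[int, str]:
    """Gateway decision taken after the token itself has been validated: allow only if the
    token's scopes cover every scope the matched route requires."""
    needed = required_scopes(method, path)
    if needed is None:
        return 404, "no such route"
    granted = set(token_scope.split())  # the scope claim is space-delimited (RFC 6749 section 3.3)
    missing = [s for s in needed if s not in granted]
    if missing:
        # Tell the client which scopes the operation needs so it can re-request consent.
        return 403, 'error="insufficient_scope", scope="' + " ".join(needed) + '"'
    return 200, "ok"


if __name__ == "__main__":
    for method, path, scope in [("GET", "/inventory/42", "inventory:read"),
                                ("POST", "/inventory", "inventory:read"),
                                ("DELETE", "/inventory/42", "inventory:write inventory:admin")]:
        print(method, path, authorize_request(method, path, scope))
```

Requiring all listed scopes (rather than any one of them) keeps a token issued for reporting from being reused for deletion just because both happen to include inventory:write.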
Demo
Inventory Management System
Other Authentication Mechanisms ..
• API Key
– A secret token that only the API client and the server know
• Basic Authentication
– Standard HTTP Authorization header with base64-encoded username and password value
Authorization: Basic base64-encoded(username:password)
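A gateway-side check for the two header formats above, as an added Python example that is not from the slides or from WSO2: the Basic header is decoded and split at the first colon only (passwords may contain colons), the password is compared against a stored salted hash in constant time, and an API key is looked up by its hash so the key store never holds the secret itself. The credential store, salt, user, password, API key and the X-API-Key header name are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed credential store. Secrets are never stored in plaintext: passwords as
# salted PBKDF2 hashes, API keys as SHA-256 digests. The salt and iteration count
# are example values; use a per-user random salt and a tuned work factor in production.
_SALT = b"example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}
API_KEYS = {hashlib.sha256(b"demo-api-key-123").hexdigest(): "inventory-app"}


def authenticate_basic(header: Optional[str]) -> Optional[str]:
    """Parse 'Authorization: Basic base64(username:password)'; return the username or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")  # split on the first colon only
    if not sep:
        return None
    stored = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which usernames exist.
    candidate = _hash_password(password)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    return username


def authenticate_api_key(header: Optional[str]) -> Optional[str]:
    """Resolve an X-API-Key header value to the application it identifies, or None."""
    if not header:
        return None
    return API_KEYS.get(hashlib.sha256(header.encode("utf-8")).hexdigest())


def basic_header(username: str, password: str) -> str:
    """Build the header a client would send; used here to exercise the parser."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(authenticate_basic(basic_header("alice", "correct horse battery staple")))
    print(authenticate_api_key("demo-api-key-123"))
```

Both functions return the identity on success and None on every failure path, so the caller cannot accidentally treat a parse error as an authenticated request.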
Other Authentication Mechanisms ..
● Mutual TLS (Transport Layer Security)
○ Service-to-service authentication over a trusted channel
Open Policy Agent (OPA)
● A lightweight general-purpose policy engine that can be co-located with the service
● Can integrate OPA as a library, sidecar, or a host-level daemon
Propagating Trust And User Identity
● API backends might require the authenticated user context for internal authentication and business functionality
● The user context has to be passed from the API gateway to the backend after the authentication process
● JWT tokens can be used to propagate, between interested parties:
– one's identity
– user entitlements
Protection Against Malicious Content
• Regular expression threat protection
○ Injection attacks (SQL, JavaScript, Java, XPath)
• XML Schema validation
○ XML bombs
○ Schema poisoning
○ Coercive parsing
○ External entity attacks
• JSON Schema validation
○ Coercive parsing
○ Buffer overflow
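What JSON validation at the gateway has to cover to stop the coercive-parsing and oversized-input cases listed above, as an added Python example that is not from the slides or from WSO2 API Manager: the body size is capped before parsing, nesting depth, array length and string length are bounded, every field is type-checked against the operation's schema, and fields the schema does not know are rejected rather than forwarded. The limits, the inventory item schema and the sample bodies are constructed for the example.

```python
import json
from typing import Any, Dict, List

# Constructed limits and field schema for POST /inventory in the demo API; a real gateway
# takes these from the API definition (for example a JSON Schema attached to the operation).
MAX_BODY_BYTES = 4096
MAX_DEPTH = 8
MAX_STRING_LEN = 256
MAX_ARRAY_LEN = 100
ITEM_SCHEMA: Dict[str, type] = {"sku": str, "name": str, "quantity": int, "price": float}


def _check_limits(node: Any, depth: int, errors: List[str]) -> None:
    """Walk the parsed document once and record structural limit violations."""
    if depth > MAX_DEPTH:
        errors.append(f"nesting deeper than {MAX_DEPTH}")
        return
    if isinstance(node, dict):
        for key, value in node.items():
            if len(key) > MAX_STRING_LEN:
                errors.append(f"key longer than {MAX_STRING_LEN}")
            _check_limits(value, depth + 1, errors)
    elif isinstance(node, list):
        if len(node) > MAX_ARRAY_LEN:
            errors.append(f"array longer than {MAX_ARRAY_LEN}")
        for value in node:
            _check_limits(value, depth + 1, errors)
    elif isinstance(node, str) and len(node) > MAX_STRING_LEN:
        errors.append(f"string longer than {MAX_STRING_LEN}")


def _type_ok(value: Any, expected: type) -> bool:
    if isinstance(value, bool):  # bool subclasses int; never accept it for numeric fields
        return expected is bool
    if expected is float:
        return isinstance(value, (int, float))
    return isinstance(value, expected)


def validate_item(body: bytes) -> List[str]:
    """Return the list of violations for a request body (empty list means accept).
    Size is checked before parsing, structure before field types, and unknown fields
    are rejected instead of being passed through to the backend."""
    if len(body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError) as exc:  # RecursionError: parser hit pathological nesting
        return [f"malformed JSON: {type(exc).__name__}"]
    errors: List[str] = []
    _check_limits(doc, 1, errors)
    if errors:
        return errors
    if not isinstance(doc, dict):
        return ["top level must be an object"]
    for field, expected in ITEM_SCHEMA.items():
        if field not in doc:
            errors.append(f"missing field {field}")
        elif not _type_ok(doc[field], expected):
            errors.append(f"field {field} must be {expected.__name__}")
    for extra in sorted(set(doc) - set(ITEM_SCHEMA)):
        errors.append(f"unexpected field {extra}")
    if not errors and doc["quantity"] < 0:
        errors.append("quantity must be >= 0")
    return errors


if __name__ == "__main__":
    print(validate_item(b'{"sku": "A-1", "name": "Widget", "quantity": 3, "price": 9.5}'))
    print(validate_item(b'{"sku": "A-1", "name": "Widget", "quantity": "3", "price": 9.5}'))
```

Checking the byte length before json.loads is the part that matters for the oversized-payload cases: once the parser has run, the memory has already been spent.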
Abnormal Activity Patterns
• Account takeover with stolen credentials
• Login attacks
• API takeover attacks
• Data extraction or theft
• Data scraping
• Targeted API DDoS attacks
• Data deletion/manipulation
• Data injection
• Malicious code injection
Abnormal pattern detection by AI
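Before any AI model, the two patterns at the top of this list (login attacks and data scraping) are detectable with rate thresholds over gateway access logs. The following Python example is added here and is not from the slides or from WSO2 API Manager's analytics: it keeps a sliding one-minute window per user of failed token requests and per application of successful reads, and raises one alert per key when a threshold is crossed. The log line format, the thresholds and the log lines themselves are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed thresholds; real values come from a baseline of normal traffic per API.
WINDOW = timedelta(minutes=1)
FAIL_THRESHOLD = 5      # failed token requests for one user inside the window
READ_THRESHOLD = 50     # successful GETs by one application inside the window


def constructed_log() -> List[str]:
    """Constructed gateway access log: '<ts>Z app=<id> user=<id> <method> <path> <status>'."""
    base = datetime(2019, 11, 12, 10, 0, 0)
    lines = []
    for i in range(6):   # six password-grant failures for alice within 30 seconds
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}Z app=unknown user=alice POST /token 401")
    for i in range(60):  # sixty sequential item reads by one app within a minute
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z app=scraper user=bob GET /inventory/{i} 200")
    lines.append(f"{(base + timedelta(seconds=70)).isoformat()}Z app=web user=carol GET /inventory/7 200")
    return lines


def parse_line(line: str) -> Tuple[datetime, str, str, str, str, int]:
    ts, app, user, method, path, status = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), app[len("app="):],
            user[len("user="):], method, path, int(status))


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Sliding-window detector. Returns (pattern, key) alerts, at most one per key."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    alerted = set()
    for ts, app, user, method, path, status in events:
        if path == "/token" and status == 401:
            key, threshold = ("repeated_login_failures", user), FAIL_THRESHOLD
        elif method == "GET" and status == 200:
            key, threshold = ("high_read_rate", app), READ_THRESHOLD
        else:
            continue
        window = windows[key]
        window.append(ts)
        while window and ts - window[0] > WINDOW:  # drop events older than the window
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(key)
    return alerts


if __name__ == "__main__":
    for pattern, key in detect(constructed_log()):
        print(f"{pattern}: {key}")
```

Keying login failures by target user rather than by source catches credential attacks spread across many client addresses, while keying reads by application catches scraping that stays under any per-user limit.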
Webinars to Follow
● November 19 - Cloud Native APIs: The API Operator for Kubernetes
● November 21 - Mine Your APIs for Gold: API Monetization
● December 03 - Beautifying the Beautiful: Theming WSO2 API Manager
● December 05 - Building a CI/CD Pipeline for APIs
Q & A
THANK YOU
wso2.com
