LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure
0 likes•21 views
This document discusses the need for a holistic approach to API security as APIs have become more widely used. It notes that API security needs to evolve from established perimeter security models to new models to account for blurred perimeters from APIs. The document advocates considering all aspects of API security including authentication, authorization, integrity, confidentiality, availability, auditability and more. It also stresses that the right infrastructure is needed and that a one-size-fits-all approach does not work given differences in APIs. The document promotes securing APIs through the entire development lifecycle from design to deployment using a Sec-Dev-Ops model with collaboration between teams.
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure
- 1. AN HOLISTIC APPROACH TO API SECURITY ISABELLE MAUNY - CTO The API Security Platform for the Enterprise
- 2. API SECURITY NEEDS TO 2 EVOLVE
- 3. TITLE TEXT Complex deployments 3 FROM ESTABLISHED PERIMETER…
- 5. TITLE TEXT 5 App icon made by https://www.flaticon.com/authors/pixel-buddha Internal Partner Public VIRTUAL APPLICATION NETWORKS
- 6. TITLE TEXTFAST APP DELIVERY 6 APPLICATION DEVELOPMENT APPLICATION SECURITY
- 7. 7 SECURITY IS NEEDED. ALWAYS. 1
- 8. 8 EXPOSING ENTERPRISE DATA AND PROCESSES. WHAT ARE APIS FOR ?
- 9. 9 Internal External 80 55 57 69 Now Expect in the next 18 months Source: @The State of Cybersecurity and Digital Trust 2016” Accenture and HIS Research - Sample: 208 Enterprise Security Professionals Have you experienced the theft or corruption of internal corporate or user/consumer information by Internal or External threat actors?
- 10. 10
- 11. “I think that a lot of people think that because there is no GUI on an API that no one can find it and it is invisible. But we can find them in about five seconds with a proxy… …Almost every threat that applies to a web app, can happen to an API, but a lot of people for some reason are not protecting them as much as their web applications.” Tanya Janca Application Security Evangelist - AppSec Podcast 11 “
- 12. 12 YOU NEED AN HOLISTIC APPROACH TO API SECURITY2
- 13. 13 Authentication Integrity (transport & message) Audit Confidentiality (transport & message) Availability (Rate Limiting) Authorization Non Repudiation Data Validity (attacks protection)
- 14. 14 YES. You need to consider all of this… … AND you need to configure all aspects in the right way
- 15. 15 EASY TO GET THOSE WRONG!
- 16. 16 AND you need the right infrastructure…
- 17. 17 NOT ALL APIS ARE EQUAL 3
- 18. “Security is a risk control measure…In the security sphere, one size does not fit all. We have to take ‘appropriate measures’. Nat SakimuraFixing OAuth, Nat Sakimura, July 20, 2016, https://nat.sakimura.org/2016/07/20/fixing-oauth/ 18 “
- 19. 19 Financial APIS Security Auth Grant Types OpenID Connect Flows TLS Settings Message Confidentiality Non-Repudiation Message Integrity Financial APIs Working Group: http://openid.net/wg/fapi/
- 20. 20 DEVOPS, BUT WITH SECURITY ON 4
- 22. TITLE TEXTSEC-DEV-OPS IN ACTION 22 Develop Assess Secure TestDocument Deploy Continuous API testing, including security testing Deploy to API Security Platform Configure and apply security policy from assessed risk Assess API description and evaluate risk level Document and annotate API with OpenAPI/Swagger
- 24. 24 RELIES ON STRONG COLLABORATION ACROSS OPERATIONS, DEVELOPMENT, SECURITY AND BUSINESS TEAMS PROPER SECURITY
- 25. CONTACT: [email protected] WWW.42CRUNCH.COM The API Security Platform for the Enterprise