api security: securing digital channels and mobile apps against hacks
DESCRIPTION
More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security or mobile application security.TRANSCRIPT
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security:
Securing Digital
Channels and Mobile
Apps Against Hacks
Sachin AgarwalVP, Product Marketing
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API and SOA Resources
• Resource Center– http://resource.soa.com/
• Webinar Recording– http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
What is an API?
Your ApplicationYour APIYour Customers
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
APIs – Extend the Reach of your Business
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
EVOLUTION OF DIGITAL CHANNELS
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Client-Server/ Web Applications
• No Programmatic Access
• Security through network isolation
• Limited Users
Access locations and variability of operations were limited
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, Certificate based, PKI, WS-Trust
• Some B2B and Partners applications
• Complex, but quite secure and flexible
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
And then came APIs
Disrupting how and where information is accessed
• Mobile and Social Apps don’t’ understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Realizing End-to-End Security
Managing the User Experience
Securing the App - PII, PHI
Enabling Easy Developer Access
Securing the Channel
Securing the Backend
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Understanding the Security Landscape
• Protocol specific threats
• Key Management• OAuth• Monitoring• Licensing• Security Token
Mediation
API Specific Security
Single Sign On MDM
ATP, Firewall, VPN etc.
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
UNDERSTANDING API SECURITY
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
The API Lifecycle
Transform & Secure
Publish
Monetize
Dev. Adoptio
nAPI
SOAP to RESTMobile- Optimization
OAuthMediation
Analytics API Documentation
Applications and
ServicesApps
API Producers
API Consumers
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Security
1Authentication & Authorization
2 App Key Validation/Licensing
3 Message Security
4 Threat Protection
5 Content Filtering
6 Rate Limiting
Developers
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Authentication/Authorization/SSO
Control and restrict access to your APIsMake it easy yet secure
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
User
Resource Owner
Client App
Resource Server
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
OAuth Flow
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
OAuth – You need
• OAuth Clients• Provisioning• Approval Flow
• OAuth Server• Identity Integration• Token Validation• Token Issue/refresh
• Token Mediation (SAML, LDAP etc)• QoS, Monitoring• Policy Management• API Proxying• Reporting• Analytics
OAuth is hard and complicated
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Licensing
Package your APIs in different waysUse API keys to restrict what the App can access
The licenses control:– OAuth Authorization Scopes– Document visibility– Quota policies
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Message and Parameter Security
HTTP Parameter• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=
mykey• Protect API Keys with HMAC – Hash-based Message Authentication Code
Message Security• Implement HTTPS• For XML payloads encrypt specific parts of the message
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Threat Protection
• Denial of Service• Injection Attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting• Network address and range
blacklists/whitelists • HTTP Parameter Stuffing
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Content Filtering
• Provide a content firewall,
protecting against malicious
content
• Validate message content
including message headers,
form and query parameters,
XML and JSON data
structures.
• Policies for XML and JSON
DoS
• Protection against viruses in
attachments and other binary
content via ICAP integration
with leading anti-virus
engines
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Quota Management/Rate Limiting
Restrict the number of calls an App can makeApply controls based on context, affinity, segmentation etc.
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
SOA Software API Gateway
Gateway
Security
Authentication
Protection
IAM Integration
Encryption
Mediation
Quality of
Service
Paging/Caching
Orchestration
Scripting
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
The SOA Software API Platform
Analytics
Developer Engagement
Gateway Services
Service Integration
Lifecycle Management
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Flexible Deployment Model
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
SOA Software API Platform Capabilities
Platform
Licensing
Quota Mgmt.
Partner Mgmt.
PCI Compliance
Provisioning
Policy Mgmt.
Monitoring
OAuth
Federation
Analytics
Lifecycle
API/Services
Application
User
Compliance
Integrations
Gateway
Security
Authentication
Protection
IAM Integration
Encryption
Mediation
Quality of
Service
Paging/Caching
Orchestration
Scripting
API Portal
Search
Documentation
Groups
Social
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Questions
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API and SOA Resources
• Resource Center– http://resource.soa.com/
• Webinar Recording– http://resource.soa.com/resource/webinars
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/soasoftware
@soasoftwareinc