api security: securing digital channels and mobile apps against hacks

Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.

API Security:

Securing Digital

Channels and Mobile

Apps Against Hacks

Sachin AgarwalVP, Product Marketing


API and SOA Resources

• Resource Center– http://resource.soa.com/

• Webinar Recording– http://resource.soa.com/resource/webinars

• Follow us on:

www.facebook.com/soasoftware

www.linkedin.com/company/soasoftware

@soasoftwareinc

http://resource.soa.com/resource/webinars



What is an API?

Your ApplicationYour APIYour Customers


APIs – Extend the Reach of your Business


EVOLUTION OF DIGITAL CHANNELS


Client-Server/ Web Applications

• No Programmatic Access

• Security through network isolation

• Limited Users

Access locations and variability of operations were limited


Web Services

The enterprise opened slightly with Web Services/SOAP

• SSL/TLS, Certificate based, PKI, WS-Trust

• Some B2B and Partners applications

• Complex, but quite secure and flexible


And then came APIs

Disrupting how and where information is accessed

• Mobile and Social Apps don’t’ understand PKI, WS-Security, etc.

• Focus on human readability, developer adoption


Realizing End-to-End Security

Managing the User Experience

Securing the App - PII, PHI

Enabling Easy Developer Access

Securing the Channel

Securing the Backend


Understanding the Security Landscape

• Protocol specific threats

• Key Management• OAuth• Monitoring• Licensing• Security Token

Mediation

API Specific Security

Single Sign On MDM

ATP, Firewall, VPN etc.


UNDERSTANDING API SECURITY


The API Lifecycle

Transform & Secure

Publish

Monetize

Dev. Adoptio

nAPI

SOAP to RESTMobile- Optimization

OAuthMediation

Analytics API Documentation

Applications and

ServicesApps

API Producers

API Consumers


API Security

1Authentication & Authorization

2 App Key Validation/Licensing

3 Message Security

4 Threat Protection

5 Content Filtering

6 Rate Limiting

Developers


Authentication/Authorization/SSO

Control and restrict access to your APIsMake it easy yet secure


Understanding OAuth

OAuth lets a person delegate constrained access from one app to another

User

Resource Owner

Client App

Resource Server


OAuth Flow


OAuth – You need

• OAuth Clients• Provisioning• Approval Flow

• OAuth Server• Identity Integration• Token Validation• Token Issue/refresh

• Token Mediation (SAML, LDAP etc)• QoS, Monitoring• Policy Management• API Proxying• Reporting• Analytics

OAuth is hard and complicated


Licensing

Package your APIs in different waysUse API keys to restrict what the App can access

The licenses control:– OAuth Authorization Scopes– Document visibility– Quota policies


Message and Parameter Security

HTTP Parameter• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=

mykey• Protect API Keys with HMAC – Hash-based Message Authentication Code

Message Security• Implement HTTPS• For XML payloads encrypt specific parts of the message

http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey







Threat Protection

• Denial of Service• Injection Attacks

– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks

• Cross Site Scripting• Network address and range

blacklists/whitelists • HTTP Parameter Stuffing


Content Filtering

• Provide a content firewall,

protecting against malicious

content

• Validate message content

including message headers,

form and query parameters,

XML and JSON data

structures.

• Policies for XML and JSON

DoS

• Protection against viruses in

attachments and other binary

content via ICAP integration

with leading anti-virus

engines


Quota Management/Rate Limiting

Restrict the number of calls an App can makeApply controls based on context, affinity, segmentation etc.


SOA Software API Gateway

Gateway

Security

Authentication

Protection

IAM Integration

Encryption

Mediation

Quality of

Service

Paging/Caching

Orchestration

Scripting


The SOA Software API Platform

Analytics

Developer Engagement

Gateway Services

Service Integration

Lifecycle Management


Flexible Deployment Model


SOA Software API Platform Capabilities

Platform

Licensing

Quota Mgmt.

Partner Mgmt.

PCI Compliance

Provisioning

Policy Mgmt.

Monitoring

OAuth

Federation

Analytics

Lifecycle

API/Services

Application

User

Compliance

Integrations

Gateway

Security

Authentication

Protection

IAM Integration

Encryption

Mediation

Quality of

Service

Paging/Caching

Orchestration

Scripting

API Portal

Search

Documentation

Groups

Social


Questions


API and SOA Resources

• Resource Center– http://resource.soa.com/

• Webinar Recording– http://resource.soa.com/resource/webinars

• Follow us on:

www.facebook.com/soasoftware

www.linkedin.com/company/soasoftware

@soasoftwareinc



api security: securing digital channels and mobile apps against hacks

Technology

oauth oauth

api security copyright

api keys

endtoend security

oauth flowcopyright

complicated oauth clients

message headers

content firewall