Protecting APIs from Mobile Threats - Beyond OAuth
TRANSCRIPT
Protecting APIs from Mobile Threats - Beyond OAuth
Subra Kumaraswamy, Apigee
Caleb Sima, Bluebox
©2015 Apigee. All Rights Reserved.
Agenda
1. API Security – Threats & Protection (Subra Kumaraswamy)
2. Mobile Security – Threats & Protection (Caleb Sima)
Securing the APIs – End-to-End
- Managing Identities in a World of APIs – Tomorrow @ 10:50 am
- Data Driven Security – Tomorrow @ 11:40 am
- Securing the API Lifecycle – Tomorrow @ 2:00 pm
Securing the API – Run-time
Secure Your Assets
Backend: Mutual TLS, IP Access Control
Apps: API key, OAuth2, TLS, IP Access Control, Hardened App
APIs: Spike Arrest, Rate Limits, Threat Protection, Intrusion Detection, DDoS
Secure Your Access
Developers: Federation & SSO, Auditing, Mediation, Masking, RBAC, Access/Block/Revoke, SSO, RBAC
Users: OAuth2, MFA, Federated Login
API Team
Mobile Security
- Developer/Debug Screens & Hidden APIs
- Static Crypto Keys & CC numbers
- Private API tokens & Access to Private Betas
- Bypass In-App-Purchase & Cheat in Games
Demo
Mobile App Security: Best Practices
Secure – Secure data at rest & in transit
- API key & OAuth2
- Open source encryption packages like SQLCipher
- SSL/TLS: pin your connections
Defend – Eliminate attack surface & make it expensive for attackers
- Android: check your signatures
- iOS: check for Apple's signature
Respond – Real time threat intelligence & response to active attacks
- Rotate API keys
- Suspend/kill app
- Detection/analysis
Key Takeaways
- Follow API security best practices for both Mobile and API security – SSO, access control (OAuth, SAML), two-way TLS
  - Protect sensitive data stored in mobile end points
- Use Edge Policies to protect your backend from OWASP Top 10 threats.
- Augment mobile data security using open source or commercial solutions, e.g. Bluebox
Thank You!
Q&A
Demo of Bluebox at Innovation Labs
APPENDIX
API Specific Threats – How We Mitigate Them
Threats to API                       Apigee Edge
DoS Attacks                          Rate Limiting Policy
Developer Abuse                      Quota Policy
Token Harvesting                     2-way TLS (Inbound and Outbound)
Key Theft                            Secure Key Storage
XML/JSON Bombs                       XML/JSON Injection policy
Run-time Privilege escalation        OAuth with API Products
Management Privilege escalation      RBAC for Management Team
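The DoS → Rate Limiting and Developer Abuse → Quota rows above, as an added example that is not from the slides or Apigee's own code: a simplified Python model of spike arrest (burst smoothing) and quota (per-app cap over a window) run over a constructed request stream. Rate strings like "10ps" follow Apigee's notation; the class and function names are assumptions.

```python
"""Constructed model of two Apigee Edge-style traffic controls (not Apigee's code):
SpikeArrest smooths bursts, Quota caps admitted calls per developer app."""
from collections import defaultdict, deque

class SpikeArrest:
    """A rate such as '10ps' (per second) or '30pm' (per minute) becomes a minimum
    spacing between consecutive admitted requests from one key: 10ps -> 0.1 s."""
    def __init__(self, rate):
        count, unit = int(rate[:-2]), rate[-2:]
        self.min_interval = {"ps": 1.0, "pm": 60.0}[unit] / count
        self.last_admitted = {}      # key -> timestamp of the last admitted request

    def allow(self, key, now):
        last = self.last_admitted.get(key)
        if last is not None and now - last < self.min_interval:
            return False             # inside the smoothing interval: reject
        self.last_admitted[key] = now
        return True

class Quota:
    """Hard cap: at most `limit` admitted calls per key in any `window_s` seconds."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.admitted = defaultdict(deque)   # key -> timestamps of admitted calls

    def allow(self, key, now):
        q = self.admitted[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()              # drop calls that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def enforce(requests, spike, quota):
    """requests: iterable of (timestamp, api_key); returns one verdict per request.
    Spike arrest runs first, so a smoothed-out burst never consumes quota."""
    verdicts = []
    for now, key in requests:
        if not spike.allow(key, now):
            verdicts.append((now, key, "429 spike-arrest"))
        elif not quota.allow(key, now):
            verdicts.append((now, key, "429 quota"))
        else:
            verdicts.append((now, key, "200"))
    return verdicts

def demo():
    # Constructed traffic: app-A bursts, then exhausts a 3-per-second quota.
    requests = [(0.00, "app-A"), (0.02, "app-A"), (0.10, "app-A"), (0.25, "app-A"),
                (0.30, "app-B"), (0.40, "app-A"), (1.05, "app-A")]
    return enforce(requests, SpikeArrest("10ps"), Quota(limit=3, window_s=1.0))
```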