APIDays_Design_API_Security.pdf
paraskakis
July 31, 2018
Keynote at API Days San Francisco, 2018. A Design-First Approach for API Security.
Transcript
Emmanuel Paraskakis @manp: A Design-First Approach for Delivering Better API Security

apiary + 441,401 APIs · 3M+ API Consumers · 346,105 API Designers

Infosec Goals
1. Confidentiality
2. Integrity
3. Availability

What’s Different About APIs? Attack Surface is Huge!

Defense In-Depth
• Enforce CIA at every layer in your stack
• Assume there will be a failure in each

What does Design-First Mean?
• Think about Security upfront
• Don’t bolt it on at the end
• Buying Silver Bullets won’t save you

Design For API Security
• Architecture
• Processes
• API Interface

Design your Architecture

Design your Processes

Design your API Interface
• Authentication Scheme
• Leverage the Protocol
• Data Structures & Validation
openapi: "3.0.1"
info:
  title: Online Store API
  version: 1.0
…
servers:
  - url: https://staging.example.com/
    description: Staging environment
…
security:
  - api_key: []
…
x-ibm-configuration:
  enforced: true
  cors:
    enabled: true
…
paths:
  /customers/{id}/orders:
    get:
      …
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Orders"
…
components:
  schemas:
    Orders:
      …

Slide callouts next to the sections above: metadata · deployment · runtime · interface · schema
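The slide above shows the interface-level controls declared in the spec itself (a global security requirement and a schema bound to each JSON body). As an added example, not part of the talk, here is a small design-time lint that checks an OpenAPI 3 document for both controls; the SPEC dictionary is constructed for the example, mirroring the slide's Online Store API plus one deliberately weak operation, and the `api_key` header name is an assumption.

```python
# Added example, not from the slides: a design-time lint for the two
# interface-level controls the talk names, applied to an OpenAPI 3 document.
# Every operation must carry an authentication requirement, and every JSON
# body must be bound to a schema so it can be validated at runtime.
# SPEC is constructed for this example; it mirrors the slide's Online Store
# API and adds one deliberately weak operation to show the findings.

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

SPEC = {
    "openapi": "3.0.1",
    "info": {"title": "Online Store API", "version": "1.0"},
    "security": [{"api_key": []}],  # default requirement for all operations
    "components": {
        "securitySchemes": {"api_key": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
        "schemas": {"Orders": {"type": "array", "items": {"type": "object"}}},
    },
    "paths": {
        "/customers/{id}/orders": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/Orders"}}}}}}},
        # constructed weak operation: opts out of auth and returns an untyped body
        "/internal/debug": {"get": {"security": [], "responses": {"200": {"content": {
            "application/json": {}}}}}},
    },
}


def lint_openapi_security(spec):
    """Return (path, method, finding) tuples for operations that violate the rules."""
    findings = []
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', vendor extensions
            # Operation-level 'security' overrides the global list; an empty list
            # explicitly removes every requirement (OpenAPI 3 semantics).
            if not op.get("security", global_security):
                findings.append((path, method, "no authentication requirement"))
            for status, resp in op.get("responses", {}).items():
                for media, body in resp.get("content", {}).items():
                    if "schema" not in body:
                        findings.append((path, method, f"response {status} {media} has no schema"))
    return findings


if __name__ == "__main__":
    for path, method, finding in lint_openapi_security(SPEC):
        print(f"{method.upper()} {path}: {finding}")
```

Running it reports only the constructed `/internal/debug` operation, once for the empty `security` list and once for the schema-less response body; the order endpoint from the slide passes both checks.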
Learn More:
• OWASP API Security Project
• Dredd
• Apiary
• Oracle API Platform
• Oracle+Dyn (Zenedge)