APIDays_Design_API_Security.pdf

Transcript

1. Emmanuel Paraskakis @manp A Design-First Approach for Delivering Better API

   Security

2. apiary + 441,401 APIs 3M+ API Consumers 346,105 API Designers

3. Infosec Goals 1. Confidentiality 2. Integrity 3. Availability

4. What’s Different About APIs? Attack Surface is Huge!

5. Defense In-Depth • Enforce CIA at every layer in your

   stack • Assume there will be a failure in each

6. What does Design-First Mean? • Think about Security upfront •

   Don’t bolt it on at the end • Buying Silver Bullets won’t save you

7. Design For API Security • Architecture • Processes • API

   Interface

8. Design your Architecture

9. Design your Processes

10. Design your API Interface • Authentication Scheme • Leverage the

    Protocol • Data Structures & Validation

11. openapi: "3.0.1" info: title: Online Store API version: 1.0 …

    servers: - url: https://staging.example.com/ description: Staging environment … security: - api_key: [] … x-ibm-configuration: enforced: true cors: enabled: true … paths: /customers/{id}/orders: get: … content: application/json: schema: $ref: "#/components/schemas/Orders" … components: schemas: Orders: … metadata deployment runtime interface schema

12. Learn More: • OWASP API Security Project • Dredd •

    Apiary • Oracle API Platform • Oracle+Dyn (Zenedge)