Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
APIDays_Design_API_Security.pdf
Search
paraskakis
July 31, 2018
Programming
0
81
APIDays_Design_API_Security.pdf
Keynote at API Days San Francisco, 2018. A Design-First Approach for API Security.
paraskakis
July 31, 2018
Tweet
Share
More Decks by paraskakis
See All by paraskakis
API Best Practices
paraskakis
0
200
Outside-in Development for APIs and Microservices
paraskakis
0
30
Become a Pro at API Management: A declarative approach
paraskakis
0
310
API Design Hands-On Lab
paraskakis
0
47
Bring Design Thinking to your API Lifecycle
paraskakis
0
120
Decomposing Service Descriptions: The Future of API Design
paraskakis
0
820
Have Your Layer Cake and Eat it Too
paraskakis
1
160
Keeping your APIs Honest - Gluecon 2017
paraskakis
0
110
Easy Data Modeling with MSON (Defrag 2016)
paraskakis
0
99
Other Decks in Programming
See All in Programming
Monixと常駐プログラムの勘どころ / Scalaわいわい勉強会 #4
stoneream
0
300
見えないメモリを観測する: PHP 8.4 `pg_result_memory_size()` とSQL結果のメモリ管理
kentaroutakeda
0
790
KubeCon + CloudNativeCon NA 2024 Overviewat Kubernetes Meetup Tokyo #68 / amsy810_k8sjp68
masayaaoyama
0
270
【re:Growth 2024】 Aurora DSQL をちゃんと話します!
maroon1st
0
830
Compose UIテストを使った統合テスト
hiroaki404
0
110
React 19でお手軽にCSS-in-JSを自作する
yukukotani
5
430
20年もののレガシープロダクトに 0からPHPStanを入れるまで / phpcon2024
hirobe1999
0
880
Запуск 1С:УХ в крупном энтерпрайзе: мечта и реальность ПМа
lamodatech
0
760
20241217 競争力強化とビジネス価値創出への挑戦:モノタロウのシステムモダナイズ、開発組織の進化と今後の展望
monotaro
PRO
0
120
Androidアプリのモジュール分割における:x:commonを考える
okuzawats
1
230
コンテナをたくさん詰め込んだシステムとランタイムの変化
makihiro
1
160
バグを見つけた?それAppleに直してもらおう!
uetyo
0
190
Featured
See All Featured
Navigating Team Friction
lara
183
15k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Optimising Largest Contentful Paint
csswizardry
33
3k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.9k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Done Done
chrislema
182
16k
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
920
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Transcript
Emmanuel Paraskakis @manp A Design-First Approach for Delivering Better API
Security
apiary + 441,401 APIs 3M+ API Consumers 346,105 API Designers
Infosec Goals 1. Confidentiality 2. Integrity 3. Availability
What’s Different About APIs? Attack Surface is Huge!
Defense In-Depth • Enforce CIA at every layer in your
stack • Assume there will be a failure in each
What does Design-First Mean? • Think about Security upfront •
Don’t bolt it on at the end • Buying Silver Bullets won’t save you
Design For API Security • Architecture • Processes • API
Interface
Design your Architecture
Design your Processes
Design your API Interface • Authentication Scheme • Leverage the
Protocol • Data Structures & Validation
openapi: "3.0.1" info: title: Online Store API version: 1.0 …
servers: - url: https://staging.example.com/ description: Staging environment … security: - api_key: [] … x-ibm-configuration: enforced: true cors: enabled: true … paths: /customers/{id}/orders: get: … content: application/json: schema: $ref: "#/components/schemas/Orders" … components: schemas: Orders: … metadata deployment runtime interface schema
Learn More: • OWASP API Security Project • Dredd •
Apiary • Oracle API Platform • Oracle+Dyn (Zenedge)