Adding layers of security to an API in real-time

Dec 19, 20183 likes410 views

The document discusses security layers for APIs, including transport layer security using mutual TLS (mTLS) for client authentication, OAuth for client authorization, and JSON Web Tokens (JWT) for message integrity, confidentiality, and non-repudiation. It then demonstrates adding these security layers to an open banking API, covering mTLS, OAuth2.0, and additional message security, and discusses other security aspects to consider like multi-factor authentication, injection, and request overload protection. The conclusion notes that while API security involves multiple specifications, excellent tools exist to help implement it securely.

1© 2018 Rogue Wave Software, Inc. All Rights Reserved.

2© 2018 Rogue Wave Software, Inc. All Rights Reserved.
API Security Layers
Transport layer
Client authentication
and authorization
Content security

3© 2018 Rogue Wave Software, Inc. All Rights Reserved.
In summary…
• mTLS: ensures client authenticity
• OAuth: ensures client authorization
• JWT: ensures message integrity, confidentiality,
and non-repudiation.
Ensure that each request is coming from a trusted source

5© 2018 Rogue Wave Software, Inc. All Rights Reserved.
Add layers of security to an API
- let’s see it for real!

6© 2018 Rogue Wave Software, Inc. All Rights Reserved.
Demo overview
• API: open banking Accounts-and-Transactions
– Apply mutual TLS
– Apply Oauth2.0
– Apply JOSE Security / Open Banking security
– Apply additional message security

7© 2018 Rogue Wave Software, Inc. All Rights Reserved.
Additional security aspects to
consider
• MFA (SCA)
User authentication: can we trust the user?
• Injection
• Cross-site scripting
• Request overload
• …
Can we trust what the user is doing?

8© 2018 Rogue Wave Software, Inc. All Rights Reserved.
Conclusion
API security: There’s quite a lot to it
…but there’s useful specifications to help you out.
Implementing security standards is far
from trivial
…don’t do it yourself
…excellent tools in the market to help you

9© 2018 Rogue Wave Software, Inc. All Rights Reserved.

10© 2018 Rogue Wave Software, Inc. All Rights Reserved.

Presented at APIdays Paris. API security is the principal concern when it comes to establishing a trusted API ecosystem. Rightly so, because opening up business systems through APIs by definition expands the attack surface that can be exploited. Although many threat vectors and vulnerabilities are well known, we have to remain on the lookout for new threats continuously. On the positive side, open standards that help defend against security threats are constantly being created and refined. What is even more helpful are the specifications that aggregate relevant standards into a comprehensive API security profile. Excellent examples of these are the current specifications that support open banking initiatives like UK Open Banking and PSD2. Could these specifications not have a wider applicability? In other words, would we be able to benefit from the security guidelines captured in these specifications in other verticals like logistics, retail, energy, healthcare and government, too? In this talk, we will compare security guidelines covered in the specifications and see to what extent they may benefit the wider enterprise API developer community.

Securing APIs with oAuth2Michae Blakeney

Understanding the oAuth2 flows can be challenging. At some point we have probably interacted with one, most of us struggle with how they work, and often times they leaves us very confused. Whether you are on the frontend or backend, understanding oAuth2 can take your skills to the next level. Learn how to secure your APIs through the oAuth2 flows using express. We will dive into the different oAuth flows, the use of scopes, and validating Json Web Tokens (JWT). Each step along the way will be illustrated with code examples using express. Finally, we will touch on the challenges with integration testing and local development.

API Security In Cloud Native EraWSO2

The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to its proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome. In this deck, we discuss: - The need for API/Microservices Security - The importance of delegating security enforcement to an API Gateway - API Authentication and Authorization methodologies - OAuth2 - The de-facto standard of API Authentication - Protection against cyber attacks and anomalies - Security aspects to consider when designing Single Page Applications (SPAs) Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/

OWASP ASVS 3 - What's new for level 1?Boy Baukema

Protecting APIs from Mobile Threats- Beyond OauthApigee | Google Cloud

This document discusses securing APIs and mobile applications from threats. It covers API security topics like OAuth, mutual TLS, rate limiting and intrusion detection. For mobile security, it addresses threats involving developer screens, hardcoded keys, bypassing purchases and demoing Bluebox mobile security solutions. The key takeaways are to follow best practices for API and mobile security, use edge policies to protect backends, and augment mobile data security with solutions like Bluebox.

apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays

Introduction to stable proxies.stableproxies

Proxy servers act as intermediaries for requests from clients to access resources from other servers. They can be used to share an internet connection on a local area network when multiple computers need access. Proxy servers also cache requests to speed up internet surfing for clients and can hide a client's IP address for anonymity and security reasons. Private proxies are exclusively used by one client to hide their public IP address, while shared proxies have multiple users accessing the same server and can transmit large amounts of data in a cost effective manner.

Security components in mule esbhimajareddys

Anypoint platform provides several security components including Anypoint Enterprise Security, API Security Manager, and Virtual Private Cloud. Enterprise Security includes modules like Mule Secure Token Service and security for REST APIs. It ensures APIs are properly protected by authentication and authorization schemes like SAML, OAuth 2, WS-Security, and PingFederate. Enterprise Security applies inbound, process-level, and outbound security across experience, process, and system APIs. Combining HTTPS and OAuth 2.0 is a best practice, with HTTPS providing basic authentication and OAuth 2.0 used to issue and validate tokens to control API access.

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz

This document discusses OAuth2 profiles like OpenID Connect and UMA and why they should be adopted for IoT. OpenID Connect provides identity while UMA provides access control. Both standards have been in development for 10 years based on prior experience. They are a perfect fit for IoT use cases as they standardize interfaces without assuming cloud, are proven usable by developers, are small, scale well, and have industry consensus with Google and Microsoft supporting OpenID Connect. UMA 1.0 will be announced in April 2015.

Gravitee.ioKnoldus Inc.

This session is all about Gravitee.io that consists of two modules: Gravitee.io Access Management, which is responsible for providing Authentication and Authorization with help of OAuth2.0 and OpenID Connect, and Gravitee.io API Management, which is responsible for the management of APIs, by simply publishing and consuming the APIs.

Best Practices for API SecurityMuleSoft

APIs have become a strategic necessity for your business. They facilitate agility and innovation. However, the financial incentive associated with this agility is often tempered with the fear of undue exposure of the valuable information that these APIs expose. With data breaches now costing $400m or more, senior IT decision makers are right to be concerned about API security. In this SlideShare, you'll learn: -The top API security concerns -How the IT industry is dealing with those concerns -How Anypoint Platform ensures the three qualifications needed to keep APIs secure

Building better security for your API platform using Azure API ManagementEldert Grootenboer

This document discusses API security and how Azure API Management can help. It notes that APIs are vulnerable targets for attacks and data breaches. The document outlines best practices for API security including encryption, authentication, authorization, data validation, throttling, and logging. It then demonstrates how common API security issues like broken authentication, excessive data exposure, and lack of throttling can be addressed. Finally, it summarizes how Azure API Management can help implement OWASP API security standards and prevent common attacks through features like authentication, throttling, logging, and lifecycle management.

Security in mulesoftakshay yeluru

MuleSoft's Anypoint platform provides several security components for APIs built with Mule, including Enterprise Security, API Security Manager, and Virtual Private Cloud. It also includes security modules like Mule Secure Token Service and supports authentication and authorization standards like SAML, OAuth 2.0, WS-Security, and PingFederate. APIs should apply the right authentication, authorization, and security at different layers - inbound security at the experience layer, fine-grained security at the process layer, and outbound security at the system connectivity layer. The best practices for securing APIs in Anypoint include using HTTPS for basic authentication and OAuth 2.0 for authorization.

apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays

Identiverse - Microservices SecurityBertrand Carlier

This document discusses security approaches for microservices architectures. It begins by defining microservices as an application that calls API endpoints which then call other API endpoints. It then discusses four options for securing communication between microservices: 1) passing cleartext headers, 2) transmitting tokens, 3) using OAuth scopes, and 4) token exchange. Each option has advantages and disadvantages for security and complexity. The document also provides examples of microservices security architectures for three different companies. It concludes that the main challenge is implementing microservices security without mistakes by balancing requirements, capabilities, and choosing appropriate solutions.

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays

The document discusses API security from a hacker's perspective. It notes that exploiting APIs has become easier as infrastructure security has improved, but APIs themselves are often not properly secured. The main API vulnerabilities discussed are rate limiting issues, misconfigurations, injections, authentication and authorization bypassing, and flaws in business logic flows. Critical vulnerabilities that can give attackers control include authentication/authorization issues and business logic flows. The document emphasizes that penetration testing alone is not sufficient and continuous assessment of API security is needed to identify and address vulnerabilities.

apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays

Advanced API Security Patterns42Crunch

Financial Grade OAuth & OpenID ConnectNat Sakimura

1. In the era of mobile, OAuth 2.0 is the protocol of the choice. 2. However, RFC6749 is a framework and needs to be profiled appropriately for use cases. 3. FAPI WG @ OIDF is taking such task for Financial APIs and securing it using RFC7636, JWT Client Authentication/TLS Client Authentication, OpenID Connect, etc. 4. FAPI WG is collaborating with many stakeholders including financial institutions and fintech companies, etc. 5. Read only security profile going to OIDF votes. 6. Overview of the requirements for Read Only and Write Access security profiles are discussed.

Managing Identities in the World of APIsApigee | Google Cloud

Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Mike Schwartz

Trust elevation allows increasing authentication strength to enable higher-risk transactions. It involves tradeoffs between security and usability. OAuth2 and OpenID Connect provide standard authentication frameworks for apps and APIs, supporting a range of authentication methods from passwords to biometrics. User managed access (UMA) further extends OAuth2 to implement policy-based access control. To enable cross-domain trust elevation, organizations can participate in federated identity systems like SAML and OAuth2 federations, which standardize technical and legal integration between identity providers. Emerging areas involve authentication for IoT devices and fine-grained access control over distributed data.

API IN(SECURITY)OWASP Khartoum

Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud

This document discusses data-driven security and Apigee's approach. It begins by outlining the challenges posed by adaptive threats to APIs. Then it describes why data-driven security is needed and how current security approaches are not adaptive enough. The document introduces Apigee Sense, a new adaptive API security product that detects threat patterns at the API layer using machine learning algorithms. It analyzes billions of events to identify anomalous behavior patterns and detect bot attacks in order to stop bots and protect APIs from sophisticated threats.

apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...apidays

apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society December 8, 9 & 10, 2020 Data Gateways: building “Data-as-a-Service” for the Hybrid Cloud Hugo Guerrero, APIs & Messaging Developer Advocate at Red Hat ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Deep-Dive: API Security in the Digital AgeApigee | Google Cloud

What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management? Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can - provide visibility for all security threats targeting their backend services - control access to sensitive data - end-to-end - enable developers to build secure apps with secure APIs - facilitate secure access with partners and developers

Building APIs in a Cloud Native EraNuwan Dias

Cryptzone: The Software-Defined PerimeterCryptzone

API Security using MulesoftPritam Prakash

Best Practices for API SecurityBui Kiet

1. The document discusses best practices for API security using MuleSoft's Anypoint Platform. It covers identity management, main security concerns around integrity, confidentiality and availability, and security capabilities of Mule runtime and Anypoint Platform. 2. A scenario is presented of a retail company using Anypoint Platform to securely enable an omnichannel digital customer experience through various APIs and systems. Security measures include identity federation, access token validation, client authentication, encryption, and availability through high availability clusters. 3. In conclusion, Anypoint Platform provides features to ensure confidentiality, reliability and availability of APIs, and is trusted for security by industries requiring high standards like banking, insurance, and healthcare.

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity

The document discusses securing APIs and provides an overview of Ping Identity's API security solutions. It begins with an agenda that covers API security best practices, standards, and using AI/ML to detect attacks. It then discusses stakeholders in API security and drivers like digital transformation. The rest of the document demonstrates Ping Identity's API security platform, which uses standards-based approaches like OAuth 2.0 and OpenID Connect for authentication and authorization. It also leverages AI/ML for attack detection, API traffic visibility and reporting.

More Related Content

What's hot (20)

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz

Gravitee.ioKnoldus Inc.

Best Practices for API SecurityMuleSoft

Building better security for your API platform using Azure API ManagementEldert Grootenboer

Security in mulesoftakshay yeluru

apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays

Identiverse - Microservices SecurityBertrand Carlier

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays

apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays

Advanced API Security Patterns42Crunch

Financial Grade OAuth & OpenID ConnectNat Sakimura

Managing Identities in the World of APIsApigee | Google Cloud

Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Mike Schwartz

API IN(SECURITY)OWASP Khartoum

Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud

apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...apidays

Deep-Dive: API Security in the Digital AgeApigee | Google Cloud

Building APIs in a Cloud Native EraNuwan Dias

Cryptzone: The Software-Defined PerimeterCryptzone

API Security using MulesoftPritam Prakash

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz

Gravitee.ioKnoldus Inc.

Best Practices for API SecurityMuleSoft

Building better security for your API platform using Azure API ManagementEldert Grootenboer

Security in mulesoftakshay yeluru

apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays

Identiverse - Microservices SecurityBertrand Carlier

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays

apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays

Advanced API Security Patterns42Crunch

Financial Grade OAuth & OpenID ConnectNat Sakimura

Managing Identities in the World of APIsApigee | Google Cloud

Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Mike Schwartz

API IN(SECURITY)OWASP Khartoum

Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud

apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...apidays

Deep-Dive: API Security in the Digital AgeApigee | Google Cloud

Building APIs in a Cloud Native EraNuwan Dias

Cryptzone: The Software-Defined PerimeterCryptzone

API Security using MulesoftPritam Prakash

Similar to Adding layers of security to an API in real-time (20)

Best Practices for API SecurityBui Kiet

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity

apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...apidays

apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance April 21 & 22, 2021 Novel approaches in API security Dr Tal Steinherz, CTO at Syber.ai ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

KubeConRecap_nakamura.pdfHitachi, Ltd. OSS Solution Center.

The document describes a session from the KubeCon EU 2023 conference on Keycloak, an open-source identity and access management solution. It provides an overview of the session which was presented by Alexander Schwartz from Red Hat and Yuuichi Nakamura from Hitachi and demonstrated how Keycloak can be used to securely authenticate users to applications like Grafana. It also discusses Keycloak's support for advanced security specifications like FAPI and efforts by the FAPI-SIG working group to promote features needed for compliance.

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official

Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.

This document discusses the differences between assertion-based access tokens and handle-based access tokens in OAuth 2.0. Assertion-based tokens are parsable tokens like JWTs that contain user and client information, while handle-based tokens are opaque references. Assertion-based tokens have advantages for performance and scalability but require cryptographic protection, while handle-based tokens require validation through the authorization server. The document then examines scenarios where handle-based tokens could cause problems, such as with multiple authorization servers, and outlines secure validation steps for assertion-based tokens.

Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.

This document discusses implementing a lightweight zero-trust network using the open source tools Keycloak and NGINX. It begins by explaining the transition from a traditional network security model with clear boundaries between public and private networks to a zero-trust model where security boundaries are defined individually for each service or pod. It then covers how to implement the underlying technologies of JWT validation, mutual TLS authentication, and OAuth MTLS using Keycloak as an authorization server and NGINX as an API gateway. Additional topics discussed include how to secure east-west internal traffic and resolve potential policy decision point chokepoints.

Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...CA API Management

APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...apidays

Protecting Microservices APIs with 42Crunch API Firewall42Crunch

In loosely coupled architectures, we must put in place application level security, should it be for client traffic (North-South) or intra-microservices traffic (East-West). In this webinar, we show you how the 42Crunch API firewall can be used to put API threat protection in place automatically, as early as design time. We’ll use a mix of slides and demos to present: (1) The various elements of security to consider in order to cover the full API security scope (infrastructure vs application level security) (2) Which threat protections must be put in place in a microservices architecture, and where (3) How to leverage OpenAPI (aka Swagger) to configure threat protection from design time (4) How to automate threat protection deployment

[WSO2 Integration Summit London 2019] Identity and Access Management in an AP...WSO2

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management

The document discusses best practices for securing APIs and identifies three key areas: parameterization, identity, and cryptography. It notes that APIs have a larger attack surface than traditional web apps due to more direct parameterization. It recommends rigorous input and output validation, schema validation, and constraining HTTP methods and URIs. For identity, it advises using real security tokens like OAuth instead of API keys alone. It also stresses the importance of proper cryptography, like using SSL everywhere and following best practices for key management and PKI. The overall message is that APIs require different security practices than traditional web apps.

APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...apidays

apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays

December 14, 15 & 16, 2022 Securing APIs in Open Banking - FAPI and its implementation to OSS Takashi Norimatsu, Senior Engineer at Hitachi, Ltd. ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management

Understanding how emerging standards like OAuth and OpenID Connect impact federation Federation is a critical technology for reconciling user identity across Web applications. Now that users consume the same data through cloud and mobile, federation infrastructure must adapt to enable these new channels while maintaining security and providing a consistent user experience. This webinar will examine the differences between identity federation across Web, cloud and mobile, look at API specific use cases and explore the impact of emerging federation standards. You Will Learn Best practices for federating identity across mobile and cloud How emerging identity federation standards will impact your infrastructure How to implement an identity-centric API security and management infrastructure Presenters Ehud Amiri Director, Product Management, CA Technologies Francois Lascelles Chief Architect, Layer 7

London Adapt or Die: Securing your APIs the Right Way!Apigee | Google Cloud

The document discusses securing APIs and presents examples of security issues with Snapchat, Nissan Leaf, and other APIs. It outlines approaches to API security used by large enterprises, distinguishing between internal and external APIs. The presentation emphasizes establishing security at multiple layers, with a focus on the API management layer. It provides examples of security measures like mutual TLS, rate limiting, input validation, OAuth 2.0, and monitoring for anomalies. Governance techniques like flow hooks are also presented. Live demos illustrate bot detection, proof of work, and extending OAuth with techniques like token binding and proof of key for JWTs.

Virtual Meetup - API Security Best PracticesJimmy Attia

Catalyst 2015: Patrick HardingPing Identity

Enhancing your Security APIsApigee | Google Cloud

What is API Security and How Does It Keep Apps Safe_.pdfCyberPro Magazine