ebook img

Securing the API Stronghold: The Ultimate Guide to API Security PDF

96 Pages·2015·2.54 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Securing the API Stronghold: The Ultimate Guide to API Security

Securing The API Stronghold The Ultimate Guide to API Security Nordic APIs © 2015 Nordic APIs AB Table of Contents Preface 1. Introducing API Security Concepts 1.1 Identity is at the Forefront of API Security 1.2 Neo-Security Stack 1.3 OAuth Basics 1.4 OpenID Connect 1.5 JSON Identity Suite 1.6 Neo-Security Stack Protocols Increase API Security 1.7 The Myth of API Keys 1.8 Access Management 1.9 IoT Security 1.10 Using Proven Standards 2. The 4 Defenses of The API Stronghold 2.1 Balancing Access and Permissions 2.2 Authentication: Identity 2.3 Authorization: Access 2.4 Federation: Reusing Credentials & Spreading Resources 2.5 Delegation: The Signet of (Limited) Power 2.6 Holistic Security vs. Singular Approach 2.7 Application For APIs 3. Equipping Your API With the Right Armor: 3 Approaches to Provisioning 3.1 Differences In API Approaches: Private, Public, & Partner APIs 3.2 Considerations and Caveats 3.3 So Where Is The Middle Ground? 3.4 Real-World Failure 3.5 Two Real-World Successes 3.6 Conclusion 4. Your API is Vulnerable: 4 Top Security Risks to Mitigate 4.1 Gauging Vulnerabilities 4.2 Black Hat vs. White Hat Hackers 4.3 Risk 1 - Security Relies on the Developer 4.4 Risk 2 - “Just Enough” Coding 4.5 Risk 3 - Misunderstanding Your Ecosystem 4.6 Risk 4 - Trusting the API Consumer With Too Much Control 4.7 Conclusion 5. Deep Dive into OAuth and OpenID Connect 5.1 OAuth and OpenID Connect in Context 5.2 Start with a Secure Foundation 5.3 Overview of OAuth 5.4 Actors in OAuth 5.5 Scopes 5.6 Kinds of Tokens 5.7 Passing Tokens 5.8 Profiles of Tokens 5.9 Types of Tokens 5.10 OAuth Flow 5.11 Improper and Proper Uses of OAuth 5.12 Building OpenID Connect Atop OAuth 5.13 Conclusion 6. Unique Authorization Applications of OpenID Connect 6.1 How OpenID Connect Enables Native SSO 6.2 How to Use OpenID Connect to Enable Mobile Information Management and BYOD 6.3 How OpenID Connect Enables the Internet of Things 7. How To Control User Identity Within Microservices 7.1 What Are Microservices, Again? 7.2 Great, So What’s The Problem? 7.3 The Solution: OAuth As A Delegation Protocol 7.4 The Simplified OAuth 2 Flow 7.5 The OpenID Connect Flow 7.6 Using JWT For OAuth Access Tokens 7.7 Let All Microservices Consume JWT 7.8 Why Do This? 8. Data Sharing in the IoT 8.1 A New Economy Based on Shared, Delegated Ownership 8.2 Connected Bike Lock Example IoT Device 8.3 How This Works 8.4 Option #1: Access Tables 8.5 Option #2: Delegated Tokens: OpenID Connect 8.6 Review: 9. Securing Your Data Stream with P2P Encryption 9.1 Why Encrypt Data? 9.2 Defining Terms 9.3 Variants of Key Encryption 9.4 Built-in Encryption Solutions 9.5 External Encryption Solutions 9.6 Use-Case Scenarios 9.7 Example Code Executions 9.8 Conclusion 10. Day Zero Flash Exploits and Versioning Techniques 10.1 Short History of Dependency-Centric Design Architecture 10.2 The Hotfix — Versioning 10.3 Dependency Implementation Steps: EIT 10.4 Lessons Learned 10.5 Conclusion 11. Fostering an Internal Culture of Security 11.1 Holistic Security — Whose Responsibility? 11.2 The Importance of CIA: Confidentiality, Integrity, Availability 11.3 4 Aspects of a Security Culture 11.4 Considering “Culture” 11.5 All Organizations Should Perpetuate an Internal Culture of Security Resources API Themed Events API Security Talks: Follow the Nordic APIs Blog More eBooks by Nordic APIs: Endnotes Preface As the world becomes more and more connected, digital security becomes an increasing concern. Especially in the Internet of Things (IoT), Application Programming Interface (API), and microservice spaces, the proper access management needs to be seriously addressed to ensure web assets are securely distributed. During the Nordic APIs World Tour - a five day international conference we held in May 2015 - our speakers consistently reiterated the importance of API security. So, to help providers secure their systems, we at Nordic APIs have collated our most helpful advice on API security into this eBook; a single tomb that introduces important terms, outlines proven API security stacks, and describes workflows using modern technologies such as OAuth and OpenID Connect. Founded on insights from identity experts and security specialists, this knowledge is crucial for most web service platforms that needs to properly authenticate, control access, delegate authority, and federate credentials across a system. Following an overview of basic concepts, we’ll dive into specific considerations such as: Vulnerabilities and what whitehackers look for How to implement a secure versioning strategy The three distinct approaches to API licensing and availability Performing delegation of user identity across microservices and IoT devices Using the Neo-Security stack to handle identity and access control with OAuth 2.0 and OpenID workflows Differentiating Authentication, Authorization, Federation, and Delegation, and the importance of each Using OpenID Connect for Native Single Sign On (SSO) and Mobile Identity Management (MIM) Ways to introduce a culture of security into your organization Securing your data stream at the point-to-point level And more… Please read on, share, and enjoy the 5th free eBook from the Nordic APIs team! – Bill Doerrfeld, Editor in Chief, Nordic APIs Connect with Nordic APIs: Facebook | Twitter | Linkedin | Google+ | YouTube Blog | Home | Newsletter | Contact 1. Introducing API Security Concepts “Knowing who has the right to do what with your API is key to success” - Andreas Krohn, Dopter “Design all API security with public access in mind” - Phillipp Schöne, Axway Application Programming Interfaces or APIs are not only an extension of the social web, but continue to seriously disrupt entire industries, change how Business-to-business (B2B) communication is throttled, spark innovation, and even inspire social change. Simply put by TechCrunch, “APIs fuel the software that’s eating the world.” Within this vibrant and quickly expanding economy, an increasing amount of data is being funneled through systems not designed with the scale of protection that is necessary. The risk of cyber threat is now the highest it has ever been, and it won’t stop anytime soon. To combat this threat we must take the smart precautions to arm our systems. We build with the assumption that even private APIs will sooner or later become exposed to the public, and embrace proper security implementation as a top concern. 1.1 Identity is at the Forefront of API Security API security isn’t just about the API itself, but also about the security of entire organizations and mobile products when they intersect with APIs. When developing an API, the security of the mobile device matters just as much as the security of the API. Does it have anti-virus software installed? Is it enrolled in a mobile device management solution (MDM)? Does it have mobile application management software (MAM) installed? You also need to worry about enterprise security. Are the servers secure? Do your machines have intrusion detection? At this junction of APIs, business, and mobile, lies the individual. Only when you know who is at this core will you know what they should be accessing and how they should be accessing it. 1.2 Neo-Security Stack When we start to expose high-value information and resources, we need to have high-level assurance of who is accessing them. API security is comprised of a number of protocols, which Twobo Technologies refers to as the Neo-Security stack. This standards-based cloud security suite is usually comprised of these protocols and technologies: OAuth 2: The open standard for secure, delegated access OpenID Connect: For federation which allows for the secure exchange of user authentication data JSON Identity Suite: The collection of JSON-based protocols for representing the identity of users SCIM: System for Cross-domain Identity Management for user account provisioning and deprovisioning U2F: Universal 2-factor authentication for asymmetrically identifying users with a high degree of confidence that they really are who they say they are ALFA: For defining fine-grained authorization rules in a JSON-like policy language (which compiles down into XACML) While the Neo-Security stack creates a comprehensive security solution for mobility, it is a great challenge for API developers to manage a myriad of specifications themselves. 1.3 OAuth Basics As the risk associated with an individual’s online identity increases, we need to ask permission before exposing identity and any vulnerable resources with an API. OAuth is a framework used to build API security solutions - a framework or meta-protocol under which we create other protocols to define how tokens are handled. Despite its name, OAuth is not for authentication, federation, or even authorization; it helps delegate access, ie. giving an app access to your data or service. A benefit of using OAuth is that somebody else authenticates users.

Description:
Introducing the most comprehensive dive into the core tenants of modern web API security. Learn the techniques and technologies required to evolve into an API stronghold. As digital security is more and more a pressing concern throughout the API, IoT, & microservice space, the proper access manageme
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.