Download pdf - Open APIs - Risks and Rewards (Øredev 2013)

Open APIs - Risks & Rewards

Hampus BrynolfAndreas Krohn

Travis Spencer


Andreas Krohndopter

Application Programming

Interface

API

API

‣ HTTP Request

‣ Machine readable response

‣ JSON

‣ XML

API

‣ HTTP Methods

‣ GET, POST etc

‣ HTTP Headers

‣ URI

‣ Query Parameters

‣ Body

Open API‣ “Not closed”

‣ Anyone can use it

‣ Free or paid

https://api.stackexchange.com/2.1/questions?order=desc&sort=activity&tagged=api&site=stackoverflow


























Hampus Brynolfintellecta

TWITTER IN SWEDEN

Not

Fin

nish

?

Method

Finnish? 2. Check language

3. Save

1. Get from

queueBlock

4. Add friends

and followers

Language analysis

• N-gram-based text-categorization– Searches for three letter combinations in

words– Considered stable–Worse result with few tweets

– http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.53.9367

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.53.9367




Some data…

• 6,171,929 accounts analyzed• < 100 tweets per account analyzed• 15,410,436 swedish tweets identified

and downloaded

600 000

46%active

17%very active

Registrations per month

Words in description

Force atlas graph

Danmark

Sweden

Finland

celebs

sport

teens

IT/techmedia & politics

education

manga/anime

sports

entertainment

IT/business/media

media & politics

churches

librarians

celebs

sport

entertainment

IT/tech

media & politics

Gamers

nationalist

Hiphop

regional clusters

TACK @dreadnallen // Christofer Laurin

10.000+ available

Open APIs

‣ Google

‣ Salesforce

‣ Paypal

‣ Amazon

‣ ProgrammableWeb

http://www.programmableweb.com/apis/directory

http://www.programmableweb.com/apis/directory

why?

Open APIs

‣ External Innovation

‣ Enable Partnerships

‣ Make Money

‣ Save Money

‣ Marketing

Internal APIs

‣ More common than Open APIs

‣ System Architecture

‣ Partnerships

‣ Speed to Market

‣ Mobile Applications

more than just http

Package an API

‣ Security concerns

‣ Statistics

‣ Developer Portal

‣ Documentation

‣ Community

‣ Pricing & Legal

all but the data

API Management

‣ Security

‣ Developer Portal

‣ Monetization

‣ Statistics

‣ Layer 7, 3scale, Apigee, Mashery...

http://www.layer7tech.com/

http://www.layer7tech.com/

http://www.3scale.net/

http://www.3scale.net/

http://apigee.com/

http://apigee.com/

http://www.mashery.com/

http://www.mashery.com/


Travis Spencertwobo technologies

Agenda

Problem: the risks & security challenges

Solution: the “Neo-security Stack” Result: a secure platform for data access

Copyright © 2013 Twobo Technologies AB. All rights reserved

Threats, Dangers & Challenges


Identity is Central to a Solution


Mobile Security

API Security

Enterprise Security

Identity

Venn diagram by Gunnar Peterson

SAML / OpenID Connect

SCIM

JSON Identity Suite

OAuth

XACML

Federation

Provisioning

Identity

Delegated Access

Authorization

The Neo-security Stack



SCIM

JSON Identity Suite

OAuth

XACML

The Neo-security Stack


SAML

SAML: proven technology for identity federation and Web SSO

Profiles, bindings, protocols, assertions & metadata

V. 2.1 in the works


Service Provider (SP)

Identity Provider (IdP)

OpenID Connect

New federation protocol that builds on OAuth 2 Adds identity inputs/outputs to OAuth messages Related to prior OpenID versions in name only Compact messages for mobile scenerios RP / client can determine info about end user Tokens are JWTs UserInfo endpoint to get user data


Grandpa SAML & junior

SCIM

Defines RESTful API to manage users & groups Specifies core user & group schemas Supports bulk updates for ingest Binding for SAML and eventually OpenID Connect


OAuth

OAuth 2 is the new protocol of protocols

Composed in useful ways Addresses old requirements and

solves new ones Delegated access No password sharing Revocation of access


JSON Identity Protocol Suite

Suite of JSON-based identity protocols Tokens (JWT) ▪ Encryption (JWE) Keys (JWK) ▪ Signatures (JWS) Algorithms (JWA)

Lightweight tokens passed in HTTP headers & query strings

Akin to SAML tokens


The Neo-security Platform

Identity Management

System

API Management

System

Entitlement Management

System



SCIM JSON Identity Suite

OAuth XACML

Building on the Platform


Identity Management

System

API Management

System

Entitlement Management

System

Solutions must be ”baked”


Solutions must be ”baked”

Web SSO Account

Management & Provisioning

Authorization Social Media Aggregation

API Security


using open apis

Get Started

‣ Use API without authentication

‣ Nobel Prize API

‣ Make request

‣ Parse response

http://www.nobelprize.org/nobel_organizations/nobelmedia/nobelprize_org/developer/

http://www.nobelprize.org/nobel_organizations/nobelmedia/nobelprize_org/developer/

using open apis

Get Started

‣ cURL

‣ Postman

‣ Unirest

‣ Java, .NET, Python...

http://www.getpostman.com/

http://www.getpostman.com/

http://unirest.io

http://unirest.io

publishing open apis

Get Started

‣ Identify source

‣ Design based on external reqs.

‣ Do NOT mimic internal structures

‣ Mashape

‣ Use your own API!

https://www.mashape.com/

https://www.mashape.com/

publishing open apis

Get Started

Pro

‣ Business case, marketing plan etc

‣ Analyze requirements

‣ What to build & what to buy

‣ Build a community!

Thank younordicapis.com/oredev2013