Agile API Security
Apigee@apigee
Subra Kumaraswamy@subrak
youtube.com/apigee
slideshare.net/apigee
@Subrak Subra Kumaraswamy
Agenda
• Why Agile Security matters
• Agile API Security enablers and approaches
• Key takeaways
• Q&A
Why Agile security?
[Figure: Developer Agility vs. Security Risks]
API security stakeholders
Product Manager
• How can I release features with built-in security?
• How can I reduce the release cycle?
Business owner
• How can I reduce risk while expanding API exposure?
• How do I meet compliance?
Ops
• How do I enforce consistent security policy across APIs?
• What controls do I have to mitigate attacks like DoS?
App Developer
• What options do I have to secure data at rest and in transit?
• How do I enable Social login?
• How can I manage and revoke keys?
Security layers – good enough?
We have implemented layers of security to protect the crown jewels, but that is not enough: we need security with flexibility.
A new approach is required
Agile API security
• API First Architecture with built-in Security
• Data Security governance
• Security for API exposure
• Security for consumption (Apps)
• Secure and Agile SDLC: Threat Assessment → Secure Coding → Testing → Verification
API-first architecture
[Figure: the API tier sits between the Internet and the backend services]
• Consumers: all apps – social apps, web apps, mobile apps
• API Tier: security, orchestration, persistence, analytics
• Backend services: app servers, ESB
• Consistent security policies & access control (exposure)
• Flexible security for Apps (consumption)
• Stakeholders: developers, IT security architect
API security architecture
[Figure: policy enforcement between Developers/Apps and the IT Security Architect, backed by a Policy Store, Log Store and Key Store]
• API Security: Authentication, Authorization, Traffic Management, Logging & Auditing
• Identity for API Management: User Management, RBAC Management, Policy Management, Certificate Management, Keys/Token Management
• Threat Protection: TLS, DDoS, Rate Limiting & Quota, Payload Protection, Analytics
• Compliance (SOC 2, PCI DSS, HIPAA)
Identity landscape in the API world
Agile API security
✓ API First Architecture with Security
• Data Security governance
• Security for API exposure
• Security for consumption (Apps)
• Secure and Agile SDLC: Threat Assessment → Secure Coding → Testing → Verification
Security Design – Agile SDLC: focus on automation
Threat Assessment → Secure Coding → Testing → Verification
• API Threat Modeling
• Secure Coding Practices
• Static Analysis
• Security Unit Testing
• Dynamic Analysis
• Secure Development Training
• Black Box Pen Testing
• Continuous Security Monitoring
How it is run:
• API product centric
• Aligned with Epics and stories
• Integrated into development using Maven and Jenkins plugins
• Vulnerabilities prioritized based on criticality and threat model requirements
• Black-box testing aligned with major releases
• Monitoring of APIs to verify policies
API Product security design considerations
• What categories of developers or applications do you have?
  – internal developers
  – partners (at various service levels)
  – public developers (open adoption)
• What APIs should each class of developers or applications have access to?
• What Authentication and Authorization schemes are supported by Apps to consume APIs?
• What type of data is exposed via the API?
• What threats do you want to protect against?
API threats
• Spoofing of identity
• Denial of service
• Network eavesdropping (App-to-API)
• Replay attacks
• Unauthorized access to management system and configuration data
• Man-in-the-middle attacks
• Velocity attack using legitimate API keys
• Elevation of privilege by applications and developers
• Disclosure of confidential data stored and processed in mobile, API, and backend services
• Theft of credentials, API keys, tokens, or encryption keys
Agile API security
✓ API First Architecture with Security
• Data Security Governance
• Security for API exposure
• Security for consumption (Apps)
✓ Secure and Agile SDLC: Threat Assessment → Secure Coding → Testing → Verification
Centralize API security for exposure
[Figure: Apps reach the Backend Service through centralized Security & Identity capabilities: Authentication & Authorization, TLS, Logging & Auditing, Security Analytics, Identity Services (IdP)]
API exposure – security checklist
API Developer Security
✓ Authentication & SSO (SAML, OAuth)
✓ API Management Roles (RBAC)
✓ Internal vs External Developer
✓ Data Masking
✓ Logging and auditing
Governance & Compliance
✓ Policy Enforcement
✓ PCI/HIPAA Compliance
API (Backend) Security
✓ Secure communication (TLS – 1-way or 2-way)
✓ Authentication (TLS, OAuth, SAML)
✓ Versioning
✓ Integration with Enterprise identity providers
✓ Logging and auditing
Analytics
✓ Run-time detection reports (volume based, traffic properties)
Agile API security
✓ API First Architecture with Security
• Data Security Governance
✓ Security for API exposure
• Security for Consumption (Apps)
✓ Secure and Agile SDLC: Threat Assessment → Secure Coding → Testing → Verification
Standardize App security for consumption
[Figure: Developers and Apps consume APIs through standardized Security & Identity capabilities (Threat Protection, Application Security, Authentication & Authorization, TLS) in front of the Backend Services]
API consumption – security checklist
App Developer Security
✓ Developer Key Management (workflow, governance)
✓ Developer provisioning
✓ Authentication & SSO (SAML, OAuth)
✓ Internal vs External Developer
✓ Developer permission (RBAC)
App Security
✓ Secure communication (TLS – 1-way or 2-way) – Mobile vs Partner
✓ Authentication (OAuth patterns)
✓ API key with Product Scope
✓ Quota Enforcement
✓ IP-based Whitelist/Blacklist
Threat Protection
✓ XML/JSON Poisoning/Injection
✓ SQL Injection
✓ DDoS/App-DoS Attacks
✓ Spike Arrest
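The App Security and Threat Protection items of this checklist (API key tied to a product scope, IP-based allowlist, spike arrest, quota enforcement, JSON payload protection) as one gateway-side pipeline. This is an added example, not Apigee's code: the product catalogue, API keys, CIDR ranges, limits and the route-to-scope table are constructed, and the quota is a plain counter without the calendar-window reset a real gateway applies.

```python
"""Gateway-side checks for API consumption (added example, not Apigee code).
Order of checks: API key -> IP allowlist -> product scope -> spike arrest ->
JSON payload protection -> quota. Catalogue, keys, CIDRs and limits are constructed."""
import ipaddress
import json
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed API products: a product bundles scopes, limits and an optional IP allowlist.
PRODUCTS = {
    "public-read": {"scopes": {"catalog:read"}, "quota": 5, "spike_per_sec": 2,
                    "allow_cidrs": []},
    "partner-gold": {"scopes": {"catalog:read", "orders:write"}, "quota": 1000,
                     "spike_per_sec": 50, "allow_cidrs": ["10.0.0.0/8"]},
}
# Constructed developer API keys -> product (a real gateway reads these from its key store).
API_KEYS = {"pub-key-123": "public-read", "partner-key-456": "partner-gold"}
# Constructed route table: the scope a product must grant for each operation.
ROUTE_SCOPES = {("GET", "/catalog"): "catalog:read", ("POST", "/orders"): "orders:write"}
MAX_BODY_BYTES = 4096   # payload protection: size ceiling
MAX_JSON_DEPTH = 8      # payload protection: nesting ceiling


@dataclass
class Request:
    method: str
    path: str
    api_key: str
    client_ip: str
    body: bytes = b""


def json_depth(node, depth=1):
    """Nesting depth of a parsed JSON value; a scalar counts as one level."""
    if isinstance(node, dict):
        return max((json_depth(v, depth + 1) for v in node.values()), default=depth)
    if isinstance(node, list):
        return max((json_depth(v, depth + 1) for v in node), default=depth)
    return depth


def payload_error(body):
    """Return a rejection reason for an oversized, malformed or too-deep JSON body, else None."""
    if len(body) > MAX_BODY_BYTES:
        return "payload too large"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):  # RecursionError: pathological nesting in the parser
        return "malformed json"
    if json_depth(doc) > MAX_JSON_DEPTH:
        return "json nesting too deep"
    return None


class Gateway:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.recent = defaultdict(deque)    # api_key -> call timestamps within the last second
        self.quota_used = defaultdict(int)  # api_key -> calls counted against the quota

    def check(self, req):
        """Return (status, reason); 200 means the request may be forwarded to the backend."""
        product_name = API_KEYS.get(req.api_key)
        if product_name is None:
            return 401, "invalid api key"
        product = PRODUCTS[product_name]
        # IP-based allowlist; an empty list means any source is accepted
        if product["allow_cidrs"]:
            ip = ipaddress.ip_address(req.client_ip)
            if not any(ip in ipaddress.ip_network(c) for c in product["allow_cidrs"]):
                return 403, "source ip not allowed"
        # product scope: the operation's scope must be granted by the key's product
        needed = ROUTE_SCOPES.get((req.method, req.path))
        if needed is None or needed not in product["scopes"]:
            return 403, "scope not granted by product"
        # spike arrest: sliding one-second window, evaluated before any body parsing
        now = self.clock()
        window = self.recent[req.api_key]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= product["spike_per_sec"]:
            return 429, "spike arrest"
        window.append(now)
        # payload protection
        if req.body:
            err = payload_error(req.body)
            if err:
                return 400, err
        # quota: counted only for requests that passed every other check
        if self.quota_used[req.api_key] >= product["quota"]:
            return 429, "quota exceeded"
        self.quota_used[req.api_key] += 1
        return 200, "ok"


if __name__ == "__main__":
    gw = Gateway()
    print(gw.check(Request("GET", "/catalog", "pub-key-123", "203.0.113.5")))
    print(gw.check(Request("POST", "/orders", "pub-key-123", "203.0.113.5", b"{}")))
```

Spike arrest runs before the body is parsed so a burst cannot buy CPU time from the JSON parser, and the quota is debited last so that rejected requests do not consume a developer's allowance.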
Agile API security
✓ API First Architecture with Security
• Data Security Focused – API Products
✓ Security for API exposure
✓ Security for App Standardized
✓ Secure and Agile SDLC: Threat Assessment → Secure Coding → Testing → Verification
API data security
• Organize your APIs as API products for fine-grained data security management
• Central mechanism for authorization and access control to your APIs
• API products with Key and OAuth Scope protect your API
• Protect payload data using encryption, hashing and secure key management
• Improve API agility by aligning the Secure SDLC with data security sensitivity
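The payload-protection bullet (hashing and secure key management) together with the Data Masking item from the exposure checklist, as an added example rather than Apigee's code: fields are classified by sensitivity, masked for logs and analytics, or replaced with a versioned HMAC-SHA256 token so records can still be joined without exposing the value. The key ring, field policy and sample record are constructed; reversible encryption (for example AES-GCM with keys from a KMS) for fields whose plaintext must be recoverable is deliberately not implemented here.

```python
"""Field-level payload protection by data sensitivity (added example, not Apigee code).
'mask' fields are redacted, 'tokenize' fields become versioned HMAC-SHA256 tokens,
'pass' fields are left alone, and any field absent from the policy is masked (fail closed).
Key ring, policy and records are constructed; a real deployment loads keys from a KMS."""
import hashlib
import hmac

# Constructed versioned key ring: new tokens use CURRENT_KEY_VERSION; older keys are
# retained so tokens issued before a rotation can still be verified.
KEY_RING = {1: b"constructed-retired-key-v1", 2: b"constructed-current-key-v2"}
CURRENT_KEY_VERSION = 2
TOKEN_PREFIX = "v"

# Constructed sensitivity policy keyed by JSON field name.
FIELD_POLICY = {
    "name": "pass",
    "card_number": "mask",
    "ssn": "tokenize",
    "email": "tokenize",
}


def mask(value, keep_last=4):
    """Redact all but the trailing characters (e.g. a card number in a log line)."""
    if isinstance(value, (dict, list)):
        return "[redacted]"          # never leak a nested structure through its repr
    s = str(value)
    if len(s) <= keep_last:
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]


def tokenize(value, version=CURRENT_KEY_VERSION):
    """Keyed hash of the value, prefixed with the key version that produced it."""
    digest = hmac.new(KEY_RING[version], str(value).encode(), hashlib.sha256).hexdigest()
    return f"{TOKEN_PREFIX}{version}:{digest}"


def verify_token(value, token):
    """True if token was derived from value under the key version the token names."""
    version_str, sep, _ = token.partition(":")
    if not sep or not version_str.startswith(TOKEN_PREFIX):
        return False
    try:
        version = int(version_str[len(TOKEN_PREFIX):])
    except ValueError:
        return False
    if version not in KEY_RING:
        return False
    return hmac.compare_digest(tokenize(value, version), token)


def protect(record):
    """Apply the field policy to a flat JSON object before it is logged or stored."""
    out = {}
    for key, value in record.items():
        action = FIELD_POLICY.get(key, "mask")
        if action == "pass":
            out[key] = value
        elif action == "tokenize":
            out[key] = tokenize(value)
        else:
            out[key] = mask(value)
    return out


if __name__ == "__main__":
    print(protect({"name": "Ada", "card_number": "4111111111111111",
                   "ssn": "123-45-6789", "debug_note": "internal"}))
```

Because the token carries its key version, a key rotation only changes CURRENT_KEY_VERSION; tokens already in analytics stores keep verifying against the retired key until they are re-issued.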
Key takeaways
✓ Practice API First Architecture for security with flexibility
✓ Use API Products to enable tiered security
✓ Centralize your API security for consistent policy enforcement
✓ Standardize App security across channels for a frictionless user experience
✓ Implement the SDLC with automation for agility: Threat Assessment → Secure Coding → Testing → Verification
@Subrak Subra Kumaraswamy
Thank You
Questions?
Apigee@apigee