API IN(SECURITY)
1 like250 views
The document discusses the importance of API security in modern e-commerce, social, mobile, and IoT applications, highlighting common vulnerabilities and defense strategies. Key security measures include access control, input validation, output encoding, and encryption to protect against various attacks. It emphasizes integrating security during development and performing regular security tests to mitigate risks associated with API usage.
![API IN(SECURITY)
Asim Jaweesh
Asim [dot] Jaweesh (at) owasp [dot] org](https://image.slidesharecdn.com/apiinsecurity-170730110432/85/API-IN-SECURITY-1-320.jpg)
![THANK YOU
Asim [dot] Jaweesh (at) owasp [dot] org
@jaw33sh](https://image.slidesharecdn.com/apiinsecurity-170730110432/85/API-IN-SECURITY-17-320.jpg)
API IN(SECURITY)
- 1. API IN(SECURITY) Asim Jaweesh Asim [dot] Jaweesh (at) owasp [dot] org
- 2. AGENDA and technical knowledge History Rank Issues? defense resource Finish
- 3. BRIEF HISTORY 0 1 2 3 4 5 6 7 E-Commerce Social Mobile IoT Time
- 4. IMPORTANCE • Integration with other systems. • Control of UI/UX. • Cheap tweaks and change requests. • Saving time and effort.
- 5. WHAT COULD GO WRONG?
- 6. MOST VULNERABLE TO HAX
- 7. COMMON API HACKS OF 2014
- 8. THINK LIKE A HACKER PROTECTOR • Access control • Input validation • Output encoding • Cryptography • Message integrity • confidentiality
- 9. ACCESS CONTROLS • Anti-framing • Protect HTTP methods • Whitelist allowable methods • Protect privileged actions. • Protect against CSRF • Protect against IDOR • API rate limits
- 10. INPUT VALIDATION • Input sanitization • Secure parsing • Strong typing • Validate incoming content-type • Validate response-type • XML input validation • Framework-Provided validation
- 11. OUTPUT ENCODING • Send secure headers • JSON encoding • XML encoding
- 12. CRYPTOGRAPHY • Data in transit • Data in storage
- 13. MESSAGE INTEGRITY • In addition to HTTPS, JSON Web Token (JWT) • JWT guarantee message integrity and authenticate both sender/ receiver
- 14. CONFIDENTIALITY • RESTful web services can leak credentials, tokens and API keys • https://example.com/resourceCollection/<id>/action • https://Twitter.com/Jaweesh/lists • https://example.com/controller/<id>/action?apikey=12345678 • http://example.com/controller/<id>/action?apikey=987654321
- 15. RESOURCES • OWASP cheat sheet • History of API • Internet of things definition • SmartBear Practical tips for API security
- 16. RECAP • API new business technology. • Gaining popularity and trending. • Can easily wreck your business. • Good API helps your business. • Integrate security in development. • Do periodic security tests. • Spread awareness.
- 17. THANK YOU Asim [dot] Jaweesh (at) owasp [dot] org @jaw33sh