SlideShare a Scribd company logo

API Security Best Practices & Guidelines

Prabath Siriwardena, profile picture
Prabath Siriwardena

This document provides API security best practices and guidelines. It discusses defining APIs and who may access them, such as employees, partners, customers or the general public. Authentication can be direct, using credentials, or brokered, using a third party. Best practices include using TLS, strong credentials, short-lived tokens, and throttling access. The guidelines aim to prevent attacks like CSRF, authorization code interception, and brute force attacks through measures like state parameters, PKCE, and long random tokens.

Education
1 of 25
Downloaded 131 times
1
2
3
4
5
6
7
8
Most read
9
Most read
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Most read
API Security Best Practices & Guidelines Prabath Siriwardena, WSO2 Twitter: @prabath | Email: prabath@wso2.com
● The Director of Security Architecture, WSO2 ● Authored the book Advanced API Security - and three more
● The definition of the API has evolved over the time. ● It’s not just about the Application Programming Interface. ● Hosted, web-centric and public facing. ● Public facing does not always mean it’s outside your enterprise. ● Expose business functions to the rest of the world. ● Managed APIs ○ Secured ○ Monitored ○ Throttled
● Who’s going to access your API and from where? ○ Employees, within the domain or outside the domain or both. ○ Partners ○ Suppliers ○ Customers ○ General Public
● Is it a human or another system? ○ A user logs into a web app and the web app accesses an API on behalf of the end user. ○ Web app does not worry about the who the end user is when talking to an API
● Who is having control over the system, which talks to the APIs ○ Mobile app talks to an API - the end user has the total control ○ Web app talks to an API the end user has no control ○ SPA talks to an API the end user has no control ○ Trusted clients / public clients
● Direct Authentication ○ Trust the user directly - user could validate the trust by presenting a token known to the user and the service provider (API) both. ○ User credentials are under the control of the service provider. ○ Authenticate to Github API with username/password. ● Brokered Authentication ○ Do not trust each and individual users - but some entity who can assert a legitimate user to access the API. ○ User credentials are not under the control of the service provider. ○ The identity of the asserting entity can be validated by signature verification. ○ Login with Facebook
● Direct Authentication ○ Username/password based authentication (basic auth) ○ OAuth 2.0 ■ Authorization server and the resource server under the same domain. ■ OAuth for authentication? ○ TLS mutual authentication ■ Trusts each certificate ○ JSON Web Token (JWT) ■ Self-issued JWT ○ Kerberos/NTLM ○ Custom API keys
● Brokered Authentication ○ OAuth 2.0 ■ SAML 2.0 grant type ■ JWT grant type ■ …. ○ TLS mutual authentication ■ Trusts the issuer ○ JSON Web Token (JWT) ■ Trusts the issuer
API Security Best Practices & Guidelines
API Security Best Practices & Guidelines
API Security Best Practices & Guidelines
API Security Best Practices & Guidelines
API Security Best Practices & Guidelines
API Security Best Practices & Guidelines
SAML Grant Type
JWT Grant Type
Self-Contained Access Tokens
Self-Issued Access Tokens
Token Exchange
API Security Best Practices & Guidelines
XACML
● Use TLS in all the flows (bearer tokens) ● Store access tokens/refresh tokens/client credentials in a secure storage (at the client side) ● Store hashed access tokens/refresh tokens/client credentials in a secure storage (at the server side) ● Make sure access tokens/refresh tokens have the proper length to tolerate brute-force attacks. ○ The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence ● Use strong client credentials ○ Use short-lived assertions as the client_secret ● Use OAuth state parameter to tolerate CSRF attacks. ● Use scoped access tokens. ● Use PKCE to tolerate authorization code interception attacks (native mobile apps)
● Enable throttling by user by application ● Use TLS token binding to tolerate token exports ● Restrict clients by grant types ● Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. ● Short-lived access tokens ● Long-lived refresh tokens ● The token expiration time would depend on the following parameters. ○ risk associated with token leakage ○ duration of the underlying access grant ○ time required for an attacker to guess or produce a valid token ● One time access tokens (based on the use case) ● Client should validate the token audience
API Security Best Practices & Guidelines

More Related Content

PPTX
Rest API Security
Stormpath
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PPT
Application Security
Reggie Niccolo Santos
 
PPSX
Docker Kubernetes Istio
Araf Karsh Hamid
 
PDF
API Security Best Practices & Guidelines
Prabath Siriwardena
 
PPTX
API Security Fundamentals
José Haro Peralta
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PPT
Source Code Analysis with SAST
Blueinfy Solutions
 
Rest API Security
Stormpath
 
OWASP API Security Top 10 - API World
42Crunch
 
Application Security
Reggie Niccolo Santos
 
Docker Kubernetes Istio
Araf Karsh Hamid
 
API Security Best Practices & Guidelines
Prabath Siriwardena
 
API Security Fundamentals
José Haro Peralta
 
OAuth2 - Introduction
Knoldus Inc.
 
Source Code Analysis with SAST
Blueinfy Solutions
 

What's hot (20)

PPTX
REST API Design & Development
Ashok Pundit
 
PDF
Microservices with Java, Spring Boot and Spring Cloud
Eberhard Wolff
 
PDF
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
PPTX
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
PDF
Keycloak Single Sign-On
Ravi Yasas
 
PPSX
Microservices, DevOps & SRE
Araf Karsh Hamid
 
PPTX
Secure your app with keycloak
Guy Marom
 
PPTX
OpenId Connect Protocol
Michael Furman
 
PPSX
Event Sourcing & CQRS, Kafka, Rabbit MQ
Araf Karsh Hamid
 
PPTX
Building secure applications with keycloak
Abhishek Koserwal
 
PDF
How to migrate an application in IBM APIc, and preserve its client credential
Shiu-Fun Poon
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PPTX
API Security : Patterns and Practices
Prabath Siriwardena
 
KEY
Web API Basics
LearnNowOnline
 
PPTX
What's New in API Connect & DataPower Gateway in 1H 2018
IBM API Connect
 
PDF
Apigee Demo: API Platform Overview
Apigee | Google Cloud
 
PPTX
API Security Lifecycle
Apigee | Google Cloud
 
PDF
Designing APIs with OpenAPI Spec
Adam Paxton
 
PDF
Terraform -- Infrastructure as Code
Martin Schütte
 
PDF
Microservices Design Patterns | Edureka
Edureka!
 
REST API Design & Development
Ashok Pundit
 
Microservices with Java, Spring Boot and Spring Cloud
Eberhard Wolff
 
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Keycloak Single Sign-On
Ravi Yasas
 
Microservices, DevOps & SRE
Araf Karsh Hamid
 
Secure your app with keycloak
Guy Marom
 
OpenId Connect Protocol
Michael Furman
 
Event Sourcing & CQRS, Kafka, Rabbit MQ
Araf Karsh Hamid
 
Building secure applications with keycloak
Abhishek Koserwal
 
How to migrate an application in IBM APIc, and preserve its client credential
Shiu-Fun Poon
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
API Security : Patterns and Practices
Prabath Siriwardena
 
Web API Basics
LearnNowOnline
 
What's New in API Connect & DataPower Gateway in 1H 2018
IBM API Connect
 
Apigee Demo: API Platform Overview
Apigee | Google Cloud
 
API Security Lifecycle
Apigee | Google Cloud
 
Designing APIs with OpenAPI Spec
Adam Paxton
 
Terraform -- Infrastructure as Code
Martin Schütte
 
Microservices Design Patterns | Edureka
Edureka!
 
Ad

Similar to API Security Best Practices & Guidelines (20)

PDF
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
PDF
API Security In Cloud Native Era
WSO2
 
PDF
Securing Single-Page Applications with OAuth 2.0
Prabath Siriwardena
 
PDF
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
PDF
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Artur Barseghyan
 
PPTX
How to Build a Fortress with the Security of a Tent - Jacob Ideskog, Curity
Nordic APIs
 
PPTX
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
PDF
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
WSO2
 
PDF
OAuth 2.0 Threat Landscapes
Prabath Siriwardena
 
PDF
Talk Microservices to Me: The Role of IAM in Microservice Architecture
WSO2
 
PDF
Spring Security
Knoldus Inc.
 
PPTX
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
PPTX
Oauth 2.0 security
vinoth kumar
 
PDF
Secured REST Microservices with Spring Cloud
Orkhan Gasimov
 
PDF
Implementing Microservices Security Patterns & Protocols with Spring
VMware Tanzu
 
PDF
WSO2Con EU 2015: API Management Strategies and Best Practices
WSO2
 
PDF
Introduction to the Globus Platform for Developers
Globus
 
PPTX
How to build Simple yet powerful API.pptx
Channa Ly
 
PDF
Who Needs That FAPI Thing, Anyway? - Michal Trojanowski, Curity
Nordic APIs
 
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
API Security In Cloud Native Era
WSO2
 
Securing Single-Page Applications with OAuth 2.0
Prabath Siriwardena
 
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Artur Barseghyan
 
How to Build a Fortress with the Security of a Tent - Jacob Ideskog, Curity
Nordic APIs
 
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
WSO2
 
OAuth 2.0 Threat Landscapes
Prabath Siriwardena
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
WSO2
 
Spring Security
Knoldus Inc.
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Oauth 2.0 security
vinoth kumar
 
Secured REST Microservices with Spring Cloud
Orkhan Gasimov
 
Implementing Microservices Security Patterns & Protocols with Spring
VMware Tanzu
 
WSO2Con EU 2015: API Management Strategies and Best Practices
WSO2
 
Introduction to the Globus Platform for Developers
Globus
 
How to build Simple yet powerful API.pptx
Channa Ly
 
Who Needs That FAPI Thing, Anyway? - Michal Trojanowski, Curity
Nordic APIs
 
Ad

More from Prabath Siriwardena (20)

PDF
Microservices Security Landscape
Prabath Siriwardena
 
PDF
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
PDF
Identity is Eating the World!
Prabath Siriwardena
 
PPTX
Microservices Security Landscape
Prabath Siriwardena
 
PPTX
OAuth 2.0 Threat Landscape
Prabath Siriwardena
 
PDF
GDPR for Identity Architects
Prabath Siriwardena
 
PDF
Blockchain-based Solutions for Identity & Access Management
Prabath Siriwardena
 
PDF
Identity Management for Web Application Developers
Prabath Siriwardena
 
PDF
Open Standards in Identity Management
Prabath Siriwardena
 
PPTX
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
PPTX
Connected Identity : The Role of the Identity Bus
Prabath Siriwardena
 
PPTX
Connected Identity : Benefits, Risks & Challenges
Prabath Siriwardena
 
PPTX
The Evolution of Internet Identity
Prabath Siriwardena
 
PPTX
Next-Gen Apps with IoT and Cloud
Prabath Siriwardena
 
PPTX
Securing Insecure
Prabath Siriwardena
 
PPTX
Evolution of Internet Identity
Prabath Siriwardena
 
PPTX
Securing the Insecure
Prabath Siriwardena
 
PPTX
WSO2Con USA 2014 - Identity Server Tutorial
Prabath Siriwardena
 
PDF
Advanced API Security
Prabath Siriwardena
 
PPTX
Deep dive into Java security architecture
Prabath Siriwardena
 
Microservices Security Landscape
Prabath Siriwardena
 
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
Identity is Eating the World!
Prabath Siriwardena
 
Microservices Security Landscape
Prabath Siriwardena
 
OAuth 2.0 Threat Landscape
Prabath Siriwardena
 
GDPR for Identity Architects
Prabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
Prabath Siriwardena
 
Identity Management for Web Application Developers
Prabath Siriwardena
 
Open Standards in Identity Management
Prabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
Prabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Prabath Siriwardena
 
The Evolution of Internet Identity
Prabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
Prabath Siriwardena
 
Securing Insecure
Prabath Siriwardena
 
Evolution of Internet Identity
Prabath Siriwardena
 
Securing the Insecure
Prabath Siriwardena
 
WSO2Con USA 2014 - Identity Server Tutorial
Prabath Siriwardena
 
Advanced API Security
Prabath Siriwardena
 
Deep dive into Java security architecture
Prabath Siriwardena
 

Recently uploaded (20)

PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
master seminar digital applications in india
ananyaray35
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 

API Security Best Practices & Guidelines

  • 1. API Security Best Practices & Guidelines Prabath Siriwardena, WSO2 Twitter: @prabath | Email: prabath@wso2.com
  • 2. ● The Director of Security Architecture, WSO2 ● Authored the book Advanced API Security - and three more
  • 3. ● The definition of the API has evolved over the time. ● It’s not just about the Application Programming Interface. ● Hosted, web-centric and public facing. ● Public facing does not always mean it’s outside your enterprise. ● Expose business functions to the rest of the world. ● Managed APIs ○ Secured ○ Monitored ○ Throttled
  • 4. ● Who’s going to access your API and from where? ○ Employees, within the domain or outside the domain or both. ○ Partners ○ Suppliers ○ Customers ○ General Public
  • 5. ● Is it a human or another system? ○ A user logs into a web app and the web app accesses an API on behalf of the end user. ○ Web app does not worry about the who the end user is when talking to an API
  • 6. ● Who is having control over the system, which talks to the APIs ○ Mobile app talks to an API - the end user has the total control ○ Web app talks to an API the end user has no control ○ SPA talks to an API the end user has no control ○ Trusted clients / public clients
  • 7. ● Direct Authentication ○ Trust the user directly - user could validate the trust by presenting a token known to the user and the service provider (API) both. ○ User credentials are under the control of the service provider. ○ Authenticate to Github API with username/password. ● Brokered Authentication ○ Do not trust each and individual users - but some entity who can assert a legitimate user to access the API. ○ User credentials are not under the control of the service provider. ○ The identity of the asserting entity can be validated by signature verification. ○ Login with Facebook
  • 8. ● Direct Authentication ○ Username/password based authentication (basic auth) ○ OAuth 2.0 ■ Authorization server and the resource server under the same domain. ■ OAuth for authentication? ○ TLS mutual authentication ■ Trusts each certificate ○ JSON Web Token (JWT) ■ Self-issued JWT ○ Kerberos/NTLM ○ Custom API keys
  • 9. ● Brokered Authentication ○ OAuth 2.0 ■ SAML 2.0 grant type ■ JWT grant type ■ …. ○ TLS mutual authentication ■ Trusts the issuer ○ JSON Web Token (JWT) ■ Trusts the issuer
  • 22. XACML
  • 23. ● Use TLS in all the flows (bearer tokens) ● Store access tokens/refresh tokens/client credentials in a secure storage (at the client side) ● Store hashed access tokens/refresh tokens/client credentials in a secure storage (at the server side) ● Make sure access tokens/refresh tokens have the proper length to tolerate brute-force attacks. ○ The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence ● Use strong client credentials ○ Use short-lived assertions as the client_secret ● Use OAuth state parameter to tolerate CSRF attacks. ● Use scoped access tokens. ● Use PKCE to tolerate authorization code interception attacks (native mobile apps)
  • 24. ● Enable throttling by user by application ● Use TLS token binding to tolerate token exports ● Restrict clients by grant types ● Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. ● Short-lived access tokens ● Long-lived refresh tokens ● The token expiration time would depend on the following parameters. ○ risk associated with token leakage ○ duration of the underlying access grant ○ time required for an attacker to guess or produce a valid token ● One time access tokens (based on the use case) ● Client should validate the token audience