How to Build an Effective API Security Strategy
Download as PPTX, PDF2 likes767 views
The document discusses building an effective API security strategy, emphasizing the importance of considering potential threats and user access in the API lifecycle. It outlines a maturity model for API development, integrating internal systems, managing access to partners, and evolving APIs into marketable products. Key considerations include limiting data exposure, following security standards, and continuously monitoring for vulnerabilities.
How to Build an Effective API Security Strategy
- 1. When Failure Looks Like Success Building an Effective API Security Strategy D. Keith Casey, Jr. API Problem Solver @CaseySoftware
- 2. © Okta and/or its affiliates. All rights reserved. Okta Confidential 2 Who Am I?
- 3. © Okta and/or its affiliates. All rights reserved. Okta Confidential 3 Who Am I?
- 4. © Okta and/or its affiliates. All rights reserved. Okta Confidential 4 Who Am I?
- 5. © Okta and/or its affiliates. All rights reserved. Okta Confidential 5 Who Am I?
- 6. © Okta and/or its affiliates. All rights reserved. Okta Confidential 6 Who Am I?
- 7. So let’s talk about Failure
- 8. You?
- 9. © Okta and/or its affiliates. All rights reserved. Okta Confidential 9 API Journey: A Maturity Model Phase 0 Integrate internal systems by introducing Private APIs Internal advocacy & collaboration for internal APIs and CoE/Governance Phase 2 Limited API access to partners, resellers and suppliers Phase 3 Grow these APIs as full fledged products with external developer access Either monetized directly or to reach new customers and enter new markets. Security Team evaluates use cases, interfaces, authentication, access management, etc, etc Phase 1
- 10. © Okta and/or its affiliates. All rights reserved. Okta Confidential 10 API Journey: A Maturity Model Phase 0 Integrate internal systems by introducing Private APIs Internal advocacy & collaboration for internal APIs and CoE/Governance Phase 2 Limited API access to partners, resellers and suppliers Phase 3 Grow these APIs as full fledged products with external developer access Either monetized directly or to reach new customers and enter new markets. The security issue was always there Phase 1
- 11. How do we secure our APIs?
- 12. Aspect #1: Only expose the interfaces we need.
- 13. Aspect #2: Only collect and share the data we need.
- 14. Aspect #3: Only grant access to the people and systems we need.
- 15. Aspect #0: Think like a Bad Guy.
- 16. © Okta and/or its affiliates. All rights reserved. Okta Confidential • Read the news, look at competitors • Talk to your legal/compliance teams • Talk to your developers about their horror stories • Write a Black Mirror episode How do I think like a Bad Guy?
- 17. © Okta and/or its affiliates. All rights reserved. Okta Confidential • Valuable data • Accessible infrastructure • Simple or No authentication or authorization • Custom developed auth systems • To act undetected/unmonitored What does a Bad Guy want?
- 19. Full Lifecycle API Management Lifecycle What state is it in? • How was it designed? • How was it built? • Is it deployed? • To which GWs? • Is it live/available? Interface What does it expose? • Which resources? • Which methods? • Which objects? • Which fields? Access Who can use it? • Which users/groups? • How do they authenticate? • Using which clients? • In what contexts? Consumption How to succeed with it? • API Documentation? • Debugging/errors? • Track usage? • Examples/SDKs? Business How does it drive business goals? • Partner CRM • Monetization • Marketing • Business Analytics API Management Capabilities
- 20. Full Lifecycle API Management Lifecycle What state is it in? • How was it designed? • How was it built? • Is it deployed? • To which GWs? • Is it live/available? Interface What does it expose? • Which resources? • Which methods? • Which objects? • Which fields? Access Who can use it? • Which users/groups? • How do they authenticate? • Using which clients? • In what contexts? Consumption How to succeed with it? • API Documentation? • Debugging/errors? • Track usage? • Examples/SDKs? Business How does it drive business goals? • Partner CRM • Monetization • Marketing • Business Analytics API Management Capabilities
- 21. Full Lifecycle API Management Lifecycle What state is it in? • How was it designed? • How was it built? • Is it deployed? • To which GWs? • Is it live/available? Interface What does it expose? • Which resources? • Which methods? • Which objects? • Which fields? Access Who can use it? • Which users/groups? • How do they authenticate? • Using which clients? • In what contexts? Consumption How to succeed with it? • API Documentation? • Debugging/errors? • Track usage? • Examples/SDKs? Business How does it drive business goals? • Partner CRM • Monetization • Marketing • Business Analytics API Management Capabilities
- 23. © Okta and/or its affiliates. All rights reserved. Okta Confidential Be Smarter about Data • Don’t collect it if you don’t have to • Secure it in flight (SSL/TLS) • Encrypt it at rest 23 Ref: https://www.bbc.com/news/technology-46401890
- 26. © Okta and/or its affiliates. All rights reserved. Okta Confidential 26 • OpenID Connect Core 1.0 (spec) • Authorization Code, Implicit, and Hybrid flows • OpenID Provider Metadata (spec) • OAuth 2.0 (RFC 6749) • Authorization Code, Implicit, Resource Owner Password, Client Credentials • JSON Web Token (RFC 7519) • OAuth 2.0 Dynamic Client Registration (RFC 7591) • OAuth 2.0 Authorization Server Metadata (spec) • OAuth 2.0 Bearer Token Usage (RFC 6750) • OAuth 2.0 Multiple Response Types (spec) • OAuth 2.0 Form Response Mode (spec) • OAuth 2.0 Token Revocation (RFC 7009) • OAuth 2.0 Token Introspection (RFC 7662) • Proof Key for Code Exchange for OAuth Public Clients (RFC 7636) Common OAuth/OIDC Specifications
- 29. Closing Thoughts
- 30. © Okta and/or its affiliates. All rights reserved. Okta Confidential Questions to Ask • What is the worst thing someone can do with our API? • What happens if our competitors get our data? • What data do we need to collect & expose? • Who are your users now? In a year? • How are we monitoring for anomalies and bad behavior?
- 31. When Failure Looks Like Success Building an Effective API Security Strategy D. Keith Casey, Jr. API Problem Solver @CaseySoftware
Editor's Notes
- #2: This deck is intended as a general overview of thinking about API security.
- #11: So we need to step back and figure out how to secure our API from beginning to end, whether it’s inside our firewall or not.
- #19: Alright, so let’s do something useful.. Let’s use an API Management Platform or API Gateway
- #20: An API gateway does a ton of things, in this conversation, we only care about a couple of them.. Single point of access
- #21: First, the interface management helps us choose which endpoints we’re sharing and how to interact with them. Going back to our three aspects, this addresses the first two very directly: This lets us choose and define the interfaces to share.. So we can choose whether we expose a way to delete users or just create them. Second, this lets us accept or reject input. If we’re a bank and accept pictures of receipts for processing, we can reject mp3 files or youtube videos. If we’re a major US credit reporting agency, we can detect when people are downloading our entire database user by user.
- #22: The third aspect – only granting access to users we intend - is handled by the access management portion. Every gateway has its own user information so you can quickly add users and get started with it. Now, there is a drawback of having Yet Another User Database that we have to keep up to date but we’ll address that in a bit..
- #23: Alright, so let’s do something useful.. Let’s use an API Management Platform or API Gateway
- #25: The most common approach is an API key “Effectively a password sent on every request used to validate access” – Validate access could mean anything from “yes, this is a valid account” for a free API to “yes, this is a valid account and it has a positive balance” for a paid API like Mailchimp or Twilio
- #28: The most common approach is an API key “Effectively a password sent on every request used to validate access” – Validate access could mean anything from “yes, this is a valid account” for a free API to “yes, this is a valid account and it has a positive balance” for a paid API like Mailchimp or Twilio
- #32: This deck is intended as a general overview of how API Access Management fits within API Gateways.