Enterprise API adoption has gone beyond predictions. It has become the ‘coolest’ way of exposing business functionality to the outside world. Both your public and private APIs need to be protected, monitored and managed. This talk focuses on API security. There are so many options out there that it is easy to become confused. When to select one over another is always a question, and you need to deal with it quite carefully to identify and isolate the tradeoffs.
Security is not an afterthought. It has to be an integral part of any development project, and that applies to APIs as well. API security has evolved a lot in the last five years, and the growth of standards has been exponential. The talk will elaborate on how to build an ecosystem for API security around OAuth 2.0, OpenID Connect, UMA, SAML, SCIM and XACML.
Api security-eic-prabath
1. Best Practices in Building an API Security Ecosystem
Prabath Siriwardena, Director of Security, WSO2
Twitter : @prabath
2. About Me
• Director Security @ WSO2
• Lead Architect WSO2 Identity Server
• Apache Axis PMC Member
• Blog : http://blog.facilelogin.com
• Twitter : @prabath
4. Gateway Pattern - Benefits
• Decouple clients from the actual API implementation
• No point-to-point connections
• Centralized security enforcing
• Centralized auditing & monitoring
• Version controlling
9. TLS Mutual Authentication
The gateway itself does the certificate validation.
Fine-grained access validations can be done by the authorization server.
curl -k --cert client.pem https://localhost:8443/recipe
Note that -k skips verification of the gateway's own server certificate; it is acceptable only against a local test endpoint such as the one above.
19. OAuth & XACML
A given access token has a scope associated with it, and that scope governs the access token’s capabilities.
For example, a user delegates access to his Facebook profile to a third party under the scope “user_activities”. This provides access to the user's list of activities via the activities connection. To achieve fine-grained access control, this can be represented as an XACML policy, with the token and the requested resource as attributes of the authorization request:
token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
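As an added example (not from the deck), a minimal policy decision point in Python that evaluates the slide's token and resource_id pair against a scope rule, standing in for the XACML policy; the introspection table, the policy map and the token values are constructed.

```python
# Added example (not from the original deck): a minimal PEP/PDP pair that turns the
# slide's OAuth scope check into a fine-grained, XACML-style Permit/Deny decision.
from urllib.parse import urlsplit

# Constructed stand-in for OAuth token introspection (RFC 7662); token values are fake.
INTROSPECTION_DB = {
    "gfgew789hkhjkew87": {"active": True, "sub": "prabathsiriwardena",
                          "scope": "user_activities email"},
    "expired000": {"active": False},
}

# Policy rules in the spirit of an XACML <Rule>: (action, connection) -> required scope.
# Anything not listed falls through to Deny, mirroring a deny-by-default policy set.
POLICY = {
    ("GET", "activities"): "user_activities",
    ("GET", "friends"): "user_friends",
}

def parse_resource_id(resource_id):
    """Split 'GET https://graph.facebook.com/<user>/<connection>' into attributes."""
    action, url = resource_id.split(" ", 1)
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or len(segments) != 2:
        raise ValueError("unsupported resource id")
    return {"action": action.upper(), "host": parts.netloc,
            "owner": segments[0], "connection": segments[1]}

def decide(token, resource_id):
    """PDP: return ('Permit'|'Deny', reason); never raises into the enforcement point."""
    try:
        res = parse_resource_id(resource_id)
    except ValueError as exc:
        return "Deny", str(exc)
    info = INTROSPECTION_DB.get(token)
    if not info or not info.get("active"):
        return "Deny", "token inactive or unknown"
    # The delegated scope only covers the resource owner's own profile.
    if info["sub"] != res["owner"]:
        return "Deny", "token subject does not own this profile"
    required = POLICY.get((res["action"], res["connection"]))
    if required is None:
        return "Deny", "no rule matches action/resource"
    granted = set(info.get("scope", "").split())
    if required not in granted:
        return "Deny", f"scope {required} not granted"
    return "Permit", f"scope {required} covers {res['action']} {res['connection']}"
```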
25. User Managed Access
• PAT (Protection API Token): Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.
• AAT (Authorization API Token): Token issued to the Client to access the Authorization API (Authorization Server).
• RPT (Requesting Party Token): Token issued to the Client by the Authorization Server to access the Protected Resource on behalf of the Requesting Party.