Attendee Introductions
●Name
●Company & role
●What do you want to get out of this session?
●Topics you want to discuss at upcoming events.
[21st of April 2021]
[Wellington] MuleSoft Meetup Group
API and Data Security
Reminders...
●Session will be recorded. Please use the online chat to ask questions.
●Trivia game after the presentation. Winners will get a class voucher or a certification exam voucher of their choice!
●Fill out the post-event survey to share your feedback with us, and for a chance to win a $50 Amazon.com gift card.
●Group picture at the end of the session.
Organizers
Speaker
❖ Working as Senior Solution Architect at Capgemini.
❖ MuleSoft Ambassador.
❖ Surat MuleSoft Meetup Leader.
❖ 12.5+ years of experience in integration and API technologies.
❖ Certified MuleSoft Integration Architect and Platform Architect.
Agenda
●Introduction to API and Data Security
●Threats and Vulnerabilities
●OAuth 2.0 and JWT
●DataWeave Crypto Module
●Data Encryption – JCE and PGP
●Data Encryption – XML
●Live Demonstration
What is API Security?

API security is an essential element of any application, especially where APIs receive hundreds or thousands of calls a day.
New threats and vulnerabilities appear every day, so the APIs themselves have to be secured.
MuleSoft provides API Manager, which reduces exposure to attacks such as DoS and DDoS and enforces security policies in front of the API.
API Manager can create an API proxy for a backend API running on Anypoint Platform, so that every request is checked against the applied policies before it reaches the API.
Different Types of API Attacks
API threats:
●Denial of Service (DoS)
●Distributed Denial of Service (DDoS)
●Parameter Tampering
●CORS misconfiguration / Cross-Site Scripting (XSS)
●Injection Attacks
●Sensitive Data Exposure
Ways to achieve API Security
⮚ Digital Signatures.
⮚ Cryptography like PGP, JCE and XML.
⮚ JWT OAuth or token-based authentication.
⮚ API Manager policies like Rate Limiting, XML Threat Protection, JWT Validation etc.
⮚ Anypoint Security and Web Application Firewall in the case of Runtime Fabric.

Building blocks (diagram): OAuth; Rate Limiting; Digital Signatures; Cryptography; policies like XML Threat Protection, Rate Limiting and CORS; Anypoint Security.

Anypoint API Policies (Security):
●JWT Validation
●Basic Authentication – Simple and LDAP
●XML/JSON Threat Protection
●IP Whitelisting/Blacklisting
●Tokenization/Detokenization
OAuth Providers & Grant Types

OAuth Providers: OKTA, PING, OPEN AM, Keycloak, AWS Cognito, Azure IdP, Auth0, Google, Box, GitHub.

Grant Types: Authorization Code, Client Credentials, Refresh Token, Password, Implicit.

For new APIs, use Authorization Code (with PKCE for public clients) when a user is involved and Client Credentials for machine-to-machine calls. The Implicit and Password grants are discouraged by the OAuth 2.0 Security Best Current Practice: Implicit exposes the access token in the browser, and Password hands the user's credentials to the client.
OAuth JWT – Authorization Code (sequence diagram)
OAuth JWT – Implicit (sequence diagram)
OAuth JWT – Client Credentials (sequence diagram)
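Whichever grant issued the access token, the API proxy's JWT Validation policy has to do the same work before the backend sees the request. The following is an added example of those checks in plain Python (not code from the deck or from MuleSoft). It assumes an HS256 shared secret and the hypothetical issuer and audience values at the top; production APIs normally verify RS256/ES256 signatures with keys fetched from the provider's JWKS endpoint, but the checks are the same.

```python
# Added example: the bearer-token checks a JWT Validation policy performs.
# Stdlib only; HS256 with a shared secret. Secret, issuer and audience are
# constructed values for this example, not from the original deck.
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"example-shared-secret-rotate-me"          # assumption
EXPECTED_ISSUER = "https://idp.example.com/oauth2/default"  # assumption
EXPECTED_AUDIENCE = "api://orders"                          # assumption
ALLOWED_ALGS = {"HS256"}   # pinned in config; never taken from the token header
CLOCK_SKEW = 30            # seconds of tolerance on exp / nbf


class TokenInvalid(Exception):
    """Raised with a reason the proxy can log (but should not echo to the caller)."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, alg: str = "HS256", secret: bytes = SHARED_SECRET) -> str:
    """Mint a token. Used here only to construct sample input; the provider does this."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":                      # unsigned token, as an attacker would send it
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, now: int = None) -> dict:
    """Return the claims if every check passes, otherwise raise TokenInvalid."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:              # bad base64, bad JSON, wrong segment count
        raise TokenInvalid(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenInvalid("header and payload must be JSON objects")

    # 1. Pin the algorithm. Choosing the verifier from header['alg'] is exactly
    #    what 'alg: none' and HS256/RS256 confusion attacks exploit.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenInvalid(f"algorithm not allowed: {header.get('alg')!r}")

    # 2. Verify the signature over the exact bytes received, constant-time compare.
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenInvalid("signature mismatch")

    # 3. Validity window. exp is mandatory here; nbf is honoured when present.
    try:
        exp = int(claims["exp"])
        nbf = int(claims.get("nbf", 0))
    except (KeyError, TypeError, ValueError):
        raise TokenInvalid("exp missing or not numeric")
    if now > exp + CLOCK_SKEW:
        raise TokenInvalid("token expired")
    if now + CLOCK_SKEW < nbf:
        raise TokenInvalid("token not yet valid")

    # 4. Issuer and audience must be this API's. Without the aud check, a token
    #    the same provider issued for a different API would be accepted here.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenInvalid("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("audience mismatch")
    return claims


def is_valid(token: str, now: int = None) -> bool:
    """Allow/deny form of validate_token, as a policy would use it."""
    try:
        validate_token(token, now)
        return True
    except TokenInvalid:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "sub": "client-abc", "exp": t0 + 300})
    print("signed token:", is_valid(good, now=t0))                                    # True
    print("alg none:", is_valid(issue_token({"exp": t0 + 300}, alg="none"), now=t0))  # False
```

The algorithm pin in step 1 is the check most often missing: a verifier that reads `alg` from the header and picks the algorithm accordingly can be fed `alg: none`, or an RS256 token re-signed as HS256 with the public key as the secret. Step 4 matters just as much in a multi-API estate, since one provider typically issues tokens for many APIs and only the audience claim ties a token to this one.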
Use Cases - Demonstration
1. APIs must communicate end to end over HTTPS (TLS).
2. APIs must be secured with OAuth 2.0.
3. Restrict the size of the XML payload to limit DoS and DDoS exposure.
4. Drop requests coming from IP addresses 192.168.*.
5. Allow only requests from IP addresses starting with 10.1.*.
Rule 5 already excludes everything rule 4 drops; an explicit deny list still earns its place when a single address inside an allowed range must be blocked. Both rules must be evaluated against the TCP peer address, not a client-supplied X-Forwarded-For header, unless a trusted proxy in front of the API sets that header.
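As an added example (not the deck's own code and not Mule policy configuration, which expresses the same checks declaratively in API Manager), here is the five-rule chain in plain Python so that the ordering and each failure mode are explicit. The XML size cap and the exact network ranges are assumptions; the sample requests at the bottom are constructed for the example.

```python
# Added example: request-level policy chain for the five demo rules. Stdlib only.
# MAX_XML_BYTES and the network ranges are assumptions, not values from the deck.
import ipaddress
from dataclasses import dataclass, field

MAX_XML_BYTES = 64 * 1024                                   # rule 3 (assumed cap)
DENY_NETS = [ipaddress.ip_network("192.168.0.0/16")]         # rule 4: 192.168.*
ALLOW_NETS = [ipaddress.ip_network("10.1.0.0/16")]           # rule 5: only 10.1.*


@dataclass
class Request:
    scheme: str                     # scheme the listener actually served
    client_ip: str                  # TCP peer address, not X-Forwarded-For
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str


def apply_policies(req: Request) -> Decision:
    """Evaluate the rules in order and stop at the first failure."""
    # Rule 1: transport. Decide from what the listener served, never from a
    # client-supplied header such as X-Forwarded-Proto.
    if req.scheme.lower() != "https":
        return Decision(False, 403, "HTTPS required")

    # Rules 4 and 5: deny list first, then allow list. The allow list alone
    # already excludes 192.168.*; the deny list is what blocks one address
    # inside an otherwise allowed range.
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return Decision(False, 400, "unparseable client address")
    if any(ip in net for net in DENY_NETS):
        return Decision(False, 403, f"{ip} is on the deny list")
    if not any(ip in net for net in ALLOW_NETS):
        return Decision(False, 403, f"{ip} is not on the allow list")

    # Rule 2: an OAuth 2.0 bearer token must be present. Its signature, expiry,
    # issuer and audience are the JWT validation step's job, not this one's.
    parts = req.headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return Decision(False, 401, "missing bearer token")

    # Rule 3: size limit on the raw bytes, applied before any XML parser sees
    # the document. A DOCTYPE is refused outright because entity expansion
    # (billion laughs) and XXE both depend on one.
    content_type = req.headers.get("Content-Type", "").lower()
    if "xml" in content_type:
        if len(req.body) > MAX_XML_BYTES:
            return Decision(False, 413, f"XML payload exceeds {MAX_XML_BYTES} bytes")
        if b"<!DOCTYPE" in req.body:
            return Decision(False, 400, "DOCTYPE declarations are not accepted")
    return Decision(True, 200, "ok")


def demo() -> list:
    """Constructed sample requests, one per rule; returns the decisions in order."""
    ok_headers = {"Authorization": "Bearer eyJ.example.token",
                  "Content-Type": "application/xml"}
    samples = [
        Request("https", "10.1.4.7", ok_headers, b"<order id='1'/>"),            # passes
        Request("http", "10.1.4.7", ok_headers, b"<order/>"),                     # rule 1
        Request("https", "192.168.1.10", ok_headers, b"<order/>"),                # rule 4
        Request("https", "10.2.0.1", ok_headers, b"<order/>"),                    # rule 5
        Request("https", "10.1.4.7", {"Content-Type": "application/xml"}, b"<order/>"),  # rule 2
        Request("https", "10.1.4.7", ok_headers, b"<a>" + b"x" * MAX_XML_BYTES + b"</a>"),  # rule 3
        Request("https", "10.1.4.7", ok_headers, b"<!DOCTYPE a [<!ENTITY x 'y'>]><a>&x;</a>"),
    ]
    return [apply_policies(r) for r in samples]


if __name__ == "__main__":
    for d in demo():
        print(d.status, d.reason)
```

The two points the code makes that a policy list does not: every decision is taken before the request body is parsed, and the address checks use the peer address rather than anything the client controls. Token verification is deliberately left to a separate step so the IP and size rules can reject cheaply before any signature work is done.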
Demonstration
● Client Management using OpenID Connect Dynamic Client Registration + OKTA
● Identity Management using OpenID Connect + OKTA
● Identity Management using SAML + OKTA
API Security Best Practices and Recommendations
❖ Enable multi-factor authentication.
❖ Avoid Basic Authentication when exposing APIs to external consumers. Use OAuth 2.0 with JWT access tokens: Client Credentials for machine-to-machine calls, Authorization Code for calls made on behalf of a user.
❖ Use TLS 1.2 or later to secure the transport layer. Enable end-to-end HTTPS, including the hop from the proxy to the backend.
❖ Always encrypt sensitive data such as SSNs. MuleSoft provides several cryptography options: PGP, JCE and XML encryption and decryption. Stored passwords should be hashed with a password-hashing function rather than encrypted.
❖ Enable identity management or SSO for Anypoint Platform.
❖ Apply API security policies in API Manager such as Rate Limiting, Spike Control and XML Threat Protection.
❖ Secure APIs and data both in transit and at rest.
❖ Avoid logging confidential data such as passwords and SSNs.
Thank you!

How Secure is Your API?
