How Secure is Your API?
Attendee Introductions

● Name
● Company & role
● What do you want to get out of this session?
● Topics you want to discuss at upcoming events.
[21st of April 2021]
[Wellington] MuleSoft Meetup Group
API and Data Security
Reminders...

● Session will be recorded. Please use the online chat to ask questions.
● Trivia game after the presentation. Winners will get a class voucher or certification exam voucher of their choice!
● Fill out the post-event survey to share your feedback with us, and for a chance to win a $50 Amazon.com gift card.
● Group picture at the end of the session.
Speaker

❖ Working as Senior Solution Architect at Capgemini.
❖ MuleSoft Ambassador.
❖ Surat MuleSoft Meetup Leader.
❖ 12.5+ years of experience in integration and API technologies.
❖ Certified MuleSoft Integration Architect and Platform Architect.
Agenda

1. Introduction to API and Data Security
2. Threats and Vulnerabilities
3. OAuth 2.0 and JWT
4. DataWeave Crypto Module
5. Data Encryption – JCE and PGP
6. Data Encryption – XML
7. Live Demonstration
What is API Security?

API security is an essential element of any application, especially where APIs receive hundreds or thousands of calls on a daily basis.
New threats and vulnerabilities appear every day, so it is very important to secure the APIs.
MuleSoft provides API Manager, which can minimize the risk from attacks like DDoS and DoS or from other security vulnerabilities.
API Manager provides an option to create an API proxy for the backend API running on Anypoint Platform, and thereby secures requests coming into the platform against the API.
API Threats

Different types of API attacks:
● Denial of Service
● Distributed Denial of Service
● Parameter Tampering
● CORS/XSS
● Injection Attacks
● Sensitive Data Exposure
Ways to achieve API Security

⮚ Digital Signatures.
⮚ Cryptography like PGP, JCE and XML.
⮚ JWT, OAuth or token-based authentication.
⮚ API Manager policies like Rate Limiting, XML Threat Protection, JWT Validation etc.
⮚ Anypoint Security and Web Application Firewall in case of Runtime Fabric.

[Diagram: "API Security" surrounded by OAuth; Rate Limiting; Digital Signatures; Cryptography; Policies like XML Threat Protection, Rate Limiting, CORS etc.; Anypoint Security]

Anypoint API Policies (Security):
● JWT Validation Policies
● Basic Authentication – Simple and LDAP
● XML/JSON Threat Protection Policies
● IP Whitelisting/Blacklisting
● Tokenization/Detokenization
OAuth Providers & Grant Types

OAuth Providers: OKTA, PING, OPEN AM, Keycloak, AWS Cognito, Azure IdP, Auth0, Google, Box, GitHub

Grant Types: Authorization Code, Client Credentials, Refresh Token, Password, Implicit, Code
Use Cases - Demonstration

1. APIs must communicate end to end over HTTPS (SSL tunnelling).
2. APIs must be secured with OAuth 2.0.
3. Restrict the size of the XML payload to avoid DDoS and DoS.
4. Drop requests coming from IP addresses 192.168.*.
5. Allow only requests from IP addresses starting with 10.1.*.
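Use cases 3, 4 and 5 above are gateway-side checks that run before a request reaches the backend API. The following is an added example, not MuleSoft's own policy code, showing the decision logic such checks implement: the slide's wildcard rules "192.168.*" and "10.1.*" are assumed to map to the 192.168.0.0/16 and 10.1.0.0/16 networks, and the 1 MiB XML size cap is an assumed value. The deny list is evaluated before the allow list, anything not explicitly allowed is dropped, and the payload size is checked against both the declared Content-Length and the actual body, since the header is client-controlled.

```python
"""Added illustration of the IP allow/deny and XML payload-size use cases
(not MuleSoft code). Network ranges and the size cap are assumed values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed translation of the slide's wildcard rules into CIDR networks.
DENY_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]  # "192.168.*"
ALLOW_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]    # "10.1.*"
MAX_XML_BYTES = 1024 * 1024  # assumed 1 MiB cap on XML bodies; tune per API


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_source_ip(client_ip: str) -> Decision:
    """Use cases 4 and 5: evaluate the deny list before the allow list so an
    explicit block is never overridden by a broader allow rule, and drop
    anything not explicitly allowed (default deny). client_ip must be the
    address the gateway actually saw (the TCP peer), not an unverified
    X-Forwarded-For header, or a spoofed header bypasses the filter."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return Decision(False, "unparseable client address")
    if any(addr in net for net in DENY_NETWORKS):
        return Decision(False, f"{addr} is in a blocked range")
    if not any(addr in net for net in ALLOW_NETWORKS):
        return Decision(False, f"{addr} is not in an allowed range")
    return Decision(True, "source address allowed")


def check_xml_payload(content_type: str, content_length: Optional[int], body: bytes) -> Decision:
    """Use case 3: reject oversized XML before any parser touches it. The
    declared Content-Length is checked first because it is cheap, then the
    real byte count, because the header is client-controlled and may be
    missing (chunked transfer) or understated."""
    if not content_type.lower().startswith(("application/xml", "text/xml")):
        return Decision(True, "not an XML payload")
    if content_length is not None and content_length > MAX_XML_BYTES:
        return Decision(False, "declared Content-Length exceeds limit")
    if len(body) > MAX_XML_BYTES:
        return Decision(False, "actual payload exceeds limit")
    return Decision(True, "payload size within limit")


def evaluate_request(client_ip: str, content_type: str,
                     content_length: Optional[int], body: bytes) -> Decision:
    """Run the cheap source-address check first and stop at the first failure."""
    decision = check_source_ip(client_ip)
    if not decision.allowed:
        return decision
    decision = check_xml_payload(content_type, content_length, body)
    if not decision.allowed:
        return decision
    return Decision(True, "request accepted")


if __name__ == "__main__":
    # Constructed sample requests, one per outcome.
    samples = [
        ("10.1.4.7", "application/xml", 12, b"<a>hello</a>"),
        ("192.168.1.9", "application/xml", 12, b"<a>hello</a>"),
        ("10.2.0.1", "application/json", 2, b"{}"),
        ("10.1.0.3", "text/xml", None, b"<x>" + b"A" * MAX_XML_BYTES + b"</x>"),
    ]
    for ip, ctype, clen, body in samples:
        d = evaluate_request(ip, ctype, clen, body)
        print(f"{ip:<12} {ctype:<16} -> {'ALLOW' if d.allowed else 'DROP'} ({d.reason})")
```

Running the block prints one line per constructed request: the first is accepted, the 192.168.1.9 request is dropped by the deny rule, 10.2.0.1 is dropped because it is outside the allow range, and the last is dropped for exceeding the XML size cap even though it carried no Content-Length.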
Demonstration

● Client Management using OpenID Connect Dynamic Client Registration + OKTA
● Identity Management using OpenID Connect + OKTA
● Identity Management using SAML + OKTA
API Security Best Practices and Recommendations

❖ Enable multi-factor authentication.
❖ Avoid using Basic Authentication when exposing APIs to external consumers. Use OAuth JWT Client Credentials or Authorization Code.
❖ Use TLS v1.2 to secure the transport layer. Enable end-to-end HTTPS secure communication.
❖ Always encrypt sensitive data like SSNs and passwords. MuleSoft provides various cryptography techniques like the PGP, JCE and XML encrypter and decrypter.
❖ Enable Identity Management or SSO for Anypoint Platform.
❖ Apply API security policies with API Manager like Rate Limiting, Spike Control, XML Threat Protection.
❖ Secure APIs and data in transit and at rest.
❖ Avoid logging confidential data like passwords, SSNs etc.
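The recommendation to replace Basic Authentication with OAuth JWT tokens relies on the gateway actually validating each token before forwarding the request, which is what the JWT Validation policy listed earlier does. The following is an added example, not MuleSoft's policy implementation, of the checks such validation performs, written with the standard library only so it runs offline: it uses HS256 with a shared secret, and the secret, issuer (`https://idp.example.test`) and audience (`orders-api`) are assumed values. The `mint_token` helper exists only to make the example self-contained; in a deployment the authorization server issues tokens. The order of checks is the point: the algorithm is pinned before the signature is verified, the signature is verified in constant time before any claim is read, and only then are issuer, audience and expiry enforced.

```python
"""Added example of JWT validation checks (not MuleSoft's JWT Validation
policy). Secret, issuer and audience are assumed demo values."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Assumed values for the example; a real policy takes key material and the
# expected issuer/audience from the authorization server's configuration.
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "orders-api"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: Dict[str, Any], secret: bytes = SECRET) -> str:
    """Issue an HS256 token. Present only so the example is self-contained;
    in a deployment the authorization server issues tokens, not the API."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_token(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> Dict[str, Any]:
    """Return the claims if the token is acceptable, otherwise raise ValueError.
    Order matters: pin the algorithm before checking the signature, check the
    signature before trusting any claim, compare signatures in constant time."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:
        raise ValueError("undecodable token segment")
    # Never let the token choose the algorithm ("alg": "none" or key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy enough to read.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise ValueError("undecodable token segment")
    if not isinstance(claims, dict):
        raise ValueError("claims are not an object")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # may be a single string or a list per RFC 7519
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """Policy-style wrapper: None if accepted, otherwise the rejection reason."""
    try:
        validate_token(token, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued_at = time.time()
    token = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                        "sub": "client-123", "exp": issued_at + 300})
    print("valid token     ->", rejection_reason(token))
    h, p, s = token.split(".")
    forged = h + "." + b64url_encode(b'{"sub":"admin"}') + "." + s
    print("forged payload  ->", rejection_reason(forged))
    print("alg none header ->", rejection_reason(b64url_encode(b'{"alg":"none"}') + "." + p + "."))
```

A gateway would call `validate_token` on the bearer token of every request and forward only on success; the rejection reasons are intended for server-side logs, not for the response body, in line with the recommendation above not to leak sensitive detail.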