
API Security Lifecycle


Apigee engineers on the API Lifecycle and API Security at I Love APIs 2015. The role of Apigee Sense in API Security



  1. API Security Lifecycle. Joel D'sa, Product Security Engineering at Apigee; Chris Von See, Global Architect at Apigee.
  2. Agenda: secure API design; secure API implementation; demo; facilitating security for API consumers; operationalizing API security and mitigating threats; mitigating security breaches. ©2015 Apigee. All Rights Reserved.
  3. Apigee Sense.
  4. API Security Lifecycle. Stages: design, implement, run-time security, access management, audit, monitoring/response.
     • Design: design for secure exposure of private and public APIs
     • Implementation: out-of-the-box policies in Edge to improve API security
     • Run-time security: threat protection policies and token management
     • Access management: RBAC for the API team, deployment environments, logging, secure debugging
     • Audit: secure logging and forwarding of events
     • Monitoring and response: breach detection and mitigation
  5. Leveraging API façades
     • Hide API back-end implementation details
     • Configure security constraints and other processing based on the API consumer
     • Carefully manage the return of sensitive, inappropriate or unauthorized data by APIs
     • Track device usage information and correlate it to specific users
     (Slide image: http://www.theage.com.au/ffximage/2008/01/03/rg_sewage_wideweb__470x335,0.jpg)
  6. Design considerations
     • Classify your APIs: use API products
     • Classify your resources: use OAuth2 scopes to distinguish restricted, private and public resources
     • Establish and enforce SLAs: Quota and Spike Arrest policies prevent application denial of service; Edge's out-of-the-box security policies prevent injection attacks and data leaks
     • Inbound and outbound communications security: use the Edge SSL APIs to manage your transport security
     • Logging and auditing: log access with Edge message logging and follow through with an audit policy
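The design slide above combines resource classification by OAuth2 scope with quota and spike arrest. The following is an added example, not Apigee's own policy code: a toy gateway that maps request paths to public, private and restricted tiers, denies unclassified paths by default, and sheds abusive traffic with a spike-arrest interval and a fixed-window quota before it evaluates scopes. The resource table, the limits and the class names are assumptions chosen for illustration.

```python
"""Resource classification via OAuth2 scopes plus quota and spike-arrest
enforcement. Added example; the paths, limits and scope strings below are
assumptions, not Apigee Edge policy configuration."""
from dataclasses import dataclass

# Constructed classification: each resource prefix maps to a tier and the
# scope a token must carry. Public resources need no scope.
RESOURCE_TIERS = {
    "/v1/catalog": ("public", None),
    "/v1/orders":  ("private", "orders.read"),
    "/v1/admin":   ("restricted", "admin"),
}


@dataclass
class Token:
    app: str
    scopes: frozenset


def classify(path):
    """Longest-prefix match of the request path against RESOURCE_TIERS.
    Anything not classified is treated as restricted (deny by default)."""
    best = None
    for prefix, tier in RESOURCE_TIERS.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, tier)
    return best[1] if best else ("restricted", "__unclassified__")


class SpikeArrest:
    """Smooths traffic to rate_per_sec by enforcing a minimum interval between
    successive requests from the same app."""
    def __init__(self, rate_per_sec):
        self.min_interval = 1.0 / rate_per_sec
        self.last_seen = {}

    def allow(self, app, now):
        last = self.last_seen.get(app)
        if last is not None and now - last < self.min_interval:
            return False
        self.last_seen[app] = now
        return True


class Quota:
    """Fixed window of window_sec allowing `limit` calls per app."""
    def __init__(self, limit, window_sec):
        self.limit, self.window = limit, window_sec
        self.counts = {}

    def allow(self, app, now):
        start, n = self.counts.get(app, (now, 0))
        if now - start >= self.window:
            start, n = now, 0
        if n >= self.limit:
            self.counts[app] = (start, n)
            return False
        self.counts[app] = (start, n + 1)
        return True


class Gateway:
    def __init__(self):
        self.spike = SpikeArrest(rate_per_sec=10)   # assumed limits
        self.quota = Quota(limit=5, window_sec=60)

    def handle(self, token, path, now):
        """Returns (status, reason). Cheapest checks run first so abusive
        traffic is shed before scope evaluation."""
        if not self.spike.allow(token.app, now):
            return 429, "spike arrest"
        if not self.quota.allow(token.app, now):
            return 429, "quota exceeded"
        tier, required = classify(path)
        if required is not None and required not in token.scopes:
            return 403, f"missing scope {required} for {tier} resource"
        return 200, tier


if __name__ == "__main__":
    gw = Gateway()
    t = Token("app1", frozenset({"orders.read"}))
    for now, path in [(0.0, "/v1/catalog/items"), (0.5, "/v1/orders/7"),
                      (1.0, "/v1/admin/users"), (1.05, "/v1/admin/users")]:
        print(now, path, gw.handle(t, path, now))
```

Note that rejected requests still count against the quota once they pass spike arrest, which matches the intent of the slide: the SLA limits protect the backend from load regardless of whether the caller is authorized.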
  7. Security policies in Apigee Edge: secure APIs and protect back-end systems from attack; secure interactions with API consumers and optimize performance.
  8. Securing the API: run-time.
  9. Threat protection best practices
     • Use Conditionals and Fault Rules to reject bad input before it reaches the southbound service
     • Use the Extract Variables policy so that JSON and XML values are parsed with the secure parsers built into Edge and exposed as variables
     • Use the JSON and XML Threat Protection policies to set content-level limits (nesting depth, array and object sizes, string lengths) on JSON and XML structures
     • Use the Regular Expression Protection policy as a defense-in-depth screen for SQL injection and stored or reflected cross-site scripting payloads; pattern blocklists do not replace parameterized queries and output encoding in the backend
     • Use the SOAP Message Validation policy to validate a SOAP message against a schema or WSDL
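What the JSON threat-protection and regex-protection bullets amount to in code, as an added example rather than the Apigee Edge policies themselves: a byte-size check, a raw scan for nesting depth that runs before any parser recurses on the input, structural limits enforced on the parsed tree, and a regex screen over every string value and key. The limits and the injection patterns are assumptions for illustration and are deliberately small.

```python
"""Content-level threat protection for JSON payloads, plus regex screening
of string values. Added example; the limits and patterns are assumptions,
not the defaults of Apigee Edge's JSONThreatProtection or
RegularExpressionProtection policies."""
import json
import re

# Constructed limits in the spirit of the policy's knobs.
LIMITS = {
    "max_bytes": 4096,
    "max_depth": 5,
    "max_array_elements": 20,
    "max_object_entries": 20,
    "max_string_length": 256,
}

# Constructed detection patterns. These are blocklists, so they are a
# defense-in-depth layer; the backend still needs parameterized queries
# and output encoding.
PATTERNS = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript\s*:|on\w+\s*=)"),
}


class ThreatDetected(ValueError):
    pass


def _nesting_depth(raw: bytes) -> int:
    """Scans raw text for bracket depth without building a tree, so a deeply
    nested payload is rejected before the parser recurses on it."""
    depth = max_depth = 0
    in_string = escaped = False
    for b in raw:
        c = chr(b)
        if in_string:
            if escaped:
                escaped = False
            elif c == "\\":
                escaped = True
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c in "]}":
            depth -= 1
    return max_depth


def _check_string(s: str):
    if len(s) > LIMITS["max_string_length"]:
        raise ThreatDetected("string too long")
    for name, pat in PATTERNS.items():
        if pat.search(s):
            raise ThreatDetected(f"{name} pattern in input")


def _walk(node):
    """Enforces container-size and string limits over the parsed tree."""
    if isinstance(node, dict):
        if len(node) > LIMITS["max_object_entries"]:
            raise ThreatDetected("too many object entries")
        for k, v in node.items():
            _check_string(k)
            _walk(v)
    elif isinstance(node, list):
        if len(node) > LIMITS["max_array_elements"]:
            raise ThreatDetected("too many array elements")
        for v in node:
            _walk(v)
    elif isinstance(node, str):
        _check_string(node)


def inspect_json(raw: bytes):
    """Size check, then depth pre-scan, then parse with the standard parser,
    then structural and regex checks. Returns the parsed document."""
    if len(raw) > LIMITS["max_bytes"]:
        raise ThreatDetected("payload too large")
    depth = _nesting_depth(raw)
    if depth > LIMITS["max_depth"]:
        raise ThreatDetected(f"depth {depth} exceeds {LIMITS['max_depth']}")
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as e:
        raise ThreatDetected(f"malformed JSON: {e}")
    _walk(doc)
    return doc


def screen(raw: bytes):
    """Gateway-style wrapper returning (accepted, reason)."""
    try:
        inspect_json(raw)
        return True, "ok"
    except ThreatDetected as e:
        return False, str(e)


if __name__ == "__main__":
    for sample in [b'{"user": "alice", "items": [1, 2, 3]}',
                   b'{"q": "1 OR 1=1 UNION SELECT password FROM users"}',
                   b"[" * 50 + b"]" * 50]:
        print(screen(sample))
```

The ordering is the point of the first slide bullet: size and depth are decided on the raw bytes, so a nesting bomb never reaches the parser, let alone the southbound service.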
  10. SSL
     • Ensure that certificates are set up correctly: signed by a trusted CA, with key sizes of 2048 bits or higher (RSA)
     • Follow NIST recommendations for protocol and cipher configurations
     • Run SSL scans with Nessus or Qualys to confirm that your configuration is secure
     • Apigee Edge helps: an API to configure certificates and trust for incoming and outgoing TLS, and configuration options for choosing the correct protocols and algorithms
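For the protocol and cipher bullets, here is an added example (not Edge's TLS configuration API) using Python's standard ssl module: a hardened client context next to the weak one that scanners keep finding, and an audit function that reports the settings the slide calls out. The cipher string and the weak-cipher token list are assumptions in the spirit of NIST SP 800-52 guidance, not a verbatim NIST list.

```python
"""Client-side TLS configuration check: a hardened context beside a weak one,
and an audit that flags missing verification, old protocols and weak ciphers.
Added example using the Python ssl module, not Apigee Edge's TLS APIs."""
import ssl

# Assumed cipher policy: forward-secret AEAD suites only. TLS 1.3 suites are
# configured separately by OpenSSL and remain enabled.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
# Assumed substrings that mark a cipher as unacceptable.
WEAK_TOKENS = ("RC4", "3DES", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")


def hardened_client_context(cafile=None):
    """CERT_REQUIRED and hostname checking come from create_default_context;
    this pins the floor at TLS 1.2 and restricts the cipher list."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def weak_client_context():
    """The configuration an SSL scan flags: no peer verification, no hostname
    check, and every protocol version the library still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit(ctx):
    """Returns a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {ctx.minimum_version.name} below TLSv1.2")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(tok in c["name"] for tok in WEAK_TOKENS)]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))
    print("weak:", audit(weak_client_context()))
```

The audit inspects the local context only; it is the complement of, not a replacement for, an external scan of the deployed listener, which is what the Nessus or Qualys recommendation on the slide covers.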
  11. Demo
  12. Securing the Edge instance: organization trust boundary; environment trust boundary.
  13. Mitigating risks from compromised applications. When this happens, what do you do?
     • Monitor for unusual activity (traffic volume or source, excessive authentication calls, etc.)
     • Revoke, re-approve or delete an API key
     • Regenerate API keys and secrets
     • Revoke, re-approve or delete some or all active OAuth access and refresh tokens
     • Dynamic invalidation via code in API proxies, based on user IDs, device identifiers or other criteria
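The compromised-application slide lists detection and the revocation responses separately; the following added example (not Apigee Sense or the Edge management API) ties them together. It runs a simple detector for excessive failed authentication calls over a few constructed access-log lines, then revokes the offending app key and blocks the source device in a token store that is consulted on every request, so tokens already issued stop working immediately instead of at expiry. The log format, thresholds and store are all assumptions.

```python
"""Detection of abnormal authentication activity over gateway log lines,
followed by key/token revocation and request-time enforcement. Added example;
the log format, thresholds and data stores are assumptions, not Apigee Sense
or Edge management APIs."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed access log: ts, client ip, app key, user, device, path, status.
LOG = """\
1700000000 10.0.0.5 key-app1 alice dev-a1 /oauth/token 200
1700000001 10.0.0.5 key-app1 alice dev-a1 /v1/orders 200
1700000002 198.51.100.7 key-app2 bob dev-b9 /oauth/token 401
1700000002 198.51.100.7 key-app2 bob dev-b9 /oauth/token 401
1700000003 198.51.100.7 key-app2 carol dev-b9 /oauth/token 401
1700000003 198.51.100.7 key-app2 dave dev-b9 /oauth/token 401
1700000004 198.51.100.7 key-app2 erin dev-b9 /oauth/token 401
1700000004 198.51.100.7 key-app2 frank dev-b9 /oauth/token 200
1700000005 198.51.100.7 key-app2 frank dev-b9 /v1/orders 200
"""

AUTH_FAIL_THRESHOLD = 4   # assumed: failed token calls per app per window
WINDOW_SEC = 60


def parse(line):
    ts, ip, key, user, device, path, status = line.split()
    return dict(ts=int(ts), ip=ip, key=key, user=user, device=device,
                path=path, status=int(status))


def find_suspicious_apps(log_text):
    """Flags app keys with a burst of failed /oauth/token calls inside one
    window, reporting the user ids and devices involved. Many users from one
    device through one key is the signature of a leaked app credential."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e["path"] == "/oauth/token" and e["status"] == 401:
            fails[e["key"]].append(e)
    flagged = {}
    for key, events in fails.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            window = [x for x in events[i:] if x["ts"] - first["ts"] <= WINDOW_SEC]
            if len(window) >= AUTH_FAIL_THRESHOLD:
                flagged[key] = {"failures": len(window),
                                "users": sorted({x["user"] for x in window}),
                                "devices": sorted({x["device"] for x in window})}
                break
    return flagged


@dataclass
class Token:
    value: str
    app_key: str
    user: str
    device: str


@dataclass
class TokenStore:
    """Issued tokens plus revocation sets checked on every request, so a
    compromise is contained without waiting for tokens to expire."""
    tokens: dict = field(default_factory=dict)
    revoked_keys: set = field(default_factory=set)
    revoked_devices: set = field(default_factory=set)
    revoked_users: set = field(default_factory=set)

    def issue(self, value, app_key, user, device):
        self.tokens[value] = Token(value, app_key, user, device)

    def revoke_app_key(self, app_key):
        """Revoking the key invalidates every token minted for that app;
        returns the affected token values for logging."""
        self.revoked_keys.add(app_key)
        return [t.value for t in self.tokens.values() if t.app_key == app_key]

    def authorize(self, value):
        """Request-time check: (allowed, reason)."""
        t = self.tokens.get(value)
        if t is None:
            return False, "unknown token"
        if t.app_key in self.revoked_keys:
            return False, "app key revoked"
        if t.device in self.revoked_devices:
            return False, "device blocked"
        if t.user in self.revoked_users:
            return False, "user sessions revoked"
        return True, "ok"


def respond(log_text, store):
    """Ties detection to mitigation: revoke the keys of flagged apps and
    block the devices the burst came from."""
    flagged = find_suspicious_apps(log_text)
    for key, info in flagged.items():
        store.revoke_app_key(key)
        store.revoked_devices.update(info["devices"])
    return flagged


if __name__ == "__main__":
    store = TokenStore()
    store.issue("tok2", "key-app2", "frank", "dev-b9")
    print(respond(LOG, store), store.authorize("tok2"))
```

Note that frank's successful token in the constructed log is exactly the case the slide worries about: the attacker eventually got a valid token through the leaked key, so revoking only the failed attempts would not help, while revoking the key and the device invalidates that token too.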
  14. Questions?
  15. Thank you
