Takeaways from API Security Breaches

Jaime Ryan – Sr. Director, API Management Technical Strategy
Tyson Whitten – Director, API Management Solutions Marketing

© 2015 CA. ALL RIGHTS RESERVED.

Agenda

1. API Breaches
2. Risk Mitigation Steps
3. API Management Solutions
4. Questions

APIs at the center

[Diagram: the API layer sits between APPS and OUTSIDE PARTNERS / DIVISIONS, EXTERNAL DEVELOPERS, MOBILE APPS, CLOUD SERVICES and the INTERNET OF THINGS]

APIs expose sensitive data

APIs are also the attack vector of choice for hackers to disrupt your service or gain access to private information.

Prominent API Breaches

Top API Vulnerabilities and Mitigation Steps

When an API is hacked . . .

§ API vulnerabilities surface
– When exploits are discovered by the API publisher
– When discovered by 3rd party
– When an organization is actually hacked
§ Exploits are rarely documented
§ Public APIs are most scrutinized
§ Private/Hidden APIs are also vulnerable

Top-5 vulnerabilities/mitigations

§ Most common/current vulnerabilities and mitigations for securing your API
– Client impersonation
– Phishing
– Brute force
– Injections
– Unauthorized access/compromised secrets

Client impersonation

§ An attacker reverse-engineers a secret assigned to an app and uses it to call an API pretending to be the legitimate app
§ E.g. Twitter OAuth Keys Leaked
– March 2013
§ E.g. Snapchat
– December 2013

Client impersonation mitigation #1

§ It’s either confidential, or it isn’t
– Don’t ‘hide’ a secret on a public app store or render it on a web page
§ Learn to ‘let go’ of your app once published
– Design security mechanisms assuming public clients
– Don’t grant access to a resource based solely on the app identity (require user auth)

Client impersonation mitigation #2

§ Call API from actual confidential client
– Use frameworks that let you authoritatively assess devices, apps
– From server-side web app vs browser-side script
– Provision app-level secret post-installation as part of a registration step
– Private app stores

Phishing attacks

§ Risk associated with redirection-based handshakes
– Malicious ‘application’ pretends to be legitimate
– Inserts its own endpoint in callback address
– Gets token
§ *E.g. Facebook February 2013

[Diagram: the malicious application sends the authorization request

    GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]

The user is shown the consent prompt “Do you authorize Legitimate app to access API on your behalf? [X] Yes [ ] No”, approves it, and is tricked: the API returns the token to the malicious callback.]

*http://threatpost.com/facebook-patches-oauth-authentication-vulnerability-022613/77563

Phishing mitigation 101

§ Register and validate redirection URIs
§ Strict validation (not partial)
§ Never skip consent step

[Diagram: the Legitimate app is registered out-of-band with Callback=foo. The same request

    GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]

is now answered by the API with “Error: Invalid callback”, and the attack is foiled.]
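As an added example (not code from the deck or from CA), the strict registered-redirect check from this slide written as a minimal /authorize handler for the implicit grant shown above; the client registry, URIs and parameter values are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registry: client_id -> redirect URIs registered out-of-band at
# app registration time. Placeholder values for this example only.
REGISTERED_REDIRECTS = {
    "legitimate": {"https://app.example.com/callback"},
}


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """Strict (exact-match) validation of redirect_uri for a client.

    Partial validation (prefix, host-only or substring matching) is what the
    slide warns against: any attacker-controlled path or subdomain that slips
    through a loose match still receives the token. Exact comparison against
    the registered set leaves no such room.
    """
    registered = REGISTERED_REDIRECTS.get(client_id, set())
    parts = urlsplit(redirect_uri)
    # Only absolute https URIs, and never one carrying a fragment, because
    # the implicit grant returns the token in the fragment itself.
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in registered


def authorize(query: str) -> dict:
    """Handle the GET /authorize request shown on the slide (implicit grant).

    An unregistered redirect_uri gets an error response and the user is NOT
    redirected to the supplied URI (RFC 6749 section 3.1.2.4), so the token
    can never reach the attacker's endpoint. Only a registered URI proceeds
    to the consent step, which is never skipped.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if params.get("response_type") != "token":
        return {"status": 400, "error": "unsupported_response_type"}
    if not redirect_uri_is_registered(client_id, redirect_uri):
        return {"status": 400, "error": "invalid_request", "detail": "Invalid callback"}
    return {"status": 200, "next": "consent", "client_id": client_id,
            "redirect_uri": redirect_uri}
```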
  
Brute force

§ E.g. snapchat find_friend exploit
– December 2013

[Diagram: in the intended flow the App gets the list of phone numbers from local Contacts and asks the API “Is contact a member?” [for each local contact]. In the abuse, the same API is asked “Is member?” [for every possible phone number], which steals all phone numbers of members.]

Brute force mitigation

Rate Limiting, Quotas, SLAs

§ Targeted rate limiting of specific attack vectors
– Limit access to any resource granted without direct ownership
– Limit failed authentication, limit password resets
§ Detect brute force pattern and block
§ Correlate identity, location, concurrency
§ Rate limit to protect backend API
– Global limits to prevent DoS
§ Apply rate-limiting with application level awareness
– Limit for a specific operation for each user/application
– Limit for a specific input for each user/application

Captcha? Supporting headless clients
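As an added example (not code from the deck or from CA), a limiter with the application-level awareness this slide calls for (separate budgets per operation, per user/app and per input) plus a detector for the find_friend enumeration pattern run over constructed log lines; the policy values, log format and client names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Per-operation budgets, i.e. rate limiting with application-level awareness:
# each rule is (max_calls, window_seconds). Values are constructed for this
# example, not taken from the deck.
#   per_client: calls by one user/app to this operation
#   per_input:  attempts against one specific input (one account, one number),
#               summed over all callers, which blunts distributed guessing
POLICY = {
    "find_friend":    {"per_client": (50, 3600)},
    "login":          {"per_client": (20, 600), "per_input": (5, 600)},
    "password_reset": {"per_client": (3, 3600), "per_input": (3, 3600)},
}


class RateLimiter:
    """Sliding-window limiter keyed separately per client and per input."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.hits = defaultdict(deque)  # (scope, op, key) -> call timestamps

    def _window(self, scope, op, key, window, now):
        q = self.hits[(scope, op, key)]
        while q and now - q[0] >= window:  # drop timestamps outside the window
            q.popleft()
        return q

    def check(self, client, op, value, now):
        """Return True and record the call only if every applicable rule allows it."""
        rules = self.policy.get(op, {})
        scoped = []
        if "per_client" in rules:
            scoped.append(("client", client, rules["per_client"]))
        if "per_input" in rules:
            scoped.append(("input", value, rules["per_input"]))
        windows = [(self._window(s, op, k, w, now), lim) for s, k, (lim, w) in scoped]
        if any(len(q) >= lim for q, lim in windows):
            return False  # blocked; a blocked call is not counted
        for q, _ in windows:
            q.append(now)
        return True


LOG_RE = re.compile(r"t=(\d+) client=(\S+) op=(\S+) input=(\S+)")


def detect_enumeration(log_lines, op="find_friend", max_distinct=20, window=3600):
    """Flag clients that probe many *distinct* inputs of one operation in a window.

    This is the brute-force pattern behind the find_friend abuse: a genuine
    app looks up its user's contacts once, an enumerator walks the number
    space. Returns {client: distinct_inputs_seen} for clients over threshold.
    """
    seen = defaultdict(dict)  # client -> {input: last_seen_timestamp}
    flagged = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group(3) != op:
            continue
        t, client, _, value = m.groups()
        t = int(t)
        inputs = seen[client]
        inputs[value] = t
        for stale in [k for k, ts in inputs.items() if t - ts >= window]:
            del inputs[stale]
        if len(inputs) > max_distinct:
            flagged[client] = len(inputs)
    return flagged


# Constructed sample log: one well-behaved app and one walking the number
# space sequentially. The numbers are synthetic.
SAMPLE_LOG = (
    [f"t={1000 + i} client=app-good op=find_friend input=+1555000{i:04d}" for i in range(5)]
    + [f"t={2000 + i} client=app-enum op=find_friend input=+1555010{i:04d}" for i in range(25)]
)
```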
  
Injection

§ Injection attacks, particularly in the public clients scenario, are at the core of the most common exploits
– SQL/LDAP/XPath/XQuery/Code injections
§ *E.g. Injection in query parameters

    GET /history?transactionid=123456
        select from table where id=‘[ ]’
    GET /history?transactionid=%27+OR+%271%27%3D%271
        select from table where id=‘’ or ‘1’=‘1’

*http://forums.sugarcrm.com/f6/rest-api-sql-injection-exploit-89589/

Injection Mitigation

§ Input sanitization
– Parse input parameters (payload/transport)
– Apply pattern validation
– JSON Path, XPath, XSD, JSON Schema, RegEx, …
– Own and tighten your metadata
– Code-level sanitization (e.g. Prepared Statements)
§ Signature-based threat detection
– Look for injection patterns in payload and at transport level
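As an added example (not code from the deck or from CA), the /history lookup from the previous slide in its concatenated form beside a hardened version that applies the three layers listed here: pattern validation of the parameter, a signature check at transport level, and a prepared statement; the table, rows and patterns are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory stand-in for the transaction history table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE history (id TEXT, owner TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO history VALUES (?, ?, ?)", [
        ("123456", "alice", 10), ("123457", "bob", 20), ("123458", "carol", 30),
    ])
    return conn


def history_vulnerable(conn, transactionid):
    """The pattern from the slide: input concatenated into the SQL text.

    With transactionid = ' OR '1'='1 the statement becomes
    ... WHERE id='' OR '1'='1' and every row comes back.
    """
    sql = "SELECT id, owner, amount FROM history WHERE id='" + transactionid + "'"
    return conn.execute(sql).fetchall()


# Pattern validation at the API edge (constructed whitelist for this example):
# a transaction id is a short run of digits and nothing else.
TRANSACTION_ID = re.compile(r"[0-9]{1,12}")

# Signature-based detection at transport level: quote-then-boolean patterns.
# A backstop only; it complements, never replaces, the prepared statement.
INJECTION_SIGNATURE = re.compile(r"['\"]\s*(or|and)\s*['\"0-9]", re.IGNORECASE)


def history_hardened(conn, transactionid):
    """Whitelist-validate the parameter, then bind it as data in a prepared statement."""
    if not TRANSACTION_ID.fullmatch(transactionid):
        raise ValueError("invalid transactionid")
    sql = "SELECT id, owner, amount FROM history WHERE id=?"
    return conn.execute(sql, (transactionid,)).fetchall()


def handle_history(conn, query_string, hardened=True):
    """GET /history?transactionid=... as on the slide; returns a response dict.

    parse_qs decodes %27 and '+' the way a web framework would, so the
    encoded payload from the slide arrives as ' OR '1'='1.
    """
    tid = parse_qs(query_string).get("transactionid", [""])[0]
    if hardened and INJECTION_SIGNATURE.search(tid):
        return {"status": 400, "error": "injection signature in transactionid"}
    try:
        rows = history_hardened(conn, tid) if hardened else history_vulnerable(conn, tid)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "rows": rows}
```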
  
Unauthorized access

§ E.g. Unsecured API
§ E.g. Authenticated client can access resource that should be restricted
§ E.g. Session secret compromised

Balancing UX and Security

[Diagram: a scale from “More Convenience / More Risk” to “Less Convenience / Less Risk”: No credentials → Device Passcode → App security]
Unauthorized Access Mitigation

§ Authentication
– Local auth, integration into existing identity providers
– Social provider integration
– Federation, SAML
§ Token issuing, lifecycle management
– OAuth, OpenID Connect
– JWT/JWS
– Token refresh, revocation
§ Assert user/app/device identities
§ Scope
– User-granted permissions
§ Resource Server
– Map token identities and resource ownership
§ Identity mapping
– SAML/OAuth/local/Kerberos/…
– Runtime mapping internal/external
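As an added example (not code from the deck or from CA's product), a resource-server decision that puts two of the slides' points together: “don't grant access based solely on the app identity (require user auth)” from client impersonation mitigation #1, and “map token identities and resource ownership” with user-granted scope from this slide. Claim names follow the usual OAuth/JWT conventions (sub, scope, exp, client_id); the resources, scopes and values are constructed.

```python
# Claims as the resource server sees them after the token's signature and
# issuer have been verified (verification itself is outside this example).
# All identifiers, scopes and resources are constructed placeholders.
RESOURCE_OWNERS = {
    "acct-1001": "alice",
    "acct-2002": "bob",
}

# Operation -> scope the user must have granted for it.
REQUIRED_SCOPE = {
    "read_balance": "accounts:read",
    "transfer": "accounts:write",
}


def authorize_request(claims: dict, operation: str, resource_id: str, now: int):
    """Decide one API call from validated token claims.

    Returns (allowed, reason). The checks, in order:
      1. the token must still be valid (exp);
      2. it must carry a user identity ("sub"), not only an app identity
         ("client_id"): an app secret can be lifted from a public client, so
         app identity alone never grants access to a user's resource;
      3. the user-granted scope must cover the operation;
      4. the token's subject must own the resource: being authenticated is
         not the same as being entitled to somebody else's data.
    """
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    user = claims.get("sub")
    if not user:
        return False, "user authentication required (app identity is not enough)"
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        return False, "unknown operation"
    granted = set(claims.get("scope", "").split())
    if needed not in granted:
        return False, f"insufficient scope: {needed} not granted"
    owner = RESOURCE_OWNERS.get(resource_id)
    # Unknown id and foreign id get the same answer: do not reveal which exist.
    if owner is None or owner != user:
        return False, "resource not accessible to this subject"
    return True, "ok"
```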
  
How API Management can help

CA API Management Manages & Secures APIs @ Design & Runtime

[Diagram: CA API GATEWAY and CA API DEVELOPER PORTAL between MOBILE DEVELOPERS / MOBILE APPS and the APIs]

Design Time
§ Discover APIs
§ Self-register
§ Collaborate & test
§ Create & publish APIs
§ API Plans & pricing

Runtime
§ Adaptation, mediation
§ Throttling, caching
§ Policy & access control
§ Monitoring & analytics
§ Embed app security
§ SSO, social, risk
§ OAuth 2.0, OpenID Connect, UMA

The Gateway and Portal – Flexible Delivery Models

On-Premise
§ Software ownership
§ Highly customizable to match business needs
§ Control over infrastructure and upgrades

Hybrid
§ Flexible combination of on/off premise solutions
§ Provides business and compliance flexibility
§ Includes integration

SaaS
§ Faster deployment/less customization
§ Reduced infrastructure/upgrade costs
§ Simple scalability
§ Growing set of functionality

Flexibility for initial investment and in the rate/extent of migration to the cloud

Goals of the business, employee and consumer

To move seamlessly and securely between apps and devices

App Context Identity

1. User taps one of the four enterprise apps
2. User provides Enterprise credentials
3. User can seamlessly switch between the four enterprise apps

[Diagram: App Context and Identity move from the Source (phone) to the Target (tablet); the note “Discuss Q4 targets with Bob. Don’t forget to cover incentives.” appears on both devices]

1. Phone detects it is close to tablet using Bluetooth Low Energy
2. Session migrates to tablet so user does not have to reenter credentials
3. App session context pushed to secure cloud storage
4. Context can be pushed to different target apps
§ Email
§ Notes
§ …etc.

Latest analyst reviews: CA API Management is a leader

“CA Technologies has strong API security, integration, and mobile app support. With Layer 7’s long history as an SOA application gateway provider, CA’s solution has among the best API security, message transformation, and integration features in our evaluation. Among the traditional gateway vendors, Layer 7 was an early mover into the API management space, which has given CA a head start to round out the features of its portal and tooling for API product managers. The gateway’s mobile app support is also among the best in our evaluation…”

The Forrester Wave: API Management Solutions, Q3 2014.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Forrester Research Inc., “Forrester Wave: API Management Solutions, Q3 2014”, September 29, 2014

Summary

§ Protect your APIs
– But support developers
– Do not sacrifice UX
§ Leverage API infrastructure to implement API security best practices

CA API Management at RSA

Tyson Whitten
Director, API Management Product Marketing
Tyson.Whitten@ca.com

Jaime Ryan
Sr Director, Technical Strategy
Jaime.Ryan@ca.com

ca.com/api

Legal Notice

© Copyright CA 2015. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.

Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
How to Use the CA Application Performance Management Command Center for Appli...
How to Use the CA Application Performance Management Command Center for Appli...How to Use the CA Application Performance Management Command Center for Appli...
How to Use the CA Application Performance Management Command Center for Appli...CA Technologies
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall42Crunch
 
Technology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned WayTechnology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned WayCA Technologies
 
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...APIsecure_ Official
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityOry Segal
 
Tech Talk: Preventing Data Breaches with Risk-Aware Session Management
Tech Talk: Preventing Data Breaches with Risk-Aware Session ManagementTech Talk: Preventing Data Breaches with Risk-Aware Session Management
Tech Talk: Preventing Data Breaches with Risk-Aware Session ManagementCA Technologies
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 
CA Gen Exploration – What's New and Cool in Application Development
CA Gen Exploration – What's New and Cool in Application DevelopmentCA Gen Exploration – What's New and Cool in Application Development
CA Gen Exploration – What's New and Cool in Application DevelopmentCA Technologies
 
Putting Security in Identity-as-a-Service
Putting Security in Identity-as-a-ServicePutting Security in Identity-as-a-Service
Putting Security in Identity-as-a-ServiceCA Technologies
 
How Secure Is Your Secure API?
How Secure Is Your Secure API?How Secure Is Your Secure API?
How Secure Is Your Secure API?Colin McGovern
 

Semelhante a Takeaways from API Security Breaches Webinar (20)

5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
 
American Family Insurance Shifts to a Mobile-First Development Strategy with ...
American Family Insurance Shifts to a Mobile-First Development Strategy with ...American Family Insurance Shifts to a Mobile-First Development Strategy with ...
American Family Insurance Shifts to a Mobile-First Development Strategy with ...
 
Hands-On Lab: Using CA Mobile Application Analytics REST APIs
Hands-On Lab: Using CA Mobile Application Analytics REST APIsHands-On Lab: Using CA Mobile Application Analytics REST APIs
Hands-On Lab: Using CA Mobile Application Analytics REST APIs
 
API Best Practices
API Best PracticesAPI Best Practices
API Best Practices
 
Technology Primer: Customize CA Application Performance Management With Tip...
Technology Primer: Customize CA Application Performance Management  With Tip...Technology Primer: Customize CA Application Performance Management  With Tip...
Technology Primer: Customize CA Application Performance Management With Tip...
 
Hands-On Lab: Quickly and Easily Monitor Applications using CA Application Pe...
Hands-On Lab: Quickly and Easily Monitor Applications using CA Application Pe...Hands-On Lab: Quickly and Easily Monitor Applications using CA Application Pe...
Hands-On Lab: Quickly and Easily Monitor Applications using CA Application Pe...
 
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
 
Creating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCreating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your Customers
 
API Management SaaS 2.0: Growing with the Digital Economy
API Management SaaS 2.0:  Growing with the Digital EconomyAPI Management SaaS 2.0:  Growing with the Digital Economy
API Management SaaS 2.0: Growing with the Digital Economy
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
How to Use the CA Application Performance Management Command Center for Appli...
How to Use the CA Application Performance Management Command Center for Appli...How to Use the CA Application Performance Management Command Center for Appli...
How to Use the CA Application Performance Management Command Center for Appli...
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
 
Technology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned WayTechnology Primer: Building Applications the New-Fashioned Way
Technology Primer: Building Applications the New-Fashioned Way
 
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application Security
 
Tech Talk: Preventing Data Breaches with Risk-Aware Session Management
Tech Talk: Preventing Data Breaches with Risk-Aware Session ManagementTech Talk: Preventing Data Breaches with Risk-Aware Session Management
Tech Talk: Preventing Data Breaches with Risk-Aware Session Management
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
CA Gen Exploration – What's New and Cool in Application Development
CA Gen Exploration – What's New and Cool in Application DevelopmentCA Gen Exploration – What's New and Cool in Application Development
CA Gen Exploration – What's New and Cool in Application Development
 
Putting Security in Identity-as-a-Service
Putting Security in Identity-as-a-ServicePutting Security in Identity-as-a-Service
Putting Security in Identity-as-a-Service
 
How Secure Is Your Secure API?
How Secure Is Your Secure API?How Secure Is Your Secure API?
How Secure Is Your Secure API?
 

Mais de CA API Management

Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?CA API Management
 
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...CA API Management
 
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureMapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureCA API Management
 
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...CA API Management
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...CA API Management
 

Mais de CA API Management (10)

Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?
 
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
 
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureMapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
 
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
 

Último

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Último (20)

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

Takeaways from API Security Breaches Webinar

  • 1. Takeaways from API Security Breaches
  Jaime Ryan – Sr. Director, API Management Technical Strategy
  Tyson Whitten – Director, API Management Solutions Marketing
  • 2. © 2015 CA. ALL RIGHTS RESERVED.
  Agenda
  1 API Breaches
  2 Risk Mitigation Steps
  3 API Management Solutions
  4 Questions
  • 3. APIs at the center
  [Diagram: the API sits between APPS and OUTSIDE PARTNERS / DIVISIONS, EXTERNAL DEVELOPERS, MOBILE APPS, CLOUD SERVICES, INTERNET OF THINGS]
  • 4. APIs expose sensitive data
  APIs are also the attack vector of choice for hackers to disrupt your service or gain access to private information.
  • 5. Prominent API Breaches
  • 6. Top API Vulnerabilities and Mitigation Steps
  • 7. When an API is hacked . . .
  § API vulnerabilities surface
  – When exploits are discovered by the API publisher
  – When discovered by a 3rd party
  – When an organization is actually hacked
  § Exploits are rarely documented
  § Public APIs are most scrutinized
  § Private/hidden APIs are also vulnerable
  • 8. Top-5 vulnerabilities/mitigations
  § Most common/current vulnerabilities and mitigations for securing your API
  – Client impersonation
  – Phishing
  – Brute force
  – Injections
  – Unauthorized access/compromised secrets
  • 9. Client impersonation
  § An attacker reverse-engineers a secret assigned to an app and uses it to call an API pretending to be the legitimate app
  § E.g. Twitter OAuth keys leaked
  – March 2013
  § E.g. Snapchat
  – December 2013
  • 10. Client impersonation mitigation #1
  § It's either confidential, or it isn't
  – Don't 'hide' a secret in a public app store or render it on a web page
  § Learn to 'let go' of your app once published
  – Design security mechanisms assuming public clients
  – Don't grant access to a resource based solely on the app identity (require user auth)
  • 11. Client impersonation mitigation #2
  § Call the API from an actual confidential client
  – Use frameworks that let you authoritatively assess devices and apps
  – From a server-side web app vs. browser-side script
  – Provision the app-level secret post-installation as part of a registration step
  – Private app stores
  • 12. Phishing attacks
  § Risk associated with redirection-based handshakes
  – Malicious 'application' pretends to be legitimate
  – Inserts its own endpoint in the callback address
  – Gets token
  § *E.g. Facebook, February 2013
  GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
  "Do you authorize Legitimate app to access API on your behalf? [X] Yes [ ] No" – Tricked you
  *http://threatpost.com/facebook-patches-oauth-authentication-vulnerability-022613/77563
  • 13. Phishing mitigation 101
  § Register and validate redirection URIs
  § Strict validation (not partial)
  § Never skip the consent step
  (out-of-band) Register Legitimate app, Callback=foo
  GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
  Error: Invalid callback – foiled
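The difference between the partial check that slide 12's attack relies on and the strict check slide 13 asks for, as an added example (not code from the webinar deck). The client registry, the registered callback URL, the `authorize` endpoint shape and the token value are constructed for illustration; the rule that an invalid redirect_uri must never be redirected to is RFC 6749 section 4.1.2.1.

```python
"""OAuth 2.0 redirect_uri validation: a partial check beside a strict one.

Added example, not code from the webinar deck. The client registry, the
callback URL and the token value are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed registry: client_id -> redirect URIs registered out of band
# (the "Register Legitimate app, Callback=foo" step on slide 13).
REGISTERED_CLIENTS = {
    "legitimate": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id, redirect_uri):
    """Partial validation: passes if the registered host merely appears
    somewhere in the supplied URI. This is all the attack on slide 12 needs."""
    for registered in REGISTERED_CLIENTS.get(client_id, ()):
        if urlsplit(registered).hostname in redirect_uri:
            return True
    return False


def strict_redirect_check(client_id, redirect_uri):
    """Strict validation: scheme, host, port, path and query must equal a
    registered URI exactly. A fragment is never accepted, because the
    implicit flow delivers the token in the fragment."""
    if "#" in redirect_uri:
        return False
    try:
        supplied = urlsplit(redirect_uri)
        supplied_key = (supplied.scheme, supplied.hostname, supplied.port,
                        supplied.path, supplied.query)
    except ValueError:  # e.g. an unparseable port
        return False
    for registered in REGISTERED_CLIENTS.get(client_id, ()):
        reg = urlsplit(registered)
        if supplied_key == (reg.scheme, reg.hostname, reg.port, reg.path, reg.query):
            return True
    return False


def authorize(query, user_consented, token="tok"):
    """Authorization-endpoint decision for response_type=token.

    Returns {"status": "error", ...} when the request must not be redirected
    at all, or {"status": "redirect", "location": ...} otherwise.
    """
    params = {k: v[0] for k, v in parse_qs(query).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    # RFC 6749 s4.1.2.1: on a missing, mismatching or invalid redirect_uri the
    # server reports the error to the resource owner and MUST NOT redirect.
    if not strict_redirect_check(client_id, redirect_uri):
        return {"status": "error", "error": "invalid_redirect_uri"}
    if params.get("response_type") != "token":
        return {"status": "redirect",
                "location": redirect_uri + "#error=unsupported_response_type"}
    # Never skip the consent step, even for a client the user approved before.
    if not user_consented:
        return {"status": "redirect", "location": redirect_uri + "#error=access_denied"}
    return {"status": "redirect",
            "location": redirect_uri + "#access_token=" + token + "&token_type=bearer"}
```

Note that the weak check accepts both `https://app.example.com.evil.net/oauth/callback` and `https://evil.net/cb?next=app.example.com`, while the strict check rejects both and also rejects a scheme downgrade to `http://` and any path traversal under the registered path.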
  • 14. Brute force
  § E.g. Snapchat find_friend exploit
  – December 2013
  [Diagram: the app gets the list of phone numbers from local contacts and asks the API "Is contact a member?" for each local contact; the attacker asks "Is member?" for every possible phone number and steals all phone numbers of members]
  • 15. Brute force mitigation
  Rate limiting, quotas, SLAs
  § Targeted rate limiting for specific attack vectors
  – Limit access to any resource granted without direct ownership
  – Limit failed authentication, limit password resets
  § Detect brute force pattern and block
  § Correlate identity, location, concurrency
  § Rate limit to protect the backend API
  – Global limits to prevent DoS
  § Apply rate limiting with application-level awareness
  – Limit for a specific operation for each user/application
  – Limit for a specific input for each user/application
  Captcha? Supporting headless clients
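Slide 15's layered limits applied to the find_friend scenario on slide 14, as an added example (not code from the webinar deck or from any CA product): a per-application limit on the operation, a per-application budget of lookups (the resource "is this number a member" is granted without ownership), a global limit protecting the backend, and a simple pattern detector that blocks a caller sweeping consecutive numbers. The member list, client ids, limit values and the enumeration heuristic are all constructed assumptions.

```python
"""Application-aware rate limiting for a contact-matching API.

Added example, not code from the webinar deck. The member list, client ids,
limits and the enumeration heuristic are constructed for illustration.
"""
import time
from collections import defaultdict, deque

# Constructed backend data: phone numbers that belong to registered members.
MEMBERS = {"+14155550100", "+14155550123", "+14155550199"}


class SlidingWindowLimiter:
    """At most `limit` units per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def try_acquire(self, key, cost=1):
        now = self.clock()
        queue = self.events[key]
        while queue and queue[0] <= now - self.window:
            queue.popleft()
        if len(queue) + cost > self.limit:
            return False  # reject without consuming budget
        queue.extend([now] * cost)
        return True


def looks_like_enumeration(numbers):
    """Brute-force pattern: a batch of mostly consecutive numbers is a sweep
    of the number space, not somebody's address book."""
    values = sorted(int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit())
    if len(values) < 10:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps >= 0.8 * (len(values) - 1)


class FindFriendsGuard:
    """Gateway-side policy in front of a find_friends backend."""

    def __init__(self, clock=time.monotonic):
        # Limit for a specific operation, per application.
        self.calls = SlidingWindowLimiter(limit=5, window=60, clock=clock)
        # Budget of lookups per application: membership of a number is a
        # resource the caller is granted without owning it.
        self.lookups = SlidingWindowLimiter(limit=50, window=3600, clock=clock)
        # Global limit that protects the backend whoever is calling.
        self.backend = SlidingWindowLimiter(limit=10_000, window=60, clock=clock)
        self.blocked = set()

    def find_friends(self, client_id, numbers):
        if client_id in self.blocked:
            return {"error": "blocked"}
        if looks_like_enumeration(numbers):
            self.blocked.add(client_id)  # detect the pattern and block the caller
            return {"error": "blocked"}
        if not self.calls.try_acquire(("find_friends", client_id)):
            return {"error": "rate_limited"}
        if not self.lookups.try_acquire(("lookup", client_id), cost=len(numbers)):
            return {"error": "quota_exceeded"}
        if not self.backend.try_acquire("find_friends", cost=len(numbers)):
            return {"error": "service_busy"}
        return {"members": sorted(n for n in numbers if n in MEMBERS)}
```

Every limit is checked before the backend is touched, and the lookup budget is charged per input rather than per call, so batching more numbers into one request buys an attacker nothing. The clock is injectable so the behaviour can be tested without waiting for windows to expire.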
  • 16. Injection
  § Injection attacks, particularly in the public-client scenario, are at the core of the most common exploits
  – SQL/LDAP/XPath/XQuery/code injections
  § *E.g. injection in query parameters
  GET /history?transactionid=123456
  select from table where id='[ ]'
  GET /history?transactionid=%27+OR+%271%27%3D%271
  select from table where id='' or '1'='1'
  *http://forums.sugarcrm.com/f6/rest-api-sql-injection-exploit-89589/
  • 17. Injection mitigation
  § Input sanitization
  – Parse input parameters (payload/transport)
  – Apply pattern validation
  – JSON Path, XPath, XSD, JSON Schema, RegEx, …
  – Own and tighten your metadata
  – Code-level sanitization (e.g. prepared statements)
  § Signature-based threat detection
  – Look for injection patterns in payload and at transport level
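The query-parameter injection from slide 16 replayed against a constructed table, beside the two mitigations from slide 17 (pattern validation at the edge, a prepared statement in code), as an added example that is not code from the webinar deck or from the SugarCRM forum thread it cites. The `history` table, its rows and the `handle_request` helper are constructed; the payload is the deck's own encoded parameter.

```python
"""SQL injection through a query parameter, and the two mitigations beside it.

Added example, not code from the webinar deck. It replays the deck's payload
(transactionid=' OR '1'='1) against an in-memory SQLite table constructed
here, then applies pattern validation at the edge and a prepared statement.
"""
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The encoded parameter exactly as it appears on slide 16, decoded.
INJECTION = unquote_plus("%27+OR+%271%27%3D%271")


def make_db():
    """Constructed table: three transactions belonging to three different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE history (id TEXT, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO history VALUES (?, ?, ?)",
                   [("123456", "alice", 40), ("123457", "bob", 75), ("123458", "carol", 12)])
    return db


def history_vulnerable(db, transactionid):
    """String concatenation: the parameter becomes part of the SQL text."""
    sql = "select id, owner, amount from history where id='" + transactionid + "'"
    return db.execute(sql).fetchall()


TRANSACTION_ID = re.compile(r"[0-9]{6}")  # the shape the API metadata promises


def validate_transactionid(value):
    """Edge validation: whitelist the parameter's declared pattern; reject anything else."""
    if not TRANSACTION_ID.fullmatch(value):
        raise ValueError("invalid transactionid")
    return value


def history_safe(db, transactionid):
    """Prepared statement: the value is bound by the driver, never parsed as SQL."""
    return db.execute("select id, owner, amount from history where id=?",
                      (transactionid,)).fetchall()


def handle_request(db, request_line):
    """Serve 'GET /history?transactionid=...' with both mitigations; returns (status, rows)."""
    path = request_line.split(" ", 2)[1]
    params = parse_qs(urlsplit(path).query)
    try:
        tid = validate_transactionid(params.get("transactionid", [""])[0])
    except ValueError:
        return 400, []
    return 200, history_safe(db, tid)
```

With the payload, `history_vulnerable` returns every row in the table (the `where` clause collapses to `'1'='1'`), `history_safe` returns nothing because the bound value is compared literally, and `handle_request` never reaches the database because the gateway-style pattern check rejects the parameter first. The two layers are independent: keep the prepared statement even when validation is in place, since the metadata can drift.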
  • 18. Unauthorized access
  § E.g. unsecured API
  § E.g. authenticated client can access a resource that should be restricted
  § E.g. session secret compromised
  Balancing UX and security
  [Spectrum: more convenience / more risk (no credentials) → device passcode → app security (less convenience / less risk)]
  • 19. Unauthorized access mitigation
  § Authentication
  – Local auth, integration into existing identity providers
  – Social provider integration
  – Federation, SAML
  § Token issuing, lifecycle management
  – OAuth, OpenID Connect
  – JWT/JWS
  – Token refresh, revocation
  § Assert user/app/device identities
  § Scope
  – User-granted permissions
  § Resource server
  – Map token identities and resource ownership
  § Identity mapping
  – SAML/OAuth/local/Kerberos/…
  – Runtime mapping internal/external
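A resource server that enforces the points from slide 19 together, and slide 10's rule that app identity alone must not unlock a resource, as an added example (not code from the webinar deck or from any CA product). The HS256 key, the token claims, the scope name `accounts:read` and the account table are constructed; a deployment would verify the issuer's signature with the issuer's key and map identities through its identity provider, which this example only stands in for.

```python
"""Resource-server authorization: token validity, user identity, scope and
resource ownership, checked in that order.

Added example, not code from the webinar deck. The HMAC key, the token claims
and the account table are constructed; a deployment would verify the
issuer's signature and map identities through its identity provider.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"  # assumption: HS256 key shared by issuer and resource server
ACCOUNTS = {"acct-1": "alice", "acct-2": "bob"}  # constructed: resource id -> owner


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key=KEY):
    """Mint a compact JWS (HS256), the shape an OAuth/OIDC issuer hands out."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + b64url(sig)


def verify_token(token, key=KEY, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        # Never let the token choose the algorithm: pin what this server accepts.
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, (header + "." + body).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def get_account(token, account_id, now=None):
    """GET /accounts/{account_id}: returns (status, body)."""
    claims = verify_token(token, now=now)
    if claims is None:
        return 401, "invalid_token"
    # App identity alone is not enough (slide 10): a token minted for the app
    # with no user subject cannot reach user-owned resources.
    if not claims.get("sub"):
        return 401, "user_authentication_required"
    # Scope: the permission the user actually granted to this client.
    if "accounts:read" not in claims.get("scope", "").split():
        return 403, "insufficient_scope"
    owner = ACCOUNTS.get(account_id)
    # Map the token's identity to resource ownership. A wrong owner gets the
    # same answer as a missing resource so the API does not confirm existence.
    if owner is None or owner != claims["sub"]:
        return 404, "not_found"
    return 200, {"account": account_id, "owner": owner}
```

The ownership check is the one that closes slide 18's second case (an authenticated client reading a resource that should be restricted); scope and signature checks alone do not, because a valid token for alice is still a valid token when it is used to ask for bob's account.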
  • 20. How  API  Management  can  help  
  • 21. 21   ©  2015  CA.  ALL  RIGHTS  RESERVED.   CA  API  Management  Manages  &  Secures  APIs     @  Design  &  RunCme   CA API GATEWAY … MOBILE DEVELOPERS MOBILE APPS CA API DEVELOPER PORTAL API   API   Design  Time   RunCme   §  Discover  APIs   §  Self-­‐register   §  Collaborate  &  test   §  AdaptaCon,  mediaCon   §  ThroBling,  caching   §  Policy  &  access  control   §  Create  &  publish  APIs   §  API  Plans  &  pricing   §  Monitoring  &  analyCcs   §  Embed  app  security   §  SSO,  social,  risk   §  OAuth  2.0,  OpenID   Connect,  UMA  
• 22. The Gateway and Portal – Flexible Delivery Models
On-Premise:
§ Software ownership
§ Highly customizable to match business needs
§ Control over infrastructure and upgrades
Hybrid:
§ Flexible combination of on/off premise solutions
§ Provides business and compliance flexibility
§ Includes integration
SaaS:
§ Faster deployment/less customization
§ Reduced infrastructure/upgrade costs
§ Simple scalability
§ Growing set of functionality
Flexibility for initial investment and in the rate/extent of migration to the cloud
• 23. Goals of the business, employee and consumer: to move seamlessly and securely between apps and devices
• 24. App Context Identity
1. User taps one of the four enterprise apps
2. User provides Enterprise credentials
3. User can seamlessly switch between the four enterprise apps
• 25. App Context Identity
(Figure: a note reading "Discuss Q4 targets with Bob. Don't forget to cover incentives." shown on the source phone and the target tablet.)
1. Phone detects it is close to tablet using Bluetooth Low Energy
2. Session migrates to tablet so user does not have to reenter credentials
3. App session context pushed to secure cloud storage
4. Context can be pushed to different target apps
§ Email
§ Notes
§ …etc.
• 26. Latest analyst reviews: CA API Management is a leader
"CA Technologies has strong API security, integration, and mobile app support. With Layer 7's long history as an SOA application gateway provider, CA's solution has among the best API security, message transformation, and integration features in our evaluation. Among the traditional gateway vendors, Layer 7 was an early mover into the API management space, which has given CA a head start to round out the features of its portal and tooling for API product managers. The gateway's mobile app support is also among the best in our evaluation .."
The Forrester Wave: API Management Solutions, Q3 2014.
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Forrester Research Inc., "Forrester Wave: API Management Solutions, Q3 2014", September 29, 2014
• 27. Summary
§ Protect your APIs
– But support developers
– Do not sacrifice UX
§ Leverage API infrastructure to implement API security best practices
• 28. CA API Management at RSA
• 29. Jaime Ryan, Sr Director, Technical Strategy, Jaime.Ryan@ca.com; Tyson Whitten, Director API Management Product Marketing, Tyson.Whitten@ca.com; ca.com/api
• 30. Legal Notice
© Copyright CA 2015. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.