SlideShare uma empresa Scribd logo

API Security In Cloud Native Era

‱
‱
WSO2
WSO2

The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to its proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome. In this deck, we discuss: - The need for API/Microservices Security - The importance of delegating security enforcement to an API Gateway - API Authentication and Authorization methodologies - OAuth2 - The de-facto standard of API Authentication - Protection against cyber attacks and anomalies - Security aspects to consider when designing Single Page Applications (SPAs) Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/

Tecnologia
1 de 40
Baixar para ler offline
API Security in a Cloud Native Era Malintha Amarasinghe, Associate Technical Lead, WSO2 Thilini Shanika, Associate Technical Lead, WSO2
Cloud Native at a glance
Monolithic style vs Microservice style
Cloud Native Applications ● Comprised of a collection of loosely coupled lightweight microservices ○ Developed independently ○ Deployed independently ○ Scaled independently ● Decreased Time-To-Market ● Lower costs ● Extensibility and security
Challenges
Challenges in Securing Microservices ● Broader attack surface due to a large number of entry points ○ Security screening should be enforced at each endpoint level ● Performance ● Sharing user context ● Observability ○ Audit and application logging ○ Health check ○ Matrices ● Deployment complexities ○ Provisioning keys
Should we add a complex security stack over microservices themselves? ? A U T H A U T H A U T H A U T H
Should we add a complex security stack over microservices themselves? No A microservice: - performs one and only one business function - Do that one thing best !
API Gateway
● Handling Security is delegated to API Gateway. ● Microservices can focus only about its business logic. ● Solves the multiple entry point problem. API Gateway
● Responsible for three main functionalities in security PoV. ○ Authentication and Authorization ○ Protection against Malicious content ○ Abnormal pattern detection API Gateway
API Authentication and Authorization
● APIs are mostly exposed for external users. ● Three parties are involved ○ API Creator ○ Application Creator ○ End User ● Access Delegation is important.
● OAuth 2.0 is the defacto standard for API security ● Solves the requirement of Access Delegation when three parties are involved. ● Multiple grant types to support various use cases ○ password, client-credentials, authorization-code, .. ● Two types of tokens ○ Self contained access tokens (JWTs) ○ Reference Tokens (Opaque tokens) OAuth 2.0
● Self contained access tokens (JWTs) ○ A JSON payload with header and signature sections ○ Signed using a shared secret or public/private key pair ○ Contains all the information required for validation ○ A better approach for microservice world Self Contained Access Tokens (JWTs)
Self Contained Access Tokens (JWTs)
Reference Tokens
‱ Password Grant – Simple to implement – Less secure – Can be used when Client and Authz Server belongs to the same entity. OAuth 2.0 - Grant Types
‱ Authorization Code – Authenticates the user at the Authorization Server. – User doesn’t pass the credentials to the Client Application – The Client Application can ensure that the access token will be not be exposed to any 3rd party (even the User Agent) – Suitable for traditional web applications OAuth 2.0 - Grant Types
Application (OAuth Client) OAuth Authorization Server 2 3 4 1 5 6 7 8 OAuth Resource Server Introspect Authenticate + Consent Authz Code 302 Access Token Rq (clientId + clientSecret + code) Access Token Access TokenAccess Token Resource Request Prerequisite Client application registered with the Authz Server manually or via Dynamic Client Registration Resource Owner Authorize Request (clientId)
‱ Single Page Apps (SPAs) and Mobile Apps are becoming increasingly popular. ‱ Provide users with a rich and responsive user interface. ‱ The common security mechanism in use: – Authorization Code with a public, untrusted client ‱ Client authentication is not performed. ‱ PKCE (Proof Key for Code Exchange) Securing Single Page Apps and Mobile Apps
‱ OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. Authorization Code with PKCE
Application (OAuth Client) OAuth Authorization Server 2 3 4 1 5 6 7 8 OAuth Resource Server Introspect Authenticate + Consent Authz Code 302 Access Token Rq (code + veriïŹer) Access Token Access Token Access Token Resource Request Resource Owner Authorize Request (clientId + challenge + challenge_method)
‱ Client Credentials ‱ Implicit ‱ JWT Bearer Grant ‱ SAML Bearer Grant OAuth 2.0 - Grant Types Contd..
OAuth 2.0 - Scopes ● Enable ïŹne-grained access control to API resources ● Limit the amount of access granted for an access token ○ i.e: The scopes speciïŹes what the Client Application can do on behalf of the end user.
Demo
Inventory Management System
Other Authentication Mechanisms .. ‱ API Key – A secret token that only the API client and the server knows ‱ Basic Authentication – Standard http Authorization header with base64 encoded username and password value Authorization: Basic base64-encoded(username:password)
Other Authentication Mechanisms .. ● Mutual TLS (Transport Level Security) ○ Service to service authentication in trusted channel
Open Policy Agent (OPA) ● A lightweight general-purpose policy engine that can be co-located with the service ● Can integrate OPA as a library, sidecar, or a host-level daemon
Propagating Trust And User Identity ● API backends might require authenticated user context for internal authentication and business functionalities ● The user context has to be passed from API gateway to backend, after the authentication process ● JWT tokens can be used to propagate – One’s identity – User entitlements, between interested parties
Malicious Contents
Protection Against Malicious Content ‱ Regular expression threat protection ○ Injection attacks(SQL, Javascript, Java, xpath) ‱ XML Schema validation ○ XML bombs ○ Schema poisoning ○ Coercive parsing ○ External entity attacks ‱ JSON Schema validation ○ Coercive parsing ○ Buffer overïŹ‚ow
Abnormal Activity Patterns
Abnormal Activity Patterns ‱ Account takeover with stolen credentials attacks ‱ Login attacks ‱ API takeover attacks ‱ Data extraction or theft ‱ Data scraping ‱ Targeted API DDos attacks ‱ Data deletion/manipulation ‱ Data injection ‱ Malicious code injection
Abnormal pattern detection by AI
Webinars to Follow ● November 19 - Cloud Native APIs: The API Operator for Kubernetes ● November 21 - Mine Your APIs for Gold: API Monetization ● December 03 - Beautifying the Beautiful: Theming WSO2 API Manager ● December 05 - Building a CI/CD Pipeline for APIs
Q & A
THANK YOU wso2.com

Recomendados

Gravitee.io
Gravitee.ioGravitee.io
Gravitee.ioKnoldus Inc.
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World42Crunch
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 

Recomendados

Gravitee.io
Gravitee.ioGravitee.io
Gravitee.ioKnoldus Inc.
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World42Crunch
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIsWSO2
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best PracticesCA API Management
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecurityWill Tran
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSApigee | Google Cloud
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices SecurityBertrand Carlier
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC securityShiu-Fun Poon
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays
 
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways AnywhereWSO2
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture AddWeb Solution Pvt. Ltd.
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLpqrs1234
 
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led ConnectivityMuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led Connectivitysatyasekhar123
 
Azure security guidelines for developers
Azure security guidelines for developers Azure security guidelines for developers
Azure security guidelines for developers Ivo Andreev
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esbhimajareddys
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API SecurityApigee | Google Cloud
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 

Mais conteĂșdo relacionado

Mais procurados

[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIsWSO2
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best PracticesCA API Management
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecurityWill Tran
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSApigee | Google Cloud
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices SecurityBertrand Carlier
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC securityShiu-Fun Poon
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays
 
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways AnywhereWSO2
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLpqrs1234
 
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led ConnectivityMuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led Connectivitysatyasekhar123
 
Azure security guidelines for developers
Azure security guidelines for developers Azure security guidelines for developers
Azure security guidelines for developers Ivo Andreev
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esbhimajareddys
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 

Mais procurados (20)

[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud Security
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined Perimeter
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
 
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere
[WSO2Con EU 2018] Hybrid Cloud API Management - API Microgateways Anywhere
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAML
 
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led ConnectivityMuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
 
Azure security guidelines for developers
Azure security guidelines for developers Azure security guidelines for developers
Azure security guidelines for developers
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 

Semelhante a API Security In Cloud Native Era

WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity ManagementDamian T. Gordon
 
WSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best PracticesWSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best PracticesWSO2
 
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...WSO2
 
The Role of IAM in Microservices
The Role of IAM in MicroservicesThe Role of IAM in Microservices
The Role of IAM in MicroservicesWSO2
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices SecurityAditi Anand
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Building a secure BFF at Postman
Building a secure BFF at PostmanBuilding a secure BFF at Postman
Building a secure BFF at PostmanAnkit Muchhala
 
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3 The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3 SSH Communications Security
 
[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven IntegrationWSO2
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)Narudom Roongsiriwong, CISSP
 
IoT Security Issues and MQTT
IoT Security Issues and MQTTIoT Security Issues and MQTT
IoT Security Issues and MQTTHiveMQ
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemInductive Automation
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...apidays
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best PracticeShiu-Fun Poon
 

Semelhante a API Security In Cloud Native Era (20)

WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
WSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best PracticesWSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best Practices
 
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...
 
The Role of IAM in Microservices
The Role of IAM in MicroservicesThe Role of IAM in Microservices
The Role of IAM in Microservices
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices Security
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Building a secure BFF at Postman
Building a secure BFF at PostmanBuilding a secure BFF at Postman
Building a secure BFF at Postman
 
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3 The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
 
[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven Integration
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
IoT Security Issues and MQTT
IoT Security Issues and MQTTIoT Security Issues and MQTT
IoT Security Issues and MQTT
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition System
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 

Mais de WSO2

Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaWSO2
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2
 
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 

Mais de WSO2 (20)

Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the Cloud
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 

Último

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vĂĄzquez
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Christopher Logan Kennedy
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Último (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

API Security In Cloud Native Era

  • 1. API Security in a Cloud Native Era Malintha Amarasinghe, Associate Technical Lead, WSO2 Thilini Shanika, Associate Technical Lead, WSO2
  • 2. Cloud Native at a glance
  • 3. Monolithic style vs Microservice style
  • 4. Cloud Native Applications ● Comprised of a collection of loosely coupled lightweight microservices ○ Developed independently ○ Deployed independently ○ Scaled independently ● Decreased Time-To-Market ● Lower costs ● Extensibility and security
  • 6. Challenges in Securing Microservices ● Broader attack surface due to a large number of entry points ○ Security screening should be enforced at each endpoint level ● Performance ● Sharing user context ● Observability ○ Audit and application logging ○ Health check ○ Matrices ● Deployment complexities ○ Provisioning keys
  • 7. Should we add a complex security stack over microservices themselves? ? A U T H A U T H A U T H A U T H
  • 8. Should we add a complex security stack over microservices themselves? No A microservice: - performs one and only one business function - Do that one thing best !
  • 10. ● Handling Security is delegated to API Gateway. ● Microservices can focus only about its business logic. ● Solves the multiple entry point problem. API Gateway
  • 11. ● Responsible for three main functionalities in security PoV. ○ Authentication and Authorization ○ Protection against Malicious content ○ Abnormal pattern detection API Gateway
  • 13. ● APIs are mostly exposed for external users. ● Three parties are involved ○ API Creator ○ Application Creator ○ End User ● Access Delegation is important.
  • 14. ● OAuth 2.0 is the defacto standard for API security ● Solves the requirement of Access Delegation when three parties are involved. ● Multiple grant types to support various use cases ○ password, client-credentials, authorization-code, .. ● Two types of tokens ○ Self contained access tokens (JWTs) ○ Reference Tokens (Opaque tokens) OAuth 2.0
  • 15. ● Self contained access tokens (JWTs) ○ A JSON payload with header and signature sections ○ Signed using a shared secret or public/private key pair ○ Contains all the information required for validation ○ A better approach for microservice world Self Contained Access Tokens (JWTs)
  • 16. Self Contained Access Tokens (JWTs)
  • 18. ‱ Password Grant – Simple to implement – Less secure – Can be used when Client and Authz Server belongs to the same entity. OAuth 2.0 - Grant Types
  • 19. ‱ Authorization Code – Authenticates the user at the Authorization Server. – User doesn’t pass the credentials to the Client Application – The Client Application can ensure that the access token will be not be exposed to any 3rd party (even the User Agent) – Suitable for traditional web applications OAuth 2.0 - Grant Types
  • 20. Application (OAuth Client) OAuth Authorization Server 2 3 4 1 5 6 7 8 OAuth Resource Server Introspect Authenticate + Consent Authz Code 302 Access Token Rq (clientId + clientSecret + code) Access Token Access TokenAccess Token Resource Request Prerequisite Client application registered with the Authz Server manually or via Dynamic Client Registration Resource Owner Authorize Request (clientId)
  • 21. ‱ Single Page Apps (SPAs) and Mobile Apps are becoming increasingly popular. ‱ Provide users with a rich and responsive user interface. ‱ The common security mechanism in use: – Authorization Code with a public, untrusted client ‱ Client authentication is not performed. ‱ PKCE (Proof Key for Code Exchange) Securing Single Page Apps and Mobile Apps
  • 22. ‱ OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. Authorization Code with PKCE
  • 23. Application (OAuth Client) OAuth Authorization Server 2 3 4 1 5 6 7 8 OAuth Resource Server Introspect Authenticate + Consent Authz Code 302 Access Token Rq (code + veriïŹer) Access Token Access Token Access Token Resource Request Resource Owner Authorize Request (clientId + challenge + challenge_method)
  • 24. ‱ Client Credentials ‱ Implicit ‱ JWT Bearer Grant ‱ SAML Bearer Grant OAuth 2.0 - Grant Types Contd..
  • 25. OAuth 2.0 - Scopes ● Enable ïŹne-grained access control to API resources ● Limit the amount of access granted for an access token ○ i.e: The scopes speciïŹes what the Client Application can do on behalf of the end user.
  • 26. Demo
  • 28. Other Authentication Mechanisms .. ‱ API Key – A secret token that only the API client and the server knows ‱ Basic Authentication – Standard http Authorization header with base64 encoded username and password value Authorization: Basic base64-encoded(username:password)
  • 29. Other Authentication Mechanisms .. ● Mutual TLS (Transport Level Security) ○ Service to service authentication in trusted channel
  • 30. Open Policy Agent (OPA) ● A lightweight general-purpose policy engine that can be co-located with the service ● Can integrate OPA as a library, sidecar, or a host-level daemon
  • 31. Propagating Trust And User Identity ● API backends might require authenticated user context for internal authentication and business functionalities ● The user context has to be passed from API gateway to backend, after the authentication process ● JWT tokens can be used to propagate – One’s identity – User entitlements, between interested parties
  • 32.
  • 34. Protection Against Malicious Content ‱ Regular expression threat protection ○ Injection attacks(SQL, Javascript, Java, xpath) ‱ XML Schema validation ○ XML bombs ○ Schema poisoning ○ Coercive parsing ○ External entity attacks ‱ JSON Schema validation ○ Coercive parsing ○ Buffer overïŹ‚ow
  • 36. Abnormal Activity Patterns ‱ Account takeover with stolen credentials attacks ‱ Login attacks ‱ API takeover attacks ‱ Data extraction or theft ‱ Data scraping ‱ Targeted API DDos attacks ‱ Data deletion/manipulation ‱ Data injection ‱ Malicious code injection
  • 38. Webinars to Follow ● November 19 - Cloud Native APIs: The API Operator for Kubernetes ● November 21 - Mine Your APIs for Gold: API Monetization ● December 03 - Beautifying the Beautiful: Theming WSO2 API Manager ● December 05 - Building a CI/CD Pipeline for APIs
  • 39. Q & A