Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Paris 2024 - Reconciling Zero-Trust API...

apidays
PRO
December 22, 2024
Programming
0
4

apidays Paris 2024 - Reconciling Zero-Trust APIs and Developer eXperience, Romain Quinio and Kevin Viet, Amadeus

Reconciling Zero-Trust APIs and Developer eXperience
Romain Quinio, Lead Principal Engineer at Amadeus
Kevin Viet, Lead Principal Engineer at Amadeus

apidays Paris 2024 - The Future API Stack for Mass Innovation
December 3 - 5, 2024

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

December 22, 2024
Tweet

More Decks by apidays

See All by apidays
apidays Paris 2024 - Success Stories of API Integration, Harry Bouras and Josef Glemba, DHL IT Services
apidays
PRO
0
1
apidays Paris 2024 - Military-Grade Security for APIs, Michał Trojanowski, Curity
apidays
PRO
0
2
apidays Paris 2024 - Integration Platform using Open-Source, Magnus Hedner, Benify
apidays
PRO
0
2
Green IO Conference at apidays Paris - Start at the end, Hannah Smith, Green Web Foundation
apidays
PRO
0
2
Green IO Conference at apidays Paris 2024 - From Watts to Action, Pierre Segonne & Marcus Garsdal, Electricity Maps
apidays
PRO
0
2
apidays Paris 2024 - Walk the OpenAPI Talk, Moonwalk the Developer Experience!, Oleg Nenashev, Gradle
apidays
PRO
0
2
apidays Paris 2024 - Five Essential Design Assets for Successful APIs, Mike Amundsen
apidays
PRO
0
2
apidays Paris 2024 - AI In My API Gateway ... But Why?, Mathieu Ancelin, APIM
apidays
PRO
0
2
apidays Paris 2024 - An Operating Model for API Platforms, Ikenna Nwaiwu, Ikenna Consulting
apidays
PRO
0
2

Other Decks in Programming

See All in Programming
range over funcの使い道と非同期N+1リゾルバーの夢 / about a range over func
mackee
0
110
テストコードのガイドライン 〜作成から運用まで〜
riku929hr
3
390
Итераторы в Go 1.23: зачем они нужны, как использовать, и насколько они быстрые?
lamodatech
0
770
htmxって知っていますか?次世代のHTML
hiro_ghap1
0
330
20年もののレガシープロダクトに 0からPHPStanを入れるまで / phpcon2024
hirobe1999
0
470
競技プログラミングへのお誘い@阪大BOOSTセミナー
kotamanegi
0
360
KubeCon + CloudNativeCon NA 2024 Overview at Kubernetes Meetup Tokyo #68 / amsy810_k8sjp68
masayaaoyama
0
250
useSyncExternalStoreを使いまくる
ssssota
6
1k
PHPで作るWebSocketサーバー ~リアクティブなアプリケーションを知るために~ / WebSocket Server in PHP - To know reactive applications
seike460
PRO
2
300
create_tableをしただけなのに〜囚われのuuid編〜
daisukeshinoku
0
240
クリエイティブコーディングとRuby学習 / Creative Coding and Learning Ruby
chobishiba
0
3.9k
Keeping it Ruby: Why Your Product Needs a Ruby SDK - RubyWorld 2024
envek
0
190

Featured

See All Featured
Making Projects Easy
brettharned
116
5.9k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
0
98
Code Review Best Practice
trishagee
65
17k
Code Reviewing Like a Champion
maltzj
520
39k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
132
33k
Designing Experiences People Love
moore
138
23k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Why Our Code Smells
bkeepers
PRO
335
57k
Automating Front-end Workflow
addyosmani
1366
200k
How to Ace a Technical Interview
jacobian
276
23k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k

Transcript

  1. © Amadeus IT Group and its affiliates and subsidiaries Reconciling

    Zero-Trust APIs and Developer eXperience Romain Quinio Kevin Viet

  2. © Amadeus IT Group and its affiliates and subsidiaries 1.

    Broken Object Level Authorization 2. Broken Authentication 3. Broken Object Property Level Authorization 4. Unrestricted Resource Consumption 5. Broken Function Level Authorization

  3. © Amadeus IT Group and its affiliates and subsidiaries We

    connect the travel ecosystem Amadeus. It’s how travel works better. 3 Romain Quinio Kevin Viet rquinio rquinio vietk vietk Lead Principal Engineer Lead Principal Engineer

  4. © Amadeus IT Group and its affiliates and subsidiaries Agile

    hardware & software Transformation: zero trust & secured APIs • Public cloud: Defense in depth to protect against potential attackers because IaaS/PaaS can be compromised • Microservice architecture: Loosely coupled services that need to implement security requirements  Who is responsible for security requirements? 4

  5. © Amadeus IT Group and its affiliates and subsidiaries Identity

    provider Secured APIs in the cloud Frontend JWT Travel Search JWT 5

  6. © Amadeus IT Group and its affiliates and subsidiaries How

    to test a secured API? Component Dev Mode Local dev Production Integration Mock OIDC protocol? Use containerized OIDC provider? Use production OIDC provider? Enable security Disable security 6 Containerized mock

  7. © Amadeus IT Group and its affiliates and subsidiaries Microcks

    Secured APIs in dev mode Quarkus Swagger UI JWT Travel Search JWT 7

  8. © Amadeus IT Group and its affiliates and subsidiaries Demo

    8

  9. © Amadeus IT Group and its affiliates and subsidiaries Key

    takeaways Shift-left Zero trust APIs • Avoid design choice to workaround security • Test security requirements as early as possible • DevSecOps mindset – Security becomes the responsibility of the developer, not “application security” team. Developer eXperience: treat OIDC as any other API • Consider same mocking tool in all phases, thanks to containers • Microcks example: https://github.com/microcks/microcks- quickstarters/tree/main/oidc/example.com 9