API Security
API Strategy & Practice Conference
October 24, 2013
By Ryan MacArthur @ API Strategy & Practice Conference
San Francisco, October 23-24-25, 2013
Transcript
API Security, @maceip, October 24th 2013, APIStrat

API Security Principles
• Traffic Monitoring
• Authentication
• Throttling/Quotas
• Encryption
• Sane Design

Real World
• Log Neglect
• Where's the Authorization (AAA!)
• Surgical Theft
• I'm not in your TLS, but the NSA probably is
• Design once

Information Disclosure
• API Design?
 – Regardless of API exposure
• Security Staff
 – Design involvement?
 – Hire people who relentlessly think like attackers

Example:
Endpoint Returns:
Your (virtual) appliances won't save you
["mashery", "apigee", "3scale", "fireeye", "radware", "f5", "imperva", "trustwave", "barracuda", "cloudflare", "qualys", "palo alto", "fortinet", "layer7", "vordel", "soa", "sonicwall", "mod_security", "kona", "whitehat", "mulesoft", "ciphercloud", "skyhigh"]

Questions for Architects
• If your API codebase was public, would you be concerned?
 – Why?
• Have you done an API security audit?

Consumer Concerns
• Who has my KEY!
 – Build support for external encryption keys
• Inter-Provider communication transparency
 – Box <-> Salesforce
 – Programmatic log access should be a given

Looking Forward
• Hijacking Data
 – Fake/malicious third party applications
• W0rd app on dropbox is asking for permissions!
• API-centric Denial of Service
• Better user reputation systems (they all suck)
• More context around transactions
Break before you build!
[email protected]