
API Security

By Ryan MacArthur @ API Strategy & Practice Conference
San Francisco, October 23-24-25, 2013

Transcript

1. Real World
   •  Log Neglect
   •  Where’s the Authorization (AAA!)
   •  Surgical Theft
   •  I’m not in your TLS – But the NSA probably is
   •  Design once

2. Information Disclosure
   •  API Design? – Regardless of API Exposure
   •  Security Staff – Design involvement? – Hire people who relentlessly think like attackers

3. Your (virtual) appliances won’t save you
   ["mashery", "apigee", "3scale", "fireeye", "radware", "f5", "imperva", "trustwave", "barracuda", "cloudflare", "qualys", "palo alto", "fortinet", "layer7", "vordel", "soa", "sonicwall", "mod_security", "kona", "whitehat", "mulesoft", "ciphercloud", "skyhigh"]

4. Questions for Architects
   •  If your API codebase was public, would you be concerned? – Why?
   •  Have you done an API security audit?

5. Consumer Concerns
   •  Who has my KEY! – Build support for external encryption keys
   •  Inter-Provider communication transparency – Box <-> Salesforce – Programmatic log access should be a given

6. Looking Forward
   •  Hijacking Data – Fake/malicious third party applications
   •  W0rd app on dropbox is asking for permissions!
   •  API-centric Denial of Service
   •  Better user reputation systems (they all suck)
   •  More context around transactions