API Strategy & Practice Conference
October 24, 2013
API Security
By Ryan MacArthur @ API Strategy & Practice Conference
San Francisco, October 23-24-25, 2013
Transcript
API Security
@maceip, October 24th 2013, APIStrat

API Security Principles
• Traffic Monitoring
• Authentication
• Throttling/Quotas
• Encryption
• Sane Design

Real World
• Log Neglect
• Where's the Authorization (AAA!)
• Surgical Theft
• I'm not in your TLS – But the NSA probably is
• Design once

Information Disclosure
• API Design? – Regardless of API Exposure
• Security Staff – Design involvement? – Hire people who relentlessly think like attackers

Example:
Endpoint Returns:

Your (virtual) appliances won't save you
["mashery", "apigee", "3scale", "fireeye", "radware", "f5", "imperva", "trustwave", "barracuda", "cloudflare", "qualys", "palo alto", "fortinet", "layer7", "vordel", "soa", "sonicwall", "mod_security", "kona", "whitehat", "mulesoft", "ciphercloud", "skyhigh"]

Questions for Architects
• If your API codebase was public, would you be concerned? – Why?
• Have you done an API security audit?

Consumer Concerns
• Who has my KEY! – Build support for external encryption keys
• Inter-Provider communication transparency – Box <-> Salesforce – Programmatic log access should be a given

Looking Forward
• Hijacking Data – Fake/malicious third party applications – W0rd app on dropbox is asking for permissions!
• API-centric Denial of Service
• Better user reputation systems (they all suck)
• More context around transactions

Break before you build!
[email protected]