and are essential for modern distributed applications. Enable systems to communicate using a common language for requests and formatting. Accessible to diverse client applications, expanding business capabilities beyond monolithic systems. Smoother transitions when migrating from legacy technology or between protocols. But… nothing is perfect…
loop of hell... Feature deployments get delayed due to the security team's thorough security checks, making continuous delivery impossible. Security teams feel the pressure of being a bottleneck to scalability. New security threats arise every other day. Technical debt keeps piling up making applications unsafe and obsolete very rapidly.
Specialized firewall for web applications, acting as a primary shield between a web application and the internet. Located at the outer edge of the network, at the application layer (layer 7 of the OSI model). Protects web servers by filtering, monitoring, and blocking malicious HTTP and HTTPS traffic. When properly configured, it helps preventing attacks like SQL injection, cross-site scripting (XSS), and HTTP protocol violations. As a bonus, WAFs often come with out-of-the-box OWASP Top 10 mitigation capabilities. WAF extended info About the OSI model
comes to granularity… Rate limit and consumer quota requirements do not follow a "one size fits all" approach. Authentication & pre-authorization processes are best determined at the API level. The payload should be examined based on the expected input. Attribute-based allow-lists for requests can be managed in bulk, but they require fine-tuning to suit various use cases. The open/close settings of WAFs can either leave APIs unprotected or completely stop production.
secures API traffic Set of rules and protocols to protect APIs from unauthorized access and misuse Interface for developers to discover, explore, and consume APIs, often including documentation and testing tools Monitoring and analysis of API usage, performance, and trends for optimization and decision-making End-to-end management of APIs from design and creation to retirement, including versioning, testing, and deployment. Some API management platforms
consumers, according to the presented consumer API keys (not a credential). Front Desk API Gateway controls to handle authentication process. Additionally, traffic management to prevent brute-force. Registration Authentication and Authorization resources the API Gateway interacts with. Credentials would be a client-certificate (mutual TLS), an OAuth Token or other methods. Control Room Analyzing traffic helps to identify and alert about any unusual activities during the authentication and authorization process. Note = Curious about SPA integrations?
Key. > Constitutes the 1st level of pre-authorization > Can be used to classify consumer application groups. > Should not be used as credentials (They are fixed values and are manually rotated) > Should not be stored in the code base nor in browser storage. > Also useful for tracking and managing access to applications by applying additional security policies, namely: consumer quota, spike arrest, throttling, request headers validations, etc.
the client application will have access to. > The 2nd level of pre-authorization. > Configured by defining an API Product and including target API proxies to the product’s bundle. > The API proxies expose a variety of endpoints or resources from a backend application. > They can also include input/output validation, parameters handling and message transformation policies.
and methods that a determined client would be enabled to access to. > The 3rd of pre-authorization. > Independent from both, object / object property level authorization, which is best determined at application level. > Protected resources will require specific authorization, usually in the form of an access_token.
Design, implement and review authentication and authorization processes on every level of the architecture. API Governance > Define API standards, information model approach, security policies and keep a proper inventory and documentation of the API ecosystem. Threat Modeling > Consider threat modeling early in product definition to proactively identify and address security risks Infrastructure security > Protect critical systems and assets against cyber threats such as Server-side request forgery (SSRF) or elevation of privileges. Third party risk management > Apply third-party security assessment (TPSA), to ensure safe interactions with third-parties in any direction. Security Champions Program > Educating and spreading the word about security is always a win!