Upgrade to Pro — share decks privately, control downloads, hide ads and more …

API securing principles as a software developer at Cloud Era

API securing principles as a software developer at Cloud Era

In this session, we will see some real practices of developing APIs using microservice architecture, which go beyond HTTP verbs and Status Code. We will show some principles inherent in the API First methodology until the deployment of the API in production, including security details, that is, how to protect your API using Service Mesh infrastructure and/or API gateway, focusing on the day-to-day life of a software developer.


Luram Archanjo

April 16, 2021


  1. API securing as a so ware developer at Cloud Era

    Cláudio Oliveira & Luram Archanjo
  2. Who am I? Luram Archanjo Software Engineer MBA in Java

    projects Java and Microservice enthusiastic 2
  3. Who am I? Cláudio E. de Oliveira APIs Tech Lead

    at LuizaLabs Golang, Java, microservices & k8s 3
  4. Agenda API First Principles of security as a developer Responsibilities

    - Traffic North & South - Traffic East & West Demo 4
  5. 5 Why talk about it?

  6. 6 API First An API-first approach means that for any

    given development project, your APIs are treated as “first-class citizens.” That everything about a project revolves around the idea that the end product will be consumed by mobile devices, and that APIs will be consumed by client applications. Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/
  7. 7 API First - Step Back Backend

  8. 8 API First #1 Development teams can work in parallel

    #2 Reduces the cost of developing apps #3 Increases the speed to market #4 Ensures good developer experiences Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/
  9. 9 Principles of security as a developer

  10. 10 Authentication Authentication is the act of validating that users

    are whom they claim to be. This is the first step in any security process. Example: Employees in a company are required to authenticate through the network before accessing their company email
  11. 11 Authorization Authorization in a system security is the process

    of giving the user permission to access a specific resource or function. In secure environments, authorization must always follow authentication. Example: After an employee successfully authenticates, the system determines what information the employees are allowed to access
  12. 12 Ownership of data Ownership of data is a part

    of data security and is related to the proper handling of data. It is the process of check the ownership of the data! Example: After an employee successfully authenticates, the employee can only manipulate data that is yours.
  13. 13 Authentication Authorization Confirms users who are they say there

    are Gives users permission to access a resource Ownership Confirms users data and permissions to handle it
  14. 14 Cloud Native Security Principles

  15. 15 Basics knowledge for API Security • HTTPS • ssl/tls

    • Metrics • OpenID Connect
  16. 16 Perimeter Security

  17. 17 Perimeter Security • Defense-in-depth multiple layers of security •

    Should be easy to integrate with in place systems like VPN, Firewall etc... • Multiple Policy Enforcement Points increase security
  18. 18 Infrastructure Security • Language agnostic • Infrastructure is secure

    (platforms) • Increase governance level • “Hot deployment”
  19. 19

  20. Traffic Types 20

  21. 21 North-South traffic

  22. 22 North-South Traffic • Clients is unknown in general •

    Best place to put Bot detection and treat abusive traffic • API Products expose business through APIs
  23. 23 East-West traffic

  24. 24 Zero Trusted Network • The cloud environment is heterogeneous

    • Different types of workloads • Integrate with Defense-in-depth concept • All elements in network is untrusted • All systems should get kind of grant before call others systems
  25. 25 A of them are open-source

  26. 26 Big Picture

  27. 27 Demo time

  28. 28

  29. 29 Securing East-West

  30. 30 mTLS

  31. 31 Extracted from https://github.com/smallstep/autocert/blob/master/examples/hello-mtls/README.md

  32. 32

  33. 33

  34. 34 Demo time

  35. 35

  36. Authn 36

  37. 37 Every sidecar can check jwt token and validate token

  38. 38 RequestAuthentication is for Identity and AuthorizationPolicy is the rule

  39. 39 Ok...service mesh is enough to improve secure???

  40. 40

  41. 41 Turns to!!!

  42. 42

  43. 43 “Micro” Gateway can help us! Hiding implementation details and

    acting as Bounded Context https://www.solo.io/blog/challenges-of-adopting-service-mesh-in-enterprise-organizations/
  44. 44

  45. 45 Demo time

  46. 46

  47. 47 Securing North-South

  48. 48 Securing North-South #1 Micro gateway vs Enterprise Gateway #2

    OpenID Connect for external clients (end-users) #3 Handle abusive traffic rate limiting #4 API Products
  49. 49

  50. 50 Demo time

  51. 51

  52. 52

  53. Thanks! Any questions? You can find us at 53 claudioed

    claudioed luramarchanjo luram_archanjo
  54. 54 API First - Step Forward Frontend Team Backend Team

    Mock Backend Frontend
  55. 55 Authentication Authorization Confirms users who are they say there

    are Gives users permission to access a resource ??? ???
  56. 56 What is PeP?? The Policy Enforcement Point (PEP) is

    the piece of network or security equipment that controls user access and ensures the authorization decision made by the Policy Decision Point (PDP).
  57. 57 https://www.manning.com/books/microservices-security-in-action

  58. 58 Infrastructure Security

  59. 59 How mTLS works in Istio / Envoy 1. Service

    account token is assigned to Istio Proxy 2. Pilot agent send Token and CSR to Istiod 3. Istiod validate k8s token 4. The istiod signs the certificate and provides it to pilot agent 5. The pilot agent calls Envoy SDS to configure it https://www.manning.com/books/istio-in-action