APIDays_Design_API_Security.pdf
paraskakis
July 31, 2018
Programming
Keynote at API Days San Francisco, 2018. A Design-First Approach for API Security.
Transcript
Emmanuel Paraskakis @manp
A Design-First Approach for Delivering Better API Security

apiary +
441,401 APIs • 3M+ API Consumers • 346,105 API Designers

Infosec Goals
1. Confidentiality
2. Integrity
3. Availability

What’s Different About APIs?
Attack Surface is Huge!

Defense In-Depth
• Enforce CIA at every layer in your stack
• Assume there will be a failure in each

What does Design-First Mean?
• Think about Security upfront
• Don’t bolt it on at the end
• Buying Silver Bullets won’t save you

Design For API Security
• Architecture
• Processes
• API Interface

Design your Architecture

Design your Processes

Design your API Interface
• Authentication Scheme
• Leverage the Protocol
• Data Structures & Validation
OpenAPI document shown on the slide (the slide’s callouts, metadata / deployment / runtime / interface / schema, are given as comments next to the section each one labels; elided parts are marked …):

    openapi: "3.0.1"
    info:                                  # metadata
      title: Online Store API
      version: 1.0
      # …
    servers:                               # deployment
      - url: https://staging.example.com/
        description: Staging environment
      # …
    security:                              # runtime
      - api_key: []
      # …
    x-ibm-configuration:
      enforced: true
      cors:
        enabled: true
      # …
    paths:                                 # interface
      /customers/{id}/orders:
        get:
          # …
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Orders"
      # …
    components:                            # schema
      schemas:
        Orders:
          # …
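The last bullet of the interface slide, data structures and validation, is where the component schema does defensive work: a request body that does not match the declared schema is rejected before it reaches business logic. The Python below is an added example, not code from the talk or from Apiary: it implements the JSON Schema subset that OpenAPI 3 component schemas use and applies it to a constructed Order schema (the slide’s Orders schema is elided, so ORDER_SCHEMA and the sample payloads are hypothetical). It also shows the caveat practitioners most often miss, that additionalProperties is permissive by default, so an unknown client-supplied field such as isAdmin passes unless the schema sets it to false.

```python
"""Request-body validation against an OpenAPI component schema.

Added example, not from the talk. ORDER_SCHEMA is a constructed stand-in
for the slide's elided "#/components/schemas/Orders".
"""
import re

# Non-numeric JSON Schema types mapped to the Python types they accept;
# integer/number are special-cased because bool is a subclass of int.
_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}


def _type_ok(value, expected):
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if expected == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    return isinstance(value, _TYPES[expected])


def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means `value` conforms.

    Keywords handled: type, enum, required, properties, additionalProperties,
    items, minItems, maxItems, minimum, maximum, maxLength, pattern.
    """
    errors = []
    t = schema.get("type")
    if t and not _type_ok(value, t):
        # Wrong type: the other keywords cannot be applied meaningfully.
        return [f"{path}: expected {t}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in {schema['enum']}")
    if t == "string":
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']} chars")
        # JSON Schema patterns are unanchored (search semantics), so the
        # schema itself must carry ^ and $ or substrings will match.
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{path}: does not match {schema['pattern']!r}")
    if t in ("integer", "number"):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if t == "array":
        if "minItems" in schema and len(value) < schema["minItems"]:
            errors.append(f"{path}: fewer than {schema['minItems']} items")
        if "maxItems" in schema and len(value) > schema["maxItems"]:
            errors.append(f"{path}: more than {schema['maxItems']} items")
        for i, item in enumerate(value):
            errors += validate(item, schema.get("items", {}), f"{path}[{i}]")
    if t == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, item in value.items():
            if name in props:
                errors += validate(item, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                # Default accepts unknown keys; only an explicit false rejects.
                errors.append(f"{path}.{name}: unexpected property rejected")
    return errors


# Constructed schema: strict at every object level.
ORDER_SCHEMA = {
    "type": "object",
    "required": ["orderId", "items"],
    "additionalProperties": False,
    "properties": {
        "orderId": {"type": "string", "pattern": r"^ORD-[0-9]{6}$"},
        "status": {"type": "string", "enum": ["pending", "shipped", "delivered"]},
        "items": {
            "type": "array", "minItems": 1, "maxItems": 50,
            "items": {
                "type": "object", "additionalProperties": False,
                "required": ["sku", "quantity"],
                "properties": {
                    "sku": {"type": "string", "maxLength": 32},
                    "quantity": {"type": "integer", "minimum": 1, "maximum": 1000},
                },
            },
        },
    },
}

# Constructed sample payloads.
GOOD_ORDER = {"orderId": "ORD-000123", "status": "pending",
              "items": [{"sku": "SKU-42", "quantity": 2}]}
BAD_ORDER = {"orderId": "ORD-1", "status": "paid",
             "items": [{"sku": "SKU-42", "quantity": "2", "discount": 99}],
             "isAdmin": True}


def main():
    print("strict schema, valid order:", validate(GOOD_ORDER, ORDER_SCHEMA))
    for err in validate(BAD_ORDER, ORDER_SCHEMA):
        print("strict schema rejects:", err)
    # Same payload with top-level additionalProperties left at its default:
    # the unknown isAdmin key is accepted without comment.
    permissive = {k: v for k, v in ORDER_SCHEMA.items() if k != "additionalProperties"}
    print("permissive schema flags isAdmin:",
          any("isAdmin" in e for e in validate(BAD_ORDER, permissive)))


if __name__ == "__main__":
    main()
```

Run as a script to see the strict schema reject five defects in BAD_ORDER (bad id format, unknown status, string quantity, unexpected discount, unexpected isAdmin) while the permissive variant lets isAdmin through; in a gateway this check belongs in front of the handler, with the same schema that documents the interface.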
Learn More:
• OWASP API Security Project
• Dredd
• Apiary
• Oracle API Platform
• Oracle+Dyn (Zenedge)