APIDays_Design_API_Security.pdf
Emmanuel Paraskakis
July 31, 2018
Keynote at API Days San Francisco, 2018. A Design-First Approach for API Security.
Transcript
Emmanuel Paraskakis (@manp): A Design-First Approach for Delivering Better API Security
Apiary: 441,401 APIs, 3M+ API Consumers, 346,105 API Designers
Infosec Goals
1. Confidentiality
2. Integrity
3. Availability
What’s Different About APIs? Attack Surface is Huge!
Defense In-Depth
• Enforce CIA at every layer in your stack
• Assume there will be a failure in each layer
What does Design-First Mean?
• Think about security upfront
• Don't bolt it on at the end
• Buying silver bullets won't save you
Design For API Security
• Architecture
• Processes
• API Interface
Design your Architecture
Design your Processes
Design your API Interface
• Authentication scheme
• Leverage the protocol
• Data structures and validation
openapi: "3.0.1"
info:                                   # metadata
  title: Online Store API
  version: 1.0
  …
servers:                                # deployment
  - url: https://staging.example.com/
    description: Staging environment
  …
security:                               # runtime
  - api_key: []
  …
x-ibm-configuration:
  enforced: true
  cors:
    enabled: true
  …
paths:                                  # interface
  /customers/{id}/orders:
    get:
      …
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Orders"
  …
components:                             # schema
  schemas:
    Orders:
      …
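The interface bullets above (authentication scheme, protocol, data structures and validation) only become enforceable once they are written into the OpenAPI document and something checks every request against it. The following is an added example, not code from the talk, from Apiary or from any gateway product: a stdlib-only Python validator that reads a constructed spec fragment modelled on the slide's Online Store API and rejects requests that break the contract. The spec details (the X-API-Key header name, the Order schema, its pattern and bounds, the POST operation) are assumptions made for the example; the $ref, securitySchemes and requestBody shapes are standard OpenAPI 3.

```python
# Added example, not code from the talk, Apiary or any gateway product. SPEC is a
# constructed, hypothetical OpenAPI 3 fragment modelled on the slide's "Online Store API".
import re

SPEC = {
    "security": [{"api_key": []}],  # authentication scheme required on every operation
    "components": {
        "securitySchemes": {"api_key": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
        "schemas": {"Order": {  # data structure: only designed fields, bounded values
            "type": "object", "required": ["sku", "quantity"], "additionalProperties": False,
            "properties": {"sku": {"type": "string", "pattern": "^[A-Z0-9-]{3,20}$"},
                           "quantity": {"type": "integer", "minimum": 1, "maximum": 100}}}}},
    "paths": {"/customers/{id}/orders": {
        "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer", "minimum": 1}}],
        "post": {"requestBody": {"required": True, "content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/Order"}}}}}}},
}


def resolve(spec, schema):
    """Follow a local $ref like '#/components/schemas/Order'."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def validate(spec, schema, value, where, errors):
    """JSON-Schema subset (type, required, additionalProperties, pattern,
    minimum/maximum); appends readable violations to errors."""
    schema = resolve(spec, schema)
    t = schema.get("type")
    if t == "object":
        if not isinstance(value, dict):
            errors.append(f"{where}: expected object")
            return
        props = schema.get("properties", {})
        errors += [f"{where}.{r}: required property missing"
                   for r in schema.get("required", []) if r not in value]
        for key, val in value.items():
            if key in props:
                validate(spec, props[key], val, f"{where}.{key}", errors)
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{where}.{key}: property not in contract")
    elif t == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{where}: expected integer")
            return
        if value < schema.get("minimum", value):  # no minimum: compares to itself, never fails
            errors.append(f"{where}: below minimum {schema['minimum']}")
        if value > schema.get("maximum", value):
            errors.append(f"{where}: above maximum {schema['maximum']}")
    elif t == "string":
        if not isinstance(value, str):
            errors.append(f"{where}: expected string")
            return
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{where}: does not match pattern")


def match_path(spec, path):
    """Match a concrete path to a template; returns (template, raw_params) or (None, {})."""
    for template in spec["paths"]:
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(pattern, path)
        if m:
            return template, m.groupdict()
    return None, {}


def check_security(spec, operation, headers):
    """Operation-level security overrides global; any one listed requirement satisfied
    passes. Only apiKey-in-header is modelled; headers must have lower-cased names."""
    requirements = operation.get("security", spec.get("security", []))
    for req in requirements:
        schemes = [spec["components"]["securitySchemes"][n] for n in req]
        if all(s["type"] == "apiKey" and s["in"] == "header"
               and headers.get(s["name"].lower()) for s in schemes):
            return []
    return [] if not requirements else ["security: no security requirement satisfied"]


def validate_request(spec, method, path, headers, body):
    """Return contract violations for one request; [] means it matches the designed
    interface and may be forwarded to the backend."""
    template, raw = match_path(spec, path)
    if template is None:
        return [f"path: {path} is not in the contract"]
    operation = spec["paths"][template].get(method.lower())
    if operation is None:
        return [f"method: {method} not defined for {template}"]
    errors = check_security(spec, operation, {k.lower(): v for k, v in headers.items()})
    for p in spec["paths"][template].get("parameters", []) + operation.get("parameters", []):
        if p["in"] == "path":
            schema, value = resolve(spec, p["schema"]), raw[p["name"]]  # arrives as text
            if schema.get("type") == "integer" and re.fullmatch(r"-?\d+", value):
                value = int(value)
            validate(spec, schema, value, f"path.{p['name']}", errors)
    body_spec = operation.get("requestBody")
    if body_spec and body is None and body_spec.get("required"):
        errors.append("body: required request body missing")
    elif body_spec and body is not None:
        validate(spec, body_spec["content"]["application/json"]["schema"], body, "body", errors)
    return errors
```

Run against a request carrying an unknown field, an out-of-range quantity and a non-numeric path id, `validate_request` returns one violation per problem, so the rejection reason can be logged and returned before any application code runs; with no API key it returns the security violation alone. This is the check a gateway performs when the contract is marked `enforced: true`, and the same contract is what Dredd replays against a live server from the test side, which is what makes the design document the single place where the interface's security rules live.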
Learn More:
• OWASP API Security Project
• Dredd
• Apiary
• Oracle API Platform
• Oracle + Dyn (Zenedge)