Emmanuel Paraskakis @manp A Design-First Approach for Delivering Better API Security 

apiary + 441,401 APIs 3M+ API Consumers 346,105 API Designers 

Infosec Goals 1. Confidentiality 2. Integrity 3. Availability 

What’s Different About APIs? Attack Surface is Huge! 

Defense In-Depth • Enforce CIA at every layer in your stack • Assume there will be a failure in each 

What does Design-First Mean? • Think about Security upfront • Don’t bolt it on at the end • Buying Silver Bullets won’t save you 

Design For API Security • Architecture • Processes • API Interface 

Design your Architecture 

Design your Processes 

Design your API Interface • Authentication Scheme • Leverage the Protocol • Data Structures & Validation 

openapi: "3.0.1" info: title: Online Store API version: 1.0 … servers: - url: https://staging.example.com/ description: Staging environment … security: - api_key: [] … x-ibm-configuration: enforced: true cors: enabled: true … paths: /customers/{id}/orders: get: … content: application/json: schema: $ref: "#/components/schemas/Orders" … components: schemas: Orders: … metadata deployment runtime interface schema 

Learn More: • OWASP API Security Project • Dredd • Apiary • Oracle API Platform • Oracle+Dyn (Zenedge)