Agile Information Sharing Through API Management with The J.M. Smucker Company
How to Achieve Agile API Security
Transcript of How to Achieve Agile API Security
Page 1
Agile API Security
Apigee @apigee
Subra Kumaraswamy @subrak
Page 2
youtube.com/apigee
Page 3
slideshare.net/apigee
Page 4
@Subrak Subra Kumaraswamy
Page 5
Agenda
• Why Agile Security matters
• Agile API Security enablers and approaches
• Key takeaways
• Q&A
Page 6
Why Agile security?
(Diagram contrasting Developer Agility with Security Risks)
Page 7
API security stakeholders
• Product Manager: How can I release features with built-in security? How can I reduce the release cycle?
• Business owner: How do I reduce risk while expanding API exposure? How do I meet compliance requirements?
• Ops: How do I enforce consistent security policy across APIs? What controls do I have to mitigate attacks like DoS?
• App Developer: What options do I have to secure data at rest and in transit? How do I enable social login? How can I manage and revoke keys?
Page 8
Security layers – good enough?
We have implemented layers of security to protect the crown jewels...
Page 9
That's not enough: we need security with flexibility
Page 10
A new approach is required
Page 11
Agile API security
• API First Architecture with built-in Security
• Data Security governance
• Security for API exposure
• Security for consumption (Apps)
• Secure and Agile SDLC: Threat Assessment, Secure Coding, Testing, Verification
Page 12
API-first architecture
(Diagram) Internet-facing apps: Social Apps, Web Apps, Mobile Apps, All Apps. API Tier: Orchestration, Persistence, Security, Analytics. Backend Services: App Servers, ESB.
Consistent security policies & access control (Exposure)
Flexible security for Apps (Consumption)
Actors: Developers, IT security architect
Page 13
API security architecture
(Diagram) Policy Enforcement: Authentication, Authorization, Traffic Management, Logging & Auditing
Threat Protection: TLS, DDoS, Rate Limiting & Quota, Payload Protection, Analytics
Identity for API Management: User Management, RBAC Management, Policy Management, Certificate Management, Keys/Token Management
Stores: Policy Store, Log Store, Key Store
Compliance (SOC 2, PCI DSS, HIPAA)
Actors: Developers, Apps, IT Security / Architect
Page 14
Identity landscape in the API world
Page 15
Agile API security
✓ API First Architecture with Security
• Data Security governance
• Security for API exposure
• Security for consumption (Apps)
• Secure and Agile SDLC: Threat Assessment, Secure Coding, Testing, Verification
Page 16
Agile SDLC – Focus on automation
Phases: Security Design / Threat Assessment, Secure Coding, Testing, Verification
Practices: API Threat Modeling, Secure Coding Practices, Static Analysis, Security Unit Testing, Dynamic Analysis, Secure Development Training, Black Box Pen Testing, Continuous Security Monitoring
• API product centric
• Aligned with Epics and stories
• Integrated into development using Maven and Jenkins plugins
• Vulnerabilities prioritized based on criticality and threat model requirements
• Black-box testing aligned with major releases
• Monitoring of APIs to verify policies
Page 17
API Product security design considerations
• What categories of developers or applications do you have?
  – internal developers
  – partners (at various service levels)
  – public developers (open adoption)
• What APIs should each class of developers or applications have access to?
• What Authentication and Authorization schemes are supported by Apps to consume APIs?
• What type of data is exposed via the API?
• What threats do you want to protect against?
Page 18
API threats
• Spoofing of identity
• Denial of service
• Network eavesdropping (App-to-API)
• Replay attacks
• Unauthorized access to management system and configuration data
• Man-in-the-middle attacks
• Velocity attack using legitimate API keys
• Elevation of privilege by applications and developers
• Disclosure of confidential data stored and processed in mobile, API, and backend services
• Theft of credentials, API keys, tokens, or encryption keys
Page 19
Agile API security
✓ API First Architecture with Security
• Data Security Governance
• Security for API exposure
• Security for consumption (Apps)
✓ Secure and Agile SDLC: Threat Assessment, Secure Coding, Testing, Verification
Page 20
Centralize API security for exposure
(Diagram) Apps; Secure API Exposure: TLS, Authentication & Authorization; Backend Service.
Security & Identity Capabilities: Identity Services (IdP), Authentication & Authorization, Logging & Auditing, Security Analytics
Page 21
API exposure – security checklist
API Developer Security
✓ Authentication & SSO (SAML, OAuth)
✓ API Management Roles (RBAC)
✓ Internal vs External Developer
✓ Data Masking
✓ Logging and auditing
Governance & Compliance
✓ Policy Enforcement
✓ PCI/HIPAA Compliance
API (Backend) Security
✓ Secure communication (TLS – 1-way or 2-way)
✓ Authentication (TLS, OAuth, SAML)
✓ Versioning
✓ Integration with Enterprise identity providers
✓ Logging and auditing
Analytics
✓ Run-time detection reports (volume based, traffic properties)
Page 22
Agile API security
✓ API First Architecture with Security
• Data Security Governance
✓ Security for API exposure
• Security for Consumption (Apps)
✓ Secure and Agile SDLC: Threat Assessment, Secure Coding, Testing, Verification
Page 23
Standardize App security for consumption
(Diagram) Developers; Apps; Security for Consumption: TLS, Authentication & Authorization, Application Security, Threat Protection; Backend Services.
Security & Identity Capabilities
Page 24
API consumption – security checklist
App Developer Security
✓ Developer Key Management (workflow, governance)
✓ Developer provisioning
✓ Authentication & SSO (SAML, OAuth)
✓ Internal vs External Developer
✓ Developer permissions (RBAC)
App Security
✓ Secure communication (TLS – 1-way or 2-way) – Mobile vs Partner
✓ Authentication (OAuth patterns)
✓ API key with Product Scope
✓ Quota Enforcement
✓ IP-based Whitelist/Blacklist
Threat Protection
✓ XML/JSON Poisoning/Injection
✓ SQL Injection
✓ DDoS/App-DoS Attacks
✓ Spike Arrest
Page 25
Agile API security
✓ API First Architecture with Security
• Data Security Focused – API Products
✓ Security for API exposure
✓ Security for Apps Standardized
✓ Secure and Agile SDLC: Threat Assessment, Secure Coding, Testing, Verification
Page 26
API data security
• Organize your APIs as API products for fine-grained data security management
• Central mechanism for authorization and access control to your APIs
• API products with Key and OAuth Scope protect your API
• Protect payload data using encryption, hashing and secure key management
• Improve API agility by aligning the Secure SDLC with data security sensitivity
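As an added example (not code from the deck or from Apigee), the Python sketch below ties the consumption checklist (API key with Product Scope, Quota Enforcement, IP-based allowlist, Spike Arrest) to the API-product model this page describes: a developer key is bound to one product, and the product decides which API paths the key may call and at what rate. All products, keys, paths and addresses are constructed sample values, and the `Gateway.authorize` interface is hypothetical.

```python
# Added example, not from the deck: a minimal policy-enforcement point modelling the deck's
# "API product" idea. A developer key is bound to one product, and the product carries the
# API scopes it may call plus quota, spike-arrest and IP-allowlist limits. Sample values only.
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class ApiProduct:
    scopes: frozenset                     # API path prefixes the product may call
    quota: int                            # requests allowed per hour (3600-second window)
    spike_limit: int = 5                  # spike arrest: max requests in any 1-second window
    allowed_ips: frozenset = frozenset()  # IP allowlist; empty means any client IP

# Constructed products and developer keys; each key is bound to exactly one product.
PRODUCTS = {
    "orders-partner": ApiProduct(frozenset({"/v1/orders"}), quota=100,
                                 allowed_ips=frozenset({"203.0.113.10"})),
    "catalog-public": ApiProduct(frozenset({"/v1/catalog"}), quota=3, spike_limit=2),
}
KEYS = {"pk_partner_demo": "orders-partner", "pk_public_demo": "catalog-public"}

def _prune(window, now, size):
    while window and now - window[0] >= size:  # drop entries older than `size` seconds
        window.popleft()

class Gateway:
    def __init__(self):
        # Per-key request timestamps for the quota window and for the 1-second spike window.
        self._quota, self._spike = defaultdict(deque), defaultdict(deque)

    def authorize(self, api_key, path, now, client_ip="203.0.113.10"):
        """Return (allowed, reason) for one request; the cheapest checks run first."""
        product_name = KEYS.get(api_key)
        if product_name is None:
            return False, "invalid_key"
        product = PRODUCTS[product_name]
        if product.allowed_ips and client_ip not in product.allowed_ips:
            return False, "ip_not_allowed"
        if not any(path == s or path.startswith(s + "/") for s in product.scopes):
            return False, "out_of_product_scope"
        spike, quota = self._spike[api_key], self._quota[api_key]
        _prune(spike, now, 1)
        if len(spike) >= product.spike_limit:
            return False, "spike_arrest"
        _prune(quota, now, 3600)
        if len(quota) >= product.quota:
            return False, "quota_exceeded"
        for window in (spike, quota):  # only admitted requests count against the limits
            window.append(now)
        return True, "ok"
```

Rejected requests are not recorded, so a key that is being throttled does not push its own quota further; the scope check matches whole path segments, so `/v1/catalogue` is not covered by a `/v1/catalog` scope.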
Page 27
Key takeaways
✓ Practice API First Architecture for security with flexibility
✓ Use API Products to enable tiered security
✓ Centralize your API security for consistent policy enforcement
✓ Standardize App security across channels for a frictionless user experience
✓ Implement SDLC with automation for agility: Threat Assessment, Secure Coding, Testing, Verification
Page 28
@Subrak Subra Kumaraswamy
Thank You
Questions?
Page 29
Thank You
Apigee @apigee