Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.

Slides:

Advertisements

Similar presentations

Managing Service-Oriented Architectures Jim Bole VP Professional Services Infravio, Inc June 7,

Advertisements

The How of OAuth OAuth Hackathon – Six Apart

Secure Single Sign-On Across Security Domains

0 McLean, VA August 8, 2006 SOA, Semantics and Security.

Govern the Flow of Data: Moving from Chaos to Control

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1.

Why Eve & Mallory Love Android

FI-WARE Testbed Access Control temporary solution.

Oracle IDM at First National Bank

Secure Lync mobile Authentication

Secure SharePoint mobile connectivity

Lecture 23 Internet Authentication Applications

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Securing Insecure Prabath Siriwardena, WSO2 Twitter

WSO2 Identity Server Road Map

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

quick audience poll an IT Pro or a developer or neither?

CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan.

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

T Sponsors Kent Weare Integration MVP, Author API Management Part 1 – An Introduction to Azure API Management BizTalk Summit 2015 – London ExCeL London.

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

Copyright ©2012 Ping Identity Corporation. All rights reserved.1.

ArcGIS Server and Portal for ArcGIS An Introduction to Security

A Digital and Technology Getting Started with Microsoft Azure API Management Ed Jones,

Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.

One Platform, One Solution: eToken TMS 5.1 Customer Presentation November 2009.

© 2009 IBM Corporation 1 The API Economy and Cast Iron Web API Andrew Daniel – Cast Iron UI Developer Andrew Daniel – Cast Iron Web API Software Engineer.

Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?

Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

Deconstructing API Security

EL 10 - From IoT to Mainframe, secured and all Mobile Integration with z Systems Aymeric Affouard IT Specialist

The ERA of API in the World of IoT Jing Zhang-Lee November, 2015.

Building consumer apps with Azure AD B2C

Federico Guerrini IDA TSP, EMEA Incubation Team From Identity Synchronization to Identity Management.

Esri UC 2014 | Demo Theater | Using ArcGIS Online App Logins in Node.js James Tedrick.

Agenda Pattern Authenticate a user against UCWA Operations happen using the user’s identity Interact with the UCWA service endpoint Make HTTP requests.

Business of APIs The API Economy Brad Brozek

Security Solutions Rachana Ananthakrishnan University of Chicago.

User and Device Management

E-Authentication October Objectives Provide a flexible, easy to implement authentication system that meets the needs of AES and its clients. Ensure.

API Auth By Kyle Bradley. Role Definitions  User (Resource Owner)  The resource owner is the person who is giving access to some portion of their account.

VPN. CONFIDENTIAL Agenda Introduction Types of VPN What are VPN Tokens Types of VPN Tokens RSA How tokens Work How does a user login to VPN using VPN.

Secure Mobile Development with NetIQ Access Manager

#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson

REST API to develop application for mobile devices Mario Torrisi Dipartimento di Fisica e Astronomia – Università degli Studi.

Enabling the Modern Workstyle with Windows 10 & Azure Active Directory Venkatesh Gopalakrishnan 2016 Redmond Summit | Identity Without Boundaries May 25,

Protect your data Enable your users Desktop Virtualization Information protection Mobile device & application management Identity and Access Management.

4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Azure Active Directory - Business 2 Consumer

Consuming OAuth Services in Alfresco Share

Do you know who your employees are sharing their credentials with

SaaS Application Deep Dive

Cisco ISE 1.2 Mobile Device Management Integration

Secure communication among services

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,

API (Application Programming Interface)

Ashish Pandit Louis Zelus

CLIENT ZipDial.

Matthew Levy Azure AD B2B vs B2C Matthew Levy

SharePoint Online Authentication Patterns

Western Mass Microsoft Technology Users Group

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway

About me Co-founder of Vordel (SOA/API Gateways) –Acquired by Axway in 2012 VP Innovation at Axway Based in Boston, MA Blog: 2

Agenda APIs for Mobile –“Digital Business” Security issues for APIs –Data harvesting –API Key sniffing –Insecure use of plain HTTP OAuth –What can go wrong? –OAuth model applied to Mobile Solutions –API Management –“Certificate Pinning” 3

“Digital Business” Creating new channels for revenue –Cloud, Mobile, Social –Over 3 hours per day on smartphones [Analysys Mason]

5 Where do APIs fit in? Enabling mobile apps Health Records… Utility Metering…Payments All get their data through APIs

APIs – A soft underbelly? Security vulnerabilities related to APIs

API Security Axway #APIWorkshops

Identity - Key Users often allow the app to interact with APIs on their behalf e.g. call the Twitter API to send tweets Protection of OAuth credentials is important “Permission-based Web”

| |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | | | | | | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token | | | | | | | | | |--(E)----- Access Token >| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | OAuth Actor Model applied to Mobile: Count the credentials… App Developer Resource Owner Authorization Server Resource Server Client API Business Owner The App The User The API Developer Portal Developer Portal CredentialsClient API CredentialsResource Owner Credentials Access TokenRefresh Token

More API Misuse – Why throttling is needed

Insecure use of plain HTTP Source: 11

Weak API Key Authentication 12 Problem: API Keys are often simply passed in URLs &APIKey= Vulnerable to sniffing if SSL isn’t used (often it is not..) Amazon uses two keys: Secret Key ID to perform HMAC signing With detection of replay attacks Access Key ID to identify the client

Self-service internal and external developers to use APIs Manage and Secure API, SOA and XML traffic API Portal API GatewayAPI Manager Publish and Manage API Consumption by internal and external partners Enter API Management… On Premise

API First Axway #APIWorkshops The API is the contract …And the product WSDL is the Contract Backend App is the Product APIs SOA/ESB Courtesy of Kevin Kohut, Accenture )

API Catalog Lifecycle Management of APIs Versioning “Single Store of Truth” The API Catalog is the modern-day Registry Repository Version Lifecycle Info

Self Service Self-Service Developer Enrollment Registration workflows

In-place API Testing Test-as-you-go “Try it out” for API Methods Including using API Keys…

Stakeholders in API Management Client Applications REST API SOAP/XML/REST/JSON API Manager Services Applications Data Application Developers API Portal API API Registration & Lifecycle API Catalog Partner & Policy Administration Self-Service API consumption Build developer community New channel to market brand API Developers API Administrators Self-register to resources Browse and learn APIs Manage application credentials RESTREST SOAP Web Services POX, JMS, FTP Integration with non- REST API services Policy Enforcement API Gateway Register and manage API lifecycle Perform partner, policy and process admin Monitor and report API use Policy Developers Create and extend policies Integrate with applications and infrastructure

Managing mobile app access to APIs 19

Mobile App Monitoring in Action 20

Managing API Keys and OAuth 21

Quota Management for APIs 22 Managing usage quotas for APIs on an app-by-app basis

Certificate Pinning 23 Problem: API Keys are vulnerably when stored on the client Solution: “Certificate Pinning”: Leverages native mobile OS support for protecting certificates Uses Mutual SSL End-user credentials (e.g. username/password) then sent over this Mutual SSL connection

Further Visit us at the Axway Booth Thank you!