In partnership with CA Technologies. Genève, Hôtel Warwick.


Transcription:

SIGS Afterwork Event in Geneva: API Security as Part of Digital Transformation Projects
The role of API security in digital transformation
Nagib Aouini, Head of Cyber Security Services, Defense & Cyber Security
Genève, Hôtel Warwick, 21.09.16
In partnership with CA Technologies

AGENDA
- Transforming your business in the digital era
- API security challenges (15 min)
- Best practices (5 min)
API security for digital transformation - SIGS 2

DIGITAL TRANSFORMATION IS THEIR KEY TO SURVIVAL

SMOKE SIGNALS FOR DIGITAL TRANSFORMATION
- "building apps for our new cloud platform..."
- "a mandate to double mobile revenue"
- "a big UX/CX initiative in the works"
- "need to improve the customer experience"
- "massive CMS and commerce re-platform"
- "speed up our market responsiveness"
- "catch up with X and future-proof our business"
- "shift customers to the secure digital solution"
- "hacked our connected product"

APIS: THE BUILDING BLOCKS OF DIGITAL TRANSFORMATION
(Diagram: APIs connect your digital business to the cloud, external developers, mobile, data, partners/external divisions and IoT devices.)

WHAT ARE APIS
(Diagram: Your App sends a REQUEST to the API of Their App and receives DATA back.)
Application Programming Interfaces (APIs) are plugs that allow software applications to share data and functionality.

API 101 PRIMER
AFTER: "alerts": [{ "type": "FLW", "description": "Flood Watch" }]
What APIs bring: Integration, Experience, Speed, Monetization, Internet of Things

WHY MODERNIZE? WHY USE APIS?
APIs have become the industry standard for system interfaces of all kinds.
- Hide complexity; expose existing functionality
- Use APIs as the basis for porting systems/functionality into the cloud
- Make it easier for other business units and business partners to access systems and data, but maintain security
- Next step in the evolution of SOA/integration platforms
- Want to have the benefits of APIs

BUSINESS CHALLENGES
Project business team: How can I make my business data available through a mobile app? Do I need to copy my data to a mobile phone?
IT security officer: I know that consuming data from a mobile app carries some risk. How do I reduce risk while expanding API exposure? How do I meet compliance?
Developer: What options do I have to secure data at rest and in transit? How can I securely manage keys? How do I manage authentication within the app?
Operations IT team: How do I enforce a consistent security policy across APIs? What controls do I have to mitigate attacks like DoS on our back-end?
Privacy officer: How do I govern APIs exposed to internal and external developers (third-party or agency)? How do I manage the PII life cycle of data exposed via APIs?

AGENDA
- Transforming your business in the digital era
- API security challenges (15 min)
- Best practices (5 min)

API BREACHES

API SECURITY IS UNIQUE
Your APIs are vulnerable to the typical OWASP Top 10 attacks. IN ADDITION, you have to worry about:
- Hackers reverse engineering apps to access private APIs
- API key theft (it looks like legitimate usage!)
- Traffic spike protection, against bots or DoS attacks
- Identity tracking across API sessions
- XML/JSON injection-type attacks
- Token harvesting due to insecure communication or storage

SECURE WHAT?
(Diagram: mobile browser, web and any other app on one side, APIs on the other; Mobile Device Management on the device side, API Management on the API side. Protect data at rest; protect the data source and data in motion.)

FOR EXAMPLE: https://api.services.elca.ch/employees/john
{
  "firstname": "John",
  "lastname": "Williams",
  "title": "VP of engineering",
  "address": {
    "streetaddress": "21 Avenue de la Harpe",
    "city": "Lausanne",
    "prov": "VD",
    "postalcode": "1001"
  },
  "phonenumber": [
    { "type": "office", "number": "0216132136" },
    { "type": "home", "number": "xxxxxxx" }
  ]
}
Without proper authentication/authorization, a corporate directory can be leaked over the internet!

SECURING YOUR DIGITAL CHANNELS
- Authenticate the user
- Control what the app can access
- Rate limit access
- Protect from hackers
- PCI compliance
Capabilities: Au/Az/SSO, Licensing, Quota management, Protection

DEFENSE IN DEPTH: SECURE YOUR APIS
Users: OAuth2, MFA, federated login
Apps: API key, OAuth2, TLS, IP access control
APIs: spike arrest, rate limits, threat protection, intrusion detection, DDoS
Backend: mutual TLS, IP access control

AGENDA
- Transforming your business in the digital era
- API security challenges (15 min)
- Best practices (5 min)

FULL STACK ARCHITECTURE
(Diagram of network zones and the components placed in each.)
Internet: Internet services, remote access
Transition: front-ends, reverse proxy, VPN concentrator
Secure zone: policy server (PDP), applications, API gateway, portal web front-end, 2-factor services, identity portal front-end, HSM, KMS (key server)
Infrastructure: data, ESB, portal application server, identity back-end server, Active Directory, PKI, DNS/DHCP/email gateway
Management: policy server database (PIP), portal database, identity database, admin jump host

1. AUTHENTICATION/AUTHORIZATION/SSO
- Control and restrict access to your APIs
- Make it easy yet secure

2. LICENSING
- Package your APIs in different ways
- Use API keys to restrict what the app can access
The licenses control: OAuth authorization scopes, document visibility, quota policies

3. MESSAGE AND PARAMETER SECURITY
Protect your API keys and messages using an encrypted channel and HMAC.
HTTP parameter: http://apis.elca.ch/directory/staff?app_id=mydir&app_key=mykey
- Protect API keys with HMAC (Hash-based Message Authentication Code)
Message security:
- Implement HTTPS
- For XML/JSON payloads, encrypt specific parts of the message
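The slide's URL carries app_key in the query string, where it is logged by proxies and replayable by anyone who sees it. The following is an added example (not code from the talk or from ELCA) of what "protect API keys with HMAC" means in practice: the key never leaves the client and the gateway; instead the client sends a MAC over the method, path, query, timestamp and body hash, and the gateway recomputes it. The header names, the replay window and the app key are assumptions made up for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed per-app credentials as a gateway might hold them. The app_id still travels
# with the request; the app_key is only ever used to compute and check the MAC.
APP_KEYS: Dict[str, bytes] = {"mydir": b"constructed-secret-for-mydir-do-not-reuse"}

# Replay window (assumed value): a signed request outside it is refused even if the MAC is valid.
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, url: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, query, timestamp and a hash of the body into the bytes that get MACed.

    Anything left out of this string can be altered in flight without breaking the signature,
    so the query string is included on purpose: that is where the old-style app_key lived.
    """
    parts = urlsplit(url)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), parts.path, parts.query, str(timestamp), body_hash]).encode()


def sign_request(app_id: str, app_key: bytes, method: str, url: str,
                 body: bytes = b"", timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: the headers the app sends instead of app_key in the URL (header names are hypothetical)."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(app_key, canonical_string(method, url, ts, body), hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(headers: Dict[str, str], method: str, url: str,
                   body: bytes = b"", now: Optional[int] = None) -> Tuple[bool, str]:
    """Gateway side: look up the key, enforce the replay window, recompute and compare in constant time."""
    now = int(time.time()) if now is None else now
    app_key = APP_KEYS.get(headers.get("X-App-Id", ""))
    if app_key is None:
        return False, "unknown app_id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(app_key, canonical_string(method, url, ts, body), hashlib.sha256).hexdigest()
    # compare_digest does not leak how many leading bytes matched through timing.
    presented = headers.get("X-Signature", "").encode("utf-8", "replace")
    if not hmac.compare_digest(expected.encode(), presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = "https://apis.elca.ch/directory/staff?app_id=mydir"
    hdrs = sign_request("mydir", APP_KEYS["mydir"], "GET", url)
    print(verify_request(hdrs, "GET", url))                  # (True, 'ok')
    print(verify_request(hdrs, "GET", url + "&filter=all"))  # (False, 'signature mismatch')
```

The timestamp check bounds replay, but on its own it still lets a captured request be resent within the window; a gateway that needs stronger guarantees also records recent (app_id, timestamp, signature) tuples and rejects duplicates.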

4. THREAT PROTECTION
- Package your APIs in different ways
- Use API keys to restrict what the app can access
- Denial of service
- Injection attacks: detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
- Cross-site scripting
- Network address and range blacklists/whitelists
- HTTP parameter stuffing

5. CONTENT FILTERING
Provide a content firewall, protecting against malicious content:
- Validate message content including message headers, form and query parameters, XML and JSON data structures
- Policies for XML and JSON DoS
- Protection against viruses in attachments and other binary content via ICAP integration with leading antivirus engines
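As an added illustration of the "validate JSON data structures" and "JSON DoS policies" bullets (example code, not from the talk or any gateway product), the check below enforces structural limits on a request body before it reaches the back-end, then allow-lists the fields of the employee resource shown earlier in the deck. The limits, the schema and the sample bodies are constructed for the example.

```python
import json
from typing import Any, Dict, Optional, Tuple

# Constructed limits of the kind a gateway content policy enforces; tune per API.
LIMITS = {
    "max_bytes": 64 * 1024,   # raw body size
    "max_depth": 8,           # nesting of objects/arrays
    "max_members": 200,       # object members counted over the whole document
    "max_array_len": 100,
    "max_string_len": 1024,   # applies to keys and string values
}

# Hypothetical allow-list schema for the employee resource: field -> (expected type, required).
EMPLOYEE_SCHEMA = {
    "firstname": (str, True),
    "lastname": (str, True),
    "title": (str, False),
    "address": (dict, False),
    "phonenumber": (list, False),
}


class ContentRejected(ValueError):
    """Carries a reason for the gateway log; the client should only see a generic 400."""


def _walk(node: Any, depth: int, counters: Dict[str, int], limits: Dict[str, int]) -> None:
    """Depth-first structural check of an already parsed document."""
    if depth > limits["max_depth"]:
        raise ContentRejected("nesting deeper than %d" % limits["max_depth"])
    if isinstance(node, dict):
        counters["members"] += len(node)
        if counters["members"] > limits["max_members"]:
            raise ContentRejected("too many object members")
        for key, value in node.items():
            if len(key) > limits["max_string_len"]:
                raise ContentRejected("key too long")
            _walk(value, depth + 1, counters, limits)
    elif isinstance(node, list):
        if len(node) > limits["max_array_len"]:
            raise ContentRejected("array too long")
        for value in node:
            _walk(value, depth + 1, counters, limits)
    elif isinstance(node, str) and len(node) > limits["max_string_len"]:
        raise ContentRejected("string too long")


def filter_json(raw: bytes, schema: Optional[Dict[str, tuple]] = None,
                limits: Dict[str, int] = LIMITS) -> Any:
    """Parse and validate a JSON body; returns the document or raises ContentRejected."""
    if len(raw) > limits["max_bytes"]:
        raise ContentRejected("body too large")      # checked before parsing, so no parser work is spent
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        # The stdlib parser raises RecursionError on thousand-level nesting; catching it
        # turns a JSON-DoS probe into a clean rejection instead of a crashed worker.
        raise ContentRejected("malformed JSON: %s" % type(exc).__name__) from None
    _walk(doc, 0, {"members": 0}, limits)
    if schema is not None:
        if not isinstance(doc, dict):
            raise ContentRejected("expected a JSON object")
        for field, (ftype, required) in schema.items():
            if required and field not in doc:
                raise ContentRejected("missing field %s" % field)
            if field in doc and not isinstance(doc[field], ftype):
                raise ContentRejected("field %s has wrong type" % field)
        unknown = sorted(set(doc) - set(schema))
        if unknown:  # allow-listing fields blocks mass-assignment style extras
            raise ContentRejected("unexpected fields: %s" % ", ".join(unknown))
    return doc


def check_body(raw: bytes, schema: Optional[Dict[str, tuple]] = None) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        filter_json(raw, schema)
    except ContentRejected as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample bodies: the employee record from the slide plus three probes.
EMPLOYEE_OK = b'{"firstname": "John", "lastname": "Williams", "title": "VP of engineering", "address": {"city": "Lausanne"}}'
EXTRA_FIELD = b'{"firstname": "John", "lastname": "Williams", "is_admin": true}'
DEEP_NEST = b"[" * 5000 + b"]" * 5000
TOO_BIG = b'{"firstname": "' + b"A" * 70000 + b'"}'

if __name__ == "__main__":
    for name, body in [("ok", EMPLOYEE_OK), ("extra", EXTRA_FIELD), ("deep", DEEP_NEST), ("big", TOO_BIG)]:
        print(name, check_body(body, EMPLOYEE_SCHEMA))
```

The size check runs before parsing and the depth check is caught at the parser, which matters for the DoS case: a policy that only inspects the parsed tree has already paid the cost of building it.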

6. QUOTA MANAGEMENT/RATE LIMITING
- Restrict the number of calls an app can make
- Apply controls based on context, affinity, segmentation etc.
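To make the two bullets concrete, here is an added example (not from the talk or from any gateway product) of a token-bucket limiter with two layers, matching the "spike arrest" and "rate limits" boxes of the defense-in-depth slide: a whole-API ceiling that protects the back-end, and a per-app quota whose size comes from the app's license tier. Tier names, rates and app identifiers are constructed; the HTTP status codes and Retry-After header are standard.

```python
import math
from typing import Dict, Optional, Tuple


class TokenBucket:
    """Classic token bucket: `rate` tokens/second sustained, up to `capacity` in a burst."""

    def __init__(self, rate: float, capacity: float) -> None:
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last: Optional[float] = None

    def take(self, now: float) -> Tuple[bool, float]:
        """Consume one token at time `now`; returns (allowed, seconds until the next token)."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - self.tokens) / self.rate


# Constructed license tiers: (sustained calls per second, burst). A real gateway reads these
# from the app's license, which is what the LICENSING slide says quota policies hang off.
TIERS = {"free": (1.0, 3), "premium": (10.0, 50)}


class RateLimiter:
    """Per-app quota keyed by license tier, behind a whole-API spike-arrest ceiling."""

    def __init__(self, app_tiers: Dict[str, str], api_rate: float, api_burst: int) -> None:
        self.app_tiers = app_tiers
        self.spike_arrest = TokenBucket(api_rate, api_burst)   # protects the back-end as a whole
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, app_id: str, now: float) -> Tuple[int, Dict[str, str]]:
        """Decide one call: returns (HTTP status, headers); 200 means forward to the back-end."""
        tier = self.app_tiers.get(app_id)
        if tier is None:
            return 401, {}                     # unknown app: reject before spending any quota
        bucket = self.buckets.get(app_id)
        if bucket is None:
            rate, burst = TIERS[tier]
            bucket = self.buckets[app_id] = TokenBucket(rate, burst)
        ok, wait = self.spike_arrest.take(now)
        if not ok:                             # API-wide ceiling hit: shed load, tell clients when to retry
            return 503, {"Retry-After": str(math.ceil(wait))}
        ok, wait = bucket.take(now)
        if not ok:                             # this app alone exceeded its quota
            return 429, {"Retry-After": str(math.ceil(wait))}
        return 200, {"X-RateLimit-Remaining": str(int(bucket.tokens))}


if __name__ == "__main__":
    limiter = RateLimiter({"mydir": "free"}, api_rate=100.0, api_burst=100)
    for t in (0.0, 0.0, 0.0, 0.0, 0.5, 1.0):   # four calls in a burst, then two later ones
        print(t, limiter.check("mydir", t))
```

Using an injected clock (`now`) keeps the limiter deterministic for tests; in production the gateway passes its monotonic clock, and the per-app buckets live in shared storage so that every gateway node enforces the same quota.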

SECURITY FEATURES OF AN API GATEWAY: OUT-OF-THE-BOX SECURITY POLICIES
- OpenID Provider/Relying Party
- OAuth 1.0a & 2.0 (all grant types)
- Developer/Partner key Auth & Az
- CORS management
- HTTP Basic-Auth
- Mutual SSL based authentication
- SAML 1.1 & 2.0 (STS included)
- WS-Trust 1.2 & 1.3
- WS-Security transport binding
- WS-Security username token
- WS-Security message encryption/signature
- Integration with AD, SiteMinder, OAM, RSA, ELCARD
- Cookie-based authentication
- Denial of service attack prevention
- SQL injection prevention
- Virus scanning
- XML schema validation
- Malicious pattern detection
- SLA/throttling by developer/partner
- Certificate (PKI) management (CA included)

API SECURITY GOVERNANCE: INTEGRATE INTO THE LIFE CYCLE
Lifecycle stages: Design, Develop, Test, Secure, Deploy, Doc., Govern
- Support for open standards & protocols (e.g. SAML, OAuth, TLS, etc.)
- Security & access control policies: authentication, authorization, transport-level security
- Input validation & vulnerability detection (XSS, CSRF, SQL injection, ...)
- Rate limiting & throttling

KEY TAKEAWAYS
- Follow an API threat model and build API security into your API products
- Ensure identity and security controls at every point of the API lifecycle and integrate best practice into the SDLC
- Gain visibility into API security risks and data sensitivity prior to deployment
- Protect sensitive data in transit and at rest
- Layered protection is key

Thank you.
Contact:
Nagib Aouini, Head of Cyber Security Services, ELCA, Nagib.aouini@elca.ch
Grégory Ruch, Cyber Security Expert, ELCA, Grégory.ruch@elca.ch
ELCA Informatique SA: Lausanne 021 613 21 11, Genève 022 307 15 11
ELCA Informatik AG: Zürich 044 456 32 11, Bern 031 556 63 11
www.elca.ch