Apigee engineers on the API Lifecycle and API Security at I Love APIs 2015. The role of Apigee Sense in API Security

1. 1
API Security Lifecycle
Joel D’sa
Product Security Engineering at
Apigee
Chris Von See
Global Architect at Apigee

2. Agenda
2
Secure API design
Secure API implementation
Demo
Facilitating Security for API Consumers
Operationalizing API Security and
Mitigating Threats
Mitigating Security Breaches
©2015 Apigee. All Rights Reserved.

3. Apigee Sense
3©2015 Apigee. All Rights Reserved.

4. API Security Lifecycle
Lifecycle
Design
Implement
Run-time
Security
Access
managemen
t
Audit
Monitor/Re
sponse
4
Design
Design for secure exposure of private
and public APIs
Implementation
Out of the box policies in edge to
improve API security
Run-time Security
Threat protection policies and token
management
Access
management
RBAC for API team, deployment
environments, logging, secure
debugging
Audit Secure logging and forwarding events
Monitoring &
Response
Breach detection & Mitigation

5. Leveraging API Façades
5
• Hide API back-end implementation details
• Configure security constraints and other processing
based on API consumer
• Carefully manage return of sensitive, inappropriate
or unauthorized data by APIs
• track device usage info and correlation to specific
users
API Façade http://www.theage.com.au/ffximage/2008/01/03/rg_sewage_wideweb__470x335,0.jpg

6. Design considerations
• Classify your APIs – use API products
• Classify your resources – use OAuth2 scopes
– Restricted Resources
– Private Resources
– Public Resources
• Establish and enforce SLAs
– Quota and Spike Arrest – Prevent Application denial of service
– Edge out of the box security policies – Prevent injection attacks, data leaks
• Inbound and Outbound communications security
– Edge SSL APIs – Manage your transport security
• Logging and Auditing
– Log access – Edge message logging
– Follow through with an audit policy
6

7. Security policies in Apigee Edge
7
Secure APIs and protect
back-end systems from
attack
Secure interactions
with API consumers
and optimize
performance

8. Securing the API – Run-time
8

9. Threat Protection – Best practices
• Use Conditionals and Fault Rules to reject input before it reaches the southbound
service
• Use the Extract Variables policy so that JSON and XML variables are parsed and
made available using secure parsers already built into Edge
• Use the JSON and XML Threat protection policies to establish content-level limits on
JSON and XML structures.
• Use the Regular Expression Protection policy to protect against SQL Injection, Cross
site and reflected cross site scripting attacks
• Use the SOAP Message Validation policy to validate a SOAP message against a
schema or WSDL
9

10. SSL
10©2015 Apigee. All Rights Reserved.
• Ensure that certificates are setup correctly
– Signed by a trusted CA
– Certificate key sizes must be 2048 bits or higher
• Follow NIST recommendations for protocol and cipher configurations
• Run SSL scans from nessus or qualys to ensure that your configuration is secure
• Apigee EDGE helps
– API to configure certificates and trust for incoming and outgoing TLS
– Configuration options for choosing the correct protocols and algorithms

11. Demo
11©2015 Apigee. All Rights Reserved.

12. Securing the Edge instance
12©2015 Apigee. All Rights Reserved.
Organization Trust Boundary
Environment Trust Boundary

13. Mitigating risks from compromised applications
– Monitor for unusual activity (traffic
volume/source, excessive authentication calls,
etc.)
– Revoke/re-approve/delete an API key
– Regenerate API keys and secrets
– Revoke/re-approve/delete some or all active
OAuth access and refresh tokens
– Dynamic invalidation via code in API proxies,
based on user IDs, device identifiers or other
criteria
13
When this happens… What do you do?

14. Questions?
14©2015 Apigee. All Rights Reserved.

15. Thank you
15©2015 Apigee. All Rights Reserved.