The difference between Web Apps, Web Services, and Web APIs, and how getting into Web APIs will change the way you do authentication and access control.
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliewer, Principal Consultant/Solutions Architect, CA Technologies
23. Greg Kliewer
Principal Consultant, Systems Architect
greg.kliewer@ca.com
@cainc
slideshare.net/CAinc
linkedin.com/company/ca-technologies
ca.com
Editor's notes
Web sites and portals. Customers accessed them via browsers on their desktop and laptop computers. There was no programmatic access from the WWW. APIs were exposed “behind the firewall” for web sites and portals to call, but they were not reachable from the WWW: the APIs were protected by network separation.
Web services used Web API technologies such as HTTP, SSL/TLS, and a language-independent, text-based grammar. They were mostly adopted for old-school API purposes: to connect applications “on the corporate network”, and to “service orient” the enterprise and deliver apps (often new web apps) quickly and less expensively. HOWEVER, there was some limited uptake of SOAP services to give business partners and corporate customers access to enterprise services and assets from the WWW: enterprise-to-enterprise integration.
Web APIs REQUIRE programmatic access from the WWW, and their consumers DID NOT EMBRACE PKI-based security. Why? Because the market for these apps is not corporations with whom we can contract and run technology projects. These apps are consumed by capital-C Consumers, who demand an impeccable user experience, including simple and easy installation. Show a picture of PKI (CA/RA and WoT). As a publisher of Web APIs, do not expect to identify who is calling by verifying digital signatures with asymmetric crypto operations.