Calgary MuleSoft Meetup Group
API Security
November 2020
Speakers:
Mandy Wong - API & Integration Specialist, Suncor Energy
Usha Krishnamoorthy - Lead Integration Developer, Incepta Solutions
Andrew Lie - Marketing Manager, Incepta Solutions
Facilitator:
Jimmy Attia - Senior Strategic Advisor, MuleSoft
Safe harbor statement
The information in this presentation is confidential and proprietary to MuleSoft and may not be disclosed without the
permission of MuleSoft. This presentation is not subject to your license agreement or any other service or
subscription agreement with MuleSoft. MuleSoft has no obligation to pursue any course of business outlined in this
document or any related presentation, or to develop or release any functionality mentioned therein. This document,
or any related presentation and MuleSoft's strategy and possible future developments, products and or platforms
directions and functionality are all subject to change and may be changed by MuleSoft at any time for any reason
without notice. The information on this document is not a commitment, promise or legal obligation to deliver any
material, code or functionality. This document is provided without a warranty of any kind, either express or implied,
including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or
non-infringement. This document is for informational purposes and may not be incorporated into a contract.
MuleSoft assumes no responsibility for errors or omissions in this document, except if such damages were caused by
MuleSoft intentionally or grossly negligent.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Agenda
1. Jimmy
a. Introduction
b. Meeting Logistics
2. Mandy
a. A Customer’s Journey on the Road to Security
b. What Worked and What Didn’t
3. Usha
a. Background
b. API Threats
c. API Security Solutions
d. API Security Best Practices
e. Securing Through Mulesoft
f. API Security Achieved
g. Key Takeaways
4. Q&A
5. Wrap up and Announcement of Trivia Winners
A Customer’s Journey on
the Road to Security
Customer’s Perspective on Security
● As a customer, how do we follow API-led connectivity while securing our
API assets?
● There are 3 different architectures for deployment:
○ On-Prem, Hybrid, and CloudHub
● Are the security practices for each type of deployment different?
● What are the fundamental principles of securing APIs?
● How and when do we use the numerous API policies available to us in
MuleSoft?
Customer’s Perspective on Security
● Depending on how many external vendors we work with, there are
different levels of API exposure
○ Expose our API endpoint(s) to just one partner
○ Expose our API endpoint(s) to multiple vendors and partners
○ Make our API endpoint(s) open to the entire public, just like
Amazon and Google do
● What security protocols do we use to protect our API assets from
data breaches and attacks in each of these cases?
Why API Security Matters
● With the recent increase of API development driving IoT (which plays
a central role in digital transformation), API security needs to
become a top priority
● Gartner’s report on “How to Build an Effective API Security Strategy”
predicts that API abuses will be the leading cause of enterprise web
applications data breaches
● It recommends a continuous approach by incorporating security into
the API lifecycle, with security designed and implemented directly in
APIs
What API Security Entails
● API security is about focusing on securing any APIs you expose,
whether directly or indirectly
● We categorize security as we know it into 3 categories:
Access Control, Rate Limiting, and Content Validation
● Access Control includes OAuth and access rule definition and enforcement
● Rate Limiting includes limiting the number of requests, quotas, and
spike control so APIs do not get overwhelmed
● Content Validation includes validating the input/output content
Form of Security: API Proxies
● API proxies can act as a form of security, acting as a “facade” so external
apps do not call your API directly
● They play a role in rate limiting and quotas, which helps mitigate distributed
denial-of-service (DDoS) attacks, and they provide Transport Layer Security
(TLS)
● They control the flow of traffic and access to microservices
● They can also encrypt the data sent by the app
● They are quick and cost-effective
Form of Security: API Gateways
● API gateways are a more robust form of security
● They use more advanced security features such as OAuth and OpenID to
authenticate users
● They also perform traffic routing, throttling, orchestration, and load
balancing
● They act as a reverse proxy to restrict which kinds of microservices
external apps can use
● Configuration can be complex, which can result in slow or poor performance
API Gateways and Proxies in MuleSoft
● MuleSoft’s API manager leverages the runtime capabilities of API
Gateway
● Mule runtime engine has an embedded API gateway
○ Essentially we use the Mule runtime as an API gateway
● API Manager automatically generates a proxy app when you select the
option to configure the API as an “endpoint with a proxy”
BACKGROUND
Journey of APIs
Background of APIs
● Brief history of APIs – quick timeline
○ 1950s – 1970s: Subroutines, libraries, FORTRAN, the IBM instruction set, C standard libraries
○ 1980s – 1990s: Interfaces between hardware and the OS, BIOS, printers, CLIs, etc.
○ 1990s – 2000s: Windows OS APIs, UNIX, Java class libraries and functions, Delicious web APIs
● Rise of API-based IT solutions (2000s onwards)
○ CRM – Salesforce officially launched its API on February 7, 2000
○ eBay – On November 20, 2000, eBay launched the eBay Application Program Interface (API)
along with the eBay Developers Program
○ Amazon – On July 16, 2002, Amazon launched Amazon.com Web Services
● The present and the possible future
○ Social media boom – Facebook, Flickr, Twitter, etc.
○ Mobile apps for every business – banks, retail, travel, etc.
○ Smart devices – IoT, AI and assistants
Overall Security Areas
● Infrastructure
○ Architecture
○ Networking & VPCs
○ Load balancing
○ Firewalls
● Solutions
○ Design and structure
○ Data handling
○ Connectivity
● Data
○ Storage and management
○ Access control
Incidents of Breaches
Reports and Trends
● Cyber Attacks
○ Malware
○ Web-based attacks
○ Web app/injection attacks
○ Phishing
○ DDoS (Distributed Denial of Service)
API THREATS
Security Threats
REST API Security Threats
● Injection Attacks – Malicious untrusted data, usually a query or a script, is embedded into an
unsecured software program
● Man-In-The-Middle Attack (MITM) – An unauthorized third party secretly relays and possibly
alters the communications between two parties
● CSRF Attack – Cross-Site Request Forgery (CSRF) forces logged-in users to silently open URLs that
perform actions unintentionally
REST API Security Threats
● Broken Access Control – An attacker can bypass or
control authentication into web applications by
compromising web tokens, API keys, passwords,
account recovery options, password reset methods, etc.
● Distributed Denial of Service – The most common type
of attack, where a malicious attempt is made to disrupt
normal traffic
● Web Parameter Tampering – Based on the
manipulation of parameters exchanged between client
and server
● Sensitive Data Exposure – When sensitive data isn’t
encrypted in transit or at rest, it could lead to abuse of
this information
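The three threats that an API implementation itself causes (injection, broken access control and web parameter tampering) are easiest to see side by side. The following is an added example, not code from the slides or from MuleSoft: one hypothetical "fetch my order" endpoint and one "checkout" step, each written the vulnerable way and the hardened way. The in-memory sqlite3 database, its table and its two rows are constructed for this example.

```python
# Added example (not from the slides): one "fetch my order" endpoint and one
# "checkout" step written the vulnerable way and the hardened way, to show
# where injection, broken access control and parameter tampering come from and
# how the hardened handlers close them. The in-memory sqlite3 database, its
# table and its two rows are constructed; the orders API itself is hypothetical.
import sqlite3


def build_db():
    """Constructed sample data: two customers, one order each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(1, "alice", "router", 120.0), (2, "bob", "switch", 340.0)],
    )
    return conn


def get_order_vulnerable(conn, caller, order_id):
    """Vulnerable: the untrusted order_id string is concatenated into SQL
    (injection) and the caller's identity is never compared with the row's
    owner (broken access control), so any caller can read any order."""
    sql = "SELECT id, owner, item, price FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


def get_order_hardened(conn, caller, order_id):
    """Hardened: validate the parameter's shape, bind it as a query parameter,
    and enforce ownership on the server side rather than trusting the client."""
    if not order_id.isdigit():
        raise ValueError("order id must be a positive integer")
    return conn.execute(
        "SELECT id, owner, item, price FROM orders WHERE id = ? AND owner = ?",
        (int(order_id), caller),
    ).fetchall()


def checkout_vulnerable(conn, order_id, price_from_client):
    """Vulnerable: charges whatever price the client put in the request body
    (web parameter tampering)."""
    return price_from_client


def checkout_hardened(conn, order_id, price_from_client):
    """Hardened: the authoritative price is read from the server-side record;
    the client's copy is only cross-checked and any mismatch is rejected."""
    row = conn.execute("SELECT price FROM orders WHERE id = ?", (order_id,)).fetchone()
    if row is None:
        raise LookupError("unknown order")
    if abs(row[0] - price_from_client) > 1e-9:
        raise ValueError("client-supplied price does not match the order")
    return row[0]
```

The hardened versions apply the "treat all submitted data as untrusted" rule from the best-practice slides: the identifier is validated and bound, the ownership check lives in the query rather than in the client, and the price the client sends is never the value that gets charged.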
API SECURITY SOLUTIONS
Security as a design principle
Security Building Blocks
Industry Standards and Compliances
API SECURITY BEST PRACTICES
Security as a design principle
API Security Best Practices
● API Design
○ Resistant to attacks
○ Limited/restricted access to end systems
○ Share minimum and only required data
● Framework Design
○ Audit access to sensitive data
○ Log and monitor for usage, performance, and activity
○ Integrate security testing
○ Use gateways and proxies instead of whitelists
○ Object stores – do not store sensitive information in memory
● Transport Level Secure Communications
○ Enable TLS 1.2 or subsequent versions, in accordance with CSE guidance
API Security Best Practices
● Identity and Access Management
○ Authenticate and authorize before any operation
■ User and app authentication
■ API and server authentication
■ User and app authorization
○ Use open standards such as OpenID Connect and
Open Authorization 2.0 (OAuth 2.0)
○ Single Sign-on
○ MFA
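"Authenticate and authorize before any operation" is concrete once you write down what a gateway checks on a bearer token. The following is an added example, not code from the slides or from MuleSoft: an HS256 JWT is minted and then validated (algorithm pinned, signature verified, expiry and audience checked) before a scope check decides authorization. HS256 with a shared secret keeps it runnable with the standard library alone; a production gateway would more typically verify RS256/ES256 tokens against the identity provider's published keys. The secret, audience and scope names are constructed for this example.

```python
# Added example (not from the slides): the checks a gateway performs on a
# bearer token before it lets any operation through: the algorithm header, the
# signature, expiry, audience, and then the scope needed for the operation.
# HS256 with a shared secret keeps it standard-library only; the secret,
# audience and scope names are constructed for this example.
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret):
    """Issue an HS256 JWT; stands in for the identity provider."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token, secret, audience, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    # Pin the algorithm: never let the token choose it. This rejects "none"
    # tokens and key-confusion tokens signed with a different algorithm.
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    # Only now is the payload trusted enough to read.
    claims = json.loads(_b64url_decode(body))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def authorize(claims, required_scope):
    """Authorization after authentication: the token must carry the scope."""
    return required_scope in claims.get("scope", "").split()


def validation_error(token, secret, audience, now=None):
    """The gateway's view: None if the token is accepted, otherwise the reason
    it would log next to the 401 response."""
    try:
        validate_token(token, secret, audience, now)
    except ValueError as exc:
        return str(exc)
    return None
```

The order matters: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the token, and `exp` is mandatory rather than optional, so a token that omits it is rejected instead of living forever.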
API Security Best Practices
● Data Security and Principles
○ Treat all submitted data as untrusted
and validate before processing
○ Avoid including sensitive data in request URLs
○ Audit trail of access to sensitive data
○ Avoid temporary storage of business data
○ Data masking, encryption of sensitive data, etc.
○ Message Integrity
■ Digital Signatures
○ Message Confidentiality
■ Public Key Cryptography
■ Digital Certificates
■ TLS (HTTPS)
SECURING THROUGH MULESOFT
Anypoint Deployment Strategies
● CloudHub
● Hybrid: customer hosted runtime + management plane on cloud
● Anypoint platform on Private Cloud
● Anypoint Runtime Fabric
How to Secure CloudHub Architecture
● API Manager
● Secret Manager
● Access Manager
● Monitoring Dashboards
● Alerting Mechanism
● Ability to externalize logs for
analysis
MuleSoft API Manager
● API Manager Policy types
○ Default Policies
○ Automated Policies
○ Custom Policies
● Policy classification
○ Security
○ Compliance
○ Transformation
○ Troubleshooting
○ Quality of Service
MuleSoft Provided API Policies
● Security
○ Basic Authentication – LDAP – Authenticates credentials against an LDAP directory (Lightweight Directory Access
Protocol, Active Directory)
○ Basic Authentication – Simple – Authenticates a single username and password
○ IP Blacklist – Blocks a range of IP addresses
○ IP Whitelist – Allows access from only a preapproved range of IP addresses
○ JSON Threat Protection – Protects against a malicious JSON structure in API requests
○ XML Threat Protection – Protects against malicious XML elements in API requests
○ Client ID Enforcement – Allows access to client applications with valid client credentials
○ JWT – Validates a JSON Web Token (JWT)
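What "protects against a malicious JSON structure" means in practice is a set of structural limits applied before the API implementation ever parses the body. The following is an added example, not code from the slides or MuleSoft's policy: it enforces limits on container depth, string length, entry-name length, object entry count and array element count, which are the kinds of limits such a policy exposes; the limit names and default values are this example's own, not the product's configuration keys.

```python
# Added example (not from the slides): the structural limits a JSON threat
# protection policy enforces on a request body before the API implementation
# sees it. The limit names and defaults are this example's own, not the
# product's configuration keys.
import json


class JsonThreat(ValueError):
    """Raised with the reason a body is rejected; the gateway answers 400."""


def check_json_threats(body, *, max_depth=4, max_string_len=64,
                       max_entry_name_len=32, max_entries=16, max_array_len=16):
    """Parse the body and walk it against the limits; return the document if
    it passes, raise JsonThreat otherwise."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise JsonThreat(f"malformed JSON: {exc.msg}") from None
    except RecursionError:
        # A pathologically deep document exhausts the parser's recursion before
        # the depth limit can even be applied: reject it outright rather than
        # letting the error propagate as a 500 from the implementation.
        raise JsonThreat("nesting exceeds parser limits") from None
    limits = dict(max_depth=max_depth, max_string_len=max_string_len,
                  max_entry_name_len=max_entry_name_len,
                  max_entries=max_entries, max_array_len=max_array_len)
    _walk(doc, 1, limits)
    return doc


def _walk(node, depth, limits):
    """Depth-first check; the top-level container is at depth 1."""
    if isinstance(node, dict):
        if depth > limits["max_depth"]:
            raise JsonThreat(f"container depth {depth} exceeds {limits['max_depth']}")
        if len(node) > limits["max_entries"]:
            raise JsonThreat(f"object has {len(node)} entries, limit {limits['max_entries']}")
        for name, value in node.items():
            if len(name) > limits["max_entry_name_len"]:
                raise JsonThreat(f"entry name of length {len(name)} exceeds limit")
            _walk(value, depth + 1, limits)
    elif isinstance(node, list):
        if depth > limits["max_depth"]:
            raise JsonThreat(f"container depth {depth} exceeds {limits['max_depth']}")
        if len(node) > limits["max_array_len"]:
            raise JsonThreat(f"array has {len(node)} elements, limit {limits['max_array_len']}")
        for value in node:
            _walk(value, depth + 1, limits)
    elif isinstance(node, str) and len(node) > limits["max_string_len"]:
        raise JsonThreat(f"string of length {len(node)} exceeds limit")


def rejection_reason(body, **limits):
    """Return None if the body passes, else the reason string."""
    try:
        check_json_threats(body, **limits)
    except JsonThreat as exc:
        return str(exc)
    return None
```

One design point worth noting: this version parses first and checks afterwards, which is fine for a demonstration but means the parser itself has already done the work on an oversized body. A gateway policy applies the same limits while streaming the input, so a body that breaks a limit is rejected before the rest of it is read.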
MuleSoft Provided API Policies
● Security
○ OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider Policy – Enforces access tokens
issued by the MuleSoft OAuth Provider policy
○ OpenAM Access Token Enforcement – Restricts access to a protected resource using an OpenAM
authentication server
○ PingFederate Access Token Enforcement – Restricts access to a protected resource using the
PingFederate authentication server
○ Tokenization – Transforms sensitive data into non-sensitive equivalent tokens
○ Detokenization – Transforms a tokenized value back to the original data
MuleSoft Provided API Policies
● Compliance
○ Client ID Enforcement – Allows access to client applications with valid client credentials
○ CORS – Enables calls executed in a web page to interact with resources from different domains
● Quality of Service
○ HTTP Caching – Stores HTTP responses from an API implementation
○ Rate Limiting – Imposes a limit on the number of requests that an API can accept within a
specified time
○ Rate Limiting, SLA-Based – Imposes an API request limit based on SLA tiers
○ Spike Control – Controls API traffic and provides a queuing feature
● Message Logging – Logs a custom message when an API is invoked
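The quality-of-service policies above are admission decisions, and their behaviour is clearest as code. The following is an added example, not code from the slides or MuleSoft: a fixed-window rate limiter whose limit comes from the client's SLA tier, and a spike control that caps concurrent requests, queues a bounded number of the rest and rejects the overflow. Tier names, limits, queue sizes and client IDs are constructed for this example; in the product these decisions are made by the gateway policy, not by the API implementation.

```python
# Added example (not from the slides): the admission logic behind an SLA-based
# rate limiting policy and a spike control policy. Tier names, limits, queue
# sizes and client IDs are constructed for this example.
from collections import deque


class RateLimiter:
    """Per-client fixed window: at most `limit` requests per `window_seconds`,
    where the limit depends on the SLA tier the client was approved for."""

    def __init__(self, limits_per_tier, window_seconds):
        self.limits = limits_per_tier
        self.window = window_seconds
        self.state = {}  # client_id -> [window_start, count]

    def allow(self, client_id, tier, now):
        """Return (allowed, remaining_in_window); `now` is in seconds."""
        limit = self.limits[tier]
        window_start = now - (now % self.window)
        start, count = self.state.get(client_id, (window_start, 0))
        if start != window_start:
            start, count = window_start, 0  # a new window resets the counter
        if count >= limit:
            self.state[client_id] = [start, count]
            return False, 0  # the gateway answers 429 without touching the API
        count += 1
        self.state[client_id] = [start, count]
        return True, limit - count


class SpikeControl:
    """Cap in-flight requests; queue up to `queue_size` more; reject the rest."""

    def __init__(self, max_concurrent, queue_size):
        self.max_concurrent = max_concurrent
        self.queue_size = queue_size
        self.in_flight = set()
        self.queue = deque()

    def admit(self, request_id):
        """Return "admitted", "queued" or "rejected" for a new request."""
        if len(self.in_flight) < self.max_concurrent:
            self.in_flight.add(request_id)
            return "admitted"
        if len(self.queue) < self.queue_size:
            self.queue.append(request_id)
            return "queued"
        return "rejected"  # the client sees 429 and should back off

    def release(self, request_id):
        """A request finished; promote the oldest queued request, if any, and
        return its id (None if nothing was waiting)."""
        self.in_flight.discard(request_id)
        if self.queue and len(self.in_flight) < self.max_concurrent:
            promoted = self.queue.popleft()
            self.in_flight.add(promoted)
            return promoted
        return None
```

The difference between the two is what they protect: the rate limiter enforces a contract per client over time (the SLA tier), while spike control protects the backend from a burst regardless of who sends it, which is why the slides place spike control at the system layer as well as the experience layer.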
When and Where to Apply API Policies

API Layer    Category            Policy (generally applied)
Experience   Compliance          Client ID enforcement, CORS
             Security            Basic authentication, JSON/XML threat protection, IP whitelisting (blacklisting), OAuth, Tokenization/Detokenization
             Quality of Service  Rate limiting (SLA-based), Spike control, HTTP caching
Process      Compliance          Client ID enforcement
             Security            Basic authentication, Tokenization/Detokenization
             Quality of Service  Rate limiting
System       Compliance          Client ID enforcement
             Security            Basic authentication, Tokenization/Detokenization
             Quality of Service  Rate limiting, Spike control
MuleSoft Monitoring & Alerts
API Manager Alerts
● An API alert is an alarm that flags
one of the following problems:
○ The API request violates a policy
■ Automated Policies
○ Requests received by the API exceed a
given number within a period of time
○ The API returns a specified
HTTP error code
○ The API response time exceeds
a certain amount
Runtime Manager Alerts
● Number of errors
○ The number of errors in one minute reaches
the specified limit
● Number of Mule messages
○ The number of Mule messages since the
application started reaches the specified limit
● Response time
○ The response time crosses the specified limit
● Use Runtime Manager to export data to external
analytics tools
○ Splunk and ELK plugins
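Once logs are exported to an external analytics tool, the alert conditions from the two slides above become queries you can run yourself. The following is an added example, not code from the slides or from MuleSoft: it evaluates those conditions (policy violation, request count over a period, a specified HTTP error code, response time over a threshold, and errors per minute reaching a limit) over constructed gateway access-log lines. The log format, the API names and the thresholds are this example's own; the products evaluate the same kinds of conditions on their own telemetry.

```python
# Added example (not from the slides): the alert conditions listed on the API
# Manager and Runtime Manager alert slides, evaluated over constructed
# access-log lines. The log format (epoch seconds, API, client, status,
# latency, policy outcome), the API names and the thresholds are this
# example's own.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<api>\S+) (?P<client>\S+) (?P<status>\d{3}) "
    r"(?P<ms>\d+)ms (?P<policy>OK|POLICY_VIOLATION)$"
)

# Constructed sample: a burst on orders-api, one policy rejection, one slow
# call, and repeated 5xx responses from inventory-api within one minute.
SAMPLE_LOG = """\
0 orders-api app1 200 120ms OK
5 orders-api app1 200 95ms OK
10 orders-api app2 401 3ms POLICY_VIOLATION
15 orders-api app1 200 110ms OK
20 orders-api app1 200 1450ms OK
25 orders-api app1 500 30ms OK
30 orders-api app1 200 100ms OK
40 inventory-api app3 500 20ms OK
50 inventory-api app3 500 22ms OK
70 inventory-api app3 200 80ms OK
"""


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"], rec["status"], rec["ms"] = int(rec["ts"]), int(rec["status"]), int(rec["ms"])
            yield rec


def evaluate_alerts(records, *, max_requests=5, period=60, error_status=500,
                    errors_per_minute_limit=2, max_response_ms=800):
    """Return the set of (alert_kind, api, detail) tuples the records trigger."""
    alerts = set()
    requests_per_window = defaultdict(int)   # (api, window index) -> requests
    errors_per_minute = defaultdict(int)     # (api, minute index) -> 5xx count
    for r in records:
        api = r["api"]
        if r["policy"] == "POLICY_VIOLATION":
            alerts.add(("policy_violation", api, r["client"]))
        if r["status"] == error_status:
            alerts.add(("error_code", api, str(error_status)))
        if r["ms"] > max_response_ms:
            alerts.add(("slow_response", api, f"{r['ms']}ms"))
        requests_per_window[(api, r["ts"] // period)] += 1
        if 500 <= r["status"] <= 599:
            errors_per_minute[(api, r["ts"] // 60)] += 1
    for (api, _), n in requests_per_window.items():
        if n > max_requests:  # "exceed a given number within a period"
            alerts.add(("request_count", api, str(n)))
    for (api, _), n in errors_per_minute.items():
        if n >= errors_per_minute_limit:  # "reaches the specified limit"
            alerts.add(("errors_per_minute", api, str(n)))
    return alerts


def alerts_for_sample():
    """Evaluate the constructed sample with the default thresholds."""
    return sorted(evaluate_alerts(parse_log(SAMPLE_LOG)))
```

Two of the conditions use different comparisons on purpose: the request-count alert fires when the count exceeds the limit, while the Runtime Manager error alert fires when the count reaches it, matching the wording on the slides.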
A Secure CloudHub Architecture with VPC
● Connect resources behind the
corporate firewall
● Dedicated subnet on CloudHub
to deploy the organization’s
implementations
● Security is paramount
● Place system and process APIs in the VPC
● Load Balancers – SLB (Shared),
DLB (Dedicated)
On-premise - Local
● Connect resources behind the corporate firewall
● Security is paramount
● DMZ (Demilitarized Zone) – connects to the
internet
● Internal network – no access to the Internet, hosts
org assets
● Place system and process APIs in the internal network
● Place experience APIs in the DMZ
Runtime Fabric
● Container service that automates
deployment and orchestration of Mule
applications and API gateways
● Install on multi-cloud environments and data centers
● Features:
○ Application Isolation
○ Multiple Runtimes
○ High Availability
○ Supports horizontal and vertical scaling
● Security – code, container, cluster, cloud
Customer Hosted Runtimes on Private Cloud
● Connect to resources in the
organization’s private network
● Host runtimes on a private cloud
such as Azure or AWS
● Place system APIs in the private cloud to
access on-prem data via a VPN gateway
● Experience APIs can be in the DMZ
● Security will be applied across firewalls,
proxies, VPNs, and load balancers
IS API SECURITY ACHIEVED?
Are the APIs truly secured?
Perform “Test Attacks” on APIs
● Try some attacks yourself
● Find some tools or apps to test policies
● Have the organization’s security department test the code and environment
● Have professionals attack and assess API security
● Regular pen tests (security testing as a service embedded in the SDLC)
Security Testing Areas
● Credentials
● Authentication
● Authorization
● Session
● Privacy
● Data
● Certificates
● Source
● System
● Files
● Logs
● Emails
● Services
● Cryptography
● Architecture
● Networks
● Virtualization
● Physical
● Mobile
● Social
KEY TAKEAWAYS
Key Takeaways
● Know the big picture, the infrastructure, and the business
● Security comes at a cost
● There will be side-effects
● Only recommend what’s right and needed
● There’s no one way to do it
● Ensure it gets thoroughly tested for security
● Security is not a one-time activity
● Leverage proactive monitoring and implement policies
● Follow best practices and be as restrictive as possible in API design
● Discuss in the community, and let MuleSoft know for additional support
Q&A
WRAP UP & ANNOUNCEMENT OF TRIVIA WINNERS
ABOUT INCEPTA
● Proud partner of MuleSoft for a number of years; one of the first partners in Canada in its early stage
● Trusted IT partner for digital innovation, with a global presence
● Growth 2020 List: named one of Canada’s fastest-growing companies
● Our mission:
To provide business solutions to not only solve challenges, but to accelerate growth and customer success
● Our areas of expertise:
Digital Transformation, Integration, Data Management, Customer 360, Cloud Strategy, & Cybersecurity
● Our solution:
Cutting-edge integration and automation solutions with the latest technology
that transforms visions into realities
Stay connected on social
Incepta Solutions
@InceptaS
Incepta Solutions
@InceptaSolutions
Thank you

Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Dernier (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Virtual Meetup - API Security Best Practices

  • 3. Agenda
    1. Jimmy
       a. Introduction
       b. Meeting logistics
    2. Mandy
       a. A customer's journey on the road to security
       b. What worked and what didn't
    3. Usha
       a. Background
       b. API threats
       c. API security solutions
       d. API security best practices
       e. Securing through MuleSoft
       f. API security achieved
       g. Key takeaways
    4. Q&A
    5. Wrap up and announcement of trivia winners
  • 4. A Customer’s Journey on the Road to Security
  • 5. Customer's Perspective on Security
    ● As a customer, how do we follow API-led connectivity while securing our API assets?
    ● There are three different deployment architectures: on-prem, hybrid, and CloudHub
    ● Are the security practices for each type of deployment different?
    ● What are the fundamental principles of securing APIs?
    ● How and when do we use the numerous API policies available to us in MuleSoft?
  • 6. Customer's Perspective on Security
    ● Depending on how many external vendors we work with, there are different levels of API exposure
      ○ Expose our API endpoint(s) to just one partner
      ○ Expose our API endpoint(s) to multiple vendors and partners
      ○ Make our API endpoint(s) open to the entire public, as Amazon and Google do
    ● What security controls do we use to protect our API assets from data breaches and attacks in each case?
  • 7. Why API Security Matters
    ● With the recent increase in API development driving IoT (which plays a central role in digital transformation), API security needs to become a top priority
    ● Gartner's report "How to Build an Effective API Security Strategy" predicts that API abuses will be the leading cause of data breaches in enterprise web applications
    ● It recommends a continuous approach that builds security into the API lifecycle, with security designed and implemented directly in the APIs
  • 8. What API Security Entails
    ● API security is about securing every API you expose, whether directly or indirectly
    ● We categorize security as we know it into three categories: access control, rate limiting, and content validation
    ● Access control includes OAuth and the definition and enforcement of access rules
    ● Rate limiting includes limiting the number of requests, quotas, and spike control so APIs do not get overwhelmed
    ● Content validation includes validating input and output content
  • 9. Form of Security: API Proxies
    ● An API proxy can act as a first layer of security: it is a "facade" in front of the implementation, so external apps never call your API directly and the backend address stays hidden
    ● Proxies enforce rate limiting and quotas, which blunts denial-of-service (DoS/DDoS) traffic before it reaches the implementation
    ● Proxies terminate Transport Layer Security (TLS), so data between the app and the proxy is encrypted in transit (TLS protects confidentiality and integrity; it does not by itself stop DDoS)
    ● They control the flow of traffic and access to microservices
    ● They are quick and cost-effective to deploy
  • 10. Form of Security: API Gateways
    ● API gateways are a more robust form of security
    ● They support richer authentication and authorization, for example validating OAuth 2.0 access tokens and OpenID Connect identity tokens rather than only API keys
    ● They also perform traffic routing, throttling, orchestration, and load balancing
    ● They act as a reverse proxy that restricts which microservices external apps can reach
    ● Configuration can be complex, and a misconfigured or overloaded gateway adds latency to every call
  • 11. API Gateways and Proxies in MuleSoft
    ● MuleSoft's API Manager leverages the runtime capabilities of the API gateway
    ● The Mule runtime engine has an embedded API gateway
      ○ Essentially, the Mule runtime is used as the API gateway
    ● API Manager automatically generates a proxy application when you choose to configure the API as an "endpoint with a proxy"
  • 13. Background of APIs
    ● Brief history of APIs – quick timeline
      ○ 1950s – 1970s: Subroutines, libraries, FORTRAN, the IBM instruction set, C standard libraries
      ○ 1980s – 1990s: Interfaces between hardware and OS, BIOS, printers, CLIs, etc.
      ○ 1990s – 2000s: Windows OS APIs, UNIX, Java class libraries and functions, Delicious web APIs
    ● Rise of API-based IT solutions (2000s onwards)
      ○ CRM – Salesforce officially launched its API on February 7, 2000
      ○ eBay – On November 20, 2000, eBay launched the eBay Application Program Interface (API) along with the eBay Developers Program
      ○ Amazon – On July 16, 2002, Amazon launched Amazon.com Web Services
    ● The present and the possible future
      ○ Social media boom – FB, Flickr, Twitter, etc.
      ○ Mobile apps for every business – banks, retail, travel, etc.
      ○ Smart devices – IoT, AI and assistants
  • 14. Overall Security Areas
    ● Infrastructure
      ○ Architecture
      ○ Networking and VPCs
      ○ Load balancing
      ○ Firewalls
    ● Solutions
      ○ Design and structure
      ○ Data handling
      ○ Connectivity
    ● Data
      ○ Storage and management
      ○ Access control
  • 17. Reports and Trends
    ● Cyber attacks
      ○ Malware
      ○ Web-based attacks
      ○ Web app / injection attacks
      ○ Phishing
      ○ DDoS (distributed denial of service)
  • 19. REST API Security Threats
    ● Injection attacks – Malicious, untrusted input (typically a query fragment or a script) is passed into an interpreter by a program that fails to validate or parameterize it
    ● Man-in-the-middle (MITM) – An unauthorized third party secretly relays, and possibly alters, the communication between two parties that believe they are talking to each other directly
    ● Cross-site request forgery (CSRF) – A logged-in user's browser is tricked into silently sending a request that performs an action the user did not intend; an API that relies on cookies alone for authentication is exposed to this
  • 20. REST API Security Threats
    ● Broken authentication and access control – An attacker bypasses authentication (by compromising web tokens, API keys, passwords, account recovery options or password reset flows) or acts outside the permissions they were granted, for example by requesting another user's object by its ID
    ● Distributed denial of service (DDoS) – One of the most common attacks: a flood of traffic intended to disrupt normal service
    ● Web parameter tampering – Manipulation of the parameters exchanged between client and server (query strings, form fields, headers, cookies) to change prices, identifiers or privileges
    ● Sensitive data exposure – When sensitive data is not encrypted in transit or at rest, or is returned in responses that do not need it, it can be captured and abused
  • 21. API SECURITY SOLUTIONS – Security as a design principle
  • 23. Industry Standards and Compliance
  • 24. API SECURITY BEST PRACTICES – Security as a design principle
  • 25. API Security Best Practices
    ● API design
      ○ Resistant to attacks
      ○ Limited/restricted access to end systems
      ○ Share the minimum data required
    ● Framework design
      ○ Audit access to sensitive data
      ○ Log and monitor usage, performance, and activity
      ○ Integrate security testing into the delivery pipeline
      ○ Use gateways and proxies rather than relying on IP whitelists alone
      ○ Object stores – do not keep sensitive information in memory
    ● Transport-level secure communications
      ○ Enable TLS 1.2 or later, in accordance with CSE (Communications Security Establishment) guidance
  • 26. API Security Best Practices
    ● Identity and access management
      ○ Authenticate and authorize before any operation
        ■ User and app authentication
        ■ API and server authentication
        ■ User and app authorization
      ○ Use open standards such as OpenID Connect and OAuth 2.0 (Open Authorization 2.0)
      ○ Single sign-on
      ○ Multi-factor authentication (MFA)
  • 27. API Security Best Practices
    ● Data security and principles
      ○ Treat all submitted data as untrusted and validate it before processing
      ○ Avoid including sensitive data in request URLs (they end up in logs, proxies and browser history)
      ○ Keep an audit trail of access to sensitive data
      ○ Avoid temporary storage of business data
      ○ Data masking, encryption of sensitive data, etc.
      ○ Message integrity
        ■ Digital signatures
      ○ Message confidentiality
        ■ Public key cryptography
        ■ Digital certificates
        ■ TLS (HTTPS)
  • 29. Anypoint Deployment Strategies
    ● CloudHub
    ● Hybrid: customer-hosted runtime + management plane in the cloud
    ● Anypoint Platform on private cloud
    ● Anypoint Runtime Fabric
  • 30. How to Secure a CloudHub Architecture
    ● API Manager
    ● Secrets Manager
    ● Access Management
    ● Monitoring dashboards
    ● Alerting mechanism
    ● Ability to externalize logs for analysis
  • 31. MuleSoft API Manager
    ● API Manager policy types
      ○ Default policies
      ○ Automated policies
      ○ Custom policies
    ● Policy classification
      ○ Security
      ○ Compliance
      ○ Transformation
      ○ Troubleshooting
      ○ Quality of service
  • 32. MuleSoft Provided API Policies
    ● Security
      ○ Basic Authentication – LDAP – Authenticates credentials against an LDAP directory (Lightweight Directory Access Protocol, e.g. Active Directory)
      ○ Basic Authentication – Simple – Authenticates a single username and password configured in the policy
      ○ IP Blacklist – Blocks a range of IP addresses
      ○ IP Whitelist – Allows access only from a pre-approved range of IP addresses
      ○ JSON Threat Protection – Protects against maliciously structured JSON in API requests (excessive nesting, oversized strings, arrays or objects)
      ○ XML Threat Protection – Protects against malicious XML elements in API requests
      ○ Client ID Enforcement – Allows access only to client applications that present valid client credentials (client ID and secret)
      ○ JWT – Validates a JSON Web Token (signature, expiry and configured claims)
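The JSON Threat Protection policy listed above bounds the shape of a request body rather than its meaning. The following is an added example, written for this page and not MuleSoft's policy code, of the same kind of structural limits in Python; the limit names mirror the policy's settings, but every value, the byte-size cap and the `inspect_request_body` entry point are assumptions chosen for illustration:

```python
"""Structural checks in the spirit of a JSON threat protection policy.
Added example; not MuleSoft's policy implementation."""
import json

# Limit values are assumptions for this example; a real policy reads them
# from its configuration.
MAX_BODY_BYTES = 64 * 1024
LIMITS = {
    "max_container_depth": 3,            # nesting level of objects/arrays
    "max_string_value_length": 64,       # characters in any string value
    "max_object_entry_name_length": 16,  # characters in any key
    "max_object_entry_count": 10,        # keys in any one object
    "max_array_element_count": 20,       # elements in any one array
}


class ThreatDetected(ValueError):
    """Raised on the first structural limit a document violates."""


def check_json(doc, limits=LIMITS):
    """Walk an already-parsed document iteratively (no recursion, so a deep
    payload cannot exhaust the checker's own stack) and enforce each limit.
    Returns the deepest container level seen when the document is clean."""
    deepest = 0
    pending = [(doc, 1)]  # (node, nesting level of the container holding it)
    while pending:
        node, depth = pending.pop()
        if isinstance(node, (dict, list)):
            if depth > limits["max_container_depth"]:
                raise ThreatDetected(
                    f"container depth {depth} exceeds {limits['max_container_depth']}")
            deepest = max(deepest, depth)
        if isinstance(node, dict):
            if len(node) > limits["max_object_entry_count"]:
                raise ThreatDetected(
                    f"object with {len(node)} entries exceeds {limits['max_object_entry_count']}")
            for key, value in node.items():
                if len(key) > limits["max_object_entry_name_length"]:
                    raise ThreatDetected(
                        f"entry name of {len(key)} chars exceeds {limits['max_object_entry_name_length']}")
                pending.append((value, depth + 1))
        elif isinstance(node, list):
            if len(node) > limits["max_array_element_count"]:
                raise ThreatDetected(
                    f"array with {len(node)} elements exceeds {limits['max_array_element_count']}")
            pending.extend((value, depth + 1) for value in node)
        elif isinstance(node, str):
            if len(node) > limits["max_string_value_length"]:
                raise ThreatDetected(
                    f"string value of {len(node)} chars exceeds {limits['max_string_value_length']}")
    return deepest


def inspect_request_body(raw, limits=LIMITS, max_bytes=MAX_BODY_BYTES):
    """Gateway-side entry point. Returns (accepted, reason).
    The byte-size check runs before parsing because parsing is where the
    memory is spent; the structural checks run on the parsed tree."""
    if len(raw.encode("utf-8")) > max_bytes:
        return False, f"body larger than {max_bytes} bytes"
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:  # json.loads recurses on nesting
        return False, f"malformed JSON: {exc}"
    try:
        check_json(doc, limits)
    except ThreatDetected as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed payloads: one normal request and one nested past the limit.
    print(inspect_request_body('{"customer":"C-1001","items":[{"sku":"A1","qty":2}]}'))
    print(inspect_request_body('{"a":{"b":{"c":{"d":1}}}}'))
```

The byte-size check runs before `json.loads` because the parser is where a hostile payload spends your memory and CPU, and the structural walk is iterative so a deeply nested document cannot exhaust the checker's own stack. A production gateway applies the same limits inside a streaming parser, so an oversized document is never fully materialized at all.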
  • 33. MuleSoft Provided API Policies
    ● Security
      ○ OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider – Validates access tokens issued by the Mule OAuth 2.0 provider
      ○ OpenAM Access Token Enforcement – Restricts access to a protected resource using an OpenAM authorization server
      ○ PingFederate Access Token Enforcement – Restricts access to a protected resource using a PingFederate authorization server
      ○ Tokenization – Transforms sensitive data into non-sensitive equivalent tokens
      ○ Detokenization – Transforms a tokenized value back into the original data
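The JWT, OAuth 2.0, OpenAM and PingFederate policies on the two slides above all reduce to the same gateway-side steps: verify the token's signature with a pinned algorithm, then check expiry, issuer and audience before letting the request through. The block below is an added example, not MuleSoft's implementation, covering the HS256 case with only the Python standard library; the key, issuer, audience, clock value and the `mint_hs256` helper (which stands in for the authorization server) are assumptions constructed for the example:

```python
"""Minimal HS256 JWT validation of the kind a gateway token-enforcement
policy performs. Added example; not MuleSoft's implementation."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims, key):
    """Issue a token the way the (assumed) authorization server would.
    Present only so the example can construct inputs; a gateway never mints."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


class TokenRejected(Exception):
    pass


def validate_hs256(token, key, issuer, audience, now=None, leeway=30):
    """Return the claims if the token is acceptable, else raise TokenRejected.
    Signature first, then time and identity claims: nothing in an unsigned
    token is trusted, not even its own expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token") from None
    # The verifier pins the algorithm; trusting header["alg"] is what enables
    # "alg":"none" and RS256-to-HS256 key-confusion forgeries.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenRejected("bad signature")
    if not isinstance(claims, dict):
        raise TokenRejected("malformed claims")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("expired or missing exp")
    nbf = claims.get("nbf", 0)
    if not isinstance(nbf, (int, float)) or now + leeway < nbf:
        raise TokenRejected("not yet valid")
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    return claims


def check_bearer(token, key, issuer, audience, now=None):
    """Policy-style verdict: (True, claims) or (False, reason)."""
    try:
        return True, validate_hs256(token, key, issuer, audience, now)
    except TokenRejected as exc:
        return False, str(exc)


# Constructed sample values for the example (assumptions, not real credentials).
EXAMPLE_KEY = b"example-shared-secret"
EXAMPLE_ISSUER = "https://issuer.example"
EXAMPLE_AUDIENCE = "orders-api"
EXAMPLE_NOW = 1_700_000_000
EXAMPLE_TOKEN = mint_hs256(
    {"sub": "client-42", "iss": EXAMPLE_ISSUER, "aud": EXAMPLE_AUDIENCE,
     "iat": EXAMPLE_NOW, "exp": EXAMPLE_NOW + 300}, EXAMPLE_KEY)

if __name__ == "__main__":
    print(check_bearer(EXAMPLE_TOKEN, EXAMPLE_KEY, EXAMPLE_ISSUER, EXAMPLE_AUDIENCE, now=EXAMPLE_NOW))
    print(check_bearer(EXAMPLE_TOKEN, EXAMPLE_KEY, EXAMPLE_ISSUER, EXAMPLE_AUDIENCE, now=EXAMPLE_NOW + 400))
```

Two details matter more than the rest: the verifier decides the algorithm, never the token's header (otherwise `"alg":"none"`, or an RS256 public key reused as an HMAC secret, gets a forged token through), and the signature comparison is constant-time. For RS256 tokens from a real provider, swap the HMAC step for an RSA signature check against the provider's published JWKS; the claim checks stay exactly the same.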
  • 34. MuleSoft Provided API Policies
    ● Compliance
      ○ Client ID Enforcement – Allows access only to client applications that present valid client credentials
      ○ CORS – Enables calls executed in a web page to interact with resources from different domains
    ● Quality of service
      ○ HTTP Caching – Stores HTTP responses from an API implementation
      ○ Rate Limiting – Imposes a limit on the number of requests an API accepts within a specified time window
      ○ Rate Limiting, SLA-Based – Imposes a request limit that depends on the client's SLA tier
      ○ Spike Control – Smooths API traffic and provides a queuing feature for requests that arrive above the configured rate
    ● Message Logging – Logs a custom message when an API is invoked
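Rate limiting and spike control on the slide above are often confused. Rate limiting enforces a quota per client per window and rejects everything beyond it (with SLA tiers choosing the quota); spike control smooths bursts with a token bucket and queues, rather than rejects, requests that arrive while the bucket is empty. The following added example (not MuleSoft's policy code) shows both against a caller-supplied clock; the window sizes, tier names and queue limits are assumptions:

```python
"""Fixed-window rate limiting (with SLA tiers) beside token-bucket spike
control. Added example; not MuleSoft's policy code. Both take the clock as
an argument so the behaviour is deterministic and testable."""
import math


class RateLimiter:
    """Reject once a client has used its quota for the current window.
    `tiers` maps client_id -> requests per window (the SLA-based flavour);
    clients not in a tier get `default_limit`."""

    def __init__(self, window_s, default_limit, tiers=None):
        self.window_s = window_s
        self.default_limit = default_limit
        self.tiers = tiers or {}
        self.state = {}  # client_id -> (window_start, requests_used)

    def allow(self, client_id, now):
        """Returns (allowed, remaining_in_window)."""
        limit = self.tiers.get(client_id, self.default_limit)
        start, used = self.state.get(client_id, (now, 0))
        if now - start >= self.window_s:  # window rolled over: fresh quota
            start, used = now, 0
        if used >= limit:
            self.state[client_id] = (start, used)
            return False, 0
        self.state[client_id] = (start, used + 1)
        return True, limit - used - 1


class SpikeControl:
    """Token bucket holding `max_requests`, refilled continuously at
    max_requests / window_s. When the bucket is empty a request is delayed
    rather than rejected, up to `max_queued` waiters and `max_delay_s`."""

    def __init__(self, max_requests, window_s, max_queued, max_delay_s):
        self.capacity = max_requests
        self.rate = max_requests / window_s  # tokens per second
        self.tokens = float(max_requests)
        self.last = None
        self.max_queued = max_queued
        self.max_delay_s = max_delay_s

    def admit(self, now):
        """Returns ("accept", 0.0), ("delayed", seconds_to_wait) or ("reject", 0.0)."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return "accept", 0.0
        # A negative balance is tokens already promised to queued requests.
        waiting = math.ceil(-self.tokens)
        wait = (1 - self.tokens) / self.rate
        if waiting >= self.max_queued or wait > self.max_delay_s:
            return "reject", 0.0
        self.tokens -= 1  # reserve the next token for this waiter
        return "delayed", wait


if __name__ == "__main__":
    # Constructed traffic: a gold-tier client exhausting its quota, and an
    # 8-request burst against a 5-per-second bucket with room for 2 waiters.
    rl = RateLimiter(window_s=60, default_limit=1, tiers={"gold-app": 3})
    print([rl.allow("gold-app", 0)[0] for _ in range(4)])
    sc = SpikeControl(max_requests=5, window_s=1.0, max_queued=2, max_delay_s=1.0)
    print([sc.admit(0.0) for _ in range(8)])
```

The fixed-window limiter lets a client spend two windows' quota in the seconds around a window boundary, which is why spike control sits in front of fragile backends. Both objects keep their counters in memory, so in a clustered gateway that state has to live in a shared store or each node enforces its own, larger, limit.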
  • 35. When and Where to Apply API Policies
    ● Experience layer
      ○ Compliance: Client ID enforcement, CORS
      ○ Security: Basic authentication, JSON/XML threat protection, IP whitelisting (blacklisting), OAuth, Tokenization/Detokenization
      ○ Quality of service: Rate limiting (SLA-based), Spike control, HTTP caching
    ● Process layer
      ○ Compliance: Client ID enforcement
      ○ Security: Basic authentication, Tokenization/Detokenization
      ○ Quality of service: Rate limiting
    ● System layer
      ○ Compliance: Client ID enforcement
      ○ Security: Basic authentication, Tokenization/Detokenization
      ○ Quality of service: Rate limiting, Spike control
  • 37. API Manager Alerts
    ● An API alert is an alarm that flags one of the following problems:
      ○ An API request violates a policy
      ○ Requests received by the API exceed a given number within a period of time
      ○ The API returns a specified HTTP error code
      ○ The API response time exceeds a certain threshold
    Runtime Manager Alerts
    ● Number of errors
      ○ The number of errors in one minute reaches the specified limit
    ● Number of Mule messages
      ○ The number of Mule messages since the application started reaches the specified limit
    ● Response time
      ○ The response time crosses the specified limit
    ● Use Runtime Manager to export data to external analytics tools
      ○ Splunk and ELK integrations
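The alert conditions above are simple rules over the gateway's request log. The block below is an added example, not MuleSoft's alerting code, that evaluates four such rules (request rate per client, a specific HTTP error code, slow responses and policy rejections) over constructed log lines; the log line format, field names and thresholds are assumptions made for the example:

```python
"""Alert rules of the kind API Manager / Runtime Manager evaluate, run over
constructed gateway log lines. Added example; the log format and the
thresholds are assumptions, not MuleSoft's."""
import re
from collections import deque, namedtuple
from datetime import datetime, timezone

# Constructed sample log (not captured from a real gateway).
SAMPLE_LOG = """\
2020-11-18T10:00:00Z client=app-1 status=200 policy=- ms=45
2020-11-18T10:00:05Z client=app-1 status=200 policy=- ms=40
2020-11-18T10:00:10Z client=app-1 status=200 policy=- ms=52
2020-11-18T10:00:15Z client=app-1 status=200 policy=- ms=48
2020-11-18T10:00:20Z client=app-1 status=200 policy=- ms=41
2020-11-18T10:00:25Z client=app-1 status=200 policy=- ms=39
2020-11-18T10:00:30Z client=app-2 status=500 policy=- ms=310
2020-11-18T10:00:35Z client=app-3 status=200 policy=- ms=3500
2020-11-18T10:00:40Z client=app-4 status=403 policy=client-id-enforcement ms=3
2020-11-18T10:02:00Z client=app-5 status=200 policy=- ms=50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) status=(?P<status>\d{3}) "
    r"policy=(?P<policy>\S+) ms=(?P<ms>\d+)$")

# Thresholds are assumptions for the example.
RULES = {
    "request_rate": {"max_requests": 5, "period_s": 60},  # more than N in a period
    "error_code": {"status": 500},                        # a specific HTTP code returned
    "slow_response": {"max_ms": 2000},                    # response-time limit
    "policy_violation": {"statuses": {401, 403, 429}},    # a policy rejected the call
}

Alert = namedtuple("Alert", "rule client detail")


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"t": ts.timestamp(), "client": m["client"], "status": int(m["status"]),
            "policy": m["policy"], "ms": int(m["ms"])}


def evaluate(log_text, rules=RULES):
    """Return alerts in the order they fire. The request-rate rule keeps a
    sliding window per client and fires once per client, so a burst raises
    one alert rather than one per request."""
    alerts = []
    recent = {}        # client -> deque of request timestamps inside the period
    rate_fired = set()
    period = rules["request_rate"]["period_s"]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not alerted on
        client = rec["client"]
        window = recent.setdefault(client, deque())
        window.append(rec["t"])
        while window and rec["t"] - window[0] > period:
            window.popleft()
        if len(window) > rules["request_rate"]["max_requests"] and client not in rate_fired:
            rate_fired.add(client)
            alerts.append(Alert("request_rate", client, f"{len(window)} requests in {period}s"))
        if rec["status"] == rules["error_code"]["status"]:
            alerts.append(Alert("error_code", client, f"HTTP {rec['status']}"))
        if rec["ms"] > rules["slow_response"]["max_ms"]:
            alerts.append(Alert("slow_response", client, f"{rec['ms']} ms"))
        if rec["status"] in rules["policy_violation"]["statuses"]:
            alerts.append(Alert("policy_violation", client,
                                f"HTTP {rec['status']} from policy {rec['policy']}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

The request-rate rule uses a sliding window and fires once per client, so one burst raises one alert instead of one per request; that de-duplication is worth keeping when alerts are forwarded to Splunk or ELK, where noisy rules are the first to be muted.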
  • 38. A Secure CloudHub Architecture with VPC
    ● Connect to resources behind the corporate firewall
    ● A dedicated subnet on CloudHub in which to deploy the organization's implementations
    ● Security is paramount
    ● Place system and process APIs inside the VPC
    ● Load balancers – SLB (shared) or DLB (dedicated)
  • 39. On-premise – Local
    ● Connect to resources behind the corporate firewall
    ● Security is paramount
    ● DMZ (demilitarized zone) – connects to the internet
    ● Internal network – no access to the internet; hosts the organization's assets
    ● Place system and process APIs in the internal network
    ● Place experience APIs in the DMZ
  • 40. Runtime Fabric
    ● Container service that automates deployment and orchestration of Mule applications and API gateways
    ● Installs in multi-cloud environments and data centers
    ● Features:
      ○ Application isolation
      ○ Multiple runtimes
      ○ High availability
      ○ Horizontal and vertical scaling
    ● Security – code, container, cluster, cloud
  • 41. Customer-Hosted Runtimes on Private Cloud
    ● Connect to resources in the organization's private network
    ● Host runtimes on a private cloud such as Azure or AWS
    ● Place system APIs in the private cloud to reach on-prem data via a VPN gateway
    ● Experience APIs can sit in the DMZ
    ● Security is applied across firewalls, proxies, VPNs, and load balancers
  • 42. IS API SECURITY ACHIEVED? Are the APIs truly secured?
  • 43. Perform "Test Attacks" on APIs
    ● Try some attacks yourself
    ● Find tools or apps to test the policies
    ● Have the organization's security department test the code and the environment
    ● Have professionals attack and assess API security
    ● Regular pen-tests (security testing as a service, embedded in the SDLC)
  • 44. Security Testing Areas
    ● Credentials, authentication, authorization, session, privacy, data, certificates
    ● Source, system, files, logs, emails, services, cryptography
    ● Architecture, networks, virtualization, physical, mobile, social
  • 46. Key Takeaways
    ● Know the big picture, the infrastructure, and the business
    ● Security comes at a cost
    ● There will be side effects
    ● Only recommend what is right and needed
    ● There is no single way to do it
    ● Ensure it gets thoroughly tested for security
    ● Security is not a one-time activity
    ● Leverage proactive monitoring and implement policies
    ● Follow best practices and be as restrictive as possible in API design
    ● Discuss in the community; let MuleSoft know where additional support is needed
  • 47. Q&A
  • 48. WRAP UP & ANNOUNCEMENT OF TRIVIA WINNERS
  • 50.
    ● Proud partner of MuleSoft for a number of years; among the first partners in Canada during its early stage
    ● Trusted IT partner for digital innovation, with a global presence
    ● Growth 2020 List: named one of Canada's fastest-growing companies
    ● Our mission: to provide business solutions that not only solve challenges but accelerate growth and customer success
    ● Our areas of expertise: digital transformation, integration, data management, Customer 360, cloud strategy, and cybersecurity
    ● Our solution: cutting-edge integration and automation solutions built on the latest technology that turn visions into realities
  • 51. Stay connected on social: Incepta Solutions (@InceptaS), Incepta Solutions (@InceptaSolutions)