
Leveraging open banking specifications for rigorous API security – What’s in it for you?

Presented at APIdays Paris.

API security is the principal concern when it comes to establishing a trusted API ecosystem. Rightly so, because opening up business systems through APIs by definition expands the attack surface that can be exploited. Although many threat vectors and vulnerabilities are well known, we have to remain on the lookout for new threats continuously.

On the positive side, open standards that help defend against security threats are constantly being created and refined. What is even more helpful are the specifications that aggregate relevant standards into a comprehensive API security profile. Excellent examples of these are the current specifications that support open banking initiatives like UK Open Banking and PSD2. Could these specifications not have a wider applicability? In other words, would we be able to benefit from the security guidelines captured in these specifications in other verticals like logistics, retail, energy, healthcare and government, too?

In this talk, we will compare security guidelines covered in the specifications and see to what extent they may benefit the wider enterprise API developer community.

Leveraging open banking specifications for rigorous API security – What’s in it for you?

  1. Slide 1 (© 2018 Rogue Wave Software, Inc. All Rights Reserved.): Leveraging open banking specifications for rigorous API security – What’s in it for you?
  2. Slide 2, Presenter: Olaf van Gorp, Akana Platform Senior Specialist, olaf.van.gorp@roguewave.com
  3. Slide 3, Ada Lovelace: “The Analytical Engine has no pretensions whatever to originate anything. It can do whatever we know how to order it to perform.” (Richard Taylor's Scientific Memoirs, 1843)
  4. Slide 4: Welcome?
  5. Slide 5: Protecting our resources in the real world
  6. Slide 6: Protecting our resources in the digital world
  7. Slide 7, API Specifications: leveraging some good work already done. Source: https://kottke.org/18/04/ikea-style-instructions-for-programming-algorithms
  8. Slide 8, Open Banking / PSD2 specs. Why these? Sensitive data; regulation; careful, diligent work with many stakeholders; applied to production systems.
  9. Slide 9: Initiatives / Resources
  10. Slide 10, Common ground. A ‘layered’ approach to API security: transport layer; client authentication and authorization; content security.
  11. Slide 11, Summary comparison of the three specifications, layer by layer:

      Layer                                    | Open Banking              | Berlin Group                          | STET
      Client authentication and authorization  | OAuth2.0 (OpenID Connect) | OAuth2.0 (Optional)                   | OAuth2.0 (OpenID Connect)
      Content security                         | JSON Web Tokens (JWS)     | “Signed HTTP Messages”                | “Signed HTTP Messages”
      Transport layer                          | Mutual TLS                | Mutual TLS (using eIDAS certificates) | Mutual TLS (using eIDAS certificates)

  12. Slide 12, In summary… Ensure that each request is coming from a trusted source: mTLS ensures client authenticity; OAuth ensures client authorization; JWT ensures message integrity, confidentiality, and non-repudiation.
  13. Slide 13, How does it all work together? Diagram of the Client, Authorization Server, Identity Provider and Backend systems, with the mTLS and JWT layers marked and three numbered steps (1, 2, 3).
  14. Slide 14, Additional things to consider. MFA (SCA), user authentication: can we trust the user to be who s(he) is? Injection, cross-site scripting, request overload, …: can we trust the user’s intentions?
  15. Slide 15, Conclusion. API security: there’s quite a lot to it …but there are useful specifications to help you out. Implementing security standards is far from trivial …don’t do it yourself …there are excellent tools in the market to help you.
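The three layers of slides 10 to 13 composed into one server-side request check, as an added example that is not part of the talk or of any Akana product: each layer must pass in turn, the identity from the mTLS certificate is tied to the OAuth token, and the JWS must cover exactly the body that arrived. Everything in it is constructed: the HMAC key stands in for the client's signing key so it runs with the standard library alone, and the certificate registry, token store and x-jws-signature header name are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed: an HMAC key stands in for the client's signing key (keeps this standard-
# library only; real profiles use an asymmetric key) and a registry maps mTLS cert fingerprints to client_ids.
SIGNING_KEY = b"constructed-demo-key"
TRUSTED_CLIENTS = {"sha256:constructed-aa11": "tpp-123"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_body(body: bytes, key: bytes) -> str:  # client side: compact JWS over the raw body
    header = b64url(json.dumps({"alg": "HS256", "typ": "JOSE"}).encode())
    payload = b64url(body)
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_jws(jws: str, body: bytes, key: bytes) -> bool:  # content layer: signature must cover the received body
    try:
        header, payload, sig = jws.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        ok_body = b64url_decode(payload) == body
        sig_bytes = b64url_decode(sig)
    except (ValueError, AttributeError):
        return False
    if alg != "HS256" or not ok_body:
        return False  # pins the algorithm (no alg=none) and rejects a swapped body
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig_bytes)

def authorize_request(request: dict, tokens: dict, now: float) -> tuple:
    """Apply the three layers in order; returns (accepted, reason)."""
    # 1. Transport layer: the mTLS client certificate establishes who the client is.
    client_id = TRUSTED_CLIENTS.get(request.get("client_cert_fingerprint"))
    if client_id is None:
        return False, "mtls: unknown client certificate"
    # 2. Client authorization: the OAuth token must be live, issued to this client, and scoped.
    token = tokens.get(request.get("access_token"))
    if token is None or token["exp"] <= now:
        return False, "oauth: token missing or expired"
    if token["client_id"] != client_id:
        return False, "oauth: token not issued to the presented client"
    if request["scope"] not in token["scopes"]:
        return False, "oauth: scope not granted"
    # 3. Content security: the JWS must verify against the body that actually arrived.
    if not verify_jws(request.get("x-jws-signature", ""), request["body"], SIGNING_KEY):
        return False, "jws: body signature invalid"
    return True, "ok"
```

Binding the token to the client_id from the certificate is what stops a token stolen from one client being replayed by another, which neither layer catches on its own.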
