This presentation shows how to implement APIs that treat security as a key component.
Added: Aug 07, 2024
Slides: 22 pages
API Security: Essential Practices for Developers
Dinusha Kumarasiri
Dinusha Kumarasiri, Microsoft MVP for Microsoft Azure, Microsoft Certified Trainer (MCT), Enterprise Architect at NCS Australia. Cloud enthusiast. Love to share what I learn.
dinushaonline.blogspot.com | @kumarasiri048 | dinushak | Dinusha Kumarasiri
Agenda
- Shifting security to left
- Threat modelling
- Modern API build
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Penetration testing & Chaos experiments
- API deployment
- Operating APIs
Shifting security to left
Integrating security measures early in the development lifecycle, enabling early detection and resolution of vulnerabilities. Security activities by lifecycle stage:
- Plan: Threat modelling
- Build: Vulnerability scanning, Static Application Security Testing (SAST), Code review
- Test: Dynamic Application Security Testing (DAST)
- Deploy: Chaos engineering, Configuration management, Penetration testing
- Operate: Web Application Firewall (WAF), Log & telemetry collection
- Monitor: Security Information & Event Management (SIEM)
Threat modelling
Threat modelling is a process to identify, understand and mitigate potential security threats to a system. API threat modelling is a structured approach to identifying and mitigating potential security threats specific to APIs.
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Tool: Microsoft Threat Modelling Tool
Modern API build
- Domain Driven Design (DDD) & Test-Driven Development (TDD)
- Authentication & Authorization
- Data encryption
- Input validation
- Dependency security
- Repository management
- Infrastructure as Code
Modern API build: Domain Driven Design (DDD) & Test-Driven Development (TDD)
TDD (STRIDE threat addressed: Repudiation)
- Tests are written before the logic
- Tests will fail initially, but will succeed once the features are implemented
- Stubs act as a new API version which consumers can use before the feature is implemented
DDD (STRIDE threat addressed: Tampering)
- Understand the business domain, its processes and their relationships
- Implement entities within each bounded context
- Implement domain services
- Implement APIs that represent the domain model
- Use Data Transfer Objects (DTO) to transfer data between APIs
Example bounded contexts: Billing, Opportunity Management, Common Data Platform
Modern API build: Authentication & Authorization
Use a centralized identity platform (e.g. Azure AD, Azure AD B2C, OKTA) that provides:
- Authentication & Authorization
- Single Sign-On
- Multi-Factor Authentication
- Role-Based Access Control
- Security Policies
- SDKs & APIs
Modern API build: Authentication & Authorization (STRIDE threats addressed: Tampering, Repudiation)
- Use strong authentication & authorization methods
- Use Role-Based Access Control (RBAC)
- Use least privilege when granting access to resources
- Leverage managed service accounts
- Delegate credential management to the user service provider
Authentication & Authorization for RESTful APIs: OAuth 2.0 & OpenID Connect, JSON Web Token (JWT)
- OAuth 2.0: delegated access on behalf of the user (Authorization)
- OpenID Connect: ID Token for user info; ideal for SSO (Authentication)
- JWT: sign JWTs with a strong key, limit the lifetime of JWTs, implement token revocation
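The three JWT rules above (strong signing key, bounded lifetime, revocation) as an added, self-contained Python example; this is not code from the presentation. It assumes an HS256 shared-secret setup, a constructed in-memory key and a hypothetical `REVOKED_JTI` set standing in for a shared revocation store.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo key: in production load a key of at least 256 bits from a secrets store
SECRET_KEY = secrets.token_bytes(32)
MAX_LIFETIME = 900          # seconds; short-lived tokens limit the damage of a leak
REVOKED_JTI = set()         # hypothetical revocation list (a shared cache in real deployments)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(sub: str, scope: str, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT with a bounded lifetime and a unique id (jti) for revocation."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "scope": scope, "iat": now,
               "exp": now + MAX_LIFETIME, "jti": secrets.token_hex(8)}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def revoke_jwt(token: str) -> None:
    # Called on logout or credential compromise; the jti is rejected from now on
    REVOKED_JTI.add(json.loads(_unb64(token.split(".")[1]))["jti"])

def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature, lifetime and revocation checks pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
        exp, iat = int(payload["exp"]), int(payload["iat"])
    except (ValueError, TypeError, KeyError):
        return None
    # Pin the algorithm server-side; never honour "alg": "none" or a different alg from the token
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):        # constant-time comparison
        return None
    if exp <= now or exp - iat > MAX_LIFETIME:         # expired or over-long lifetime
        return None
    if payload.get("jti") in REVOKED_JTI:
        return None
    return payload
```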
Modern API build: Authentication & Authorization
Use subscriptions to identify the caller and products to group APIs, giving:
- Access Control
- Usage Tracking
- Security
- Rate Limiting
- Analytics
Modern API build: Data Encryption (STRIDE threats addressed: Tampering, Repudiation)
Encrypting data in transit:
- Ensure APIs are accessible only via HTTPS
- Use TLS 1.2 or higher to encrypt traffic
- Use Secure WebSockets
- Use mTLS when communicating with external APIs
Encrypting data at rest:
- Database encryption
- File system encryption
- Backup encryption
Store keys, credentials and certificates in a secure location.
Modern API build: Input validation
Evaluate the validity of data at multiple layers:
- Validate at the frontend
- Validate at the API gateway or proxy level
- Validate at the API level
Data sanitization: sanitize input data by removing harmful characters; encode and decode data with the proper schema before using it.
Syntactic validation: ensures data follows the correct format (e.g. an email address).
Semantic validation: ensures data is meaningful in the given context (e.g. the start date is before the end date).
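An added Python example (not from the presentation) of the API-level layer: syntactic checks on the two formats the slide names, then semantic checks once the shape is known to be right. The `BookingRequest` DTO, the field names and the simple e-mail pattern are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Syntactic rule: a deliberately simple e-mail shape check (constructed for this example)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ALLOWED_FIELDS = {"email", "start_date", "end_date"}

@dataclass(frozen=True)
class BookingRequest:          # hypothetical DTO handed from the API to the domain layer
    email: str
    start_date: date
    end_date: date

def validate_booking(raw: dict) -> Tuple[Optional[BookingRequest], List[str]]:
    """Validate a JSON-decoded request body; return (DTO, []) or (None, errors)."""
    errors: List[str] = []
    # Layer 1, syntactic: presence, type and format of each field
    email = raw.get("email")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email.strip()):
        errors.append("email: invalid format")
    parsed = {}
    for field in ("start_date", "end_date"):
        try:
            parsed[field] = date.fromisoformat(str(raw.get(field)))
        except ValueError:
            errors.append(f"{field}: expected ISO date YYYY-MM-DD")
    # Reject unknown fields rather than silently forwarding them downstream
    extra = sorted(set(raw) - ALLOWED_FIELDS)
    if extra:
        errors.append("unexpected fields: " + ", ".join(extra))
    if errors:
        return None, errors
    # Layer 2, semantic: the values must make sense together in this context
    if parsed["start_date"] >= parsed["end_date"]:
        errors.append("start_date must be before end_date")
        return None, errors
    return BookingRequest(email.strip().lower(), parsed["start_date"], parsed["end_date"]), []
```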
Modern API build: Dependency security
APIs may have software component dependencies or infrastructure dependencies.
- Software dependencies developed by us (STRIDE: Tampering): ensure reusable libraries are properly managed; publish them as packages in a centralized location (e.g. as NuGet packages)
- Software dependencies from 3rd parties (STRIDE: Repudiation): ensure they are regularly updated and their usage is documented; ensure they are verified by vulnerability scans
- Infrastructure dependencies (STRIDE: Repudiation): ensure security best practices are applied to infrastructure components
Modern API build: Repository management
- Ensure the API project and its components are governed by a proper version control system (e.g. GitHub, Azure DevOps)
- Apply a branching strategy with policies and security
- Ensure critical branches are protected and require pull request approval prior to merge
Modern API build: Infrastructure as Code (IaC) and CI/CD
- Ensure infrastructure components are provisioned with verified code
- Enable the organization to implement repeatable infrastructure
Environments in the pipeline: Dev, Test, UAT, Pre-Prod, Prod, Perf
Activities across the environments: Development testing, Mock testing, Unit testing, Integration testing, Functional testing, User acceptance testing, Regression testing, Load testing, Stress testing, Alpha testing, Production validation testing, Incident management
Static Application Security Testing (SAST)
An approach used to identify security vulnerabilities within an application's source code without executing the program.
- Integrate the SAST process into the build pipeline and fail the build if any security vulnerability is found
- Generate reports to understand the current risks involved with the source code
Tools: GitHub Advanced Security, GitHub Advanced Security for Azure DevOps
Dynamic Application Security Testing (DAST)
An approach used to identify security vulnerabilities in a running application by simulating attacks from the outside.
- Automated tools scan applications during runtime
- Can integrate with CI/CD pipelines
Penetration testing & Chaos experiments
Penetration testing: an approach that involves simulating real-world attacks on APIs to uncover security weaknesses that could be exploited by malicious actors. Manual and more comprehensive.
Chaos experiments: an approach that simulates various failure scenarios to uncover potential security vulnerabilities of the API infrastructure.
- Helps to understand whether your API can withstand and recover from failures (resilience)
- Chaos experiments can be integrated into your CI/CD pipelines
API deployment
Deployment practices: Scalability, Load Balancing, High Availability, Disaster Recovery
Protections: OWASP Top 10, Rate Limiting, Bot Protection
Platform components: Gateway for consumer access, Web Application Firewall (WAF), API Management, Key Management, Modern Storage, Centralized Identity
Operating APIs
Monitoring:
- Real-time monitoring of transactions and telemetry
- Protect artifacts
- Security Information & Event Management (SIEM)
- Configure alerts from the monitoring solution to notify anomalies
- Generate actionable tickets