Securing The API Stronghold
Securing The API Stronghold
The Ultimate Guide to API Security
About the Book
As the world becomes more and more connected, digital security is more and more a pressing concern. Especially in the Internet of Things (IoT), Application Programming Interface (API), and microservice spaces, the proper access management needs to be seriously addressed to ensure that web assets are securely distributed. We at Nordic APIs have collated our most helpful advice on API security into this eBook - a single tomb that introduces important terms, outlines proven API security stacks, and describes workflows using modern technologies. This knowledge is crucial for any web service that needs to properly authenticate, control access, delegate authority, and federate credentials across a system. Following an overview of basic concepts, we'll dive into specific considerations such as:
- Detailing OAuth 2.0 and OpenID Connect protocols and workflows
- Defining three distinct approaches to API licensing and availability
- Performing delegation of user identity across microservices
- Using OAuth and the Neo-Security stack to handle identity and access control
- Differentiating Authentication, Authorization, Federation, and Delegation, and the importance of each
- Using OpenID Connect for Native Single Sign On (SSO), Mobile Identity Management (MIM) & secure IoT applications
- ... and more
Please read on, share, and enjoy our 5th eBook from the Nordic APIs team, a free compilation of insights from identity experts security specialists.
*All proceeds from the sale of this eBook will be donated to the Salvation Army in Sweden.
About the Author
About the Contributors
Co-Founder, Dopter
Nordic APIs Editor in Chief
Co-Founder, Twobo Technologies
Web Developer, Nordic APIs Blogger
Co-Founder, Twobo Technologies, Nordic APIs
Table of Contents
- Preface
-
1. Introducing API Security Concepts
- 1.1 Identity is at the Forefront of API Security
- 1.2 Neo-Security Stack
- 1.3 OAuth Basics
- 1.4 OpenID Connect
- 1.5 JSON Identity Suite
- 1.6 Neo-Security Stack Protocols Increase API Security
- 1.7 The Myth of API Keys
- 1.8 Access Management
- 1.9 IoT Security
- 1.10 Using Proven Standards
-
2. The 4 Defenses of The API Stronghold
- 2.1 Balancing Access and Permissions
- 2.2 Authentication: Identity
- 2.3 Authorization: Access
- 2.4 Federation: Reusing Credentials & Spreading Resources
- 2.5 Delegation: The Signet of (Limited) Power
- 2.6 Holistic Security vs. Singular Approach
- 2.7 Application For APIs
-
3. Equipping Your API With the Right Armor: 3 Approaches to Provisioning
- 3.1 Differences In API Approaches: Private, Public, & Partner APIs
- 3.2 Considerations and Caveats
- 3.3 So Where Is The Middle Ground?
- 3.4 Real-World Failure
- 3.5 Two Real-World Successes
- 3.6 Conclusion
-
4. Your API is Vulnerable: 4 Top Security Risks to Mitigate
- 4.1 Gauging Vulnerabilities
- 4.2 Black Hat vs. White Hat Hackers
- 4.3 Risk 1 - Security Relies on the Developer
- 4.4 Risk 2 - “Just Enough” Coding
- 4.5 Risk 3 - Misunderstanding Your Ecosystem
- 4.6 Risk 4 - Trusting the API Consumer With Too Much Control
- 4.7 Conclusion
-
5. Deep Dive into OAuth and OpenID Connect
- 5.1 OAuth and OpenID Connect in Context
- 5.2 Start with a Secure Foundation
- 5.3 Overview of OAuth
- 5.4 Actors in OAuth
- 5.5 Scopes
- 5.6 Kinds of Tokens
- 5.7 Passing Tokens
- 5.8 Profiles of Tokens
- 5.9 Types of Tokens
- 5.10 OAuth Flow
- 5.11 Improper and Proper Uses of OAuth
- 5.12 Building OpenID Connect Atop OAuth
- 5.13 Conclusion
-
6. Unique Authorization Applications of OpenID Connect
- 6.1 How OpenID Connect Enables Native SSO
- 6.2 How to Use OpenID Connect to Enable Mobile Information Management and BYOD
- 6.3 How OpenID Connect Enables the Internet of Things
-
7. How To Control User Identity Within Microservices
- 7.1 What Are Microservices, Again?
- 7.2 Great, So What’s The Problem?
- 7.3 The Solution: OAuth As A Delegation Protocol
- 7.4 The Simplified OAuth 2 Flow
- 7.5 The OpenID Connect Flow
- 7.6 Using JWT For OAuth Access Tokens
- 7.7 Let All Microservices Consume JWT
- 7.8 Why Do This?
-
8. Data Sharing in the IoT
- 8.1 A New Economy Based on Shared, Delegated Ownership
- 8.2 Connected Bike Lock Example IoT Device
- 8.3 How This Works
- 8.4 Option #1: Access Tables
- 8.5 Option #2: Delegated Tokens: OpenID Connect
- 8.6 Review:
-
9. Securing Your Data Stream with P2P Encryption
- 9.1 Why Encrypt Data?
- 9.2 Defining Terms
- 9.3 Variants of Key Encryption
- 9.4 Built-in Encryption Solutions
- 9.5 External Encryption Solutions
- 9.6 Use-Case Scenarios
- 9.7 Example Code Executions
- 9.8 Conclusion
-
10. Day Zero Flash Exploits and Versioning Techniques
- 10.1 Short History of Dependency-Centric Design Architecture
- 10.2 The Hotfix — Versioning
- 10.3 Dependency Implementation Steps: EIT
- 10.4 Lessons Learned
- 10.5 Conclusion
-
11. Fostering an Internal Culture of Security
- 11.1 Holistic Security — Whose Responsibility?
- 11.2 The Importance of CIA: Confidentiality, Integrity, Availability
- 11.3 4 Aspects of a Security Culture
- 11.4 Considering “Culture”
- 11.5 All Organizations Should Perpetuate an Internal Culture of Security
-
Resources
- API Themed Events
- API Security Talks:
- Follow the Nordic APIs Blog
- More eBooks by Nordic APIs:
- Endnotes
The Leanpub 45-day 100% Happiness Guarantee
Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
See full terms
Do Well. Do Good.
Authors have earned$10,906,214writing, publishing and selling on Leanpub, earning 80% royalties while saving up to 25 million pounds of CO2 and up to 46,000 trees.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets) and MOBI (for Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
Top Books
- #1
Practical FP in Scala: A hands-on approach
Gabriel VolpeA practical book aimed for those familiar with functional programming in Scala who are yet not confident about architecting an application from scratch.
Together, we will develop a purely functional application using the best libraries in the Cats ecosystem, while learning about design patterns and best practices.
- #2
入門 日本語自然言語処理
Masato Hagiwara and Paul O'Leary McCann日本語テキストを処理したい全てのプログラマ・エンジニアの方へ。分かち書きなどの基本から、自然言語生成などの最新の話題までをカバー。動かして学べるコードや、参照文献も付いています。言語学や機械学習の知識が無くても問題ありません。
- #3
Learning Algorithms Through Programming and Puzzle Solving
Alexander S. Kulikov and Pavel PevznerThis book powers our MicroMasters program on edX and specialization on Coursera, one of the ten most popular computer science courses on Coursera. Over half a million students have tried to solve many programming challenges and algorithmic puzzles described in this book. We invite you to join them! See the webpage of the book for more details.
- #4
Functional Programming Made Easier
Charles ScalfaniA Functional Programming book from beginner to advanced without skipping a single step along the way.
In my 40 years of programming, I've felt that programming books always let me down, especially Functional Programming books. So, I wrote the book I wish I had 5 years ago.
Functional Programming will never be easy, but it can be easier.
- #5
Functional event-driven architecture: Powered by Scala 3
Gabriel VolpeExplore the event-driven architecture (EDA) in a purely functional way, mainly powered by Fs2 streams in Scala 3!
Leverage your functional programming skills by designing and writing stateless microservices that scale, powered by stateful message brokers.
- #6
Ansible for DevOps
Jeff GeerlingAnsible is a simple, but powerful, server and configuration management tool. Learn to use Ansible effectively, whether you manage one server—or thousands.
- #7
OpenIntro Statistics
David Diez, Christopher Barr, Mine Cetinkaya-Rundel, and OpenIntroA complete foundation for Statistics, also serving as a foundation for Data Science.
Leanpub revenue supports OpenIntro (US-based nonprofit) so we can provide free desk copies to teachers interested in using OpenIntro Statistics in the classroom and expand the project to support free textbooks in other subjects.
More resources: openintro.org.
- #8
Cloud Strategy
Gregor Hohpe“Strategy is the difference between making a wish and making it come true.” A successful migration to the cloud can transform your organization, but it shouldn’t be driven by wishes. This book tells you how to develop a sound strategy guided by frameworks and decision models without being overly abstract nor getting lost in product details.
- #9
Visualise, document and explore your software architecture
Simon BrownA short guide to visualising, documenting and exploring your software architecture.
- #10
Scrum Product Ownership - Navigating the Forest AND the Trees, 3'rd Edition
Robert GalenIn 2009, I published Scrum Product Ownership - Ed. 1. Then the 2'nd Ed. in 2013. This is the 3'rd edition, celebrating the 10th anniversary of the original book. It's evolved from a beginners guide to be a more balanced reference for beginners, practitioner, and expert Product Owners.
Top Bundles
- #1
Software Architecture for Developers: Volumes 1 & 2 - Technical leadership and communication
2 Books
"Software Architecture for Developers" is a practical and pragmatic guide to modern, lightweight software architecture, specifically aimed at developers. You'll learn:The essence of software architecture.Why the software architecture role should include coding, coaching and collaboration.The things that you really need to think about before... - #2
The Indie Python Extravaganza
5 Books
The Indie Python Extravaganza! A collection of books that will help you to improve your knowledge of the Python programming language one page at a time. Join four indie authors in a journey from the basics of Python to the structure of production-ready systems, going through the core features of the language, some intermediate projects and a... - #3
CCIE Service Provider Ultimate Study Bundle
2 Books
Piotr Jablonski, Lukasz Bromirski, and Nick Russo have joined forces to deliver the only CCIE Service Provider training resource you'll ever need. This bundle contains a detailed and challenging collection of workbook labs, plus an extensively detailed technical reference guide. All of us have earned the CCIE Service Provider certification... - #4
All the Books of The Medical Futurist
6 Books
We put together the most popular books from The Medical Futurist to provide a clear picture about the major trends shaping the future of medicine and healthcare. Digital health technologies, artificial intelligence, the future of 20 medical specialties, big pharma, data privacy, digital health investments and how technology giants such as Amazon... - #7
Abandon Your Job - Leaving the Rat Race with Python
8 Books
Now, get all the great Python and Freelancing books from finxter.com in one single bundle!Coffee Break Python - All Python BasicsCoffee Break Python Workbook - Practice the basics of PythonCoffee Break Python Mastery Workouts - Practice advanced Python conceptsCoffee Break Python Slicing - All about SlicingCoffee Break Python NumPy - Get started... - #8
10 Books Bundle - A New Career in Tech 🚀
10 Books
Do you want to create yourself a new and profitable skillset - in one year or less? Do you want to position yourself on the right side of change finally? Do you want to work from home and set your own work schedule while choosing fun and interesting coding projects? Software developers and freelance developersearn six figuresin the US, according... - #9
The Python Craftsman
3 Books
The Python Craftsman series comprises The Python Apprentice, The Python Journeyman, and The Python Master. The first book is primarily suitable for for programmers with some experience of programming in another language. If you don't have any experience with programming this book may be a bit daunting. You'll be learning not just a programming...
