Securing The API Stronghold
Securing The API Stronghold
Free!
Minimum price
$5.00
Suggested price
Securing The API Stronghold

This book is 100% complete

Completed on 2015-09-23

About the Book

As the world becomes more and more connected, digital security is more and more a pressing concern. Especially in the Internet of Things (IoT), Application Programming Interface (API), and microservice spaces, the proper access management needs to be seriously addressed to ensure that web assets are securely distributed. We at Nordic APIs have collated our most helpful advice on API security into this eBook - a single tomb that introduces important terms, outlines proven API security stacks, and describes workflows using modern technologies. This knowledge is crucial for any web service that needs to properly authenticate, control access, delegate authority, and federate credentials across a system. Following an overview of basic concepts, we'll dive into specific considerations such as:

  • Detailing OAuth 2.0 and OpenID Connect protocols and workflows
  • Defining three distinct approaches to API licensing and availability
  • Performing delegation of user identity across microservices
  • Using OAuth and the Neo-Security stack to handle identity and access control
  • Differentiating Authentication, Authorization, Federation, and Delegation, and the importance of each
  • Using OpenID Connect for Native Single Sign On (SSO), Mobile Identity Management (MIM) & secure IoT applications
  • ... and more

Please read on, share, and enjoy our 5th eBook from the Nordic APIs team, a free compilation of insights from identity experts security specialists.

*All proceeds from the sale of this eBook will be donated to the Salvation Army in Sweden.

About the Author

Nordic APIs
Nordic APIs

Authors for this eBook include: Kristopher Sandoval, Bill Doerrfeld, Travis Spencer, Andreas Krohn, and Jacob Ideskog.

About the Contributors

Andreas Krohn
Andreas Krohn

Co-Founder, Dopter

Bill Doerrfeld
Bill Doerrfeld

Nordic APIs Editor in Chief

Jacob Ideskog
Jacob Ideskog

Co-Founder, Twobo Technologies

Kristopher Sandoval
Kristopher Sandoval

Web Developer, Nordic APIs Blogger

Travis Spencer
Travis Spencer

Co-Founder, Twobo Technologies, Nordic APIs

Table of Contents

  • Preface
  • 1. Introducing API Security Concepts
    • 1.1 Identity is at the Forefront of API Security
    • 1.2 Neo-Security Stack
    • 1.3 OAuth Basics
    • 1.4 OpenID Connect
    • 1.5 JSON Identity Suite
    • 1.6 Neo-Security Stack Protocols Increase API Security
    • 1.7 The Myth of API Keys
    • 1.8 Access Management
    • 1.9 IoT Security
    • 1.10 Using Proven Standards
  • 2. The 4 Defenses of The API Stronghold
    • 2.1 Balancing Access and Permissions
    • 2.2 Authentication: Identity
    • 2.3 Authorization: Access
    • 2.4 Federation: Reusing Credentials & Spreading Resources
    • 2.5 Delegation: The Signet of (Limited) Power
    • 2.6 Holistic Security vs. Singular Approach
    • 2.7 Application For APIs
  • 3. Equipping Your API With the Right Armor: 3 Approaches to Provisioning
    • 3.1 Differences In API Approaches: Private, Public, & Partner APIs
    • 3.2 Considerations and Caveats
    • 3.3 So Where Is The Middle Ground?
    • 3.4 Real-World Failure
    • 3.5 Two Real-World Successes
    • 3.6 Conclusion
  • 4. Your API is Vulnerable: 4 Top Security Risks to Mitigate
    • 4.1 Gauging Vulnerabilities
    • 4.2 Black Hat vs. White Hat Hackers
    • 4.3 Risk 1 - Security Relies on the Developer
    • 4.4 Risk 2 - “Just Enough” Coding
    • 4.5 Risk 3 - Misunderstanding Your Ecosystem
    • 4.6 Risk 4 - Trusting the API Consumer With Too Much Control
    • 4.7 Conclusion
  • 5. Deep Dive into OAuth and OpenID Connect
    • 5.1 OAuth and OpenID Connect in Context
    • 5.2 Start with a Secure Foundation
    • 5.3 Overview of OAuth
    • 5.4 Actors in OAuth
    • 5.5 Scopes
    • 5.6 Kinds of Tokens
    • 5.7 Passing Tokens
    • 5.8 Profiles of Tokens
    • 5.9 Types of Tokens
    • 5.10 OAuth Flow
    • 5.11 Improper and Proper Uses of OAuth
    • 5.12 Building OpenID Connect Atop OAuth
    • 5.13 Conclusion
  • 6. Unique Authorization Applications of OpenID Connect
    • 6.1 How OpenID Connect Enables Native SSO
    • 6.2 How to Use OpenID Connect to Enable Mobile Information Management and BYOD
    • 6.3 How OpenID Connect Enables the Internet of Things
  • 7. How To Control User Identity Within Microservices
    • 7.1 What Are Microservices, Again?
    • 7.2 Great, So What’s The Problem?
    • 7.3 The Solution: OAuth As A Delegation Protocol
    • 7.4 The Simplified OAuth 2 Flow
    • 7.5 The OpenID Connect Flow
    • 7.6 Using JWT For OAuth Access Tokens
    • 7.7 Let All Microservices Consume JWT
    • 7.8 Why Do This?
  • 8. Data Sharing in the IoT
    • 8.1 A New Economy Based on Shared, Delegated Ownership
    • 8.2 Connected Bike Lock Example IoT Device
    • 8.3 How This Works
    • 8.4 Option #1: Access Tables
    • 8.5 Option #2: Delegated Tokens: OpenID Connect
    • 8.6 Review:
  • 9. Securing Your Data Stream with P2P Encryption
    • 9.1 Why Encrypt Data?
    • 9.2 Defining Terms
    • 9.3 Variants of Key Encryption
    • 9.4 Built-in Encryption Solutions
    • 9.5 External Encryption Solutions
    • 9.6 Use-Case Scenarios
    • 9.7 Example Code Executions
    • 9.8 Conclusion
  • 10. Day Zero Flash Exploits and Versioning Techniques
    • 10.1 Short History of Dependency-Centric Design Architecture
    • 10.2 The Hotfix — Versioning
    • 10.3 Dependency Implementation Steps: EIT
    • 10.4 Lessons Learned
    • 10.5 Conclusion
  • 11. Fostering an Internal Culture of Security
    • 11.1 Holistic Security — Whose Responsibility?
    • 11.2 The Importance of CIA: Confidentiality, Integrity, Availability
    • 11.3 4 Aspects of a Security Culture
    • 11.4 Considering “Culture”
    • 11.5 All Organizations Should Perpetuate an Internal Culture of Security
  • Resources
    • API Themed Events
    • API Security Talks:
    • Follow the Nordic APIs Blog
    • More eBooks by Nordic APIs:
  • Endnotes

The Leanpub 45-day 100% Happiness Guarantee

Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms...

Write and Publish on Leanpub

Authors, publishers and universities use Leanpub to publish amazing in-progress and completed books and courses, just like this one. You can use Leanpub to write, publish and sell your book or course as well! Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks. Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. It really is that easy.

Learn more about writing on Leanpub