Securing The API Stronghold
Free!
Minimum price
$5.00
Suggested price

Securing The API Stronghold

The Ultimate Guide to API Security
  • 1,814

    Readers

  • English

  • PDF

  • EPUB

  • MOBI

  • WEB

About the Book

As the world becomes more and more connected, digital security is more and more a pressing concern. Especially in the Internet of Things (IoT), Application Programming Interface (API), and microservice spaces, the proper access management needs to be seriously addressed to ensure that web assets are securely distributed. We at Nordic APIs have collated our most helpful advice on API security into this eBook - a single tomb that introduces important terms, outlines proven API security stacks, and describes workflows using modern technologies. This knowledge is crucial for any web service that needs to properly authenticate, control access, delegate authority, and federate credentials across a system. Following an overview of basic concepts, we'll dive into specific considerations such as:

  • Detailing OAuth 2.0 and OpenID Connect protocols and workflows
  • Defining three distinct approaches to API licensing and availability
  • Performing delegation of user identity across microservices
  • Using OAuth and the Neo-Security stack to handle identity and access control
  • Differentiating Authentication, Authorization, Federation, and Delegation, and the importance of each
  • Using OpenID Connect for Native Single Sign On (SSO), Mobile Identity Management (MIM) & secure IoT applications
  • ... and more

Please read on, share, and enjoy our 5th eBook from the Nordic APIs team, a free compilation of insights from identity experts security specialists.

*All proceeds from the sale of this eBook will be donated to the Salvation Army in Sweden.

About the Author

Nordic APIs
Nordic APIs

Authors for this eBook include: Kristopher Sandoval, Bill Doerrfeld, Travis Spencer, Andreas Krohn, and Jacob Ideskog.

About the Contributors

Andreas Krohn
Andreas Krohn

Co-Founder, Dopter

Bill Doerrfeld
Bill Doerrfeld

Nordic APIs Editor in Chief

Jacob Ideskog
Jacob Ideskog

Co-Founder, Twobo Technologies

Kristopher Sandoval
Kristopher Sandoval

Web Developer, Nordic APIs Blogger

Travis Spencer
Travis Spencer

Co-Founder, Twobo Technologies, Nordic APIs

Table of Contents

  • Preface
  • 1. Introducing API Security Concepts
    • 1.1 Identity is at the Forefront of API Security
    • 1.2 Neo-Security Stack
    • 1.3 OAuth Basics
    • 1.4 OpenID Connect
    • 1.5 JSON Identity Suite
    • 1.6 Neo-Security Stack Protocols Increase API Security
    • 1.7 The Myth of API Keys
    • 1.8 Access Management
    • 1.9 IoT Security
    • 1.10 Using Proven Standards
  • 2. The 4 Defenses of The API Stronghold
    • 2.1 Balancing Access and Permissions
    • 2.2 Authentication: Identity
    • 2.3 Authorization: Access
    • 2.4 Federation: Reusing Credentials & Spreading Resources
    • 2.5 Delegation: The Signet of (Limited) Power
    • 2.6 Holistic Security vs. Singular Approach
    • 2.7 Application For APIs
  • 3. Equipping Your API With the Right Armor: 3 Approaches to Provisioning
    • 3.1 Differences In API Approaches: Private, Public, & Partner APIs
    • 3.2 Considerations and Caveats
    • 3.3 So Where Is The Middle Ground?
    • 3.4 Real-World Failure
    • 3.5 Two Real-World Successes
    • 3.6 Conclusion
  • 4. Your API is Vulnerable: 4 Top Security Risks to Mitigate
    • 4.1 Gauging Vulnerabilities
    • 4.2 Black Hat vs. White Hat Hackers
    • 4.3 Risk 1 - Security Relies on the Developer
    • 4.4 Risk 2 - “Just Enough” Coding
    • 4.5 Risk 3 - Misunderstanding Your Ecosystem
    • 4.6 Risk 4 - Trusting the API Consumer With Too Much Control
    • 4.7 Conclusion
  • 5. Deep Dive into OAuth and OpenID Connect
    • 5.1 OAuth and OpenID Connect in Context
    • 5.2 Start with a Secure Foundation
    • 5.3 Overview of OAuth
    • 5.4 Actors in OAuth
    • 5.5 Scopes
    • 5.6 Kinds of Tokens
    • 5.7 Passing Tokens
    • 5.8 Profiles of Tokens
    • 5.9 Types of Tokens
    • 5.10 OAuth Flow
    • 5.11 Improper and Proper Uses of OAuth
    • 5.12 Building OpenID Connect Atop OAuth
    • 5.13 Conclusion
  • 6. Unique Authorization Applications of OpenID Connect
    • 6.1 How OpenID Connect Enables Native SSO
    • 6.2 How to Use OpenID Connect to Enable Mobile Information Management and BYOD
    • 6.3 How OpenID Connect Enables the Internet of Things
  • 7. How To Control User Identity Within Microservices
    • 7.1 What Are Microservices, Again?
    • 7.2 Great, So What’s The Problem?
    • 7.3 The Solution: OAuth As A Delegation Protocol
    • 7.4 The Simplified OAuth 2 Flow
    • 7.5 The OpenID Connect Flow
    • 7.6 Using JWT For OAuth Access Tokens
    • 7.7 Let All Microservices Consume JWT
    • 7.8 Why Do This?
  • 8. Data Sharing in the IoT
    • 8.1 A New Economy Based on Shared, Delegated Ownership
    • 8.2 Connected Bike Lock Example IoT Device
    • 8.3 How This Works
    • 8.4 Option #1: Access Tables
    • 8.5 Option #2: Delegated Tokens: OpenID Connect
    • 8.6 Review:
  • 9. Securing Your Data Stream with P2P Encryption
    • 9.1 Why Encrypt Data?
    • 9.2 Defining Terms
    • 9.3 Variants of Key Encryption
    • 9.4 Built-in Encryption Solutions
    • 9.5 External Encryption Solutions
    • 9.6 Use-Case Scenarios
    • 9.7 Example Code Executions
    • 9.8 Conclusion
  • 10. Day Zero Flash Exploits and Versioning Techniques
    • 10.1 Short History of Dependency-Centric Design Architecture
    • 10.2 The Hotfix — Versioning
    • 10.3 Dependency Implementation Steps: EIT
    • 10.4 Lessons Learned
    • 10.5 Conclusion
  • 11. Fostering an Internal Culture of Security
    • 11.1 Holistic Security — Whose Responsibility?
    • 11.2 The Importance of CIA: Confidentiality, Integrity, Availability
    • 11.3 4 Aspects of a Security Culture
    • 11.4 Considering “Culture”
    • 11.5 All Organizations Should Perpetuate an Internal Culture of Security
  • Resources
    • API Themed Events
    • API Security Talks:
    • Follow the Nordic APIs Blog
    • More eBooks by Nordic APIs:
  • Endnotes

Authors have earned$9,675,609writing, publishing and selling on Leanpub, earning 80% royalties while saving up to 25 million pounds of CO2 and up to 46,000 trees.

Learn more about writing on Leanpub

The Leanpub 45-day 100% Happiness Guarantee

Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets) and MOBI (for Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses! Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks. Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. It really is that easy.

Learn more about writing on Leanpub

Top Books

  1. #1

    El Manual del Manager

    Keyvan Akbary, Félix López, and Álvaro Salazar

    ¿Has deseado alguna vez el haber tenido una buena introducción al rol del Engineering Manager? En este libro aprenderás lo necesario para ejercer el rol de una manera efectiva: Expectativas y Responsabilidades del Rol, 1-1s, Ayudar a Crecer, Objetivos, Planes de Carrera, Cultura, Feedback, Contratación, Cultura de Producto y mucho más.

  2. #2

    Functional Design and Architecture

    Alexander Granin

    Software Design in Functional Programming, Design Patterns and Practices, Methodologies and Application Architectures. How to build real software in Haskell with less efforts and low risks. The first complete source of knowledge.

  3. #3

    Ansible for Kubernetes

    Jeff Geerling

    Ansible is a powerful infrastructure automation tool. Kubernetes is a powerful application deployment platform. Learn how to use these tools to automate massively-scalable, highly-available infrastructure.

  4. #4

    Ansible for DevOps

    Jeff Geerling

    Ansible is a simple, but powerful, server and configuration management tool. Learn to use Ansible effectively, whether you manage one server—or thousands.

  5. #5

    Practical FP in Scala: A hands-on approach

    Gabriel Volpe

    A practical book aimed for those familiar with functional programming in Scala who are yet not confident about architecting an application from scratch.

    Together, we will develop a purely functional application using the best libraries in the Cats ecosystem, while learning about design patterns and best practices.

  6. #6

    Tame your Work Flow

    Steve Tendon and Daniel Doiron

    Do you need a high performance enterprise governance approach improving management, execution and delivery while dealing with multiple projects/products, events, stakeholders and teams? Giving you better bottom line results, faster time to market, less work, better predictability, happier employees, and delighted clients? Then learn about TameFlow!

  7. #7

    C++ Best Practices

    Jason Turner

    Level up your C++, get the tools working for you, eliminate common problems, and move on to more exciting things!

  8. #8

    Cloud Strategy

    Gregor Hohpe

    “Strategy is the difference between making a wish and making it come true.” A successful migration to the cloud shouldn’t be driven by wishes, but guided by a sound strategy, frameworks, and decision models. This book tells you how—without becoming superficial nor getting lost in technology and product details.

  9. #9

    Machine Learning Engineering

    Andriy Burkov

    "If you intend to use machine learning to solve business problems at scale, I'm delighted you got your hands on this book."

    —Cassie Kozyrkov, Chief Decision Scientist at Google

    "Foundational work about the reality of building machine learning models in production."

    —Karolis Urbonas, Head of Machine Learning and Science at Amazon

  10. #10

    Composing Software

    Eric Elliott

    All software design is composition: the act of breaking complex problems down into smaller problems and composing those solutions. Most developers have a limited understanding of compositional techniques. It's time for that to change.

Top Bundles

  1. #1

    Quality Software

    11 Books

    The Quality Software Bundle is for managers, would-be managers, and any of us who find themselves being managed and confused. This comprehensive bundle covers the entire span of software development approaches, from hacking through waterfall, cascade, prototyping, Iterative enhancement, reusable code, off-the-shelf, to Agile teams. The bundle...
  2. #2

    The Node.js Bundle

    3 Books

    This bundle combines three bestselling Leanpub Node.js books into a package that gives you everything you need to get started with developing Node.js applications at an unbeatable price.
  3. #3

    The Tester's Library

    8 Books

    The Tester's Library consists of eight five-star books that every software tester should read and re-read. As bound books, this collection would cost over $200. Even as e-books, their price would exceed $80, but in this bundle, their cost is only $49.99. Here are the books, and why they should be in your library: Perfect Software and Other...
  4. #4

    agile

    11 Books

    In this bundle, you will find 10 different agile books. They are about different aspects of being agile. - finding a job - doing coding dojo's - Retrospectives - Personal kanban - a non-typical coaching book and even a book that gives you an insight in the lives of some agile people.
  5. #5

    WTFlop 6M + HU - Beta Bundle

    6 Books

  6. #6

    Marionette.js A to Z

    3 Books

    Marionette.js has become a popular Backbone-based javascript library, because it helps you avoid boiler-plate code and focus on what makes your app special. But how do you get started?Whether you want to finally get started with dynamic client-side programming (like one reader did), or are an experienced front-end dev who has inherited a...
  7. #7

    Complete Scala Bundle

    3 Books

    Scala is a general-purpose programming language and it's getting extremely popular these days. Some say that learning Scala could be a challenging task. My experience, however, suggests that this is actually a myth that has very little to do with reality. With the right approach, learning Scala can be easy, fun and rewarding.The first book from...
  8. #8

    Build A Better Backbone App

    3 Books

    The best way to learn new development skills is through experience, but that takes time you don't have.Get the best of both worlds with this bundle: you'll learn how to produce modern web applications by learning from experienced developers like Derick Bailey and David Sulc. BackboneJS is one of the favorite tools on the web today, but it...
  9. #9

    People Skills—Soft but Difficult

    7 Books

    Perhaps you've been told that "lack of people skills" has been holding you back. No wonder: you may have had hundreds of hours of technical training, but little or no "people skills" guidance.You've heard it said that people skills are "soft," whereas technical skills are "hard." For you, though, technical skills are "easy," but people skills...
  10. #10

    SurviveJS - Webpack + React

    2 Books

    Get both SurviveJS - Webpack and SurviveJS - React for a single price!

Publish Early, Publish Often

  • Path
  • There are many paths, but the one you're on right now on Leanpub is:
  • › Securing-the-api-stronghold

Leanpub is copyright © 2010-2020 Ruboss Technology Corp. All rights reserved.