Securing The API Stronghold
Free!
With Membership
$7.99
Suggested price

Securing The API Stronghold

The Ultimate Guide to API Security

About the Book

As the world becomes more and more connected, digital security is more and more a pressing concern. Especially in the Internet of Things (IoT), Application Programming Interface (API), and microservice spaces, the proper access management needs to be seriously addressed to ensure that web assets are securely distributed. We at Nordic APIs have collated our most helpful advice on API security into this eBook - a single tomb that introduces important terms, outlines proven API security stacks, and describes workflows using modern technologies. This knowledge is crucial for any web service that needs to properly authenticate, control access, delegate authority, and federate credentials across a system. Following an overview of basic concepts, we'll dive into specific considerations such as:

  • Detailing OAuth 2.0 and OpenID Connect protocols and workflows
  • Defining three distinct approaches to API licensing and availability
  • Performing delegation of user identity across microservices
  • Using OAuth and the Neo-Security stack to handle identity and access control
  • Differentiating Authentication, Authorization, Federation, and Delegation, and the importance of each
  • Using OpenID Connect for Native Single Sign On (SSO), Mobile Identity Management (MIM) & secure IoT applications
  • ... and more

Please read on, share, and enjoy our 5th eBook from the Nordic APIs team, a free compilation of insights from identity experts security specialists.

*All proceeds from the sale of this eBook will be donated to the Salvation Army in Sweden.

About the Author

Nordic APIs
Nordic APIs

Authors for this eBook include: Kristopher Sandoval, Bill Doerrfeld, Travis Spencer, Andreas Krohn, and Jacob Ideskog.

About the Contributors

Andreas Krohn
Andreas Krohn

Co-Founder, Dopter

Bill Doerrfeld
Bill Doerrfeld

Nordic APIs Editor in Chief

Jacob Ideskog
Jacob Ideskog

Co-Founder, Twobo Technologies

Kristopher Sandoval
Kristopher Sandoval

Web Developer, Nordic APIs Blogger

Travis Spencer
Travis Spencer

Co-Founder, Twobo Technologies, Nordic APIs

Table of Contents

  • Preface
  • 1. Introducing API Security Concepts
    • 1.1 Identity is at the Forefront of API Security
    • 1.2 Neo-Security Stack
    • 1.3 OAuth Basics
    • 1.4 OpenID Connect
    • 1.5 JSON Identity Suite
    • 1.6 Neo-Security Stack Protocols Increase API Security
    • 1.7 The Myth of API Keys
    • 1.8 Access Management
    • 1.9 IoT Security
    • 1.10 Using Proven Standards
  • 2. The 4 Defenses of The API Stronghold
    • 2.1 Balancing Access and Permissions
    • 2.2 Authentication: Identity
    • 2.3 Authorization: Access
    • 2.4 Federation: Reusing Credentials & Spreading Resources
    • 2.5 Delegation: The Signet of (Limited) Power
    • 2.6 Holistic Security vs. Singular Approach
    • 2.7 Application For APIs
  • 3. Equipping Your API With the Right Armor: 3 Approaches to Provisioning
    • 3.1 Differences In API Approaches: Private, Public, & Partner APIs
    • 3.2 Considerations and Caveats
    • 3.3 So Where Is The Middle Ground?
    • 3.4 Real-World Failure
    • 3.5 Two Real-World Successes
    • 3.6 Conclusion
  • 4. Your API is Vulnerable: 4 Top Security Risks to Mitigate
    • 4.1 Gauging Vulnerabilities
    • 4.2 Black Hat vs. White Hat Hackers
    • 4.3 Risk 1 - Security Relies on the Developer
    • 4.4 Risk 2 - “Just Enough” Coding
    • 4.5 Risk 3 - Misunderstanding Your Ecosystem
    • 4.6 Risk 4 - Trusting the API Consumer With Too Much Control
    • 4.7 Conclusion
  • 5. Deep Dive into OAuth and OpenID Connect
    • 5.1 OAuth and OpenID Connect in Context
    • 5.2 Start with a Secure Foundation
    • 5.3 Overview of OAuth
    • 5.4 Actors in OAuth
    • 5.5 Scopes
    • 5.6 Kinds of Tokens
    • 5.7 Passing Tokens
    • 5.8 Profiles of Tokens
    • 5.9 Types of Tokens
    • 5.10 OAuth Flow
    • 5.11 Improper and Proper Uses of OAuth
    • 5.12 Building OpenID Connect Atop OAuth
    • 5.13 Conclusion
  • 6. Unique Authorization Applications of OpenID Connect
    • 6.1 How OpenID Connect Enables Native SSO
    • 6.2 How to Use OpenID Connect to Enable Mobile Information Management and BYOD
    • 6.3 How OpenID Connect Enables the Internet of Things
  • 7. How To Control User Identity Within Microservices
    • 7.1 What Are Microservices, Again?
    • 7.2 Great, So What’s The Problem?
    • 7.3 The Solution: OAuth As A Delegation Protocol
    • 7.4 The Simplified OAuth 2 Flow
    • 7.5 The OpenID Connect Flow
    • 7.6 Using JWT For OAuth Access Tokens
    • 7.7 Let All Microservices Consume JWT
    • 7.8 Why Do This?
  • 8. Data Sharing in the IoT
    • 8.1 A New Economy Based on Shared, Delegated Ownership
    • 8.2 Connected Bike Lock Example IoT Device
    • 8.3 How This Works
    • 8.4 Option #1: Access Tables
    • 8.5 Option #2: Delegated Tokens: OpenID Connect
    • 8.6 Review:
  • 9. Securing Your Data Stream with P2P Encryption
    • 9.1 Why Encrypt Data?
    • 9.2 Defining Terms
    • 9.3 Variants of Key Encryption
    • 9.4 Built-in Encryption Solutions
    • 9.5 External Encryption Solutions
    • 9.6 Use-Case Scenarios
    • 9.7 Example Code Executions
    • 9.8 Conclusion
  • 10. Day Zero Flash Exploits and Versioning Techniques
    • 10.1 Short History of Dependency-Centric Design Architecture
    • 10.2 The Hotfix — Versioning
    • 10.3 Dependency Implementation Steps: EIT
    • 10.4 Lessons Learned
    • 10.5 Conclusion
  • 11. Fostering an Internal Culture of Security
    • 11.1 Holistic Security — Whose Responsibility?
    • 11.2 The Importance of CIA: Confidentiality, Integrity, Availability
    • 11.3 4 Aspects of a Security Culture
    • 11.4 Considering “Culture”
    • 11.5 All Organizations Should Perpetuate an Internal Culture of Security
  • Resources
    • API Themed Events
    • API Security Talks:
    • Follow the Nordic APIs Blog
    • More eBooks by Nordic APIs:
  • Endnotes

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earnedover $13 millionwriting, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub