eBook Released: Securing the API Stronghold

Bill Doerrfeld
September 24, 2015

We're very pleased to announce the release of our new eBook, Securing the API Stronghold: The Ultimate Guide to API Security. Visit our eBooks page today to grab a FREE copy, or download it to your Kindle from the Amazon store.

Our new eBook: Securing the API Stronghold

Securing the API Stronghold is the most comprehensive freely available deep dive into the core tenets of modern web API security and access management. Arm yourself with the techniques and technologies required to evolve your platform into an API stronghold.

Table of Contents

i. Preface

1. Introducing API Security Concepts
1.1 Identity is at the Forefront of API Security
1.2 Neo-Security Stack
1.3 OAuth Basics
1.4 OpenID Connect
1.5 JSON Identity Suite
1.6 Neo-Security Stack Protocols Increase API Security
1.7 The Myth of API Keys
1.8 Access Management
1.9 IoT Security
1.10 Using Proven Standards

2. The 4 Defenses of The API Stronghold
2.1 Balancing Access and Permissions
2.2 Authentication: Identity
2.3 Authorization: Access
2.4 Federation: Reusing Credentials & Spreading Resources
2.5 Delegation: The Signet of (Limited) Power
2.6 Holistic Security vs. Singular Approach
2.7 Application For APIs

3. Equipping Your API With the Right Armor
3.1 Differences In API Approaches: Private, Public, & Partner APIs
3.2 Considerations and Caveats
3.3 So Where Is The Middle Ground?
3.4 Real-World Failure
3.5 Two Real-World Successes
3.6 Conclusion

4. Your API is Vulnerable: 4 Top Security Risks to Mitigate
4.1 Gauging Vulnerabilities
4.2 Black Hat vs. White Hat Hackers
4.3 Risk 1 – Security Relies on the Developer
4.4 Risk 2 – “Just Enough” Coding
4.5 Risk 3 – Misunderstanding Your Ecosystem
4.6 Risk 4 – Trusting the API Consumer With Too Much Control
4.7 Conclusion

5. Deep Dive into OAuth and OpenID Connect
5.1 OAuth and OpenID Connect in Context
5.2 Start with a Secure Foundation
5.3 Overview of OAuth
5.4 Actors in OAuth
5.5 Scopes
5.6 Kinds of Tokens
5.7 Passing Tokens
5.8 Profiles of Tokens
5.9 Types of Tokens
5.10 OAuth Flow
5.11 Improper and Proper Uses of OAuth
5.12 Building OpenID Connect Atop OAuth
5.13 Conclusion

6. Unique Authorization Applications of OpenID Connect
6.1 How OpenID Connect Enables Native SSO
6.2 How to Use OpenID Connect to Enable Mobile Information Management and BYOD
6.3 How OpenID Connect Enables the Internet of Things

7. How To Control User Identity Within Microservices
7.1 What Are Microservices, Again?
7.2 Great, So What’s The Problem?
7.3 The Solution: OAuth As A Delegation Protocol
7.4 The Simplified OAuth2 Flow
7.5 The OpenID Connect Flow
7.6 Using JWT For OAuth Access Tokens
7.7 Let All Microservices Consume JWT
7.8 Why Do This?

8. Data Sharing in the IoT
8.1 A New Economy Based on Shared, Delegated Ownership
8.2 Connected Bike Lock Example IoT Device
8.3 How This Works
8.4 Option #1: Access Tables
8.5 Option #2: Delegated Tokens: OpenID Connect
8.6 Review

9. Securing Your Data Stream with P2P Encryption
9.1 Why Encrypt Data?
9.2 Defining Terms
9.3 Variants of Key Encryption
9.4 Built-in Encryption Solutions
9.5 External Encryption Solutions
9.6 Use-Case Scenarios
9.7 Example Code Executions
9.8 Conclusion

10. Day Zero Flash Exploits and Versioning Techniques
10.1 Short History of Dependency-Centric Design Architecture
10.2 The Hotfix — Versioning
10.3 Dependency Implementation Steps: EIT
10.4 Lessons Learned
10.5 Conclusion

11. Fostering an Internal Culture of Security
11.1 Holistic Security — Whose Responsibility?
11.2 The Importance of CIA: Confidentiality, Integrity, Availability
11.3 4 Aspects of a Security Culture
11.4 Considering “Culture”
11.5 All Organizations Should Perpetuate an Internal Culture of Security

Resources
API Themed Events
API Security Talks
More eBooks by NordicAPIs
Endnotes

Pricing & Download

The book is FREE to download straight from the Nordic APIs eBook page. However, if you would like to support Nordic APIs, you can purchase the eBook through Leanpub and name your price, or download it for $0.99 through the Amazon store.

Summary

As the world becomes more and more connected, digital security is an increasingly pressing concern. Especially in the Internet of Things (IoT), Application Programming Interface (API), and microservice spaces, user identity control and access management need to be properly handled to ensure that web assets are securely distributed.

We at Nordic APIs have collated our most helpful advice on API security into this eBook – a single tome that introduces important terms, outlines proven API security stacks, and describes workflows using modern technologies. This knowledge is crucial for any web service that needs to properly authenticate, control access, delegate authority, and federate credentials across a system.

Following an overview of basic concepts, we’ll dive into specific considerations such as:
- Detailing OAuth 2.0 and OpenID Connect protocols and workflows
- Defining the three distinct approaches to API provisioning
- Performing delegation of user identity across microservices
- Using OAuth and the Neo-Security stack to handle access control within IoT scenarios
- Differentiating Authentication, Authorization, Federation, and Delegation, and the importance of each concept
- Using OpenID Connect for Native Single Sign On (SSO) and Mobile Identity Management (MIM)
- and more…

Please read on, share, and enjoy our 5th eBook from the Nordic APIs team, a free compilation of insights from a wide range of identity and security specialists.

Visit our Permanent eBook Page

Check out our dedicated eBook page to view our other eBook releases, and keep on the lookout for our next upcoming release – Using Spark Java to Program APIs – a guide to creating powerful APIs using the Spark Java micro framework developed and maintained by Per Wendel.

As always, we welcome feedback in the comments below, or on our Twitter, LinkedIn, or Google+ pages. Please enjoy Securing the API Stronghold, and let us know how we can improve. Be sure to join the Nordic APIs newsletter for news about upcoming events as well as blog and eBook updates.

Thank you to all our participants, contributors, and followers that have made this release possible!