eBook Released: Securing the API Stronghold Bill Doerrfeld September 24, 2015 We’re very pleased to announce the release of our new eBook Securing the API Stronghold: The Ultimate Guide to API Security. Visit our eBooks page today to grab a FREE copy. Or, download to your Kindle from the Amazon store.Our new eBook: Securing the API Stronghold Securing the API Stronghold is the most comprehensive and freely available deep dive into the core tenants of modern web API security and access management. Arm yourself with the techniques and technologies required to evolve your platform into an API stronghold.Table of Contentsi. Preface1. Introducing API Security Concepts1.1 Identity is at the Forefront of API Security1.2 Neo-Security Stack1.3 OAuth Basics1.4 OpenID Connect1.5 JSON Identity Suite1.6 Neo-Security Stack Protocols Increase API Security1.7 The Myth of API Keys1.8 Access Management1.9 IoT Security1.10 Using Proven Standards2. The 4 Defenses of The API Stronghold2.1 Balancing Access and Permissions2.2 Authentication: Identity2.3 Authorization: Access2.4 Federation: Reusing Credentials & Spreading Resources2.5 Delegation: The Signet of (Limited) Power2.6 Holistic Security vs. Singular Approach2.7 Application For APIs3. Equipping Your API With the Right Armor3.1 Differences In API Approaches: Private, Public, & Partner APIs3.2 Considerations and Caveats3.3 So Where Is The Middle Ground?3.4 Real-World Failure3.5 Two Real-World Successes3.6 Conclusion4. Your API is Vulnerable: 4 Top Security Risks to Mitigate4.1 Gauging Vulnerabilities4.2 Black Hat vs.White Hat Hackers4.3 Risk 1 – Security Relies on the Developer4.4 Risk 2 – “Just Enough” Coding4.5 Risk 3 – Misunderstanding Your Ecosystem4.6 Risk 4 – Trusting the API Consumer With Too Much Control4.7 Conclusion5. Deep Dive into OAuth and OpenID Connect5.1 OAuth and OpenID Connect in Context5.2 Start with a Secure Foundation5.3 Overview of OAuth5.4 Actors in OAuth5.5 Scopes5.6 Kinds of Tokens5.7 Passing Tokens5.8 Profiles of Tokens5.9 Types of Tokens5.10 OAuth Flow5.11 Improper and Proper Uses of OAuth5.12 Building OpenID Connect Atop OAuth5.13 Conclusion6. Unique Authorization Applications of OpenID Connect6.1 How OpenID Connect Enables Native SSO6.2 How to Use OpenID Connect to Enable Mobile Information Management and BYOD6.3 How OpenID Connect Enables the Internet of Things7. How To Control User Identity Within Microservices7.1 What Are Microservices, Again?7.2 Great, So What’s The Problem?7.3 The Solution: OAuth As A Delegation Protocol7.4 The Simplified OAuth2 Flow7.5 The OpenID Connect Flow7.6 Using JWT For OAuth Access Tokens7.7 Let All Microservices Consume JWT7.8 Why Do This?8. Data Sharing in the IoT8.1 A New Economy Based on Shared, Delegated Ownership8.2 Connected Bike Lock Example IoT Device8.3 How This Works8.4 Option #1: Access Tables8.5 Option #2: Delegated Tokens: OpenID Connect8.6 Review9. Securing Your Data Stream with P2P Encryption9.1 Why Encrypt Data?9.2 DefiningTerms9.3 Variants of Key Encryption9.4 Built-in Encryption Solutions9.5 External Encryption Solutions9.6 Use-Case Scenarios9.7 Example Code Executions9.8 Conclusion10. Day Zero Flash Exploits and Versioning Techniques10.1 Short History of Dependency-Centric Design Architecture10.2 The Hotfix — Versioning10.3 Dependency Implementation Steps: EIT10.4 Lessons Learned10.5 Conclusion11. Fostering an Internal Culture of Security11.1 Holistic Security — Whose Responsibility?11.2 The Importance of CIA: Confidentiality, Integrity, Availability11.3 4 Aspects of a Security Culture11.4 Considering “Culture”11.5 All Organizations Should Perpetuate an Internal Culture of SecurityResourcesAPI Themed EventsAPI Security TalksMore eBooks by NordicAPIsEndnotesPricing & DownloadThe book is FREE to download straight from the Nordic APIs eBook page. However, if you would like to support Nordic APIs, you can purchase the eBook through Leanpub and name your price, or download it for $0.99 through the Amazon store. SummaryAs the world becomes more and more connected, digital security is more and more a pressing concern. Especially in the Internet of Things (IoT), Application Programming Interface (API), and microservice spaces, user identity control and access management needs to be properly handled to ensure that web assets are securely distributed.We at Nordic APIs have collated our most helpful advice on API security into this eBook – a single tomb that introduces important terms, outlines proven API security stacks, and describes workflows using modern technologies. This knowledge is crucial for any web service that needs to properly authenticate, control access, delegate authority, and federate credentials across a system. Following an overview of basic concepts, we’ll dive into specific considerations such as:Detailing OAuth 2.0 and OpenID Connect protocols and workflows,Defining the three distinct approaches to API provisioning,Performing delegation of user identity across microservices,Using OAuth and the Neo-Security stack to handle access control within IoT scenarios,Differentiating Authentication, Authorization, Federation, and Delegation, and the importance of each concept,Using OpenID Connect for Native Single Sign On (SSO) and Mobile Identity Management (MIM),and more….Please read on, share, and enjoy our 5th eBook from the Nordic APIs team, a free compilation of insights from a wide range of identity and security specialists.Visit our Permanent eBook PageCheck out our dedicated eBook page to view our other eBook releases, and keep on the lookout for our next upcoming release – Using Spark Java to Program APIs – a guide to creating powerful APIs using the Spark Java micro framework developed and maintained by Per Wendel.As always, we welcome feedback in the comments below, or on our Twitter, Linkedin, or Google+ pages. Please enjoy Securing the API Stronghold, and let us know how we can improve. Be sure to join the Nordic APIs newsletter for news about upcoming events as well as blog and eBook updates.Thank you to all our participants, contributors, and followers that have made this release possible!
