Enterprise Security APIs

Jun 19, 2015

Adam Migus

Development in support of application security

Transcript
Page 1: Enterprise Security APIs

Enterprise Security APIs: Development in support of application security

Page 2: Enterprise Security APIs

Enterprise Security APIs

We can further improve application security by developing reusable software that provides security-centric functionality, makes it easier to develop secure software, or both.

Page 3: Enterprise Security APIs

Vulnerability Management Lifecycle

Prevent / Detect / Remediate

Prevent: Best practices and testing

Detect: Discover, assess and rank

Remediate: Catalog, prioritize and fix

Page 4: Enterprise Security APIs

Application Security

• Prevent: Policy enforcement and training

• Detect: Monitor, scan and review

• Remediate: Management and resourcing

Page 5: Enterprise Security APIs

Development happens… and security too

Page 6: Enterprise Security APIs

Authentication API

Loosen coupling to the system

Enforce policy: more control and granularity

Standardize across applications: consistent user experience

Page 7: Enterprise Security APIs

Cryptography API

Ensure that best practices are followed

Standardize key management

Stop storing secrets in configuration

Page 8: Enterprise Security APIs

CSRF Encrypted Token

Detect and remediate as a separate concern

Use the Cryptography API
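An added example, not from the slides: a hypothetical Go façade standing in for the Cryptography API (page 7) used to build the encrypted CSRF token of page 8. The names CryptoAPI, IssueCSRFToken and VerifyCSRFToken, the AES-GCM choice and the demo key are assumptions; the token carries only its issue time, is bound to the session id as associated data, and is checked by the API rather than by each application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"time"
)

// CryptoAPI is a hypothetical façade over the enterprise Cryptography API (AES-GCM behind it); the key comes from key management, never from configuration.
type CryptoAPI struct{ aead cipher.AEAD }
func NewCryptoAPI(key []byte) (*CryptoAPI, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &CryptoAPI{aead: aead}, err
}
// IssueCSRFToken encrypts the issue time under a fresh nonce, with the session id as associated data.
func IssueCSRFToken(c *CryptoAPI, sessionID string, issued time.Time) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(issued.Unix()))
	ct := c.aead.Seal(nonce, nonce, ts, []byte(sessionID)) // token = nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(ct), nil
}
// VerifyCSRFToken accepts only an untampered token issued to this session within maxAge.
func VerifyCSRFToken(c *CryptoAPI, token, sessionID string, now time.Time, maxAge time.Duration) error {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if n := c.aead.NonceSize(); err == nil && len(ct) >= n {
		pt, err := c.aead.Open(nil, ct[:n], ct[n:], []byte(sessionID)) // fails on tampering or another session
		if err == nil && len(pt) == 8 && now.Sub(time.Unix(int64(binary.BigEndian.Uint64(pt)), 0)) <= maxAge {
			return nil
		}
	}
	return fmt.Errorf("csrf token rejected")
}
func main() {
	api, _ := NewCryptoAPI([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte demo key
	tok, _ := IssueCSRFToken(api, "sess-A", time.Now())
	fmt.Println(tok, VerifyCSRFToken(api, tok, "sess-B", time.Now(), time.Hour)) // wrong session: rejected
}
```

Because the session id is authenticated but not stored in the token, a token lifted from one session cannot be replayed in another, and the timestamp inside the ciphertext lets the API expire tokens without server-side state.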

Page 9: Enterprise Security APIs

API-backed Application Security

• Prevent: Security built in by experts

• Detect: Purpose-built monitoring

• Remediate: The fix is the API

Page 10: Enterprise Security APIs

Creating an API… that developers want to use (that’s the hard part)

Page 11: Enterprise Security APIs

Getting started

Derive from existing use-cases

Get input from the application developers

Start with simple but extensible (SOLID)

Beware of anti-patterns!

Abstraction inversion

Bullet-point engineering

Page 12: Enterprise Security APIs

Maintenance

Refactor for extensibility

Use Semantic Versioning

Support the developers who use it

Help developers proactively

Implement fixes and extensions quickly

Triage issues quickly

Page 13: Enterprise Security APIs

Other concerns

Use a façade to abstract third-party components: simplify and constrain

Use open source: modularity is key, so choose and integrate carefully

Use OpenID Connect or SAML at the boundaries

Page 14: Enterprise Security APIs

What’s important

Ease of use: developers have to want to use it

So make the developer’s life easier

Modularity and portability: low barrier to integration

Page 15: Enterprise Security APIs

Remember to…

Create APIs to address application security concerns

Make them easy for developers to use

Make them easy to integrate

Page 16: Enterprise Security APIs

Thanks!

Adam Migus: www.migusgroup.com/adam

Email: [email protected]

Twitter: @amigus

Links:

http://en.wikipedia.org/wiki/Solid_(object-oriented_design)

http://semver.org/

http://openid.net/connect/