Best Practices for Securing Your APIs
I'd like to share a presentation I've put together on some best practices for securing your APIs. This presentation covers everything from encryption, to UUIDs, the differences between authentication and authorization, OAuth and OpenID Connect, and a host of other information around SSL, TLS, and more ways you can secure your APIs from those pesky would-be hackers.
Much has been said around securing APIs and fortunately people do try to implement some of these practices. Unfortunately, most do not implement multiple legged security thereby relying solely on a single measure or two simplistic and easy-to-defeat mechanisms to secure their APIs. Alas, some even rely on not publishing the documentation for their APIs as a measure of "security". These methods are simply not acceptable and it's important to approach security by believing that there are indeed smarter hackers than you out there and that your information is always at risk.
It is critical that you pay careful attention to security not as an afterthought, but as a well-formed strategy as you build your interfaces. Security should be engrained in every resource, every action, and truly everything you do as you build and design APIs! Please read and enjoy and feel free to provide feedback!
Note: This content will be presented at various API meet ups around the east coast and has been generated in my role as a CA APIM Principal Consultant. This topic is one I consider CA Technologies to be highly knowledgable on and they provide a very comprehensive set of Security, Identity Management, and API Management solutions. Feel free to reach out to either myself or any of us at CA to talk about how you can better secure your APIs.
[gallery type="columns" size="large" ids="390,391,392,393,394,395,396,397,398,399,400,401,402,403,404"]