March 5th, 2012

Layer 7 at RSA Conference 2012

The 2012 RSA Conference is now over and, as many journalists rightly noted, this year’s show was as much about opening up the enterprise to the outside as it was about closing the enterprise off from the outside. With the acceleration of Cloud adoption and the rapid growth of tablets and smart phones inside the enterprise, the need to manage how information is shared out securely has never been greater. To this end, Layer 7 gave two talks at RSA, in addition to two workshops and a sponsorship of the Cloud Security Alliance Conference, around this general theme.

The two talks given by Layer 7 staff at RSA included one focused on access control best practices for APIs, called Enterprise Access Control Patterns for REST & Web API, and the other focused on the threat implications of open APIs, called Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. The first was delivered by Layer 7 Director of Solution Engineering Francois Lascelles. The second was delivered by Layer 7 CTO Scott Morrison. For those of you who were not able to catch the talks live, we provide the slides below. Enjoy.

March 2nd, 2012

API Security for Mobile & Cloud – A Best Practices Workshop for Enterprises Hosted by Layer 7

On Monday, February 27, 2012, Layer 7 hosted an exclusive workshop at RSA Conference in San Francisco at the trendy W Hotel. The audience was a group of IT professionals interested in learning more about API management as it relates to mobile and Cloud security.

There was an hour of networking before the presentations started, during which lunch was served. The room filled quickly. As this was an exclusive event, seating was limited. By the time the first presenter had started, it was standing room only.

Layer 7 CTO Scott Morrison hosted the event, which featured guest speakers Caleb Sima and Rag Ramanathan. The workshop provided insight into API security and management best practices for mobile and Cloud.

More and more enterprises are looking to API publishing as a way of exposing their data to partners and external developers building mobile apps and Cloud services. But this inevitably creates serious security concerns.

So the aim of the workshop was to address the issue of API security for mobile and Cloud, with three presentations. The slides from these presentations are embedded below.

Caleb Sima: Open APIs – Security for Mobile & the Cloud

A look at what’s driving new Internet-facing organizations to open up information through APIs, plus a discussion of the implications for application security.

Rag Ramanathan: Securing & Governing Cloud APIs

A look at why APIs matter in the Cloud and the unique security challenges Cloud APIs create.

Scott Morrison: API Security & Management Best Practices

A look at the high-level considerations for controlling, metering and monitoring APIs from test through to production.

February 23rd, 2012

Upcoming RSA Conference Talk: Hacking’s Gilded Age – How APIs Will Increase Risk & Chaos

I’m going to be speaking about API security at next week’s 2012 RSA Conference. I gave this talk the provocative title Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. It’s scheduled for Friday, March 2, 2012 at 10:10am in room 302.

Here’s the long form of the abstract, which gives a little more detail of what I’m going to cover in the talk than the short abstract that’s online does:

This session will explore why APIs (which are largely RESTful services) are fundamentally different from conventional Web sites, despite the fact that they share common elements such as the HTTP protocol. Web sites abstract back-end applications behind a veneer of HTML that should — if it is well-designed — constrain capability and thus limit an organization’s security exposure. APIs, in contrast, represent a more explicit interface leading directly into applications. These often self-document their intent and thus provide a hacker with important clues that may reveal potential attack vectors — from penetration to denial-of-service. Because of this, APIs require a much more sophisticated model for access control, confidentiality around parameters, integrity of transactions, attack detection, throttling and auditing.

But aside from the technological differences, there are cultural differences in the Web development community that considerably increase the risk profile of using APIs. Many API developers have backgrounds in Web site development and fail to understand why APIs demand a more rigorous security model than the Web sites they were trained on. In a misguided attempt to promote agility, convenience is often chosen over precaution and rigor. The astonishingly rapid rise of RESTful services over SOAP, OAuth over SAML, API keys over certificates and SSL (or nothing) over WS-Security is a testament to fast-and-informal prevailing over complex-and-standardized.

Nevertheless, it is certainly possible to build secure APIs and this session will demonstrate specifically how you can spearhead a secure and scalable API strategy. For every bad practice, we will offer an alternative pattern that is simple-but-secure. We will explicitly show how the API community is dangerously extending some Web paradigms, such as avoiding general use of SSL or not protecting security tokens, into the API world where the cost of failure is far greater. And finally, we will prescribe a series of directives that will steer developers away from the risky behaviors that are the norm on the conventional Web.

I hope you can attend. And if you do, please come up after the talk and say hello.

See you next week in San Francisco!

October 18th, 2011

Presentation: API Security & OAuth Patterns

Last week, Layer 7’s Director of Solutions Engineering, Francois Lascelles, gave a presentation at the RSA Europe Conference in London. The presentation, called Enterprise Access Control Patterns for REST and Web API, provided an overview of the various authentication and identity federation mechanisms applicable to Web APIs and RESTful Web services.

With more and more organizations looking to expose application data via APIs, the issue of API security is on a lot of people’s minds. Francois’ aim was to help some of these people make sense of protocols like OAuth, SAML and OpenID. He also aimed to explain how these protocols fit together and how they can be leveraged to enable trust management and access control.

Francois got a very positive response to this presentation, so we decided to make his slide deck more widely available. You can view the whole thing right now in the player below, courtesy of the Layer 7 SlideShare page:

October 5th, 2011

Let’s talk OAuth @RSAConference

A lot has changed about the state of OAuth since I last presented at RSA Conference. Last year, the enterprise was screaming for standardized mechanics to provide access control to their APIs. Back then, OAuth was merely on the Enterprise Architect’s radar. It’s now safe to say that OAuth 2.0 is poised to fill this gap. OAuth 2.0 is rich, with different token types to accommodate different styles: the ‘bearer’ token type provides the simplicity of cookies, while the ‘mac’ token type provides the security of HMAC signatures. OAuth 2.0 also defines many different flows to accommodate different situations, involving either two or three parties. Because this rising standard addresses so many use cases, the infrastructure supporting it must remain flexible to cover all of the benefits. Let’s talk OAuth, see you @RSAConference London, Oct 13 2011 STAR-305.
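To make the bearer-versus-MAC distinction concrete, here is an added example (not Layer 7 code and not taken from the talk) of how a MAC-type access token binds each request to the holder of a shared key. A bearer token is sent as-is, so whoever reads it off the wire can reuse it; a MAC token sends only a token id plus an HMAC over the request's timestamp, nonce, method, URI, host and port, so the key never leaves the client and a captured header can neither be replayed nor be attached to a different request. The header layout is modelled on the OAuth 2.0 MAC draft but simplified (hex digest instead of base64, no `ext` field and no body hash); the token id and key are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed sample credential: an access token id and the MAC key that the
# authorization server is assumed to have issued alongside it. The key is a
# shared secret between client and resource server and is never sent on the wire.
TOKEN_ID = "h480djs93hd8"
MAC_KEY = b"489dks293j39"
MAX_SKEW = 300  # seconds of clock skew tolerated before a request is rejected as stale


def normalized_request_string(ts, nonce, method, url):
    """Build the string both sides sign: ts, nonce, method, request URI, host, port,
    ext (empty here), each terminated by a newline. Any change to the request
    changes this string and therefore the MAC."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    request_uri = parts.path or "/"
    if parts.query:
        request_uri += "?" + parts.query
    return "\n".join([str(ts), nonce, method.upper(), request_uri,
                      parts.hostname, str(port), "", ""])


def compute_mac(ts, nonce, method, url):
    return hmac.new(MAC_KEY, normalized_request_string(ts, nonce, method, url).encode(),
                    hashlib.sha256).hexdigest()


def sign_request(method, url, ts=None, nonce=None):
    """Client side: produce the Authorization header for one request.
    Contrast with a bearer token, whose header would simply be 'Bearer <token>'."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = compute_mac(ts, nonce, method, url)
    return f'MAC id="{TOKEN_ID}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC header")
    fields = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def verify_request(header, method, url, now=None, seen=None):
    """Resource server side: recompute the MAC over the request as actually received,
    enforce a timestamp window and reject (id, ts, nonce) triples already seen."""
    now = int(time.time()) if now is None else now
    seen = set() if seen is None else seen
    try:
        fields = parse_mac_header(header)
        ts = int(fields["ts"])
        nonce, mac, token_id = fields["nonce"], fields["mac"], fields["id"]
    except (ValueError, KeyError):
        return False, "malformed header"
    if token_id != TOKEN_ID:
        return False, "unknown token id"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside window"
    expected = compute_mac(ts, nonce, method, url)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, "bad signature"
    replay_key = (token_id, ts, nonce)
    if replay_key in seen:
        return False, "replayed nonce"
    seen.add(replay_key)
    return True, "ok"


def demo():
    """Exercise the four cases a resource server must distinguish, with fixed inputs."""
    seen = set()
    ts, nonce = 1330000000, "dj83hs9s"  # constructed values for reproducibility
    url = "https://api.example.com/v1/accounts?limit=10"
    header = sign_request("GET", url, ts, nonce)
    return {
        "valid": verify_request(header, "GET", url, now=ts, seen=seen)[1],
        "tampered": verify_request(header, "GET", url.replace("limit=10", "limit=1000"), now=ts, seen=seen)[1],
        "replay": verify_request(header, "GET", url, now=ts, seen=seen)[1],
        "stale": verify_request(header, "GET", url, now=ts + 3600, seen=set())[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

The nonce cache and timestamp window together give the replay protection that a bearer token lacks; in a real deployment the cache would be shared across resource-server instances and expired alongside the window, and the MAC key would be issued per token by the authorization server rather than held as a constant.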