Enterprise Security APIs

Posted on 19-Jun-2015

DESCRIPTION

Development in support of application security

TRANSCRIPT

Enterprise Security APIs

Development in support of application security

Enterprise Security APIs

We can further improve application security by developing reusable software that provides security-centric functionality, makes it easier to develop secure software, or both.

Vulnerability Management Lifecycle

Prevent: best practices and testing

Detect: discover, assess and rank

Remediate: catalog, prioritize and fix

Application Security

• Prevent: policy enforcement and training

• Detect: monitor, scan and review

• Remediate: management and resourcing

Development happens… and security too

Authentication API

Loosen coupling to the system

Enforce policy: more control and granularity

Standardize across applications: consistent user experience

Cryptography API

Ensure that best practices are followed

Standardize key management

Stop storing secrets in configuration

CSRF Encrypted Token

Detect and remediate as a separated concern

Use the Cryptography API
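The two slides above (Cryptography API, CSRF Encrypted Token) describe a layering: a cryptography façade that fixes the algorithm and owns key management, and a CSRF token component that is a separate concern built on top of it. The following is an added example of that layering, not code from the talk or from Adam Migus; the deck names no language, and Go is used here because its standard library provides an AEAD (AES-256-GCM) without third-party dependencies. Every type and name (KeyRing, CryptoAPI, CSRFTokens, the version || nonce || ciphertext token layout, the 32-byte key rule, the session id bound as associated data) is this example's own design, not something the slides specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var ErrInvalidToken = errors.New("csrf: token invalid, tampered or bound to another session")
var ErrExpired = errors.New("csrf: token expired")
var ErrUnknownKey = errors.New("crypto: unknown key version or key is not 32 bytes")

// KeyRing holds versioned AES-256 keys handed in by whatever loads them (environment or
// secrets manager); nothing in this file reads application configuration.
type KeyRing struct {
	keys    map[uint8][]byte
	current uint8 // version used for new tokens; older versions stay readable
}

func (r *KeyRing) aead(id uint8) (cipher.AEAD, error) {
	k, ok := r.keys[id]
	if !ok || len(k) != 32 { // one place enforces the key-length rule for every caller
		return nil, ErrUnknownKey
	}
	block, _ := aes.NewCipher(k) // cannot fail: length validated above
	return cipher.NewGCM(block)
}

// CryptoAPI is the façade: it fixes the algorithm (AES-256-GCM), owns nonce generation
// and defines the token layout version(1) || nonce(12) || ciphertext+tag, base64url encoded.
type CryptoAPI struct{ ring *KeyRing }

func (c *CryptoAPI) Seal(plaintext, aad []byte) (string, error) {
	gcm, err := c.ring.aead(c.ring.current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := gcm.Seal(append([]byte{c.ring.current}, nonce...), nonce, plaintext, aad)
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// Open decrypts with whichever key version the token names, so rotation keeps old tokens valid.
func (c *CryptoAPI) Open(token string, aad []byte) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < 1+12+16 { // version + GCM nonce + GCM tag
		return nil, ErrInvalidToken
	}
	gcm, err := c.ring.aead(raw[0])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, raw[1:13], raw[13:], aad)
	if err != nil {
		return nil, ErrInvalidToken
	}
	return pt, nil
}

// CSRFTokens is the separated concern: sessions and expiry live here, every
// cryptographic decision is delegated to CryptoAPI.
type CSRFTokens struct {
	api *CryptoAPI
	ttl time.Duration
	now func() time.Time // injectable clock so expiry can be tested
}

// Issue encrypts expiry || 16 random bytes with the session id as associated data,
// so the same token presented under another session fails authentication.
func (t *CSRFTokens) Issue(sessionID string) (string, error) {
	body := make([]byte, 24)
	binary.BigEndian.PutUint64(body, uint64(t.now().Add(t.ttl).Unix()))
	if _, err := rand.Read(body[8:]); err != nil {
		return "", err
	}
	return t.api.Seal(body, []byte(sessionID))
}

func (t *CSRFTokens) Verify(sessionID, token string) error {
	body, err := t.api.Open(token, []byte(sessionID))
	if err != nil {
		return err
	}
	if len(body) != 24 {
		return ErrInvalidToken
	}
	if int64(binary.BigEndian.Uint64(body)) < t.now().Unix() {
		return ErrExpired
	}
	return nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys come from a secret store
	rand.Read(key)
	csrf := &CSRFTokens{api: &CryptoAPI{&KeyRing{map[uint8][]byte{1: key}, 1}}, ttl: time.Hour, now: time.Now}
	tok, _ := csrf.Issue("session-abc")
	fmt.Println(csrf.Verify("session-abc", tok), csrf.Verify("session-xyz", tok))
}
```

The application code that emits a form or checks a request only ever calls Issue and Verify; it never chooses a cipher, handles a nonce or sees key bytes, which is what "the fix is the API" means in practice. Key rotation is a KeyRing change (add version 2, make it current) rather than an application change, and because the token carries its key version, tokens issued under version 1 keep verifying until they expire.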

API-backed Application Security

• Prevent: security built in by experts

• Detect: purpose-built monitoring

• Remediate: the fix is the API

Creating an API… that developers want to use (that’s the hard part)

Getting started

Derive from existing use-cases

Get input from the application developers

Start with simple but extensible (SOLID)

Beware of anti-patterns!

Abstraction inversion

Bullet-point engineering

Maintenance

Refactor for extensibility

Use Semantic Versioning

Support the developers who use it

Help developers proactively

Implement fixes and extensions quickly

Triage issues quickly

Other concerns

Use a façade to abstract third-party components: simplify and constrain

Use open source: modularity is key, so choose and integrate carefully

Use OpenID Connect or SAML at the boundaries

What’s important

Ease of use: developers have to want to use it

So make the developer’s life easier

Modularity and portability: low barrier to integration

Remember to…

Create APIs to address application security concerns

Make them easy for developers to use

Make them easy to integrate

Thanks!

Adam Migus: www.migusgroup.com/adam

Email: adam@migusgroup.com

Twitter: @amigus

Links:

http://en.wikipedia.org/wiki/Solid_(object-oriented_design)

http://semver.org/

http://openid.net/connect/
