Is your perimeter security obsolete? Learn the architectural patterns that contain attackers who are already inside your network and prevent lateral movement.
#1 (about 2 minutes)
The urgent need for API security from day one
Recent studies show widespread vulnerabilities like hard-coded keys and authorization failures, highlighting the necessity of designing for security from the start.
#2 (about 1 minute)
Focusing on secure architecture over just code
The OWASP API Security Top 10 reveals that many critical risks, like broken authorization, are best addressed through architectural design rather than just secure coding practices.
#3 (about 2 minutes)
A typical API architecture overview
A common API architecture consists of clients, an API gateway acting as a single entry point, and various backend APIs or microservices handling specific responsibilities.
#4 (about 6 minutes)
Why perimeter security is no longer enough
A compromised internal service, such as a vulnerable image processor, can breach the entire trusted zone, demonstrating that a single perimeter defense is insufficient.
#5 (about 5 minutes)
Using compartmentalization for defense-in-depth
By isolating high-risk services like image processors into separate trust zones, you can contain the damage from a potential breach as part of a defense-in-depth strategy.
#6 (about 3 minutes)
Isolating both untrusted and sensitive services
Compartmentalization applies both to sandboxing untrusted components and to creating secure enclaves for highly sensitive services like authentication or payments.
#7 (about 5 minutes)
Authenticating internal API-to-API calls
To prevent a compromised internal service from moving laterally, enforce authentication between all internal APIs and define strict policies on which services can communicate.
#8 (about 5 minutes)
Propagating user context to internal APIs
Internal services need user context to make authorization decisions, which can be achieved by forwarding the user's authentication state from the gateway via a token relay.
#9 (about 4 minutes)
Using reference tokens instead of raw JWTs
To avoid exposing large or sensitive JWTs to clients, an API gateway can issue a small, opaque reference token and translate it back to the full JWT for internal API calls.
#10 (about 2 minutes)
Following JWT security best practices
JSON Web Tokens are not a complete security solution and require careful implementation to avoid common pitfalls related to signature validation, algorithm choice, and revocation.
#11 (about 2 minutes)
Key architectural takeaways for API security
Improve your API security by planning for compromise, choosing simple and robust solutions, and using the API gateway to shield internal implementation details from clients.