open apis - risks and rewards (Øredev 2013)

Open APIs - Risks & Rewards Hampus Brynolf Andreas Krohn Travis Spencer

Upload: nordic-apis

Post on 08-May-2015


DESCRIPTION

Introducing Open APIs and the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack and how Twitters API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev 7 november 2013 in Malmö Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

TRANSCRIPT

Page 1: Open APIs - Risks and Rewards (Øredev 2013)

Open APIs - Risks & Rewards

Hampus Brynolf

Andreas Krohn

Travis Spencer

Page 2: Open APIs - Risks and Rewards (Øredev 2013)

Open APIs - Risks & Rewards

Andreas Krohn, Dopter

Page 3: Open APIs - Risks and Rewards (Øredev 2013)

Application Programming

Interface

API

Page 4: Open APIs - Risks and Rewards (Øredev 2013)

API

‣ HTTP Request

‣ Machine readable response

‣ JSON

‣ XML

Page 5: Open APIs - Risks and Rewards (Øredev 2013)

API

‣ HTTP Methods

‣ GET, POST etc

‣ HTTP Headers

‣ URI

‣ Query Parameters

‣ Body

Page 6: Open APIs - Risks and Rewards (Øredev 2013)

Open API

‣ “Not closed”

‣ Anyone can use it

‣ Free or paid

Page 12: Open APIs - Risks and Rewards (Øredev 2013)
Page 13: Open APIs - Risks and Rewards (Øredev 2013)

Open APIs - Risks & Rewards

Hampus Brynolf, Intellecta

Page 14: Open APIs - Risks and Rewards (Øredev 2013)

TWITTER IN SWEDEN

Page 15: Open APIs - Risks and Rewards (Øredev 2013)

Method (flow diagram; labels recovered from the slide):

1. Get from queue

2. Check language (branches: “Finnish?”, “Not Finnish?”, “Block”)

3. Save

4. Add friends and followers

Page 16: Open APIs - Risks and Rewards (Øredev 2013)

Language analysis

• N-gram-based text categorization

– Searches for three-letter combinations in words

– Considered stable

– Worse result with few tweets

– http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.53.9367
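The "three-letter combinations" on this slide are the character trigrams of the cited Cavnar & Trenkle method. The following is an added illustration, not code from the talk: it builds trigram frequency profiles from constructed Swedish, Finnish and English snippets (assumed training text; real profiles need far larger corpora) and classifies new text by the rank-order "out-of-place" distance. Inspecting the returned distances shows why a short input, like a handful of tweets, gives a thinner margin between languages.

```python
import re
from collections import Counter

# Constructed training snippets (assumption: stand-ins for real corpora)
TRAINING = {
    "sv": "det här är en svensk text om hur vi använder öppna gränssnitt och "
          "hur man kan analysera tweets från sverige med hjälp av språkigenkänning",
    "fi": "tämä on suomenkielinen teksti avoimista rajapinnoista ja siitä "
          "miten ruotsin twiittejä voidaan analysoida kielentunnistuksen avulla",
    "en": "this is an english text about open apis and how tweets from sweden "
          "can be analysed with the help of language identification",
}
PROFILE_SIZE = 300  # Cavnar & Trenkle keep the top few hundred n-grams


def ngrams(text, n=3):
    """Pad each word with '_' and yield every n-character window of it."""
    for word in re.findall(r"\w+", text.lower()):
        padded = f"_{word}_"
        for i in range(len(padded) - n + 1):
            yield padded[i:i + n]


def profile(text, size=PROFILE_SIZE):
    """A profile is the list of the most frequent trigrams, ordered by rank."""
    counts = Counter(ngrams(text))
    return [gram for gram, _ in counts.most_common(size)]


def out_of_place(doc_profile, lang_profile):
    """Sum of rank differences; a trigram missing from the language profile
    costs the maximum penalty, so unfamiliar text scores far away."""
    rank = {gram: i for i, gram in enumerate(lang_profile)}
    penalty = len(lang_profile)
    return sum(abs(i - rank[g]) if g in rank else penalty
               for i, g in enumerate(doc_profile))


LANG_PROFILES = {lang: profile(text) for lang, text in TRAINING.items()}


def classify(text):
    """Return (closest_language, distance_per_language) for a piece of text."""
    doc = profile(text)
    distances = {lang: out_of_place(doc, p) for lang, p in LANG_PROFILES.items()}
    return min(distances, key=distances.get), distances


if __name__ == "__main__":
    print(classify("hur kan man analysera svenska tweets från sverige"))
```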

Page 17: Open APIs - Risks and Rewards (Øredev 2013)

Some data…

• 6,171,929 accounts analyzed

• < 100 tweets per account analyzed

• 15,410,436 Swedish tweets identified and downloaded

Page 18: Open APIs - Risks and Rewards (Øredev 2013)

600 000

Page 19: Open APIs - Risks and Rewards (Øredev 2013)

46%active

Page 20: Open APIs - Risks and Rewards (Øredev 2013)

17%very active

Page 21: Open APIs - Risks and Rewards (Øredev 2013)

Registrations per month

Page 22: Open APIs - Risks and Rewards (Øredev 2013)

Words in description

Page 23: Open APIs - Risks and Rewards (Øredev 2013)

Force atlas graph

Page 24: Open APIs - Risks and Rewards (Øredev 2013)

Danmark

Sweden

Finland

Page 25: Open APIs - Risks and Rewards (Øredev 2013)

celebs

sport

teens

IT/tech

media & politics

education

Page 26: Open APIs - Risks and Rewards (Øredev 2013)

manga/anime

sports

entertainment

IT/business/media

media & politics

churches

librarians

Page 27: Open APIs - Risks and Rewards (Øredev 2013)

celebs

sport

entertainment

IT/tech

media & politics

Gamers

nationalist

Hiphop

regional clusters

Page 28: Open APIs - Risks and Rewards (Øredev 2013)

THANKS @dreadnallen // Christofer Laurin

Page 29: Open APIs - Risks and Rewards (Øredev 2013)

10.000+ available

Open APIs

‣ Google

‣ Salesforce

‣ Paypal

‣ Amazon

‣ ProgrammableWeb

Page 30: Open APIs - Risks and Rewards (Øredev 2013)

why?

Open APIs

‣ External Innovation

‣ Enable Partnerships

‣ Make Money

‣ Save Money

‣ Marketing

Page 31: Open APIs - Risks and Rewards (Øredev 2013)

Internal APIs

‣ More common than Open APIs

‣ System Architecture

‣ Partnerships

‣ Speed to Market

‣ Mobile Applications

Page 32: Open APIs - Risks and Rewards (Øredev 2013)

more than just http

Package an API

‣ Security concerns

‣ Statistics

‣ Developer Portal

‣ Documentation

‣ Community

‣ Pricing & Legal

Page 33: Open APIs - Risks and Rewards (Øredev 2013)

all but the data

API Management

‣ Security

‣ Developer Portal

‣ Monetization

‣ Statistics

‣ Layer 7, 3scale, Apigee, Mashery...

Page 34: Open APIs - Risks and Rewards (Øredev 2013)

Open APIs - Risks & Rewards

Travis Spencer, Twobo Technologies

Page 35: Open APIs - Risks and Rewards (Øredev 2013)

Agenda

Problem: the risks & security challenges

Solution: the “Neo-security Stack”

Result: a secure platform for data access

Copyright © 2013 Twobo Technologies AB. All rights reserved

Page 36: Open APIs - Risks and Rewards (Øredev 2013)

Threats, Dangers & Challenges


Page 37: Open APIs - Risks and Rewards (Øredev 2013)

Identity is Central to a Solution


Mobile Security

API Security

Enterprise Security

Identity

Venn diagram by Gunnar Peterson

Page 38: Open APIs - Risks and Rewards (Øredev 2013)

SAML / OpenID Connect

SCIM

JSON Identity Suite

OAuth

XACML

Federation

Provisioning

Identity

Delegated Access

Authorization

The Neo-security Stack


Page 39: Open APIs - Risks and Rewards (Øredev 2013)

SAML / OpenID Connect

SCIM

JSON Identity Suite

OAuth

XACML

The Neo-security Stack


Page 40: Open APIs - Risks and Rewards (Øredev 2013)

SAML

SAML: proven technology for identity federation and Web SSO

Profiles, bindings, protocols, assertions & metadata

V. 2.1 in the works


Service Provider (SP)

Identity Provider (IdP)

Page 41: Open APIs - Risks and Rewards (Øredev 2013)

OpenID Connect

New federation protocol that builds on OAuth 2

Adds identity inputs/outputs to OAuth messages

Related to prior OpenID versions in name only

Compact messages for mobile scenarios

RP / client can determine info about end user

Tokens are JWTs

UserInfo endpoint to get user data


Grandpa SAML & junior

Page 42: Open APIs - Risks and Rewards (Øredev 2013)

SCIM

Defines RESTful API to manage users & groups

Specifies core user & group schemas

Supports bulk updates for ingest

Binding for SAML and eventually OpenID Connect


Page 43: Open APIs - Risks and Rewards (Øredev 2013)

OAuth

OAuth 2 is the new protocol of protocols

Composed in useful ways

Addresses old requirements and solves new ones

Delegated access

No password sharing

Revocation of access


Page 44: Open APIs - Risks and Rewards (Øredev 2013)

JSON Identity Protocol Suite

Suite of JSON-based identity protocols

Tokens (JWT) ▪ Encryption (JWE)

Keys (JWK) ▪ Signatures (JWS)

Algorithms (JWA)

Lightweight tokens passed in HTTP headers & query strings

Akin to SAML tokens
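Page 41 notes that OpenID Connect tokens are JWTs, and this slide lists the JWS signature layer they rest on. As an added example that is not from the talk or from Twobo, here is a minimal HS256 JWS signer next to the checks an API must make before trusting a token: pin the algorithm instead of trusting the header, compare the MAC in constant time, and enforce exp and aud. The key and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS serialization: header.payload.signature with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_jwt(token: str, key: bytes, audience: str, now: float = None) -> dict:
    """Return the claims only if signature, alg, exp and aud all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # The header is untrusted input: the verifier decides the algorithm,
    # so "alg": "none" or any other algorithm is rejected before anything else.
    if json.loads(unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("aud") != audience:  # minted for some other API
        raise ValueError("wrong audience")
    return claims


def is_accepted(token: str, key: bytes, audience: str, now: float) -> bool:
    """True when verify_jwt accepts the token; handy for negative checks."""
    try:
        verify_jwt(token, key, audience, now)
        return True
    except ValueError:
        return False


# Constructed demo values (assumption), not from any real deployment
DEMO_KEY = b"constructed-demo-key-change-me"
DEMO_CLAIMS = {"iss": "https://idp.example", "sub": "alice", "aud": "nobel-api", "exp": 2000}
```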


Page 45: Open APIs - Risks and Rewards (Øredev 2013)

The Neo-security Platform

Identity Management

System

API Management

System

Entitlement Management

System


Standards in the platform: SAML / OpenID Connect, SCIM, JSON Identity Suite, OAuth, XACML

Page 46: Open APIs - Risks and Rewards (Øredev 2013)

Building on the Platform


Identity Management

System

API Management

System

Entitlement Management

System

Page 47: Open APIs - Risks and Rewards (Øredev 2013)

Solutions must be “baked”


Page 48: Open APIs - Risks and Rewards (Øredev 2013)

Solutions must be “baked”

Web SSO Account

Management & Provisioning

Authorization Social Media Aggregation

API Security


Page 49: Open APIs - Risks and Rewards (Øredev 2013)

using open apis

Get Started

‣ Use API without authentication

‣ Nobel Prize API

‣ Make request

‣ Parse response

Page 50: Open APIs - Risks and Rewards (Øredev 2013)

using open apis

Get Started

‣ cURL

‣ Postman

‣ Unirest

‣ Java, .NET, Python...

Page 51: Open APIs - Risks and Rewards (Øredev 2013)

publishing open apis

Get Started

‣ Identify source

‣ Design based on external reqs.

‣ Do NOT mimic internal structures

‣ Mashape

‣ Use your own API!

Page 52: Open APIs - Risks and Rewards (Øredev 2013)

publishing open apis

Get Started

Pro

‣ Business case, marketing plan etc

‣ Analyze requirements

‣ What to build & what to buy

‣ Build a community!

Page 53: Open APIs - Risks and Rewards (Øredev 2013)

Thank you

nordicapis.com/oredev2013