open apis - risks and rewards (Øredev 2013)
DESCRIPTION
Introducing Open APIs, the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack, and how Twitter's API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev, 7 November 2013 in Malmö, Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.
TRANSCRIPT
Open APIs - Risks & Rewards
Hampus Brynolf, Andreas Krohn, Travis Spencer
Open APIs - Risks & Rewards
Andreas Krohn, Dopter
Application Programming Interface (API)
API
‣ HTTP Request
‣ Machine readable response
‣ JSON
‣ XML
API
‣ HTTP Methods
‣ GET, POST etc
‣ HTTP Headers
‣ URI
‣ Query Parameters
‣ Body
Open API
‣ “Not closed”
‣ Anyone can use it
‣ Free or paid
https://api.stackexchange.com/2.1/questions?order=desc&sort=activity&tagged=api&site=stackoverflow
Open APIs - Risks & Rewards
Hampus Brynolf, Intellecta
TWITTER IN SWEDEN
Method (flowchart)
1. Get from queue
2. Check language: Finnish? → Block; Not Finnish? → continue
3. Save
4. Add friends and followers
Language analysis
• N-gram-based text categorization
  – Searches for three-letter combinations in words
  – Considered stable
  – Worse results with few tweets
  – http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.53.9367
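As an added example (not code from the talk or from the Twitter analysis it describes), here is a small implementation of the N-gram-based text categorization the slide cites: each language gets a profile of its most frequent word-padded trigrams ranked by frequency, and a tweet is assigned to the language whose profile it is least "out of place" against. The training sentences and the sample tweets are constructed, the language codes sv, fi and en are labels chosen here, and the MIN_GRAMS cut-off is an added guard for the slide's caveat that results get worse with very little text.

```python
# Added example (not from the talk): N-gram language identification in the
# ranked-profile / out-of-place-distance style of the paper the slide cites.
from collections import Counter
import re

N = 3               # "three letter combinations" from the slide
PROFILE_SIZE = 300  # keep the top-ranked n-grams per language; also the miss penalty
MIN_GRAMS = 8       # fewer distinct trigrams than this and the verdict is unreliable

# Constructed training snippets; a real deployment trains on large per-language corpora.
TRAINING = {
    "sv": ("det är en bra dag idag och jag ska gå till jobbet. vi har mycket att göra "
           "men det går bra. jag tycker om att läsa böcker och dricka kaffe på morgonen. "
           "hur mår du idag? det regnar ute och det är kallt."),
    "fi": ("tänään on hyvä päivä ja minä menen töihin. meillä on paljon tekemistä mutta "
           "se menee hyvin. minä pidän kirjojen lukemisesta ja kahvin juomisesta aamulla. "
           "mitä kuuluu tänään? ulkona sataa ja on kylmä."),
    "en": ("today is a good day and i am going to work. we have a lot to do but it is "
           "going well. i like reading books and drinking coffee in the morning. "
           "how are you today? it is raining outside and it is cold."),
}


def trigrams(text):
    """Lowercase, keep letters only (Unicode-aware), pad each word with spaces and
    emit every N-character window, so 'jag' -> ' ja', 'jag', 'ag '."""
    grams = []
    for word in re.findall(r"[^\W\d_]+", text.lower()):
        padded = f" {word} "
        grams.extend(padded[i:i + N] for i in range(len(padded) - N + 1))
    return grams


def build_profile(text, size=PROFILE_SIZE):
    """Rank n-grams by frequency; the profile maps n-gram -> rank (0 = most common)."""
    counts = Counter(trigrams(text))
    return {gram: rank for rank, (gram, _) in enumerate(counts.most_common(size))}


def out_of_place(doc_profile, lang_profile, penalty=PROFILE_SIZE):
    """Sum of rank differences; an n-gram absent from the language profile costs `penalty`."""
    return sum(abs(rank - lang_profile[gram]) if gram in lang_profile else penalty
               for gram, rank in doc_profile.items())


def classify(text, profiles, min_grams=MIN_GRAMS):
    """Return (language, scores); very short texts get 'unknown' instead of a guess."""
    doc = build_profile(text)
    scores = {lang: out_of_place(doc, prof) for lang, prof in profiles.items()}
    if len(doc) < min_grams:
        return "unknown", scores
    return min(scores, key=scores.get), scores


PROFILES = {lang: build_profile(text) for lang, text in TRAINING.items()}

if __name__ == "__main__":
    # Constructed sample tweets
    for tweet in ("jag ska dricka kaffe och läsa en bok",
                  "minä juon kahvia ja luen kirjaa tänään",
                  "i am drinking coffee and reading a book",
                  "ok"):
        print(classify(tweet, PROFILES)[0], "<-", tweet)
```

The profile size doubles as the penalty for a missing trigram, so a language that shares many trigrams with the text wins even when their ranks differ; with profiles trained on a few sentences the margins are small, which is exactly why the slide notes worse results on accounts with few tweets.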
Some data…
• 6,171,929 accounts analyzed
• < 100 tweets per account analyzed
• 15,410,436 Swedish tweets identified and downloaded
Chart: 600 000; 46% active; 17% very active
Registrations per month
Words in description
Force atlas graph (cluster labels): Denmark, Sweden, Finland; celebs, sport, teens, IT/tech, media & politics, education, manga/anime, entertainment, IT/business/media, churches, librarians, gamers, nationalist, hiphop, regional clusters
THANKS @dreadnallen // Christofer Laurin
10,000+ available Open APIs
‣ Salesforce
‣ Paypal
‣ Amazon
‣ ProgrammableWeb
why?
Open APIs
‣ External Innovation
‣ Enable Partnerships
‣ Make Money
‣ Save Money
‣ Marketing
Internal APIs
‣ More common than Open APIs
‣ System Architecture
‣ Partnerships
‣ Speed to Market
‣ Mobile Applications
more than just http
Package an API
‣ Security concerns
‣ Statistics
‣ Developer Portal
‣ Documentation
‣ Community
‣ Pricing & Legal
all but the data
API Management
‣ Security
‣ Developer Portal
‣ Monetization
‣ Statistics
‣ Layer 7, 3scale, Apigee, Mashery...
Open APIs - Risks & Rewards
Travis Spencer, Twobo Technologies
Agenda
Problem: the risks & security challenges
Solution: the “Neo-security Stack”
Result: a secure platform for data access
Copyright © 2013 Twobo Technologies AB. All rights reserved
Threats, Dangers & Challenges
Identity is Central to a Solution
(Venn diagram by Gunnar Peterson: Mobile Security, API Security, Enterprise Security, Identity)
The Neo-security Stack
SAML / OpenID Connect: Federation
SCIM: Provisioning
JSON Identity Suite: Identity
OAuth: Delegated Access
XACML: Authorization
SAML
SAML: proven technology for identity federation and Web SSO
Profiles, bindings, protocols, assertions & metadata
V. 2.1 in the works
(Diagram: Service Provider (SP) and Identity Provider (IdP))
OpenID Connect
New federation protocol that builds on OAuth 2
Adds identity inputs/outputs to OAuth messages
Related to prior OpenID versions in name only
Compact messages for mobile scenarios
RP / client can determine info about end user
Tokens are JWTs
UserInfo endpoint to get user data
Grandpa SAML & junior
SCIM
Defines RESTful API to manage users & groups
Specifies core user & group schemas
Supports bulk updates for ingest
Binding for SAML and eventually OpenID Connect
OAuth
OAuth 2 is the new protocol of protocols
Composed in useful ways
Addresses old requirements and solves new ones
Delegated access
No password sharing
Revocation of access
JSON Identity Protocol Suite
Suite of JSON-based identity protocols
Tokens (JWT) ▪ Encryption (JWE)
Keys (JWK) ▪ Signatures (JWS)
Algorithms (JWA)
Lightweight tokens passed in HTTP headers & query strings
Akin to SAML tokens
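To make the token layer of the stack concrete, an added example (not code from the talk or from Twobo Technologies) that issues a JWT as a compact JWS signed with HS256 and then verifies a bearer token pulled from an HTTP Authorization header, using only the Python standard library. The key, claims and header values are constructed; HS256 is chosen so the block is self-contained, whereas an API gateway would more often verify RS256/ES256 signatures against keys published as JWK. The checks a verifier must not skip are pinned in code: the algorithm is fixed rather than read from the token, the signature is compared in constant time, and exp/nbf are enforced.

```python
# Added example (not from the talk): issue and verify an HS256-signed JWT (compact JWS)
# carried as a bearer token, with the checks an API's token verifier must perform.
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALG = "HS256"  # pinned on the verifier side; the token header never chooses it

# Constructed demo key (HS256 keys should be at least 256 bits; this one is 36 bytes).
DEMO_KEY = b"constructed-demo-hmac-key-32-bytes!!"


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Issue header.payload.signature with HMAC-SHA256 over the ASCII signing input."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, key, now=None):
    """Check structure, algorithm, signature and time claims; return the claims dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:  # ValueError covers binascii.Error, non-ASCII input and bad JSON/UTF-8
        header = json.loads(b64url_decode(header_b64))
        payload_raw = b64url_decode(payload_b64)
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("undecodable token") from exc
    # Reject alg "none" and any algorithm other than the one this verifier expects.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    try:  # only parse claims after the signature has been verified
        claims = json.loads(payload_raw)
    except ValueError as exc:
        raise TokenError("undecodable claims") from exc
    if not isinstance(claims, dict):
        raise TokenError("claims are not an object")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("not yet valid")
    return claims


def authorize_request(headers, key, now=None):
    """Extract the bearer token from request headers and verify it.
    Returns (True, claims) or (False, reason) so callers never see a raw exception."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "missing bearer token"
    try:
        return True, verify_jwt(token, key, now)
    except TokenError as exc:
        return False, str(exc)


if __name__ == "__main__":
    tok = sign_jwt({"sub": "alice", "scope": "read", "exp": 2000}, DEMO_KEY)
    print(authorize_request({"Authorization": "Bearer " + tok}, DEMO_KEY, now=1000))
    print(authorize_request({"Authorization": "Bearer " + tok}, DEMO_KEY, now=2000))
```

Because the claims are only parsed after the signature check, a tampered payload is rejected without its contents ever being interpreted, and pinning ALLOWED_ALG means a token whose header says "none" or names a different algorithm fails before any cryptographic comparison.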
The Neo-security Platform
(Diagram: Identity Management System, API Management System, Entitlement Management System; stack labels SAML / OpenID Connect, SCIM, JSON Identity Suite, OAuth, XACML)
Building on the Platform
(Diagram: Identity Management System, API Management System, Entitlement Management System)
Solutions must be "baked"
Web SSO
Account Management & Provisioning
Authorization
Social Media Aggregation
API Security
using open apis
Get Started
‣ Use API without authentication
‣ Nobel Prize API
‣ Make request
‣ Parse response
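An added example (not code from the talk) for the steps above: build the request URL, fetch it over HTTPS, and parse the JSON response while treating it as untrusted input. The slide names the Nobel Prize API; the sample body here is constructed and its field names (prizes, laureates, firstname, surname) are an assumption rather than taken from that API's documentation, and fake_opener stands in for a live HTTP call so the block runs offline.

```python
# Added example (not from the talk): calling an open API without authentication and
# parsing its JSON response defensively. Uses only the Python standard library.
import json
import urllib.parse
import urllib.request

MAX_BODY_BYTES = 1_000_000  # cap what we are willing to buffer from a remote service


def build_url(base, params):
    """Attach query parameters with proper URL encoding; never string-concatenate input."""
    return base + "?" + urllib.parse.urlencode(params)


def validate_response(status, content_type, body):
    """Return (True, parsed_json) or (False, reason); every check is on untrusted input."""
    if status != 200:
        return False, f"unexpected status {status}"
    if content_type.split(";")[0].strip().lower() != "application/json":
        return False, f"unexpected content type {content_type!r}"
    if len(body) > MAX_BODY_BYTES:
        return False, "response too large"
    try:  # UnicodeDecodeError and JSONDecodeError are both ValueError
        data = json.loads(body.decode("utf-8"))
    except ValueError as exc:
        return False, f"body is not valid JSON: {exc}"
    if not isinstance(data, dict):
        return False, "top-level JSON value is not an object"
    return True, data


def fetch_json(url, timeout=10, opener=urllib.request.urlopen):
    """Fetch over HTTPS only, with a timeout and a read cap; `opener` is injectable."""
    if urllib.parse.urlsplit(url).scheme != "https":
        return False, "refusing non-HTTPS URL"
    with opener(url, timeout=timeout) as resp:
        body = resp.read(MAX_BODY_BYTES + 1)  # one extra byte reveals oversize bodies
        return validate_response(resp.status, resp.headers.get("Content-Type", ""), body)


def laureate_names(data):
    """Walk prizes -> laureates -> firstname/surname (assumed layout), skipping
    malformed entries instead of crashing on them."""
    names = []
    for prize in data.get("prizes", []):
        if not isinstance(prize, dict):
            continue
        for laureate in prize.get("laureates", []):
            if isinstance(laureate, dict) and laureate.get("firstname"):
                names.append(" ".join(filter(None, (laureate.get("firstname"),
                                                    laureate.get("surname")))))
    return names


# Constructed stand-in for a live response; the shape is an assumption, not the API's schema.
SAMPLE_BODY = json.dumps({
    "prizes": [
        {"year": "2013", "category": "physics", "laureates": [
            {"id": "1", "firstname": "Ada", "surname": "Example"},
            {"id": "2", "firstname": "Example Committee"},   # organisation, no surname
            "not-a-laureate",                                 # malformed entry, skipped
        ]},
        "not-a-prize",                                        # malformed entry, skipped
    ]
}).encode("utf-8")


class FakeResponse:
    """Mimics the parts of urllib's HTTPResponse that fetch_json touches."""
    def __init__(self, status, headers, body):
        self.status, self.headers, self._body = status, headers, body

    def read(self, n=-1):
        return self._body if n < 0 else self._body[:n]

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(url, timeout=None):
    return FakeResponse(200, {"Content-Type": "application/json; charset=utf-8"}, SAMPLE_BODY)


if __name__ == "__main__":
    url = build_url("https://api.example.invalid/v1/prize.json", {"year": "2013"})  # placeholder host
    ok, data = fetch_json(url, opener=fake_opener)
    print(ok, laureate_names(data) if ok else data)
```

Swap fake_opener for the default urllib opener to hit a real endpoint; the validation path stays the same, which is the point: an open API needs no credentials from you, but its output still crosses a trust boundary into your code.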
using open apis
Get Started
‣ cURL
‣ Postman
‣ Unirest
‣ Java, .NET, Python...
publishing open apis
Get Started
‣ Identify source
‣ Design based on external requirements
‣ Do NOT mimic internal structures
‣ Mashape
‣ Use your own API!
publishing open apis
Get Started
Pro
‣ Business case, marketing plan etc
‣ Analyze requirements
‣ What to build & what to buy
‣ Build a community!
Thank you
nordicapis.com/oredev2013