open apis: security for mobile and the cloud
DESCRIPTION
A look at what’s driving new Internet-facing organizations to open up information through APIs and the implications for application security.TRANSCRIPT
Open APIs: Security for Mobile and the Cloud
Caleb Sima
EIR, Andreessen Horowitz
February 27, 2012
My Perspective
Entrepreneur in Residence, Andreessen Horowitz
CEO Armorize Technologies
CTO Application Security HP
CTO & Co-Founder of SPI Dynamics
Internet Security Systems
API Growth: The VC Perspective
What’s Driving API Growth?
APIs are often driven
by business interests
instead of by IT
The Emergence of Legacy Systems on the Internet
Introduces new
risk profiles
Four Major Issues
Credentials and Authentication
Access Control and Authorization
Validation of Inputs
Misconfiguration
Overly Granular Application API
Insecure
More secure
Normal WebApp: One Request - One API
Post to Register.aspx with the the
following data:
Email=csima%40a16z.com&User
Name=csima&Password=reallyha
rdpassword&ConfirmPassword=re
allyhardpassword&Captcha=hatm
als
With Ajax multiple requests = Multiple Inputs = Bigger
Attack Surface
ValidateEmail([email protected])
CheckUsername(csima)
Final Submission of all data to server
*Demo Search
CheckCaptcha(hatmals)
Exposed Administrative API
Malicious use
Intended use
What is wrong with this code?
Real world application using Microsoft’s framework
A Best Practice—Decouple Security from App
Separation of concerns
between developer and
security admin
February 2012
For further information: