February 23–26, 2020
Please log in
Please log in

Building a security layer around your RESTful APIs

James Wallace (EBSCO LearningExpress)
2:15pm3:05pm Wednesday, February 26, 2020
Location: Grand Ballroom West
Secondary topics:  Best Practice
Average rating: **...
(2.38, 8 ratings)

Who is this presentation for?

  • Developers, architects, and technology managers

Level

Intermediate

Description

Modern architectures are distributed and built on a layer of services. They expose data that’s very valuable to its owner and to potential bad actors. The services can expose sensitive transactional data. However, we often “secure” these services using an API key or security through obscurity. Scary as that may sound, there are solutions that can secure these services.

When designing a security solution, you must ask four key questions:

  • Are the requests coming from an authorized client?
  • Are the requests valid and unmodified?
  • Are you protecting against replay attacks?
  • Does the solution work for authenticated and nonauthenticated users?

A success solution will answer yes to all four.

Many clients request services through JavaScript code in a browser. JavaScript by definition is exposed to the browser and thus anyone can read, copy, and execute the code. The security discussed here cannot expose its algorithm or secrets in the code. Many organizations use API keys to secure their services. This isn’t security; it’s no more secure than a padlock with a key that can be copied and distributed. There are several other solutions to the problem including time-based one-time passwords (TOTPs) and JSON web tokens (JWTs) with signature service.

James Wallace digs into the what and how of securing RESTful API requests. You’ll learn the four things that must be secure and explore several solutions to this security problem.

Prerequisite knowledge

  • A working knowledge of APIs and REST
  • A basic understanding of what a hash is

What you'll learn

  • Learn strategies for securing API requests and the theories behind them
Photo of James Wallace

James Wallace

EBSCO LearningExpress

James Wallace is the director of software development at EBSCO LearningExpress, where he’s both the senior architect for the company and the manager of the development team. James is a skilled, multifaceted, and pragmatic hands-on software engineering manager with 24 years of broad experience in building enterprise applications and architectures across multiple platforms and technologies.

  • IBM
  • LaunchDarkly
  • LightStep
  • Red Hat
  • ThoughtWorks
  • Auth0
  • Check Point Software
  • Contentful
  • Contrast Security
  • Datadog
  • Diamanti
  • Octobot.io
  • Optimizely
  • Perforce
  • Robin.io
  • SmartBear
  • Tidelift
  • WhiteSource
  • Synopsys
  • AxonIQ
  • Codefresh
  • CodeStream
  • Hello2morrow
  • LogRocket
  • Rookout
  • Solo.io
  • CNN
  • Boundless Notions, LLC

Contact us

confreg@oreilly.com

For conference registration information and customer service

partners@oreilly.com

For more information on community discounts and trade opportunities with O’Reilly conferences

Become a sponsor

For information on exhibiting or sponsoring a conference

pr@oreilly.com

For media/analyst press inquires