
APIsec U
August 1, 2024

Building a Defensible Architecture for APIs: Key Considerations

In today's discussion, we'll delve into the concept of defensible architecture for APIs, focusing on how to create robust and secure systems. As the Principal Architect for Cybersecurity at Albertsons, Jon King deals with a vast and diverse environment where APIs play a crucial role. Let’s explore the essential elements and best practices for constructing a defensible API architecture.

Setting the Context: What We’re Not Covering

Firstly, it’s important to clarify what we won't be discussing. This presentation isn't legal advice, and topics like hack back or strike back strategies, cyber deception, or active defense methods such as tripwires and venom are outside our scope. For those interested in legal aspects, such as the pending HR 3270, consulting your corporate counsel is advisable.

Understanding Architecture: Beyond Complex Diagrams

A common misconception is that architecture equates to complex diagrams. However, effective architecture should be comprehensible and actionable for the entire team, from architects to engineers and developers. It's crucial that the architecture is not just visually impressive but also practical and implementable. Referencing the DoD’s and NIST’s zero trust reference architectures can provide valuable insights, though they can be quite dense.

Patterns and Simplicity

Effective architecture relies on straightforward patterns and diagrams. The goal is to ensure that engineers can easily understand and implement these patterns. The best architecture is one that your team can grasp and utilize, rather than one that just looks good on paper.

Core Elements: Authentication, Authorization, and Encryption

Some of the hardest elements to get right in any API environment are authentication, authorization, and encryption. These are complex and heavily reliant on sophisticated mathematics. Missteps in these areas can lead to severe consequences. Utilizing open standards for token-based authentication (OAuth 2.0, OIDC) and leveraging technologies like mTLS and certificate-based authentication can significantly enhance security.

Cloud Native Approach and Good Hygiene

Transitioning to cloud environments requires a shift from traditional data center approaches. Good hygiene is foundational to defensible architecture. Policies should be applied across entire projects or subscriptions, reducing the risk of human error and ensuring consistent security practices. Embracing cloud-native technologies and policies helps prevent common pitfalls.

Disrupting Attackers’ ROI

Understanding attackers' motivations is key. They invest resources expecting a return, so our goal should be to disrupt their ROI. By making it expensive for them to target us and serving them misleading or resource-intensive content, we can deter attacks. Integration across the entire stack is crucial to implement these strategies effectively.

Access Control Models

Effective access control involves a combination of role-based, attribute-based, and relationship-based models. These should be integrated into the API architecture to ensure that only authorized actions are permitted. Implementing these controls in a way that complements your specific environment is vital.
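One way to make the combination concrete: a single authorization decision for an API call that must pass a role check, an attribute check, and a relationship check in turn. This is an added example, not code from the talk; the roles, attributes, order model and `authorize` function are constructed for illustration.

```python
# Added example (not from the talk): one API authorization decision that layers
# role-based, attribute-based and relationship-based checks. Every data
# structure and name here is constructed for illustration.
from dataclasses import dataclass, field

ROLE_ACTIONS = {  # RBAC: which actions a role may attempt at all
    "viewer": {"order:read"},
    "manager": {"order:read", "order:update", "order:refund"},
}

@dataclass
class Principal:
    user_id: str
    roles: set
    region: str
    mfa: bool = False  # context attribute carried by the session

@dataclass
class Order:
    order_id: str
    owner_id: str
    region: str
    team: set = field(default_factory=set)  # users related to this order

def authorize(p: Principal, action: str, order: Order):
    """Return (allowed, reason). Deny unless every layer agrees."""
    # Layer 1, RBAC: some role of the caller must grant the action.
    if not any(action in ROLE_ACTIONS.get(r, set()) for r in p.roles):
        return False, "rbac: no role grants " + action
    # Layer 2, ABAC: attributes of subject, resource and request context.
    if p.region != order.region:
        return False, "abac: cross-region access"
    if action == "order:refund" and not p.mfa:
        return False, "abac: refund requires an MFA session"
    # Layer 3, ReBAC: the caller must have a relationship to this object.
    if p.user_id != order.owner_id and p.user_id not in order.team:
        return False, "rebac: no relationship to order"
    return True, "allow"
```

Each layer only narrows what the previous one permitted, so a role that grants `order:refund` still cannot refund an order it has no relationship to.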

Addressing Technical Debt

Technical debt can hinder the advancement of security measures. Recognizing and addressing technical debt is crucial. Developing a strong inventory of APIs and maintaining good practices can prevent the accumulation of technical debt and the challenges it brings.

Design for Malice

Designing with potential threats in mind involves segregating authenticated and unauthenticated traffic and ensuring robust rate limiting and monitoring. Understanding what unauthorized access or data leakage looks like and establishing baselines for normal traffic are essential steps.
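As an added illustration (not code from the talk) of keeping authenticated and unauthenticated traffic apart, the limiter below keys anonymous calls by source IP with a small token budget and authenticated calls by verified subject with a larger one; the tier sizes, class names and sample request stream are constructed.

```python
# Added example (not from the talk): a token-bucket limiter that segregates
# unauthenticated and authenticated API traffic into separate budgets.
# Tier sizes, names and the sample request stream are constructed.
import time

TIERS = {  # constructed policy: anonymous callers get a much smaller budget
    "anon": {"capacity": 5, "refill_per_s": 1.0},
    "auth": {"capacity": 50, "refill_per_s": 10.0},
}

class TieredLimiter:
    def __init__(self, tiers=TIERS, clock=time.monotonic):
        self.tiers, self.clock = tiers, clock
        self.buckets = {}  # (tier, key) -> (tokens, last_refill_time)

    def _key(self, req):
        # Segregate: a verified subject identifies the caller; otherwise the IP.
        sub = req.get("subject")
        return ("auth", sub) if sub else ("anon", req["ip"])

    def allow(self, req):
        """Return (allowed, tier); one token is spent per allowed request."""
        tier, key = self._key(req)
        cfg, now = self.tiers[tier], self.clock()
        tokens, last = self.buckets.get((tier, key), (cfg["capacity"], now))
        tokens = min(cfg["capacity"], tokens + (now - last) * cfg["refill_per_s"])
        if tokens < 1:
            self.buckets[(tier, key)] = (tokens, now)
            return False, tier
        self.buckets[(tier, key)] = (tokens - 1, now)
        return True, tier

def replay(limiter, requests):
    """Count [allowed, denied] per tier over a request stream (a crude baseline)."""
    stats = {"anon": [0, 0], "auth": [0, 0]}
    for r in requests:
        ok, tier = limiter.allow(r)
        stats[tier][0 if ok else 1] += 1
    return stats

# Constructed sample: 8 anonymous hits from one IP, then 8 authenticated hits
# from one subject behind the same IP, all within the same instant.
SAMPLE = [{"ip": "198.51.100.7"}] * 8 + \
         [{"ip": "198.51.100.7", "subject": "svc-orders"}] * 8
```

Because the two tiers never share a bucket, a burst of anonymous traffic is throttled without touching the budget of an authenticated caller on the same address.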

Developer Experience

A defensible architecture should facilitate the developer experience by making it easier to identify, prioritize, and fix vulnerabilities. Clear communication and tools for developers to address security issues are fundamental to maintaining a secure environment.

Conclusion

In summary, building a defensible architecture for APIs involves simplicity, good hygiene, understanding attacker motivations, robust access control, managing technical debt, and ensuring a positive developer experience. By focusing on these aspects, we can create a secure and resilient API ecosystem.

Watch Jon King's full session from APISEC|CON.