This set of Learning Paths is here to familiarize API developers with Apigee's Platform and how it can be leveraged to secure your apps and APIs.

It's important for app developers and API providers to understand how to protect users, apps and APIs from abuse and how to deal with malicious attacks when they happen. For insight, read User Experience, Data Quality and How to Deal with Mistakes written by Kumar Srivastava.

Kumar also wrote Security and Privacy in the App Economy that highlights the growing concern around end user privacy.


Securing APIs with SSL

Follow this learning path to get an understanding of some of the common protections you should set up to prevent malicious attacks on your API traffic.

  • Review the Wikipedia definition of SSL
  • Review this article written by Elvin Cheng An Introduction to Mutual SSL
    • Protect against MITM (man-in-the-middle) attacks
    • Prevent "end run attacks" against backend services (which bypass 1st-mile security)
    • Prevent spoofing and encrypt the channel

Apigee FAQ around OAuth

Follow this link to get Apigee's perspective on OAuth, based on the questions our customers ask most frequently.


Securing Apps with OAuth

This learning path will show you how to use OAuth to set up app authentication and control access to your APIs.

  • Understand OAuth 1.0 by reading the specification
  • Understand OAuth 2.0 by reading the specification
  • Get a better understanding of how OAuth 2.0 is used by reading the blog posts by Greg Brail (Apigee's CTO) on "Implementing OAuth 2.0" and "Securing APIs with OAuth 2.0: Auth Code"
  • Ensure that apps are authenticated and authorized to consume the requested API resources and that they do not exceed the permissions granted by users. Read "Securing APIs with API keys" and another Greg Brail blog post titled "Is OAuth worth the effort?".
  • Review the Apigee OAuth documentation. It includes ways to:
    • Authenticate and authorize apps to consume specified API resources
    • Ensure apps do not compromise the permissions defined by users
    • Protect against "end run attacks" against back-end services (which bypass 1st-mile security)
    • Prevent developers from bringing down an API with malformed or malicious messages and content in requests