| 000 | 00000cam u2200205 a 4500 | |
| 001 | 000046152756 | |
| 005 | 20250818153438 | |
| 008 | 230630t20202020nyua 001 0 eng d | |
| 010 | ▼a 2021288301 | |
| 015 | ▼a GBC107390 ▼2 bnb | |
| 020 | ▼a 9781617296024 ▼q (pbk.) | |
| 020 | ▼a 1617296023 | |
| 035 | ▼a (KERIS)REF000019943263 | |
| 040 | ▼a UKMGB ▼b eng ▼c UKMGB ▼e rda ▼d OCLCO ▼d JRZ ▼d BDX ▼d OCLCF ▼d DLC ▼d 211009 | |
| 042 | ▼a lccopycat | |
| 050 | 0 0 | ▼a QA76.76.A65 ▼b M317 2020 |
| 082 | 0 4 | ▼a 005.437 ▼2 23 |
| 084 | ▼a 005.437 ▼2 DDCK | |
| 090 | ▼a 005.437 ▼b M179a | |
| 100 | 1 | ▼a Madden, Neil ▼0 AUTH(211009)172407. |
| 245 | 1 0 | ▼a API security in action / ▼c Neil Madden. |
| 260 | ▼a Shelter Island : ▼b Manning Publications, ▼c 2020. | |
| 264 | 1 | ▼a Shelter Island : ▼b Manning Publications, ▼c [2020] |
| 264 | 4 | ▼c ©2020 |
| 300 | ▼a xx, 553 p. : ▼b ill. ; ▼c 24 cm. | |
| 336 | ▼a text ▼2 rdacontent | |
| 337 | ▼a unmediated ▼2 rdamedia | |
| 338 | ▼a volume ▼2 rdacarrier | |
| 500 | ▼a Includes index. | |
| 505 | 0 | ▼a Part 1. Foundations. 1. What is API security? -- 2. Secure API development -- 3. Securing the Natter API -- Part 2. Token-based authentication. 4. Session cookie authentication -- 5. Modern token-based authentication -- 6. Self-contained tokens and JWTs -- Part 3. Authorization. 7. OAuth2 and OpenID connect -- 8. Identity-based access control -- 9. Capability-based security and macaroons -- Part 4. Microservice APIs in Kubernetes. 10. Microservice APIs in Kubernetes -- 11. Securing service-to-service APIs -- Part 5. APIs for the Internet of Things. 12. Securing IoT communications -- 13. Securing IoT APIs. |
| 520 | ▼a APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs, including microservices and cloud-native applications, demand a comprehensive, multi-layered approach to security for both private and public-facing APIs. "API security in action" teaches you how to create secure APIs for any situation. By following this hands-on guide you'll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you're done, you'll be able to create APIs that stand up to complex threat models and hostile environments. | |
| 650 | 0 | ▼a Application program interfaces (Computer software). |
| 650 | 0 | ▼a Computer security. |
| 650 | 0 | ▼a Java (Computer program language). |
| 945 | ▼a ITMT |
Holdings
| No. | Location | Call number | Accession number | Status | Due date | Reservation | Services |
|---|---|---|---|---|---|---|---|
| 1 | Science Library / Sci-Info (2nd floor stacks) | 005.437 M179a | 121263481 (loaned 1 time) | Available | | | |
Contents
Book description
Summary
A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you'll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs, including microservices and cloud-native applications, demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.

About the book
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you'll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you're done, you'll be able to create APIs that stand up to complex threat models and hostile environments.

What's inside
Authentication
Authorization
Audit logging
Rate limiting
Encryption

About the reader
For developers with experience building RESTful APIs. Examples are in Java.

About the author
Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.
Table of contents
Preface xi
Acknowledgments xiii
About this book xv
About the author xix
About the cover illustration xx

Part 1 Foundations 1
1 What is API security? 3
1.1 An analogy: Taking your driving test 4
1.2 What is an API? 6
  API styles 7
1.3 API security in context 8
  A typical API deployment 10
1.4 Elements of API security 12
  Assets 13
  Security goals 14
  Environments and threat models 16
1.5 Security mechanisms 19
  Encryption 20
  Identification and authentication 21
  Access control and authorization 22
  Audit logging 23
  Rate-limiting 24
2 Secure API development 27
2.1 The Natter API 27
  Overview of the Natter API 28
  Implementation overview 29
  Setting up the project 30
  Initializing the database 32
2.2 Developing the REST API 34
  Creating a new space 34
2.3 Wiring up the REST endpoints 36
  Trying it out 38
2.4 Injection attacks 39
  Preventing injection attacks 43
  Mitigating SQL injection with permissions 45
2.5 Input validation 47
2.6 Producing safe output 53
  Exploiting XSS Attacks 54
  Preventing XSS 57
  Implementing the protections 58
3 Securing the Natter API 62
3.1 Addressing threats with security controls 63
3.2 Rate-limiting for availability 64
  Rate-limiting with Guava 66
3.3 Authentication to prevent spoofing 70
  HTTP Basic authentication 71
  Secure password storage with Scrypt 72
  Creating the password database 72
  Registering users in the Natter API 74
  Authenticating users 75
3.4 Using encryption to keep data private 78
  Enabling HTTPS 80
  Strict transport security 82
3.5 Audit logging for accountability 82
3.6 Access control 87
  Enforcing authentication 89
  Access control lists 90
  Enforcing access control in Natter 92
  Adding new members to a Natter space 94
  Avoiding privilege escalation attacks 95

Part 2 Token-based authentication 99
4 Session cookie authentication 101
4.1 Authentication in web browsers 102
  Calling the Natter API from JavaScript 102
  Intercepting form submission 104
  Serving the HTML from the same origin 105
  Drawbacks of HTTP authentication 108
4.2 Token-based authentication 109
  A token store abstraction 111
  Implementing token-based login 112
4.3 Session cookies 115
  Avoiding session fixation attacks 119
  Cookie security attributes 121
  Validating session cookies 123
4.4 Preventing Cross-Site Request Forgery attacks 125
  SameSite cookies 127
  Hash-based double-submit cookies 129
  Double-submit cookies for the Natter API 133
4.5 Building the Natter login UI 138
  Calling the login API from JavaScript 140
4.6 Implementing logout 143
5 Modern token-based authentication 146
5.1 Allowing cross-domain requests with CORS 147
  Preflight requests 148
  CORS headers 150
  Adding CORS headers to the Natter API 151
5.2 Tokens without cookies 154
  Storing token state in a database 155
  The Bearer authentication scheme 160
  Deleting expired tokens 162
  Storing tokens in Web Storage 163
  Updating the CORS filter 166
  XSS attacks on Web Storage 167
5.3 Hardening database token storage 170
  Hashing database tokens 170
  Authenticating tokens with HMAC 172
  Protecting sensitive attributes 177
6 Self-contained tokens and JWTs 181
6.1 Storing token state on the client 182
  Protecting JSON tokens with HMAC 183
6.2 JSON Web Tokens 185
  The standard JWT claims 187
  The JOSE header 188
  Generating standard JWTs 190
  Validating a signed JWT 193
6.3 Encrypting sensitive attributes 195
  Authenticated encryption 197
  Authenticated encryption with NaCl 198
  Encrypted JWTs 200
  Using a JWT library 203
6.4 Using types for secure API design 206
6.5 Handling token revocation 209
  Implementing hybrid tokens 210

Part 3 Authorization 215
7 OAuth2 and OpenID Connect 217
7.1 Scoped tokens 218
  Adding scoped tokens to Natter 220
  The difference between scopes and permissions 223
7.2 Introducing OAuth2 226
  Types of clients 227
  Authorization grants 228
  Discovering OAuth2 endpoints 229
7.3 The Authorization Code grant 230
  Redirect URIs for different types of clients 235
  Hardening code exchange with PKCE 236
  Refresh tokens 237
7.4 Validating an access token 239
  Token introspection 239
  Securing the HTTPS client configuration 245
  Token revocation 248
  JWT access tokens 249
  Encrypted JWT access tokens 256
  Letting the AS decrypt the tokens 258
7.5 Single sign-on 258
7.6 OpenID Connect 260
  ID tokens 260
  Hardening OIDC 263
  Passing an ID token to an API 264
8 Identity-based access control 267
8.1 Users and groups 268
  LDAP groups 271
8.2 Role-based access control 274
  Mapping roles to permissions 276
  Static roles 277
  Determining user roles 279
  Dynamic roles 280
8.3 Attribute-based access control 282
  Combining decisions 284
  Implementing ABAC decisions 285
  Policy agents and API gateways 289
  Distributed policy enforcement and XACML 290
  Best practices for ABAC 291
9 Capability-based security and macaroons 294
9.1 Capability-based security 295
9.2 Capabilities and REST 297
  Capabilities as URIs 299
  Using capability URIs in the Natter API 303
  HATEOAS 308
  Capability URIs for browser-based clients 311
  Combining capabilities with identity 314
  Hardening capability URIs 315
9.3 Macaroons: Tokens with caveats 319
  Contextual caveats 321
  A macaroon token store 322
  First-party caveats 325
  Third-party caveats 328

Part 4 Microservice APIs in Kubernetes 333
10 Microservice APIs in Kubernetes 335
10.1 Microservice APIs on Kubernetes 336
10.2 Deploying Natter on Kubernetes 339
  Building H2 database as a Docker container 341
  Deploying the database to Kubernetes 345
  Building the Natter API as a Docker container 349
  The link-preview microservice 353
  Deploying the new microservice 355
  Calling the link-preview microservice 357
  Preventing SSRF attacks 361
  DNS rebinding attacks 366
10.3 Securing microservice communications 368
  Securing communications with TLS 368
  Using a service mesh for TLS 370
  Locking down network connections 375
10.4 Securing incoming requests 377
11 Securing service-to-service APIs 383
11.1 API keys and JWT bearer authentication 384
11.2 The OAuth2 client credentials grant 385
  Service accounts 387
11.3 The JWT bearer grant for OAuth2 389
  Client authentication 391
  Generating the JWT 393
  Service account authentication 395
11.4 Mutual TLS authentication 396
  How TLS certificate authentication works 397
  Client certificate authentication 399
  Verifying client identity 402
  Using a service mesh 406
  Mutual TLS with OAuth2 409
  Certificate-bound access tokens 410
11.5 Managing service credentials 415
  Kubernetes secrets 415
  Key and secret management services 420
  Avoiding long-lived secrets on disk 423
  Key derivation 425
11.6 Service API calls in response to user requests 428
  The phantom token pattern 429
  OAuth2 token exchange 431

Part 5 APIs for the Internet of Things 437
12 Securing IoT communications 439
12.1 Transport layer security 440
  Datagram TLS 441
  Cipher suites for constrained devices 452
12.2 Pre-shared keys 458
  Implementing a PSK server 460
  The PSK client 462
  Supporting raw PSK cipher suites 463
  PSK with forward secrecy 465
12.3 End-to-end security 467
  COSE 468
  Alternatives to COSE 472
  Misuse-resistant authenticated encryption 475
12.4 Key distribution and management 479
  One-off key provisioning 480
  Key distribution servers 481
  Ratcheting for forward secrecy 482
  Post-compromise security 484
13 Securing IoT APIs 488
13.1 Authenticating devices 489
  Identifying devices 489
  Device certificates 492
  Authenticating at the transport layer 492
13.2 End-to-end authentication 496
  OSCORE 499
  Avoiding replay in REST APIs 506
13.3 OAuth2 for constrained environments 511
  The device authorization grant 512
  ACE-OAuth 517
13.4 Offline access control 518
  Offline user authentication 518
  Offline authorization 520

Appendix A Setting up Java and Maven 523
Appendix B Setting up Kubernetes 532
Index 535
