Tag Archives: Security API

Nessus Security Scans Using the SoftLayer API


via Nessus Security Scans Using the SoftLayer API | SoftLayer Development Network.

SoftLayer offers free vulnerability scans with all servers. When utilized through the customer portal, it will run a scan on the primary IP for the given server. Because vulnerabilities and misconfiguration are a fact of life in server administration, SoftLayer recommends running scans regularly to keep you up-to-date on security risks that may impact your server.

Automating regular vulnerability scans can become effortless when using the SoftLayer API.

Chat Security: User Identification with Digital Signature Message Verification


via Chat Security: User Identification w/ Digital Signature Message Verification – PubNub.

The requirement of message security and sender verification is pretty obvious when it comes to chat. With email SMTP, digital signing as proof of sender is included. But what about for mobile and web chat applications? How can we ensure that a user is identified and authorized?

In this tutorial, we’ll show you how to build chat user identification using digital signature message verification.

You can identify the sender by creating a Unique ID as well as a Name attached to the message payload of the chat conversation. This is similar to IRC strategies but a bit more simplistic.

Video: The Nuts and Bolts of API Security: Protecting Your Data at All Times


Twobo Technologies. Nordic APIs World Tour 2015: May 11 – Copenhagen. Travis Spencer argues that API keys are insufficient for implementing proper API security and identity management. This talk delves into OAuth and OpenID Connect, with the goal to create a holistic approach to API and enterprise security that keeps all systems safe through a multi-faceted approach to identity control.

This talk specifically covers:
– The risks of relying solely on API keys
– Fundamental introduction to OAuth as an identity delegation protocol
– The actors involved in an OAuth process
– Step-by-step processes involved in the common web server OAuth flow (validating tokens, returning data, etc.)
– Overview of scopes, permissions and delegations.
– Kinds of tokens (Access Tokens, Refresh Tokens)
– Profiles of tokens (Bearer, Holder of Key)
– Overview on types of tokens (WS-Security, SAML, JWT)
– Using OpenID Connect as a federation protocol
– Step-by-step OpenID Connect flow example
– and more

Video: Integrating API Security Into A Comprehensive Identity Platform


Pam Dingle – Ping Identity. Nordic APIs World Tour 2015: May 11 – Copenhagen. OAuth 2.0 and OAuth-based protocols are considered best practice in API Security – but what would those protocols look like as part of an overall Identity strategy? Pamela Dingle talks about the value proposition and best practices around integrating a standards-based API Security framework into an overall identity infrastructure initiative.

For thought-provoking pieces on everything APIs, check out the Nordic APIs blog: http://nordicapis.com/blog/

The theme for the Nordic APIs World Tour was the API Lifecycle. Read these Nordic APIs articles for more information on managing an API’s entire Lifecycle:

http://nordicapis.com/envisioning-the…
http://nordicapis.com/api-lifecycle-a…
http://nordicapis.com/api-lifecycle-d…
http://nordicapis.com/api-lifecycle-o…
http://nordicapis.com/api-lifecycle-r…

Java EE Security API (JSR 375) Update


via Java EE Security API (JSR 375) Update (The Aquarium).

From the current set of Java EE 8 JSRs, ‘Java EE Security API’ (JSR 375) is the latest one as it was only approved in December last year. It was started later than the other JSRs. Nevertheless, the EG is now very active (+200 messages just for last month!).

Obviously, this effort needs a strong focus as ‘Security’ can mean a lot of things. And depending on whom you ask, you will highly likely have different views. So the EG is currently busy filtering and consolidating ideas. In addition, one thing that is clear is that having a common ground for discussions is really needed. So the EG is also working on defining a security API terminology; i.e. a common vocabulary to enable concise and accurate communication amongst the EG and the community (see here). This may sound obvious but it’s not; e.g. what’s the difference between a user store and a user realm?

Video: Firebase Security API Overview Screencast


This screencast is an overview of how to use the new authentication and security APIs available in Firebase!

The Firebase Security API consists of two pieces: Authentication and Security Rules.

Authentication tells Firebase who a user is. Firebase gives you full control over authenticating your users and provides a number of ways of doing so. You can generate auth tokens on your own servers, authenticate using the built-in Firebase Simple Login service (which provides Email/Password, Facebook, Twitter, GitHub, and Persona login), or authenticate using third-party services like Singly. Firebase enforces SSL on all connections, so you will never have to send your credentials in the open.

Security Rules tell Firebase what operations should be permitted for a specific user. You upload these rules when you deploy your app, and Firebase enforces them consistently whenever data is accessed. The rules language is extremely flexible and allows you to read data from Firebase, view incoming data, access auth credentials, and more, directly from simple JavaScript-like expressions.