4.4 API's: Access, Request and Response

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

12 hours 48 minutes
Video Transcription
All right, let's get started with a P I's application programming interfaces. Now, for those of you that have set through the C I S S P exam or for those of you that don't have a ton of security background one of the most foundational principles of security is isolation.
Keep your trusted resource is away from untrusted entities.
As a matter of fact, if you've set through C I S S P training, one of the things that we study is a model called Clark Wilson, the Clark Wilson security model. And it's just a theory about security. But what Clark Wilson essentially says is, keep users out of your stuff or they'll break it.
I'll buy that. Keep users of your stuff, or they'll break it. So, for instance, when a user needs to manipulate data
that may reside and back in database, we don't give that user access to our back in database. That's crazy talk, right? What do we do? Give him a front end application where they can make their entry, or we allow them to view a report or some sort of you that allows them to access what they need without getting into the database.
Well, the same idea with AP eyes. When we talk about access of application programming interfaces, the idea is some outside untrusted entity needs to access some form of internal trusted element. So what we're talking about here, really
the a p I is would allow secure communication from when Web service to another.
All right, so this is really important in today's environment because our Web service is speak to each other. So Soto was so to speak, they communicate with each other. So what we have to make sure is that we have to make sure that we have a format for those applications to communicate properly, and that's what the eight p I does. But
ultimately, it's all about protected access, making sure that something untrusted Web service or whatever
doesn't manipulate something trusted internal processes on you know, the server side
that that that access happens in a controlled fashion. Okay, so Clark Wilson, security model says, keep users out of your stuff or they break it.
And if users need to access your stuff, force them through an interface. So it's no coincidence that a P I application programming interface is just that. All right, So when we talk about an AP, I we're gonna just define that as on element
programming code that allows to Web service is to communicate.
So, for instance, you know, if I'm looking, I've got HR database, and I am adding users to that HR database, and I want the information I have in that database to go upto office 3 65 for instance. So that is I add a user
to my organization.
That user gets an account at office 3 65 Well, that's an A p I. That allows that to happen, right? That communication between this h r rap and office 3 65 All right to the big elements, access request and then response. So when we talk about access, that's where we're addressing
the identity.
And then, um uh, you know what service is? Can that really was more in requests? Who? Let's say access. What account it are we considering
what accounts are allowed to participate, then the actual request itself. So what are we gonna allow to be requested from service A to service be methods in parameters. So when we talk about the methods, what can we ask for.
So can I ask for you to add a user account to your database, for instance, or can this user query records
and then the parameters? Okay, well, this user can query records within a certain date range. Okay. The specifics of the method, our parameters and then the response How is that response gonna be transmitted back and how that's gonna be processed? So when we look at those AP eyes access request in response.
All right. Now, um, I always think about AP eyes like I think about Starbucks. I love myself a good cup of coffee. I'm not saying Starbucks has the best fruit cup of coffee on the planet, But let me tell you,
like someone that travels a lot and I drink a lot of hotel coffee once you spend the extra money and get a Starbucks coffee compared to hotel swill, that's a big step in the right direction. So, yeah, I'm Starbucks person. Are there many other fine, fine coffee organizations out there that
All right, so let's talk about this.
I am one of these people that's kind of obnoxious in my request for coffee. I never thought I would be that person right? For a long time. I was a black coffee drinker. Just give me a cup of black coffee. But as I've aged and as I'm more and more resistant against spending six bucks for a cup of coffee, I've come to the point where I realize
if I'm spending spending six bucks for a cup of coffee, it is gonna be exactly
to my specifications. So now my order for coffee is I would like a grand day
breath. They
cappuccino with one shot off sugar free vanilla.
And I would like that dry.
That's a lot of order, right? I'm very particular as my mother used to call persnickety. So with my cup of coffee now for me, I'm kind of one of those people. If you want something done right, do it yourself. So I show up at Starbucks. My temptation is just let me get in the back. I'll make my own cup of coffee.
That is not going to be well received at Starbucks, as you can imagine.
Why? Why won't they just let me walk into their kitchen?
Because outbreak it? I'm an untrusted into tea, and if I want to access. The resource is of Starbucks. They're not gonna let me do that. Untrusted will break protected stuff.
So what do I do? Instead? I have to place my order with the Arista. Now that Arista's like that a piat. Hey, the baristas job is to make sure that I request something that the back and service can provide. So I can't go in there and say, Hey, can you get me a slice of pepperoni pizza?
I mean, I couldn't do it, but the reason is gonna look at me like I'm crazy, and she's not gonna afford that request to the back. Right?
And the other thing is, if you know and everybody's kind of used to this now, but Starbucks has their own language. I'd like a large. I'm sorry. Do you mean a It's not ground venti.
No, I mean a large. No, no, it's a vintage.
So we've got
What do we have? We have tall grande, a venti, whereas I'm used to speaking in small, medium large. So if I go up to the barista and say I'd like a large coffee, the priest is gonna make sure that that request that goes to the back end is formatted properly. I'm they tell her large, but she's gonna tell the back end that I want Rondae,
right? So her job so far should make sure that what I'm requesting
can be requested. And she also make sure that it's formatted in the right manner. All right, so now I put my fancy order in. I want a grand a breath, a cappuccino, one shot, sugar free vanilla mostly dry.
And she takes that and translates it to the vacuum, and the back end can fill that request. If I had asked for something in the wrong format or something that could not be
fulfilled, that's the baristas job. Hey, so that's an important piece. And our Web service is have toe have that element between them. If I ask for something that goes to the back end that shouldn't be requested, then I'm a slow the process down on the back end,
right? If somehow I'm talking to the chef and I say give me a pepperoni pizza
and that chef, their job is just to take what comes in is a request and try to fulfill it. If we don't have that Marie, Stop operating between. I'm gonna slow things down. We're gonna have a process problem. Okay, So, ultimately, that's what we're looking at for AP eyes
Very important process. They allow an untrusted entity to communicate with their trusted resource without doing so directly there. The man in the I won't say a man in the middle of that has a negative connotation, but they're the go between their the interface that allows proper communication.
Up Next
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.

Instructed By