Philippe De Ryck

Architecting API Security

Is your perimeter security obsolete? Learn the architectural patterns that contain attackers who are already inside your network and prevent lateral movement.

Architecting API Security
#1about 2 minutes

The urgent need for API security from day one

Recent studies show widespread vulnerabilities like hard-coded keys and authorization failures, highlighting the necessity of designing for security from the start.

#2about 1 minute

Focusing on secure architecture over just code

The OWASP API Security Top 10 reveals that many critical risks, like broken authorization, are best addressed through architectural design rather than just secure coding practices.

#3about 2 minutes

A typical API architecture overview

A common API architecture consists of clients, an API gateway acting as a single entry point, and various backend APIs or microservices handling specific responsibilities.

#4about 6 minutes

Why perimeter security is no longer enough

A compromised internal service, such as a vulnerable image processor, can breach the entire trusted zone, demonstrating that a single perimeter defense is insufficient.

#5about 5 minutes

Using compartmentalization for defense-in-depth

By isolating high-risk services like image processors into separate trust zones, you can contain the damage from a potential breach as part of a defense-in-depth strategy.

#6about 3 minutes

Isolating both untrusted and sensitive services

Compartmentalization applies both to sandboxing untrusted components and to creating secure enclaves for highly sensitive services like authentication or payments.

#7about 5 minutes

Authenticating internal API-to-API calls

To prevent a compromised internal service from moving laterally, enforce authentication between all internal APIs and define strict policies on which services can communicate.

#8about 5 minutes

Propagating user context to internal APIs

Internal services need user context to make authorization decisions, which can be achieved by forwarding the user's authentication state from the gateway via a token relay.

#9about 4 minutes

Using reference tokens instead of raw JWTs

To avoid exposing large or sensitive JWTs to clients, an API gateway can issue a small, opaque reference token and translate it back to the full JWT for internal API calls.

#10about 2 minutes

Following JWT security best practices

JSON Web Tokens are not a complete security solution and require careful implementation to avoid common pitfalls related to signature validation, algorithm choice, and revocation.

#11about 2 minutes

Key architectural takeaways for API security

Improve your API security by planning for compromise, choosing simple and robust solutions, and using the API gateway to shield internal implementation details from clients.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Preventing exposed API keys in AI-assisted development
03:45 MIN

Preventing exposed API keys in AI-assisted development

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Building trust through honest developer advocacy
02:48 MIN

Building trust through honest developer advocacy

Devs vs. Marketers, COBOL and Copilot, Make Live Coding Easy and more - The Best of LIVE 2025 - Part 3

The security challenges of building AI browser agents
06:33 MIN

The security challenges of building AI browser agents

AI in the Open and in Browsers - Tarek Ziadé

The security risks of AI-generated code and slopsquatting
05:55 MIN

The security risks of AI-generated code and slopsquatting

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Comparing the security models of browsers and native apps
05:01 MIN

Comparing the security models of browsers and native apps

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Understanding browser APIs that rely on company services
04:30 MIN

Understanding browser APIs that rely on company services

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Crypto crime, EU regulation, and working while you sleep
01:15 MIN

Crypto crime, EU regulation, and working while you sleep

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Improving the developer feedback loop with specialized tools
03:16 MIN

Improving the developer feedback loop with specialized tools

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Featured Partners

Related Videos

See all videos
Bullet-Proof APIs: The OWASP API Security Top Ten25:46

Bullet-Proof APIs: The OWASP API Security Top Ten

Christian Wenz

Lessons learned from observing a billion API requests23:47

Lessons learned from observing a billion API requests

Pratim Bhosale

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

You can’t hack what you can’t see29:34

You can’t hack what you can’t see

Reto Kaeser

Securing Your Web Application Pipeline From Intruders44:30

Securing Your Web Application Pipeline From Intruders

Milecia McGregor

Enabling automated 1-click customer deployments with built-in quality and security44:40

Enabling automated 1-click customer deployments with built-in quality and security

Christoph Ruggenthaler

Related Articles

View all articles
A
Apify
What Developers Are Building to Win $1 Million with Apify
Apify started as a web scraping product, but quickly evolved into a full-blown platform and marketplace for developers to write code, and monetise it by creating Actors, tools that simplify the scraping process for others. Running until the end of J...
What Developers Are Building to Win $1 Million with Apify

From learning to earning

Jobs that call for the skills explored in this talk.

Security Engineer

Security Engineer

Laravel

Remote
£53K
Laravel
Continuous Integration
Amazon Web Services (AWS)
+1