JSFoo 2018

Introduce audience to security implications while writing application code for public facing gateway services. The talk will not be a tutorial on security best practices. Instead, it will focus on building an understanding for developing secure applications and outline ways to do so.

Key takeaways:

1. How to build secure APIs
2. Understand security challenges while building BFF (Backend For Frontend)
3. Security should be a part of writing code - not a separate

Outline

BFF Introduction

• Rise of BFFs in microservices architecture
• Purpose of these gateway services
• Security challenges and considerations

Security core components in terms of an API

• Confidentiality
• Integrity
• Availability

Responsibilities of a BFF

• Managing public access to internal services
• Validation and sanitisation on requests and responses
• Deferring certain responsibilities to downstream services

Building with security in mind

• Architecture as a forcing function for security
• Principle of least privilege
• Content security
• Testing for security

Case Study - Postman BFF

• Abstracting out security from business logic
• Security as development stage
• Enforcing best practices using tests and linting
• Continuous monitoring for security

Requirements

The talk assumes basic familiarity with HTTP concepts.

Speaker bio

I am a Software Developer at Postman. I have been developing web applications for the past 4 years. Currently, I spend my time building, optimizing and maintaining the web products of Postman.

Links

• Github: https://github.com/ankit-m/
• Twitter: https://twitter.com/ankit_muchhala
• ReactFoo 2018: https://reactfoo.talkfunnel.com/2018-delhi/31-react-internals-how-understanding-react-implementa

Slides

https://www.slideshare.net/AnkitMuchhala/building-a-secure-bff-at-postman