What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management? Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can - provide visibility for all security threats targeting their backend services - control access to sensitive data - end-to-end - enable developers to build secure apps with secure APIs - facilitate secure access with partners and developers

1. API Security in the Digital Age
Subra Kumaraswamy, Apigee &
Jason Kobus, Silicon Valley Bank

2. youtube.com/apigee

3. slideshare.net/apigee

4. @Subrak
Subra Kumaraswamy
Jason Kobus
Silicon Valley Bank

5. Agenda
• API Security 101
• Launching an API Platform for a regulated company
• Key Takeaways
5

6. Apigee
Managemen
t
Develope
r
API Team
Enterprise Security Requirements
6
API Threat Protection
IT Security
Developer friendly security features – Secure SDLC
Threat protection by configuration
Identity and fine granular access control
Security for App and API Developers
Security by global policies – Separation of Duties
Security automation enabled by APIs
End-to-End security – In Rest and Transit
OOB features for security and compliance management
End-to-End Security
User Apigee
Run-time
App/Devi
ce
Backend

7. API Security Stakeholders
7
Product Manager
How can I release features with
built-in security?
How I can reduce the release
cycle?
Business owner
How to reduce risk while
expanding API exposure?
How to meet compliance?
Ops
How do I enforce consistent
security policy across APIs?
What controls I have to mitigate
attacks like DoS?
API Developer
What options I have to secure
data in rest and transit?
How can I securely manage keys?
Security & Privacy Team
How do I manage the PII life cycle of
data exposed via APIs
How do I govern APIs exposed to internal
and external developers?

8. The risk must be mitigated on several layers
8
Application Architecture (user and data mgmt)
Application Topology (zoning, protocols, …)
Operating System security (access control, patches, …)
Network security (firewall, topology, filtering, …)
API Security (auth* and backend sheltering)
Auditing,
Monitoring,
Processes
(Data center,
Development,
Deployment)
Scope of API Security Deployment

9. Threat Modeling and API/infrastructure Design
• Your APIs are vulnerable to the typical Web application
security attacks – Think OWASP Top 10 attacks
• In addition you have to worry about:
– API abuse via API key theft
– Hackers reverse engineering Apps to access private APIs
– Traffic spike protection by way of Bots or DoS attacks
– Identity tracking across API sessions
– XML/JSON injection type attacks
– Token harvesting due to insecure communication or storage
9

10. API Security Governance – Integrate into Life
Cycle
Govern
Design
Develop
Secure
Deploy
Doc.
Test
10
Support for open standards & protocols
(eg. SAML, OAuth, TLS, etc) 
Security & Access Control Policies -
Authentication, Authorization, Transport
level security

Input validation & vulnerability detection (
XSS, CSRF,SQL injection..) 
Rate Limiting & Throttling 

11. Launching an API Platform for a regulated
company
{
“Jason Kobus”: {
“role”: “Director API Banking / Fintech Integration”,
“company”: “Silicon Valley Bank”,
“credentials”: {“current”: [“CSPO”, “CISSP”, “CISA”]}, {“former”: [“CIA”, “CISM”, “CIPP, “Series 7”, “PMP”, “ISO 27001 LI”]},
“mission”: “Deliver secure financial APIs to make clients happy and extend reach / increase revenue”
}
}
September 29, 2015
DISCLAIMER: The content on this site, and comments made during the presentation, are my own and don't necessarily represent the positions,
strategies, or opinions of Silicon Valley Bank.

12. API Opportunity and Risk Management
What are the biggest cyber-threats facing regulated financial entities today and on the
horizon? How can organizations embracing innovation and agile development culture
while balancing the time to market goals with risk management mission?
– Visibility
– Data protection
– API security
– Partner integration

13. Visibility
• Risk Assessment:
– OWASP/NIST for typical threats
– Brute force: How strong are your keys?
• Vulnerability assessment
• Penetration testing
• Packet Capture
• Know your API operations:
– What are they capable of?
– Could they be exploited by fraudsters?
The first step in avoiding a trap is knowing
of its existence!" -- Thufir Hawat, Dune

14. Protect Sensitive Data
• Avoid Data breaches, Partner with Privacy:
– GLBA, HIPAA, PCI DSS, EU DPD, State laws, etc. == Compliance Complexity
• Controls:
– Network: SSL termination
– Data protection strategy:
• Avoid, Redact, Encrypt, Insure
• Read-only/non-transact
– more...

15. API $ecurity
• Vet your API gateway partner and leverage their security infrastructure, assurance, and
experts.
• Consider the worst case scenario – what if there is an event? Make sure your Legal
understands.
• API Authentication paradigms in financial services
– "data aggregation“ APIs used to pull account, balance, transaction data
• User ID and password (challenge questions) = same creds as online banking
• User ID and read-only PIN
– OAUTH
• Enforce client security better
• Where purpose and actual grant align

16. Partner Integration
• How to “Trust” your API partners:
– Good vendor management – financials / SOC-2
– Data sharing agreements
– Work with partners to ensure end users get clear and unambiguous notice
to customers before they authorize the access
UK report "Data sharing and open data in banking":
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/413766/PU1793_Open_data_re
sponse.pdf

17. Security at Points of Engagement
17
P
A I
Users Apps Developers APIs API Team Backend
Mutual TLS
IP Access
control
RBAC
Identity & Access Mgmt.
Audit
Spike Arrest
Rate Limits
Threat Protection
Intrusion Detection
DDoS
Access
Block
Revoke
SSO
RBAC
API key
OAuth2
TLS
OAuth2
MFA
Federated Login
IP Access Control

18. Key Takeaways
• Follow API Threat Model and build API security into your API
products
• Ensure identity and security controls at every points of API
lifecycle and integrate best practice into SDLC
• Gain visibility into API security risks, data sensitivity prior to
deployment
• Protect sensitive data – In transit and at rest
• Layered Protection is key
18

19. Thank you