apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity

1. Overengineering weakens your API security
David Vazquez Cortizo, Managing Director
2. Preamble
● Two truisms (?)
  ○ The importance of API security
  ○ The energy (budget) of your organization is limited for security
● Treat security waste (over-engineering and bureaucracy) as a security threat
● Take a natural and energy-efficient approach to security through
  ○ A simple framework
  ○ Tooling
  ○ Mindset
3. Agenda
● A simple framework to address API security
● Governance - Architecture and Development
● Transparency
● API Operations
● Mindset
● Closing
4. A simple framework to address API security
(Diagram labels: OAUTH2, OAUTH2 scopes, ACL, RBAC, TLS1.2, Mutual TLS, TLS1.3, end2end encryption, Fine-grained authorization)
5. Governance - Architecture
● Understand and challenge your needs - remove waste
  ○ Consider getting rid of your IP whitelisting
● What do you do with your API Gateways?
  ○ Consider your options:
    ■ SaaS
    ■ Managed service from your cloud provider
    ■ APIM vendor
  ○ Bring together API Gateway & Identity & Access Management solution
  ○ Separate domains - Security & Operations layer vs Accessibility layer
6. Marketplace & Platform Features
● Publish your APIs and Digital Products (Applications) into the catalog
● Control the visibility of your services through private, public and internal plans
● Organise your products into services within workspaces. Enrich them with marketing details and business insights
● Invite external companies to consume your services with their own workspace that they control and manage
● Provide a multi-branded and multi-catalog experience. Business units have their own organisation & workspaces
● External companies manage their own subscriptions and applications in a secure and compliant way
● Manage your APIs across the full API lifecycle from Design to Sunset
● Visualize analytics of your API traffic down to each individual request and obtain performance and use insights
● Use standard policies to control usage in a secure and compliant way
● Highly available infrastructure in APIM with 99.99% availability across 4 global regions
● Standards, Governance and Expertise centralised around the platform to provide a one-stop CoE for APIs
● Define Rate limits, transactions and pricing for Metering and Monetization and promote new revenue streams and innovation
(Slide columns: Marketplace | Platform)
7. Governance - Architecture
● Layered approach to security for Zero Trust
  ○ Three doors: Web layer / API Gateway / Destination server
  ○ External token replacement mechanism before the API Gateway
8. Governance - Secure development life cycle
● Leverage ISO 27001 Certification - shift security left
  ○ Identify security-related tickets during product refinement
  ○ Establish security roles inside the teams and early approval processes
● Standardize API development
  ○ Authentication and Access control
  ○ Input validation libraries, error handling, CORS policies, μservice templates
● Integrate tools in your Continuous Integration pipeline
  ○ Verification of 3rd party libraries (versions, security threats)
  ○ Code quality checks & API quality
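The "verification of 3rd party libraries" gate in the CI pipeline, as an added example that is not part of the deck or of any APInity tooling: it reads a requirements file, refuses dependencies that are not pinned to an exact version (so the build is reproducible and reviewable), and matches the pinned versions against an advisory table. The package names, the requirements text and the advisory entries are constructed for the illustration; a real pipeline would feed its own lock file and an advisory database (the placeholder advisory id is not a real identifier).

```python
"""Added example (not from the talk): a minimal CI gate for third-party
library verification. Requirements text, package names and the advisory
table are constructed for this illustration."""
import re

# Constructed sample requirements, as a CI job would read them from the repo.
SAMPLE_REQUIREMENTS = """\
# service dependencies (constructed sample)
acme-auth==2.3.1
acme-json>=1.0            # floating lower bound: not reproducible
acme_validate[strict]==0.9.0 ; python_version >= "3.8"
acme-metrics
"""

# Constructed advisory table: normalized package name -> {version: advisory id}.
# The id is a placeholder, not a real advisory.
ADVISORIES = {
    "acme-validate": {"0.9.0": "ADVISORY-PLACEHOLDER-1"},
}

# name, optional [extras], then the version specifier (if any)
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")


def normalize(name):
    """Package names compare case-insensitively with -, _ and . treated alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (pinned, unpinned): pinned maps name -> exact version,
    unpinned lists the raw specs that do not fix a single version."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        # strip trailing comments and environment markers
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            unpinned.append(line)
            continue
        name, spec = normalize(m.group(1)), m.group(2).strip()
        if spec.startswith("==") and "," not in spec and "*" not in spec:
            pinned[name] = spec[2:].strip()
        else:
            unpinned.append(line)
    return pinned, unpinned


def check_dependencies(text, advisories=ADVISORIES):
    """Findings a reviewer would want to see in the CI log."""
    pinned, unpinned = parse_requirements(text)
    findings = [f"unpinned: {spec}" for spec in unpinned]
    for name, version in pinned.items():
        advisory = advisories.get(name, {}).get(version)
        if advisory:
            findings.append(f"vulnerable: {name}=={version} ({advisory})")
    return findings


def ci_gate(text, advisories=ADVISORIES):
    """True when the build may proceed, False when any finding blocks it."""
    return not check_dependencies(text, advisories)


if __name__ == "__main__":
    for finding in check_dependencies(SAMPLE_REQUIREMENTS):
        print(finding)
    raise SystemExit(0 if ci_gate(SAMPLE_REQUIREMENTS) else 1)
```

The gate fails the build on the sample because two dependencies float and one pinned version matches the constructed advisory; the exact-pin rule is what makes the advisory match meaningful, since a range cannot be checked against a known-bad version.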
9. Transparency and Discoverability
● Impossible to secure APIs you do not know exist, or whether or not they are in use
  ○ You need to know your API state
● APIs as Digital Products
  ○ Opportunities - Monetization
  ○ Risks - Security and Operations
● Use API Risk assessment to prioritize security measures
  ○ Level of use of the API, who and how
What the eyes don't see the heart doesn't grieve
10. API Operations
Is anybody abusing my API state? How would I know?
Follow Nature's algorithm to develop brains: Detect, defend, prevent (Source: Antonio Damasio, Descartes' Error)
● Alarms and Monitoring
● Robust API logging and smart processing of these logs
● Rate limiting
● Ingress / Egress control
● Periodic security assessments
● Security posture - tooling for SIEM
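One way to turn "robust API logging and smart processing of these logs" into an answer to "is anybody abusing my API state?", and at the same time to surface the APIs from the transparency slide that nobody knew were in use, as an added example that is not code from the talk or from APInity. It parses gateway access logs, applies a sliding-window rate check per client (the detect side of rate limiting), flags clients with an abnormal share of 401/403 responses, and lists APIs seen in traffic but absent from the catalog. The log format, client ids, catalog and thresholds are constructed assumptions; real deployments would feed these findings to the alarms or SIEM tooling the slide mentions.

```python
"""Added example (not from the deck): process API gateway logs to answer
"is anybody abusing my API state?" and to surface APIs missing from the
catalog. Log format, client ids, catalog and thresholds are constructed
assumptions for this illustration, not values from the talk."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON object per line, as a gateway might emit.
SAMPLE_LOG = """\
{"ts": "2023-09-13T10:00:00Z", "client_id": "app-a", "api": "orders", "status": 200}
{"ts": "2023-09-13T10:00:20Z", "client_id": "app-a", "api": "orders", "status": 200}
{"ts": "2023-09-13T10:00:40Z", "client_id": "app-a", "api": "catalog", "status": 200}
{"ts": "2023-09-13T10:01:00Z", "client_id": "app-b", "api": "orders", "status": 401}
{"ts": "2023-09-13T10:01:01Z", "client_id": "app-b", "api": "orders", "status": 401}
{"ts": "2023-09-13T10:01:02Z", "client_id": "app-b", "api": "orders", "status": 401}
{"ts": "2023-09-13T10:01:03Z", "client_id": "app-b", "api": "orders", "status": 200}
{"ts": "2023-09-13T10:01:04Z", "client_id": "app-b", "api": "orders", "status": 403}
{"ts": "2023-09-13T10:01:05Z", "client_id": "app-b", "api": "orders", "status": 401}
{"ts": "2023-09-13T10:01:06Z", "client_id": "app-b", "api": "orders", "status": 401}
{"ts": "2023-09-13T10:02:00Z", "client_id": "app-c", "api": "legacy-export", "status": 200}
{"ts": "2023-09-13T10:02:30Z", "client_id": "app-c", "api": "legacy-export", "status": 200}
"""

# Constructed policy: the catalog of APIs the organisation knows about and
# the thresholds that turn a log stream into findings.
KNOWN_APIS = {"orders", "catalog"}
WINDOW = timedelta(minutes=1)
MAX_REQUESTS_PER_WINDOW = 5
AUTH_FAILURE_RATIO = 0.5
MIN_REQUESTS_FOR_RATIO = 4


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect_rate_abuse(events):
    """Sliding-window count per client; returns {client: peak count} for
    clients that exceeded MAX_REQUESTS_PER_WINDOW within any WINDOW."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client_id"]].append(e["ts"])
    flagged = {}
    for client, stamps in by_client.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= WINDOW:   # drop events outside the window
                start += 1
            count = end - start + 1
            if count > MAX_REQUESTS_PER_WINDOW:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


def detect_auth_failures(events):
    """Clients whose share of 401/403 responses exceeds AUTH_FAILURE_RATIO
    (a credential-misuse signal); ratio rounded to two places."""
    totals = defaultdict(lambda: [0, 0])           # client -> [requests, failures]
    for e in events:
        totals[e["client_id"]][0] += 1
        if e["status"] in (401, 403):
            totals[e["client_id"]][1] += 1
    return {c: round(f / t, 2) for c, (t, f) in totals.items()
            if t >= MIN_REQUESTS_FOR_RATIO and f / t > AUTH_FAILURE_RATIO}


def detect_unknown_apis(events, catalog=KNOWN_APIS):
    """APIs seen in traffic but absent from the catalog: the APIs you did
    not know existed, let alone were in use."""
    return sorted({e["api"] for e in events if e["api"] not in catalog})


def analyse(text):
    """Run all three detectors over a log text and return the findings."""
    events = parse_log(text)
    return {
        "rate_abuse": detect_rate_abuse(events),
        "auth_failures": detect_auth_failures(events),
        "unknown_apis": detect_unknown_apis(events),
    }


if __name__ == "__main__":
    for finding, detail in analyse(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

On the sample, app-b trips both the rate and the auth-failure checks (seven calls in one window, six of them rejected), while app-c is quiet but exercises an API that is not in the catalog, which is exactly the case the transparency slide says cannot be secured until it is known.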
11. Mindset
● Your security budget is limited - Act responsibly
  ○ Be bold: Eliminate waste from your security and compliance processes
● Understand and challenge needs and requirements
  ○ Need a self-managed API Gateway?
● Stay rational - Avoid over-engineering & Make decisions - Go for tooling!
  ○ Consider your core business and possible competitive advantage
  ○ Consider the capabilities of the organization
  ○ Remember the lifetime obligation to maintain and evolve the code you own
12. Summary
● Addressed API security with a mix of security framework, tooling and mindset
● Presented a simple framework to address API security in five dimensions
● Gave a few examples of tooling
● Mindset
13. The API Marketplace company
E-Commerce Journey | Gateway agnostic | Regulated Industries