Layered API Security: What Hackers Don't Want You To Know
June 2020
Overview
1. API Lifecycle
2. API Management
3. Securing an API
4. API Landscape
5. Layered Security with Azure + MuleSoft + PingIntelligence
About Big Compass
• Boutique consulting firm
• Specializing in integration and related technologies
• We build connections
• Systems
• Apps
• People
• Corporations
Attack!
API Lifecycle and Management
API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage
API Management
Create API
Connect the API
Secure
Manage/Monitor
First Line of Defense - Gateway Security
• Basic authentication
• IP whitelisting
• Client ID enforcement
• SLA-based rate limiting and throttling
• OAuth 2.0
• JWT
• TLS
API Gateway Security
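The first-line controls listed above, chained in the order a gateway would apply them, as an added example (not code from the deck, Azure API Management or MuleSoft API Manager): an IP allowlist (the deck's "IP whitelisting"), client ID enforcement, a fixed-window SLA rate limit per client tier, and HS256 JWT validation with the algorithm pinned, a constant-time signature comparison and an expiry check. The networks, client IDs, SLA tiers and HMAC key are constructed for the demo.

```python
"""Toy gateway policy chain: IP allowlist -> client ID enforcement -> SLA
rate limit -> JWT check. Every configuration value below is constructed."""
import base64
import hashlib
import hmac
import ipaddress
import json

# Constructed configuration (assumptions, not values from the deck or any vendor)
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]
REGISTERED_CLIENTS = {"mobile-app": "gold", "partner-batch": "bronze"}  # client_id -> SLA tier
SLA_LIMITS = {"gold": 10, "bronze": 3}        # requests per window
WINDOW_SECONDS = 60
JWT_HMAC_KEY = b"constructed-demo-key-not-for-production"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256_jwt(claims: dict, key: bytes) -> str:
    """Issue a sample HS256 token (only so the demo has tokens to check)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes, now: float) -> dict:
    """Pin the algorithm, compare the signature in constant time, enforce exp.
    Raises ValueError naming the defect; returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= float(claims["exp"]):
        raise ValueError("token expired")
    return claims


class Gateway:
    def __init__(self):
        self._windows = {}                    # client_id -> (window_start, count)

    def _within_sla(self, client_id: str, now: float) -> bool:
        limit = SLA_LIMITS[REGISTERED_CLIENTS[client_id]]
        start, count = self._windows.get(client_id, (now, 0))
        if now - start >= WINDOW_SECONDS:     # fixed window rolls over
            start, count = now, 0
        allowed = count < limit
        self._windows[client_id] = (start, count + 1 if allowed else count)
        return allowed

    def handle(self, request: dict, now: float) -> tuple:
        """Apply the layers in order; the reason names the layer that rejected."""
        if not any(ipaddress.ip_address(request["src_ip"]) in net for net in ALLOWED_NETWORKS):
            return 403, "ip-allowlist"
        client_id = request["headers"].get("client_id")
        if client_id not in REGISTERED_CLIENTS:
            return 401, "client-id"
        if not self._within_sla(client_id, now):  # before the crypto: junk tokens must not burn CPU
            return 429, "sla-rate-limit"
        auth = request["headers"].get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing-bearer"
        try:
            claims = verify_hs256_jwt(auth[len("Bearer "):], JWT_HMAC_KEY, now)
        except ValueError as err:
            return 401, f"jwt:{err}"
        return 200, f"ok sub={claims.get('sub')}"


def run_demo() -> list:
    """Push constructed requests through the chain; returns the (status, reason) decisions."""
    gw, t0 = Gateway(), 1_700_000_000.0
    good = mint_hs256_jwt({"sub": "alice", "exp": t0 + 300}, JWT_HMAC_KEY)
    stale = mint_hs256_jwt({"sub": "alice", "exp": t0 - 1}, JWT_HMAC_KEY)
    hdr, payload, sig = good.split(".")
    bad_payload = _b64url_encode(json.dumps({"sub": "admin", "exp": t0 + 300}).encode())
    tampered = ".".join([hdr, bad_payload, sig])          # claims edited, old signature kept
    alg_none = ".".join([_b64url_encode(b'{"alg":"none"}'), payload, ""])

    def req(ip="10.1.2.3", client="partner-batch", token=None):
        headers = {"client_id": client}
        if token is not None:
            headers["Authorization"] = "Bearer " + token
        return {"src_ip": ip, "headers": headers}

    requests = [req(ip="198.51.100.7"), req(client="unknown"), req(token=stale),
                req(token=alg_none), req(token=tampered), req(token=good)]
    return [gw.handle(r, t0) for r in requests]
```

The ordering is the point: the cheap checks (source network, client ID, quota) run before the signature check, so a flood of bad tokens is throttled by the SLA layer rather than consuming signature verifications; in the demo the valid token is the one that ends up rate limited, because the three rejected tokens before it already used the bronze quota. Each rejection returns the layer that stopped it, which is the field to log and alert on.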
Second Line of Defense - API Security + WAF
• Protects against many common attacks - OWASP Top 10 attacks
• SQL injection
• Cross-Site Scripting
• Body scanning
• DDoS
• What are the vulnerabilities?
• Advanced API attacks from authenticated hackers
• Detecting authenticated attacks is difficult!
API Security + WAF
API Landscape
Current API Landscape
Current API Security Landscape
Current API Security Landscape
• API Security Survey
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team's awareness of all APIs
• Lesson learned: reactivity to proactivity
API Attack Detection
Time to Detect First Breach
The Difficult Problem of Securing APIs
High volume of traffic across many APIs
High velocity connections across many APIs
Variety of client types and activity
Who is responsible for APIs?
How Vulnerable are APIs?
• API login and DDoS attacks
– Attacks from valid identities
– Stolen identifiers
– Under-the-radar API DDoS attacks
• Stolen account
– Account takeover
– Data theft
– App control
• Hackers using Machine Learning
– Every attack looks different
– Every blocked attack leads to a new attack
– Always getting smarter
Answer: Leverage Machine Learning and AI
• Model
– Behavioral learning
– Continuously build security model
• Detect
– Look for deviations from the learned behavior
• Block
– Block compromised tokens/access
– Notify/alert
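The Model / Detect / Block loop above in working form, as an added example that is not code from the deck or from PingIntelligence: a per-token baseline is learned from access logs (which resources the token touches, its requests per minute, its response sizes), a later window is scored for deviations, and any token with a finding is revoked so the gateway can refuse it. The log format, token names, paths and thresholds are constructed assumptions; a product would learn far richer features, but the shape of the loop is the same.

```python
"""Behavioral API-abuse detector: learn a per-token baseline, flag deviations,
block the token. Log format, tokens and thresholds are constructed."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format: epoch seconds, opaque token id, method, path, status, bytes
LOG_RE = re.compile(
    r"^(?P<ts>\d+) token=(?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"status=(?P<status>\d{3}) bytes=(?P<bytes>\d+)$"
)
ID_RE = re.compile(r"/\d+(?=/|$)")


def parse_line(line: str):
    """Return an event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"], ev["bytes"] = int(ev["ts"]), int(ev["bytes"])
    # collapse numeric IDs so /accounts/17 and /accounts/42 count as one resource
    template = ID_RE.sub("/{id}", ev["path"])
    ev["resource"] = f"{ev['method']} {template}"
    return ev


def _mean_std(values):
    mean = statistics.fmean(values)
    std = statistics.pstdev(values) if len(values) > 1 else 0.0
    return mean, std


class BehaviorModel:
    """Model: resources, request rate and response size per token.
    Detect: deviations from that baseline. Block: revoke the token."""

    def __init__(self):
        self.resources = defaultdict(set)   # token -> resources seen in the baseline
        self.rate = {}                      # token -> (mean, std) requests per minute
        self.size = {}                      # token -> (mean, std) response bytes
        self.blocked = set()

    def learn(self, events):
        per_min, sizes = defaultdict(Counter), defaultdict(list)
        for ev in events:
            self.resources[ev["token"]].add(ev["resource"])
            per_min[ev["token"]][ev["ts"] // 60] += 1
            sizes[ev["token"]].append(ev["bytes"])
        for token in per_min:
            self.rate[token] = _mean_std(list(per_min[token].values()))
            self.size[token] = _mean_std(sizes[token])

    def detect(self, events):
        """Score one window of events; returns {token: [reasons]} for deviating tokens."""
        findings, per_min = defaultdict(list), defaultdict(Counter)
        for ev in events:
            tok = ev["token"]
            if tok not in self.rate:
                findings[tok].append("no baseline for token")
                continue
            if ev["resource"] not in self.resources[tok]:
                findings[tok].append(f"unseen resource {ev['resource']}")
            mean, std = self.size[tok]
            if ev["bytes"] > mean + 3 * max(std, 1.0):
                findings[tok].append(f"oversized response {ev['bytes']}B")
            per_min[tok][ev["ts"] // 60] += 1
        for tok, buckets in per_min.items():
            mean, std = self.rate[tok]
            peak = max(buckets.values())
            if peak > mean + 3 * max(std, 1.0):
                findings[tok].append(f"rate spike {peak}/min vs baseline {mean:.1f}/min")
        return {tok: sorted(set(r)) for tok, r in findings.items()}

    def block(self, findings):
        """Revoke every token with a finding; returns the alerts to send on."""
        alerts = []
        for tok, reasons in findings.items():
            self.blocked.add(tok)
            alerts.append(f"ALERT token={tok} blocked: " + "; ".join(reasons))
        return alerts


def run_demo() -> dict:
    """Constructed baseline (five quiet minutes) followed by one suspicious minute."""
    baseline, t = [], 1_700_000_000
    for minute in range(5):
        for tok, n in (("tokA", 2), ("tokB", 3)):
            for i in range(n):
                baseline.append(f"{t + minute * 60 + i * 10} token={tok} "
                                f"GET /accounts/{100 + i} status=200 bytes=850")
    t2 = t + 600
    window = [f"{t2 + i} token=tokA GET /accounts/{i} status=200 bytes=850" for i in range(40)]
    window.append(f"{t2 + 45} token=tokA GET /admin/export status=200 bytes=5000000")
    window.append(f"{t2 + 50} token=tokB GET /accounts/101 status=200 bytes=820")
    window.append("garbage line that does not parse")
    model = BehaviorModel()
    model.learn([e for e in map(parse_line, baseline) if e])
    findings = model.detect([e for e in map(parse_line, window) if e])
    return {"findings": findings, "alerts": model.block(findings), "blocked": model.blocked}
```

In the constructed window, `tokA` is a valid identity (it authenticates fine and the gateway layers would pass it) whose behaviour no longer matches its own history: forty requests in a minute against a baseline of two, a resource it never touched, and a response three orders of magnitude larger than usual. `tokB` behaves as before and produces no finding. The `blocked` set is what the gateway would consult on every request, which is the "block compromised tokens/access" step.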
PingIntelligence for APIs
• Deep API visibility
– Dynamically discover APIs across all environments
– Monitor APIs across all environments
• Automated threat detection and blocking
– Detect and block attacks on your APIs
– API honeypots to instantly detect probing hackers
• Self learning
– Use AI to build behavioral model
– No need to author and manage policies and update API security
Zero Trust
• You can’t trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
• Client app, user, 3rd party identities
[Diagram: GitHub leaking client secrets, phishing and a stolen token as paths to user data through the API]
API Security + PingIntelligence
Scalable Multi-Cloud API Platform
• Content Injection – JSON, XML, SQL, XSS
• Flow Control – Throttling, metering, quota management
• Access Control – AuthN, AuthZ, Tokens
AI-Powered Threat Protection For APIs (PingIntelligence for APIs)
• Automated Cyber-Attack Blocking – Blocks stolen tokens/cookies, bad IPs, and API keys
• API Deception and Honeypots – Instant hacking detection and blocking
• Deep Visibility and Reporting – Monitor and report on all API activity
PingIntelligence Augments API Security
• API Gateways
– API management
– Security policies
• Web Application Firewalls
– OWASP top 10 protection
• PingIntelligence for APIs
– Authenticated users
– Advanced attacks
Attack
Landscape
Summary
API breaches go undetected for months or years
Zero trust strategy for securing APIs is crucial
Gartner: "by 2022, API abuses will be the most frequent attack vector that result in breaches"
Many attacks can't be detected with traditional API security
Help is here from PingIntelligence + API Gateways
API Gateway Security
API Security + WAF
API Security + WAF + PingIntelligence
Demo
ATTACKING AN AZURE/MULESOFT GATEWAY SECURITY + WAF + PINGINTELLIGENCE PROTECTED API
References and Documentation
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence for APIs
– https://docs.pingidentity.com/bundle/pingintelligence-41/page/dvy1564008964001.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
– Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
• https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html
• Azure
– API Manager
• https://azure.microsoft.com/en-us/services/api-management/
– Azure API Security
• https://docs.microsoft.com/en-us/azure/api-management/api-management-security-controls
• MuleSoft Documentation
– API Manager
• https://docs.mulesoft.com/api-manager/2.x/
– Anypoint Security
• https://docs.mulesoft.com/anypoint-security/
Connect With Us
• Big Compass
◦ Website - https://www.bigcompass.com
◦ LinkedIn - https://www.linkedin.com/company/big-compass/
◦ Twitter - https://twitter.com/big_compass
◦ Facebook - https://www.facebook.com/bigcompass/
◦ YouTube - https://www.youtube.com/channel/UCe789BLAsirAsl7w0skJlJQ?view_as=subscriber
Questions?