WHAT HACKERS DON’T WANT YOU TO KNOW: HOW TO MAXIMIZE YOUR API SECURITY
March 4, 2020
Dallas MuleSoft Meetup Group
All contents © MuleSoft Inc.
Agenda
• 6:00PM – Doors open
• 6:00PM - 6:30PM – Network, Eat, and Socialize
• 6:30PM - 6:35PM – Introductions
• 6:35PM - 7:30PM – Presentation/Demo
• 7:30PM - 7:45PM – Q&A
• 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and Speakers

Introductions
• About the presenters:
– Aaron Lieberman, Big Compass
– Francois Lascelles, Ping Identity

MuleSoft API Management and Security
• MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
• PingIntelligence with MuleSoft APIs

API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage

Demo: API Lifecycle

Giveaway! With MuleSoft API Manager security policies, what is the difference between rate limiting and request throttling?

MuleSoft API Management
• API Manager
– Creating an API
– SLA Tiers
– Contracts
– Alerts
– Policies
  • Out of the box policies
  • Custom Policy from API Manager
  • Develop Custom Policy in Anypoint Studio
  • Secure your APIs!
– Monitoring

Securing APIs in MuleSoft With API Manager
• Specific to one API
– New feature of automated policies to apply the same set of policies to many APIs
• Common Policies in API Manager
– Basic authentication
– IP whitelist/blacklist
– Client ID Enforcement
– OAuth 2.0
– SLA based rate limiting and throttling
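As an added illustration of the distinction the giveaway question above asks about, and of what the SLA-based rate limiting and throttling policies listed here enforce, the following Python simulation (example code written for this page, not MuleSoft's policy implementation) runs one burst of requests through two policies: a rate limiter, which rejects anything over the per-window quota with HTTP 429, and a throttler, which instead books excess requests into later windows and only rejects once the wait would exceed a maximum delay. The timestamps, quota and delay cap are constructed values, and the window semantics are the general ones rather than a claim about API Manager's internals.

```python
from collections import defaultdict
from typing import Tuple


class FixedWindowRateLimiter:
    """Rate limiting: at most `limit` requests per `window_s` seconds; the rest are rejected."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._window = None   # index of the window currently being counted
        self._count = 0

    def handle(self, now: float) -> Tuple[int, float]:
        window = int(now // self.window_s)
        if window != self._window:          # a new window starts with a fresh quota
            self._window, self._count = window, 0
        if self._count >= self.limit:
            return 429, 0.0                 # over quota: reject immediately, no delay
        self._count += 1
        return 200, 0.0


class Throttler:
    """Throttling: requests over the quota are held and released in a later window
    instead of being dropped, up to `max_delay_s`; only beyond that are they rejected."""

    def __init__(self, limit: int, window_s: float, max_delay_s: float):
        self.limit, self.window_s, self.max_delay_s = limit, window_s, max_delay_s
        self._scheduled = defaultdict(int)  # window index -> requests already booked

    def handle(self, now: float) -> Tuple[int, float]:
        window = int(now // self.window_s)
        while self._scheduled[window] >= self.limit:
            window += 1                     # find the first window with free capacity
        delay = max(0.0, window * self.window_s - now)
        if delay > self.max_delay_s:
            return 429, 0.0                 # the queue is too deep: shed the request
        self._scheduled[window] += 1
        return 200, delay                   # served, possibly after waiting `delay` seconds


# Constructed burst: eight requests in under a second against a quota of 3 per second.
REQUEST_TIMES = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7]


def simulate(policy, times=REQUEST_TIMES):
    """Return (status, delay) for each request, in arrival order."""
    return [policy.handle(t) for t in times]


if __name__ == "__main__":
    for name, policy in (("rate limiting", FixedWindowRateLimiter(3, 1.0)),
                         ("throttling", Throttler(3, 1.0, max_delay_s=1.0))):
        print(name)
        for t, (status, delay) in zip(REQUEST_TIMES, simulate(policy)):
            print(f"  t={t:.1f}s -> {status}" + (f" after {delay:.1f}s wait" if delay else ""))
```

Run it and the rate limiter answers 429 to everything after the third request, while the throttler still serves requests four to six after a sub-second wait and sheds only the last two, whose wait would exceed the one-second cap. The throttler's cost is the queue: held requests tie up gateway resources, which is why a maximum delay or queue depth is part of any throttling configuration.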

Demo: MuleSoft API Management/Security and Attacking a MuleSoft API

MuleSoft Anypoint Security
• Secure all applications deployed to your Runtime Fabric with Edge Policies
• Implement a Web Application Firewall (WAF)
• Other policies
– IP whitelist
– Denial of service
– HTTP limits

MuleSoft + WAF Security
• Protects against many common attacks
– SQL Injection
– Cross Site Scripting
– Body scanning
– OWASP Top 10 attacks
– These are known vulnerabilities!

Security Policies + WAF Protection
• What do security policies + WAF actually protect against?
– Basic attacks (authentication, rate limiting, SQL injection, etc.)
• What are the vulnerabilities?
– Advanced API attacks from authenticated hackers
– No way to detect authenticated attacks
  • Google took 2.5 years to detect a breach
• How do we protect against these vulnerabilities?

MuleSoft + WAF Security Demo Architecture (architecture diagram slide)

Demo: MuleSoft API + WAF Security and Attacking an API Behind a WAF

Giveaway! How long did it take Google to detect an ongoing breach on their API?
A. 0-6 Months
B. 6-12 Months
C. 12-24 Months
D. 2+ Years

Current API Landscape
• APIs steadily increasing
• Attacks steadily increasing

Complementary Visibility
(Diagram with the labels API Management, API Traffic Analysis, “Effective” APIs and API Catalogue)
Gartner: “Discover your APIs before attackers discover them”

Identity Correlation (diagram slide)

Why are API breaches persisting?
• Foundational API security blindspots
– Unexpected “outside-the-app” scenarios
– Deficit of available expertise
– Real-time security focus
– Downstream vulnerabilities
• External vulnerabilities
– Users (phish, password reuse, insider threat)
– Clients that can’t keep secrets
– Bearer tokens

Augmenting API Security with Machine Learning
• MODEL
– Learn from API traffic
– Build models: API traffic from legit apps
• DETECT
– Inspect runtime traffic
– Look for deviations from the model
• BLOCK
– Block compromised tokens
– Notify/alert
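To make the MODEL / DETECT / BLOCK loop above concrete, here is an added Python example (written for this page, not PingIntelligence code). It learns two properties from constructed logs of legitimate app traffic, the set of method/endpoint pairs those apps use and the busiest per-token request count in any 60-second window, then scans constructed runtime logs for deviations and blocks the offending token, recording an alert line of the kind that would be forwarded to a SIEM. The log format, tokens and paths are all invented for the example, and the 2x rate factor is an arbitrary threshold.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed log format for this example: "<epoch_s> token=<token> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\d+) token=(?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
WINDOW_S = 60      # per-token request counts are kept per 60-second window
RATE_FACTOR = 2.0  # flag a token once it exceeds 2x the busiest window seen from legitimate apps

# MODEL phase input: constructed traffic from two legitimate apps (hypothetical tokens and paths).
BASELINE_LOG = [
    "960 token=app-A GET /accounts/42 200",
    "965 token=app-A GET /accounts/42/balance 200",
    "970 token=app-A POST /transfers 201",
    "980 token=app-A GET /accounts/17 200",
    "990 token=app-A GET /accounts/17/balance 200",
    "1000 token=app-B GET /accounts/99 200",
    "1001 token=app-B GET /accounts/99/balance 200",
    "1010 token=app-B POST /transfers 400",
]

# DETECT phase input: one legitimate request, a stolen token walking /accounts/<n> (30 requests
# in one window), and an app token used against an endpoint no legitimate app ever called.
RUNTIME_LOG = (
    ["1200 token=app-A GET /accounts/42 200"]
    + [f"{1200 + i} token=stolen-7 GET /accounts/{i} 200" for i in range(30)]
    + ["1230 token=app-B GET /admin/export 200",
       "1240 token=app-B GET /accounts/99 200"]
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"], rec["status"] = int(rec["ts"]), int(rec["status"])
    return rec


def normalize(path):
    """Collapse numeric path segments so /accounts/42 and /accounts/17 are one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


@dataclass
class TrafficModel:
    endpoints: set = field(default_factory=set)  # (method, path template) used by legitimate apps
    max_rate: int = 0                            # busiest per-token window in the baseline


def build_model(lines):
    """MODEL: learn which endpoints legitimate apps call and how bursty they get."""
    model = TrafficModel()
    per_window = Counter()
    for rec in map(parse_line, lines):
        model.endpoints.add((rec["method"], normalize(rec["path"])))
        per_window[(rec["token"], rec["ts"] // WINDOW_S)] += 1
    model.max_rate = max(per_window.values(), default=0)
    return model


def detect_and_block(model, lines):
    """DETECT deviations from the model and BLOCK the token that produced them."""
    blocked, alerts, decisions = set(), [], []
    per_window = Counter()
    for rec in map(parse_line, lines):
        tok = rec["token"]
        if tok in blocked:
            decisions.append((tok, "blocked"))
            continue
        key = (tok, rec["ts"] // WINDOW_S)
        per_window[key] += 1
        reasons = []
        endpoint = (rec["method"], normalize(rec["path"]))
        if endpoint not in model.endpoints:
            reasons.append(f"unknown endpoint {endpoint[0]} {endpoint[1]}")
        if per_window[key] > model.max_rate * RATE_FACTOR:
            reasons.append(f"{per_window[key]} requests in one window, baseline max {model.max_rate}")
        if reasons:
            blocked.add(tok)                          # block by token: the credential, not just the IP
            alerts.append((tok, "; ".join(reasons)))  # what would be forwarded to the SIEM
            decisions.append((tok, "block"))
        else:
            decisions.append((tok, "allow"))
    return decisions, alerts, blocked


def summarize(decisions):
    """Count (token, action) pairs so the outcome can be checked at a glance."""
    return dict(Counter(decisions))


if __name__ == "__main__":
    model = build_model(BASELINE_LOG)
    decisions, alerts, blocked = detect_and_block(model, RUNTIME_LOG)
    for tok, reason in alerts:
        print(f"ALERT token={tok}: {reason}")
    print(summarize(decisions))
```

Both detections fire without any hand-written policy: the stolen token is cut off on its eleventh request of the window, and app-B's token is blocked the moment it reaches an endpoint outside the learned set, even though every request carried valid credentials and returned 200. With a baseline this small the thresholds are illustrative; in practice the model needs enough legitimate traffic that a busy but honest client does not look like the attacker.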

Outcomes of applying ML to API security
Result: Automated Attack Detection and Blocking
• No policy authoring needed (anomaly detection)
• Secondary layer of defense to catch persisting gaps
• Get notified of attack through existing SIEM and specialized tooling
• Block requester by blacklisting API client
– Block by token
– Block by API key
– Block by identity
– Block by IP address
– Block by cookie
– …

API Decoys: Leverage Hacking Behaviors Against Attackers
1. Hacker touches decoy APIs
2. Instant flagging of malicious requesters
3. Blocks access to real APIs
(Diagram: decoy endpoints /finance, /query/date, /account and /query/name answer 200 OK)
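The decoy flow above, together with the block-by-token / API key / identity / IP / cookie list on the outcomes slide, as an added Python example (written for this page, not PingIntelligence code): a small gateway whose decoy paths are the four from the slide, which answers them with 200 OK while flagging every identifier the requester presented, and which then refuses the real endpoints to anyone presenting any of those identifiers. The real paths, identifiers and request sequence are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Decoy paths from the slide: unpublished endpoints that no legitimate client should ever call.
DECOY_PATHS = {"/finance", "/query/date", "/account", "/query/name"}
# Hypothetical real API paths used only for this example.
REAL_PATHS = {"/accounts", "/transfers"}


@dataclass
class Request:
    path: str
    ip: str
    token: Optional[str] = None
    api_key: Optional[str] = None
    cookie: Optional[str] = None

    def identifiers(self):
        """Every handle by which this requester can be recognised later (token, API key, IP, cookie)."""
        ids = {("ip", self.ip)}
        for kind, value in (("token", self.token), ("api_key", self.api_key), ("cookie", self.cookie)):
            if value:
                ids.add((kind, value))
        return ids


@dataclass
class DecoyGateway:
    blocked: set = field(default_factory=set)   # identifiers of flagged requesters
    alerts: list = field(default_factory=list)  # (decoy path, identifiers) per flagging event

    def handle(self, req: Request):
        ids = req.identifiers()
        if ids & self.blocked:
            # Any one matching identifier is enough; correlate the others so a requester
            # that rotates IPs or tokens stays blocked.
            self.blocked |= ids
            return 403, {"error": "forbidden"}
        if req.path in DECOY_PATHS:
            # Steps 1-2: touching a decoy flags the requester instantly...
            self.blocked |= ids
            self.alerts.append((req.path, sorted(ids)))
            # ...but the decoy answers 200 OK with plausible content, as on the slide,
            # so the probe looks successful and reveals nothing about the trap.
            return 200, {"data": []}
        if req.path in REAL_PATHS:
            return 200, {"data": ["..."]}  # step 3: only unflagged requesters get this far
        return 404, {"error": "not found"}


def run_scenario():
    """Constructed sequence: a legitimate client, then an attacker who probes a decoy
    and afterwards rotates IP and credentials while trying to reach the real API."""
    gw = DecoyGateway()
    scenario = [
        Request("/accounts", ip="10.0.0.5", token="tok-legit"),         # normal use
        Request("/account", ip="203.0.113.7", token="tok-stolen"),      # decoy probe, gets 200
        Request("/accounts", ip="198.51.100.3", token="tok-stolen"),    # same token, new IP
        Request("/accounts", ip="203.0.113.7", api_key="key-new"),      # new credential, old IP
        Request("/accounts", ip="10.0.0.5", token="tok-legit"),         # legitimate client unaffected
        Request("/transfers", ip="198.51.100.3", cookie="sess-fresh"),  # IP learned by correlation
    ]
    return [gw.handle(r)[0] for r in scenario], gw


if __name__ == "__main__":
    statuses, gw = run_scenario()
    print(statuses)
    for path, ids in gw.alerts:
        print(f"decoy {path} touched by {ids}")
```

The sequence returns 200, 200, 403, 403, 200, 403: the probe itself succeeds from the attacker's point of view, but every later attempt is refused whether it reuses the token, the IP, or an IP that was only associated with the blocked token afterwards, while the legitimate client is never touched. The IP dimension is the one to treat with care: clients behind a shared NAT or proxy share an address, so correlating by IP can lock out bystanders, and token, API key and cookie are the more precise handles.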

PingIntelligence For APIs
(Diagram: PingIntelligence for APIs® alongside App Servers and APIs, labelled API Discovery, Attack Blocking and Deep Reporting)
• Deep API Visibility
– Dynamically discover APIs across all API silos
– Analyze API activity, apply identity correlation
• Automated threat detection and blocking
– Detect and stop attacks that are not caught by foundational API security
– Use API decoys to flag hackers before attacks start
• Self Learning
– Use AI to build models automatically
– Eliminate the need to write and manage policies and update API attack signatures

Comprehensive Security: MuleSoft + PingIntelligence
• Foundational API Security (MuleSoft: Scalable Multi-Cloud API Platform)
– Content Injection: JSON, XML, SQL injection protection, XSS
– Flow Control: Throttling, Metering, Quota Management, Circuit-breakers
– Access Control: AuthN, AuthZ, Token Management, Microgateway
• AI-Powered Cyberattacks Detection (PingIntelligence for APIs: AI-powered Threat Protection for APIs)
– Automated Cyber Attack Blocking: Blocks stolen tokens/cookies, bad IPs & API keys
– API Deception & Decoys: Instant hacking detection and blocking
– Deep API Traffic Visibility & Reporting: Monitor & report on all API activity

MuleSoft + WAF + PingIntelligence Architecture
• Full Lifecycle API Mgmt.
– Design, Create, Publish APIs
– Content Inspection
– Content Validation
– Session Management
– Policy Based Security enforcement
– Rate Limiting
• API Visibility & Protection
– Deep Visibility & Reporting
– Unique API Behavioral models
– Automated Attack Blocking
– API Discovery
– API Deception
– Self Learning – no rules or policies
• Web Application Security
– WAF Positive Security Model
– OWASP Top 10 Protection
– DDoS Prevention
– RASP
– Content Filtering
– Rate Limiting
– Signature Based Detection

Demo: Attacking a MuleSoft Security + WAF + PingIntelligence Protected API

References and Documentation
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
– https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
– https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
– Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
  • https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html
• MuleSoft Documentation
– API Manager
  • https://docs.mulesoft.com/api-manager/2.x/
– Anypoint Security
  • https://docs.mulesoft.com/anypoint-security/

Questions?

What’s Next?
• Share:
– Tweet your pictures with the hashtag #MuleMeetup
– Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
– Contact your organizer aaron@bigcompass.com or linda.gunn@bigcompass.com to suggest topics
– Contact MuleSoft at meetup@mulesoft.com for ways to improve the program
• Our next meetup:
– Date: August 2019
– Location: TBD
– Topic: TBD

See you next time. Please send topic suggestions to the organizer.