As presented at https://www.prnewswire.com/news-releases/forum-systems-and-infosecurity-magazine-to-host-api-security-best-practices-briefing-and-ai-workshop-300709787.html on 20 Sep 2018

1. Evolving challenges for modern
enterprise architectures
in the age of APIs
Dinis Cruz, CISO, Photobox
April 2018

2. I’m a CISO focused on
securing our client’s Magic moments
by creating secure environments
that enable and accelerate the business
and contribute to the
top and bottom line

3. Here are my challenges
1.How to make rational risk based decisions
2.How to create high performance teams
3.How to scale Security knowledge
4.How to drive and enable change
5.How to map data as graphs

4. Everything is a API

6. You might
think your API
landscape
looks like this

7. Or like this

8. But in reality it
looks like this
Dependencies between APIs

9. and like this
Traffic patterns (who talks to to who)

10. How do you understand
API dependencies?

11. One way to do it is to break
stuff and see what happens

12. Netflix Chaos Monkey

13. Chaos Engineering is
carefully injecting harm into
our systems
to test the system’s ability to
respond to it.

14. Success story
Netflix recommendations

15. The best model is to use Security to
improve:
visibility , availability, data validation,
authentication, authorisation, etc…

16. Every API needs to
be protected

17. You need to think about API
Security at the Gate
Central API filtering
Outside world

18. But also at API level

19. Every API
needs to
protect
herself

20. Apis should trust no-one
that connects to them
that gives them data
that they depend on

21. We want zero-trust networks
(and zero-trust APIs)

22. See Google’s Beyondcorp
for a great framework

23. Change the defend
paradigm

24. The myth of the
singe point of failure
(i.e. attackers only need to run
code and find a weak spot)

25. Do you understand what is
going on in your APIs?

26. Biggest threat is not the issue,
but is not having visibility

27. When do you know about
security incidents?
(or changes)

28. You need to know what the
attackers are
doing on your APIs

29. If you don’t know what is on
the pentest report …
you have a bigger problem
(i.e. your SOC should be able to tell you)

30. Best Security model is one
based on
the attacker making a mistake
(i.e. a change)

31. Use risks to understand reality
and to make the business
owners responsible for their
decisions

32. Use Threat Models to
understand how your system
works and to document it

33. Use tests to replicate
known behaviours, attacks
and simulate changes
(with and without random events)

34. Which can also called
Security tests
(which pass on vulnerable
state and on regression test)

35. Properties of secure
APIs

36. Availability

37. Plan for Failure
Ability to sustain failures

38. Validate and Sanitise
all requests

39. Authenticate and Authorise
all requests

40. Reduce capabilities and
features gracefully

41. Hostile to
insecure traffic
and
insecure code

42. Have error budgets
(from Google SRE)

43. Are easy to change

44. Are easy to refactor
(make changes with confidence)

45. Pushes to production
happen minutes
(fully tested and 100x a day (if needed))

46. The bigger they
get the faster they go
(it is smooth and safe to make changes)

47. Have 99% change coverage

48. Change coverage

49. What matters is
change coverage

50. If you make changes
and they are not detected

51. you are just making
random changes

52. Every change you make
has to have a respective
test change
(much better pair programming model)

53. Two more little
things

54. See Photobox
Group Security
blog for real-
world examples
of how we think
and operate
https://pbx-group-security.com

55. We are hiring :)
Head of InfoSec
Senior AWS Security
Engineer
https://pbx-group-security.com/roles/

56. I’m writing a book and would
really appreciate your feedback
https://leanpub.com/generation-z

57. Thanks

58. Any questions
@DinisCruz