Aetna's presentation on Building an API Security Strategy from our first annual user conference, SmartBear Connect.

1. 1©2017 Aetna Inc.
Building an API
Security Strategy
Mark Willis, Information Security Advisor August 2017

2. 2©2017 Aetna Inc. 2
Before we begin,
what exactly is an API?
If you want to have some fun at your next
team meeting…
• Ask everyone to sit in a circle,
• Tell them to turn to the person on their
right,
• And describe an API in 30 seconds…
• You’ll be very surprised at:
- The answers you hear or…
- More likely, the awkward pauses
The reality is that working with APIs is
actually easier than describing them!

3. 3©2017 Aetna Inc.
Software Development Life Cycle
The SDLC as taught in school:
• Requirements
• Analysis
• Design
• Implementation
• Maintenance
Rinse and Repeat
But what about security?
• Specifically, API security?
Analysis
Design
Implementation
Maintenance
Requirements
API Security
? ?
??
?

4. Building an API Security Strategy
Phase 1: Understanding the
Requirements Phase
of the SDLC

5. 5©2017 Aetna Inc.
Aetna’s Enhanced Secure SDLC
1. Set project expectations: secure from the start (per arche-type)
PREVENTATIVE
API Risk Classification
Security Requirement
Definition
Software Security Training (Role-Based Curriculum)
Requirements
Ex: All API input must be validated
Ex: External vs Internal APIs
Ex: Authentication and Authorization

6. Building an API Security Strategy
Phase 2: Understanding the
Design Phase of the SDLC

7. 7©2017 Aetna Inc.
Aetna’s Enhanced Secure SDLC
Requirements Design
1. Set project expectations: secure from the
start (per arche-type)
2. Define API security blueprints: Arche-type specific
patterns and secure-by-design components
PREVENTATIVE
Threat Modeling
Assets
Attack
Vectors
Threats
API Risk Classification
Security Requirement
Definition
Software Security Training (Role-Based Curriculum)
Secure Application
Design
Ex: All API input must be validated
Ex: External vs Internal APIs
Ex: Authentication and Authorization

8. Building an API Security Strategy
Phase 3: Understanding the
Development and Testing
Phases of the SDLC

9. 9©2017 Aetna Inc.
Aetna’s Enhanced Secure SDLC
Requirements Design Development Test Production
1. Set project
expectations:
secure from the
start (per arche-
type)
2. Define security
blueprints: Arche-
type specific
patterns and
secure-by-design
components
Identification & proactive
protection against security
vulnerabilities in
production
Conduct API security
testing on deployed
configurations
PREVENTATIVE DETECTIVEStatic Analysis
Dynamic
Assessment
Security Libraries &
Frameworks
Threat Modeling
Ex: All data input
by users must be
validated
Assets
Attack
Vectors
Threats
Threat-Based Pen
Test
Open Source Analysis
Application Risk
Classification
Security Requirement
Definition
Software Security Training (Role-Based Curriculum)
PRODUCTION
Continuous Perimeter
Assessment
Web Application
Firewalls
Secure Coding
Guidelines Automated
Attack/Bot Defense
Secure Application
Design
API Security Testing
Real time API defect identification
Dynamic Scan/
Ethical Hacking
Reports

10. 10©2017 Aetna Inc.
API Security Testing in Action
Case Study: Giving API Security Testing the Respect it Deserves!
• Providingvalue to our customers by ensuringsecuritystandards/protocols are met for the digital
products being delivered
• Collaborationbetween Global Securityand Digital Assurance Team to implementa security testing
strategy to support digital transformation program
API/Service
Performed by Digital
Assurance
Mobile
Performed by Development
Teams w/assistance from
Global Security
Web
Performed by Development
Teams w/assistance from
Global Security
➢ Criteria for securitytesting:
any API that will be
functionallytesting by QA
will be security tested
➢ Digital assurance to perform
securityvulnerabilityscans
againstAPIs
➢ All development teams to
perform static analysis scans
duringdevelopment
➢ Static analysis scans will be
performed via security
mavens
➢ Dynamic scans will be
performed via requests to
the Global Security, Software
SecurityGroup
➢ All development teams to
perform static analysis scans
duringdevelopment
➢ Static analysis scans will be
performed via security
mavens
➢ Dynamic scans will
performed via requests to
the Global Security, Software
SecurityGroup

11. API Security Testing Strategy
Externally Facing API
Security Policy

12. 12©2017 Aetna Inc.
Externally Facing API Security Policy
• As a method to allow access to common services, Aetna exposes
both REST and SOAP APIs to the Internet in order to address
business requirements such as providing services that are
consumed by mobile and web applications
• Any API, therefore, shall only be exposed to the Internet via
architecturally approved standard mechanisms and shall not be
exposed directly from web servers
12

13. Global Security &
Digital Transformation
API Security Testing Strategy and
Partnership
A Case Study of Collaboration
Across the Enterprise

14. 14©2017 Aetna Inc.
Background/History of Security Testing in Digital
Transformation Program
At an enterprise level, Global Security collaborates with business, architecture & development
teams to ensure security standards/protocols are met by the application under test
Collaboration between Global Security and Digital Assurance teams to implement a security
testing strategy to support digital transformation
• Current security testing by Global Security focuses on web and mobile applications
• Security testing of APIs by Digital Assurance provides additional value by ensuring all
vulnerabilities have been addressed
Digital Assurance approach for security testing of APIs
• Distinct PI objective for the creation of a DA security testing framework for APIs that
establishes a consistent end-to-end process for API security testing
• DA API Security Testing framework can be leveraged beyond the Digital Assurance Team
to support the enterprise-level testing
14

15. 15©2017 Aetna Inc.
Aetna Framework for API Security Testing
The following documents were created as part of the framework for API security testing by
Global Security and the Digital Assurance Team:
• Aetna End-to-End process for Security Testing – This document contains the overall list
of activities that a security tester should perform from scope identification through defect
closure
• Steps to perform API security testing using various tools – This document contains all
the steps to perform API security testing via our tools
• Activity Log – This document contains the steps to create epics, features, stories and tasks
for security testing activities
• Security Testing Overview – This document contains the need/
basics of why security testing is needed for an organization and
some sample test cases
• Web Services Overview – This document contains the basics
of web services, web services components, web services
protocols and how to perform API security testing
Process
Best
Practices
Templates

16. 16©2017 Aetna Inc.
QA Security Testing - Dependencies
30 Day (R2: S2 – 3) 60+ Day (R2: S4-6) 90+ Day (R3+)
Key Deliverables
• Define best practices,process
& implementation of tools
• Establish training
• Implement use of tools by
Digital Assurance for QA
securitytesting
• Establish defect management
process
• Establish metrics/reporting
• Establish QA SecurityMaven
Program
• Automation/DevOps POC of
QA SecurityTesting
Assistance Needed by Global Security(GS)
• Additional tools trainingfor
initial QA Security Mavens
• Two additional licenses will be
required
• GS will assist with API testing
− Execution
− Analysis of scans
• GS will help define QA
SecurityMaven Belt Levels &
Requirements and develop
requiredtraining
• Engagementwith tool vendor
for support (DevOps,
licensing, etc.)
• Procure additional licenses for
tools for long term strategy
to support the enterprise

17. API Security Testing Strategy
Identify, Capture and Track Key
Performance Indicators (KPIs)

18. 18©2017 Aetna Inc.
API Key Performance Indicators (KPIs)

19. Thank You!
Questions?