This document discusses the need for API security as APIs increasingly expose enterprise data and processes both internally and externally. It notes that while APIs may seem invisible without a GUI, they can be easily discovered and are vulnerable to the same threats as web applications if not properly secured. The document advocates for a holistic approach to API security that considers authentication, authorization, integrity, confidentiality and other aspects. It also emphasizes that the right security measures depend on the type of API and calls for collaboration between operations, development, security and business teams to implement proper API security.

1. ARE YOU SURE YOUR APIS ARE SECURE ?
ISABELLE MAUNY - CTO
The API Security Platform for the Enterprise

2. API SECURITY NEEDS TO
2
EVOLVE

3. 3
FROM ESTABLISHED PERIMETER…

4. 4
TO BLURRY PERIMETER…

5. 5App icon made by https://www.flaticon.com/authors/pixel-buddha
Internal
Partner Public
VIRTUAL APPLICATION NETWORKS

6. FAST APP DELIVERY
6
APPLICATION
DEVELOPMENT
APPLICATION
SECURITY

7. 7
SECURITY IS NEEDED. ALWAYS.
1

8. 8
EXPOSING ENTERPRISE DATA
AND PROCESSES.
WHAT ARE APIS FOR ?

9. 9
Internal
External
80
55
57
69
Now
Expect in the next
18 months
Source: @The State of Cybersecurity and Digital Trust 2016” Accenture
and HIS Research - Sample: 208 Enterprise Security Professionals
Have you experienced the theft
or corruption of internal
corporate or user/consumer
information by Internal or
External threat actors?

10. Second Streamer
10
29%
9%
62%
Source: Gartner (May 2016)
Breakdown by type of insider.
Career Launcher
Saboteur

11. 11

12. “I think that a lot of people think that because there is no GUI on an
API that no one can find it and it is invisible. But we can find
them in about five seconds with a proxy…
…Almost every threat that applies to a web app, can
happen to an API, but a lot of people for some reason are not
protecting them as much as their web applications.”
Tanya Janca
Application Security Evangelist - AppSec Podcast
12
“

13. 13
YOU NEED A HOLISTIC APPROACH
TO API SECURITY2

14. 14
Authentication
Integrity
(transport &
message)
Audit
Confidentiality
(transport &
message)
Availability
(Rate Limiting)
Authorization
Non
Repudiation
Data Validity
(attacks
protection)

15. 15
YES. You need to
consider all of this…
… AND you need to
configure all aspects
in the right way

16. 16
EASY TO GET
THOSE
WRONG!

17. 17
NOT ALL APIS ARE EQUAL
3

18. “Security is a risk control measure…In
the security sphere, one size does not fit
all. We have to take ‘appropriate
measures’.
Nat SakimuraFixing OAuth, Nat Sakimura, July 20, 2016, https://nat.sakimura.org/2016/07/20/fixing-oauth/
18
“

19. 19
Financial APIS Security Auth Grant Types
OpenID Connect Flows
TLS Settings
Message Confidentiality
Non-Repudiation
Message Integrity
Financial APIs Working Group: http://openid.net/wg/fapi/

20. 20
DEVOPS, BUT WITH SECURITY ON
4

21. LET’S SHIFT LEFT!
21
DeploymentTestingDevelopmentDesign

22. SEC-DEV-OPS IN ACTION
22
Develop
Assess
Secure
TestDocument
Deploy
Continuous API
testing, including
security testing
Deploy to API Security
Platform
Configure and apply
security policy from
assessed risk
Assess API description
and evaluate risk level
Document and annotate
API with OpenAPI/Swagger

23. 23
COLLABORATION IS CRUCIAL
5

24. 24
RELIES ON STRONG COLLABORATION
ACROSS OPERATIONS, DEVELOPMENT,
SECURITY AND BUSINESS TEAMS
PROPER SECURITY

25. CONTACT: INFO@42CRUNCH.COM
WWW.42CRUNCH.COM
The API Security Platform for the Enterprise