SlideShare une entreprise Scribd logo

Building Secure and Resilient APIs

M
Manah Khalil

Building usable API layer requires balancing between security and usability. Operating API endpoints includes addressing fraud and delivering privacy-by-design. Modern management frameworks and gateways guarantee stateful operations whether the APIs themselves are stateful or not.

Technologie
1  sur  9
Télécharger pour lire hors ligne
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 1 Building Secure and Resilient APIs Manah Khalil ExecutiveDirector Identity,Fraud& EmergingTechnologies
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 2 Security Identity of Caller Fraud Privacy Defining API Security
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 3 ● New OWASP Top 10 (A10) highlights importance of API security ● Bot attacks and relay attacks (through trusted parties) ● CAPTCHA mainly designed for UI, not suitablefor API ● IP blacklisting, velocity attacks ● Certificate pinning is costly and not scalable ● TOR network and other anonymizers weaken traditional controls ● 4th generation 1 bots becoming smarter, emulating humans ● Trusted parties expose bigger risk when channeling attacks (e.g. retailers) 1 https://blog.radware.com/security/2019/09/meet-the-four-generations-of-bots/ Fraudsters and hackers focus on openAPIs
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 4 ● Code vulnerabilities ● OSS vulnerabilities ● Input validation ● Session hijacking ● Data leak(unintendedexposure of data) ● Data handling (masking,redaction,tokenization,encryption...) ● Unauthorized callers, misconfigured access control ● Data consistency (cache-poisoning,latent/lazypersistence) ● Thread management and parallel execution ● Denial of service, throttling,resource pooling API inherits and extends the app surface of attack
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 5 ● Business logic ● Insiders attack ● Attack from within the network Emerging types of attack
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 6 Complexity for securing APIs ● Limited device fingerprinting ● IP-based metadata ● Custom data submitted by caller and not device ● Certificate management ● Authentication and authorization ● Session management (state, caching, synchronization) ● Chaining/relaying through trusted 3rd parties
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 7 Designing for security and privacy by design ● Layering and defense-in-depth ● Centralized choking point, but also more control ● WAF ● Identity gateway for AuthN/AuthZ ● API gateway ● Centralized risk scoring and policy ● API inventory (allow <api>, deny *) ● Assume everything WILL fail ● Focus on the asset not the caller (external or internal users) ● Privacy-by-design ● Authentication AND Authorization ● Session Management ● Multi-factor Authentication (MFA) at API level CHOKE POINT LAYERED DEFENSE
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 8 Audit and Traceability Usable Logging Actionable Monitoring Other related capabilities
Verizon confidentialand proprietary. Unauthorizeddisclosure, reproduction or otheruse prohibited. 9

Recommandé

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesFIDO Alliance
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
FIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO Alliance
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 

Recommandé

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesFIDO Alliance
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
FIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO Alliance
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 
NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAllianceSanjeev Verma, PhD
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBMFIDO Alliance
 
Tatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana Arnaudova
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications OverviewFIDO Alliance
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO Alliance
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsMichelle Morgan-Nelsen
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorPing Identity
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationFIDO Alliance
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2
 

Contenu connexe

Tendances

NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBMFIDO Alliance
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications OverviewFIDO Alliance
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO Alliance
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsMichelle Morgan-Nelsen
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorPing Identity
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationFIDO Alliance
 

Tendances (20)

NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern World
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAlliance
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBM
 
Tatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana-Arnaudova - English
Tatyana-Arnaudova - English
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mails
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without Boundaries
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - Presentation
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric Authentication
 

Similaire à Building Secure and Resilient APIs

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...apidays
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityCA Technologies
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...AirTight Networks
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...WSO2
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTForgeRock
 
Firewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesFirewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesCYLK IT Solutions
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
Vijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachVijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachDevOpsDays DFW
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...AirTight Networks
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016Verimatrix
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilForgeRock
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application EconomyCA Technologies
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 
2011 Sales Presentation V6
2011 Sales Presentation V62011 Sales Presentation V6
2011 Sales Presentation V6tina_williams
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 

Similaire à Building Secure and Resilient APIs (20)

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing Blueprint
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOT
 
Firewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesFirewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicações
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
Vijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachVijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway Approach
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
 
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah Khalil
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 
2011 Sales Presentation V6
2011 Sales Presentation V62011 Sales Presentation V6
2011 Sales Presentation V6
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 

Dernier

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaWSO2
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 

Dernier (20)

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Building Secure and Resilient APIs

  • 1. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 1 Building Secure and Resilient APIs Manah Khalil ExecutiveDirector Identity,Fraud& EmergingTechnologies
  • 2. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 2 Security Identity of Caller Fraud Privacy Defining API Security
  • 3. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 3 ● New OWASP Top 10 (A10) highlights importance of API security ● Bot attacks and relay attacks (through trusted parties) ● CAPTCHA mainly designed for UI, not suitablefor API ● IP blacklisting, velocity attacks ● Certificate pinning is costly and not scalable ● TOR network and other anonymizers weaken traditional controls ● 4th generation 1 bots becoming smarter, emulating humans ● Trusted parties expose bigger risk when channeling attacks (e.g. retailers) 1 https://blog.radware.com/security/2019/09/meet-the-four-generations-of-bots/ Fraudsters and hackers focus on openAPIs
  • 4. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 4 ● Code vulnerabilities ● OSS vulnerabilities ● Input validation ● Session hijacking ● Data leak(unintendedexposure of data) ● Data handling (masking,redaction,tokenization,encryption...) ● Unauthorized callers, misconfigured access control ● Data consistency (cache-poisoning,latent/lazypersistence) ● Thread management and parallel execution ● Denial of service, throttling,resource pooling API inherits and extends the app surface of attack
  • 5. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 5 ● Business logic ● Insiders attack ● Attack from within the network Emerging types of attack
  • 6. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 6 Complexity for securing APIs ● Limited device fingerprinting ● IP-based metadata ● Custom data submitted by caller and not device ● Certificate management ● Authentication and authorization ● Session management (state, caching, synchronization) ● Chaining/relaying through trusted 3rd parties
  • 7. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 7 Designing for security and privacy by design ● Layering and defense-in-depth ● Centralized choking point, but also more control ● WAF ● Identity gateway for AuthN/AuthZ ● API gateway ● Centralized risk scoring and policy ● API inventory (allow <api>, deny *) ● Assume everything WILL fail ● Focus on the asset not the caller (external or internal users) ● Privacy-by-design ● Authentication AND Authorization ● Session Management ● Multi-factor Authentication (MFA) at API level CHOKE POINT LAYERED DEFENSE
  • 8. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 8 Audit and Traceability Usable Logging Actionable Monitoring Other related capabilities
  • 9. Verizon confidentialand proprietary. Unauthorizeddisclosure, reproduction or otheruse prohibited. 9