
Applying API Security at Scale


Discover cutting-edge techniques deployed by modern organizations to both secure and scale their APIs. By automating the bug discovery process and standardizing identity control, API developers are now prepared to better secure everything from microservices to Kubernetes clusters.

For this LiveCast, we’re devoting an hour to API security! It features community experts sharing new, advanced best practices for scaling API security.

Published in: Software


  1. APPLYING API SECURITY AT SCALE. Isabelle Mauny, Chief Product Officer & Co-Founder, isabelle@42crunch.com
  2. API BREACHES REPORTED THIS JUNE ON APISECURITY.IO
  3. WHY IS THIS HAPPENING?
  4. WE ARE HUMANS!
  5. DIGITAL TRANSFORMATION MADNESS…. Application development vs. application security
  6. HOW DO WE ADDRESS THE ISSUE?
  7. CONSIDER SECURITY EARLY: SHIFT LEFT! Chart of vulnerability fixing cost across the Requirements, Design, Development, Testing and Deployment phases, rising 1, 10, 100, 1000 the later a vulnerability is found
  8. SHIFT LEFT GUIDELINES
  9. Diagram: Development, Security, Operations, Business
  10. ONE SIZE DOES NOT FIT ALL: KNOW YOUR APIS AND THE RISKS THEY BRING. See: https://www.owasp.org/index.php/Application_Threat_Modeling
  11. IMPLEMENTATION PRINCIPLES (guideline 2): Zero trust; Don’t re-invent the wheel; Protect sensitive data; Secure error handling; Secure logging
  12. The one thing that you should always remember when coding defensively is that you need to assume that users will do something that you did not plan on.
  13. IMPLEMENT SELF-HACKING (guideline 3): Automatic analysis first! Code / libraries / Docker images / transport settings. Test the hacky path! Then manual: bug bounty, pen testing
  14. DEPLOYMENT PRINCIPLES (guideline 4): Front / Process / Data. Defense in depth, security zones, least privilege principles
  15. YOU CAN’T FIX WHAT YOU DON’T KNOW (guideline 5): Vulnerabilities are bugs: use the development ticketing system to track issues. Analyse runtime behaviour and raise alerts automatically
  16. CALL TO ACTION: Introduce API security early on; Teach API security across Dev/Sec/Ops teams; Automate API security; Monitor and learn
  17. NEWS AND TOOLS FOR BETTER API SECURITY
  18. RESOURCES
     ✓ OWASP Top 10 for applications: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
     ✓ OWASP DevSlop Project: https://www.owasp.org/index.php/OWASP_DevSlop_Project
     ✓ Chaos Engineering: http://principlesofchaos.org and https://github.com/dastergon/awesome-chaos-engineering
     ✓ OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
     ✓ Source Code Analysis: https://www.owasp.org/index.php/Source_Code_Analysis_Tools
     ✓ Code Security reviews: https://www.owasp.org/index.php/Code_Review_Introduction
     ✓ Systems Scans: https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
     ✓ Security Methodology: https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/
  19. RESOURCES
     ✓ SSL Setup Scan: https://hardenize.com, https://securityheaders.io, https://www.ssllabs.com/ssltest/
     ✓ Threat Modelling: https://www.owasp.org/index.php/Application_Threat_Modeling
     ✓ Attack Type Information: XSS: https://excess-xss.com; Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo; SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc; Cookie stealing / XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc
     ✓ Pixi / DevSlop: https://github.com/DevSlop/Pixi, https://devslop.co
     ✓ JWT as session data: https://dzone.com/articles/stop-using-jwts-as-session-tokens
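Slides 11 to 13 name the implementation principles (protect sensitive data, secure error handling, secure logging), the defensive-coding rule of assuming users will send something unplanned, and self-hacking by testing the hacky path. The following Python handler is an added example, not code from the deck or from 42Crunch's tooling: it validates a JSON body against an explicit allow-list, returns a generic message with a correlation id on unexpected failures instead of a stack trace, redacts sensitive keys before logging, and ships a small set of constructed hacky-path inputs to check that none of them produces a 5xx or leaks internals. The endpoint, field names, allow-lists and sample requests are assumptions chosen for the illustration.

```python
"""Defensive request handling for a small JSON API endpoint (added illustration).

Assumptions: a POST /users endpoint with the fields below; the store is any
dict-like object. None of this is code from the 42Crunch deck.
"""
import json
import logging
import re
import uuid

log = logging.getLogger("api")
logging.basicConfig(level=logging.INFO, format="%(message)s")

# Keys whose values must never reach a log line (principle: protect sensitive data).
SENSITIVE_KEYS = {"password", "token", "authorization", "card_number"}
# Allow-list of fields the endpoint plans for; everything else is rejected.
ALLOWED_FIELDS = {"username", "email", "age", "password"}
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")


class ValidationError(Exception):
    """Raised for client mistakes; the message is safe to echo back to the caller."""


def redact(payload):
    """Return a copy of the payload with sensitive values masked, recursively."""
    if isinstance(payload, dict):
        return {k: ("***" if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in payload.items()}
    if isinstance(payload, list):
        return [redact(v) for v in payload]
    return payload


def validate_user(data):
    """Allow-list validation: reject anything not explicitly planned for."""
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError("unexpected fields: " + ", ".join(sorted(unknown)))
    username = data.get("username")
    if not isinstance(username, str) or not re.fullmatch(r"[A-Za-z0-9_]{3,32}", username):
        raise ValidationError("username must be 3-32 characters of [A-Za-z0-9_]")
    email = data.get("email")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        raise ValidationError("email is malformed")
    age = data.get("age", 0)
    # bool is a subclass of int in Python, so it must be excluded explicitly.
    if not isinstance(age, int) or isinstance(age, bool) or not 0 <= age <= 150:
        raise ValidationError("age must be an integer between 0 and 150")
    return {"username": username, "email": email, "age": age}


def create_user(raw_body, store):
    """Handle POST /users. Returns (status, response_dict) and never leaks internals."""
    request_id = str(uuid.uuid4())  # correlation id for support, instead of a stack trace
    try:
        data = json.loads(raw_body)
        user = validate_user(data)
        # Secure logging: the request is logged only after sensitive keys are masked.
        log.info("request %s create_user %s", request_id, json.dumps(redact(data)))
        store[user["username"]] = user
        return 201, {"id": user["username"], "request_id": request_id}
    except (json.JSONDecodeError, UnicodeDecodeError):
        return 400, {"error": "invalid JSON", "request_id": request_id}
    except ValidationError as exc:
        return 400, {"error": str(exc), "request_id": request_id}
    except Exception:  # unplanned failure: details stay server-side, client gets a generic message
        log.exception("request %s unhandled error", request_id)
        return 500, {"error": "internal error", "request_id": request_id}


# Constructed "hacky path" inputs: malformed, wrong-typed, oversized and unexpected bodies.
HACKY_INPUTS = [
    b"not json at all",
    b'"just a string"',
    b"[1,2,3]",
    b'{"username": "alice", "email": "a@b.c", "age": 30, "is_admin": true}',
    b'{"username": "alice\'; DROP TABLE users;--", "email": "a@b.c"}',
    b'{"username": "bob", "email": "bob@example.com", "age": "30"}',
    b'{"username": "bob", "email": "bob@example.com", "age": true}',
    b'{"username": "' + b"A" * 10000 + b'", "email": "a@b.c"}',
    b'{"username": "bob", "email": "bob@example.com", "password": "hunter2"}',
]


def hacky_path_report(inputs=HACKY_INPUTS):
    """Run unexpected inputs through the handler; return (statuses, leaking_inputs)."""
    statuses, leaks = [], []
    for body in inputs:
        status, resp = create_user(body, store={})
        statuses.append(status)
        # A 5xx, or any response text that exposes runtime internals, counts as a finding.
        rendered = json.dumps(resp)
        if status >= 500 or "Traceback" in rendered or "Exception" in rendered:
            leaks.append(body)
    return statuses, leaks


if __name__ == "__main__":
    print(hacky_path_report())
```

The last constructed input is accepted (it only carries a planned field), which is the point: the log line written for it shows `"password": "***"` rather than the secret. Running `hacky_path_report()` as part of the build is the automated half of slide 13; manual bug bounty and pen testing come after it.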
