
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon Andrews, Terem


apidays Australia 2023 - Platforms, Products, and People: The Power of APIs October 11 & 12, 2023 https://www.apidays.global/australia/ The Swiss Cheese Model of Layered API Security Leon Andrews, Principal, APIs & Platform Engineering at Terem ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/


The Swiss Cheese Model of Layered API Security
apidays Australia, 11 October 2023

About me
1996 - MSc Information Systems & Technology + Perl
1997 - NetChannel UK - WebTV startup
1998 - jobnet.com.au - Australia’s first commercial web services?
2001 - RecruitASP & HRX - Disruptive SaaS recruitment and HR
2012 onwards - Consulting in digital, mobility, integration, APIs, platform engineering…
Currently heading up Terem's API and Platform Engineering business in ANZ

Terem
Terem is a product development and strategy firm that works for enterprises, tech companies and Government.
We’re most valuable when we run strategy and product development iteratively, working towards a commercial outcome.
We’re based across Australia and New Zealand.

Terem Australia & NZ API Survey 2023

The Swiss Cheese Model
The model depicts a system as a stack of slices of Swiss cheese, with each slice representing a barrier or safeguard against failure.
● Developed by James Reason, a British psychologist, in the 1990s as a metaphor for how complex systems can fail.
● Holes in the cheese represent weaknesses in the barriers.
● The holes are randomly distributed, so they don’t always align.
● When the holes in the slices align, a hazard can pass through all of the barriers and cause a failure.

The Swiss Cheese Model
Based on the idea that incidents are usually the result of a combination of factors:
● Human errors
● Bad actors
● System failures
● Environmental conditions
The model can also be used to identify the different layers of protection in a system and to assess the effectiveness of those layers.
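The slides describe the model qualitatively. The following is an added worked example (not from the talk, and not Terem's code) that puts numbers on it for a stack of API security controls: each layer's "hole probability" is the chance that the control misses a given hazard, a hazard reaches the backend only if every hole lines up, and two layers that trust the same identity provider have correlated holes rather than random ones. The layer names, probabilities and the `shared_dependency` grouping are constructed illustrative values.

```python
"""Added example (not from the slides or from Terem): quantifying the Swiss
Cheese Model for a stack of API security controls.

Each Layer is a slice. hole_probability is the chance that, for one hazard
(a hostile or malformed request), the control fails to stop it. The hazard
reaches the backend only if it passes every slice, i.e. the holes line up.
All names and probabilities below are constructed illustrative values.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from math import prod
from typing import Optional


@dataclass(frozen=True)
class Layer:
    name: str
    hole_probability: float            # P(this control misses a given hazard)
    # Controls that share a dependency fail together when it fails, so their
    # holes are correlated, not randomly distributed (hypothetical grouping).
    shared_dependency: Optional[str] = None


# Constructed stack: edge -> gateway -> service. Both auth layers trust the same
# identity provider, so an outage or misconfiguration there opens both at once.
API_LAYERS = [
    Layer("WAF / edge filtering", 0.20),
    Layer("Gateway authentication", 0.05, shared_dependency="identity-provider"),
    Layer("Gateway rate limiting", 0.30),
    Layer("Service-level authorization", 0.05, shared_dependency="identity-provider"),
    Layer("Input validation in service", 0.10),
]


def pass_through_independent(layers) -> float:
    """P(hazard passes all layers) when every hole is independent: the product."""
    return prod(layer.hole_probability for layer in layers)


def pass_through_correlated(layers, dependency_failure_probability: float) -> float:
    """P(hazard passes all layers) when layers sharing a dependency fail together.

    With probability q the shared dependency is broken and every layer in that
    group has its hole open; otherwise the group's layers fail independently.
    """
    q = dependency_failure_probability
    total = 1.0
    groups: dict[str, list[Layer]] = {}
    for layer in layers:
        if layer.shared_dependency is None:
            total *= layer.hole_probability
        else:
            groups.setdefault(layer.shared_dependency, []).append(layer)
    for members in groups.values():
        independent = prod(m.hole_probability for m in members)
        total *= q * 1.0 + (1.0 - q) * independent
    return total


def improvement_factor(layers, layer_name: str, dependency_failure_probability: float) -> float:
    """Effectiveness check: how much does halving one layer's hole shrink the total?

    Returns before/after. 2.0 means the investment halved the risk; close to
    1.0 means it barely mattered because the shared dependency dominates.
    """
    before = pass_through_correlated(layers, dependency_failure_probability)
    improved = [
        Layer(l.name, l.hole_probability / 2, l.shared_dependency) if l.name == layer_name else l
        for l in layers
    ]
    after = pass_through_correlated(improved, dependency_failure_probability)
    return before / after


def simulate(layers, dependency_failure_probability: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo check: push `trials` hazards through the stack and count the
    ones for which every slice's hole happened to line up."""
    rng = random.Random(seed)
    deps = {l.shared_dependency for l in layers if l.shared_dependency}
    passed = 0
    for _ in range(trials):
        broken = {d for d in deps if rng.random() < dependency_failure_probability}
        if all(l.shared_dependency in broken or rng.random() < l.hole_probability
               for l in layers):
            passed += 1
    return passed / trials


if __name__ == "__main__":
    q = 0.02  # constructed: the identity provider is broken for 2% of hazards
    ind = pass_through_independent(API_LAYERS)
    cor = pass_through_correlated(API_LAYERS, q)
    print(f"independent holes: {ind:.2e}")
    print(f"correlated holes : {cor:.2e}  ({cor / ind:.1f}x worse)")
    for name in ("WAF / edge filtering", "Gateway authentication"):
        print(f"halving the hole in {name!r}: {improvement_factor(API_LAYERS, name, q):.2f}x better")
    print(f"simulated        : {simulate(API_LAYERS, q, 200_000):.2e}")
```

With independent holes the stack lets roughly 1.5 hazards in 100,000 through; letting the two authentication layers share one identity provider that fails for 2% of hazards raises that about nine-fold, and halving the hole in either of those layers then buys only a few percent, while halving the WAF's hole still halves the total. That is the assessment the model invites: the slices only multiply when their holes are genuinely independent.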

 
Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023stephizcoolio
 
Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...
Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...
Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...AkbarHidayatullah11
 
data analytics and tools from in2inglobal.pdf
data analytics  and tools from in2inglobal.pdfdata analytics  and tools from in2inglobal.pdf
data analytics and tools from in2inglobal.pdfdigimartfamily
 
SABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a referenceSABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a referencepriyansabari355
 
chatgpt-prompts (1).pdf
chatgpt-prompts (1).pdfchatgpt-prompts (1).pdf
chatgpt-prompts (1).pdfMuntherMurjan1
 
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdfIIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdfAustraliaChapterIIBA
 
PredictuVu ProposalV1.pptx
PredictuVu ProposalV1.pptxPredictuVu ProposalV1.pptx
PredictuVu ProposalV1.pptxKapilSinghal47
 
[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...
[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...
[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...Daniele Malitesta
 
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...Cyber Security Experts
 

Recently uploaded (18)

Oppotus - Malaysians on Malaysia 4Q 2023.pdf
Oppotus - Malaysians on Malaysia 4Q 2023.pdfOppotus - Malaysians on Malaysia 4Q 2023.pdf
Oppotus - Malaysians on Malaysia 4Q 2023.pdf
 
Big Data - large Scale data (Amazon, FB)
Big Data - large Scale data (Amazon, FB)Big Data - large Scale data (Amazon, FB)
Big Data - large Scale data (Amazon, FB)
 
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
 
Artificial Intelligence and its Impact on Society.pptx
Artificial Intelligence and its Impact on Society.pptxArtificial Intelligence and its Impact on Society.pptx
Artificial Intelligence and its Impact on Society.pptx
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix Enigma
 
Industry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptxIndustry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptx
 
AWS Identity and access management for users
AWS Identity and access management for usersAWS Identity and access management for users
AWS Identity and access management for users
 
2.pptx
2.pptx2.pptx
2.pptx
 
SABARI PRIYAN's self introduction as reference
SABARI PRIYAN's self introduction as referenceSABARI PRIYAN's self introduction as reference
SABARI PRIYAN's self introduction as reference
 
Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023
 
Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...
Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...
Morris H. DeGroot, Mark J. Schervish - Probability and Statistics (4th Editio...
 
data analytics and tools from in2inglobal.pdf
data analytics  and tools from in2inglobal.pdfdata analytics  and tools from in2inglobal.pdf
data analytics and tools from in2inglobal.pdf
 
SABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a referenceSABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a reference
 
chatgpt-prompts (1).pdf
chatgpt-prompts (1).pdfchatgpt-prompts (1).pdf
chatgpt-prompts (1).pdf
 
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdfIIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
 
PredictuVu ProposalV1.pptx
PredictuVu ProposalV1.pptxPredictuVu ProposalV1.pptx
PredictuVu ProposalV1.pptx
 
[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...
[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...
[IRTalks@The University of Glasgow] A Topology-aware Analysis of Graph Collab...
 
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
 

apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon Andrews, Terem

1. The Swiss Cheese Model of Layered API Security
apidays Australia, 11 October 2023

2. About me
1996 - MSc Information Systems & Technology + Perl
1997 - NetChannel UK - WebTV startup
1998 - jobnet.com.au - Australia’s first commercial web services?
2001 - RecuitASP & HRX - Disruptive SaaS recruitment and HR
2012 onwards - Consulting in digital, mobility, integration, APIs, platform engineering…
Currently heading up Terem's API and Platform Engineering business in ANZ

3. Terem
Terem is a product development and strategy firm that works for enterprises, tech companies and Government. We’re most valuable when we run strategy and product development iteratively, working towards a commercial outcome. We’re based across Australia and New Zealand.

4. Terem Australia & NZ API Survey 2023

5. The Swiss Cheese Model
The model depicts a system as a stack of slices of Swiss cheese, with each slice representing a barrier or safeguard against failure.
● Developed by James Reason, a British psychologist, in the 1990s as a metaphor for how complex systems can fail.
● Holes in the cheese represent weaknesses in the barriers.
● The holes are randomly distributed, so they don’t always align.
● When the holes in the slices align, a hazard can pass through all of the barriers and cause a failure.

6. The Swiss Cheese Model
Based on the idea that incidents are usually the result of a combination of factors:
● Human errors
● Bad actors
● System failures
● Environmental conditions
Can also be used to identify the different layers of protection in a system and to assess the effectiveness of those layers.

7. Wikipedia’s example
Wikipedia has this diagram as its example. Notice there are two types of cheese, and we’ll borrow that idea. Each layer has holes, and some layers are even slightly broken. Multiple layers improve the chance of protection from the virus.
8. Applying this to API Security
Our layers of Swiss cheese have to cover a lot:
● We’re protecting against a wide range of threats:
○ Mostly from “bad actors” with specific intent
● But also dealing with:
○ Human traits such as…
■ Skill levels / intelligence
■ Motivation / energy
■ Boredom / interest / laziness
■ Appreciation / appetite for risk
○ Mistakes - poor execution
○ Time - rushed execution
○ Exploitable bugs in software platforms
○ Unknown unknowns

9. The OWASP API Security Top 10 risks…
It’s tempting to think that because these are “API security risks”, the focus needs to be on “the APIs”. The Swiss Cheese Model helps us think about this differently: many of these risks are not particularly API-specific, they apply more broadly.
10. Our two cheese types
● Technology Swiss Cheese
○ Hardware and software systems
○ Frameworks that operate on these systems
● Human Swiss Cheese
○ Business drivers
○ Mindset and motivation

11. Technology Swiss Cheese
○ Network layer

12. Network Layer
● DNS / IP configuration
● Web Application Firewall (WAF)
● Load balancing
● Cloud-specific environment configuration

13. Technology Swiss Cheese
○ Network layer
○ Auth layer
14. Auth Layer
● Authentication & authorisation at every level of the stack, from the transport (mutual TLS) up to the application (HTTP-level credentials and per-request authorisation decisions)
● How well is this baked into your API request & response flow?
● From basic HTTP authentication to mutual TLS and everything in between
● Affects access to run APIs, but also APIs calling other resources, internal and external developers accessing platforms, and admins running the platforms
15. Technology Swiss Cheese
○ Network layer
○ Auth layer
○ Protocol layer
16. Protocol Layer
● The protocols in place to determine access to APIs, and how well they are used
● API specifications and their contents
● Ensuring APIs are succinctly described and precise in their scope
● This may be where some obfuscation can be used, acting as an initial barrier to entry. The caveat: obscurity raises the cost of discovery but is not a control on its own, since an attacker holding the client app or a traffic capture recovers the routes anyway
17. Technology Swiss Cheese
○ Network layer
○ Auth layer
○ Protocol layer
○ Gateway layer
18. Gateway Layer
● The actual server that’s processing the API requests
● API proxy: appraising requests, triggering service calls, returning responses
● Following rules about how traffic can flow
● Does a lot of the heavy lifting
● Can also provide clues to an attacker: vendor headers, verbose error bodies, and responses that differ between unknown, unauthenticated and forbidden routes all fingerprint the gateway and the APIs behind it
19. Technology Swiss Cheese
○ Network layer
○ Auth layer
○ Protocol layer
○ Gateway layer
○ Monitoring layer

20. Monitoring Layer
● Monitoring and alerting when issues arise
● Needs to be well focused - may need to cover 1000s of scenarios
● Some platforms now feature AI tools to help detect issues
● API platforms typically provide analytics engines to read the data

21. Technology Swiss Cheese
○ Network layer
○ Auth layer
○ Protocol layer
○ Gateway layer
○ Monitoring layer
○ CI/CD layer

22. CI/CD Layer
● Build and test automation
● Ensuring APIs are well formed
● Critical testing layer that implements policy and ensures adherence
● Automated code generation
● Automated resource provisioning
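The CI/CD slide says this layer "implements policy and ensures adherence" without showing what such a gate looks like. The following is an added example (not code from the talk or from Terem): a small policy check over an OpenAPI document that fails the build when an operation has no effective security requirement or when a path identifier is a plain integer. The spec, the rule names and the `lint_spec` / `main` functions are all constructed for the demo; a real pipeline would load the repository's own spec file instead of `SAMPLE_SPEC`.

```python
"""CI/CD policy gate over an OpenAPI document.

Added example for this section (not the talk's code, not any Terem tooling).
The spec is constructed inline so the check runs offline; a pipeline would load
the repo's openapi.yaml instead and fail the build on any finding.
"""
import sys
from typing import Dict, List

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

# Constructed sample: one compliant operation, one that breaks both rules,
# and one that inherits the document-wide default and therefore passes.
SAMPLE_SPEC: Dict = {
    "openapi": "3.0.3",
    "security": [{"oauth2": ["orders:read"]}],      # document-wide default
    "paths": {
        "/orders/{orderId}": {
            "get": {
                "parameters": [{"name": "orderId", "in": "path", "required": True,
                                "schema": {"type": "string", "format": "uuid"}}],
                "responses": {"200": {"description": "ok"}},
            }
        },
        "/users/{id}": {
            "get": {
                "security": [],                      # explicit override: anonymous
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "integer"}}],
                "responses": {"200": {"description": "ok"}},
            }
        },
        "/admin/export": {
            "post": {                                # inherits the document default
                "responses": {"202": {"description": "accepted"}},
            }
        },
    },
}


def lint_spec(spec: Dict) -> List[str]:
    """Return one finding per policy violation; an empty list means the gate passes."""
    findings: List[str] = []
    default_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Rule 1: every operation must carry a non-empty security requirement.
            # An operation-level "security: []" switches auth off for that route,
            # and a "{}" entry makes auth optional; both count as anonymous here.
            security = op.get("security", default_security)
            if not security or any(req == {} for req in security):
                findings.append(f"{where}: no effective security requirement")
            # Rule 2: path identifiers must not be plain integers (trivially enumerable).
            for param in shared_params + op.get("parameters", []):
                schema = param.get("schema", {})
                if param.get("in") == "path" and schema.get("type") == "integer":
                    findings.append(
                        f"{where}: path parameter '{param['name']}' is an integer; "
                        "use an opaque identifier")
    return findings


def main() -> int:
    """Exit non-zero on any finding so the pipeline stage fails."""
    findings = lint_spec(SAMPLE_SPEC)
    for finding in findings:
        print("POLICY:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, a non-zero exit blocks the deploy; the two rules here map directly onto the Attack 1 and Attack 2 rows later in the deck ("prevents code without necessary auth being deployed", "prevents code with sequential IDs being deployed"). Rules of this kind are only as good as the spec's fidelity to the deployed routes, so pair the lint with a contract test against the running gateway.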
23. Technology Swiss Cheese
○ Network layer
○ Auth layer
○ Protocol layer
○ Gateway layer
○ Monitoring layer
○ CI/CD layer
○ API Platform layer

24. API Platform Layer
● Configuration tools
○ Rate limiting / quotas / throttling
○ Input parsing & transformation
○ Authorisation
○ Flows
○ Policies
○ Products
○ Payments
○ Versioning
● Developer tools / IDE
● Developer portal

25. Technology Swiss Cheese
○ Network layer
○ Auth layer
○ Protocol layer
○ Gateway layer
○ Monitoring layer
○ CI/CD layer
○ API Platform layer
○ Service layer

26. Service Layer
● Applications
● Databases
● Microservices
● Integrated SOA services
● SaaS componentry
● Third-party systems

27. Technology Swiss Cheese
○ Network layer
○ Auth layer
○ Protocol layer
○ Gateway layer
○ Monitoring layer
○ CI/CD layer
○ API Platform layer
○ Service layer

28. Human Swiss Cheese
● Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service layer
● Human Swiss Cheese
○ Developer Documentation layer

29. Developer Documentation Layer
● API development guidelines
● How-tos, FAQs and knowledge bases
● Well-written API specs

30. Human Swiss Cheese
● Human Swiss Cheese
○ Developer Documentation layer
○ Operating Model layer
● Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service layer

31. Operating Model Layer
● How the business manages its API program
● How it facilitates the API lifecycle from ideation through to implementation and operations
● APIs as products
● How the business empowers and manages its engineers
● How the business uses API analytics to inform its decision-making

32. Human Swiss Cheese
● Human Swiss Cheese
○ Developer Documentation layer
○ Operating Model layer
○ Business Mindset layer
● Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service layer

33. Business Mindset Layer
● How the business promotes API security internally
● How it demonstrates its understanding of security
● How the culture of IT security is embedded from the top down

34. Human Swiss Cheese
● Human Swiss Cheese
○ Developer Documentation layer
○ Operating Model layer
○ Business Mindset layer
○ Bonus layer - Community
● Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service layer

35. Bonus Layer - Community
● The API community!
● White hats
● Bug bounties
● Bloggers
● Researchers
● Evangelists

36. Building up the layers
● Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service layer
● Human Swiss Cheese: Developer Documentation layer, Operating Model layer, Business Mindset layer, Bonus layer - Community

37. Just another API-based system
Assumptions:
1. The APIs are meant to be called by an app that’s running on a device, but are easy enough to discover
2. Traffic is load balanced and passes a firewall
3. Requests are authenticated and authorisation is sought for data access
4. There may be a few versions of the API in production, to support legacy apps
5. The API endpoint is hosted in the public cloud
6. Its proxy has been deployed using a SaaS API gateway that resides inside any number of virtualised groups

38. Swiss Cheese In Action
Let’s focus on three examples that are covered in the OWASP Top 10, and how the Swiss Cheese Model gives us a different way to think about them…
1. An attacker trying to gain unauthorised access to run APIs
2. An attacker trying to exploit obvious patterns in IDs and codes through an enumeration attack
3. An attacker trying to insert SQL into your API to trick a database into performing an action: a SQL injection attack

39. Attack 1: Gaining unauthorized access
● An attacker is attempting to gain access to information that their identity should not allow them to see
● The request might look legitimate enough; they may already have an account
● Or the attacker may be trying to brute-force IDs or passwords to log in to different accounts
40. Attack 1: Gaining unauthorized access
● Technology Swiss Cheese
○ Network layer - WAF does nothing on a single request that looks normal (rate limiting at this layer still slows a brute-force run)
○ Auth layer - Detects the unauthorized access attempt
○ Protocol layer - Defines the tightness of the auth requirements
○ Gateway layer - Blocks the unauthorized access attempt
○ Monitoring layer - Detects unusual params, traffic patterns, auth attempts
○ CI/CD layer - Prevents code without the necessary auth being deployed
○ API Platform layer - Provides tools to implement the auth model
○ Service layer - Provides deeper auth checks on apps and services
● Human Swiss Cheese
○ Developer Documentation layer - Educates developers on auth policy
○ Operating Model layer - Ensures auth best practices are in place
○ Business Mindset layer - Inspires adoption of auth best practices
○ Community layer - Educates and innovates on API auth
41. Attack 2: Enumeration
● An attacker already has access to the system
● They’re trying to manipulate API calls by guessing identifiers in the request
● Or they may be trying to harvest data to look for patterns in identifiers
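The enumeration slide describes the hole but not the service-layer code that has it, nor the two fixes the later rows hint at (ownership checks, alternative ID schemes). Below is an added example, not the talk's code: an in-memory order store with sequential IDs, a handler that authenticates but never checks ownership, and a hardened handler that resolves an opaque HMAC-derived ID and refuses anything the caller does not own. `ORDERS`, the callers, the `NotFound` exception and the per-process `_ID_KEY` are all constructed for the demo.

```python
"""Object-level authorisation plus opaque identifiers, service-layer view.

Added example for this section; not the talk's code. The order table, the
callers and the per-process key are constructed for the demo. The vulnerable
handler authenticates but never asks whether the caller owns the object, which
is exactly the hole enumeration walks through.
"""
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample data: sequential primary keys straight from a legacy RDBMS.
ORDERS: Dict[int, dict] = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.50},
    1003: {"owner": "alice", "total": 7.25},
}


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours': one status, no existence oracle."""


def get_order_vulnerable(caller: str, order_id: int) -> dict:
    """Authenticated (caller is known) but no ownership check: broken object-level auth."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


# Opaque ids: HMAC-SHA256 of the internal id under a server-side key. Without the
# key an attacker cannot step from one id to the next. The key is generated per
# process here (an assumption for the demo); in production it comes from a
# secret store and must be identical on every node, or ids will not resolve.
_ID_KEY = secrets.token_bytes(32)


def to_public_id(internal_id: int) -> str:
    mac = hmac.new(_ID_KEY, str(internal_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


# A real service stores the public id in a column with a unique index; this
# reverse map stands in for that lookup.
_PUBLIC_TO_INTERNAL = {to_public_id(i): i for i in ORDERS}


def get_order_hardened(caller: str, public_id: str) -> dict:
    """Resolve the opaque id, then enforce ownership before returning anything."""
    internal = _PUBLIC_TO_INTERNAL.get(public_id)
    if internal is None or ORDERS[internal]["owner"] != caller:
        raise NotFound(public_id)
    return ORDERS[internal]


def can_read(caller: str, public_id: str) -> bool:
    """True if the hardened handler would return the object to this caller."""
    try:
        get_order_hardened(caller, public_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("bob reading alice's order via sequential id:", get_order_vulnerable("bob", 1001))
    print("bob reading alice's order via opaque id:", can_read("bob", to_public_id(1001)))
```

Two things the example is careful about: the hardened path returns the same "not found" for a missing object and for someone else's object, so a guessed ID leaks no existence information; and the opaque ID is a second slice of cheese, not a substitute for the ownership check, because a leaked ID (logs, referrers, screenshots) is still a valid one.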
42. Attack 2: Enumeration
● Technology Swiss Cheese
○ Network layer - Does nothing - request looks normal
○ Auth layer - Does nothing - request looks normal (the caller is authenticated; the missing check is authorisation on the object itself)
○ Protocol layer - Helps define a sensible API taxonomy
○ Gateway layer - Does nothing - request looks normal
○ Monitoring layer - Detects unusual request parameters or traffic patterns (one token walking many IDs with a high 403/404 rate)
○ CI/CD layer - Prevents code with sequential IDs being deployed (e.g. a spec lint that rejects integer path identifiers)
○ API Platform layer - Provides tools to translate vulnerable IDs
○ Service layer - Provides tools to translate or use alternative ID schemes, and enforces that the caller owns the object it names
● Human Swiss Cheese
○ Developer Documentation layer - Educates developers on ID policy
○ Operating Model layer - Ensures ID best practices are in place
○ Business Mindset layer - Inspires adoption of ID best practices
○ Community layer - Educates and innovates API security
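In both Attack 1 and Attack 2 the monitoring layer is the slice that catches what the WAF and gateway wave through, but the Monitoring Layer slide stops at "detects unusual params, traffic patterns, auth attempts". Here is an added example of that detection logic (not the talk's code, not a product feature): two detectors run over gateway access logs, one for repeated login failures from a client (Attack 1) and one for a single token walking many distinct object IDs with mostly 403/404 outcomes (Attack 2). The log format, the sample lines, the `/v1/login` and `/v1/orders/{id}` routes and the thresholds are all constructed for the demo.

```python
"""Monitoring-layer detectors over API gateway access logs.

Added example for Attack 1 and Attack 2; not the talk's code. The log format
and every line below are constructed for the demo: timestamp, client ip,
token id, method, path, status. Two detectors: repeated login failures from one
client, and one token touching many distinct object ids with mostly 403/404.
"""
import re
from collections import defaultdict
from typing import Dict, List

LOG_LINES = """
2023-10-11T09:00:01Z 203.0.113.5   tok-a1 POST /v1/login 401
2023-10-11T09:00:02Z 203.0.113.5   tok-a1 POST /v1/login 401
2023-10-11T09:00:03Z 203.0.113.5   tok-a1 POST /v1/login 401
2023-10-11T09:00:04Z 203.0.113.5   tok-a1 POST /v1/login 401
2023-10-11T09:00:05Z 203.0.113.5   tok-a1 POST /v1/login 401
2023-10-11T09:00:06Z 203.0.113.5   tok-a1 POST /v1/login 401
2023-10-11T09:01:00Z 198.51.100.7  tok-c3 POST /v1/login 401
2023-10-11T09:01:05Z 198.51.100.7  tok-c3 POST /v1/login 200
2023-10-11T09:01:10Z 198.51.100.7  tok-c3 GET  /v1/orders/7f3ac1 200
2023-10-11T09:01:12Z 198.51.100.7  tok-c3 GET  /v1/orders/7f3ac1 200
2023-10-11T09:02:00Z 192.0.2.44    tok-b2 GET  /v1/orders/1001 200
2023-10-11T09:02:01Z 192.0.2.44    tok-b2 GET  /v1/orders/1002 404
2023-10-11T09:02:02Z 192.0.2.44    tok-b2 GET  /v1/orders/1003 404
2023-10-11T09:02:03Z 192.0.2.44    tok-b2 GET  /v1/orders/1004 403
2023-10-11T09:02:04Z 192.0.2.44    tok-b2 GET  /v1/orders/1005 404
2023-10-11T09:02:05Z 192.0.2.44    tok-b2 GET  /v1/orders/1006 404
2023-10-11T09:02:06Z 192.0.2.44    tok-b2 GET  /v1/orders/1007 200
2023-10-11T09:02:07Z 192.0.2.44    tok-b2 GET  /v1/orders/1008 404
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<tok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})$"
)
# Object routes whose trailing segment is the identifier being requested.
ORDER_RE = re.compile(r"^/v1/orders/(?P<id>[^/]+)$")


def parse_log(lines: List[str]) -> List[Dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:                                  # skip anything not in the format
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def detect_bruteforce(events: List[Dict], threshold: int = 5) -> List[str]:
    """Client ips with at least `threshold` failed logins (Attack 1).

    A production detector also keys on the target account, because a credential
    stuffing run rotates source addresses and would stay under a per-ip threshold.
    """
    failures = defaultdict(int)
    for ev in events:
        if ev["path"] == "/v1/login" and ev["status"] == 401:
            failures[ev["ip"]] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def detect_enumeration(events: List[Dict], min_ids: int = 5,
                       min_miss_ratio: float = 0.5) -> List[str]:
    """Tokens that touched many distinct object ids and mostly got 403/404 (Attack 2)."""
    ids = defaultdict(set)
    requests = defaultdict(int)
    misses = defaultdict(int)
    for ev in events:
        m = ORDER_RE.match(ev["path"])
        if not m:
            continue
        tok = ev["tok"]
        ids[tok].add(m["id"])
        requests[tok] += 1
        if ev["status"] in (403, 404):
            misses[tok] += 1
    return sorted(
        tok for tok in ids
        if len(ids[tok]) >= min_ids and misses[tok] / requests[tok] >= min_miss_ratio
    )


EVENTS = parse_log(LOG_LINES)

if __name__ == "__main__":
    print("brute force from:", detect_bruteforce(EVENTS))
    print("enumeration by:", detect_enumeration(EVENTS))
```

Note what each detector needs from the layers below it: the enumeration rule only works because the auth layer rejects other people's objects (producing the 403/404s) and the gateway logs the token identity alongside the path, which is why the deck insists the layers have to line up.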
43. Attack 3: SQL Injection
● An attacker already has access to the system
● They know that down the line, services are interacting with a legacy RDBMS
● They know of 100s of ways to try and exploit vulnerabilities
44. Attack 3: SQL Injection
● Technology Swiss Cheese
○ Network layer - Does nothing - request looks normal
○ Auth layer - Does nothing - request looks normal
○ Protocol layer - Helps define a sensible API taxonomy
○ Gateway layer - Filters out SQL in request parameters (signature matching catches the obvious payloads and is bypassable, so it buys detection, not immunity)
○ Monitoring layer - Alerted to the SQL injection attempt
○ CI/CD layer - Prevents code with a SQL vulnerability being deployed
○ API Platform layer - Provides tools to parse for SQL injection
○ Service layer - Provides tools to prevent execution of dynamic SQL: parameterised queries or prepared statements, which are the control that actually closes the hole
● Human Swiss Cheese
○ Developer Documentation layer - Educates devs on use of dynamic SQL
○ Operating Model layer - Ensures dynamic SQL best practices are in place
○ Business Mindset layer - Inspires adoption of SQL best practices
○ Community layer - Educates and innovates API security
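The SQL injection rows name two slices, a gateway filter and a service layer that avoids dynamic SQL, without showing why the second is the one that matters. The following added example (not the talk's code) puts a string-built query next to its parameterised form on an in-memory SQLite table, and adds a naive gateway-style signature filter so the bypass is visible. The table rows, the three payloads and the `naive_gateway_filter` rule are constructed for the demo; the vulnerable handler is deliberately left vulnerable.

```python
"""Dynamic SQL versus bound parameters, with a gateway-style filter for contrast.

Added example for Attack 3; not the talk's code. Uses an in-memory SQLite
database with constructed rows; the payloads are constructed as well.
"""
import re
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 0), ("bob", "bob@example.com", 0), ("root", "root@example.com", 1)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # The caller-supplied value is spliced into the SQL text, so it can close the
    # string literal and continue the statement. Kept deliberately vulnerable.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # The value travels as a bound parameter: the engine never parses it as SQL,
    # so a quote or a keyword inside it is just data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def naive_gateway_filter(value: str) -> bool:
    """True if the gateway would reject the value: a quote, OR, and whitespace.

    Mimics a signature rule; its blind spot is any token separator other than
    whitespace, which is what the comment-bypass payload below uses.
    """
    return re.search(r"'\s*or\s", value, re.IGNORECASE) is not None


# Constructed payloads.
TAUTOLOGY = "' OR '1'='1"                                       # returns every row
COMMENT_BYPASS = "'/**/OR/**/'1'='1"                            # same effect, slips past the filter
UNION_DUMP = "' UNION SELECT username, is_admin FROM users --"  # reads a column the API never exposes


def run_demo() -> Dict[str, Dict]:
    """Send each payload through the filter and both handlers; return what each saw."""
    conn = make_db()
    results = {}
    for name, payload in (("TAUTOLOGY", TAUTOLOGY),
                          ("COMMENT_BYPASS", COMMENT_BYPASS),
                          ("UNION_DUMP", UNION_DUMP)):
        results[name] = {
            "filtered": naive_gateway_filter(payload),
            "vulnerable_rows": len(find_user_vulnerable(conn, payload)),
            "parameterized_rows": len(find_user_parameterized(conn, payload)),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The comment-bypass case is the whole argument for layering: the gateway filter catches the textbook payload and misses a one-character variation, while the parameterised handler returns nothing for all three because the value never reaches the SQL parser as code.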
45. What we see happening…
Without thinking about layers:
● Security is often done at the wrong point
● Assumptions are made about whose job this is
● The technical and human pieces don’t line up
● There’s no holistic API operating model
● Human behaviour is vastly under-considered
“Block everything with the WAF!”
CEO has taken the finest security course available
“Another team owns these legacy services”
“People and Culture have provided you with a training budget”
“Just get it done quickly on this under-configured API gateway”
“The docs are in Confluence!”

46. What we see happening…
● Technology Swiss Cheese
○ Network layer - Trying to detect everything at the WAF
○ Auth layer - Basic auth, shared accounts, broad permissions
○ Protocol layer - API taxonomy not tightly defined
○ Gateway layer - Configured for throughput, not security
○ Monitoring layer - Focused on system warnings, not security events
○ CI/CD layer - Basic linting / warnings but nothing enforced
○ API Platform layer - Capabilities applied sparsely and inconsistently
○ Service layer - Legacy / third-party services executed without question
● Human Swiss Cheese
○ Developer Documentation layer - Scant guidelines, inconsistent style
○ Operating Model layer - No genuine end-to-end view of the API program
○ Business Mindset layer - Security is a technical IT problem
○ Community layer - Reactive search over active participation

47. What should be happening…
Thinking about layers:
● Accepting you can’t detect every attack with one tool
● Allowing each layer to do its job
● Spending the time to unite your teams to instil security at every layer
● Making use of everything that your API platform and other tools provide
● Making sure engineers and the business have the time to focus on each layer

48. What a good stack of cheese looks like
● Technology Swiss Cheese - constantly iterating and evolving
○ Network layer - WAF detecting unusual traffic patterns and alerting you
○ Auth layer - A modern framework with real-time control
○ Protocol layer - Taxonomy specifying APIs succinctly and giving nothing away
○ Gateway layer - Configured to use every provided security tool
○ Monitoring layer - Extensive coverage across every layer, proactive alerting
○ CI/CD layer - Rigid, extensive test automation against mandatory criteria
○ API Platform layer - Security framework applied universally from the top down
○ Service layer - Services executed with extreme caution
● Human Swiss Cheese - staying in front of the curve
○ Developer Documentation layer - Full API dev guidelines, made easy to follow
○ Operating Model layer - Governance across the whole API lifecycle
○ Business Mindset layer - Instilling a security-first mindset
○ Community layer - Active participation in the community!

49. Terem Australia & NZ API Survey 2023