apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden

API Security in the era of
Generative AI
Matt Feigal
June 6, 2023
feigal@google.com; mattfgl@; mattfeigal@hachyderm.io

Apigee Partner Engineer
10 yrs @ enterprise developer / architect
10 yrs @ Google

Generative AI’s Impact to API
Ecosystem
New and Exacerbated
Risks
Patterns for Success
01
02
03
Agenda
00 Hi! (It’s Me)

Place Image Here
Generative AI - Empowering Everyone
Generative AI is a powerful tool which will be used by all
personas in the API ecosystem. Service developers, API
Owners, Network Administrators, Product Owners, Data
Analysts, Security Analysts...
Everyone moves ‘up’ the mountain
****EXAMPLES*****
ChatGPT, Google’s Bard, PaLM, LLMs,
Imagen, Midjourney, DALLE-2…
Codey, Copilot, AutoGPT, LangChain
Novice
Guru
01

Gen AI Use Cases in the API Ecosystem
Collaborator Operations and Toil Service Replacement GenAI APIs
● Complete Tasks via
Chat, IDE, etc
● Text, Code, Images,
Media, Video, Slides,
APIs, Documentation,
…
● Boilerplate,
Transcoding,
Monitoring,
Observability, …
● Last mile - Replace
Services with Prompt →
Data Model
● New Ecosystem (and
Business Model) with
LLM, Data, and LLM
extensions (langchain)
● AIs calling your APIs?
AIs calling other AIs?

Microservices Architectures
Source: https://www.itrelease.com/2018/10/examples-and-types-of-microservices/

Reference Cloud Architecture
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
On-Prem DC
External SaaS
Providers

Reference Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers

Generative AI increases the need for API
Management and API Security. APIs are the
contract for machine-led creation and
consumption.
New and Exacerbated Risks
02

API misconfigurations and Bots are identified as potential two of the top three
threats
Source: https://venturebeat.com/2021/07/27/fugue-36-percent-orgs-suffered-serious-cloud-breach-in-last-year/

14
Source: API Economy | Google Cloud
“By 2022, API abuses will be the most
frequent attack vector resulting in
data breaches for enterprise web
applications.”
- Gartner, API Security: Protect your APIs from Attacks and Data Breaches,
Mark O'Neill, Dionisio Zumerle, 2021
170%
Apigee saw over 170% increase in
abusive API traffic last year
API Security Threats are Evolving and Increasing

!
84%
of companies saw an increase in the number of
bot attacks over the last year (Jan ‘21)
Bot Attacks
Source: Forrester Consulting - State Of Online Fraud And Bot Management
$24B
Lost to credit card fraud by US businesses
Payments
Fraud
!
$1T
Lost to abandoned checkouts or
rejected transactions
53 days
spent on average fully resolving a bot
attack
! API Abuse
!
Account
Takeover
90%
Increase in 2021 alone
50%
of organizations experienced an API
security incident in the last 12 months
77%
of organizations that experienced an API
security incident delayed a rollout
Web Security Threats are Evolving and Increasing

Your APIs need to be secured across all points of interaction
Threat Protection
Behavior Based
Signature Based
Payload Complexity
Spikes
OWASP (SQL injection,
input validation, etc.)
Access Controls
OAuth2
API Keys
Products
Scopes
Quota/Spike Arrest
Logging
Self Service & SSO
IAM Integration
Prov. & DeComm
OpenId Connect
JWT
SAML
Security
Governance
Global Policies
RBAC management
Data Masking
Compliance:
ISO, PCI-DSS, HIPAA,
SOC1&2, CSA STAR
Data Security
TLS
Two-way TLS
IP Access Control
Encrypted Data Store and
Cache
User App Developer API API team Backend

New Risks: Meet the Generative AI Family
Good
Competent
Bad
Attacker
Oops
Buggy

Reference Cloud Architecture with Gen AI
On-Prem DC
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
External SaaS
Providers

Common Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers

Mitigating Risks:
● Paved Path for Developers
● Defense in Depth
● Shield your Generative AI
● Escape Hatches
● Buying Expertise
03 Emerging patterns for success

Place Image Here
Paved Path for Developers
● Easy to be compliant and secure
● Single Path through the system
● Idiomatic, Integrated Tools
● Prioritize Developer Velocity (first class
support for ephemeral or test APIs)

On-Prem DC
Defense In Depth
Apigee
Microservices
Serverless
Functions
Load
Balancing
WAF
Adv API
Security
SWG
SWG
CAPTCHA
External SaaS
Providers

Shield your Generative AI
● Don’t expose your ML API directly!
● Same lessons you’ve learned shielding a
database from direct API calls!
● Incoming: Context engineering Prompt
Engineering
● Outgoing:
○ DLP checks / IP checks
○ Accuracy checks
○ Brand safety checks

Place Image Here
Escape Hatches / Fast Responses
● Multi-tier applications have different release
cadences and risk factors.
● Escape Hatches are quick-twitch Policy
Enforcement Points, Filters, and Shields
● API Gateway/Proxy and Service Mesh are
great resources for dealing with the
following scenarios…

Specific request that exploits a vulnerability. SQL injection,
parser errors, de/ser bugs, protocol edge cases, etc.
Security Breach - such as returning too much data from one
or more services across a variety of scenarios.
Escape Hatches / Fast Response scenarios
Poison Pill Data Exfiltration
Specific requests or request volume that are targeted at
overloading specific services or backends.
Targeted (D)DoS
Slow, sporadic, or steady requests to problematically extract
data from your APIs
Scraping Bots

The Security Space:
Buying Expertise
● Build, vs Buy (or Host)
● Core to your Mission?
● Expertise and Level of Investment
● Cost versus Potential Cost

Deny list Traffic Data Models
Dashboard Advanced API Security
Apigee runtime
Enforcement
How
Mitigation
Block or mark the bot traffic
depending on your needs
API Traffic Data
Continuously monitor billions of
API calls to identify anomalies
Machine Learning Models &
Rules
Continuously recognizing bot
patterns and creating new rules
Apigee Advanced API Security

Know when API are misconfigured
or experiencing abuse.
Managing API Security Configs
Align API proxies to security standards to avoid misconfigured API proxies
Recommend actions to improve
the security posture

Bot & Abuse detection powered by ML
Clustering alerts to reduce volume and provides the relevant context for quick resolution

Recap
● GenAI: New Opportunities, New Risks
● Machine-to-Machine APIs
● Integrated APIM is Critical
● Build Escape Hatches and Buy Expertise when appropriate

Thank you.
Discussion & Demo at our booth today!
Want to learn more?
cloud.google.com/apigee
Try Apigee for free for 60 days
https://apigee.google.com/welcome
Join our Partner network

apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden

Similar to apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden (20)

More from apidays

More from apidays (20)

Recently uploaded

Recently uploaded (20)

apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden