apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity
Report
Share
•0 likes•37 views
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity
•0 likes•37 views
Report
Share
Download to read offline
apidays London 2023 - APIs for Smarter Platforms and Business Processes September 13 & 14, 2023 https://www.apidays.global/london/ Overengineering Weakens your API Security Dr. David Vazquez Cortizo at APInity ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/
Recommended
More Related Content
Similar to apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity
![[WSO2 Summit Sydney 2019] Building a Successful API Strategy from Scratch and...](https://cdn.slidesharecdn.com/ss_thumbnails/wso2summitsydney2019buildingasuccessfulapistrategyfromscratchandwinningit-190308025748-thumbnail.jpg?width=384&fit=bounds)
Similar to apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity(20)
![[WSO2 Summit Sydney 2019] Building a Successful API Strategy from Scratch and...](https://cdn.slidesharecdn.com/ss_thumbnails/wso2summitsydney2019buildingasuccessfulapistrategyfromscratchandwinningit-190308025748-thumbnail.jpg?width=768&fit=bounds)
![[Workshop] Managing the API lifecycle with Open Source Technologies](https://cdn.slidesharecdn.com/ss_thumbnails/workshopmanagingtheapilifecyclewithopensourcetechnologies1-190704142905-thumbnail.jpg?width=768&fit=bounds)
More from apidays
More from apidays(20)
Recently uploaded
![[DSC Europe 23] Milos Grubjesic Empowering Business with Pepsico s Advanced M...](https://cdn.slidesharecdn.com/ss_thumbnails/dsceurope23milosgrubjesicempoweringbusinesswithpepsicosadvancedmlplatform3-231128225740-80a4b074-thumbnail.jpg?width=384&fit=bounds)
Recently uploaded(20)
![[DSC Europe 23] Milos Grubjesic Empowering Business with Pepsico s Advanced M...](https://cdn.slidesharecdn.com/ss_thumbnails/dsceurope23milosgrubjesicempoweringbusinesswithpepsicosadvancedmlplatform3-231128225740-80a4b074-thumbnail.jpg?width=768&fit=bounds)
![[DSC Europe 23] Zsolt Feleki - Machine Translation should we trust it.pptx](https://cdn.slidesharecdn.com/ss_thumbnails/dsceurope23zsoltfeleki-machinetranslationshouldwetrustit-231128230607-05e0d0cd-thumbnail.jpg?width=768&fit=bounds)
![[DSC Europe 23] Stefan Mrsic_Goran Savic - Evolving Technology Excellence.pptx](https://cdn.slidesharecdn.com/ss_thumbnails/pgsjzcgsfwagzsywivwo-stefan-mrsic-goran-savic-evolving-technology-excellence-231129142112-da067636-thumbnail.jpg?width=768&fit=bounds)
![[DSC Europe 23] Spela Poklukar & Tea Brasanac - Retrieval Augmented Generation](https://cdn.slidesharecdn.com/ss_thumbnails/spelapoklukarteabrasanacprez-231129000106-d6582d1b-thumbnail.jpg?width=768&fit=bounds)
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity
- 1. Overengineering weakens your API security David Vazquez Cortizo Managing Director
- 2. 2 ● Two truisms (?) ○ The importance of API security ○ The energy (budget) of your organization is limited for security ● Treat security waste (over engineering and bureaucracy) as a security threat ● Take a natural and energy-efficient approach to security through ○ A simple framework ○ Tooling ○ Mindset Preamble
- 3. Agenda ● A simple framework to address API security ● Governance - Architecture and Development ● Transparency ● API Operations ● Mindset ● Closing
- 4. 4 A simple framework to address API security OAUTH2 OAUTH2 scopes ACL RBAC TLS1.2 Mutual TLS TLS1.3 end2end encryption Fine-grained authorization
- 5. 5 ● Understand and challenge your needs - remove waste ○ Consider getting rid of your IP whitelisting ● What do you do with your API Gateways? ○ Consider your options: ■ SaaS ■ Managed service from your cloud provider ■ APIM vendor ○ Bring together API Gateway & Identity & Access Management solution ○ Separate domains - Security & Operations layer vs Accessibility layer Governance - Architecture
- 6. Marketplace & Platform Features Publish your APIs and Digital Products (Applications) into the catalog Control the visibility of your services through private, public and internal plans Organise your products into services within workspaces. Enrich them with marketing details and business insights Invite external companies to consume your services with their own workspace that they control and manage Provide a multi-branded and multi-catalog experience. Business units have their own organisation & workspaces External companies manage their own subscriptions and applications in a secure and compliant way Manage your APIs across the full API lifecycle from Design to Sunset Visualize analytics of your API traffic down to each individual request and obtain performance and use insights Use standard policies to control usage in a secure and compliant way Highly available infrastructure in APIM with 99.99% availability across 4 global regions Standards, Governance and Expertise centralised around the platform to provide a one-stop CoE for APIs Define Rate limits, transactions and pricing for Metering and Monetization and promote new revenue streams and innovation Marketplace Platform
- 7. 7 ● Layered approach to security for Zero Trust ○ Three doors : Web layer / API Gateway / Destination server ○ External token replacement mechanism before the API Gateway Governance - Architecture
- 8. 8 ● Leverage ISO 27001 Certification - shift security left ○ Identify security-related tickets during product refinement ○ Establish security roles inside the teams and early approval processes ● Standardize API development ○ Authentication and Access control ○ Input validation libraries, error handling, CORS policies, μservice templates ● Integrate tools in your Continuous Integration pipeline ○ Verification of 3rd party libraries (versions, security threats) ○ Code quality checks & API quality Governance - Secure development life cycle
- 9. 9 ● Impossible to secure APIs you do not know exist and whether or not are in use ○ You need to know your API state ● APIs as Digital Products ○ Opportunities - Monetization ○ Risks - Security and Operations ● Use API Risk assessment to prioritize security measures ○ Level of use of the API, who and how Transparency and Discoverability What the eyes don't see the heart doesn't grieve
- 10. 10 ● Alarms and Monitoring ● Robust API logging and smart processing of these logs API Operations Source: Antonio Damasio - Descartes´ error Is anybody abusing my API state? How would I know? Follow Nature´s algorithm to develop brains- Detect, defend, prevent ● Rate limiting ● Ingress / Egress control ● Periodic security assessments ● Security posture - tooling for SIEM
- 11. 11 ● Your security budget is limited - Act responsibly ○ Be bold: Eliminate waste from your security and compliance processes ● Understand and challenge needs and requirements ○ Need a self-managed API Gateway? ● Stay rational - Avoid over engineering & Make decisions - Go for tooling! ○ Consider your core business and possible competitive advantage ○ Consider the capabilities of the organization ○ Remember the lifetime obligation to maintain and evolve the code you own Mindset
- 12. 12 ● Addressed API security with a mix of security framework, tooling and mindset ● Presented a simple framework to address API security in five dimensions ● Gave a few examples of tooling ● Mindset Summary
- 13. The API Marketplace company E-Commerce Journey | Gateway agnostic | Regulated Industries