INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023
Security Exposure Management in API First World
Sandeep Nain, VP Security and Trust at Carta
3. Who am I
Sandeep Nain
VP of Security, Carta
Head of Security Partners, Meta / Facebook
Managing Principal, HPE Fortify
Advisor: Riscosity, Araali Networks
Two decades in information security
Built security organizations and comprehensive security programs
4. Security needs to reduce risk at low operational cost
[Diagram: Identify Assets (Devices, Infrastructure, Software Supply Chain, Apps) → Detect Vulnerabilities → Triage Vulnerabilities → Identify Remediator → Remediate Exposures, spanning Technologies, Processes and People]
5. Managing security exposures is an expensive manual process that fails 7/10 times
• Inefficient use of security engineers on the monotonous operational work of triaging vulnerabilities, a.k.a. identifying exposures.
• Fixing non-logic security exposures is a distraction for engineers, thus leaving exposures unmitigated.
• Expensive security engineers are tasked with finding the best person to fix the exposure.
ESG Security Posture Management Survey 2021: organizations have experienced a cyber attack that started from an unknown, unmanaged or poorly managed asset.
6. We need to eliminate manual operational overhead from security exposure management.
8. Eliminating manual operational overhead from security exposure management using “actuator” software
• Automatically triages security exposures and identifies the root cause
• Automatically identifies the most appropriate person for mitigation, a.k.a. the remediator
• Offers exposure remediation within engineering processes
9. Current tech landscape is ripe for such innovation
• Adoption of APIs by security technology vendors
• Mass adoption of API-enabled cloud infrastructure
• DevOps standardization of release management technologies with API support
11. Step 1: Gather disparate data from existing tech stack
[Diagram: data from CI/CD, security products, Git and infrastructure is gathered as detailed information in graph format, alongside a time series; the system monitors for asset and configuration changes across the organization, a delta is discovered, and a security exposure is identified]
12. Step 1: Gather disparate data from existing tech stack
SBOM: “accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;”**
SBOM*
Entry Points:
• APIs
• Serverless
Third Party Code:
• Open Source Dependencies
• Commercial Libraries
• Licenses
Data Management:
• Data Types
• Data Classification
• Data Format
Code Structure:
• Repositories
• Code Modules
Orchestration:
• Services
• Deployments
Infrastructure:
• Terraform
• Dockerfiles
Security Risks*
• OSS security risk assessment and SCA findings
• SAST findings
• Weaknesses in entry points
• Exposed secrets in code
• License compliance issues
• SCA and CI/CD access control weaknesses
• Infrastructure misconfigurations
• Weak branch protection rules
• Risky material changes
• Missing security tool coverage
*https://apiiro.com/blog/extended-software-bill-of-materials-xbom-sbom/
**https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
14. Step 2: Convert data into actionable intelligence
[Diagram, built up over slides 14 to 19: the Step 1 pipeline (CI/CD, security products, Git and infrastructure data gathered in graph format; monitoring for asset and configuration changes across the organization; delta discovered) now feeds an auto-triage and prioritization stage for each identified security exposure. Prioritization inputs: infrastructure context, EPSS score*, reachability analysis*, exploitability context, and time series (retrospective and predictive)]
Slides 15 to 19 (same title) extend the diagram step by step:
• Exposure root cause discovered from technical context: an SBOM in graph format enables you to identify the source of vulnerable assets automatically.
• Identify the remediator for the exposure: resource tagging; Git blame.
• Code fix generated with generative AI (LLM), using the infrastructure context.
• One-click remediation sent to the remediator via Slack.
• PR created to update the asset.
*https://www.phylum.io/automated-vulnerability-reachability
*EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/)
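As an added example (not code from the talk or from any vendor it cites), the following Python sketches Step 2 over a constructed SBOM graph: each SCA finding is prioritized from its EPSS score, reachability and exploitability context, its root cause is resolved by walking component → module → repository → deployment, and the remediator is picked from resource tags with a git-blame-style fallback. The weights, graph, ownership map and CVE-style identifiers are all assumptions.

```python
from dataclasses import dataclass

# Constructed SBOM graph (not from the talk): component -> module -> repo -> deployment.
GRAPH = {
    "components": {"libfoo@1.2": {"module": "api/handlers", "reachable": True},
                   "libbar@0.9": {"module": "batch/report", "reachable": False}},
    "modules": {"api/handlers": "repo-api", "batch/report": "repo-batch"},
    "repos": {"repo-api": "svc-api", "repo-batch": "svc-batch"},
    "deployments": {"svc-api": {"internet_facing": True, "tags": {"owner": "team-payments"}},
                    "svc-batch": {"internet_facing": False, "tags": {}}},
}
# Git-blame-style ownership (last author per module), used when no owner tag exists.
BLAME = {"batch/report": "alice@example.com"}

@dataclass
class Finding:
    cve: str        # placeholder identifier, not a real CVE
    component: str  # vulnerable component reported by SCA
    epss: float     # EPSS probability of exploitation in the next 30 days

def resolve(component):
    """Walk the graph from a vulnerable component to the deployment that ships it."""
    module = GRAPH["components"][component]["module"]
    repo = GRAPH["modules"][module]
    return module, repo, GRAPH["repos"][repo]

def priority(finding):
    """Combine EPSS with reachability and exploitability context into a 0..1 score."""
    # The weights below are illustrative assumptions, not a published formula.
    _, _, deployment = resolve(finding.component)
    reachable = GRAPH["components"][finding.component]["reachable"]
    exposed = GRAPH["deployments"][deployment]["internet_facing"]
    score = finding.epss
    if not reachable:
        score *= 0.1  # vulnerable function is never called: strongly deprioritize
    if exposed:
        score = min(1.0, score * 2)  # internet-facing deployment: raise
    return round(score, 3)

def remediator(finding):
    """Prefer the owner tag on the deployment; otherwise fall back to git blame."""
    module, _, deployment = resolve(finding.component)
    tags = GRAPH["deployments"][deployment]["tags"]
    return tags.get("owner") or BLAME.get(module) or "unassigned"

def triage(findings):
    """Return findings ordered by priority, each with its root cause and remediator."""
    rows = [{"cve": f.cve, "root_cause": resolve(f.component),
             "priority": priority(f), "remediator": remediator(f)} for f in findings]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)
```

The unreachable, internal finding drops below the reachable, internet-facing one despite its higher raw EPSS, and each row already names who should receive the remediation.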
20. APIs enable security to reduce risk at low operational cost
[Diagram: Identify Assets (Devices, Infrastructure, Software Supply Chain, Apps) → Detect Vulnerabilities → Triage Exposures → Identify Remediator → Remediate Exposures, spanning Technologies]
Facilitate distributed security decision making
Removes pain & provides immediate value to security teams & engineers
21. In future, more organizations will opt for “distributed security decision making”. This will require:
• Elimination of operational work. Enrich information sourced from point solutions in SBOM format, convert it into security actions and deliver them to the right stakeholders quickly.
• Minimum friction for engineering. Usage of most security technologies drops drastically within the first few weeks due to the learning curve and friction. Such automation will meet the users where they are, and hence provide maximum ROI.
Leveraging APIs to automate security exposure management will enable ‘distributed security decision making’.