INTERFACE, by apidays - APIs: the next 10 years June 8, 9 & 10 2022 Driving the business through secure APIs Gil Shulman, VP Product at Wib ------------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

1. Gil Shulman
VP Product
June 2022
Securely driving the
business via APIs

2. 2022 SERIES OF EVENTS
New York
JULY
(HYBRID)
Australia
SEPTEMBER
(HYBRID)
Singapore
APRIL
(VIRTUAL)
Helsinki & North
MARCH
(VIRTUAL)
Paris
DECEMBER
(HYBRID)
London
OCTOBER
(HYBRID)
Hong Kong
AUGUST
(VIRTUAL)
JUNE (VIRTUAL)
India
MAY
(VIRTUAL)
APRIL (VIRTUAL)
Dubai & Middle East
JUNE
(VIRTUAL)
Check out our API Conferences
www.apidays.global
Want to talk at one of our conferences?
apidays.typeform.com/to/ILJeAaV8

3. Security cannot come at the expense of the organization’s
business objectives
API Security enables business Acceleration

4. The API Economy
Leveraging the API economy allows organization’s objectives to quickly
introduce new services, applications, while reusing APIs
Service acceleration
Fix and enhance functionality
API re-use ; collaboration
Securing an asset that changes daily
What are we protecting? False sense of
security
Vulnerability awareness
Regulatory risk
Potential business impact
Avoid a large exposure window

5. 1. Security vulnerabilities in code
2. Testing process is too long
3. SecOps detected security concerns
4. Wide impact on multiple services leveraging the API
5. Production detected threats of potentially malicious &
abnormal activities
6. PII/PHI exposures
7. Insufficient data to conclude an incident
8. Unconfirmed blocking activities [Manual or automated]
Reasons for Service Rollout delays

6. SecOps doesn't know about or
monitors APIs [hunting, incident
response,etc.]
API
Economy
Inheriting Security issues
API logic failures across services
Vulnerability Management Programs
are blind to API Threats
Incidents, time to Respond
Awareness of ALL APIs
[old, new, deprecated, shadow, unmanaged & others]
SecOps Program Alignment
[Vulnerability Management, Code analysis, Red-teaming..]
Align with Owners SOPs
Don’t become a pain in the ass for security’s sake
Production is too late
Create pre-production stopping points
APIs are becoming the organization’s service backbone

7. Development Testing Production
Adopting risks ; accelerating services
100% Theoretical visibility
0% usage insights
Objective: Get through to production as fast as possible
Current practices : No API testing
Generic testing
Existing practises don't apply
CI/CD Delays
Moving from prevention to detection
Avoiding false sense of security
APIs maintain a business impact
Measuring usage & leveraging
attacker’s smarts
Core synergies between DevOps and SecOps

8. Key principles:
1. Visibility MUSTN’T rely on manual updates [we
never maintain those DBs]
2. Never assume you are covered if you are ONLY
watching part of the API life cycle
3. Don’t annoy other teams with your objective,
make it easy and painless ; play nice
4. Introduce API concerns into existing flows
How to use security to drive the business?

9. Always up to date API
repository
Every change, addition, fix, must be
validated and automatically represented
with its security attributes
ELIMINATE BLINDSPOTS
Transparent to the
CI/CD pipeline
Never introduce delays to the testing
phase, security is just another ticket to fix
NO DELAYs
False Sense of Security
Be sure you know of ALL APIs available to
attackers
ASSUMPTIONS INTRODUCE BLINDSPOTS
Don’t rely on legacy
approaches; attackers don’t
WAF or legacy approaches don’t cover API
vulnerabilities
Auditing, red-teaming, pen-testing don’t
work for APIs
FIXING THE SECURITY GAPS
Synergetic security
across the stages
Getting to production with clear
understanding of business impact, risks,
and acceptable exposures
GETTING TO PRODUCTION WITH MINIMAL
RISK
Minimize exposure
windows
Deliver a solution not only problems
PRODUCTION IS THE LAST STOP
How to use security to drive the business?

10. 1. Automated API Repository with 100% visibility of all APIs and their attributes
2. Security testing MUST be automated and crafted per deployed code version
3. API documentation is not a luxury but a necessity
4. Security solution transparent to DevOps
5. Filling the security gaps in the existing security programs
6. Responsive security, adapting to continuous changes in a language understood by the
responsible team
7. API centric security & understanding API logic attacks
8. Make sure you have answers for the board, CISO, CIO and other stakeholders
What should we be looking for in a strategy?

11. 1. Assumption of security
2. Delays to CI/CD flows
3. Adopting APIs without the insights into their impacts and risks
4. Relying on service audits, red-team exercises & pen-testing for service security
5. Relying on production only detection for security
6. Assuming that a WAF or API gateway secure your services
What to avoid?

12. 1. Absolute visibility into all APIs is a must first step
2. APIs are not a natural extension of the AppSec
existing approaches ; logic is at the core of the
threat
3. Try and connect activities as extensions of existing
programs
4. Don’t augment the ways the involved teams are
used to operate
5. Automate testing, detection & response to a point
you have multiple opportunity to eliminate the
threat
6. Always have answers as multiple personas have
different interests in the DT project
Summary & key points

13. Thank
you