INTERFACE, by apidays - APIs: the next 10 years
June 8, 9 & 10 2022
Driving the business through secure APIs
Gil Shulman, VP Product at Wib
------------
3. Security cannot come at the expense of the organization’s business objectives
API security enables business acceleration
4. The API Economy
Leveraging the API economy lets the organization quickly introduce new services and applications while reusing APIs:
- Service acceleration
- Fix and enhance functionality
- API re-use; collaboration
Securing an asset that changes daily:
- What are we protecting? False sense of security
- Vulnerability awareness
- Regulatory risk
- Potential business impact
- Avoid a large exposure window
5. Reasons for Service Rollout delays
1. Security vulnerabilities in code
2. Testing process is too long
3. SecOps detected security concerns
4. Wide impact on multiple services leveraging the API
5. Production detected threats of potentially malicious & abnormal activities
6. PII/PHI exposures
7. Insufficient data to conclude an incident
8. Unconfirmed blocking activities [manual or automated]
6. APIs are becoming the organization’s service backbone
API Economy: impact on the organization
- SecOps doesn't know about or monitor APIs [hunting, incident response, etc.]
- Inheriting security issues
- API logic failures across services
- Vulnerability management programs are blind to API threats
- Incidents: time to respond
What security has to do in response
- Awareness of ALL APIs [old, new, deprecated, shadow, unmanaged & others]
- SecOps program alignment [vulnerability management, code analysis, red-teaming...]
- Align with owners’ SOPs
- Don’t become a pain in the ass for security’s sake
- Production is too late: create pre-production stopping points
7. Development / Testing / Production
Adopting risks; accelerating services
- 100% theoretical visibility, 0% usage insights
- Objective: get through to production as fast as possible
- Current practices: no API testing, generic testing; existing practices don't apply
- CI/CD delays
- Moving from prevention to detection
- Avoiding a false sense of security
- APIs maintain a business impact
- Measuring usage & leveraging attackers’ smarts
Core synergies between DevOps and SecOps
8. How to use security to drive the business? Key principles:
1. Visibility MUSTN’T rely on manual updates [we never maintain those DBs]
2. Never assume you are covered if you are ONLY watching part of the API life cycle
3. Don’t annoy other teams with your objective; make it easy and painless; play nice
4. Introduce API concerns into existing flows
9. How to use security to drive the business?
- Always up-to-date API repository: every change, addition, or fix must be validated and automatically represented with its security attributes. ELIMINATE BLINDSPOTS
- Transparent to the CI/CD pipeline: never introduce delays to the testing phase; security is just another ticket to fix. NO DELAYS
- False sense of security: be sure you know of ALL APIs available to attackers. ASSUMPTIONS INTRODUCE BLINDSPOTS
- Don’t rely on legacy approaches; attackers don’t: WAF or legacy approaches don’t cover API vulnerabilities; auditing, red-teaming, and pen-testing don’t work for APIs. FIXING THE SECURITY GAPS
- Synergetic security across the stages: getting to production with a clear understanding of business impact, risks, and acceptable exposures. GETTING TO PRODUCTION WITH MINIMAL RISK
- Minimize exposure windows: deliver a solution, not only problems. PRODUCTION IS THE LAST STOP
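Slide 6's "Awareness of ALL APIs [old, new, deprecated, shadow, unmanaged & others]" and this slide's "be sure you know of ALL APIs available to attackers" both come down to diffing what the gateway actually serves against what the API repository documents, instead of relying on a manually maintained list. The following is an added example, not the talk's or Wib's code; the inventory, the log line format and the log lines themselves are constructed assumptions:

```python
# Reconcile observed API traffic against the documented API inventory.
# Constructed example, not code from the talk or from Wib: the inventory is a
# small OpenAPI-style route table, the traffic a few made-up gateway log lines.
import re
from dataclasses import dataclass, field

# Constructed inventory: what the API repository claims exists, with attributes.
INVENTORY = {
    ("GET", "/v2/users/{id}"): {"deprecated": False, "pii": True},
    ("GET", "/v2/orders/{id}"): {"deprecated": False, "pii": False},
    ("GET", "/v1/users/{id}"): {"deprecated": True, "pii": True},
    ("POST", "/v2/payments"): {"deprecated": False, "pii": True},
}

# Constructed gateway log lines "METHOD PATH STATUS"; a 403 still proves the endpoint exists.
ACCESS_LOG = """\
GET /v2/users/1042 200
GET /v1/users/77 200
GET /v2/orders/555 200
GET /internal/debug/users 200
POST /v2/admin/export 403
"""
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def normalize(path: str) -> str:
    """Collapse numeric path segments into {id} so concrete requests
    match the templated paths used in the inventory."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

@dataclass
class Report:
    shadow: set = field(default_factory=set)           # seen, not documented
    deprecated_live: set = field(default_factory=set)  # deprecated, still called
    unused: set = field(default_factory=set)           # documented, no traffic

def reconcile(inventory: dict, log_text: str) -> Report:
    """Diff what the gateway actually served against the documented inventory."""
    seen = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped, never trusted
            seen.add((m["method"], normalize(m["path"])))
    report = Report()
    for route in seen:
        if route not in inventory:
            report.shadow.add(route)
        elif inventory[route]["deprecated"]:
            report.deprecated_live.add(route)
    report.unused = set(inventory) - seen
    return report
```

Run on every deployment, the shadow and deprecated_live sets are the blind spots the slide warns about; the unused set is the list of candidates for retirement before they become one.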
10. What should we be looking for in a strategy?
1. Automated API repository with 100% visibility of all APIs and their attributes
2. Security testing MUST be automated and crafted per deployed code version
3. API documentation is not a luxury but a necessity
4. Security solution transparent to DevOps
5. Filling the security gaps in the existing security programs
6. Responsive security, adapting to continuous changes in a language understood by the responsible team
7. API-centric security & understanding API logic attacks
8. Make sure you have answers for the board, CISO, CIO and other stakeholders
11. What to avoid?
1. Assumption of security
2. Delays to CI/CD flows
3. Adopting APIs without insight into their impacts and risks
4. Relying on service audits, red-team exercises & pen-testing for service security
5. Relying on production-only detection for security
6. Assuming that a WAF or API gateway secures your services
12. Summary & key points
1. Absolute visibility into all APIs is a must first step
2. APIs are not a natural extension of existing AppSec approaches; logic is at the core of the threat
3. Try and connect activities as extensions of existing programs
4. Don’t augment the ways the involved teams are used to operating
5. Automate testing, detection & response to a point where you have multiple opportunities to eliminate the threat
6. Always have answers, as multiple personas have different interests in the DT project
Hi everyone, I am Gil Shulman and I am from Wib security, focusing on API e2e automated visibility & security.
I would like to use this session to offer some tools to address the security concerns associated with APIs affecting the business objectives, especially when it comes to digital transformation projects.
In this session we will be discussing how to increase application delivery trajectory while transparently introducing security across all API phases. We will also be discussing what to avoid and what to promote. So let's dive into it.
Rule 1: security cannot be the reason for a delay to a service/application roll-out or update.
Rule 2: become a partner, not an annoyance.
The API economy is a fact of life; what do we need to consider, on the one hand, while the security challenge is….
Leveraging the API economy sets the organization’s objectives: quickly introduce new services and applications while reusing APIs.
What does it mean:
Quickly accelerate the introduction of services, affecting the organization’s bottom line
Quickly fix or introduce new functionality
Re-using APIs and increasing collaboration between teams
Challenges created:
How to keep those services secure if they keep on changing, in some cases multiple times a day?
How to truly understand how many APIs are active?
What risks are being regularly introduced?
What regulatory issues are we potentially creating?
What is the effect of API vulnerabilities on the organization?
This is the state of most organizations…
Before we dive into security we need to understand the impact APIs might have on the organization:
Multiple services inherit security issues and security fixes
API logic failures leveraged across services [BOLA is a great example]
Vulnerability management programs are not accounting for this threat
SecOps operations don't address APIs: hunting, incident investigation
Incidents’ time to resolve
The modern organization’s services are built on top of an API infrastructure
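The notes name BOLA as the API logic failure that gets leveraged across services, and slide 10 asks for security testing crafted per deployed code version. The following is an added example, not the talk's or Wib's code: a vulnerable object lookup beside its hardened form, plus the kind of automated check that can run against each version of the handler; the orders, user ids and function names are constructed assumptions.

```python
# Object-level authorization failure (BOLA, OWASP API Security Top 10 API1),
# the API logic failure the talk names. Added example, not code from the talk
# or from Wib; orders and user ids below are constructed.
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float

# Constructed data: customer 7 owns two orders, customer 9 owns one.
ORDERS = {
    1001: Order(1001, owner_id=7, total=49.90),
    1002: Order(1002, owner_id=7, total=12.00),
    2001: Order(2001, owner_id=9, total=880.00),
}

def get_order_vulnerable(session_user_id: int, order_id: int) -> Order:
    """Authenticated but not authorized: the caller is known (session_user_id)
    yet the order id from the URL is never tied to that caller, so any valid
    session reaches other customers' orders on every service reusing this."""
    return ORDERS[order_id]

def get_order_hardened(session_user_id: int, order_id: int) -> Order:
    """Object-level check: the order must belong to the caller. 'Missing' and
    'not yours' get the same error so ids cannot be probed for existence."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise Forbidden(f"order {order_id} is not accessible to user {session_user_id}")
    return order

def check_bola(handler) -> bool:
    """Automated regression check to run against every deployed version of the
    handler: user 9 must be refused when asking for user 7's order 1001."""
    try:
        handler(9, 1001)
    except Forbidden:
        return True   # correctly refused
    return False      # the handler leaked another user's object
```

The same check passes the hardened handler and fails the vulnerable one, which is what makes it a CI gate rather than a one-off pen-test finding.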