SlideShare a Scribd company logo

2022 APIsecure_API Discovery: First step towards API Security

APIsecure_ Official
APIsecure_ Official

APIsecure - April 6 & 7, 2022 APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. API Discovery: First step towards API Security Amod Gupta, Product Manager at Traceable

Technology
1 of 12
Download to read offline
API First step towards API Security Discovery Amod Gupta Product Management, Traceable amod@traceable.ai
GOAL ▪ Define API Discovery in the context of API Security ▪ Minimum set of discovery related features that API Security tools should provide
What makes API discovery challenging ▪ Public cloud ▪ On-premises ▪ Hybrid Deployment Options Microservices architecture has made applications massively distributed Distributed Dev teams are releasing multiple times a week Agile releases
Automatically discover all API endpoints (by inspecting traffic) Group APIs by apps, services, domains etc. so security teams can digest the information Classify APIs as external (public), internal or 3rd party Automatically catalog new APIs and updates to existing APIs API discovery tool should… Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date
Now, that we have an API Catalog, how do we make it actionable
Open API Specification Are APIs being consumed securely? Are APIs being consumed as the developer intended? Are APIs exposing unknown parameters, responses, content-types etc. ? Without Common source of truth between different teams and partners Portability between different security tools Easy to identify which APIs expose sensitive data and where With Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download
Minimum Feature Set We’ve cataloged all the API endpoints We have Open API specifications for them But how do we consume this when there are 1000s of endpoints? CONFORMANCE ANALYSIS Open API spec Developer version ● Missing APIs (Shadow APIs) ● Issues with parameters ● Issues with request/response bodies Open API spec Prod/Test version Doing this at scale… 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale
Sensitive data exposure Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale Catalog of Sensitive Data SSN email age gcp_api_key ip_address credit_card_no address Integrated workflows Detect ● New data exposure ● Policy violations Log ● Create tickets ● Integrations Track & Verify ● Pre-prod environments TIN SIN aws_api_key 4. Sensitive data exposure ● Catalog data types ● Integrated workflows
Risk Score brings it together API Endpoints Risk Score /juiceshop/getorder/{order-id} 8 /juiceshop/create-account 7 /juiceshop/order/checkout/ 5 /juiceshop/account/getaccount/{account-id} 5 /juiceshop/order/notification/ 2 7 Conformance deviations Public or Internal Sensitive Data Exposure HTTP vs HTTPs Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale 4. Sensitive data exposure ● Catalog data types ● Integrated workflows 5. Integrated risk score
Summary API Catalog Automatically create and keep up to date Open API Spec Automatically create and keep up to date Conformance Identify the drift from expected behavior Risk Score Integrated score to identify APIs that need attention Sensitive Data Integrated score to identify APIs that need attention
Questions
THANK YOU

Recommended

INTERFACE, by apidays - API Discovery: First step towards API Security
INTERFACE, by apidays - API Discovery: First step towards API SecurityINTERFACE, by apidays - API Discovery: First step towards API Security
INTERFACE, by apidays - API Discovery: First step towards API Securityapidays
 
What It Takes to Build API Integrations
What It Takes to Build API IntegrationsWhat It Takes to Build API Integrations
What It Takes to Build API IntegrationsNordic APIs
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open StandardsAPIsecure_ Official
 
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG PortugalApidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugalapidays
 
Build, host and manage your custom API in less than an hour
Build, host and manage your custom API in less than an hourBuild, host and manage your custom API in less than an hour
Build, host and manage your custom API in less than an hourJerome Louvel
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 

Recommended

INTERFACE, by apidays - API Discovery: First step towards API Security
INTERFACE, by apidays - API Discovery: First step towards API SecurityINTERFACE, by apidays - API Discovery: First step towards API Security
INTERFACE, by apidays - API Discovery: First step towards API Securityapidays
 
What It Takes to Build API Integrations
What It Takes to Build API IntegrationsWhat It Takes to Build API Integrations
What It Takes to Build API IntegrationsNordic APIs
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open StandardsAPIsecure_ Official
 
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG PortugalApidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugalapidays
 
Build, host and manage your custom API in less than an hour
Build, host and manage your custom API in less than an hourBuild, host and manage your custom API in less than an hour
Build, host and manage your custom API in less than an hourJerome Louvel
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 
WaveMaker API Success
WaveMaker API SuccessWaveMaker API Success
WaveMaker API SuccessWaveMaker, Inc.
 
2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right WayAPIsecure_ Official
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
Using ap is to gather data
Using ap is to gather data Using ap is to gather data
Using ap is to gather data Ke Jiang
 
Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Arun Karthick Manoharan
 
APImetrics Product Overview March 2015
APImetrics Product Overview March 2015APImetrics Product Overview March 2015
APImetrics Product Overview March 2015apimetrics
 
API Testing with Frisby and Mocha
API Testing with Frisby and MochaAPI Testing with Frisby and Mocha
API Testing with Frisby and MochaLyudmila Anisimova
 
Deploy a web API in 15'
Deploy a web API in 15'Deploy a web API in 15'
Deploy a web API in 15'Restlet
 
Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019Microsoft 365 Developer
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays
 
[Workshop] Managing the API lifecycle with Open Source Technologies
[Workshop] Managing the API lifecycle with Open Source Technologies[Workshop] Managing the API lifecycle with Open Source Technologies
[Workshop] Managing the API lifecycle with Open Source TechnologiesWSO2
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays
 
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...apidays
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
The ultimate api checklist by Blendr.io
The ultimate api checklist by Blendr.ioThe ultimate api checklist by Blendr.io
The ultimate api checklist by Blendr.ioBlendr.io
 
Diving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesDiving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesQASymphony
 
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...Curiosity Software Ireland
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Sumo Logic
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Developing Apps: Exposing Your Data Through Araport
Developing Apps: Exposing Your Data Through AraportDeveloping Apps: Exposing Your Data Through Araport
Developing Apps: Exposing Your Data Through AraportMatthew Vaughn
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security EditionAPIsecure_ Official
 
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...APIsecure_ Official
 

More Related Content

Similar to 2022 APIsecure_API Discovery: First step towards API Security

2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right WayAPIsecure_ Official
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
Using ap is to gather data
Using ap is to gather data Using ap is to gather data
Using ap is to gather data Ke Jiang
 
Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Arun Karthick Manoharan
 
APImetrics Product Overview March 2015
APImetrics Product Overview March 2015APImetrics Product Overview March 2015
APImetrics Product Overview March 2015apimetrics
 
API Testing with Frisby and Mocha
API Testing with Frisby and MochaAPI Testing with Frisby and Mocha
API Testing with Frisby and MochaLyudmila Anisimova
 
Deploy a web API in 15'
Deploy a web API in 15'Deploy a web API in 15'
Deploy a web API in 15'Restlet
 
Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019Microsoft 365 Developer
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays
 
[Workshop] Managing the API lifecycle with Open Source Technologies
[Workshop] Managing the API lifecycle with Open Source Technologies[Workshop] Managing the API lifecycle with Open Source Technologies
[Workshop] Managing the API lifecycle with Open Source TechnologiesWSO2
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays
 
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...apidays
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
The ultimate api checklist by Blendr.io
The ultimate api checklist by Blendr.ioThe ultimate api checklist by Blendr.io
The ultimate api checklist by Blendr.ioBlendr.io
 
Diving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesDiving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesQASymphony
 
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...Curiosity Software Ireland
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Sumo Logic
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Developing Apps: Exposing Your Data Through Araport
Developing Apps: Exposing Your Data Through AraportDeveloping Apps: Exposing Your Data Through Araport
Developing Apps: Exposing Your Data Through AraportMatthew Vaughn
 

Similar to 2022 APIsecure_API Discovery: First step towards API Security (20)

WaveMaker API Success
WaveMaker API SuccessWaveMaker API Success
WaveMaker API Success
 
2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Using ap is to gather data
Using ap is to gather data Using ap is to gather data
Using ap is to gather data
 
Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016
 
APImetrics Product Overview March 2015
APImetrics Product Overview March 2015APImetrics Product Overview March 2015
APImetrics Product Overview March 2015
 
API Testing with Frisby and Mocha
API Testing with Frisby and MochaAPI Testing with Frisby and Mocha
API Testing with Frisby and Mocha
 
Deploy a web API in 15'
Deploy a web API in 15'Deploy a web API in 15'
Deploy a web API in 15'
 
Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
 
[Workshop] Managing the API lifecycle with Open Source Technologies
[Workshop] Managing the API lifecycle with Open Source Technologies[Workshop] Managing the API lifecycle with Open Source Technologies
[Workshop] Managing the API lifecycle with Open Source Technologies
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
 
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
 
The ultimate api checklist by Blendr.io
The ultimate api checklist by Blendr.ioThe ultimate api checklist by Blendr.io
The ultimate api checklist by Blendr.io
 
Diving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesDiving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the Technologies
 
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Developing Apps: Exposing Your Data Through Araport
Developing Apps: Exposing Your Data Through AraportDeveloping Apps: Exposing Your Data Through Araport
Developing Apps: Exposing Your Data Through Araport
 

More from APIsecure_ Official

2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security EditionAPIsecure_ Official
 
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...APIsecure_ Official
 
2022 APIsecure_A day in the life of an API; Fighting the odds
2022 APIsecure_A day in the life of an API; Fighting the odds2022 APIsecure_A day in the life of an API; Fighting the odds
2022 APIsecure_A day in the life of an API; Fighting the oddsAPIsecure_ Official
 
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
2022 APIsecure_Passwordless Multi-factor Authentication Security and IdentityAPIsecure_ Official
 
2022 APIsecure_Securing Large API Ecosystems
2022 APIsecure_Securing Large API Ecosystems2022 APIsecure_Securing Large API Ecosystems
2022 APIsecure_Securing Large API EcosystemsAPIsecure_ Official
 
2022 APIsecure_Quarterly Review of API Vulnerabilities
2022 APIsecure_Quarterly Review of API Vulnerabilities2022 APIsecure_Quarterly Review of API Vulnerabilities
2022 APIsecure_Quarterly Review of API VulnerabilitiesAPIsecure_ Official
 
2022 APIsecure_Top Ten Security Tips for APIs
2022 APIsecure_Top Ten Security Tips for APIs2022 APIsecure_Top Ten Security Tips for APIs
2022 APIsecure_Top Ten Security Tips for APIsAPIsecure_ Official
 
2022 APIsecure_Are your APIs Rugged Enough?
2022 APIsecure_Are your APIs Rugged Enough?2022 APIsecure_Are your APIs Rugged Enough?
2022 APIsecure_Are your APIs Rugged Enough?APIsecure_ Official
 
2022 APIsecure_Making webhook APIs secure for enterprise
2022 APIsecure_Making webhook APIs secure for enterprise2022 APIsecure_Making webhook APIs secure for enterprise
2022 APIsecure_Making webhook APIs secure for enterpriseAPIsecure_ Official
 
2022 APIsecure_API Security & Fraud Detection - Are you ready?
2022 APIsecure_API Security & Fraud Detection - Are you ready?2022 APIsecure_API Security & Fraud Detection - Are you ready?
2022 APIsecure_API Security & Fraud Detection - Are you ready?APIsecure_ Official
 
2022 APIsecure_Monitoring and Responding to API Breaches
2022 APIsecure_Monitoring and Responding to API Breaches2022 APIsecure_Monitoring and Responding to API Breaches
2022 APIsecure_Monitoring and Responding to API BreachesAPIsecure_ Official
 
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIsAPIsecure_ Official
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSecAPIsecure_ Official
 
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...APIsecure_ Official
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...APIsecure_ Official
 
2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid Credentials2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid CredentialsAPIsecure_ Official
 
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...APIsecure_ Official
 
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
2022 APIsecure_Understanding API Abuse With Behavioral Analytics2022 APIsecure_Understanding API Abuse With Behavioral Analytics
2022 APIsecure_Understanding API Abuse With Behavioral AnalyticsAPIsecure_ Official
 
2022 APIsecure_Harnessing the Speed of Innovation
2022 APIsecure_Harnessing the Speed of Innovation2022 APIsecure_Harnessing the Speed of Innovation
2022 APIsecure_Harnessing the Speed of InnovationAPIsecure_ Official
 
2022 APIsecure_We’re Not in AppSec Anymore Toto
2022 APIsecure_We’re Not in AppSec Anymore Toto2022 APIsecure_We’re Not in AppSec Anymore Toto
2022 APIsecure_We’re Not in AppSec Anymore TotoAPIsecure_ Official
 

More from APIsecure_ Official (20)

2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
 
2022 APIsecure_A day in the life of an API; Fighting the odds
2022 APIsecure_A day in the life of an API; Fighting the odds2022 APIsecure_A day in the life of an API; Fighting the odds
2022 APIsecure_A day in the life of an API; Fighting the odds
 
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
 
2022 APIsecure_Securing Large API Ecosystems
2022 APIsecure_Securing Large API Ecosystems2022 APIsecure_Securing Large API Ecosystems
2022 APIsecure_Securing Large API Ecosystems
 
2022 APIsecure_Quarterly Review of API Vulnerabilities
2022 APIsecure_Quarterly Review of API Vulnerabilities2022 APIsecure_Quarterly Review of API Vulnerabilities
2022 APIsecure_Quarterly Review of API Vulnerabilities
 
2022 APIsecure_Top Ten Security Tips for APIs
2022 APIsecure_Top Ten Security Tips for APIs2022 APIsecure_Top Ten Security Tips for APIs
2022 APIsecure_Top Ten Security Tips for APIs
 
2022 APIsecure_Are your APIs Rugged Enough?
2022 APIsecure_Are your APIs Rugged Enough?2022 APIsecure_Are your APIs Rugged Enough?
2022 APIsecure_Are your APIs Rugged Enough?
 
2022 APIsecure_Making webhook APIs secure for enterprise
2022 APIsecure_Making webhook APIs secure for enterprise2022 APIsecure_Making webhook APIs secure for enterprise
2022 APIsecure_Making webhook APIs secure for enterprise
 
2022 APIsecure_API Security & Fraud Detection - Are you ready?
2022 APIsecure_API Security & Fraud Detection - Are you ready?2022 APIsecure_API Security & Fraud Detection - Are you ready?
2022 APIsecure_API Security & Fraud Detection - Are you ready?
 
2022 APIsecure_Monitoring and Responding to API Breaches
2022 APIsecure_Monitoring and Responding to API Breaches2022 APIsecure_Monitoring and Responding to API Breaches
2022 APIsecure_Monitoring and Responding to API Breaches
 
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
 
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
 
2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid Credentials2022 APIsecure_Hackers with Valid Credentials
2022 APIsecure_Hackers with Valid Credentials
 
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
 
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
2022 APIsecure_Understanding API Abuse With Behavioral Analytics2022 APIsecure_Understanding API Abuse With Behavioral Analytics
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
 
2022 APIsecure_Harnessing the Speed of Innovation
2022 APIsecure_Harnessing the Speed of Innovation2022 APIsecure_Harnessing the Speed of Innovation
2022 APIsecure_Harnessing the Speed of Innovation
 
2022 APIsecure_We’re Not in AppSec Anymore Toto
2022 APIsecure_We’re Not in AppSec Anymore Toto2022 APIsecure_We’re Not in AppSec Anymore Toto
2022 APIsecure_We’re Not in AppSec Anymore Toto
 

Recently uploaded

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

2022 APIsecure_API Discovery: First step towards API Security

  • 1. API First step towards API Security Discovery Amod Gupta Product Management, Traceable amod@traceable.ai
  • 2. GOAL ▪ Define API Discovery in the context of API Security ▪ Minimum set of discovery related features that API Security tools should provide
  • 3. What makes API discovery challenging ▪ Public cloud ▪ On-premises ▪ Hybrid Deployment Options Microservices architecture has made applications massively distributed Distributed Dev teams are releasing multiple times a week Agile releases
  • 4. Automatically discover all API endpoints (by inspecting traffic) Group APIs by apps, services, domains etc. so security teams can digest the information Classify APIs as external (public), internal or 3rd party Automatically catalog new APIs and updates to existing APIs API discovery tool should… Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date
  • 5. Now, that we have an API Catalog, how do we make it actionable
  • 6. Open API Specification Are APIs being consumed securely? Are APIs being consumed as the developer intended? Are APIs exposing unknown parameters, responses, content-types etc. ? Without Common source of truth between different teams and partners Portability between different security tools Easy to identify which APIs expose sensitive data and where With Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download
  • 7. Minimum Feature Set We’ve cataloged all the API endpoints We have Open API specifications for them But how do we consume this when there are 1000s of endpoints? CONFORMANCE ANALYSIS Open API spec Developer version ● Missing APIs (Shadow APIs) ● Issues with parameters ● Issues with request/response bodies Open API spec Prod/Test version Doing this at scale… 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale
  • 8. Sensitive data exposure Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale Catalog of Sensitive Data SSN email age gcp_api_key ip_address credit_card_no address Integrated workflows Detect ● New data exposure ● Policy violations Log ● Create tickets ● Integrations Track & Verify ● Pre-prod environments TIN SIN aws_api_key 4. Sensitive data exposure ● Catalog data types ● Integrated workflows
  • 9. Risk Score brings it together API Endpoints Risk Score /juiceshop/getorder/{order-id} 8 /juiceshop/create-account 7 /juiceshop/order/checkout/ 5 /juiceshop/account/getaccount/{account-id} 5 /juiceshop/order/notification/ 2 7 Conformance deviations Public or Internal Sensitive Data Exposure HTTP vs HTTPs Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale 4. Sensitive data exposure ● Catalog data types ● Integrated workflows 5. Integrated risk score
  • 10. Summary API Catalog Automatically create and keep up to date Open API Spec Automatically create and keep up to date Conformance Identify the drift from expected behavior Risk Score Integrated score to identify APIs that need attention Sensitive Data Integrated score to identify APIs that need attention