APIsecure - April 6 & 7, 2022 APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. The Real World, API Security Edition: When best practices stop being polite and start being real Sean Boulter, Principal Security Engineer at Salt Security

1. api security edition:
When best practices stop being
polite and start being real

2. © 2022 Salt Security, Inc. All rights reserved.
Software is
eating the world

3. © 2022 Salt Security, Inc. All rights reserved.
API security predictions were accurate
“As 2022 approaches, this prediction could arguably
be counted as “missed” — but only because we
underestimated the steep rise in attacks on APIs.”

4. © 2022 Salt Security, Inc. All rights reserved.
API security best practices help reduce risk
Three areas we’ll be focusing on today:
1. API documentation, discovery, and cataloging
2. Runtime protection
3. API-centric security operations

5. 1. api documentation, discovery
and cataloging

6. © 2022 Salt Security, Inc. All rights reserved.
Use machine formats like OpenAPI Specification
• Standardizing on machine formats enables
other life cycle activities and integration
work with suppliers
• Most organizations have pockets of OAS and
Swagger, but practices aren’t universal
• Recognize limitations of schema analysis
for finding issues and business logic flaws
• Disparity between documented design and
deployed APIs is common, aka API drift

7. © 2022 Salt Security, Inc. All rights reserved.
Tag and label APIs and microservices consistently
• Developers are empowered to help the
organization and its security strategy
• Tagging and labeling is an enabler of many
DevOps best practices
– Improves integrity of software supply
chain when done consistently and
verified
– Aids SOC analysts and security
operations as part of forensics and
incident response
– Useful for compliance activity, and CI/CD
build pipelines become a system of
record

8. © 2022 Salt Security, Inc. All rights reserved.
Industry: Business travel
management
“With Salt we can see exactly
how our APIs are designed to
work and how they’re reacting
when they’re used and misused.”
-- Tarik Ghbeish, Product &
Security Engineering
Customer example of pitfalls related to lack of API inventory
Customer challenges
• COVID forced rapid platform adjustments and enhancements that spurred more APIs
• Needed API visibility to stay in line with agile development
Salt Security key capabilities
API discovery
• Discovers all APIs automatically and continuously
• Maintains an up-to-date catalog of all APIs
• Captures granular details to eliminate blind spots and help teams assess risk
Sensitive data exposure prevention
• Details where APIs expose sensitive data
• Provides updates when new or updated APIs impact data exposure

9. 2. Runtime protection

10. © 2022 Salt Security, Inc. All rights reserved.
Use threat protection features of your API gateways and API management
• Many gateways provide basic message
filtering mechanisms in addition to access
control enforcement
• This form of threat protection may satisfy
some basic security use cases but leaves
gaps in API protection
• Overloading API gateways impacts service
performance, particularly in microservices
architectures
• Maintenance of rules and signatures is
often a gray area or operational nightmare

11. © 2022 Salt Security, Inc. All rights reserved.
Seek more than rate limiting and traffic management to stop attacks
• Rate limiting mechanisms are commonly
found in many network elements
• Use and quota limits within API gateways
are useful for API monetization and basic
security control
• Rate limiting stops some basic attacks and
API abuse, but it falls over for distributed
architectures and advanced attackers
• Most useful for internal APIs and partner
APIs where API consumers are known and
request volume is predictable

12. © 2022 Salt Security, Inc. All rights reserved.
Customer challenges
• Protecting APIs at the core of the Finastra FusionFabric.cloud service
• Preventing ATO, compromised apps calling APIs, and exploitation of OWASP API Security
Top 10
Salt Security key capabilities
Attack prevention
• IDs attackers using advanced techniques to evade rate limiting and other protections
• Blocks attackers in early reconnaissance stages
Risk reduction
• Provides insights to developers and partners on potential vulnerabilities and sensitive
data exposure
• Helps mitigate risk and prevent vulnerable APIs from launching
Customer example of pitfalls related to inadequate runtime protection
Industry: FinTech
“Salt has automatically blocked
tens of 1000s of credential
stuffing attacks. Without Salt,
we’d be out of business.”
--Nir Valtman, VP product and
data security

13. 3. api-centric security operations

14. © 2022 Salt Security, Inc. All rights reserved.
Account for multiple personas and work streams in the organization
• Telemetry of full API call chains and data flows
provides necessary technical detail and drives
machine analysis
• Development, Operations, and Security teams
need different information at different times
of the API life cycle
• Integrate with IT systems to aid in DFIR
collaboration and remediation workflow
• Security insights should be tailored per role
– Is an issue resulting from code?
– Or is it an infrastructure misconfiguration?

15. © 2022 Salt Security, Inc. All rights reserved.
Surface actionable API events, don’t just dump data into SIEM
• SecOps fatigue is common and application
expertise is often lacking
• Select tooling that interoperates with
organizational SIEM and SOAR
• Strike a balance between too many and too
little data feeds
• Focus on improving signal-to-noise ratio
and reducing false positives

16. © 2022 Salt Security, Inc. All rights reserved.
Customer example of pitfalls related to inefficient SecOps
Customer challenges
• Detecting and preventing attacks targeting the unique logic of core APIs
• Preventing attacks missed by NG-WAFs and bot mitigation tools
Salt Security key capabilities
Attack prevention
• Correlates attack activity to pinpoint attackers early during reconnaissance
• Reduces alerts with a consolidated attacker timeline
• Provides SOC teams with context needed for quick action
Risk reduction
• Provides insights to identify, prioritize, and eliminate vulnerabilities
• Enables teams to continuously harden APIs
• Helps developers make APIs more secure before launching into production
Industry: Mobile marketing
analytics and attribution
“With visibility, protection, and
remediation in one solution,
Salt helps us respond to issues
faster and understand exactly
what needs to be fixed.”
--Guy Flechter, CISO

17. © 2022 Salt Security, Inc. All rights reserved.
Salt – the API context
you need
17

18. © 2022 Salt Security, Inc. All rights reserved.
Top use cases for API security
Discover
shadow APIs
Prevent sensitive data
exposure
Stop API
attacks
Prevent account
takeover
Prevent data
exfiltration
Reduce investigation
time
Provide remediation
insights
Simplify compliance

19. © 2022 Salt Security, Inc. All rights reserved.
Additional resources
• API Security for Dummies
• API Security Evaluation Guide
• API Security Best Practices Guide and Checklist
• OWASP API Security Top 10 Explained
• State of API Security Q1 2022
• API Threat Research: Detailed Financial Records Exposed on Financial Services Platform
• API Threat Research: Elastic Stack Misconfiguration Allows Data Extraction
Still have questions or want more info? Reach out!
• Email: sean@salt.security
• LinkedIn: https://www.linkedin.com/in/seanboulter/
19
Over 50 security best practices
spread across 12 focus areas

20. Thank you for attending!
sean@salt.security