SlideShare a Scribd company logo

Achieve AI-Powered API Privacy using Open Source

Download as PPTX, PDF
G
Gianluca Brigandi

LASCON 2019 Presentation

Technology
1 of 19
ACHIEVE AI-POWERED API PRIVACY USING OPEN SOURCE LASCON 2019, Austin, TX Gianluca Brigandi CEO : Atricore Inc. / Veridax gianluca@veridax.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
• Exploring concrete solutions – not YAPAT (Yet-Another-Privacy-Awareness-Talk) • Introduce Grass roots approach for application privacy • What can we mix-and-match TODAY to start making progress before regulations hit you • How AI (DNN specifically) can enable new capabilities in terms of hardening our apps privacy-wise What is this talk about?
What is Privacy? State or condition of being free from being observed or disturbed by other people.
Privacy-by-design Principles (by Prof. Ann Cavoukian) Proactive not reactive; Preventative not remedial Privacy as the default setting Privacy embedded into design Full functionality – positive-sum, not zero-sum End-to-end security – full lifecycle protection Visibility and transparency – keep it open Respect for user privacy – keep it user-centric
1.2B Personal Records Breached in 2017 Cost breakdown • $140B Direct Cost • + Class Action Liability • + Lost Business • + Regulator Penalties
Why “fixing” Privacy is challenging • Cuts across Infrastructure, Data, Applications and Processes Has to address what’s inside and outside the perimeter • Must coordinate with laws and regulations (e.g. GDPR, CCPA) • Fairly new discipline: embryonic body of knowledge operating at 10K feet • Lack of accessible tools to enable faster adoption • Little insight on how to leverage security tools and techniques to introduce automation • Requires strong and effective Governance model with CxO support
Agile PbD – The bazaar mindset (The Catheral & the Bazaar - Eric Raymond) • Agile adoption with a grass-roots strategy • Leverages current enterprise security practices: threat modeling • Builds on OS security tech that can bring value to the table: static and dynamic code analysis, behavioral analytics • Plays nice with existent DevSecOps processes and toolchain: automate privacy controls • Proactive vs Reactive – Accommodating regulatory demands instead of reacting “out of the blue”
PbD - Cathedral vs. Bazaar Policy-driven implementation Engineering-driven Hierarchical: Owned by compliance, top-down information flow Graph: Owned by engineering team and compliance. Everyone can contribute Siloed – disconnected from the security architecture Built around the existing security architecture and capabilities Infrastructure and Data First, Applications as a second thought Applications as first-class citizens Mindset that buying COTS software will translate to solving the problem Build and Adopt, buy as a last resort
From Idea to Implementation PrivAPI
Challenges • Missing Dataset • Scale and variety of APIs – No standards! • Manual labeling too laborious and expensive • Consumption-ready PII is not publicly available • Lack of FOSS references for inspiration
High-level Architecture
Synthetic Dataset Generation: Bird’s Eye REST Request Generation OpenAPI stack API descriptor Compiled API descriptor PII types and their regexes Mock PII fields generation OpenAPI descriptors Labeled Mock API Requests Automatic Labeling Unlabeled Request Oversampling Mock REST Request Generation
Synthetic Dataset Generation: Flow • OpenAPI descriptor gets compiled • PrivAPI takes over request generation • Instead of sending it throughout the wire, it generates a mock request containing mocked fields based on specified format (e.g. SSN, Dates) • Labels mock request based on trigger words • Oversamples minority class (i.e. PII requests) • Saves it
Model Training: Bird’s Eye Vectorize Mock Request Vocabulary Creation Keras + TensorFlow Labeled Mock API Request Labeled API Requests Dataset Analytics Model LSTM Deep Neural Network Training Embeddings Produces
Model Training: Flow a) PrivAPI Dataset generated in the previous step gets loaded b) Vocabulary is created from it c) Vector embeddings are calculated for every API request d) LSTM Deep Neural Network is created by learning from API requests e) Analytics model is saved
Classifying: Bird’s Eye Vectorization Keras + TensorFlow API Request Real world API Traffic Analytics Model LSTM Deep Neural Network Prediction Embeddings Consumes Is PII Classification
Classifying: Flow a) PrivAPI analytics model generated in the previous step, along with the vocabulary, are loaded b) Analytics model (LSTM) created in the previous step is loaded c) Target “real” API request is read and vectorized d) Prediction task is executed for API request e) Prediction results, whether the submitted API request contains or does not contain, PII – are presented
Demo Time!
References • http://towardsdatascience.com/detecting-personal-data-within-api-communication-using- deep-learning-9e52a1ff09c6 • https://github.com/veridax/privapi

Recommended

DevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open Source
DevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open SourceDevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open Source
DevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open SourceGianluca Brigandi
 
Content Strategy and Developer Engagement for DevPortals
Content Strategy and Developer Engagement for DevPortalsContent Strategy and Developer Engagement for DevPortals
Content Strategy and Developer Engagement for DevPortalsAxway
 
Hardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introductionHardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introductionGeeksLab Odessa
 
SaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceSaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceTayyaba Farhat
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitecturePriyanka Aash
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
Career in IT - HMTIF UB Platform 2014
Career in IT - HMTIF UB Platform 2014Career in IT - HMTIF UB Platform 2014
Career in IT - HMTIF UB Platform 2014Eryk Budi Pratama
 
COSAC 2021 presentation - AWS Zero Trust
COSAC 2021 presentation - AWS Zero TrustCOSAC 2021 presentation - AWS Zero Trust
COSAC 2021 presentation - AWS Zero TrustFrans Sauermann
 

Recommended

DevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open Source
DevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open SourceDevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open Source
DevSecCon London 2019 - Achieve AI-Powered API Privacy Using Open SourceGianluca Brigandi
 
Content Strategy and Developer Engagement for DevPortals
Content Strategy and Developer Engagement for DevPortalsContent Strategy and Developer Engagement for DevPortals
Content Strategy and Developer Engagement for DevPortalsAxway
 
Hardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introductionHardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introductionGeeksLab Odessa
 
SaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceSaaS (Software-as-a-Service) as-a-secure-service
SaaS (Software-as-a-Service) as-a-secure-serviceTayyaba Farhat
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitecturePriyanka Aash
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
Career in IT - HMTIF UB Platform 2014
Career in IT - HMTIF UB Platform 2014Career in IT - HMTIF UB Platform 2014
Career in IT - HMTIF UB Platform 2014Eryk Budi Pratama
 
COSAC 2021 presentation - AWS Zero Trust
COSAC 2021 presentation - AWS Zero TrustCOSAC 2021 presentation - AWS Zero Trust
COSAC 2021 presentation - AWS Zero TrustFrans Sauermann
 
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to RealityPriyanka Aash
 
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataSecuring Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataPistoia Alliance
 
Introduction to machine learning using Elastic
Introduction to machine learning using ElasticIntroduction to machine learning using Elastic
Introduction to machine learning using ElasticFaithWestdorp
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.Moshe Ferber
 
Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainMichele Chubirka
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsAraf Karsh Hamid
 
Search for all with Elastic Enterprise Search
Search for all with Elastic Enterprise Search Search for all with Elastic Enterprise Search
Search for all with Elastic Enterprise Search Elasticsearch
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)Arvind Bhardwaj [AB]
 
Brief on my skill sets
Brief on my skill setsBrief on my skill sets
Brief on my skill setsSharda S. Khati
 
20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security Brokers20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security BrokersRobin Vermeirsch
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsSBWebinars
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Moshe Ferber
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...DevOps.com
 
Experience Credentials
Experience CredentialsExperience Credentials
Experience CredentialsSandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...Ashok K DL
 
Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Yusuf Hadiwinata Sutandar
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecuritylfh663
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresSBWebinars
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing securitySanjeev Sharma
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak
 

More Related Content

What's hot

(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to RealityPriyanka Aash
 
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataSecuring Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataPistoia Alliance
 
Introduction to machine learning using Elastic
Introduction to machine learning using ElasticIntroduction to machine learning using Elastic
Introduction to machine learning using ElasticFaithWestdorp
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.Moshe Ferber
 
Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainMichele Chubirka
 
Search for all with Elastic Enterprise Search
Search for all with Elastic Enterprise Search Search for all with Elastic Enterprise Search
Search for all with Elastic Enterprise Search Elasticsearch
 
20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security Brokers20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security BrokersRobin Vermeirsch
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsSBWebinars
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Moshe Ferber
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...DevOps.com
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...Ashok K DL
 
Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Yusuf Hadiwinata Sutandar
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecuritylfh663
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresSBWebinars
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec
 

What's hot (20)

(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality
 
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataSecuring Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
 
Introduction to machine learning using Elastic
Introduction to machine learning using ElasticIntroduction to machine learning using Elastic
Introduction to machine learning using Elastic
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.
 
Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chain
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
 
Search for all with Elastic Enterprise Search
Search for all with Elastic Enterprise Search Search for all with Elastic Enterprise Search
Search for all with Elastic Enterprise Search
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
 
Brief on my skill sets
Brief on my skill setsBrief on my skill sets
Brief on my skill sets
 
20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security Brokers20160000 Cloud Discovery Event - Cloud Access Security Brokers
20160000 Cloud Discovery Event - Cloud Access Security Brokers
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
 
Experience Credentials
Experience CredentialsExperience Credentials
Experience Credentials
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...
Happiest Minds – The Mindful IT Company is Hiring for Infrastructure Manageme...
 
Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecurity
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 

Similar to Achieve AI-Powered API Privacy using Open Source

Democratizing security
Democratizing securityDemocratizing security
Democratizing securitySanjeev Sharma
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak
 
Cisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud PlatformCisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud PlatformShashi Kiran
 
Data Privacy By Design with AWS
Data Privacy By Design with AWSData Privacy By Design with AWS
Data Privacy By Design with AWSKrzysztof Kąkol
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloudKrzysztof Kąkol
 
Educause Annual 2007
Educause Annual 2007Educause Annual 2007
Educause Annual 2007Neil Matatall
 
OpenStack at Cisco, June 2015
OpenStack at Cisco, June 2015OpenStack at Cisco, June 2015
OpenStack at Cisco, June 2015Lora O'Haver
 
Webinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy ApplicationsWebinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy ApplicationsStorage Switzerland
 
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer Demand
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer DemandPaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer Demand
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer DemandCisco IT
 
Wicsa2011 cloud tutorial
Wicsa2011 cloud tutorialWicsa2011 cloud tutorial
Wicsa2011 cloud tutorialAnna Liu
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionDevOps.com
 
WSO2Con'14 US - Roadmap to a Connected Business
WSO2Con'14 US - Roadmap to a Connected BusinessWSO2Con'14 US - Roadmap to a Connected Business
WSO2Con'14 US - Roadmap to a Connected BusinessAsanka Abeysinghe
 
Fast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWSFast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWSAmazon Web Services
 
Advancing Cloud Initiatives and Removing Barriers to Adoption
Advancing Cloud Initiatives and Removing Barriers to AdoptionAdvancing Cloud Initiatives and Removing Barriers to Adoption
Advancing Cloud Initiatives and Removing Barriers to AdoptionRightScale
 
Unblocking Innovation for Digital Transformation
Unblocking Innovation for Digital TransformationUnblocking Innovation for Digital Transformation
Unblocking Innovation for Digital TransformationAmazon Web Services
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on CloudTu Pham
 
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014Amazon Web Services
 
Netflix Cloud Architecture and Open Source
Netflix Cloud Architecture and Open SourceNetflix Cloud Architecture and Open Source
Netflix Cloud Architecture and Open Sourceaspyker
 

Similar to Achieve AI-Powered API Privacy using Open Source (20)

Democratizing security
Democratizing securityDemocratizing security
Democratizing security
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud Management
 
Cisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud PlatformCisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud Platform
 
Data Privacy By Design with AWS
Data Privacy By Design with AWSData Privacy By Design with AWS
Data Privacy By Design with AWS
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloud
 
Educause Annual 2007
Educause Annual 2007Educause Annual 2007
Educause Annual 2007
 
OpenStack at Cisco, June 2015
OpenStack at Cisco, June 2015OpenStack at Cisco, June 2015
OpenStack at Cisco, June 2015
 
Webinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy ApplicationsWebinar: How and Why to Containerize Your Legacy Applications
Webinar: How and Why to Containerize Your Legacy Applications
 
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer Demand
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer DemandPaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer Demand
PaaS Lessons: Cisco IT Deploys OpenShift to Meet Developer Demand
 
Wicsa2011 cloud tutorial
Wicsa2011 cloud tutorialWicsa2011 cloud tutorial
Wicsa2011 cloud tutorial
 
resume4
resume4resume4
resume4
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
 
WSO2Con'14 US - Roadmap to a Connected Business
WSO2Con'14 US - Roadmap to a Connected BusinessWSO2Con'14 US - Roadmap to a Connected Business
WSO2Con'14 US - Roadmap to a Connected Business
 
Fast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWSFast, Secure Deployments with Docker on AWS
Fast, Secure Deployments with Docker on AWS
 
Advancing Cloud Initiatives and Removing Barriers to Adoption
Advancing Cloud Initiatives and Removing Barriers to AdoptionAdvancing Cloud Initiatives and Removing Barriers to Adoption
Advancing Cloud Initiatives and Removing Barriers to Adoption
 
Unblocking Innovation for Digital Transformation
Unblocking Innovation for Digital TransformationUnblocking Innovation for Digital Transformation
Unblocking Innovation for Digital Transformation
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on Cloud
 
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
 
Boot camp - Migration to AWS
Boot camp - Migration to AWSBoot camp - Migration to AWS
Boot camp - Migration to AWS
 
Netflix Cloud Architecture and Open Source
Netflix Cloud Architecture and Open SourceNetflix Cloud Architecture and Open Source
Netflix Cloud Architecture and Open Source
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Achieve AI-Powered API Privacy using Open Source

  • 1. ACHIEVE AI-POWERED API PRIVACY USING OPEN SOURCE LASCON 2019, Austin, TX Gianluca Brigandi CEO : Atricore Inc. / Veridax gianluca@veridax.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 2. • Exploring concrete solutions – not YAPAT (Yet-Another-Privacy-Awareness-Talk) • Introduce Grass roots approach for application privacy • What can we mix-and-match TODAY to start making progress before regulations hit you • How AI (DNN specifically) can enable new capabilities in terms of hardening our apps privacy-wise What is this talk about?
  • 3. What is Privacy? State or condition of being free from being observed or disturbed by other people.
  • 4. Privacy-by-design Principles (by Prof. Ann Cavoukian) Proactive not reactive; Preventative not remedial Privacy as the default setting Privacy embedded into design Full functionality – positive-sum, not zero-sum End-to-end security – full lifecycle protection Visibility and transparency – keep it open Respect for user privacy – keep it user-centric
  • 5. 1.2B Personal Records Breached in 2017 Cost breakdown • $140B Direct Cost • + Class Action Liability • + Lost Business • + Regulator Penalties
  • 6. Why “fixing” Privacy is challenging • Cuts across Infrastructure, Data, Applications and Processes Has to address what’s inside and outside the perimeter • Must coordinate with laws and regulations (e.g. GDPR, CCPA) • Fairly new discipline: embryonic body of knowledge operating at 10K feet • Lack of accessible tools to enable faster adoption • Little insight on how to leverage security tools and techniques to introduce automation • Requires strong and effective Governance model with CxO support
  • 7. Agile PbD – The bazaar mindset (The Catheral & the Bazaar - Eric Raymond) • Agile adoption with a grass-roots strategy • Leverages current enterprise security practices: threat modeling • Builds on OS security tech that can bring value to the table: static and dynamic code analysis, behavioral analytics • Plays nice with existent DevSecOps processes and toolchain: automate privacy controls • Proactive vs Reactive – Accommodating regulatory demands instead of reacting “out of the blue”
  • 8. PbD - Cathedral vs. Bazaar Policy-driven implementation Engineering-driven Hierarchical: Owned by compliance, top-down information flow Graph: Owned by engineering team and compliance. Everyone can contribute Siloed – disconnected from the security architecture Built around the existing security architecture and capabilities Infrastructure and Data First, Applications as a second thought Applications as first-class citizens Mindset that buying COTS software will translate to solving the problem Build and Adopt, buy as a last resort
  • 9. From Idea to Implementation PrivAPI
  • 10. Challenges • Missing Dataset • Scale and variety of APIs – No standards! • Manual labeling too laborious and expensive • Consumption-ready PII is not publicly available • Lack of FOSS references for inspiration
  • 12. Synthetic Dataset Generation: Bird’s Eye REST Request Generation OpenAPI stack API descriptor Compiled API descriptor PII types and their regexes Mock PII fields generation OpenAPI descriptors Labeled Mock API Requests Automatic Labeling Unlabeled Request Oversampling Mock REST Request Generation
  • 13. Synthetic Dataset Generation: Flow • OpenAPI descriptor gets compiled • PrivAPI takes over request generation • Instead of sending it throughout the wire, it generates a mock request containing mocked fields based on specified format (e.g. SSN, Dates) • Labels mock request based on trigger words • Oversamples minority class (i.e. PII requests) • Saves it
  • 14. Model Training: Bird’s Eye Vectorize Mock Request Vocabulary Creation Keras + TensorFlow Labeled Mock API Request Labeled API Requests Dataset Analytics Model LSTM Deep Neural Network Training Embeddings Produces
  • 15. Model Training: Flow a) PrivAPI Dataset generated in the previous step gets loaded b) Vocabulary is created from it c) Vector embeddings are calculated for every API request d) LSTM Deep Neural Network is created by learning from API requests e) Analytics model is saved
  • 16. Classifying: Bird’s Eye Vectorization Keras + TensorFlow API Request Real world API Traffic Analytics Model LSTM Deep Neural Network Prediction Embeddings Consumes Is PII Classification
  • 17. Classifying: Flow a) PrivAPI analytics model generated in the previous step, along with the vocabulary, are loaded b) Analytics model (LSTM) created in the previous step is loaded c) Target “real” API request is read and vectorized d) Prediction task is executed for API request e) Prediction results, whether the submitted API request contains or does not contain, PII – are presented