© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Five Step Plan to Securing Your APIs
Javier Garza
SEC211-S
Sr. Developer Evangelist
Akamai Technologies
Speaker: Javier Garza
Developer Evangelist @Akamai (San Francisco, CA), @jjaviergarza
• 15+ years at Akamai helping large enterprises run fast and secure apps at the Edge
• Co-author of O’Reilly’s “Learning HTTP/2” book, blogger, speaker, one-liner king
• Motto: Share what you know, and learn what you don’t
• Hobbies: challenging workouts, non-profit volunteering
Agenda
Introduction
Part 1: Understand the Attack Vectors
Part 2: Mitigate the attacks with a 5 Step Plan
Part 3: Leverage the Edge
Wrap-up
Part 1: Understand the attack vectors
Growth of API Use
Web Hits by Content Type, 2014 (Source: Akamai ESSL Network, SOTI Q1 2019):
- Text / HTML - 54%
- Text / XML - 14%
- App / HTML - 26%
- App / JSON - 6%
Web Hits by Content Type, 2018 (Source: Akamai ESSL Network, SOTI Q1 2019):
- Text / HTML - 17%
- Text / XML - 14%
- App / JSON - 69%
API calls now dominate overall web hits: 83% API (XML + JSON).
Challenges in API Security
- Often InfoSec/DevSecOps is looped in too late in the development process
- API security is often complex (multiple standards, limited number of tools, lack of expertise)
- Great level of effort to apply API security at scale, especially across diverse cloud infrastructure
- Hard to stay up to date with new vulnerabilities
APIs are a Primary Target for Attackers Today
4X more credential stuffing attacks on APIs
#shellshock #heartbleed #poodle #fappening #DROWN #snappening
API Security Top 10
A1: Broken Object Level Authorization
A2: Broken Authentication
A3: Excessive Data Exposure
A4: Lack of Resources & Rate Limiting
A5: Broken Function Level Authorization
A6: Mass Assignment
A7: Security Misconfiguration
A8: Injection
A9: Improper Assets Management
A10: Insufficient Logging & Monitoring
Source: https://www.owasp.org/images/5/59/API_Security_Top_10_RC.pdf
API Security: client > network > server (on-prem API servers and cloud API servers)
4 Areas where your APIs are vulnerable
1. DDoS Attacks
2. Parameter Attacks
3. SQL Injection Attacks
4. Credential Stuffing Attacks
Denial of Service
- Targeted attack
- Misconfigured automation scripts
Source: API & Security Trends for 2018
Parameter Attacks
An important step for any resilient API implementation is to sanitize all incoming data to confirm that it is valid and will not cause harm.
Example of a request carrying parameters the endpoint never meant to accept:
  http://www.estore.com/items/items.asp?admin=true&show_all=true
SQL Injection Attacks
SQL query (classic ASP; the query-string value is concatenated straight into the SQL, which is exactly what makes it injectable):
  sql_query = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = " & Request.QueryString("ItemID")
Normal request:
  http://www.estore.com/items/items.asp?itemid=999
SQL Injection:
  http://www.estore.com/items/items.asp?itemid=999;DROP TABLE Users
76% of attacks are SQL injections
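As an added example (not code from the talk), here is the items lookup from the slide rewritten in Python with an allow-list for query parameters and a bound placeholder, so both the stray admin=true&show_all=true parameters and the 999;DROP TABLE Users value are refused before any SQL runs. The schema, the in-memory SQLite database and the Users table contents are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


class ParameterError(ValueError):
    """Raised when a request carries a parameter that fails validation."""


def parse_item_id(text: str) -> int:
    # Only plain decimal digits; int() alone would also accept "+999" or "9_99".
    if not re.fullmatch(r"[0-9]{1,9}", text):
        raise ParameterError(f"itemid must be a decimal integer, got {text!r}")
    return int(text)


# Allow-list for the items endpoint (hypothetical schema for the page's
# /items/items.asp example). "admin" and "show_all" are deliberately absent,
# so a request carrying them is rejected instead of silently honoured.
ITEMS_SCHEMA = {"itemid": parse_item_id}


def validate_params(url: str, schema=ITEMS_SCHEMA) -> dict:
    """Accept only allow-listed, well-typed, non-repeated query parameters."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    clean = {}
    for name, values in raw.items():
        key = name.lower()            # ASP's QueryString is case-insensitive
        if key not in schema:
            raise ParameterError(f"unexpected parameter: {name}")
        if len(values) != 1:
            raise ParameterError(f"parameter repeated: {name}")
        clean[key] = schema[key](values[0])
    missing = [k for k in schema if k not in clean]
    if missing:
        raise ParameterError(f"missing parameter: {missing[0]}")
    return clean


SAFE_SQL = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = ?"


def build_query_vulnerable(item_id: str) -> str:
    """The slide's classic-ASP pattern transcribed: raw input glued into SQL.
    Kept only to contrast with handle_items_request; never executed here."""
    return "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = " + item_id


def handle_items_request(conn: sqlite3.Connection, url: str):
    """Hardened path: validate first, then bind the typed value to a placeholder.
    Returns ("ok", rows) or ("rejected", reason)."""
    try:
        params = validate_params(url)
    except ParameterError as exc:
        return ("rejected", str(exc))
    rows = conn.execute(SAFE_SQL, (params["itemid"],)).fetchall()
    return ("ok", rows)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with the slide's Item table plus a Users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Item (ItemNumber INTEGER PRIMARY KEY, ItemName TEXT, ItemDescription TEXT);
        CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Item VALUES (999, 'Widget', 'A sample widget');
        INSERT INTO Users VALUES (1, 'alice');
        """
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = demo_db()
    for u in ("http://www.estore.com/items/items.asp?itemid=999",
              "http://www.estore.com/items/items.asp?itemid=999;DROP TABLE Users",
              "http://www.estore.com/items/items.asp?admin=true&show_all=true"):
        print(u, "->", handle_items_request(db, u))
    print("Users table still present:", table_exists(db, "Users"))
```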
Credential Stuffing Attacks
With clients that don’t render JavaScript a lot of the typical credential stuffing defenses just don’t work.
Aggressive botnets will overwhelm origin with login requests.
28 billion credential stuffing attempts in 8 months (observed on Akamai Intelligent Edge Platform, 2018). Source: Akamai SOTI 1Q 2019
Recap: 4 Areas where your APIs are vulnerable
1. DDoS Attacks
2. Parameter Attacks
3. SQL Injection Attacks
4. Credential Stuffing Attacks
Part 2: Mitigation
Know how to stop the attack.
Step 1: DDoS Mitigation
The types of Denial of Service attacks:
- Volumetric flooding
- Process consumption attack
- Range attack
Volumetric flooding
- Overwhelm APIs with a flood of HTTP/HTTPS requests.
- Attacks can leverage IoT devices (Mirai Botnet).
- One way to do this is by purchasing access to a "booter service", which is a marketing term for "DDoS for Hire".
Mitigation
- Network controls
  - blacklisting IPs and CIDR ranges
  - IP reputation lists
- Rate limits
  - defining thresholds
- Slow posts
  - protect against attacks that try to consume application resources by opening an HTTP connection and then sending data very slowly
- Authentication
  - Mutual Auth (client certs)
Step 2: Protect processes
Process consumption attacks
- Target CPU/RAM: focus on allocations rather than network bandwidth.
- Hash collision: a commonly known consumption attack.
- Malicious JSON: overwhelm the CPU by sending bulk malicious JSON.
Mitigation
- Set a limit on the number of keys.
- Set a maximum nesting depth.
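An added example, not from the talk, of both mitigations in Python: a single pre-parse scan that refuses a JSON body once it exceeds a byte size, a key count or a nesting depth, so the expensive decode never runs on a hostile document. The limit values are hypothetical defaults.

```python
import json


class JsonLimitExceeded(ValueError):
    """Raised when a JSON document exceeds a resource limit before it is decoded."""


def check_json_limits(raw: str, max_bytes: int = 1_000_000,
                      max_keys: int = 1_000, max_depth: int = 32) -> dict:
    """Single pass over the raw text, before json.loads, measuring container
    nesting depth and the number of object keys. Raises JsonLimitExceeded on
    the first limit hit, so a hostile document is refused before it costs a
    full parse. Returns {"keys": ..., "depth": ...} for an accepted document."""
    size = len(raw.encode("utf-8"))
    if size > max_bytes:
        raise JsonLimitExceeded(f"payload too large: {size} bytes")
    stack = []            # one entry per open '{' or '['
    keys = 0
    deepest = 0
    i, n = 0, len(raw)
    while i < n:
        ch = raw[i]
        if ch == '"':
            j = i + 1     # find the closing quote, honouring backslash escapes
            while j < n and raw[j] != '"':
                j += 2 if raw[j] == "\\" else 1
            if j >= n:
                raise JsonLimitExceeded("unterminated string")
            k = j + 1     # a string directly inside an object and followed by ':' is a key
            while k < n and raw[k] in " \t\r\n":
                k += 1
            if stack and stack[-1] == "{" and k < n and raw[k] == ":":
                keys += 1
                if keys > max_keys:
                    raise JsonLimitExceeded(f"key count exceeds {max_keys}")
            i = j + 1
            continue
        if ch in "{[":
            stack.append(ch)
            if len(stack) > max_depth:
                raise JsonLimitExceeded(f"nesting depth exceeds {max_depth}")
            deepest = max(deepest, len(stack))
        elif ch in "}]":
            if not stack:
                raise JsonLimitExceeded("unbalanced closing bracket")
            stack.pop()
        i += 1
    return {"keys": keys, "depth": deepest}


def parse_bounded(raw: str, **limits):
    """Decode JSON only after check_json_limits accepts it.
    Returns (object, None) on success or (None, reason) when refused.
    Bounding the key count also bounds a hash-collision attack: the cost of
    inserting colliding keys grows with how many of them the sender can deliver."""
    try:
        check_json_limits(raw, **limits)
        return (json.loads(raw), None)
    except JsonLimitExceeded as exc:
        return (None, str(exc))
    except json.JSONDecodeError as exc:
        return (None, f"malformed JSON: {exc.msg}")


if __name__ == "__main__":
    # Constructed inputs: a normal document and an over-nested one.
    print(parse_bounded('{"a": 1, "b": {"c": [1, 2, {"d": "x:y"}]}}'))
    print(parse_bounded("[" * 40 + "]" * 40, max_depth=32))
```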
Step 3: Range attacks / Scraping
Scraping / Range Attack
- Trying to retrieve large volumes of data, leading to DDoS-like conditions.
Mitigation
- Set a limit on the allowed range.
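An added Python example (not the talk's code) that bounds the two ways a range reaches an API: a record window (?offset=&limit=) on a list endpoint, and an HTTP Range header asking for byte spans of a large object. The policy numbers (max window, max offset, max parts, max total bytes) are hypothetical.

```python
import re
from dataclasses import dataclass


class RangeRejected(ValueError):
    """Raised when a request asks for more data than policy allows."""


@dataclass(frozen=True)
class Window:
    offset: int
    limit: int


def _decimal(name, text):
    # Only plain decimal digits, bounded in length so the value cannot be huge.
    if not re.fullmatch(r"[0-9]{1,9}", str(text)):
        raise RangeRejected(f"{name} must be a non-negative integer")
    return int(text)


def bound_page_window(params, default_limit=20, max_limit=100, max_offset=10_000):
    """Validate ?offset=&limit= for a list endpoint (params: dict of str -> str).
    limit is clamped to max_limit (the client simply gets fewer rows); an offset
    past max_offset is refused, which is what stops a scraper from walking the
    whole data set one window at a time. Policy numbers are hypothetical."""
    offset = _decimal("offset", params.get("offset", 0))
    limit = _decimal("limit", params.get("limit", default_limit))
    if limit == 0:
        raise RangeRejected("limit must be at least 1")
    if offset > max_offset:
        raise RangeRejected(f"offset {offset} exceeds maximum {max_offset}")
    return Window(offset, min(limit, max_limit))


_PART = re.compile(r"^([0-9]{0,15})-([0-9]{0,15})$")


def check_byte_range(header, content_length, max_parts=5, max_total=50_000_000):
    """Parse an HTTP Range header ('bytes=first-last, -suffix, first-') and
    refuse requests with too many parts, overlapping parts, or more bytes in
    total than policy allows. Returns the sorted list of (first, last) spans."""
    unit, _, spec = header.partition("=")
    if unit.strip().lower() != "bytes" or not spec.strip():
        raise RangeRejected("unsupported or empty range")
    spans = []
    for part in spec.split(","):
        m = _PART.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise RangeRejected(f"malformed range part: {part.strip()!r}")
        first, last = m.group(1), m.group(2)
        if first == "":                             # suffix form: last N bytes
            lo, hi = max(content_length - int(last), 0), content_length - 1
        else:
            lo = int(first)
            hi = min(int(last) if last else content_length - 1, content_length - 1)
        if lo > hi or lo >= content_length:
            raise RangeRejected(f"unsatisfiable range part: {part.strip()!r}")
        spans.append((lo, hi))
    if len(spans) > max_parts:
        raise RangeRejected(f"{len(spans)} range parts exceeds maximum {max_parts}")
    spans.sort()
    for (_, prev_hi), (next_lo, _) in zip(spans, spans[1:]):
        if next_lo <= prev_hi:
            raise RangeRejected("overlapping range parts")
    total = sum(hi - lo + 1 for lo, hi in spans)
    if total > max_total:
        raise RangeRejected(f"range requests {total} bytes, maximum {max_total}")
    return spans


def verdict(check, *args, **kwargs):
    """Run a check and report ("ok", result) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", check(*args, **kwargs))
    except RangeRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed requests: an honest page, a scraper's deep offset, a greedy byte range.
    print(verdict(bound_page_window, {"offset": "40", "limit": "25"}))
    print(verdict(bound_page_window, {"offset": "999999"}))
    print(verdict(check_byte_range, "bytes=0-", 10**9))
```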
Step 4: Protect credentials
Bots stealing your credentials.
Credentials Abuse
- 30% of all API authentication attempts are fraudulent.
- Credential abuse tools are easily accessible thanks to public source code repositories.
Mitigation
- Good practices; i.e. don’t give them hints regarding valid users and passwords, password recovery, etc.
- Rate controls on login, password recovery, etc.
- Strong authentication (two-factor auth, biometric/security keys), OAuth, OpenID
- Human behavior detection (automatically distinguish if the user is a human or not)
Step 5: Manage bots
Understand bots.
Bot Management
- Bots represent up to 50% or more of overall website traffic.
- All bots are not equal and can’t be managed the same way.
- Good bots vs. bad bots.
- Identify, categorize, manage, and report on bot traffic.
Mitigation
- Enforce quotas
- Analyze traffic and try to categorize known bot traffic
- Use a bot detection tool
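An added Python example, not from the talk, that serves three of the steps at once: the rate-limit thresholds of Step 1, the login and password-recovery rate controls of Step 4, and the per-key quotas of Step 5, in one sliding-window limiter with an injectable clock. The thresholds, the client addresses (documentation ranges) and the replayed request timeline are all constructed.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy values: (max requests, window seconds) per endpoint class,
# tightest on the endpoints credential-stuffing tools hit hardest, plus a
# per-API-key rolling daily quota. Tune to your own traffic.
RATE_POLICY = {
    "login": (5, 60),
    "password_recovery": (3, 300),
    "default": (100, 60),
}
DAILY_QUOTA = 10_000
DAY = 86_400


class EdgeLimiter:
    """Sliding-window limiter keyed by (client, endpoint class) with a separate
    rolling 24h quota keyed by API key. Timestamps come from an injectable
    clock so a traffic timeline can be replayed deterministically."""

    def __init__(self, policy=RATE_POLICY, quota=DAILY_QUOTA, clock=time.monotonic):
        self.policy = policy
        self.quota = quota
        self.clock = clock
        self._hits = defaultdict(deque)    # (client, endpoint) -> accepted timestamps
        self._usage = defaultdict(deque)   # api_key -> accepted timestamps, last 24h

    @staticmethod
    def _prune(window_hits, now, window):
        # Drop timestamps that have aged out of the window.
        while window_hits and now - window_hits[0] >= window:
            window_hits.popleft()

    def check(self, client, endpoint_class, api_key=None):
        """Decide one request. Returns (allowed, reason, retry_after_seconds).
        Only accepted requests are recorded, so each deque never grows past its
        limit; idle clients still need periodic sweeping in a real deployment."""
        now = self.clock()
        limit, window = self.policy.get(endpoint_class, self.policy["default"])
        hits = self._hits[(client, endpoint_class)]
        self._prune(hits, now, window)
        if len(hits) >= limit:
            return (False, f"rate limit {limit}/{window}s on {endpoint_class}",
                    window - (now - hits[0]))
        if api_key is not None:
            usage = self._usage[api_key]
            self._prune(usage, now, DAY)
            if len(usage) >= self.quota:
                return (False, "daily quota exhausted", DAY - (now - usage[0]))
            usage.append(now)
        hits.append(now)
        return (True, "ok", 0.0)


class FakeClock:
    """Deterministic clock for replaying a constructed request timeline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(events, policy=RATE_POLICY, quota=DAILY_QUOTA):
    """Replay constructed events (seconds, client, endpoint_class, api_key) in
    order and return one (allowed, reason) decision per event."""
    clock = FakeClock()
    limiter = EdgeLimiter(policy=policy, quota=quota, clock=clock)
    decisions = []
    for seconds, client, endpoint_class, api_key in events:
        clock.t = float(seconds)
        allowed, reason, _ = limiter.check(client, endpoint_class, api_key)
        decisions.append((allowed, reason))
    return decisions


if __name__ == "__main__":
    # Constructed burst: one client retrying /login seven times in seven seconds.
    burst = [(s, "203.0.113.7", "login", None) for s in range(7)]
    for event, decision in zip(burst, simulate(burst)):
        print(event, "->", decision)
```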
Part 3: Leverage the Edge
Thwart attacks closer to your origin: CDNs are evolving into Secured Edge Platforms.
The edge of the Internet
- Migration from central processing to distributed edge processing (infrastructure offload + performance)
- CDN technologies have evolved to thwart attacks closer to the source
Source: https://business.nasdaq.com/marketinsite/2018/Corp/The-Future-Is-Moving-To-The-Edge.html
Why fight attacks at the edge?
Thwart attacks closer to the source: fight your attacks far away from your origin servers and keep your infrastructure safe.
- Defend against attacks closer to the source.
- Integrated protection for your APIs without compromising on performance.
- Apply machine learning to outsmart your attackers.
Secure APIs = Security + Management, with API Gateway
API Management: manage and govern all your API operations at the edge.
- Prevent intentional/unintentional abuses
- Rate limiting
- Quotas
- Authentication
- Rule-based defense shield on the edge
Demo
The strategy: API Security
- ANALYZE: Identify what you need to secure
- SECURE: Authorization, authentication, validation, rate limiting, etc.
- DEFEND: Implement measures to enforce all APIs (both internal and external)
- VERIFY: Ensure we comply with the rules defined
Develop an API Protection Plan Today
Within 7 days you should:
− Assess your APIs and identify potential security risks
Within 1 month you should:
− Understand who is accessing your APIs, from where and how
− Define appropriate API security measures
Within 3 months you should:
− Select a security solution which allows customizable and automated API protection tailored to your organization’s needs
− Drive an implementation project to protect all public and private APIs
Thank you!
Slides: https://www.slideshare.net/JavierGarza18 | @jjaviergarza

 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 

5 step plan to securing your APIs

  • 1. Five Step Plan to Securing Your APIs. Javier Garza, SEC211-S, Sr. Developer Evangelist, Akamai Technologies. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 2. Speaker: Javier Garza, Developer Evangelist @Akamai (San Francisco, CA), @jjaviergarza
    - 15+ years at Akamai helping large enterprises run fast and secure apps at the Edge
    - Co-author of O’Reilly’s “Learning HTTP/2” book, blogger, speaker, one-liner king
    - Motto: Share what you know, and learn what you don’t
    - Hobbies: challenging workouts, non-profit volunteering
  • 3. Agenda
    - Introduction
    - Part 1: Understand the Attack Vectors
    - Part 2: Mitigate the attacks with a 5 Step Plan
    - Part 3: Leverage the Edge
    - Wrap-up
  • 5. Growth of API Use. Web Hits by Content Type, 2014: Text / HTML 54%, Text / XML 14%, App / HTML 26%, App / JSON 6%. Source: Akamai ESSL Network, SOTI Q1 2019
  • 6. Growth of API Use. API calls now dominate overall web hits: 83% API. Web Hits by Content Type, 2018: Text / HTML 17%, Text / XML 14%, App / JSON 69%. Source: Akamai ESSL Network, SOTI Q1 2019
  • 7. Challenges in API Security
    - InfoSec/DevSecOps is often looped in too late in the development process
    - API security is often complex (multiple standards, limited number of tools, lack of expertise)
    - Great level of effort to apply API security at scale, especially across diverse cloud infrastructure
    - Hard to stay up to date with new vulnerabilities
  • 8. APIs are a Primary Target for Attackers Today: 4X more credential stuffing attacks on APIs. #shellshock #heartbleed #poodle #fappening #DROWN #snappening
  • 9. API Security Top 10
    - A1: Broken Object Level Authorization
    - A2: Broken Authentication
    - A3: Excessive Data Exposure
    - A4: Lack of Resources & Rate Limiting
    - A5: Broken Function Level Authorization
    - A6: Mass Assignment
    - A7: Security Misconfiguration
    - A8: Injection
    - A9: Improper Assets Management
    - A10: Insufficient Logging & Monitoring
    Source: https://www.owasp.org/images/5/59/API_Security_Top_10_RC.pdf
  • 10. API Security: client > network > server. On-prem API servers; cloud API servers.
  • 11. 4 Areas where your APIs are vulnerable
    1. DDoS Attacks
    2. Parameter Attacks
    3. SQL Injection Attacks
    4. Credential Stuffing Attacks
  • 12. Denial of Service: targeted attacks; misconfigured automation scripts. Source: API & Security Trends for 2018
  • 13. Parameter Attacks. An important step for any resilient API implementation is to sanitize all incoming data to confirm that it is valid and will not cause harm. Example: http://www.estore.com/items/items.asp?admin=true&show_all=true
  • 14. SQL Injection Attacks
    SQL query:
      sql_query = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = " & Request.QueryString("ItemID")
    Normal request:
      http://www.estore.com/items/items.asp?itemid=999
    SQL Injection:
      http://www.estore.com/items/items.asp?itemid=999;DROP TABLE Users
    76% of attacks are SQL injections
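Slides 13 and 14 describe two defences that belong together: an allowlist of accepted parameters with a validator for each, and a query that never concatenates user input. The Python below is an added example for this page, not code from the deck or from Akamai. It builds an in-memory SQLite catalogue from constructed rows, reuses the slide's own URLs, and shows the concatenated query (mirroring the slide's `sql_query`) returning the whole table for a tampered `itemid` while the parameterized query returns nothing; the names `validate_params`, `handle_request` and `ALLOWED_PARAMS` are the example's own.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Allowlist for the /items endpoint: parameter name -> validator for its value.
# Anything not listed (admin=true, show_all=true, ...) is rejected outright.
ALLOWED_PARAMS = {
    "itemid": lambda v: v.isdigit() and 0 < int(v) < 10**9,
}


def validate_params(url):
    """Return the validated /items parameters, or raise ValueError.

    Unknown parameters, repeated parameters and values that fail their validator
    are all refused before anything reaches the database.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    clean = {}
    for name, values in query.items():
        key = name.lower()
        if key not in ALLOWED_PARAMS:
            raise ValueError(f"unexpected parameter: {name}")
        if len(values) != 1:
            raise ValueError(f"parameter repeated: {name}")
        if not ALLOWED_PARAMS[key](values[0]):
            raise ValueError(f"invalid value for {name}")
        clean[key] = values[0]
    if "itemid" not in clean:
        raise ValueError("itemid is required")
    return clean


def build_db():
    """Constructed sample catalogue, in memory, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Item (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT)")
    conn.executemany(
        "INSERT INTO Item VALUES (?, ?, ?)",
        [(999, "Widget", "A widget"), (1000, "Gadget", "A gadget"), (1001, "Doohickey", "Internal")],
    )
    return conn


def lookup_vulnerable(conn, item_id):
    """String concatenation, as in the slide's sql_query: the user's value becomes SQL."""
    sql = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = " + item_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, item_id):
    """Bound parameter: the value travels as data and cannot change the query's structure."""
    sql = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = ?"
    return conn.execute(sql, (item_id,)).fetchall()


def handle_request(conn, url):
    """Hardened path: allowlist validation first, then a parameterized query."""
    params = validate_params(url)
    return lookup_parameterized(conn, int(params["itemid"]))


def is_rejected(conn, url):
    """True when validation refuses the request before any SQL runs."""
    try:
        handle_request(conn, url)
    except ValueError:
        return True
    return False
```

The tampered value `999 OR 1=1` is used instead of the slide's `DROP TABLE` to show the data-exposure side of the same flaw: concatenation dumps every row, while the bound parameter treats the whole string as a literal that matches nothing.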
  • 15. Credential Stuffing Attacks. With clients that don’t render JavaScript, a lot of the typical credential stuffing defenses just don’t work. Aggressive botnets will overwhelm origin with login requests. 28 billion credential stuffing attempts in 8 months. Source: Akamai SOTI 1Q 2019 (observed on Akamai Intelligent Edge Platform, 2018)
  • 16. Recap: 4 Areas where your APIs are vulnerable
    1. DDoS Attacks
    2. Parameter Attacks
    3. SQL Injection Attacks
    4. Credential Stuffing Attacks
  • 17. Mitigation: Know how to stop the attack.
  • 19. The Types. Denial of Service attacks: volumetric flooding; process consumption attack; range attack
  • 20. Volumetric flooding
    - Overwhelm APIs with a flood of HTTP/HTTPS requests.
    - Attacks can leverage IoT devices (Mirai botnet).
    - One way to do this is by purchasing access to a "booter service", which is a marketing term for "DDoS for hire".
  • 21. Mitigation
    - Network controls: blacklisting IPs and CIDR ranges; IP reputation lists
    - Rate limits: defining thresholds
    - Slow posts: protect against attacks that try to consume application resources by opening an HTTP connection and then sending data very slowly
    - Authentication: mutual auth (client certs)
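The first three controls on slide 21, as an added Python example that is not from the deck: a CIDR and reputation blocklist check, a per-client token-bucket rate limit, and a slow-post guard that rejects an upload whose body is arriving below a minimum rate or taking too long. The network ranges, reputation entries and thresholds are constructed for the example, and the clock is injectable so the limiter can be exercised without sleeping.

```python
import ipaddress
import time

# Constructed blocklist for the example: a CIDR range plus a single host written as a /32.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Constructed IP reputation entries, standing in for a feed loaded at startup.
REPUTATION = {"192.0.2.44": "scanner"}


def is_blocked(client_ip):
    """Network control: drop clients on the CIDR blocklist or on the reputation list."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return True
    return client_ip in REPUTATION


class TokenBucket:
    """Per-client rate limit: `rate` requests per second, bursts up to `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self.buckets = {}  # client key -> (tokens remaining, time of last refill)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last call
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


class SlowPostGuard:
    """Slow-post defence: a body must keep arriving at a minimum rate and finish in time."""

    def __init__(self, min_bytes_per_sec=1024, max_seconds=30):
        self.min_rate = min_bytes_per_sec
        self.max_seconds = max_seconds

    def check(self, declared_length, received_bytes, elapsed_seconds):
        """Verdict for an in-flight upload: 'complete', 'ok', or a 'reject: ...' reason."""
        if received_bytes >= declared_length:
            return "complete"
        if elapsed_seconds > self.max_seconds:
            return "reject: body took too long"
        # One second of grace for connection setup, then demand sustained throughput.
        if elapsed_seconds >= 1 and received_bytes / elapsed_seconds < self.min_rate:
            return "reject: body arriving too slowly"
        return "ok"


def admit(client_ip, limiter):
    """Apply the controls in the order a front door would: cheapest check first."""
    if is_blocked(client_ip):
        return "reject: blocked network or reputation"
    if not limiter.allow(client_ip):
        return "reject: rate limit"
    return "accept"
```

In production the bucket state lives in a shared store rather than a process dictionary, and the slow-post check runs from the server's read loop with the real Content-Length and elapsed time.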
  • 23. Process consumption attacks
    - Target CPU/RAM: focus on allocations rather than network bandwidth
    - Hash collision: a commonly known consumption attack
    - Malicious JSON: overwhelm the CPU by sending bulk malicious JSON
  • 24. Mitigation
    - Set a limit on the number of keys
    - Set a maximum nesting depth
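Slide 24's two limits, as an added Python example that is not part of the deck: one linear pass over the raw request body counts nesting depth and object keys (ignoring braces inside string literals) and refuses the payload before `json.loads` allocates anything, so a key-flood or deep-nesting body costs the server a scan rather than a parse. The limits (20 levels, 1000 keys, 1 MB) and the function names are the example's own assumptions; tune them to the schemas the API actually accepts.

```python
import json


class JsonLimitError(ValueError):
    """Raised when a request body exceeds the configured structural limits."""


def check_json_limits(text, max_depth=20, max_keys=1000, max_bytes=1_000_000):
    """Scan the raw JSON text once and enforce size, depth and key-count limits.

    Returns {"depth": deepest nesting seen, "keys": object keys seen} on success.
    Braces and colons inside string literals are skipped, so a value such as
    "a { b : c }" does not count as structure.
    """
    if len(text) > max_bytes:
        raise JsonLimitError(f"body larger than {max_bytes} bytes")
    stack = []          # 'o' for an open object, 'a' for an open array
    deepest = 0
    keys = 0            # also bounds hash-table work: every key costs a hash and an insert
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            stack.append("o" if ch == "{" else "a")
            deepest = max(deepest, len(stack))
            if deepest > max_depth:
                raise JsonLimitError(f"nesting deeper than {max_depth} levels")
        elif ch in "}]":
            if stack:
                stack.pop()
        elif ch == ":" and stack and stack[-1] == "o":
            # A colon directly inside an object separates a key from its value.
            keys += 1
            if keys > max_keys:
                raise JsonLimitError(f"more than {max_keys} object keys")
    return {"depth": deepest, "keys": keys}


def parse_json_safely(text, **limits):
    """Enforce the limits first, then hand the body to the real parser."""
    check_json_limits(text, **limits)
    return json.loads(text)


def payload_verdict(text, **limits):
    """Human-readable accept/reject line for a body, handy for logging the decision."""
    try:
        stats = check_json_limits(text, **limits)
    except JsonLimitError as exc:
        return f"reject: {exc}"
    return f"accept: depth={stats['depth']} keys={stats['keys']}"


# Constructed sample body: three levels deep, four keys, a brace hidden inside a string.
SAMPLE_BODY = '{"user": {"id": 7, "tags": ["a", "b"]}, "note": "brace { in string"}'

if __name__ == "__main__":
    print(payload_verdict(SAMPLE_BODY))
    print(payload_verdict("[" * 25 + "]" * 25))
```

Malformed JSON still reaches `json.loads`, which raises its own error; the guard's job is only to make sure that call is cheap.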
  • 25. Step 3: Range attacks / Scraping
  • 26. Scraping / Range Attack: attempting to retrieve a large volume of data, leading to DDoS-like conditions.
  • 27. Mitigation: set a limit on the allowed range.
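Slide 27's mitigation, as an added Python example (not from the deck) covering the two shapes a "range" takes in an API: a `limit`/`offset` clamp for paginated list endpoints, and an HTTP `Range: bytes=` header parser that caps how many ranges one request may ask for and how many bytes they may add up to. `MAX_PAGE_SIZE`, `MAX_RANGES`, `MAX_RANGE_BYTES` and the function names are the example's assumptions.

```python
import re

MAX_PAGE_SIZE = 100                 # rows per page a list endpoint will ever return
MAX_RANGES = 5                      # byte ranges accepted in one Range header
MAX_RANGE_BYTES = 10 * 1024 * 1024  # total bytes one ranged request may pull (10 MiB)


def clamp_page(limit, offset, max_offset=100_000):
    """Pagination guard: cap the page size and how far a client may page into a collection.

    Returns (limit, offset) with the size clamped, or raises ValueError for bad input.
    """
    try:
        limit = int(limit) if limit is not None else MAX_PAGE_SIZE
        offset = int(offset) if offset is not None else 0
    except ValueError:
        raise ValueError("limit and offset must be integers") from None
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    if offset > max_offset:
        raise ValueError("offset beyond the allowed window")
    return min(limit, MAX_PAGE_SIZE), offset


# One byte-range spec: "first-last", "first-" or "-suffix_length".
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_range_header(value, resource_size):
    """Parse a `Range: bytes=...` header and enforce the range budget.

    Returns a list of inclusive (start, end) tuples, or raises ValueError when the header
    is malformed, asks for too many ranges, is unsatisfiable, or exceeds MAX_RANGE_BYTES.
    """
    if not value.startswith("bytes="):
        raise ValueError("unsupported range unit")
    specs = value[len("bytes="):].split(",")
    if len(specs) > MAX_RANGES:
        raise ValueError(f"more than {MAX_RANGES} ranges requested")
    ranges, total = [], 0
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed range: {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":                              # suffix range: the last N bytes
            start = max(0, resource_size - int(last))
            end = resource_size - 1
        else:
            start = int(first)
            end = resource_size - 1 if last == "" else min(int(last), resource_size - 1)
        if start > end:
            raise ValueError(f"unsatisfiable range: {spec!r}")
        total += end - start + 1                     # overlapping ranges are charged in full
        if total > MAX_RANGE_BYTES:
            raise ValueError("requested ranges exceed the allowed byte budget")
        ranges.append((start, end))
    return ranges


def page_verdict(limit, offset):
    try:
        return clamp_page(limit, offset)
    except ValueError as exc:
        return f"reject: {exc}"


def range_verdict(value, resource_size):
    try:
        return parse_range_header(value, resource_size)
    except ValueError as exc:
        return f"reject: {exc}"
```

Charging overlapping ranges in full is deliberate: a request that repeats the same span many times is exactly the pattern a range-based scraper or amplification attempt produces, and the budget should reflect the work the server would do, not the distinct bytes it returns.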
  • 29. Credentials Abuse: bots stealing your credentials.
    - 30% of all API authentication attempts are fraudulent.
    - Credential abuse tools are easily accessible thanks to public source code repositories.
  • 30. Mitigation
    - Good practices, e.g. don’t give hints about valid users and passwords in login, password recovery, etc.
    - Rate controls on login, password recovery, etc.
    - Strong authentication (two-factor auth, biometric/security keys), OAuth, OpenID
    - Human behavior detection (automatically distinguish whether the user is a human or not)
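The first two bullets of slide 30, as an added Python example that is not part of the deck: a login service that returns one message for both "unknown user" and "wrong password", runs the same password-hash computation in both cases so response timing does not reveal which accounts exist, answers every password-reset request identically, and counts failures per account to enforce a rate control. The PBKDF2 iteration count, the failure window and threshold, and the class and method names are the example's assumptions.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed value; raise it to what your hardware affords
MAX_FAILURES = 5              # failed attempts per account before further attempts are refused
FAILURE_WINDOW = 15 * 60      # seconds a failure keeps counting against the account


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    GENERIC_ERROR = "invalid username or password"
    RATE_ERROR = "too many attempts, try again later"
    RESET_MESSAGE = "if that account exists, a reset link has been sent"

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so the window can be tested without waiting
        self.users = {}               # username -> (salt, digest)
        self.failures = {}            # username -> timestamps of recent failed logins
        self.pending_resets = {}      # username -> reset token (delivered out of band)
        # Decoy credential: unknown usernames are verified against this, so the work done
        # (and therefore the response time) matches that of a real account.
        self._decoy = hash_password(os.urandom(16).hex())

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def _recent_failures(self, username):
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < FAILURE_WINDOW]
        self.failures[username] = recent
        return recent

    def login(self, username, password):
        """Return (ok, message); the message never says which part was wrong."""
        if len(self._recent_failures(username)) >= MAX_FAILURES:
            return False, self.RATE_ERROR
        salt, expected = self.users.get(username, self._decoy)
        _, actual = hash_password(password, salt)
        # Constant-time digest comparison, then the cheap membership check.
        ok = hmac.compare_digest(expected, actual) and username in self.users
        if not ok:
            self.failures[username].append(self.clock())
            return False, self.GENERIC_ERROR
        self.failures.pop(username, None)
        return True, "ok"

    def request_password_reset(self, username):
        """Same response for existing and unknown accounts; any token goes out of band."""
        if username in self.users:
            self.pending_resets[username] = os.urandom(16).hex()
        return self.RESET_MESSAGE
```

The per-account counter stops a password-guessing loop against one user; the per-client rate limit from slide 21 is still needed against credential stuffing, which spreads one attempt across many accounts.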
  • 32. Bot Management: understand bots.
    - Bots represent up to 50% or more of overall website traffic.
    - Not all bots are equal, and they can’t all be managed the same way.
    - Good bots vs. bad bots.
    - Identify, categorize, manage, and report on bot traffic.
  • 33. Mitigation
    - Enforce quotas
    - Analyze traffic and try to categorize known bot traffic
    - Use a bot detection tool
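Slide 33's quota and categorization steps run over sample traffic, as an added Python example that is not from the deck: it parses constructed access-log lines, sorts each client into a coarse category from its User-Agent (self-declared search-engine crawler, browser, scripting client, no UA at all), and flags clients whose request count exceeds the quota for their category. The log lines, category rules and quota numbers are constructed for the example; as the comment says, a crawler's claimed identity must be verified before it earns the larger quota.

```python
import re
from collections import Counter

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2019:10:00:01 +0000] "GET /api/v1/items?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.11 - - [10/Jun/2019:10:00:02 +0000] "GET /api/v1/items?page=2 HTTP/1.1" 200 512 "-" "python-requests/2.21.0"
192.0.2.11 - - [10/Jun/2019:10:00:02 +0000] "GET /api/v1/items?page=3 HTTP/1.1" 200 512 "-" "python-requests/2.21.0"
192.0.2.12 - - [10/Jun/2019:10:00:03 +0000] "GET /api/v1/items?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0 Safari/537.36"
192.0.2.13 - - [10/Jun/2019:10:00:04 +0000] "GET /api/v1/items?page=1 HTTP/1.1" 200 512 "-" "-"
192.0.2.14 - - [10/Jun/2019:10:00:05 +0000] "GET /api/v1/items?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Self-declared search-engine crawlers. The UA string is trivially forged, so a real
# deployment confirms the claim (reverse DNS or the vendor's published IP ranges)
# before granting the crawler quota; here the declaration alone decides the category.
KNOWN_GOOD_BOTS = ("Googlebot", "bingbot")
# HTTP libraries: fine for authenticated partners, suspicious as anonymous traffic.
SCRIPT_CLIENTS = ("python-requests", "curl/", "Go-http-client", "Java/")


def categorize(user_agent):
    """Coarse client category from the User-Agent header."""
    if not user_agent or user_agent == "-":
        return "no-ua"
    if any(b in user_agent for b in KNOWN_GOOD_BOTS):
        return "declared-good-bot"
    if any(s in user_agent for s in SCRIPT_CLIENTS):
        return "script"
    if "Mozilla/" in user_agent:
        return "browser"
    return "unknown"


# Requests allowed per client, per category, over the analysed window (constructed values).
QUOTAS = {"declared-good-bot": 1000, "browser": 300, "script": 1, "no-ua": 0, "unknown": 20}


def analyse(log_text):
    """Parse the log, categorise each client, count requests and flag quota violations."""
    per_client = Counter()
    category = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: count it separately in a real pipeline
        ip = m.group("ip")
        per_client[ip] += 1
        category[ip] = categorize(m.group("ua"))
    over_quota = {ip: category[ip] for ip, n in per_client.items() if n > QUOTAS[category[ip]]}
    return {
        "by_category": dict(Counter(category.values())),
        "requests": dict(per_client),
        "over_quota": over_quota,
    }
```

The output is a report, not a block decision: the next step on the slide is to feed the categorized counts into whatever enforces quotas at the edge, and to hand the "unknown" and "no-ua" clients to a dedicated bot detection tool.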
  • 34. Leverage the Edge: thwart attacks closer to your origin
  • 35. CDN evolving into a Secured Edge Platform. The edge of the Internet:
    - Migration from central processing to distributed edge processing (infrastructure offload + performance)
    - CDN technologies have evolved to thwart attacks closer to the source
    Source: https://business.nasdaq.com/marketinsite/2018/Corp/The-Future-Is-Moving-To-The-Edge.html
  • 36. Why fight attacks at the edge? Thwart attacks closer to the source: fight your attacks far away from your origin servers and keep your infrastructure safe.
    - Defend against attacks closer to the source.
    - Integrated protection for your APIs without compromising on performance.
    - Apply machine learning to outsmart your attackers.
  • 37. Secure APIs = Security + Management
  • 38. API Management with API Gateway: manage and govern all your API operations at the edge.
    - Prevent intentional/unintentional abuses
    - Rate limiting
    - Quotas
    - Authentication
    - Rule-based defense shield on the edge
  • 39. Demo
  • 40. The strategy: API Security
    - VERIFY: ensure we comply with the rules defined
    - DEFEND: implement measures to enforce all APIs (both internal and external)
    - ANALYZE: identify what you need to secure
    - SECURE: authorization, authentication, validation, rate limiting, etc.
  • 41. Develop an API Protection Plan Today
    Within 7 days you should:
    − Assess your APIs and identify potential security risks
    Within 1 month you should:
    − Understand who is accessing your APIs, from where and how
    − Define appropriate API security measures
    Within 3 months you should:
    − Select a security solution which allows customizable and automated API protection tailored to your organization’s needs
    − Drive an implementation project to protect all public and private APIs
  • 42. Thank you! Slides: https://www.slideshare.net/JavierGarza18 @jjaviergarza. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.