SlideShare a Scribd company logo

LF_APIStrat17_Bulletproofing Your API's

LF_APIStrat
LF_APIStrat

In today’s inter-connected world, the statistics are against you for a secure API. It is not a matter of if but when one simple breach can make front page news, tarnish your organization’s reputation, and cause problems not only for your organization but for external consumers of your API as well. With such loaded consequences, testing and validating access to your application or device for security vulnerabilities needs to become an industry standard. In this session, you'll learn: Shift left your security testing efforts and establish a continuous security testing process Perform API security penetration testing Extend existing functional tests with security scenarios Correlate security vulnerabilities to business requirements

Technology
1 of 19
Download to read offline
Bulletproofing your APIs Nathan Jakubiak, Parasoft jakubiak@parasoft.com Presentation slides: http://sched.co/BiDc
API security is like…
The Traditional Approach to Security Security Problems Dev Stream Dev Stream Dev Stream Dev Stream SecurityQA/Integration It’s too close to the release date! I don’t understand the problem We are no longer working on that code That’s not a ‘real’ problem These problems need fixing I’ll have to retest the whole application Expensive and complex/specialized testing
Automated Security Tests Continuous Integration Static Analysis Unit Testing Functional Tests
Start with API Functional Tests • Identify subset of tests and prepare for security • Run with functional testing tool • Capture traffic and pass to pen test tool • Pen test tool performs checks and reports results Functional Tests Security Tests
Reporting & Analytics Automated Penetration Tests (Parasoft SOAtest) Application Under Test Service Virtualization (Parasoft Virtualize) BurpSuite
Review errors in context of use case
Benefits of leveraging functional tests • Save time by reuse • Scenario is properly set up • Errors get reported in context of use case • Repeatable test for verification • Association with requirements
How to prepare for security • Select a subset of your API functional tests – Maximize attack surface with fewest number of tests – Avoid pen testing same API over and over – Remove parameterization – Skip setup/teardown tests – Be careful with APIs that add items to the DB – Remove assertions
Ensure a stable test environment • Maintain separate functional and security tests • Use separate test runs – Use separate environment, or run security tests last – Use variables in your tests to easily switch between environments (if needed) – Use service virtualization to isolate environments
Summary • Move automated security testing into the continuous testing process • Leverage API functional tests for security testing
Questions? jakubiak@parasoft.com Presentation slides: http://sched.co/BiDc Recorded webinar: https://vimeo.com/parasoft/review/214069660/76182c2c57

Recommended

Top 10 Software Testing Tool to Help You The Most!
Top 10 Software Testing Tool to Help You The Most!Top 10 Software Testing Tool to Help You The Most!
Top 10 Software Testing Tool to Help You The Most!Harish Chand
 
API Virtualization: Mocking on Steroids
API Virtualization: Mocking on SteroidsAPI Virtualization: Mocking on Steroids
API Virtualization: Mocking on SteroidsSmartBear
 
Suhas Ukkalam
Suhas UkkalamSuhas Ukkalam
Suhas Ukkalamcoolpalsuhas
 
Mdc2010 Automated Mobile Testing
Mdc2010 Automated Mobile TestingMdc2010 Automated Mobile Testing
Mdc2010 Automated Mobile Testingmomobangalore
 
QualityGate on CSMR WCRE 2014 conference
QualityGate on CSMR WCRE 2014 conferenceQualityGate on CSMR WCRE 2014 conference
QualityGate on CSMR WCRE 2014 conferenceFrontEndART
 
FrontEndART QualityGate, the ultimate software quality management system
FrontEndART QualityGate, the ultimate software quality management systemFrontEndART QualityGate, the ultimate software quality management system
FrontEndART QualityGate, the ultimate software quality management systemFrontEndART
 
IGT's Intelligent Automation Framework
IGT's Intelligent Automation FrameworkIGT's Intelligent Automation Framework
IGT's Intelligent Automation Frameworkgreyaudrina
 
Testing APIs in the Cloud
Testing APIs in the CloudTesting APIs in the Cloud
Testing APIs in the CloudSmartBear
 

Recommended

Top 10 Software Testing Tool to Help You The Most!
Top 10 Software Testing Tool to Help You The Most!Top 10 Software Testing Tool to Help You The Most!
Top 10 Software Testing Tool to Help You The Most!Harish Chand
 
API Virtualization: Mocking on Steroids
API Virtualization: Mocking on SteroidsAPI Virtualization: Mocking on Steroids
API Virtualization: Mocking on SteroidsSmartBear
 
Suhas Ukkalam
Suhas UkkalamSuhas Ukkalam
Suhas Ukkalamcoolpalsuhas
 
Mdc2010 Automated Mobile Testing
Mdc2010 Automated Mobile TestingMdc2010 Automated Mobile Testing
Mdc2010 Automated Mobile Testingmomobangalore
 
QualityGate on CSMR WCRE 2014 conference
QualityGate on CSMR WCRE 2014 conferenceQualityGate on CSMR WCRE 2014 conference
QualityGate on CSMR WCRE 2014 conferenceFrontEndART
 
FrontEndART QualityGate, the ultimate software quality management system
FrontEndART QualityGate, the ultimate software quality management systemFrontEndART QualityGate, the ultimate software quality management system
FrontEndART QualityGate, the ultimate software quality management systemFrontEndART
 
IGT's Intelligent Automation Framework
IGT's Intelligent Automation FrameworkIGT's Intelligent Automation Framework
IGT's Intelligent Automation Frameworkgreyaudrina
 
Testing APIs in the Cloud
Testing APIs in the CloudTesting APIs in the Cloud
Testing APIs in the CloudSmartBear
 
API Testing with Open Source Code and Cucumber
API Testing with Open Source Code and CucumberAPI Testing with Open Source Code and Cucumber
API Testing with Open Source Code and CucumberSmartBear
 
Just Enough (Automated) Testing
Just Enough (Automated) TestingJust Enough (Automated) Testing
Just Enough (Automated) TestingSauce Labs
 
Api testing and steps to do it
Api testing and steps to do itApi testing and steps to do it
Api testing and steps to do itZoe Gilbert
 
Advanced Mocking for Swagger APIs
Advanced Mocking for Swagger APIsAdvanced Mocking for Swagger APIs
Advanced Mocking for Swagger APIsSmartBear
 
Doing Security Testing in Agile with ease
Doing Security Testing in Agile with easeDoing Security Testing in Agile with ease
Doing Security Testing in Agile with easeKarundeep Gill
 
How to Optimise Continuous Testing
How to Optimise Continuous TestingHow to Optimise Continuous Testing
How to Optimise Continuous TestingSauce Labs
 
Framework For Automation Testing Practice Sharing
Framework For Automation Testing Practice SharingFramework For Automation Testing Practice Sharing
Framework For Automation Testing Practice SharingKMS Technology
 
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...JosephTesta9
 
Setup and run automated test framework for android application
Setup and run automated test framework for android applicationSetup and run automated test framework for android application
Setup and run automated test framework for android applicationKonstantin Natalukha
 
Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?BugRaptors
 
Test Automation Ground Up
Test Automation Ground UpTest Automation Ground Up
Test Automation Ground UpKushan Shalindra Amarasiri - Technical QE Specialist
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
 
Tashy's resumé
Tashy's resuméTashy's resumé
Tashy's resuméEric Pereira
 
Embedded world 2017
Embedded world 2017Embedded world 2017
Embedded world 2017ChantalWauters
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 
Advanced Automation in Your API Lifecycle
Advanced Automation in Your API Lifecycle Advanced Automation in Your API Lifecycle
Advanced Automation in Your API Lifecycle SmartBear
 
Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assuranceOllie Whitehouse
 
Gauge from an end user's perspective-fathima harris
Gauge from an end user's perspective-fathima harrisGauge from an end user's perspective-fathima harris
Gauge from an end user's perspective-fathima harrisVodqaBLR
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwarePerforce
 
Deploy and Destroy Complete Test Environments
Deploy and Destroy Complete Test EnvironmentsDeploy and Destroy Complete Test Environments
Deploy and Destroy Complete Test EnvironmentsBas Dijkstra
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 

More Related Content

What's hot

API Testing with Open Source Code and Cucumber
API Testing with Open Source Code and CucumberAPI Testing with Open Source Code and Cucumber
API Testing with Open Source Code and CucumberSmartBear
 
Just Enough (Automated) Testing
Just Enough (Automated) TestingJust Enough (Automated) Testing
Just Enough (Automated) TestingSauce Labs
 
Api testing and steps to do it
Api testing and steps to do itApi testing and steps to do it
Api testing and steps to do itZoe Gilbert
 
Advanced Mocking for Swagger APIs
Advanced Mocking for Swagger APIsAdvanced Mocking for Swagger APIs
Advanced Mocking for Swagger APIsSmartBear
 
Doing Security Testing in Agile with ease
Doing Security Testing in Agile with easeDoing Security Testing in Agile with ease
Doing Security Testing in Agile with easeKarundeep Gill
 
How to Optimise Continuous Testing
How to Optimise Continuous TestingHow to Optimise Continuous Testing
How to Optimise Continuous TestingSauce Labs
 
Framework For Automation Testing Practice Sharing
Framework For Automation Testing Practice SharingFramework For Automation Testing Practice Sharing
Framework For Automation Testing Practice SharingKMS Technology
 
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...JosephTesta9
 
Setup and run automated test framework for android application
Setup and run automated test framework for android applicationSetup and run automated test framework for android application
Setup and run automated test framework for android applicationKonstantin Natalukha
 
Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?BugRaptors
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 
Advanced Automation in Your API Lifecycle
Advanced Automation in Your API Lifecycle Advanced Automation in Your API Lifecycle
Advanced Automation in Your API Lifecycle SmartBear
 
Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assuranceOllie Whitehouse
 
Gauge from an end user's perspective-fathima harris
Gauge from an end user's perspective-fathima harrisGauge from an end user's perspective-fathima harris
Gauge from an end user's perspective-fathima harrisVodqaBLR
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwarePerforce
 
Deploy and Destroy Complete Test Environments
Deploy and Destroy Complete Test EnvironmentsDeploy and Destroy Complete Test Environments
Deploy and Destroy Complete Test EnvironmentsBas Dijkstra
 

What's hot (20)

API Testing with Open Source Code and Cucumber
API Testing with Open Source Code and CucumberAPI Testing with Open Source Code and Cucumber
API Testing with Open Source Code and Cucumber
 
Just Enough (Automated) Testing
Just Enough (Automated) TestingJust Enough (Automated) Testing
Just Enough (Automated) Testing
 
Api testing and steps to do it
Api testing and steps to do itApi testing and steps to do it
Api testing and steps to do it
 
Advanced Mocking for Swagger APIs
Advanced Mocking for Swagger APIsAdvanced Mocking for Swagger APIs
Advanced Mocking for Swagger APIs
 
Doing Security Testing in Agile with ease
Doing Security Testing in Agile with easeDoing Security Testing in Agile with ease
Doing Security Testing in Agile with ease
 
How to Optimise Continuous Testing
How to Optimise Continuous TestingHow to Optimise Continuous Testing
How to Optimise Continuous Testing
 
Framework For Automation Testing Practice Sharing
Framework For Automation Testing Practice SharingFramework For Automation Testing Practice Sharing
Framework For Automation Testing Practice Sharing
 
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
 
Setup and run automated test framework for android application
Setup and run automated test framework for android applicationSetup and run automated test framework for android application
Setup and run automated test framework for android application
 
Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?
 
Test Automation Ground Up
Test Automation Ground UpTest Automation Ground Up
Test Automation Ground Up
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
 
Tashy's resumé
Tashy's resuméTashy's resumé
Tashy's resumé
 
Embedded world 2017
Embedded world 2017Embedded world 2017
Embedded world 2017
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
Advanced Automation in Your API Lifecycle
Advanced Automation in Your API Lifecycle Advanced Automation in Your API Lifecycle
Advanced Automation in Your API Lifecycle
 
Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assurance
 
Gauge from an end user's perspective-fathima harris
Gauge from an end user's perspective-fathima harrisGauge from an end user's perspective-fathima harris
Gauge from an end user's perspective-fathima harris
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
 
Deploy and Destroy Complete Test Environments
Deploy and Destroy Complete Test EnvironmentsDeploy and Destroy Complete Test Environments
Deploy and Destroy Complete Test Environments
 

Similar to LF_APIStrat17_Bulletproofing Your API's

Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023VMware Tanzu
 
Security Validation as Code.pdf
Security Validation as Code.pdfSecurity Validation as Code.pdf
Security Validation as Code.pdfPrancer Io
 
Netserv Software Testing
Netserv Software TestingNetserv Software Testing
Netserv Software Testingsthicks14
 
Diving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesDiving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesQASymphony
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
Modernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectModernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectDevOps.com
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Dinis Cruz
 
03 test specification and execution
03 test specification and execution03 test specification and execution
03 test specification and executionClemens Reijnen
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce
 
4&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-5
4&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-54&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-5
4&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-5hemasubbu08
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI AppsRichin Jain
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 

Similar to LF_APIStrat17_Bulletproofing Your API's (20)

Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
 
Security Validation as Code.pdf
Security Validation as Code.pdfSecurity Validation as Code.pdf
Security Validation as Code.pdf
 
Netserv Software Testing
Netserv Software TestingNetserv Software Testing
Netserv Software Testing
 
Diving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the TechnologiesDiving into the World of Test Automation The Approach and the Technologies
Diving into the World of Test Automation The Approach and the Technologies
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Modernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectModernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-Architect
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
 
03 test specification and execution
03 test specification and execution03 test specification and execution
03 test specification and execution
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
4&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-5
4&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-54&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-5
4&5.pptx SOFTWARE TESTING UNIT-4 AND UNIT-5
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI Apps
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 

More from LF_APIStrat

LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat
 
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...LF_APIStrat
 
LF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API TestingLF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API TestingLF_APIStrat
 
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity ModelLF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity ModelLF_APIStrat
 
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...LF_APIStrat
 
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing DocsLF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing DocsLF_APIStrat
 
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API BoostersLF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API BoostersLF_APIStrat
 
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...LF_APIStrat
 
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your DocumentationLF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your DocumentationLF_APIStrat
 
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience TeamLF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience TeamLF_APIStrat
 
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then DiscoverabilityLF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then DiscoverabilityLF_APIStrat
 
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...LF_APIStrat
 
LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions LF_APIStrat
 
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...LF_APIStrat
 
LF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision TreesLF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision TreesLF_APIStrat
 
LF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In OrderLF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In OrderLF_APIStrat
 
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...LF_APIStrat
 
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...LF_APIStrat
 
LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World LF_APIStrat
 
LF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIsLF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIsLF_APIStrat
 

More from LF_APIStrat (20)

LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
 
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
 
LF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API TestingLF_APIStrat17_Super-Powered REST API Testing
LF_APIStrat17_Super-Powered REST API Testing
 
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity ModelLF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
 
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
 
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing DocsLF_APIStrat17_Things I Wish People Told Me About Writing Docs
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
 
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API BoostersLF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
 
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
 
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your DocumentationLF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
 
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience TeamLF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
 
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then DiscoverabilityLF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
 
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
 
LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions LF_APIStrat17_REST API Microversions
LF_APIStrat17_REST API Microversions
 
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
 
LF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision TreesLF_APIStrat17_Case Study: Cold Decision Trees
LF_APIStrat17_Case Study: Cold Decision Trees
 
LF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In OrderLF_APIStrat17_Getting Your API House In Order
LF_APIStrat17_Getting Your API House In Order
 
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
 
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
 
LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World LF_APIStrat17_Open Data vs. the World
LF_APIStrat17_Open Data vs. the World
 
LF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIsLF_APIStrat17_Practical DevSecOps for APIs
LF_APIStrat17_Practical DevSecOps for APIs
 

Recently uploaded

Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Recently uploaded (20)

Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

LF_APIStrat17_Bulletproofing Your API's

  • 1.
  • 2. Bulletproofing your APIs Nathan Jakubiak, Parasoft jakubiak@parasoft.com Presentation slides: http://sched.co/BiDc
  • 3. API security is like…
  • 4.
  • 5.
  • 6.
  • 7. The Traditional Approach to Security Security Problems Dev Stream Dev Stream Dev Stream Dev Stream SecurityQA/Integration It’s too close to the release date! I don’t understand the problem We are no longer working on that code That’s not a ‘real’ problem These problems need fixing I’ll have to retest the whole application Expensive and complex/specialized testing
  • 8.
  • 9. Automated Security Tests Continuous Integration Static Analysis Unit Testing Functional Tests
  • 10. Start with API Functional Tests • Identify subset of tests and prepare for security • Run with functional testing tool • Capture traffic and pass to pen test tool • Pen test tool performs checks and reports results Functional Tests Security Tests
  • 11. Reporting & Analytics Automated Penetration Tests (Parasoft SOAtest) Application Under Test Service Virtualization (Parasoft Virtualize) BurpSuite
  • 12.
  • 13. Review errors in context of use case
  • 14. Benefits of leveraging functional tests • Save time by reuse • Scenario is properly set up • Errors get reported in context of use case • Repeatable test for verification • Association with requirements
  • 15. How to prepare for security • Select a subset of your API functional tests – Maximize attack surface with fewest number of tests – Avoid pen testing same API over and over – Remove parameterization – Skip setup/teardown tests – Be careful with APIs that add items to the DB – Remove assertions
  • 16. Ensure a stable test environment • Maintain separate functional and security tests • Use separate test runs – Use separate environment, or run security tests last – Use variables in your tests to easily switch between environments (if needed) – Use service virtualization to isolate environments
  • 17. Summary • Move automated security testing into the continuous testing process • Leverage API functional tests for security testing
  • 18.
  • 19. Questions? jakubiak@parasoft.com Presentation slides: http://sched.co/BiDc Recorded webinar: https://vimeo.com/parasoft/review/214069660/76182c2c57