
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers, Security Risks and Mitigation Strategies


The session will focus on the key trends in APIs and API Management Platform technologies and how they are driving the API economy. We will also discuss the key drivers for digital transformation initiatives, including the wide acceptance of APIs in Industry 4.0, connected devices, cloud and the payments industry. Next, we will talk about the top 10 security risks in APIs, API Management Platforms, API integrations with cloud platforms, and IoT/OT device integrations with third-party applications. Lastly, we will uncover the need for implementing an API security governance framework and how to measure the API security programme's success through this governance framework.


  1. SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur. The Power of APIs: API Economy Trends & Market Drivers, Top 10 Security Risks and Mitigation Strategies. Suhas Desai, Infosys Industry Principal – Cyber Security, @desai_suhas
  2. SACON 2020: What we will discuss today
     • Trends in APIs, API Management Platform Technologies
     • Overview of APIs, API Management Platforms & the API Economy
     • Wide acceptance of APIs in Industry 4.0
     • Top 10 security risks in APIs, API Management Platforms
     • API Security Governance Framework
     • API Security Good Practices
  3. SACON 2020: Recent News – API Security & Hacks (Source:)
  4. SACON 2020: Recent News – API Security & Hacks (Source:)
  5. SACON 2020: The Power of APIs – Trends in Emerging Technologies (figure: AI/ML, API Economy, Open Banking, Blockchain, Cloud APIs)
  6. SACON 2020: Hype Cycle – API Security & API Threat Protection (figure)
  7. SACON 2020: Quiz
     ```c
     #include <stdio.h>

     int main(void) {
         int i = 7;
         /* Quiz: i is modified twice with no intervening sequence point, so this
            expression is undefined behaviour and the printed value depends on the compiler. */
         printf("%d", i++ * i++);
         return 0;
     }
     ```
  8. SACON 2020: APIs - Overview
     • Application Programming Interface
     • Interface that provides programmatic access to service functionality and data within an application or a database (Gartner)
     • Interface or set of definitions or communication protocols used to build/integrate software
     • It can be used for web-based applications, operating systems, databases, devices and libraries
  9. SACON 2020: Types of APIs
     • Private/Internal APIs: for the enterprise's own consumption.
     • Partner APIs: specific rights/access is required; third-party/paid API consumption.
     • Public/External/Open APIs: publicly available; OAuth.
  10. SACON 2020: APIs - Examples
     • Database APIs
     • Device APIs
     • Operating System APIs
     • Remote APIs
     • Web APIs
  11. SACON 2020: Web Services APIs – REST, JSON, XML, SOAP, RPC
  12. SACON 2020: API Management Platforms for the API Life Cycle. API Management Platforms are used to manage the API life cycle:
     • Design
     • Publish (Provisioning / De-Provisioning)
     • Security (through API Gateways)
     • Analytics
     • Documentation
     • API Monetization
  13. SACON 2020: Top 8 API Management Platforms
     1. Broadcom (CA) API Management Platform
     2. Google Apigee API Management Platform
     3. IBM API Connect
     4. Mulesoft Anypoint Platform
     5. TIBCO Cloud Mashery
     6. Microsoft Azure API Management
     7. Red Hat 3scale API Management
     8. Axway AMPLIFY API Management
  14. SACON 2020: API Economy. "The API economy is an enabler for turning a business or organization into a platform." Kristin R. Moyer, vice president and distinguished analyst at Gartner
  15. SACON 2020: API Monetization (figure: Revenue per API call, Revenue Sharing, Licensing, Platforms, API Calls)
  16. SACON 2020: API Architecture (figure)
     • Channels: Web, Mobile, Devices, Enterprise Application
     • Middleware/Platforms: API Management Platforms, API Middleware, API Gateway, Data Processing & Analytics, API Connectors
     • API Initiation / Requestor / Backend Services: Database, Operating Systems
     • APIs at Application or Service Layer
     • Features: Security, Compliance, Efficiency, Analytics
  17. SACON 2020: Top 10 Security Risks (figure: API Security Risks, grouped into Governance; APIs & API Technology Platforms; Monetization)
     • Crypto Services
     • Authentication & Authorization
     • APIs Communication Channels
     • Data Security
     • Business Logic Implementation
     • Input Validation
     • API Security Governance
     • API Management Platform Misconfigurations
     • API Gateway and Runtime Risks
     • Security Risks in API Monetization
  18. SACON 2020: Quiz
     ```c
     #include <stdio.h>

     /* Only the macro's name and parameters are present in the slide text;
        its replacement list is not given. */
     #define merge(a, b)

     int main(void) {
         printf("%d ", merge(20, 40));
         return 0;
     }
     ```
  19. SACON 2020: Approach – Secure API Life Cycle (figure)
     • API Security Assessment:
       1. API Design & Architecture, Specification Document Review
       2. Black/Grey Box Risk Assessment of APIs/Web Services/Micro Services (e.g. REST-JSON, SOAP-XML), API Management Platforms/Gateways, ESB/SOA
       3. Data Security & Cryptographic Controls Review
       4. Configuration & Audit Logs Review
       5. Calculating Severity Score based on threat & impact of the vulnerability
       6. Risk Mitigation
     • API Platform Implementation (Secured API Management Platform):
       1. Design API Management Platform Architecture
       2. Implement Security Controls in API Management Platforms
       3. Implement Security Configurations of API Management Platforms
     • API Platform Management & Sustenance Programme (Provisioning & De-provisioning; Incident Monitoring & Management):
       1. API provisioning & de-provisioning
       2. Security Governance through Platform
       3. Monitor Security Incidents
       4. Incident Management
     • API Security Audit (Compliant API Ecosystem):
       1. Review of Current Security Processes & Policies
       2. Documents & Evidence Validation against Compliance Audit Points
       3. Data Security & Cryptographic Controls Review
       4. Calculating Risk Score based on threat & impact against each non-compliance point
     • Other labels on the figure: Policies & Procedures; Advisory on Roadmap & Strategy; Secured API Ecosystem; Security Assurance in APIs, Digital Channels & Platform Implementation; Managed Services
  20. SACON 2020: API Security Governance Framework (figure)
     • Security Governance: Risk, Compliance, Policy Management, Assurance, BCP & DR, Awareness
     • Monitoring & Logging: SIEM, Threat Intelligence, Analytics, Traffic Monitoring, API Metering and Billing
     • API Management: API Provisioning, Entity/Resource Onboarding, API Governance Risk & Compliance, Traffic Mediation, Versioning
     • API Security: PKI, OAuth2, OpenID Connect, Digital Signature, Threat Protection, Input/Schema Validation, Traffic Shaping
     • Data Security: Data Encryption, Data Masking, Data Classification, DRM, Data Loss Prevention
     • Network Security: WAF, IDS/IPS, Advanced Persistent Threats, Gateway Security, DoS Prevention, Unified Threat Management
  21. SACON 2020: OWASP API Security Top 10 2019
     • API1 Broken Object Level Authorization
     • API2 Broken User Authentication
     • API3 Excessive Data Exposure
     • API4 Lack of Resources & Rate Limiting
     • API5 Broken Function Level Authorization
     • API6 Mass Assignment
     • API7 Security Misconfiguration
     • API8 Injection
     • API9 Improper Assets Management
     • API10 Insufficient Logging & Monitoring
  22. SACON 2020: API Security Assessment Tools
     • Fiddler
     • Wireshark
     • Metasploit Framework
     • SoapUI Pro
     • Katalon
     • Apigee
     • Postman
     • Parasoft SOAtest
     • JMeter
  23. SACON 2020: Good Practices to secure APIs
     1. Enforce strong SSL/TLS encryption over the communication channel.
     2. Digitally sign the API request data, with the current timestamp in the request headers, to protect against request tampering and replay attacks.
     3. Encrypt sensitive request payloads when requesting an API.
     4. Never expose API session tokens, keys or passwords in the URL; pass them through API request headers instead.
     5. Validate and sanitize untrusted user input before processing it at the backend.
     6. Authenticate API resources and requesting entities mutually using PKI certificates. Use OAuth/OpenID Connect for authorization based on user access control to the API resources.
     7. Set quota limits on bandwidth usage and on API requests processed per unit time to avoid denial-of-service attacks.
     8. Implement and use audit logging and monitoring features to uncover API transaction processing disputes that may have happened in the past. Set up SLAs and performance benchmarks, and ensure regulatory Governance, Risk & Compliance (GRC) policies and procedures are properly followed according to standards such as Sarbanes-Oxley (SOX), PCI DSS, GDPR, HIPAA and COBIT.
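As an added example (not code from the slides or from the author), the Python sketch below works through practice 2 above, and practice 4 on the way: the client signs the method, path, body hash, timestamp and a nonce with a shared secret and carries them in request headers, and the server rejects stale timestamps, reused nonces and tampered bodies. The secret, header names and skew window are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed shared secret and settings for this example (assumptions, not real values)
SECRET = b"example-shared-secret-change-me"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body hash, timestamp and nonce into one signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(method, path, body, timestamp, nonce, secret=SECRET):
    """Client side: compute HMAC-SHA256 over the canonical string, return the headers."""
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Credentials travel in headers, never in the URL (practice 4)
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: check freshness, single use of the nonce, then the signature."""

    def __init__(self, secret=SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> timestamp; use a shared store across gateway nodes

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason). `now` is injectable for deterministic testing."""
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        # Forget nonces that fell outside the freshness window; they can no longer be replayed
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_skew}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        msg = canonical_string(method, path, body, ts, nonce).encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so a timing side channel cannot reveal the signature
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts
        return True, "ok"
```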
  24. SACON 2020: Summary
     • Secure design of APIs and API Management Platforms
     • Security governance and security assurance
     • Good practices in the API life cycle
  25. SACON 2020: Crypto + Steganography with Python (Source: Linux Journal; Author: Suhas Desai). Community contribution is needed to embed more cryptography & steganography libraries and APIs!
  26. SACON 2020: For more details please contact: Suhas Desai, Industry Principal – Infosys. E: Thank You!