The talk that was presented at the APISecure 2022 conference, in which I discuss why I believe that 'API Security' is merely a small portion of the actual problem space, which is application security, and how you can leverage multi-layer protection using a single unified CNAPP platform to achieve smart defense in depth.
7. Let's look at a simple scenario

Diagram components: a storage bucket, a workload (a file processing microservice, deployed as a container) and an API gateway, connected by a "file upload" arrow into the bucket and an "API call" arrow through the gateway to the workload.

Attack path:
1. File upload via web form
2. API call with file location
3. Processing, exploits vuln, RCE
4. Steals secret, takeover cloud account

Protection layers overlaid on the diagram, one per step: file upload inspection, API protection, vulnerability scanning, runtime protection, cloud security posture.

Smart defense in depth
9.

Inputs feeding API data: web traffic, cloud events, file uploads, ...

Correlating API data with other signals (data source | correlation | outcome):

- App data flow tracing | Correlate API data w/ app flow tracing; accurate cross-cloud data leak prevention | Data leak prevention
- Workload behavioral protection | Trace workload anomalies to source API; root cause analysis; auto virtual patches | Workload protection with root cause analysis
- User session behavior data | Merge API traffic w/ session data; efficient account fraud prevention, across devices | Account fraud prevention
- Vulnerability scanning | Overlay API stats on 4C's vulns. & misconfigs; smart risk prioritization; reduce dev costs | Smart risk prioritization
10.

APIs are a key element in every modern application. However, APIs are just one element among many others.

If you only focus on securing APIs:
- False sense of security
- Fail to secure all application layers
- Siloed & fragmented security protections

To realize the full potential of cloud native app sec, API security must be a part of a holistic approach.
11. Securing modern cloud-native applications with Prisma Cloud

Where does API security fit in?

- Cloud Workload Protection: secure hosts, containers, and serverless across the application cycle. Host Security; Container Security; Serverless Security; Web Application & API Security.
- Cloud Infrastructure Entitlement Management: enforce permissions and secure identities across workloads and clouds. IAM Security.
- Cloud Network Security: monitor and secure cloud networks, enforce micro-segmentation. Identity-Based Microsegmentation; Cloud-native Network Security.
- Cloud Security Posture Management: monitor posture, detect and respond to threats, maintain compliance. Visibility, Compliance & Governance; Threat Detection; Data Security.
- DevSecOps: integrate and perform infrastructure and application security in the CI/CD pipeline. Code Security; Supply Chain Security.