This document discusses how organizations can secure their apps and APIs against various threats. It notes that 84% of companies saw an increase in bot attacks over the last year and 90% saw an increase in account takeover attacks in 2021 alone. It promotes the Google Cloud WAAP solution of Cloud Armor, Apigee, and reCAPTCHA Enterprise to provide layered protection across networks, APIs, and applications. Cloud Armor provides DDoS protection and web application firewall capabilities. Apigee offers secure API management and governance. reCAPTCHA Enterprise detects fraud across devices and applications hosted on Google Cloud, on-premises, or on other clouds. The document advocates this comprehensive solution to holistically prevent app fraud and abuse.
1. App Security: Secure your app against DDoS, API Abuse, Hijacking, and Fraud
Tony Pham @ OpsRun.io
IO Extended Cebu
2. Organizations must protect against many different types of attacks
Bots, DDoS, Credential Theft, Application Fraud, API Attacks, Unauthorized Access, Data Exfiltration, Infrastructure Attacks, and more
3. Web Security Threats are Evolving and Increasing
Bot Attacks: 84% of companies saw an increase in the number of bot attacks over the last year (Jan '21). Source: Forrester Consulting - State Of Online Fraud And Bot Management
Payments Fraud: $24B lost to credit card fraud by US businesses; $1T lost to abandoned checkouts or rejected transactions
53 days spent on average fully resolving a bot attack
Account Takeover: 90% increase in 2021 alone
API Abuse: 50% of organizations experienced an API security incident in the last 12 months; 77% of organizations that experienced an API security incident delayed a rollout
6. Gaps in protection increased acquisition and operations cost
Too many point products to manage
Too many vendors to manage
Many products still built for the on-prem world
Assembling a comprehensive solution to prevent app fraud and abuse is a growing challenge
7. You need to be secured across all points of interaction: User, App Developer, API, API team, Backend
Threat Protection: Behavior Based, Signature Based, Payload Complexity, Spikes, OWASP (SQL injection, input validation, etc.)
Access Controls: OAuth2, API Keys, Products, Scopes, Quota/Spike Arrest, Logging
Self Service & SSO: IAM Integration, Provisioning & Decommissioning, OpenID Connect, JWT, SAML
Security Governance: Global Policies, RBAC management, Data Masking, Compliance (ISO, PCI-DSS, HIPAA, SOC1&2, CSA STAR)
Data Security: TLS, Two-way TLS, IP Access Control, Encrypted Data Store and Cache
8. Layered defence of applications
Google Cloud WAAP Solution: Cloud Armor, Apigee, reCAPTCHA Enterprise
Good and bad traffic from the Internet is filtered by three layers before reaching web apps & APIs hosted on Google Cloud, on-premises, or on other clouds:
Cloud Armor: DDoS and Web Attack Defense on Global Edge
Apigee: Intelligent API defense
reCAPTCHA Enterprise: Advanced Bot & Fraud Detection
9. Layered defence of applications (continued)
Google Cloud WAAP Solution: Cloud Armor, Apigee, reCAPTCHA Enterprise
Attackers: API Abuse, Credential Stuffing, Account Takeovers, Payments Fraud, DDoS
Points of interaction: Network, Client, Application, API
Blocks scaled attacks; detects and prevents direct API access; detects fraudulent activity on applications and blocks it
11. Cloud Armor: DDoS Protection & WAF
HTTPS traffic enters through HTTP(S) Load Balancing, where Cloud Armor applies IP Allow/Deny, Geo, WAF and Custom rules (L3-L7); the load balancer then forwards it to autoscaling app instances in us-central, us-west and asia.
Defense against L3/L4 volumetric and protocol DDoS attacks
12. Google Cloud Armor
Mitigate infrastructure DDoS attacks with Global HTTP(S) Load Balancing (TCP SYN floods, amplification attacks, IP fragmentation attacks, etc.)
Allow or block traffic based on IP, Geo, and custom match parameters (L3-L7)
Defend against application layer attacks with OWASP Top 10 rules (e.g. SQLi, XSS). Use in combination with IAP
Telemetry: decisions logged to Cloud Logging and the Monitoring dashboard, and to Cloud Security Command Center
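The slide lists three edge controls that are usually combined in one policy: IP allow/deny, geo matching, and custom L3-L7 matches, evaluated in priority order with a catch-all default. The example below is added here to show how that evaluation order decides the outcome; it is not Cloud Armor's rule language or implementation. The Request and Rule shapes, the documentation address ranges, the region code "ZZ" and the whole sample policy are constructed assumptions.

```python
"""Priority-ordered edge policy evaluation combining IP, Geo and custom L7
match layers.  Added illustration only: not Cloud Armor's rule language or
implementation; rule shapes, address ranges and region codes are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    src_ip: str
    region: str                      # country code as seen at the edge (constructed)
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    priority: int                    # lower value is evaluated first
    action: str                      # "allow" or "deny"
    description: str
    match: Callable[[Request], bool]


def src_ip_in(*cidrs: str) -> Callable[[Request], bool]:
    """Match when the client address falls inside any of the given CIDR ranges."""
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.src_ip) in n for n in nets)


def region_in(*codes: str) -> Callable[[Request], bool]:
    """Geo match on the region code attached to the request."""
    wanted = set(codes)
    return lambda r: r.region in wanted


def l7_match(path_prefix: str, header: str, needle: str) -> Callable[[Request], bool]:
    """Custom L7 match: a path prefix plus a case-insensitive header substring."""
    return lambda r: (r.path.startswith(path_prefix)
                      and needle.lower() in r.headers.get(header, "").lower())


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, int]:
    """The first matching rule in priority order decides; returns (action, priority)."""
    for rule in sorted(policy, key=lambda x: x.priority):
        if rule.match(req):
            return rule.action, rule.priority
    raise ValueError("policy has no default rule")


# Constructed sample policy.  Note that the partner allow rule at 2000 shadows
# the geo deny at 3000: a partner address is admitted from any region.
POLICY = [
    Rule(1000, "deny", "deny list: scanner range (TEST-NET-3, constructed)",
         src_ip_in("203.0.113.0/24")),
    Rule(2000, "allow", "allow list: partner range (TEST-NET-2, constructed)",
         src_ip_in("198.51.100.0/24")),
    Rule(3000, "deny", "geo: region the service does not serve (constructed code)",
         region_in("ZZ")),
    Rule(4000, "deny", "custom L7: scripted client on the admin path",
         l7_match("/admin", "User-Agent", "python-requests")),
    Rule(2147483647, "allow", "default allow", lambda r: True),
]

if __name__ == "__main__":
    probes = [
        Request("203.0.113.9", "US", "GET", "/"),
        Request("198.51.100.5", "ZZ", "GET", "/"),
        Request("192.0.2.10", "ZZ", "GET", "/"),
        Request("192.0.2.10", "US", "GET", "/admin/users", {"User-Agent": "python-requests/2.31"}),
        Request("192.0.2.10", "US", "GET", "/admin/users", {"User-Agent": "Mozilla/5.0"}),
    ]
    for p in probes:
        print(p.src_ip, p.region, p.path, "->", evaluate(POLICY, p))
```

The lesson a policy review looks for is in the second probe: because the allow list has a lower priority number than the geo rule, it wins for that address regardless of region, which is fine if intended and a gap if not.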
13. Google Cloud Armor Current Capabilities
Capabilities: L3/L4 DDoS Defense; IP, ASN & Geo based rules; WAF rules (OWASP T10); Custom Rules Language; Fraud & Bot Management (Preview); Adaptive Protection; Managed Protection Plus; CDN / Edge Policies; Rate Limiting; Telemetry & CSCC Findings; Named IP Lists (3rd Party)
Deployment: Google Cloud Armor sits in front of the Global HTTP(S) Load Balancer, which distributes traffic to application instances in Google Cloud Regions (US West region, Asia region)
14. Cloud Armor Adaptive Protection
ML based L7 (Application Layer) DDoS detection and protection
Pipeline: Learn Baseline -> Detect Attack -> Suggest Rule -> Mitigate
For each Application / Service, Cloud Armor Adaptive Protection (CA-AP) scores request attributes such as User-Agent and Geography:

User-Agent   Attack Likelihood   % Attack   % Baseline
Firefox      80%                 40%        4%
IE           80%                 60%        1%

Geography    Attack Likelihood   % Attack   % Baseline
CN           80%                 50%        0%
HK           80%                 50%        0%

Output: Attack detected (with Confidence), Attack Signature (HTTP GET Flood, HTTP POST Flood), an Alert, and a Suggested WAF Rule reported with its % Attack Impacted and % Baseline Impacted
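The two tables make the trade-off explicit: a suggested rule is judged by how much of the attack window it stops against how much baseline traffic it would also stop. The example below is an added illustration of that learn-baseline / detect-attack / suggest-rule idea worked on the slide's own percentages; it is not Cloud Armor Adaptive Protection's model or code. The request shape, the constructed traffic samples, the spike factor and the 5% collateral threshold are all assumptions.

```python
"""Learn baseline, detect an L7 flood, suggest a rule and report its impact.
Added illustration of the idea, not Cloud Armor Adaptive Protection's model;
the request shape, sample traffic and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

Request = Dict[str, str]          # e.g. {"ua": "Firefox", "geo": "CN"} (constructed shape)


@dataclass
class Suggestion:
    attribute: str
    values: Tuple[str, ...]       # block requests whose attribute is one of these
    attack_impacted: float        # share of the attack window the rule would stop
    baseline_impacted: float      # share of normal traffic the rule would also stop


def attribute_shares(reqs: List[Request], attribute: str) -> Dict[str, float]:
    """Fraction of requests carrying each value of `attribute`."""
    counts = Counter(r[attribute] for r in reqs)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}


def detect_attack(baseline_rate: float, window_rate: float, factor: float = 5.0) -> bool:
    """Flood heuristic: the window's request rate far exceeds the learned baseline rate."""
    return window_rate >= factor * baseline_rate


def suggest_rule(baseline: List[Request], attack: List[Request], attribute: str,
                 max_baseline_impact: float = 0.05) -> Suggestion:
    """Add the attribute values most over-represented in the attack window to a
    block rule, as long as the rule's damage to baseline traffic stays under
    `max_baseline_impact`."""
    a = attribute_shares(attack, attribute)
    b = attribute_shares(baseline, attribute)
    # rank by attack share relative to baseline share (values unseen in baseline rank first)
    ranked = sorted(a, key=lambda v: a[v] / (b.get(v, 0.0) + 1e-9), reverse=True)
    chosen: List[str] = []
    attack_hit = baseline_hit = 0.0
    for value in ranked:
        cost = b.get(value, 0.0)
        if baseline_hit + cost > max_baseline_impact + 1e-12:
            continue                   # would stop too much legitimate traffic
        chosen.append(value)
        attack_hit += a[value]
        baseline_hit += cost
    return Suggestion(attribute, tuple(chosen), attack_hit, baseline_hit)


def sample_traffic() -> Tuple[List[Request], List[Request]]:
    """Constructed traffic reproducing the slide's percentages: baseline is
    95% Chrome / 4% Firefox / 1% IE from US and DE; the attack window is a
    flood that is 40% Firefox / 60% IE, split evenly between CN and HK."""
    baseline = ([{"ua": "Chrome", "geo": "US"}] * 90 + [{"ua": "Chrome", "geo": "DE"}] * 5
                + [{"ua": "Firefox", "geo": "US"}] * 4 + [{"ua": "IE", "geo": "US"}] * 1)
    attack = ([{"ua": "Firefox", "geo": "CN"}] * 200 + [{"ua": "Firefox", "geo": "HK"}] * 200
              + [{"ua": "IE", "geo": "CN"}] * 300 + [{"ua": "IE", "geo": "HK"}] * 300)
    return baseline, attack


if __name__ == "__main__":
    baseline, attack = sample_traffic()
    # both samples are taken to cover a 60 s window (constructed), giving rates per second
    print("attack detected:", detect_attack(len(baseline) / 60, len(attack) / 60))
    for attribute in ("ua", "geo"):
        print(suggest_rule(baseline, attack, attribute))
```

With the slide's numbers, blocking both Firefox and IE stops the whole attack window at a 5% baseline cost, while a geography rule on CN and HK stops it at no baseline cost; tightening the collateral threshold to 2% drops Firefox from the User-Agent rule and leaves 40% of the flood unblocked.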
16. Apigee
Secure API management: Verify API keys, generate and validate OAuth access tokens, implement JSON threat protection, rate limiting, quotas and more
Govern Access: Create API Products, set permissions and usage quota on the API Product; govern which consumers can access which APIs
API Analytics: Analyze API trends (most popular APIs), source of API traffic, types of client applications, etc.
Integrated Services: Google Cloud integration including Identity and Access Management (IAM) and Cloud Logging
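The controls on this slide form a pipeline at the proxy: identify the consumer (API key), check that the consumer's API Product includes the requested API, then apply spike arrest and quota. The example below is added to show how these four checks fit together and why spike arrest and quota are different controls; it is not Apigee's implementation or API. The gateway, product and key-registry shapes, the paths, the consumer key and the timings are constructed for the example.

```python
"""API-key verification, product scoping, spike arrest and quota as a tiny
in-memory gateway.  Added illustration of the controls named on the slide;
not Apigee's implementation or API.  Names, registry and timings are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def key_digest(raw_key: str) -> str:
    """Store only a hash of the consumer key, so a leaked registry does not leak keys."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class Product:
    name: str
    paths: Tuple[str, ...]          # APIs this product exposes, e.g. "/accounts"
    quota_limit: int                # calls allowed per quota window
    quota_window_sec: float
    spike_rate_per_sec: float       # maximum smoothed call rate


@dataclass
class Gateway:
    products: Dict[str, Product]
    key_to_app: Dict[str, Tuple[str, str]]     # sha256(key) -> (app, product name)
    _next_allowed: Dict[str, float] = field(default_factory=dict)
    _quota_used: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def verify_key(self, raw_key: str) -> Optional[Tuple[str, str]]:
        digest = key_digest(raw_key)
        for stored, identity in self.key_to_app.items():
            if hmac.compare_digest(stored, digest):   # constant-time comparison
                return identity
        return None

    def spike_arrest(self, app: str, rate: float, now: float) -> bool:
        """Spike arrest smooths bursts by enforcing a minimum spacing between calls."""
        if now < self._next_allowed.get(app, 0.0):
            return False
        self._next_allowed[app] = now + 1.0 / rate
        return True

    def quota(self, app: str, product: Product, now: float) -> bool:
        """Quota counts calls per fixed window; it bounds total volume, not burstiness."""
        bucket = (app, int(now // product.quota_window_sec))
        used = self._quota_used.get(bucket, 0)
        if used >= product.quota_limit:
            return False
        self._quota_used[bucket] = used + 1
        return True

    def handle(self, raw_key: Optional[str], path: str, now: float) -> int:
        """Return the HTTP status the proxy would send: 200, 401, 403 or 429."""
        identity = self.verify_key(raw_key) if raw_key else None
        if identity is None:
            return 401                       # missing or unknown consumer key
        app, product_name = identity
        product = self.products[product_name]
        if not any(path == p or path.startswith(p + "/") for p in product.paths):
            return 403                       # product does not grant this API
        if not self.spike_arrest(app, product.spike_rate_per_sec, now):
            return 429
        if not self.quota(app, product, now):
            return 429
        return 200


def demo_gateway() -> Gateway:
    """Constructed registry: one product exposing /accounts and /payments, one app."""
    products = {"retail-banking": Product("retail-banking", ("/accounts", "/payments"),
                                          quota_limit=3, quota_window_sec=60.0,
                                          spike_rate_per_sec=10.0)}
    keys = {key_digest("demo-key-not-a-real-secret"): ("mobile-app", "retail-banking")}
    return Gateway(products, keys)


if __name__ == "__main__":
    gw = demo_gateway()
    for t, path in [(0.0, "/accounts"), (0.05, "/accounts"), (0.2, "/payments"),
                    (0.4, "/payments"), (0.6, "/payments"), (60.0, "/claims")]:
        print(f"t={t:5.2f} {path:10} -> {gw.handle('demo-key-not-a-real-secret', path, t)}")
```

Spike arrest rejects the second call at 0.05 s because a rate of 10/s means one call per 100 ms, while quota rejects the fourth accepted call in the same minute regardless of spacing; /claims is refused with 403 because the consumer's product never included it.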
17. Apigee API Management
API Runtime / Gateway Services (SaaS, Hybrid & Multi-cloud Gateways) fronting APIs such as /accounts, /payments and /claims: Security, Transformation, Orchestration, Extensions, Client/SDK, Abuse Prevention & AI/ML
Developer Services: API Catalog, API Monetization, API Products, API Marketplace
Monitoring & Analytics: Developer Usage Metrics, Business KPIs, Performance Metrics, API Program Metrics, API Monitoring & Advanced Ops
18. Advanced API Security
Design and build secure APIs
Operate secure APIs
Leverage Google security know-how
19. Advanced API Security: how it works
API Traffic Data: Continuously monitor billions of API calls to identify anomalies
Machine Learning Models & Rules: Continuously recognizing bot patterns
Mitigation: Block or mark the bot traffic depending on your needs
Flow: API Traffic Data -> Models -> Advanced API Security Dashboard -> Deny list -> Enforcement in the Apigee runtime
20. New API abuse detection dashboards powered by ML
Clustering alerts reduces their volume and provides the relevant context for quick resolution
25. reCAPTCHA Enterprise Detects Fraud
Full Fraud Solution: all types of fraud are covered across all device types and at the edge (Mobile, IoT, Web), for apps and services on Google Cloud, hosted on-premises, or hosted on other clouds
Account Takeovers: Credential stuffing, 2FA, Password Leaks
Payments Fraud: Detection of fraudulent transactions on the payments page
Scraping: Scraping abuse