APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Harnessing the Speed of Innovation
Jyoti Bansal, CEO & Founder at Traceable
1. Harnessing the Speed of Innovation
Jyoti Bansal, Co-Founder and CEO, Traceable
jyoti@traceable.ai
2. Agenda
▪ Introduction
▪ The evolution of modern app development
▪ How to solve for complex API challenges
▪ Securing APIs in the new world
▪ What the future holds
3. Software Code and APIs are Everywhere
2.8 trillion lines of code have been written in the past 20 years.
[Chart: number of developers vs number of APIs, 2010 to 2030. Headline figures: 45 million developers, 1.2 billion APIs. Other values shown on the chart: 25 million, 100 million, < 10 million, < 1 million.]
4. APIs Connect Everyone and Everything
IDC predicts by 2022, 90% of new enterprise applications worldwide will be developed as cloud-native, using agile methodologies and API-driven architectures that leverage microservices, containers, and serverless functions.
(IDC FutureScape: Worldwide Cloud 2020 Predictions, Doc # US44640719, October 2019)
[Diagram: API at the center, connecting Cloud Services, Healthcare, Mobile Services, Real Estate, E-commerce, Government, Education, Crypto, Financial Services, Insurance, Media/Entertainment, and Hi-Tech]
5. Growing API Security Crisis
91% of organizations had an API security incident last year… (Security Magazine, Feb 2021)
Data Breaches & Exfiltration
Business Fraud
Sensitive Data Exposure
Customer & Employee Privacy Violations
Regulatory Fines
Intellectual Property Theft
6. Business Fraud via API
APIs hijacked and modified
Case 1: Missing logic validation check in a retail brokerage API endpoint. Allowed an attacker to make unlimited cryptocurrency trades between different currency accounts. Attackers could initiate orders and trade cryptocurrency they did not have by modifying the API: the Coinbase validation logic did not verify the source account properly, and processed the trade normally.
Case 2: Rate limiting protection failed to work as designed. A hacker could take over Apple iCloud accounts by exploiting the password reset API endpoint of the "Forgot Password" function. Allowed an attacker to bypass 2-factor authentication, SMS verification and password validation rate limits.
7. API Attacks Are Hard to Detect
▪ Mostly unknown threats
▪ Malicious usage of APIs for unauthorized activities
▪ Exploit your own code and business logic
Hard to Detect and High Signal to Noise Ratio
Countless Attack Surfaces
11. You Can’t Secure What You Can’t See
Application Context:
▪ API ACTIVITY: Edge API Calls; Internal API Calls; Sequence of API Calls
▪ USER ACTIVITY: Identity; Devices; Roles & Permissions
▪ DATA FLOW: Across Sequence of Calls; Between Internal Services; To External Services
▪ CODE EXECUTION: API Parameters; Request/Response Data; Errors & Latency
Example sequence of API calls: rider / view locations → rider / reserve car → rider / process payment → rider / send receipt
[Diagram legend: Edge APIs, Internal APIs, External Service]
Observability is the core foundation of application security
13. What the future holds…
▪ Transformation journeys that integrate speed, innovation.
▪ APIs will become the primary vector of attack.
▪ Even more adoption of APIs as the primary method of delivering value.
14. Top Three Approaches Needed for API Security
Observability is Key
▪ Capture and correlate all transactions and data for all APIs and microservices (internal, external, shadow, orphaned, 3rd party)
▪ Comprehensive breadth and depth of data captured for application security & observability
Data Lake and Threat Hunting
▪ Store every data trace from all API and data transactions
▪ All data is explorable, searchable, and filterable
▪ Enables deep root cause analysis and threat hunting
Machine Learning Platform for Context
▪ Build full application context
▪ Understand user behavior across all activity and time based on user attribution of every transaction.
▪ Correlate all activities across sessions and time into user storylines
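The "user storylines" idea from slide 14, applied to the rider flow from slide 11, as an added example that is not Traceable's code or part of the original deck: user-attributed API transactions are correlated across sessions into one storyline per user, and that storyline is then checked for business-logic abuse (a payment with no prior reservation) and for a burst on a sensitive endpoint that a per-session rate limit would miss. The log format, endpoint names, thresholds and sample entries are constructed assumptions.

```python
"""Correlate user-attributed API transactions into per-user storylines and flag
business-logic abuse. Added illustration, not Traceable's code: the log format,
endpoint names and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions: time, user, session, method, path.
# Note u42 reserves a car in session s1 but pays in session s2.
SAMPLE_LOG = """\
2022-04-06T10:00:01Z u42 s1 POST /rider/view-locations
2022-04-06T10:00:05Z u42 s1 POST /rider/reserve-car
2022-04-06T10:00:09Z u42 s2 POST /rider/process-payment
2022-04-06T10:00:10Z u42 s2 POST /rider/send-receipt
2022-04-06T10:01:00Z u77 s3 POST /rider/process-payment
2022-04-06T10:02:00Z u99 s4 POST /account/forgot-password
2022-04-06T10:02:01Z u99 s4 POST /account/forgot-password
2022-04-06T10:02:02Z u99 s5 POST /account/forgot-password
2022-04-06T10:02:03Z u99 s5 POST /account/forgot-password
"""
# Endpoint -> call that must already be in the user's storyline (any session).
PRECONDITIONS = {"/rider/process-payment": "/rider/reserve-car"}
# Sensitive endpoint -> (max calls, window) per user across all sessions.
BURST = {"/account/forgot-password": (3, timedelta(seconds=60))}

def build_storylines(log_text):
    """Group transactions by user, not by session, ordered by time."""
    storylines = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, session, _method, path = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        storylines[user].append((when, session, path))
    return {user: sorted(events) for user, events in storylines.items()}

def detect(log_text):
    """Return (user, finding, endpoint) tuples in storyline order."""
    findings = []
    for user, events in build_storylines(log_text).items():
        seen = set()  # endpoints this user has already called
        for when, _session, path in events:
            required = PRECONDITIONS.get(path)
            if required and required not in seen:  # payment with no reservation
                findings.append((user, "sequence-violation", path))
            seen.add(path)
            if path in BURST:  # the rate check runs on the whole storyline
                limit, window = BURST[path]
                hits = [t for t, _s, p in events if p == path and when - window < t <= when]
                if len(hits) > limit:
                    findings.append((user, "burst", path))
    return findings
```

Because the storyline is keyed by user rather than session, u42's payment in a second session is recognised as legitimate, while u99's reset attempts spread over two sessions still add up to a burst.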
15. Culture and Collaboration is Key
▪ Data transparency is the foundation of collaboration.
▪ API security has to be part of development culture.
▪ Continuous learning between API Development and Security teams.