Shift Left API Security - The Right Way
Sanjay Nagaraj
CTO and Co-founder, Traceable
sanjay@traceable.ai
API Security is a growing crisis
Israeli Voters' Personal Information Exposed by an API Vulnerability of the Election App
Apple Sign-in Service API Vulnerability Allows a User to Impersonate Anyone Else
The YouTube API bug that allowed unlisted uploads to any channel
Starbucks Gift-card Holders Can Trick the Website to Allow Search of Internal Starbucks Customer Records
How I could have hacked your Uber account!
Flaws in third-party software exposed dozens of Teslas to remote access
91% of organizations had an API security incident last year… (Security Magazine, Feb 2021)
Shopify Insider Leveraged Order APIs to Obtain Millions of Customer Records
Twitter Revealed API Exploit
Old approaches problematic for new applications
DAST/IAST: lacks application context, user awareness, visibility
SAST generates too many false positives, latency too high for CI/CD
Lack of API discovery and positive security posture
Bug bounty / Pentesting: doesn't align with CI/CD or agile, limited coverage, requires staff to reproduce
Inconsistencies in prod and staging environments
Key DevOps inspired trends in Application Security
API Lifecycle
Production/Runtime: started with runtime API Discovery & Protection. Doubling down on it
Development: shift-left to close the loop in CI
Pre-production: active testing to prioritize security issues to fix in CD
Comprehensive API security for complex, distributed applications needs coverage throughout the API lifecycle
Next generation =
Discovery + Context + Security
How to understand your APIs…
API Catalog: up-to-date inventory of APIs
Open API Spec: automatically create specs for all endpoints
Conformance: identify the drift from expected behavior
Risk Score: integrated score to identify APIs that need attention
Sensitive Data: identify sensitive data exposure per endpoint
Confidential / © Traceable.ai 2022
Application Context
Observability: the core foundation of modern AppSec
API ACTIVITY: API call chain (East-West); API calls in a user session
USER ACTIVITY: identity; roles & permissions
DATA FLOW: across a sequence of calls; between internal services; to external services
CODE EXECUTION: API parameters; request/response data; API response codes
(Diagram: Edge APIs → Internal APIs → External Service, traced through one rider session: view locations, reserve car, process payment, send receipt)
API security testing loop in pre-prod
CI/CD Loop
🔺 Up-to-date visibility into APIs
➢ Detailed API specs
➢ API changes and ownership
➢ API DNA / baseline
🔺 Establish API risk model
➢ Identify API risk in pre-prod
➢ Establish positive security model
🔺 Use production learnings to inform pre-production testing
➢ Increased test coverage
➢ Realistic use cases
🔺 Identify vulnerabilities before they get into Prod
➢ Capture the context of the problem
➢ Communicate to developers through common tools
➢ Prioritize based on risk
Recap
➔ Legacy security testing doesn't work for modern apps and APIs
➔ API discovery, posture and attack surface management are key to the security of modern applications
➔ Application context is important for coverage and accuracy
➔ Data flow and risk drive modern application security
➔ Continuously learning, production-informed testing makes security more relevant
➔ Speed and DevOps-led processes are paramount
Sanjay Nagaraj
CTO and Co-founder, Traceable
sanjay@traceable.ai
Questions?
Thank you.
Application security testing and verification evolution
Gen 1: Pen. Testing
Gen 2: DAST & Bug Bounty
Next-gen Security, what's needed:
● Code-aware / API Centric
● Wide test coverage
● Application/behavior context
● Understand data flow & risk
● Low false positives
● DevSecOps & CI/CD aligned
It is fundamental to application and API security that you have a deep understanding of how your pre-prod and production environments co-exist.
What drives modern Attack Surface Management
Broader attack surface with micro services
Fluid, dynamic, and opaque APIs
Continuous awareness of context and prod usage
Context + ML = Next-Gen Application Security
Signals: USER ACTIVITY, API ACTIVITY, CODE EXECUTION, DATA FLOW
Behavior Engine (Application DNA): User Behavior, API Behavior, Data Behavior, Code Behavior
Produces: User Trust, API Risk, Posture
Use cases: suspicious activity flagging; false positive reduction; data flow & exposure; business logic attack detection; ATO protection; security analytics; unknown attack detection; accelerated incident response; forensics; threat hunting; compliance / auditing
The new model for application and API security
Discover your environment
● Catalog all APIs: review risk scores and exposed sensitive parameters.
● Sensitive data flows: identify sensitive data types in the system and their flow across APIs.
● 3rd-party API abuse: catalog 3rd-party services and identify abuse.
API Posture and Security Testing
● Evaluate and measure API risk based on likelihood and impact.
● Detect vulnerabilities within traffic and application context.
● Manage API policies and change.
● Use learnings from prod traffic in security testing to increase coverage and leverage.
Run-time Protection and Analytics
● Real-time detection of session-based and request-based attacks.
● Proactive protection.
● Prevent API abuse and bots.
● Block internal fraud.
● Threat hunting: find threats, capture requests and responses.
Include aspects of 3rd party testing for continuous loop through organization
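The Behavior Engine slide lists business logic attack detection and ATO protection, and the run-time column above lists session-based detection; both depend on correlating requests per user session rather than judging each request alone. The following is an added example, not Traceable's code or its behavior engine, showing three such detections over a constructed request log: object-ID enumeration across a session (the BOLA/IDOR pattern), credential stuffing from one source IP, and a step of the deck's rider flow executed out of order. The log format, the ownership rule (user uNNNN owns /users/NNNN), the flow steps and the thresholds are all assumptions of the example.

```python
import re
from collections import defaultdict

def rec(ts, session, user, ip, method, path, status, account=None):
    """One request record; 'account' is the account name tried on the login endpoint."""
    return {"ts": ts, "session": session, "user": user, "ip": ip,
            "method": method, "path": path, "status": status, "account": account}

# Constructed log: s1 enumerates other users' records, s3 jumps straight to the receipt
# step of the ride flow, and 203.0.113.4 sprays failed logins across several accounts.
LOG = [
    rec(1, "s1", "u1001", "10.0.0.5", "GET", "/api/v1/users/1001", 200),
    rec(2, "s1", "u1001", "10.0.0.5", "GET", "/api/v1/users/1002", 200),
    rec(3, "s1", "u1001", "10.0.0.5", "GET", "/api/v1/users/1003", 200),
    rec(4, "s1", "u1001", "10.0.0.5", "GET", "/api/v1/users/1004", 200),
    rec(5, "s2", "u2000", "10.0.0.9", "GET", "/api/v1/users/2000", 200),
    rec(6, "s2", "u2000", "10.0.0.9", "POST", "/api/v1/rides/reserve", 201),
    rec(7, "s2", "u2000", "10.0.0.9", "POST", "/api/v1/rides/pay", 200),
    rec(8, "s2", "u2000", "10.0.0.9", "POST", "/api/v1/rides/receipt", 200),
    rec(9, "s3", "u3000", "10.0.0.7", "POST", "/api/v1/rides/receipt", 200),
    rec(10, "s4", "u4000", "10.0.0.8", "GET", "/api/v1/users/4001", 403),
    rec(11, "-", "-", "203.0.113.4", "POST", "/api/v1/login", 401, account="alice"),
    rec(13, "-", "-", "203.0.113.4", "POST", "/api/v1/login", 401, account="bob"),
    rec(16, "-", "-", "203.0.113.4", "POST", "/api/v1/login", 401, account="carol"),
    rec(20, "-", "-", "203.0.113.4", "POST", "/api/v1/login", 401, account="dave"),
    rec(22, "-", "-", "10.0.0.9", "POST", "/api/v1/login", 401, account="u2000"),
]

USER_OBJECT = re.compile(r"^/api/v1/users/(\d+)$")
# Assumed business flow for the deck's rider example: reserve, then pay, then receipt.
RIDE_FLOW = ["/api/v1/rides/reserve", "/api/v1/rides/pay", "/api/v1/rides/receipt"]

def detect_object_enumeration(log, max_foreign=2):
    """BOLA/IDOR-style enumeration: a session successfully reading more than max_foreign
    user objects it does not own (assumed ownership rule: uNNNN owns /users/NNNN)."""
    foreign = defaultdict(set)
    for r in log:
        m = USER_OBJECT.match(r["path"])
        if m and r["status"] == 200 and r["user"] != "u" + m.group(1):
            foreign[r["session"]].add(m.group(1))
    return {s: sorted(ids) for s, ids in foreign.items() if len(ids) > max_foreign}

def detect_credential_stuffing(log, window=60, min_accounts=3):
    """ATO precursor: one source IP failing logins against at least min_accounts distinct
    accounts inside a sliding window of `window` seconds."""
    attempts = defaultdict(list)
    for r in log:
        if r["path"] == "/api/v1/login" and r["status"] == 401:
            attempts[r["ip"]].append((r["ts"], r["account"]))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
                break
    return flagged

def detect_flow_skips(log, flow=RIDE_FLOW):
    """Business-logic abuse: a session reaching a later step of the flow without having
    completed every earlier step (for instance a receipt without a payment)."""
    completed = defaultdict(set)
    findings = []
    for r in sorted(log, key=lambda r: r["ts"]):
        if r["path"] in flow and r["status"] < 400:
            missing = [s for s in flow[:flow.index(r["path"])] if s not in completed[r["session"]]]
            if missing:
                findings.append((r["session"], r["path"], missing))
            completed[r["session"]].add(r["path"])
    return findings

if __name__ == "__main__":
    print("enumeration:", detect_object_enumeration(LOG))
    print("credential stuffing:", detect_credential_stuffing(LOG))
    print("flow skips:", detect_flow_skips(LOG))
```

None of these three rules fires on a single request; session s4's one denied foreign read and the single failed login from 10.0.0.9 stay below threshold, which is the point of judging behavior over the session rather than the request.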
Complete security testing loop pre-prod
✓ Know all the APIs in your app pre-prod
✓ Detailed API specs including name, service, headers, parameters, and payloads
✓ Identification of risky API changes in pre-prod
✓ Identify API endpoints that handle sensitive data
✓ API definition updates based on live traffic
✓ Notification of new and changed APIs
✓ Identify missing API tests
✓ Exercise all APIs with real-world traffic
CI/CD Loop
Alternate version of Slide 14
Run Security Observability In Pre-Prod
✓ Know all the APIs in your app before Prod
✓ Detailed API specs including the name, parent service, headers, parameters, and payloads
✓ API definition updates based on live traffic
✓ Identification of risky API changes in pre-prod
✓ Identify API endpoints that handle sensitive data
✓ Notification of new and changed APIs
✓ Identify missing API tests
Pre-production environments
● Part of CD testing
● Test with "life-like" data
● Exercise all your APIs
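Three of the checklist items on the two pre-prod slides above (risky API changes, notification of new and changed APIs, missing API tests) reduce to a diff between the spec of the last release and the spec discovered in pre-prod, joined against the test inventory. The following is an added example, not Traceable's code: it classifies the changes by risk (a new unauthenticated or write operation, an auth requirement dropped, new parameters, newly handled sensitive data), lists operations no test exercises, and gates the pipeline on high-risk changes that land on untested operations. The two path tables, the `TESTED` inventory, the `x-sensitive` extension and the severity labels are constructed for the example.

```python
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SEVERITY = {"high": 0, "medium": 1, "low": 2}

# Constructed path tables in OpenAPI shape: last release vs. what pre-prod discovery found.
# "x-sensitive" is an assumed vendor extension naming the sensitive data types an operation
# handles; an empty "security" list means the operation requires no authentication.
OLD_SPEC = {
    "/api/v1/users/{id}": {"get": {"security": [{"bearer": []}], "parameters": ["id"], "x-sensitive": ["email"]}},
    "/api/v1/orders": {"get": {"security": [{"bearer": []}], "parameters": ["page", "limit"]}},
    "/api/v1/payments": {"post": {"security": [{"bearer": []}], "parameters": [], "x-sensitive": ["card_number"]}},
}
NEW_SPEC = {
    "/api/v1/users/{id}": {
        "get": {"security": [], "parameters": ["id"], "x-sensitive": ["email"]},   # auth requirement dropped
        "delete": {"security": [{"bearer": []}], "parameters": ["id"]},            # new write operation
    },
    "/api/v1/orders": {"get": {"security": [{"bearer": []}], "parameters": ["page", "limit", "user_id"]}},
    "/api/v1/payments": {"post": {"security": [{"bearer": []}], "parameters": [],
                                  "x-sensitive": ["card_number", "email"]}},     # now also handles email
    "/internal/debug": {"get": {"security": [], "parameters": []}},                # new, unauthenticated
}
# Constructed inventory of the operations the CI test suite exercises.
TESTED = {("GET", "/api/v1/users/{id}"), ("GET", "/api/v1/orders"), ("POST", "/api/v1/payments")}

def operations(spec):
    """Flatten a path table into {(METHOD, path): operation}."""
    return {(m.upper(), p): op for p, ops in spec.items() for m, op in ops.items()}

def diff_specs(old, new):
    """Change records (severity, kind, method, path, detail), highest severity first."""
    o, n = operations(old), operations(new)
    changes = []
    for method, path in n.keys() - o.keys():
        op = n[(method, path)]
        unauth = not op.get("security")
        sev = "high" if unauth or method in WRITE_METHODS or op.get("x-sensitive") else "medium"
        changes.append((sev, "new_operation", method, path, "unauthenticated" if unauth else ""))
    for method, path in o.keys() - n.keys():
        changes.append(("low", "removed_operation", method, path, ""))
    for method, path in o.keys() & n.keys():
        before, after = o[(method, path)], n[(method, path)]
        if before.get("security") and not after.get("security"):
            changes.append(("high", "auth_removed", method, path, ""))
        added = set(after.get("parameters", [])) - set(before.get("parameters", []))
        if added:
            changes.append(("medium", "new_parameters", method, path, ",".join(sorted(added))))
        new_sensitive = set(after.get("x-sensitive", [])) - set(before.get("x-sensitive", []))
        if new_sensitive:
            changes.append(("high", "new_sensitive_data", method, path, ",".join(sorted(new_sensitive))))
    return sorted(changes, key=lambda c: (SEVERITY[c[0]], c[2], c[3], c[1]))

def untested_operations(spec, tested):
    """Operations in the spec that no test exercises (the deck's 'missing API tests')."""
    return sorted(operations(spec).keys() - tested)

def gate(changes, untested):
    """CI gate: high-severity changes on operations with no test block the pipeline."""
    untested = set(untested)
    return [c for c in changes if c[0] == "high" and (c[2], c[3]) in untested]

if __name__ == "__main__":
    changes = diff_specs(OLD_SPEC, NEW_SPEC)
    for c in changes:
        print("%-6s %-18s %-6s %-22s %s" % c)
    missing = untested_operations(NEW_SPEC, TESTED)
    print("untested:", missing)
    print("blocking:", gate(changes, missing))
```

The gate deliberately does not block on the dropped auth requirement for `GET /api/v1/users/{id}`, because that operation has a test; the point is that the notification goes to the owner with the test to extend, while an untested new endpoint stops the pipeline until it has one.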
Risk reduction and threat remediation pre-prod
CI/CD Loop
API Discovery and Risk Mgmt: ✓ Prioritize security focus on higher risk APIs
Transaction details from Security Events: ✓ Resolving of unexpected/unwanted behaviors ✓ Remediate threats faster ✓ Perform deep forensics
Aggregated Security Events: ✓ Triage attacks faster ✓ Decrease analysis time
Alternate version of Slide 17
Security Observability In the Dev Feedback Loop
● From results of API discovery and risk monitoring
✓ Prioritize security focus on higher risk APIs
● From transaction details surrounding security events
✓ Remediate threats faster
✓ Faster troubleshooting and resolving of unexpected/unwanted behaviors
✓ Perform deep forensics
● From aggregated security events
✓ Triage attacks faster
✓ Decrease analysis time
Production Feedback Loop to Dev
● Data & analysis from production traffic
● Info used in CI/CD pipeline

2022 APIsecure_Shift Left API Security - The Right Way
