API Security Webinar - Hendra Tanto

•

0 likes•52 views

API Security Webinar by Hendra Tanto Simak penjelasan dari pakar industri tentang trend dan tantangan API dalam tahun 2021. Pelajari bagaimana organisasi dapat membebaskan potensi API, untuk secara efektif menangkis serangan dan melindungi aset API. Masalah-masalah yang muncul di event API Security Challenge juga akan dibahas di sini, dan akan ada hadiah-hadiah menarik bagi semua peserta. Agenda : - Penelusuran trend keamanan API, tantangan dan masalah-masalah keamanan yang sering dihadapi. - Temuan dan Statistik yang dipelajari lewat API Security Challenge - Penelusuran solusi untuk tantangan nyata yang ditemui dalam API Security Challenges - Pengumuman pemenang API Security Challenge

Technology

API SECURITY CHALLENGE
F5 LABS
Hendra Tanto
h.tanto@f5.com

● A1: Broken Object Level Authorization
● A2: Broken Authentication
● A3: Excessive Data Exposure
● A4: Lack of Resources & Rate Limiting
● A5: Broken Function Level Authorization
● A6: Mass Assignment
● A7: Security Misconfiguration
● A8: Injection
● A9: Improper Assets Management
● A10: Insufficient Logging & Monitoring
API Security Top 10
Weak Authentication & Authorization
Information Leakage
Malicious Request
Lack of Visibility

| ©2019 F5 NETWORKS
5
How to Secure API according to Gartner
+? ms +? ms +? ms +? ms +? ms +? ms +? ms
+500 ms

| ©2019 F5
10
API Management – Traffic Management

$| ©2019 F5 NETWORKS 12 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1 Host: partners.uber.com {“nationalPhoneNumber”:”xxxxxxxxxx”,”countryCode”:”1"} { “status”:”failure”, ”data”: { “code”:1009, ”message”:”Driver ‘47d063f8–0xx5e-xxxxx-b01a-xxxx’ not found” } } #1 #2 Thank you for the driver's Uid!$

$| ©2019 F5 NETWORKS 13 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1 … {“language”:”en”,”userUuid”:”xxxx–776–4xxxx1bd-861a- 837xxx604ce”} { “status”:”success”, ”data”:{ … ”getUser”:{ “uuid”:”cxxxxxc5f7371e”, ”firstname”:”Maxxxx”, ”lastname”:”XXXX”, … ”email”:”xxxx@gmail.com”, ”emailToken”:”xxxxxxxx”, … ”token”:”b8038ec4143bb4xxxxxx72d”, … ”lastSelectedPaymentProfileUuid”:”xxxxxx”, … ”driverInfo”:{ … }, ”partnerInfo”:{ “address”:”Nxxxxxxx”, ”dateOfBirth”:xxxxxx, ”… } } #3 #4 The driver's entire profile + Token$

| ©2019 F5
21
Billing Service
Edge API Gateway
User Management
Service
Top Up Service
Payment Service
Point Service
Other API
/api/other/topup
/api/other/user
Payment API
/api/payment/inquiry
/api/payment/payment
Billing API
/api/billing/payment
/api/billing/settlement
500 / Second
100 / Second
5000 / Second
Partner 1
Partner 2
NGINX API Gateway Functions

Authorization
Server
Client
Token
Resource Server
Identity
1
2 3
4
Validation
Trust
Resource Owner
5
API Authorization
OAUTH 2.0
“The idea of OAuth is that by
requiring users to pass their
confidential credentials over
the network less frequently,
less bad things can happen.”

The session will discuss a library of solutions implemented at clients for transferring between applications in separate pods. Each configuration has its own merits and use case. The four main categories that will be discussed are - 1. Trickle Feed - uses a combination of inter-pod REST API connection, data management load rule, groovy scripting and scheduled EPM Automate job on a jump server to pick-up the files from source and push to target. 2. Focused On-save Push - pushes an intersection from source to target using inter-pod REST API connection, data management load rule and groovy scripting. 3. Scheduled Push- uses a combination of windows or Linux job, inter-pod REST API connection, groovy scripting, data management load rule and EPM Automate commands to extract and push data en masse from source to target. 4. Json Extract and Load - uses a combination of groovy scripting and inter-pod REST API connection to extract and push an intersection on-save. The audience will walk-away with learnings and understanding of inter-pod configurations, mainly for EPM Cloud planning applications. Snippets of code will form the "gold dust" takeaway from the session.

A Tour of Different API Management Architectures

Nordic APIs

APIs are fueling innovation and digital transformation initiatives. With the explosive growth in APIs, developers and architects are employing different kinds of architectures to process API traffic. Attend this session to learn about commonly deployed API Management architectures. Approach 1: Centralized API Lifecycle management where the data plane and control plane are tightly coupled . Approach 2: “Hybrid” architectural approach that involves some processing at the edge by microgateways to process API calls between microservices. Approach 3: Decoupled data plane and control plane resulting in no need for microgateways or databases to process API calls.

apidays LIVE Paris - Potential of API integrations, common traps and advices ...

apidays

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...

apidays

Is Your API Being Abused – And Would You Even Notice If It Was?

Nordic APIs

APIs are a wonderful thing and bring many benefits, but by their very nature they are also a window into how your business operates. If someone can exploit your system for gain, they will. This presentation will give multiple real examples of API abuse in the wild, via methods such as data scraping, service misuse/cheating, unauthorized aggregation and fake account creation. How is it done, how are existing API controls bypassed, and what are the business implications? The audience will learn that API abusers are inventive and they use smart tools. The audience will also learn who some of these API abusers are, and may be surprised by the result. (Spoiler: they can be your customers!) Finally, some guidance will be given around what additional access controls can be put in place to ensure API based businesses continue to prosper.

apidays LIVE Jakarta - E5 ways to make your integration more resilient by Je...

apidays

apidays LIVE Australia 2020 - Starting and Growing an API security company by...

apidays

Adapt or Die Sydney - API Security

Apigee | Google Cloud

WATCH WEBINAR: https://42crunch.com/webinar-questions-azure-pipelines/ REST API Static Security Testing Extension for Microsoft Azure Pipelines: https://bit.ly/42azure Security is an important topic in software development. Unfortunately, security is usually considered too late in software development, and especially in the API lifecycle. Waiting until software and APIs are in production before addressing security concerns can be a severe risk to your organization. Did you know that vulnerabilities found in production cost up to 30x time and money more to fix? There is a solution: by engaging developers early, educating them on API threats and uncovering real actionable issues in your APIs, you can act swiftly and save a lot of effort downstream. In this webinar, we will - Explain the concepts behind “shifting left” and how it can benefit your organization, both at quality and security levels. - Explain how auditing your OpenAPI (aka Swagger) definitions gives early visibility to developers of potential security issues in APIs implementation. - Demonstrate the functionality of the audit and which issues it detects. - Describe how you can leverage audit at build time to ensure only contracts at the required level of security quality can be deployed. - Demonstrate our new Azure Pipelines plugin and its discovery mechanism. - We will be joined in the webinar by Steven Murawski from the Microsoft Azure Cloud Advocacy team.

Kondo-ing API Authorization

Nordic APIs

Deconstructing API Security

Akana

APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...

apidays

London Adapt or Die: Five Things Enterprises Should Know About Serverless

Apigee | Google Cloud

London Adapt or Die: Securing your APIs the Right Way!

Apigee | Google Cloud

Test and Protect Your API

SmartBear

How Apigee Api Management Platform Helps with Digital Excellence

Ram Kumar

How Secure Are Your APIs?

Apigee | Google Cloud

I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop

Apigee | Google Cloud

Api Monitizer by T5 Systems

ONUR FENAR

Apigee Edge Product Demo

Apigee | Google Cloud

APIs are key to making every business a digital business. Businesses need APIs to connect with partners and customers, at any time, on any device, and to participate in the digital ecosystems. To be digital, a scalable flexible API infrastructure is required. Join the Live Demo of Apigee Edge to learn how to: • Easily configure and manage new APIs and enforce security with minimal impact to backend services • Create, manage and monetize API products • Extend API Services to increase flexibility and tailor to business requirements with JavaScript, Java, Python, and Node.js • Provide developers easy, yet secure access to explore, test, and deploy APIs • Use end-to-end visibility across the digital value chain to monitor, measure, and manage success. with unified operational, developer, app performance, and business metrics Apigee Edge enables digital business acceleration with a unified and complete platform, purpose-built for the digital economy. Edge simplifies managing the entire digital value chain with API Services, Developer Services, and Analytics Services. Watch Video: http://youtu.be/7gut1JrOzOM Download Podcast: http://bit.ly/1Cy6p6W

API Management Part 1 - An Introduction to Azure API Management

BizTalk360

Building APIs is not just about technology. APIs enable many new business opportunities, but only if done correctly. Enter API Management platforms to provide the building blocks behind a successful API program. As a result of lucrative opportunities, many Software vendors have emerged or pivoted from their SOA management roots to provide API Management capabilities. In this session, Kent will introduce you to Microsoft’s Azure API Management platform by providing an overview that highlights its capabilities and the opportunities that emerge for organizations. As part of this presentation, Kent will demonstrate how developers can create their first API and discuss strategies for transforming existing services to leverage Azure API Management. This presentation will consist of general guidance on API Management, an Azure API Management portal walk-through and demos that re-enforce the concepts that were introduced.

Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...Apigee | Google Cloud

The API Economy: Adding Business Value

SmartBear

Data Driven Security

Apigee | Google Cloud

Presentation from the technology track at I Love APIs London 2016 featuring Sridhar Rajagopalan, Apigee. Organisations have been using layered threat protection techniques to protect their crown jewels from cyber criminals. Security protection approaches encompass identification, detection, protection and response to threats. However, these approaches typically address "Known Knowns" threats and are not adequate for protecting your backend and APIs from sophisticated "Known Unknowns" attack vectors. Hackers are exploiting weak mobile apps, stolen keys, and information scrappers (bots) that emulate human behavior to exfiltrate data from your backend. How can you mitigate security threats that are adaptive and blend with legitimate traffic? In this session, we'll present Apigee's innovative data driven security approach that detects intelligent Bots, transaction anomalies and help protect your APIs from cyberthreats, in real-time.

Mining API Traffic Metadata

Nordic APIs

Azure API management dive deep GAB2017

Jorge Arteiro

How to Achieve Agile API Security

Apigee | Google Cloud

Learn about security architecture, security patterns for app and API access control, and best practices for threat management, data security, identity and compliance including: - how to approach API security for your API program? - the API security pillars - threat protection, data security and identity - best practices for integrating identity services into API management - how to meet compliance requirements for API products

Api Management and Demo

DevOps Indonesia

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

apidays

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs October 11 & 12, 2023 https://www.apidays.global/australia/ API Security Breach Analysis & Empowering Devs to Make Secure APIs Jeremy Snyder, Founder and CEO of FireTail ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

What's hot

apidays LIVE Paris - Driving innovation through External APIs without putting...

apidays

REST API Security by Design with Azure Pipelines

42Crunch

Kondo-ing API Authorization

Nordic APIs

Deconstructing API Security

Akana

APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...

apidays

London Adapt or Die: Five Things Enterprises Should Know About Serverless

Apigee | Google Cloud

London Adapt or Die: Securing your APIs the Right Way!

Apigee | Google Cloud

Test and Protect Your API

SmartBear

How Apigee Api Management Platform Helps with Digital Excellence

Ram Kumar

How Secure Are Your APIs?

Apigee | Google Cloud

I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop

Apigee | Google Cloud

Api Monitizer by T5 Systems

ONUR FENAR

Apigee Edge Product Demo

Apigee | Google Cloud

API Management Part 1 - An Introduction to Azure API Management

BizTalk360

Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...Apigee | Google Cloud

The API Economy: Adding Business Value

SmartBear

Data Driven Security

Apigee | Google Cloud

Mining API Traffic Metadata

Nordic APIs

Azure API management dive deep GAB2017

Jorge Arteiro

How to Achieve Agile API Security

Apigee | Google Cloud

What's hot (20)

apidays LIVE Paris - Driving innovation through External APIs without putting...

REST API Security by Design with Azure Pipelines

Kondo-ing API Authorization

Deconstructing API Security

APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...

London Adapt or Die: Five Things Enterprises Should Know About Serverless

London Adapt or Die: Securing your APIs the Right Way!

Test and Protect Your API

How Apigee Api Management Platform Helps with Digital Excellence

How Secure Are Your APIs?

I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop

Api Monitizer by T5 Systems

Apigee Edge Product Demo

API Management Part 1 - An Introduction to Azure API Management

Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...

The API Economy: Adding Business Value

Data Driven Security

Mining API Traffic Metadata

Azure API management dive deep GAB2017

How to Achieve Agile API Security

Similar to API Security Webinar - Hendra Tanto

Api Management and Demo

DevOps Indonesia

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

apidays

Api economy and why effective security is important (1)

IndusfacePvtLtd

Appdome & OWASP Keynote Presentation | API World 2019

Anne Smith

[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...

WSO2

What do Google, Facebook, Paypal, IRS, T-mobile, and USPS have in common? Answer -- hackers used their APIs to access sensitive customer information. Although these API attacks were exposed, most API-based attacks go undetected these days. This deck will discuss today’s evolving API threat landscape and explore what you can do to both detect and block cyberattacks from authenticated users and hackers who have reverse engineered your API with an integrated solution from WSO2 and PingIntelligence.

Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)

DicodingEvent

APIsecure 2023 - The Present and Future of OWASP API Security Top 10, Inon Sh...

apidays

APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 The Present and Future of OWASP API Security Top 10 Inon Shkedy, Co-Author of OWASP API Security Top 10 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

QA Fest 2019. Катерина Овеченко. Тестирование безопасности API

QAFest

Тестирование API на безопасность имеет свои специфики в сравнении с веб приложениями. В своем докладе я расскажу вам про основные уязвимости, которые встречаются в API и как их найти. Я также покажу основные инструменты, с помощью которых можно автоматизаировать тестирование API на безопасность и дам советы, какой инструмент подходит для каких типов приложений. Доклад нацелен на аудиторию, обладающую базовыми знаниями о тестировании безопасности и понимающую основные иньекции.

Takeaways from API Security Breaches Webinar

CA API Management

Examining today's biggest API breaches to mitigate API security vulnerabilities Data breaches have become the top news story. And APIs are quickly becoming the hacker's new favorite attack vector. They offer a direct path to critical information and business services that can be easily stolen or disrupted. And your private APIs can be exploited just as easily as a public API. So what measures can you take to strengthen your security position? This webinar explores recent API data breaches, the top API security vulnerabilities that are most impactful to today's enterprise and the protective measures that need to be taken to mitigate API and business exposure. You Will Learn -Recent breaches in the news involving APIs -Top attacks that compromise your business -Mitigating steps to protect your business from attacks and unauthorized access -API Management solutions that both enable and protect your business Learn about API Security at http://www.ca.com/api

apidays New York 2023 - A decade of API breaches, courtesy of application fla...

apidays

apidays New York 2023 APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media May 16 & 17, 2023 A decade of API breaches, courtesy of application flaws Jeremy Snyder, Founder at FireTail ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management

seank14

Checkmarx meetup API Security - API Security top 10 - Erez Yalon

Adar Weidman

API Security Webinar - Security Guidelines for Providing and Consuming APIs

DevOps Indonesia

API Security Webinar - Security Guidelines for Providing and Consuming APIs by Faisal Yahya Simak penjelasan dari pakar industri tentang trend dan tantangan API dalam tahun 2021. Pelajari bagaimana organisasi dapat membebaskan potensi API, untuk secara efektif menangkis serangan dan melindungi aset API. Masalah-masalah yang muncul di event API Security Challenge juga akan dibahas di sini, dan akan ada hadiah-hadiah menarik bagi semua peserta. Agenda : - Penelusuran trend keamanan API, tantangan dan masalah-masalah keamanan yang sering dihadapi. - Temuan dan Statistik yang dipelajari lewat API Security Challenge - Penelusuran solusi untuk tantangan nyata yang ditemui dalam API Security Challenges - Pengumuman pemenang API Security Challenge

API Security Webinar : Security Guidelines for Providing and Consuming APIs

DevOps Indonesia

Case Study: Gala Coral Improves the Odds in Retail Gaming and Entertainment w...

CA Technologies

Technology Primer: Customize CA Application Performance Management With Tip...

CA Technologies

Bring your monitoring solution to a new level by leveraging APIs and extension points with CA APM. In this session, CA Application Performance Management (CA APM) subject matter experts share examples and guidance to perfectly meet monitoring requirements by combining the intelligence of our APM solution with the extensive extension capabilities offered via new APIs. For more information, please visit http://cainc.to/Nv2VOe

F5-API-Security-Best-Practices.pdf

FahmiDzikrullah

WEBINAR: OWASP API Security Top 10

42Crunch

WATCH WEBINAR: https://youtu.be/zTkv_9ChVPY In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: What makes API Security different from web application security The OWASP API Security Top 10 Real world breaches and mitigation strategies for each of the risks

APIsecure 2023 - Learning from a decade of API breaches and why application-c...

apidays

APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 Learning from a decade of API breaches and why application-centric security is the right path Jeremy Snyder, Founder and CEO at FireTail.io ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Protecting Microservices APIs with 42Crunch API Firewall

42Crunch

In loosely coupled architectures, we must put in place application level security, should it be for client traffic (North-South) or intra-microservices traffic (East-West). In this webinar, we show you how the 42Crunch API firewall can be used to put API threat protection in place automatically, as early as design time. We’ll use a mix of slides and demos to present: (1) The various elements of security to consider in order to cover the full API security scope (infrastructure vs application level security) (2) Which threat protections must be put in place in a microservices architecture, and where (3) How to leverage OpenAPI (aka Swagger) to configure threat protection from design time (4) How to automate threat protection deployment

Similar to API Security Webinar - Hendra Tanto (20)

Api Management and Demo

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...

Api economy and why effective security is important (1)

Appdome & OWASP Keynote Presentation | API World 2019

[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...

Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)

APIsecure 2023 - The Present and Future of OWASP API Security Top 10, Inon Sh...

QA Fest 2019. Катерина Овеченко. Тестирование безопасности API

Takeaways from API Security Breaches Webinar

apidays New York 2023 - A decade of API breaches, courtesy of application fla...

Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management

Checkmarx meetup API Security - API Security top 10 - Erez Yalon

API Security Webinar - Security Guidelines for Providing and Consuming APIs

API Security Webinar : Security Guidelines for Providing and Consuming APIs

Case Study: Gala Coral Improves the Odds in Retail Gaming and Entertainment w...

Technology Primer: Customize CA Application Performance Management With Tip...

F5-API-Security-Best-Practices.pdf

WEBINAR: OWASP API Security Top 10

APIsecure 2023 - Learning from a decade of API breaches and why application-c...

Protecting Microservices APIs with 42Crunch API Firewall

More from DevOps Indonesia

DevSecOps Implementation Journey

DevOps Indonesia

DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022

DevOps Indonesia

Securing an NGINX deployment for K8s

DevOps Indonesia

DevOps Indonesia Meetup #52 - announcement

DevOps Indonesia

Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement

DevOps Indonesia

Securing DevOps Lifecycle

DevOps Indonesia

DevOps Meetup 50 : Securing your Application - Announcement

DevOps Indonesia

Secure your Application with Google cloud armor

DevOps Indonesia

DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia

DevOps Indonesia

Operate Containers with AWS Copilot

DevOps Indonesia

Continuously Deploy Your CDK Application by Petra novandi barus

DevOps Indonesia

DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...

DevOps Indonesia

Securing Your Database Dynamic DB Credentials

DevOps Indonesia

DevOps Indonesia (online) meetup 45 - Announcement

DevOps Indonesia

The Death and Rise of Enterprise DevOps

DevOps Indonesia

API Security Webinar - Credential Stuffing

DevOps Indonesia

API Security Webinar - Security Guidelines for Providing and Consuming APIs by Alexander Marcel Simak penjelasan dari pakar industri tentang trend dan tantangan API dalam tahun 2021. Pelajari bagaimana organisasi dapat membebaskan potensi API, untuk secara efektif menangkis serangan dan melindungi aset API. Masalah-masalah yang muncul di event API Security Challenge juga akan dibahas di sini, dan akan ada hadiah-hadiah menarik bagi semua peserta. Agenda : - Penelusuran trend keamanan API, tantangan dan masalah-masalah keamanan yang sering dihadapi. - Temuan dan Statistik yang dipelajari lewat API Security Challenge - Penelusuran solusi untuk tantangan nyata yang ditemui dalam API Security Challenges - Pengumuman pemenang API Security Challenge

API Security Webinar : Credential Stuffing

DevOps Indonesia

Feature Scoring in Green Field Application Development and DevOps

DevOps Indonesia

DevOps indonesia (Online) Meetup #44 - Announcement

DevOps Indonesia

Introduction to SaltStack (An Event-Based Configuration Management)

DevOps Indonesia

More from DevOps Indonesia (20)

DevSecOps Implementation Journey

DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022

Securing an NGINX deployment for K8s

DevOps Indonesia Meetup #52 - announcement

Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement

Securing DevOps Lifecycle

DevOps Meetup 50 : Securing your Application - Announcement

Secure your Application with Google cloud armor

DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia

Operate Containers with AWS Copilot

Continuously Deploy Your CDK Application by Petra novandi barus

DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...

Securing Your Database Dynamic DB Credentials

DevOps Indonesia (online) meetup 45 - Announcement

The Death and Rise of Enterprise DevOps

API Security Webinar - Credential Stuffing

API Security Webinar : Credential Stuffing

Feature Scoring in Green Field Application Development and DevOps

DevOps indonesia (Online) Meetup #44 - Announcement

Introduction to SaltStack (An Event-Based Configuration Management)

Recently uploaded

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

Free Complete Python - A step towards Data Science

RinaMondal9

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

Recently uploaded (20)

Climate Impact of Software Testing at Nordic Testing Days

Artificial Intelligence for XMLDevelopment

Large Language Model (LLM) and it’s Geospatial Applications

20240609 QFM020 Irresponsible AI Reading List May 2024

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Monitoring Java Application Security with JDK Tools and JFR Events

National Security Agency - NSA mobile device best practices

DevOps and Testing slides at DASA Connect

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

Free Complete Python - A step towards Data Science

20240607 QFM018 Elixir Reading List May 2024

Epistemic Interaction - tuning interfaces to provide information for AI support

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Essentials of Automations: The Art of Triggers and Actions in FME

Removing Uninteresting Bytes in Software Fuzzing

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Elizabeth Buie - Older adults: Are we really designing for our future selves?

The Art of the Pitch: WordPress Relationships and Sales

API Security Webinar - Hendra Tanto

1. API SECURITY CHALLENGE F5 LABS Hendra Tanto h.tanto@f5.com

4. ● A1: Broken Object Level Authorization ● A2: Broken Authentication ● A3: Excessive Data Exposure ● A4: Lack of Resources & Rate Limiting ● A5: Broken Function Level Authorization ● A6: Mass Assignment ● A7: Security Misconfiguration ● A8: Injection ● A9: Improper Assets Management ● A10: Insufficient Logging & Monitoring API Security Top 10 Weak Authentication & Authorization Information Leakage Malicious Request Lack of Visibility

11.

12. | ©2019 F5 NETWORKS 12 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1 Host: partners.uber.com {“nationalPhoneNumber”:”xxxxxxxxxx”,”countryCode”:”1"} { “status”:”failure”, ”data”: { “code”:1009, ”message”:”Driver ‘47d063f8–0xx5e-xxxxx-b01a-xxxx’ not found” } } #1 #2 Thank you for the driver's Uid!

13. | ©2019 F5 NETWORKS 13 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1 … {“language”:”en”,”userUuid”:”xxxx–776–4xxxx1bd-861a- 837xxx604ce”} { “status”:”success”, ”data”:{ … ”getUser”:{ “uuid”:”cxxxxxc5f7371e”, ”firstname”:”Maxxxx”, ”lastname”:”XXXX”, … ”email”:”xxxx@gmail.com”, ”emailToken”:”xxxxxxxx”, … ”token”:”b8038ec4143bb4xxxxxx72d”, … ”lastSelectedPaymentProfileUuid”:”xxxxxx”, … ”driverInfo”:{ … }, ”partnerInfo”:{ “address”:”Nxxxxxxx”, ”dateOfBirth”:xxxxxx, ”… } } #3 #4 The driver's entire profile + Token

14.

15.

16.

17.

18.

19.

20.

21. | ©2019 F5 21 Billing Service Edge API Gateway User Management Service Top Up Service Payment Service Point Service Other API /api/other/topup /api/other/user Payment API /api/payment/inquiry /api/payment/payment Billing API /api/billing/payment /api/billing/settlement 500 / Second 100 / Second 5000 / Second Partner 1 Partner 2 NGINX API Gateway Functions

22.

23.

24. Bank Breach through 3rd Party

25. Authorization Server Client Token Resource Server Identity 1 2 3 4 Validation Trust Resource Owner 5 API Authorization OAUTH 2.0 “The idea of OAuth is that by requiring users to pass their confidential credentials over the network less frequently, less bad things can happen.”

API Security Webinar - Hendra Tanto

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to API Security Webinar - Hendra Tanto

Similar to API Security Webinar - Hendra Tanto (20)

More from DevOps Indonesia

More from DevOps Indonesia (20)

Recently uploaded

Recently uploaded (20)

API Security Webinar - Hendra Tanto