DevOps Indonesia, profile picture
Uploaded byDevOps Indonesia
PDF, PPTX63 views

API Security Webinar - Hendra Tanto

The document outlines the top API security challenges, including broken object level authorization, excessive data exposure, and security misconfiguration. It presents specific examples of vulnerabilities, such as a case involving Uber's API, and emphasizes the importance of proper authentication and authorization mechanisms. Additionally, it mentions strategies for securing APIs based on recommendations by industry experts.

Embed presentation

Download as PDF, PPTX
API SECURITY CHALLENGE F5 LABS Hendra Tanto h.tanto@f5.com
● A1: Broken Object Level Authorization ● A2: Broken Authentication ● A3: Excessive Data Exposure ● A4: Lack of Resources & Rate Limiting ● A5: Broken Function Level Authorization ● A6: Mass Assignment ● A7: Security Misconfiguration ● A8: Injection ● A9: Improper Assets Management ● A10: Insufficient Logging & Monitoring API Security Top 10 Weak Authentication & Authorization Information Leakage Malicious Request Lack of Visibility
| ©2019 F5 NETWORKS 5 How to Secure API according to Gartner +? ms +? ms +? ms +? ms +? ms +? ms +? ms +500 ms
| ©2019 F5 9 API Management
| ©2019 F5 10 API Management – Traffic Management
| ©2019 F5 NETWORKS 12 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1 Host: partners.uber.com {“nationalPhoneNumber”:”xxxxxxxxxx”,”countryCode”:”1"} { “status”:”failure”, ”data”: { “code”:1009, ”message”:”Driver ‘47d063f8–0xx5e-xxxxx-b01a-xxxx’ not found” } } #1 #2 Thank you for the driver's Uid!
| ©2019 F5 NETWORKS 13 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1 … {“language”:”en”,”userUuid”:”xxxx–776–4xxxx1bd-861a- 837xxx604ce”} { “status”:”success”, ”data”:{ … ”getUser”:{ “uuid”:”cxxxxxc5f7371e”, ”firstname”:”Maxxxx”, ”lastname”:”XXXX”, … ”email”:”xxxx@gmail.com”, ”emailToken”:”xxxxxxxx”, … ”token”:”b8038ec4143bb4xxxxxx72d”, … ”lastSelectedPaymentProfileUuid”:”xxxxxx”, … ”driverInfo”:{ … }, ”partnerInfo”:{ “address”:”Nxxxxxxx”, ”dateOfBirth”:xxxxxx, ”… } } #3 #4 The driver's entire profile + Token
| ©2019 F5 21 Billing Service Edge API Gateway User Management Service Top Up Service Payment Service Point Service Other API /api/other/topup /api/other/user Payment API /api/payment/inquiry /api/payment/payment Billing API /api/billing/payment /api/billing/settlement 500 / Second 100 / Second 5000 / Second Partner 1 Partner 2 NGINX API Gateway Functions
Bank Breach through 3rd Party
Authorization Server Client Token Resource Server Identity 1 2 3 4 Validation Trust Resource Owner 5 API Authorization OAUTH 2.0 “The idea of OAuth is that by requiring users to pass their confidential credentials over the network less frequently, less bad things can happen.”
API Security Webinar - Hendra Tanto

More Related Content

PDF
nter-pod Revolutions: Connected Enterprise Solution in Oracle EPM Cloud
byAlithya
 
PPTX
A Tour of Different API Management Architectures
byNordic APIs
 
PDF
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
byapidays
 
PPTX
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
byapidays
 
PDF
Is Your API Being Abused – And Would You Even Notice If It Was?
byNordic APIs
 
PDF
apidays LIVE Jakarta - E5 ways to make your integration more resilient by Je...
byapidays
 
PDF
apidays LIVE Australia 2020 - Starting and Growing an API security company by...
byapidays
 
PPTX
Adapt or Die Sydney - API Security
byApigee | Google Cloud
 
nter-pod Revolutions: Connected Enterprise Solution in Oracle EPM Cloud
byAlithya
 
A Tour of Different API Management Architectures
byNordic APIs
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
byapidays
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
byapidays
 
Is Your API Being Abused – And Would You Even Notice If It Was?
byNordic APIs
 
apidays LIVE Jakarta - E5 ways to make your integration more resilient by Je...
byapidays
 
apidays LIVE Australia 2020 - Starting and Growing an API security company by...
byapidays
 
Adapt or Die Sydney - API Security
byApigee | Google Cloud
 

What's hot

PDF
apidays LIVE Paris - Driving innovation through External APIs without putting...
byapidays
 
PDF
REST API Security by Design with Azure Pipelines
by42Crunch
 
PPTX
Kondo-ing API Authorization
byNordic APIs
 
PPTX
Deconstructing API Security
byAkana
 
PDF
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
byapidays
 
PPTX
London Adapt or Die: Five Things Enterprises Should Know About Serverless
byApigee | Google Cloud
 
PPTX
London Adapt or Die: Securing your APIs the Right Way!
byApigee | Google Cloud
 
PPTX
Test and Protect Your API
bySmartBear
 
PDF
How Apigee Api Management Platform Helps with Digital Excellence
byRam Kumar
 
PDF
How Secure Are Your APIs?
byApigee | Google Cloud
 
PDF
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
byApigee | Google Cloud
 
PDF
Api Monitizer by T5 Systems
byONUR FENAR
 
PPTX
Apigee Edge Product Demo
byApigee | Google Cloud
 
PPTX
API Management Part 1 - An Introduction to Azure API Management
byBizTalk360
 
PDF
Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...
byApigee | Google Cloud
 
PDF
The API Economy: Adding Business Value
bySmartBear
 
PDF
Data Driven Security
byApigee | Google Cloud
 
PPTX
Mining API Traffic Metadata
byNordic APIs
 
PPTX
Azure API management dive deep GAB2017
byJorge Arteiro
 
PDF
How to Achieve Agile API Security
byApigee | Google Cloud
 
apidays LIVE Paris - Driving innovation through External APIs without putting...
byapidays
 
REST API Security by Design with Azure Pipelines
by42Crunch
 
Kondo-ing API Authorization
byNordic APIs
 
Deconstructing API Security
byAkana
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
byapidays
 
London Adapt or Die: Five Things Enterprises Should Know About Serverless
byApigee | Google Cloud
 
London Adapt or Die: Securing your APIs the Right Way!
byApigee | Google Cloud
 
Test and Protect Your API
bySmartBear
 
How Apigee Api Management Platform Helps with Digital Excellence
byRam Kumar
 
How Secure Are Your APIs?
byApigee | Google Cloud
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
byApigee | Google Cloud
 
Api Monitizer by T5 Systems
byONUR FENAR
 
Apigee Edge Product Demo
byApigee | Google Cloud
 
API Management Part 1 - An Introduction to Azure API Management
byBizTalk360
 
Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...
byApigee | Google Cloud
 
The API Economy: Adding Business Value
bySmartBear
 
Data Driven Security
byApigee | Google Cloud
 
Mining API Traffic Metadata
byNordic APIs
 
Azure API management dive deep GAB2017
byJorge Arteiro
 
How to Achieve Agile API Security
byApigee | Google Cloud
 

Similar to API Security Webinar - Hendra Tanto

PDF
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
PDF
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
PDF
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PDF
Outpost24 webinar Why API security matters and how to get it right.pdf
byOutpost24
 
PDF
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
PPTX
What Is an API? | API Security Explained | API Security Best Practices | Simp...
bySimplilearn
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PDF
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
byapidays
 
PDF
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
PDF
Better API Security With A SecDevOps Approach
byNordic APIs
 
PDF
Better API Security with Automation
by42Crunch
 
PDF
Enhancing your Security APIs
byApigee | Google Cloud
 
PDF
apidays New York 2023 - A decade of API breaches, courtesy of application fla...
byapidays
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PDF
SecDevOps for API Security
by42Crunch
 
PDF
Secure your api - from basics to beyond
byAlexandre Faria
 
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
OWASP API Security Top 10 - API World
by42Crunch
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
Outpost24 webinar Why API security matters and how to get it right.pdf
byOutpost24
 
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
What Is an API? | API Security Explained | API Security Best Practices | Simp...
bySimplilearn
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
byapidays
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
Better API Security With A SecDevOps Approach
byNordic APIs
 
Better API Security with Automation
by42Crunch
 
Enhancing your Security APIs
byApigee | Google Cloud
 
apidays New York 2023 - A decade of API breaches, courtesy of application fla...
byapidays
 
API SECURITY
byTubagus Rizky Dharmawan
 
SecDevOps for API Security
by42Crunch
 
Secure your api - from basics to beyond
byAlexandre Faria
 

More from DevOps Indonesia

PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PDF
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
byDevOps Indonesia
 
PDF
Securing an NGINX deployment for K8s
byDevOps Indonesia
 
PDF
DevOps Indonesia Meetup #52 - announcement
byDevOps Indonesia
 
PDF
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
byDevOps Indonesia
 
PDF
Securing DevOps Lifecycle
byDevOps Indonesia
 
PDF
DevOps Meetup 50 : Securing your Application - Announcement
byDevOps Indonesia
 
PDF
Secure your Application with Google cloud armor
byDevOps Indonesia
 
PDF
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
byDevOps Indonesia
 
PDF
Operate Containers with AWS Copilot
byDevOps Indonesia
 
PDF
Continuously Deploy Your CDK Application by Petra novandi barus
byDevOps Indonesia
 
PDF
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
byDevOps Indonesia
 
PDF
Securing Your Database Dynamic DB Credentials
byDevOps Indonesia
 
PDF
DevOps Indonesia (online) meetup 45 - Announcement
byDevOps Indonesia
 
PDF
The Death and Rise of Enterprise DevOps
byDevOps Indonesia
 
PDF
API Security Webinar - Credential Stuffing
byDevOps Indonesia
 
PDF
API Security Webinar - Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
PDF
API Security Webinar : Credential Stuffing
byDevOps Indonesia
 
PDF
API Security Webinar : Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
PDF
Feature Scoring in Green Field Application Development and DevOps
byDevOps Indonesia
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
byDevOps Indonesia
 
Securing an NGINX deployment for K8s
byDevOps Indonesia
 
DevOps Indonesia Meetup #52 - announcement
byDevOps Indonesia
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
byDevOps Indonesia
 
Securing DevOps Lifecycle
byDevOps Indonesia
 
DevOps Meetup 50 : Securing your Application - Announcement
byDevOps Indonesia
 
Secure your Application with Google cloud armor
byDevOps Indonesia
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
byDevOps Indonesia
 
Operate Containers with AWS Copilot
byDevOps Indonesia
 
Continuously Deploy Your CDK Application by Petra novandi barus
byDevOps Indonesia
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
byDevOps Indonesia
 
Securing Your Database Dynamic DB Credentials
byDevOps Indonesia
 
DevOps Indonesia (online) meetup 45 - Announcement
byDevOps Indonesia
 
The Death and Rise of Enterprise DevOps
byDevOps Indonesia
 
API Security Webinar - Credential Stuffing
byDevOps Indonesia
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
API Security Webinar : Credential Stuffing
byDevOps Indonesia
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
Feature Scoring in Green Field Application Development and DevOps
byDevOps Indonesia
 

Recently uploaded

PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Designing a Blog Using Wordpress
bymarkzubi50
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
How to build hackthon projects from ZERO!
byishantyadav1111
 

API Security Webinar - Hendra Tanto

  • 1.
    API SECURITY CHALLENGE F5LABS Hendra Tanto h.tanto@f5.com
  • 4.
    ● A1: BrokenObject Level Authorization ● A2: Broken Authentication ● A3: Excessive Data Exposure ● A4: Lack of Resources & Rate Limiting ● A5: Broken Function Level Authorization ● A6: Mass Assignment ● A7: Security Misconfiguration ● A8: Injection ● A9: Improper Assets Management ● A10: Insufficient Logging & Monitoring API Security Top 10 Weak Authentication & Authorization Information Leakage Malicious Request Lack of Visibility
  • 5.
    | ©2019 F5NETWORKS 5 How to Secure API according to Gartner +? ms +? ms +? ms +? ms +? ms +? ms +? ms +500 ms
  • 9.
  • 10.
    | ©2019 F5 10 APIManagement – Traffic Management
  • 12.
    | ©2019 F5NETWORKS 12 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /p3/fleet-manager/_rpc?rpc=addDriverV2 HTTP/1.1 Host: partners.uber.com {“nationalPhoneNumber”:”xxxxxxxxxx”,”countryCode”:”1"} { “status”:”failure”, ”data”: { “code”:1009, ”message”:”Driver ‘47d063f8–0xx5e-xxxxx-b01a-xxxx’ not found” } } #1 #2 Thank you for the driver's Uid!
  • 13.
    | ©2019 F5NETWORKS 13 HOW I COULD HAVE HACKED YOUR UBER ACCOUNT April 2019 discovered by Taking control of accounts, all accounts ... Uber POST /marketplace/_rpc?rpc=getConsentScreenDetails HTTP/1.1 … {“language”:”en”,”userUuid”:”xxxx–776–4xxxx1bd-861a- 837xxx604ce”} { “status”:”success”, ”data”:{ … ”getUser”:{ “uuid”:”cxxxxxc5f7371e”, ”firstname”:”Maxxxx”, ”lastname”:”XXXX”, … ”email”:”xxxx@gmail.com”, ”emailToken”:”xxxxxxxx”, … ”token”:”b8038ec4143bb4xxxxxx72d”, … ”lastSelectedPaymentProfileUuid”:”xxxxxx”, … ”driverInfo”:{ … }, ”partnerInfo”:{ “address”:”Nxxxxxxx”, ”dateOfBirth”:xxxxxx, ”… } } #3 #4 The driver's entire profile + Token
  • 21.
    | ©2019 F5 21 BillingService Edge API Gateway User Management Service Top Up Service Payment Service Point Service Other API /api/other/topup /api/other/user Payment API /api/payment/inquiry /api/payment/payment Billing API /api/billing/payment /api/billing/settlement 500 / Second 100 / Second 5000 / Second Partner 1 Partner 2 NGINX API Gateway Functions
  • 24.
  • 25.
    Authorization Server Client Token Resource Server Identity 1 2 3 4 Validation Trust ResourceOwner 5 API Authorization OAUTH 2.0 “The idea of OAuth is that by requiring users to pass their confidential credentials over the network less frequently, less bad things can happen.”