SlideShare a Scribd company logo

apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart

apidays
apidays

apidays LIVE LONDON - The Road to Embedded Finance, Banking and Insurance with APIs API Abuse - Comprehension and Prevention David Stewart, CEO at CriticalBlue

1 of 22
Download to read offline
APIDays London 2020 www.approov.io
Because they can... API Abuse - Comprehension & Prevention
API Abuse - Comprehension & Prevention Nordicapis: 5 Modern API Data Breaches https://www.theverge.com/2020/10/22/21529477/mcdonalds-mcbroken- bot-ice-cream-machines-app-engineering At US Fintechs, every $1 in fraud costs $3 in profit Source: LexisNexis® Risk Solutions
An app limits the range/speed an API can manipulate user data. However, a bot can rapidly manipulate and exfiltrate all your valuable data. API Abuse - Comprehension & Prevention In 2018 the average cost of a data breach is $3.86M, up 6.4% from 2017. (Ponemon)
API Flaw Exploitation API Abuse - Comprehension & Prevention Remote Client Impersonation
“Having completed the integration and test in less than 30 days, we deployed the Approov protection and instantly saw the costs due to the fraudsters drop by 90%.” — Emre Kenci, CTO, Papara. https://approov.io/customer/papara
“When an app is capable of being decompiled, it provides the adversary access to sensitive information inside the source code, such as API keys; API secrets; URLs that the app communicates with, which would allow an adversary to then target the APIs of the backend servers…” https://www.fintechsymposium.com/in-plain-sight-the-insecurities-of-mobile-financial-apps.html
New Way: Require apps to prove that they are your live, authentic apps before authorizing API calls. New Result: A good solution rejects all bots and automations while not falsely rejecting any valid app, reducing the costs of fraud in your business. Building and maintaining your own effective solution is very expensive and very time-consuming. Fraud due to automated mobile traffic is growing fast in the fintech sector and authentication of the app, not just an API key, is needed to block it.
If there is even a small pinhole in the platform security, the fraudsters will find it and exploit it. One example is the use of Cloner Apps by end users to have multiple instances of the same app running on a single mobile device. The use of Cloner Apps opens up some pretty serious security holes, and they should be banned in most cases. https://blog.approov.io/cloner-apps-playing-in-a-shared-sandbox
New Way: Add run time environmental and app integrity checks to platform security. New Result: Platform checks validate an app at installation time. Fraudsters continually push new ways to breach platform security, so procedures must be updated frequently in order to keep your fraud costs low. Frequent run time checks are how to block app tampering and block masked fraudulent transactions which are not caught at install time.
“The truth is, there are no known hacks of TLS 1. Rather, these hackers were successful not due to faulty TLS, but because of a lack of software-quality processes.” “...the main criticism facing TLS is that it can be difficult to use safely in real-world environments.” “...these protocols can only be effective if they’re implemented properly, using proven software-quality processes.” https://www.electronicdesign.com/technologies/embedded-revolution/article/21807252/11-myths-about-tls
New Way: Enhance TLS security to lock down communication between app and service. New Result: Done right, enhanced TLS security is effective at protecting API calls, ensuring your fraud costs drop dramatically since fraudsters can’t get in the middle of your traffic and continue their attacks. Enhancing TLS security blocks fraudsters from getting between your app and your service, preventing both the design and execution of fraudulent attacks.
“These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft” “Criminals are not picky — anything that can be accessed can be used in some way” https://www.helpnetsecurity.com/2020/10/23/63-billion-credential-stuffing-attacks-hit-retail-hospitality-travel-industries/
New Way: Bind a specific user authentication with the specific app the user is using, and expire these bound authentications frequently. New Result: Fraud relying on stolen user authentication credentials will only work with short-lived instance-specific app authentication. Assume user and app authentication each reduce fraud by 5x. Binding them together reduces fraud by 25x, instead of just 10x. Combining app and user authentication chokes the scope and velocity of fraudulent transactions.
“We experienced an attack against one of our API endpoints which caused one of our key features to go Out of Service. As a result we spent many man-days putting in place some in-house security but we knew this was only a band-aid and we would quickly need to find something better.” — Ben Levy, VP Engineering, Temi.
New Way: Over-the-air security updates. New Result: Allows continuous and instantaneous updates to security features. No need to release a new app. No friction for users. Instant cut in fraud costs. Over-the-air security updates allow continuous enhancement of security capabilities against emerging threats without the need to release a new app.
You can reduce the costs incurred by fraudsters using your APIs by > 90% within 30 days. However most fintechs/insurtech think that some combination of API keys, rate limiting, TLS/HTTPS encryption, certificate pinning and app hardening will keep the fraudsters at bay. In reality, all of these solutions are either easy to circumvent or don’t protect your API. Follow the 5 step guide to properly protect your API from fraudulent traffic.
● We have many years of expertise around deep introspection of software execution on embedded/mobile platforms. ● No-one had recognized that APIs servicing remote clients such as mobile apps needed a new/dedicated security paradigm. ● There was no specialist solution for protecting APIs connecting mobile apps to backend servers, making such APIs a significant weakness in enterprise platforms. ● We developed a solution based on existing expertise which could protect APIs service mobile apps without requiring storage of secrets in the apps. 2018 Mobile App Security Winner Mobile App Development 2017 API Security Winner
https://approov.io/customer
Ensuring only genuine instances of your mobile app can use your API. API Abuse - Comprehension & Prevention
API Abuse - Comprehension & Prevention Only the analytics engine notices.
Approov API Threat Protection www.approov.io @approov_io https://approov.io/resource/

Recommended

API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
Nordic APIs
 
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
CA API Management
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
 
Verizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul HobbsVerizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul Hobbs
Paul Hobbs
 
Jump-Start The MASVS
Jump-Start The MASVSJump-Start The MASVS
Jump-Start The MASVS
Prathan Phongthiproek
 

Recommended

API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
Nordic APIs
 
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
CA API Management
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
 
Verizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul HobbsVerizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul Hobbs
Paul Hobbs
 
Jump-Start The MASVS
Jump-Start The MASVSJump-Start The MASVS
Jump-Start The MASVS
Prathan Phongthiproek
 
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CloudIDSummit
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
Ashish Jain
 
Api economy and why effective security is important (1)
Api economy and why effective security is important (1)Api economy and why effective security is important (1)
Api economy and why effective security is important (1)
IndusfacePvtLtd
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
Imperva
 
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
Mobile Devices in the Enterprise: What IT needs to know
Mobile Devices in the Enterprise: What IT needs to knowMobile Devices in the Enterprise: What IT needs to know
Mobile Devices in the Enterprise: What IT needs to know
Ashish Jain
 
Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
MDM/MAM/MIM Workshop - CIS 2013
MDM/MAM/MIM Workshop - CIS 2013MDM/MAM/MIM Workshop - CIS 2013
MDM/MAM/MIM Workshop - CIS 2013Ashish Jain
 
The Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android AppThe Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android App
Appknox
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
How to Protect Mobile Banking Users from BankBot
How to Protect Mobile Banking Users from BankBotHow to Protect Mobile Banking Users from BankBot
How to Protect Mobile Banking Users from BankBot
Zimperium
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual World
Ping Identity
 
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer APIWearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
kirgy
 
The state of mobile app security
The state of mobile app security The state of mobile app security
The state of mobile app security
Mahima Anand Sharma
 
State of Application Security Vol. 4
State of Application Security Vol. 4State of Application Security Vol. 4
State of Application Security Vol. 4
IBM Security
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays
 
AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)
IndusfacePvtLtd
 

More Related Content

What's hot

CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CloudIDSummit
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
Ashish Jain
 
Api economy and why effective security is important (1)
Api economy and why effective security is important (1)Api economy and why effective security is important (1)
Api economy and why effective security is important (1)
IndusfacePvtLtd
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
Imperva
 
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
Mobile Devices in the Enterprise: What IT needs to know
Mobile Devices in the Enterprise: What IT needs to knowMobile Devices in the Enterprise: What IT needs to know
Mobile Devices in the Enterprise: What IT needs to know
Ashish Jain
 
Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
MDM/MAM/MIM Workshop - CIS 2013
MDM/MAM/MIM Workshop - CIS 2013MDM/MAM/MIM Workshop - CIS 2013
MDM/MAM/MIM Workshop - CIS 2013Ashish Jain
 
The Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android AppThe Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android App
Appknox
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
How to Protect Mobile Banking Users from BankBot
How to Protect Mobile Banking Users from BankBotHow to Protect Mobile Banking Users from BankBot
How to Protect Mobile Banking Users from BankBot
Zimperium
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual World
Ping Identity
 
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer APIWearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
kirgy
 
The state of mobile app security
The state of mobile app security The state of mobile app security
The state of mobile app security
Mahima Anand Sharma
 
State of Application Security Vol. 4
State of Application Security Vol. 4State of Application Security Vol. 4
State of Application Security Vol. 4
IBM Security
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy Enhancements
NowSecure
 

What's hot (20)

CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jainCIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps-jain
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
 
Api economy and why effective security is important (1)
Api economy and why effective security is important (1)Api economy and why effective security is important (1)
Api economy and why effective security is important (1)
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
Mobile Devices in the Enterprise: What IT needs to know
Mobile Devices in the Enterprise: What IT needs to knowMobile Devices in the Enterprise: What IT needs to know
Mobile Devices in the Enterprise: What IT needs to know
 
Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
 
MDM/MAM/MIM Workshop - CIS 2013
MDM/MAM/MIM Workshop - CIS 2013MDM/MAM/MIM Workshop - CIS 2013
MDM/MAM/MIM Workshop - CIS 2013
 
The Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android AppThe Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android App
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
 
How to Protect Mobile Banking Users from BankBot
How to Protect Mobile Banking Users from BankBotHow to Protect Mobile Banking Users from BankBot
How to Protect Mobile Banking Users from BankBot
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual World
 
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer APIWearable Internet Chicken: Exploring the Android Wear Datalayer API
Wearable Internet Chicken: Exploring the Android Wear Datalayer API
 
The state of mobile app security
The state of mobile app security The state of mobile app security
The state of mobile app security
 
State of Application Security Vol. 4
State of Application Security Vol. 4State of Application Security Vol. 4
State of Application Security Vol. 4
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy Enhancements
 

Similar to apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart

apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays
 
AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)
IndusfacePvtLtd
 
How to build a highly secure fin tech application
How to build a highly secure fin tech applicationHow to build a highly secure fin tech application
How to build a highly secure fin tech application
nimbleappgenie
 
Top Cybersecurity Challenges Faced By Fintech Applications! .pdf
Top Cybersecurity Challenges Faced By Fintech Applications! .pdfTop Cybersecurity Challenges Faced By Fintech Applications! .pdf
Top Cybersecurity Challenges Faced By Fintech Applications! .pdf
Techugo Inc
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdf
FuGenx Technologies
 
Top Application Security Threats
Top Application Security Threats Top Application Security Threats
Top Application Security Threats
ColumnInformationSecurity
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
Cognizant
 
Top Practices You Need To Develop Secure Mobile Apps.
Top Practices You Need To Develop Secure Mobile Apps.Top Practices You Need To Develop Secure Mobile Apps.
Top Practices You Need To Develop Secure Mobile Apps.
Techugo
 
7 Steps to Boosting Your App Security in 2022
7 Steps to Boosting Your App Security in 20227 Steps to Boosting Your App Security in 2022
7 Steps to Boosting Your App Security in 2022
Cerebrum Infotech
 
WeDo Technologies Blog 2014
WeDo Technologies Blog 2014WeDo Technologies Blog 2014
WeDo Technologies Blog 2014
WeDo Technologies
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015Francisco Anes
 
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docxMobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
madhuri871014
 
Zymr Fintech app development
Zymr Fintech app development Zymr Fintech app development
Zymr Fintech app development
Zymr Inc
 
LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014Ashlie Steele
 
AppCoins @ CoinAdvice (4 Mar 2019)
AppCoins @ CoinAdvice (4 Mar 2019)AppCoins @ CoinAdvice (4 Mar 2019)
AppCoins @ CoinAdvice (4 Mar 2019)
AppCoins
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Cenzic
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
Jignesh Solanki
 
How to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdfHow to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdf
venkatprasadvadla1
 
La Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las AplicacionesLa Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las Aplicaciones
Asociación de Marketing Bancario Argentino
 

Similar to apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart (20)

apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
 
AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)
 
How to build a highly secure fin tech application
How to build a highly secure fin tech applicationHow to build a highly secure fin tech application
How to build a highly secure fin tech application
 
Top Cybersecurity Challenges Faced By Fintech Applications! .pdf
Top Cybersecurity Challenges Faced By Fintech Applications! .pdfTop Cybersecurity Challenges Faced By Fintech Applications! .pdf
Top Cybersecurity Challenges Faced By Fintech Applications! .pdf
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdf
 
Top Application Security Threats
Top Application Security Threats Top Application Security Threats
Top Application Security Threats
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
 
Top Practices You Need To Develop Secure Mobile Apps.
Top Practices You Need To Develop Secure Mobile Apps.Top Practices You Need To Develop Secure Mobile Apps.
Top Practices You Need To Develop Secure Mobile Apps.
 
7 Steps to Boosting Your App Security in 2022
7 Steps to Boosting Your App Security in 20227 Steps to Boosting Your App Security in 2022
7 Steps to Boosting Your App Security in 2022
 
WeDo Technologies Blog 2014
WeDo Technologies Blog 2014WeDo Technologies Blog 2014
WeDo Technologies Blog 2014
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015
 
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docxMobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
 
Zymr Fintech app development
Zymr Fintech app development Zymr Fintech app development
Zymr Fintech app development
 
LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014
 
AppCoins @ CoinAdvice (4 Mar 2019)
AppCoins @ CoinAdvice (4 Mar 2019)AppCoins @ CoinAdvice (4 Mar 2019)
AppCoins @ CoinAdvice (4 Mar 2019)
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
How to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdfHow to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdf
 
La Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las AplicacionesLa Seguridad en la Economía de las Aplicaciones
La Seguridad en la Economía de las Aplicaciones
 

More from apidays

Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
apidays
 
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
apidays
 
Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...
apidays
 
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
apidays
 
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
apidays
 
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
apidays
 
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
apidays
 
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
apidays
 
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
apidays
 
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, OsaangoApidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
 
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
apidays
 
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, ZuploApidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
apidays
 
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
apidays
 
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss AdamsApidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
apidays
 
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
apidays
 
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
apidays
 
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
apidays
 
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, DanoneApidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
apidays
 
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
apidays
 
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
apidays
 

More from apidays (20)

Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
 
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
 
Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...
 
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
 
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
 
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
 
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
 
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
 
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
 
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, OsaangoApidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
 
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
 
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, ZuploApidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
 
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
 
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss AdamsApidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
 
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
 
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
 
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
 
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, DanoneApidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
 
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
 
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart

  • 2. Because they can... API Abuse - Comprehension & Prevention
  • 3. API Abuse - Comprehension & Prevention Nordicapis: 5 Modern API Data Breaches https://www.theverge.com/2020/10/22/21529477/mcdonalds-mcbroken- bot-ice-cream-machines-app-engineering At US Fintechs, every $1 in fraud costs $3 in profit Source: LexisNexis® Risk Solutions
  • 4. An app limits the range/speed an API can manipulate user data. However, a bot can rapidly manipulate and exfiltrate all your valuable data. API Abuse - Comprehension & Prevention In 2018 the average cost of a data breach is $3.86M, up 6.4% from 2017. (Ponemon)
  • 5. API Flaw Exploitation API Abuse - Comprehension & Prevention Remote Client Impersonation
  • 6. “Having completed the integration and test in less than 30 days, we deployed the Approov protection and instantly saw the costs due to the fraudsters drop by 90%.” — Emre Kenci, CTO, Papara. https://approov.io/customer/papara
  • 7. “When an app is capable of being decompiled, it provides the adversary access to sensitive information inside the source code, such as API keys; API secrets; URLs that the app communicates with, which would allow an adversary to then target the APIs of the backend servers…” https://www.fintechsymposium.com/in-plain-sight-the-insecurities-of-mobile-financial-apps.html
  • 8. New Way: Require apps to prove that they are your live, authentic apps before authorizing API calls. New Result: A good solution rejects all bots and automations while not falsely rejecting any valid app, reducing the costs of fraud in your business. Building and maintaining your own effective solution is very expensive and very time-consuming. Fraud due to automated mobile traffic is growing fast in the fintech sector and authentication of the app, not just an API key, is needed to block it.
  • 9. If there is even a small pinhole in the platform security, the fraudsters will find it and exploit it. One example is the use of Cloner Apps by end users to have multiple instances of the same app running on a single mobile device. The use of Cloner Apps opens up some pretty serious security holes, and they should be banned in most cases. https://blog.approov.io/cloner-apps-playing-in-a-shared-sandbox
  • 10. New Way: Add run time environmental and app integrity checks to platform security. New Result: Platform checks validate an app at installation time. Fraudsters continually push new ways to breach platform security, so procedures must be updated frequently in order to keep your fraud costs low. Frequent run time checks are how to block app tampering and block masked fraudulent transactions which are not caught at install time.
  • 11. “The truth is, there are no known hacks of TLS 1. Rather, these hackers were successful not due to faulty TLS, but because of a lack of software-quality processes.” “...the main criticism facing TLS is that it can be difficult to use safely in real-world environments.” “...these protocols can only be effective if they’re implemented properly, using proven software-quality processes.” https://www.electronicdesign.com/technologies/embedded-revolution/article/21807252/11-myths-about-tls
  • 12. New Way: Enhance TLS security to lock down communication between app and service. New Result: Done right, enhanced TLS security is effective at protecting API calls, ensuring your fraud costs drop dramatically since fraudsters can’t get in the middle of your traffic and continue their attacks. Enhancing TLS security blocks fraudsters from getting between your app and your service, preventing both the design and execution of fraudulent attacks.
  • 13. “These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft” “Criminals are not picky — anything that can be accessed can be used in some way” https://www.helpnetsecurity.com/2020/10/23/63-billion-credential-stuffing-attacks-hit-retail-hospitality-travel-industries/
  • 14. New Way: Bind a specific user authentication with the specific app the user is using, and expire these bound authentications frequently. New Result: Fraud relying on stolen user authentication credentials will only work with short-lived instance-specific app authentication. Assume user and app authentication each reduce fraud by 5x. Binding them together reduces fraud by 25x, instead of just 10x. Combining app and user authentication chokes the scope and velocity of fraudulent transactions.
  • 15. “We experienced an attack against one of our API endpoints which caused one of our key features to go Out of Service. As a result we spent many man-days putting in place some in-house security but we knew this was only a band-aid and we would quickly need to find something better.” — Ben Levy, VP Engineering, Temi.
  • 16. New Way: Over-the-air security updates. New Result: Allows continuous and instantaneous updates to security features. No need to release a new app. No friction for users. Instant cut in fraud costs. Over-the-air security updates allow continuous enhancement of security capabilities against emerging threats without the need to release a new app.
  • 17. You can reduce the costs incurred by fraudsters using your APIs by > 90% within 30 days. However most fintechs/insurtech think that some combination of API keys, rate limiting, TLS/HTTPS encryption, certificate pinning and app hardening will keep the fraudsters at bay. In reality, all of these solutions are either easy to circumvent or don’t protect your API. Follow the 5 step guide to properly protect your API from fraudulent traffic.
  • 18. ● We have many years of expertise around deep introspection of software execution on embedded/mobile platforms. ● No-one had recognized that APIs servicing remote clients such as mobile apps needed a new/dedicated security paradigm. ● There was no specialist solution for protecting APIs connecting mobile apps to backend servers, making such APIs a significant weakness in enterprise platforms. ● We developed a solution based on existing expertise which could protect APIs service mobile apps without requiring storage of secrets in the apps. 2018 Mobile App Security Winner Mobile App Development 2017 API Security Winner
  • 20. Ensuring only genuine instances of your mobile app can use your API. API Abuse - Comprehension & Prevention
  • 21. API Abuse - Comprehension & Prevention Only the analytics engine notices.
  • 22. Approov API Threat Protection www.approov.io @approov_io https://approov.io/resource/