apidays LIVE LONDON - The Road to Embedded Finance, Banking and Insurance with APIs
Protecting financial-grade APIs - Getting the right API Security stack!
Isabelle Mauny, CTO at 42Crunch
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh... | apidays
apidays LIVE JAKARTA - Connecting the Digital Stack
Enterprise API management in agile integration
Raghuram Banda, Solution Architect at Entiros Integrations AB
apidays LIVE JAKARTA - The modern digital with API Economy Ecosystems by Hari... | apidays
apidays LIVE JAKARTA - Connecting the Digital Stack
The modern digital with API Economy Ecosystems
Harin Honestyandi Parandika, Microservice and Middleware Designer, XL Axiata
apidays LIVE LONDON - Architecting Scalable Software Platforms for IoT Applic... | apidays
apidays LIVE LONDON - The Road to Embedded Finance, Banking and Insurance with APIs
Architecting Scalable Software Platforms for IoT Applications
Pooja Subramanian, Office Technology Principal at ThoughtWorks Technologies & Archanaa Ravikumar, Lead Engineer at BCG Digital Ventures
apidays LIVE Paris - Potential of API integrations, common traps and advices ... | apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Potential of API integrations, common traps and advices
Mathieu Rasse, CEO at Meta API
Extend your legacy SOA/ESB infrastructure to Mobile & IoT
This webinar recording provides a use-case driven discussion around appropriate use of existing middleware infrastructure as well as its shortcomings. It dives deep into how APIs can not only complement an ESB or SOA infrastructure but also fill existing gaps.
Watch this webinar recording to learn about:
- Strengths and weaknesses of your existing ESB/SOA infrastructure
- Architecture strategy: extend and add value to legacy middleware with APIs
- Integration / API use cases in Retail, Manufacturing and Telecom
- The API360 approach to digital strategy
apidays LIVE Paris - The Business of APIs by Jed Ng | apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
The Business of APIs: Lessons from building the world's largest API Marketplace
Jed Ng, Tech & API Investor
apidays LIVE JAKARTA - 10 commandments for scalable microservices by Archanaa... | apidays
apidays LIVE JAKARTA - Connecting the Digital Stack
10 commandments for scalable microservices
Archanaa Ravikumar, Lead Engineer at BCG Digital Ventures & Pooja Subramanian, Office Tech Principal, Lead Consultant at ThoughtWorks Technologies
apidays LIVE JAKARTA - APIs as Products in payments, telecommunications and D... | apidays
apidays LIVE JAKARTA - Connecting the Digital Stack
APIs as Products in payments, telecommunications and Data-as-a-Service
Zuber Khatib, Managing Partner, RAACOM
My presentation from Nordic APIs 2014 in Stockholm, Sweden.
What can the architecture of an API platform look like? How can you break things down to make this challenge easier?
What is developer experience? And how can it affect the success of your product? Our very own Keshav Vasudevan will take you through everything you need to know.
Developer Support Models: Calibrating Service Level to Commitment | Nordic APIs
Developer support models across the industry range from DIY to premium ‘hand-holding’. Program managers are constantly challenged to pick the right mix of support elements without driving up costs. When reviewing support models, calibrating the level of service to the level of developer commitment seems to be the key to making support an effective element of overall program strategy. This session will review industry benchmark research on developer support: how leading programs are using models ranging from DIY to premium in service of building a targeted ecosystem and how they are balancing this with expectations of developer commitment.
apidays LIVE Paris - The State of SaaS Integration by Gertjan De Wilde | apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
The State of SaaS Integration
Gertjan De Wilde, CEO and Founder of Apideck
Centralization and automation of containerized service (microservices) management with the ability to control policies consistently across several service meshes increases visibility and control over all API traffic while enabling enterprises to independently and rapidly deliver on innovation without the bottlenecks. Check out our demo to see how Axway and AMPLIFY Central provide packaged maturity for service mesh management along with centralized policy management of APIs and Microservices that run in the cloud and/or on-premises infrastructure.
apidays LIVE Paris - Driving innovation through External APIs without putting... | apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Driving innovation through External APIs without putting your business at risk
Guillaume Montard, CEO of Bearer.sh
Contract {Collaboration} Driven Development - APIdays Interface 2020 | Alianna Inzana
In the API space, much of the conversation around Contract Driven Development has centered on the question “Did we build the API right?”. By using the contract as the foundation for a common understanding of the API, we can answer not only that question, but the equally important, and more elusive, “Did we build the right API?”.
In /Contract/{Collaboration}/DrivenDevelopment, we will discuss how API Specifications and consumer-driven contracts can form the basis for cross-team collaboration in delivering quality services.
apidays LIVE Jakarta - E5 ways to make your integration more resilient by Je... | apidays
apidays LIVE Jakarta 2021 - Accelerating Digitisation
February 24, 2021
5 ways to make your integration more resilient
Jenks Guo, Developer Evangelist at Xero
Cloud Foundry Summit 2014: Introducing Cloud Foundry Integration for Eclipse | dmbtr3
From the June 2014 Cloud Foundry Summit:
Title: BUSINESS TRACK: INTRODUCING CLOUD FOUNDRY INTEGRATION FOR ECLIPSE
Speaker: Adam Gunther
Abstract: Are you a developer who uses Eclipse? Do you want to get involved in a project with the goal to provide a first-class Cloud Foundry development environment for Eclipse? If so, then come learn about the Cloud Foundry Integration for Eclipse project. The Cloud Foundry eclipse plug-in allows developers to perform such tasks as deploy applications to Cloud Foundry and view and manage deployed applications and services. Come learn more about the current tools and community, what is planned for the future, and ways you can contribute.
WSO2Con EU 2015: Towards a Winning API Strategy | WSO2
WSO2Con EU 2015: Towards a Winning API Strategy
Today, every enterprise agrees that there is a pressing need for business APIs. However, it’s the right API strategy that will make business APIs a winning one.
This session will explain how you could formulate a winning API strategy, and will particularly focus on the following areas:
What are the key ingredients in defining a winning API strategy?
How should the strategy be converted into a set of action items that will create a winning combination?
How can WSO2’s API Management capabilities help?
It will also touch on some real customer scenarios where WSO2's platform has been a key part in implementing a winning API strategy for these enterprises.
Presenter:
Sumedha Rubasinghe
Director – API Architecture,
WSO2
Lean Method for Building Good APIs for Business – APIOps Cycles | Nordic APIs
APIs are a piece of technology, but they do have a business purpose and a user, or rather a developer experience, which makes them either good or horrible to use and develop. Without great business-oriented APIs, there can be no API economy. In general, lean architecture methods exist but are not used enough. They are useful for DevOps and Agile development, but APIs need special attention. There is a need for a “double loop” of DevOps with APIs, that’s one thing. The more important thing is to use methods which help you to treat your API as a product while covering all important business model and architecture areas. Discussions and collaboration are the key to any successful architecture. Still, many of us design our APIs and software in endless meetings or alone, using no methods at all or methods and language known only by IT professionals. The world could do with a lot of better API designs which translate into better business. These were all reasons to develop the Creative Commons-licensed, open and lean APIOps Cycles method (www.apiopscycles.com). This talk tells the basics of the method, plus some examples of how companies have used it.
apidays LIVE JAKARTA - Productising APIs: A journey in how we built API produ... | apidays
apidays LIVE JAKARTA - Connecting the Digital Stack
Productising APIs: A journey in how we built API products in SEA
Mike Dickinson, Chief Product Officer at Brankas
Overview of API Management Architectures | Nordic APIs
APIs are fueling innovation and digital transformation initiatives. With the explosive growth in APIs, developers and architects are employing different kinds of architectures to process API calls. Attend this session to learn about commonly deployed API Management architectures to process API traffic.
Type 1: Centralized data plane and control plane.
Type 2: “Hybrid” architectural approach that involves some processing at the edge by microgateways to process API calls between microservices.
Type 3: Decoupled data plane and control plane resulting in no need for microgateways or databases to process API calls.
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente... | CA API Management
APIs are everywhere: powering mobile apps, enabling cloud computing, connecting people through social networks and helping to create the Internet of Things. Organizations of every kind are evaluating how they can leverage APIs and replicate the success of companies like Amazon, Google and Salesforce.
Join this webinar to learn about the #API360 model for enterprise API success. This model covers the full spectrum of considerations for companies looking to succeed with APIs for the long haul. You will also hear more about the upcoming #API360 Summit that will take place in Dallas on February 26.
You Will Learn
• How leading Web companies have used APIs to boost revenues and market share
• How to create an enterprise API strategy that will yield real business results
• How to institutionalize best practices that will allow your APIs to evolve and grow
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir | apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Succeeding with API Programs
Kiran Nadgir, Head of APIs and UX Platforms at Silicon Valley Bank
apidays LIVE Paris - Protecting financial grade API: adopting the right secur... | apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Protecting financial grade API: adopting the right security stack
Isabelle Mauny, Co-founder & Field CTO at 42Crunch
Protecting Microservices APIs with 42Crunch API Firewall | 42Crunch
In loosely coupled architectures, we must put in place application level security, should it be for client traffic (North-South) or intra-microservices traffic (East-West).
In this webinar, we show you how the 42Crunch API firewall can be used to put API threat protection in place automatically, as early as design time.
We’ll use a mix of slides and demos to present:
(1) The various elements of security to consider in order to cover the full API security scope (infrastructure vs application level security)
(2) Which threat protections must be put in place in a microservices architecture, and where
(3) How to leverage OpenAPI (aka Swagger) to configure threat protection from design time
(4) How to automate threat protection deployment
WATCH WEBINAR: https://youtu.be/LLVOouA4pbs
Over the past 6 months, we have discovered many similarities across APIs from companies from very different industries. "This is an eye opener" is the most recurring comment from our prospects. We thought it would be worth sharing our findings in this webinar.
Through a mix of slides and demos, we will describe the top 5 issues our security audit reports, what they are and why they matter, including:
- Potential attacks linked to each issue
- How they can be remediated
- Example request/response and reports
WEBINAR: Positive Security for APIs: What it is and why you need it! | 42Crunch
WATCH WEBINAR: https://youtu.be/SywcVCvgXP0
Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or output validation. Here are a few illustrative real-life examples of this:
• Drupal suffered a major issue in February 2019: a remote code execution flaw due to a parameter not properly validated.
• Tchap, the brand new messaging app of the French government was hacked in an hour due to the lack of validation of the registration email.
• CVE-2017-5638, better known as the “Equifax attack”. This vulnerability in Apache Struts could be exploited by crafting a custom Content-Type header and embedding OGNL expressions in the header value.
• Cisco got fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product that included API vulnerabilities to the US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication.
To protect APIs from such issues, an API-native, positive security approach is required: we create a whitelist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, minimum or maximum length, permitted characters, or valid value ranges. But how do we fill the gap between security and development mentioned above?
What you’ll learn:
• Why WAFs fail in protecting APIs
• How a whitelist protects against A3, A6 and A8 of the OWASP API Security Top 10 – (with real-life examples)
• How to build a proper whitelist for API security
In most companies, security is driven by compliance regulations. The policies are designed to cover the security vulnerabilities each company is interested in complying with. These vulnerabilities can be measured only at the end, after the software has been developed, which is far too late. The result of this approach is that a high number of insecure applications are still produced, and injection is still king. Is there another way to create more secure software from the start? This presentation will look at security vulnerabilities from a different angle. We will decompose the vulnerabilities into the security controls that prevent them and that developers are familiar with. We will flip security from focusing on vulnerabilities (which can be measured only at the end, after the software has been developed) to focusing on security controls, which can be applied from the beginning of the software development cycle. Recommended to all builders and security professionals interested in building more secure software from the start.
Better API Security With A SecDevOps Approach | Nordic APIs
In an ever more agile world where APIs are designed and implemented at an incredible rate, securing APIs is often a last-moment thought and security teams are seen as an obstacle. Security vulnerabilities are bugs, and like any other bug must be found as early as possible. In this session, Isabelle explains how developers can take advantage of an automated approach to discover and fix security issues as early as possible, and how security teams can put the right tools in place to ensure that their security requirements are met as part of the API lifecycle. We will talk about static/dynamic code analysis, OpenAPI and dynamic security policies.
API security needs to be thought of with agility and collaboration in mind. In this presentation, we explain why API security must be automated: the explosion of endpoints, continuous change, human error and the early involvement of security teams in the API development process.
OWASP Portland - OWASP Top 10 For JavaScript Developers | Lewis Ardern
With the release of the OWASP Top 10 2017 we saw new issues rise as contenders for the most common issues in the web landscape. Much of the OWASP documentation shows issues and remediation advice/code relating to Java, C++, and C#; however, not much relates to JavaScript. JavaScript has changed drastically over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10, explaining JavaScript client-side and server-side vulnerabilities.
The Dev, Sec and Ops of API Security - API World | 42Crunch
The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams' lives very complicated. And to make matters worse, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect.
Downside: The more APIs, the higher the security risk!
API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities in production or post-release is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to consider at the requirements phase, applied during development by attaching pre-defined policies to APIs, and enforced by ensuring that security tests are performed as part of the continuous delivery of the APIs.
Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language.
In this presentation you will learn:
Security risks at each stage of the API lifecycle, and how to mitigate them.
How to implement an end-to-end automated API security model that development, security and operations teams will love.
How to think positive! Why a positive security model works.
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn... | apidays
Keynote 1: APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines, ShortSea
Vesa Vähämaa, Head of Group IT, Software at Finnlines Plc
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security... | apidays
From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush, Principal Solutions Engineer, API Security at Akamai
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - What is next now that your organization created a (si... | apidays
What is next now that your organization created a (significant) set of APIs?
Rogier van Boxtel, Director, Pre Sales Consulting - Axway
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo... | apidays
There’s no AI without API, but what does this mean for Security?
Timo Rüppell, VP of Product - FireTail.io
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...apidays
Sustainable IT and API Performance - How to Bring Them Together
Merja Kajava, Founder - Aavista Oy
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...apidays
Security Vulnerabilities in your APIs
Lukáš Ďurovský, Staff Software Engineer at Thermo Fisher Scientific
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...apidays
Data, API’s and Banks, with AI on top
Sergio Giraldo, IT Lead - ING
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...apidays
Data Ecosystems Driving the Green Transition
Olli Kilpeläinen, VP - Data Platform & Ecosystem at Betolar
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...apidays
Bridging the Gap Between Backend and Frontend API Testing with K6
Ayush Goyal, Senior Software Engineer - Grafana Labs
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaangoapidays
API Compliance by Design
Marjukka Niinioja, APItalista & Founding Partner - Osaango
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...apidays
ABLOY goes API economy – Transformation story
Hanna Sillanpää Head of Digital Solutions PU - Abloy
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuploapidays
The subtle art of API rate limiting
Josh Twist, Co-founder & CEO at Zuplo
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...apidays
ESTful API Patterns and Practices
Mike Amundsen, Author of "Design and Build Great APIs", API Strategist & Advisor at amundsen.com, Inc.
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adamsapidays
Putting AI into API Security
Corey Ball, Author and Sr. Manager Pentest at Moss Adams
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Prototype-first - A modern API development workflow b...apidays
Prototype-first - A modern API development workflow
Tom Akehurst, CTO and Co-Founder at WireMock
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...apidays
Post-Quantum API Security: Preparing your APIs for Q-day
Francois Lascelles, Distinguished Engineer at Broadcom and CTO at Layer7
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...apidays
Increase your productivity with no-code GraphQL mocking
Hugo Guerrero, Chief Software Architect, APIs & Integration Developer Advocate at Red Hat
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danoneapidays
Driving API & EDA Success: Comparing CoE & C4E Models for Organizational Enablement
Marcelo Caponi, Global Product Manager - API & Integration at Danone
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...apidays
Build a terrible API for people you hate
Jim Bennett, Principal Developer Advocate at liblab
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...apidays
API Secret Tokens Exposed: Insights from Analyzing 1 Million Domains
Tristan Kalos, Co-founder and CEO at Escape
Antoine Carossio, Co-Founder & CTO at Escape
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
9. UBER (SEPT 2019)
The Attack
✓ Account takeover for any Uber account from a phone number
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ First data leakage: driver internal UUID exposed through an error message!
✓ Hacker can access any driver, user or partner profile if they know the UUID
✓ Second data leakage via the getConsentScreenDetails operation: full account information is returned, when only a few fields are used by the UI. This includes the mobile token used to log in to the account
https://appsecure.security/blog/how-i-could-have-hacked-your-uber-account
10. API1 (BOLA) MITIGATION
Fine-grained authorisation in every controller layer
Do not use IDs from the API request; use the ID from the session instead (implement session management in the controller layer)
Additionally:
✓ Avoid guessable IDs (123, 124, 125…)
✓ Avoid exposing internal IDs via the API
✓ Alternative: GET https://myapis.com/resources/me
Prevent data scraping by putting rate limiting in place (by token, not by IP!)
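The controller-layer check this slide asks for, as an added example that is not 42Crunch code: the caller comes from the session, every object access verifies ownership, clients only ever see opaque random handles rather than internal UUIDs, and `get_me` is the `/resources/me` alternative. `ProfileStore`, `Session` and the profiles are constructed for the example.

```python
import secrets
import uuid
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


@dataclass
class Session:
    user_id: str   # set at login by the session layer, never read from the request


@dataclass
class Profile:
    internal_id: str   # internal UUID: stays inside the service (cf. the Uber error message)
    public_id: str     # opaque random handle given to clients; not guessable, not the internal ID
    owner_id: str
    mobile: str        # sensitive field that only the owner may see


class ProfileStore:
    """Constructed in-memory store standing in for the real persistence layer."""

    def __init__(self):
        self._by_public = {}

    def create(self, owner_id, mobile):
        profile = Profile(internal_id=str(uuid.uuid4()),
                          public_id=secrets.token_urlsafe(16),
                          owner_id=owner_id, mobile=mobile)
        self._by_public[profile.public_id] = profile
        return profile

    def lookup_unchecked(self, public_id):
        # The BOLA-prone pattern: the ID in the request is the only input, so
        # whoever knows (or guesses) an ID can read any profile.
        return self._by_public[public_id]

    def get_for_caller(self, session, public_id):
        # Controller-layer authorisation on every access: the subject is taken
        # from the session, then ownership of the requested object is checked.
        profile = self._by_public.get(public_id)
        if profile is None or profile.owner_id != session.user_id:
            # Same outcome for "does not exist" and "not yours", so responses
            # never confirm which IDs are valid.
            raise Forbidden("profile not found")
        return profile

    def get_me(self, session):
        # The "GET /resources/me" alternative: no object ID in the request at all.
        for profile in self._by_public.values():
            if profile.owner_id == session.user_id:
                return profile
        raise Forbidden("profile not found")


def can_read(store, session, public_id):
    """Boolean form of get_for_caller, handy for tests and policy checks."""
    try:
        store.get_for_caller(session, public_id)
        return True
    except Forbidden:
        return False
```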
11. API3 MITIGATION
Take control of your JSON schemas!
✓ Describe the data thoroughly and enforce the format at runtime (outbound)
✓ Review and approve data returned by APIs
Never expose tokens/sensitive/exploitable data in API responses
Never rely on client apps to filter data: instead, create various APIs depending on consumer, with just the data they need
Beware of GraphQL queries!
✓ Validate fields accessed via query
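An outbound response contract enforced at runtime, as an added example that is not 42Crunch code: one allow-list schema per consumer, a review helper that reports what the backend returns beyond the schema, and a never-expose list that fails closed even if a schema is edited carelessly. The account record, schema names and field names are constructed for the example.

```python
# Constructed sample of what the account service holds internally. The last
# two fields are the kind of data the Uber getConsentScreenDetails response leaked.
INTERNAL_ACCOUNT = {
    "id": "acc_7f3a",
    "name": "A. Driver",
    "email": "driver@example.test",
    "rating": 4.9,
    "mobile_token": "tok_constructed_secret",
    "internal_uuid": "00000000-0000-4000-8000-000000000001",
}

# One outbound schema per consumer, listing every field that may leave the
# service and its expected type. Whatever is not listed is dropped.
RESPONSE_SCHEMAS = {
    "consent_screen_ui": {"id": str, "name": str, "rating": float},
    "partner_lookup": {"id": str, "name": str},
}

# Fields that must never appear in any response, regardless of schema.
NEVER_EXPOSE = {"mobile_token", "internal_uuid", "password", "session_token"}


class SchemaViolation(Exception):
    pass


def leaked_fields(consumer):
    """Review step: forbidden fields that a schema would expose (empty is good)."""
    return sorted(NEVER_EXPOSE & set(RESPONSE_SCHEMAS[consumer]))


def unreviewed_fields(consumer, payload):
    """Review helper: what the backend returns that the schema does not cover."""
    return sorted(set(payload) - set(RESPONSE_SCHEMAS[consumer]))


def enforce_response(consumer, payload):
    """Runtime step: build the outbound object strictly from the schema."""
    leaked = leaked_fields(consumer)
    if leaked:
        raise SchemaViolation(f"{consumer}: schema exposes {leaked}")
    out = {}
    for name, typ in RESPONSE_SCHEMAS[consumer].items():
        if name not in payload:
            raise SchemaViolation(f"{consumer}: missing field {name}")
        if not isinstance(payload[name], typ):
            raise SchemaViolation(f"{consumer}: field {name} is not {typ.__name__}")
        out[name] = payload[name]
    return out
```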
13. FACEBOOK (FEB 2018)
The Attack
✓ Account takeover via password reset at https://www.facebook.com/login/identify?ctx=recover&lwv=110
✓ facebook.com has rate limiting, beta.facebook.com does not!
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ Rate limiting missing on beta APIs, which allows brute force guessing of the password reset code
✓ Misconfigured security on beta endpoints
https://appsecure.security/blog/we-figured-out-a-way-to-hack-any-of-facebook-s-2-billion-accounts-and-they-paid-us-a-15-000-bounty-for-it
14. API2 (BROKEN AUTH) MITIGATION
Choose the right authentication depending on data/operation sensitivity!
Enforce 2FA, captcha
Use secure storage for credentials
Use short-lived access tokens and limit their scope
Use MutualTLS when applicable (known/controlled partners)
Use OAuth properly (most likely authorization_code with PKCE)
✓ Financial API Grade profiles as reference (https://openid.net/wg/fapi/)
Make sure you validate JWTs according to Best Practices (RFC 8725) - https://www.rfc-editor.org/rfc/rfc8725.txt
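What "validate JWTs according to RFC 8725" looks like in code, as an added example that is not 42Crunch code: the verifier pins the algorithm instead of trusting the header, checks the signature in constant time, then checks issuer, audience, expiry and not-before. HS256 with a shared key is used only so the example runs stand-alone; `mint_hs256` is a test-token issuer and the key, issuer and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

CLOCK_SKEW = 30  # seconds of tolerance on exp/nbf


class InvalidToken(Exception):
    pass


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims, key):
    """Test-only issuer so the example is self-contained; production uses a library."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_jwt(token, key, issuer, audience, now=None):
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # RFC 8725 s3.1/3.2: the verifier decides which algorithm is acceptable.
    # The header's "alg" is only compared against that choice, never obeyed,
    # so "none" and algorithm-confusion tokens stop here.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # RFC 8725 s3.8/3.9: issuer and audience are validated explicitly.
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    # Short-lived tokens: exp is mandatory, nbf honoured when present.
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or not isinstance(nbf, (int, float)):
        raise InvalidToken("exp/nbf must be numeric")
    if now >= exp + CLOCK_SKEW:
        raise InvalidToken("expired")
    if now + CLOCK_SKEW < nbf:
        raise InvalidToken("not yet valid")
    return claims


def is_valid(token, key, issuer, audience, now=None):
    try:
        validate_jwt(token, key, issuer, audience, now)
        return True
    except (InvalidToken, ValueError):
        return False
```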
16. API4 (RATE LIMITING) MITIGATION
Protect all authentication endpoints from abuse (login, password reset,
OAuth endpoints)
✓ Smart rate limiting: by API key/access token/user identity/fingerprint
✓ Short timespan
✓ Counter example: Instagram, 200 attempts/min/IP for password reset
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes”
17. APACHE STRUTS : EQUIFAX AND MANY MORE (2017)
The Attack
✓ Remote command injection attack: the server executes commands written in the OGNL language when a Content-Type validation error is raised.
✓ Example:
Core Issue
✓ Unpatched Apache Struts library with a remote command injection vulnerability, widely exploited for months.
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
18. API 7 MITIGATION
Reject requests with unknown path/verbs
TLS is on by default
✓ TLS 1.2 minimum with strong cipher suites
✓ Test your API endpoints with SSLLabs.com
Change default credentials/ports
Automatically inject security headers
Keep systems and software at the latest level
Limit your external dependencies
Control those dependencies in-house (enterprise repository)
No Trust!! Continuously test for vulnerabilities and leaking secrets (OS, libraries, Docker images, Kubernetes deployment files, etc.)
20. API 8 MITIGATION
No Trust! (even for internal APIs and for East-West traffic)
Validate user input, including headers like Content-Type or Accept
Check the behaviour of your dev frameworks when a wrong Content-Type is used
✓ Many default to sending an exception back but experience varies
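An edge gate that applies the API7 and API8 slides together, as an added example that is not 42Crunch code: only known path+verb pairs pass, Content-Type and Accept are checked against an allow-list before any framework or body parser sees them (the Struts case was a header reaching the parser), and security headers are injected on every answer. The route table, produced media type and header set are constructed; a real deployment would put this in the gateway or a middleware.

```python
import re
from dataclasses import dataclass, field

# Constructed route table: (verb, path) -> media type the body must carry,
# or None when the route takes no body at all.
ROUTES = {
    ("GET", "/accounts/me"): None,
    ("POST", "/accounts"): "application/json",
    ("PUT", "/accounts/me"): "application/json",
}
PRODUCES = "application/json"

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

# The only header shape we are willing to interpret: type/subtype with
# optional ";parameters". Anything else is rejected without being parsed.
_MEDIA_TYPE = re.compile(r"^([a-z0-9!#$&^_.+*-]+/[a-z0-9!#$&^_.+*-]+)\s*(;.*)?$")


@dataclass
class Decision:
    allowed: bool
    status: int
    headers: dict = field(default_factory=dict)
    reason: str = ""


def media_type(value):
    """Lowercased media type without parameters, or None if malformed."""
    if value is None or len(value) > 256 or not value.isascii() or not value.isprintable():
        return None
    m = _MEDIA_TYPE.match(value.strip().lower())
    return m.group(1) if m else None


def accepts(accept_header):
    """True when the client can take what this API produces."""
    if accept_header is None:
        return True
    return any(media_type(p) in (PRODUCES, "application/*", "*/*")
               for p in accept_header.split(","))


def gate(verb, path, headers):
    h = {k.lower(): v for k, v in headers.items()}
    resp = dict(SECURITY_HEADERS)   # injected whatever the outcome
    if (verb, path) not in ROUTES:
        # Unknown path or unknown verb: same answer, no hint about what exists.
        return Decision(False, 404, resp, "unknown route")
    expected = ROUTES[(verb, path)]
    ct = h.get("content-type")
    if expected is None:
        if ct is not None or "content-length" in h:
            return Decision(False, 400, resp, "body not allowed on this route")
    elif media_type(ct) != expected:
        # Covers missing, mismatched and malformed Content-Type alike; the raw
        # value is never handed to a body parser.
        return Decision(False, 415, resp, "unsupported or malformed Content-Type")
    if not accepts(h.get("accept")):
        return Decision(False, 406, resp, "cannot produce requested type")
    return Decision(True, 200, resp)
```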
21. A10 : LOGS, LOGS, LOGS!
Log all API activity
Pushed to security platforms such as SIEMs for automated threat detection.
22. FINAL THOUGHTS!
Start worrying about API Security at design time
✓ A vulnerability discovered at production time costs up to 30x more to solve
Hack yourselves!
✓ For each functional test, create 10 negative tests
✓ Hammer your APIs with bad data, bad tokens, bad users
Automate Security
✓ Inject Security into DevOps practices and don’t rely on manual testing of APIs.
23. Thank you!
Contact us | info@42crunch.com | 42crunch.com
Free security tools from 42Crunch
https://42crunch.com/resources-free-tools/