Protecting Financial-Grade APIs
Getting the right security stack
ISABELLE MAUNY
ISABELLE@42CRUNCH.COM
© COPYRIGHT 42CRUNCH | CONFIDENTIAL
API Breaches are on the rise!
• 300+ breaches reported on apisecurity.io since
Oct. 2018
• And those are just the public ones!
• Most recurrent causes (combination of):
• Lack of Input validation
• Lack of Rate Limiting
• Data/Exception leakage
• BOLA/IDOR (Authorization)
Application architecture has changed!
Source: https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm
The Fintech case
Source: https://www.trendmicro.com/en_us/research/19/i/when-psd2-opens-more-doors-the-risks-of-open-banking.html
Complex deployments
FROM PROTECTING THE PERIMETER…
…TO PROTECTING THE DATA
API Security Applies at Multiple Levels
• Hypervisor, VMs
• Intra-services communication (auth, azn, TLS)
• App level security (auth, azn, libs, code, images, data)
• OS / Network / Physical Access
OWASP API Security Top 10
• API1: Broken Object Level Authorisation
• API2: Broken Authentication
• API3: Excessive Data Exposure
• API4: Lack of Resources & Rate Limiting
• API5: Missing Function/Resource Level Access Control
• API6: Mass Assignment
• API7: Security Misconfiguration
• API8: Injection
• API9: Improper Assets Management
• API10: Insufficient Logging & Monitoring
UBER (SEPT 2019)
The Attack
✓ Account takeover for any Uber account from a phone number
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ First data leakage: the driver's internal UUID was exposed through an error message!
✓ An attacker can access any driver, user or partner profile if they know the UUID
✓ Second data leakage via the getConsentScreenDetails operation: the full account
information is returned, when only a few fields are used by the UI. This includes the
mobile token used to log in to the account
https://appsecure.security/blog/how-i-could-have-hacked-your-uber-account
API1 (BOLA) MITIGATION
Fine-grained authorisation in every controller layer
Do not use IDs from the API request; use the ID from the session instead (implement
session management in the controller layer)
Additionally:
✓ Avoid guessable IDs (123, 124, 125…)
✓ Avoid exposing internal IDs via the API
✓ Alternative: GET https://myapis.com/resources/me
Prevent data scraping by putting rate limiting in place (by token, not by IP!)
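The controller-layer pattern this slide describes, as an added example that is not part of the original deck: the owner is taken from the session, resources are addressed by a random public id rather than the database key, and a `/profiles/me` route needs no id at all. The profile store, the `prf_` id prefix and the `Session` type are constructed for the example.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Populated by the authentication layer from the validated token or cookie.
    The client cannot set this field; it is the only source of the caller's identity."""
    user_id: int


class NotFound(Exception):
    pass


# Constructed profile store. internal_id is the sequential database key (guessable and
# never exposed); public_id is the random handle the API speaks.
PROFILES = {
    1: {"internal_id": 1, "public_id": "prf_4k9Qx2mNv7Rw", "display_name": "Alice"},
    2: {"internal_id": 2, "public_id": "prf_Zt81pLc0WdYs", "display_name": "Bob"},
}
PUBLIC_INDEX = {p["public_id"]: p["internal_id"] for p in PROFILES.values()}


def new_public_id() -> str:
    """Random, non-guessable identifier for newly created resources (instead of 123, 124, 125...)."""
    return "prf_" + secrets.token_urlsafe(12)


def to_representation(profile: dict) -> dict:
    """External view of a profile: the internal key is not part of the API contract."""
    return {"id": profile["public_id"], "displayName": profile["display_name"]}


def get_profile_bola(requested_internal_id: int) -> dict:
    """The shape behind API1: the id from the request is used as-is and nothing ties it to
    the caller, so any authenticated user can read any profile by changing the number."""
    return PROFILES[requested_internal_id]


def get_my_profile(session: Session) -> dict:
    """GET /profiles/me: the owner comes from the session; the request carries no id at all."""
    return to_representation(PROFILES[session.user_id])


def get_profile(session: Session, public_id: str) -> dict:
    """GET /profiles/{id}: resolve the public id, then enforce ownership in the controller.
    A foreign id gets the same 404 as an unknown one, so the response does not confirm
    that the resource exists."""
    internal_id = PUBLIC_INDEX.get(public_id)
    if internal_id is None or internal_id != session.user_id:
        raise NotFound(public_id)
    return to_representation(PROFILES[internal_id])
```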
API3 MITIGATION
Take control of your JSON schemas!
✓ Describe the data thoroughly and enforce the format at runtime (outbound)
✓ Review and approve the data returned by APIs
Never expose tokens, sensitive or exploitable data in API responses
Never rely on client apps to filter data: instead, create different APIs for each
consumer, returning just the data they need
Beware of GraphQL queries!
✓ Validate the fields accessed via the query
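An outbound schema gate of the kind the slide asks for, as an added example that is not part of the original deck: the response schema (with `additionalProperties: false`) is the contract, the handler projects only those fields, and anything else in the payload fails the check before it leaves the service. The consent-screen schema, the account record and the tiny JSON Schema subset validator are constructed for the example.

```python
from __future__ import annotations
import re
from typing import Any, List

# Constructed response schema for a "consent screen" operation: only the fields the UI
# uses, and additionalProperties: false so an extra field is a violation, not a pass-through.
CONSENT_SCREEN_SCHEMA = {
    "type": "object",
    "required": ["displayName", "maskedPhone"],
    "additionalProperties": False,
    "properties": {
        "displayName": {"type": "string", "maxLength": 64},
        "maskedPhone": {"type": "string", "pattern": r"^\*+\d{4}$"},
        "consentVersion": {"type": "integer"},
    },
}

# Constructed full account record as the data layer returns it. Two of these fields
# must never reach a client.
FULL_ACCOUNT_RECORD = {
    "name": "Alice Example",
    "phone": "+447700900123",
    "consent_version": 3,
    "mobileToken": "constructed-mobile-login-token",
    "internalUuid": "00000000-0000-4000-8000-000000000001",
}


class ResponseSchemaViolation(Exception):
    pass


def check_against_schema(value: Any, schema: dict, path: str = "$") -> List[str]:
    """Validator for the JSON Schema subset used above (object/string/integer, required,
    additionalProperties: false, maxLength, pattern). Returns the violations, [] if clean."""
    errors: List[str] = []
    kind = schema.get("type")
    if kind == "object":
        if not isinstance(value, dict):
            return [f"{path}: expected object"]
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required field missing")
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors.extend(check_against_schema(sub, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: field not in response schema")
    elif kind == "string":
        if not isinstance(value, str):
            return [f"{path}: expected string"]
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than maxLength {schema['maxLength']}")
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
    elif kind == "integer":
        if not isinstance(value, int) or isinstance(value, bool):
            errors.append(f"{path}: expected integer")
    return errors


def project_consent_screen(account: dict) -> dict:
    """Server-side projection: build the response from the schema's fields only. The
    client is never handed the full record to filter itself."""
    phone = account["phone"]
    return {
        "displayName": account["name"],
        "maskedPhone": "*" * (len(phone) - 4) + phone[-4:],
        "consentVersion": account["consent_version"],
    }


def enforce_outbound(payload: dict, schema: dict) -> dict:
    """Runtime gate on every response: fail closed if the payload strays from the contract."""
    errors = check_against_schema(payload, schema)
    if errors:
        raise ResponseSchemaViolation("; ".join(errors))
    return payload
```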
Another API3 vector: JWTs!
Recommended best practice:
✓ Use opaque tokens for external consumption
✓ Use JWTs for internal consumption
FACEBOOK (FEB 2018)
The Attack
✓ Account takeover via password reset at https://www.facebook.com/login/identify?ctx=recover&lwv=110
✓ facebook.com has rate limiting, beta.facebook.com does not!
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ Rate limiting missing on the beta APIs, which allows brute-force guessing of the
password reset code
✓ Misconfigured security on beta endpoints
https://appsecure.security/blog/we-figured-out-a-way-to-hack-any-of-facebook-s-2-billion-accounts-and-they-paid-us-a-15-000-bounty-for-it
API2 (BROKEN AUTH) MITIGATION
Choose the right authentication depending on data/operation sensitivity!
Enforce 2FA, captcha
Use secure storage for credentials
Use short-lived access tokens and limit their scope
Use Mutual TLS when applicable (known/controlled partners)
Use OAuth properly (most likely authorization_code with PKCE)
✓ Financial-grade API (FAPI) profiles as reference (https://openid.net/wg/fapi/)
Make sure you validate JWTs according to Best Practices (RFC 8725) - https://www.rfc-editor.org/rfc/rfc8725.txt
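The two token slides together (opaque tokens externally, JWTs internally, and JWT validation per RFC 8725), as an added example that is not part of the original deck: an external client holds a random handle that carries no data, the gateway exchanges it for a short-lived internal HS256 JWT, and the verifier pins the algorithm, compares the signature in constant time and checks issuer, audience and lifetime. Everything is standard library; the in-memory handle store, the issuer and audience strings and the test key are constructed for the example.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

EXPECTED_ALG = "HS256"  # the one algorithm this API accepts; the header never gets to choose


class InvalidToken(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue an internal JWT (present only so the example is self-contained)."""
    header = _b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, *, issuer: str, audience: str,
               now: Optional[float] = None, leeway: int = 30) -> dict:
    """RFC 8725 style validation. Raises InvalidToken; returns the claims on success."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidToken("malformed token")
    # RFC 8725 3.1/3.2: the algorithm is a property of this API, not of the token;
    # "none" or anything else is rejected before the signature is even looked at.
    if header.get("alg") != EXPECTED_ALG:
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    # RFC 8725 3.8/3.9: a token from another issuer or for another API is not valid here.
    if payload.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    # Short-lived tokens: exp is mandatory; nbf is honoured when present.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidToken("expired")
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        raise InvalidToken("not yet valid")
    return payload


# Constructed in-memory handle store (a real deployment uses a token store or introspection).
OPAQUE_TOKENS: Dict[str, dict] = {}


def issue_opaque_token(claims: dict) -> str:
    """External consumers get a random handle: there is nothing inside it to decode or leak."""
    handle = secrets.token_urlsafe(32)
    OPAQUE_TOKENS[handle] = dict(claims)
    return handle


def exchange_for_internal_jwt(handle: str, key: bytes) -> str:
    """Gateway step: resolve the handle and mint the JWT used for internal (east-west) calls."""
    claims = OPAQUE_TOKENS.get(handle)
    if claims is None:
        raise InvalidToken("unknown token")
    return mint_hs256(claims, key)
```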
Beware of URLs
https://www.trendmicro.com/en_us/research/19/i/when-psd2-opens-more-doors-the-risks-of-open-banking.html
API4 (RATE LIMITING) MITIGATION
Protect all authentication endpoints from abuse (login, password reset,
OAuth endpoints)
✓ Smart rate limiting: by API key / access token / user identity / fingerprint
✓ Short timespan
✓ Counter-example: Instagram, 200 attempts/min/IP for password reset
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually
easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to
perform the complete attack of one million codes”
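The rate-limiting advice from the API1 slide (by token, not by IP) and this API4 slide, as an added example that is not part of the original deck: a sliding-window limiter keyed by the principal the slide lists (token, then user identity, then fingerprint, IP only as a last resort), run over constructed password-reset traffic so the difference between the two keys is visible. The budget of 5 attempts per minute and the traffic sample are constructed.

```python
from __future__ import annotations
import hashlib
import time
from collections import deque
from typing import Callable, Deque, Dict, Iterable, Optional


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds for each key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # forget hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject and do not record the attempt
        q.append(now)
        return True


def principal_for(request: dict) -> str:
    """Key selection in the slide's order: access token / API key, then user identity,
    then device fingerprint; the source address only when nothing better exists."""
    token = request.get("access_token") or request.get("api_key")
    if token:
        # Hash so the limiter's store never holds a usable credential.
        return "tok:" + hashlib.sha256(token.encode()).hexdigest()[:16]
    if request.get("account"):
        return "acct:" + request["account"].strip().lower()
    if request.get("fingerprint"):
        return "fp:" + request["fingerprint"]
    return "ip:" + request.get("ip", "unknown")


def count_allowed(requests: Iterable[dict], limiter: RateLimiter,
                  key_fn: Callable[[dict], str]) -> int:
    """How many of `requests` the limiter lets through when keyed by `key_fn`."""
    return sum(1 for r in requests if limiter.allow(key_fn(r), now=r["t"]))


# Constructed traffic: 50 password-reset code attempts against one account within 25 s,
# each arriving from a different address in the 203.0.113.0/24 documentation range.
RESET_ATTEMPTS = [
    {"t": i * 0.5, "ip": f"203.0.113.{i + 1}", "account": "Victim@Example.test"}
    for i in range(50)
]

# Constructed budget for authentication endpoints: 5 attempts per minute per principal.
RESET_LIMIT, RESET_WINDOW = 5, 60.0


def compare_keying() -> dict:
    """Same traffic, two keys. Keyed by IP every attempt passes, which is the gap the
    Facebook and Instagram cases illustrate; keyed by the account the sixth attempt is refused."""
    return {
        "by_ip": count_allowed(RESET_ATTEMPTS, RateLimiter(RESET_LIMIT, RESET_WINDOW), lambda r: r["ip"]),
        "by_principal": count_allowed(RESET_ATTEMPTS, RateLimiter(RESET_LIMIT, RESET_WINDOW), principal_for),
    }
```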
APACHE STRUTS : EQUIFAX AND MANY MORE (2017)
The Attack
✓ Remote command injection attack: the server executes commands written in the OGNL language when a
Content-Type validation error is raised.
✓ Example: (request shown as an image on the original slide)
Core Issue
✓ Unpatched Apache Struts library with a remote command injection vulnerability, widely exploited
for months.
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
API 7 MITIGATION
Reject requests with unknown path/verbs
TLS is on by default
✓ TLS 1.2 minimum with strong cipher suites
✓ Test your API endpoints with SSLLabs.com
Change default credentials/ports
Automatically inject security headers
Keep systems and software at latest level
Limit your external dependencies
Control those dependencies in-house (enterprise repository)
No Trust!! Continuously test for vulnerabilities and leaking secrets (OS, libraries, docker images,
kubernetes deployment files, etc.)
API 8 MITIGATION
No Trust! (even for internal APIs and for East-West traffic)
Validate user input, including headers like Content-Type or Accept
Check the behaviour of your dev frameworks when a wrong Content-Type is used
✓ Many default to sending an exception back, but experience varies
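The API7 and API8 points together (reject unknown paths and verbs, validate the Content-Type header before anything parses it, and log rather than echo what was rejected), as an added example that is not part of the original deck. The operation allowlist, the media-type check and the in-memory audit log are constructed; in a deployment the allowlist would be generated from the API contract.

```python
from __future__ import annotations
import re
from typing import Dict, List, Optional, Tuple

# Constructed allowlist of the kind an OpenAPI contract yields: (verb, path pattern) ->
# media types the operation consumes (an empty set means the operation takes no body).
ALLOWED_OPERATIONS = {
    ("GET", re.compile(r"^/accounts/me$")): set(),
    ("POST", re.compile(r"^/payments$")): {"application/json"},
    ("GET", re.compile(r"^/payments/[A-Za-z0-9_-]{22}$")): set(),
}

# Fixed phrases only: the client learns the class of error, never the offending value.
GENERIC_BODY = {
    404: {"error": "not found"},
    405: {"error": "method not allowed"},
    415: {"error": "unsupported media type"},
}

# In-memory stand-in for the structured log shipped to the SIEM (API10).
AUDIT_LOG: List[dict] = []

_MEDIA_TYPE = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")


def parse_media_type(header_value: Optional[str]) -> Optional[str]:
    """Return the bare type/subtype of a Content-Type value, or None when it is not a
    well-formed media type. Parameters (charset, boundary) are dropped, and nothing is
    handed to a body parser until this check has passed."""
    if header_value is None:
        return None
    essence = header_value.split(";", 1)[0].strip().lower()
    return essence if _MEDIA_TYPE.fullmatch(essence) else None


def _reject(status: int, method: str, path: str, reason: str,
            header_value: Optional[str]) -> Tuple[int, dict]:
    AUDIT_LOG.append({
        "event": "request_rejected", "status": status, "method": method, "path": path,
        "reason": reason,
        "content_type": (header_value or "")[:128],  # truncated, logged, never echoed
    })
    return status, GENERIC_BODY[status]


def gate(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Admission check run before framework routing or body parsing. Returns (status, body)."""
    method = method.upper()
    lowered = {k.lower(): v for k, v in headers.items()}
    ct = lowered.get("content-type")
    matching = [(m, p) for (m, p) in ALLOWED_OPERATIONS if p.match(path)]
    if not matching:
        return _reject(404, method, path, "unknown path", ct)
    allowed_types = next((ALLOWED_OPERATIONS[(m, p)] for m, p in matching if m == method), None)
    if allowed_types is None:
        return _reject(405, method, path, "verb not allowed for path", ct)
    if allowed_types:  # the operation consumes a body, so the media type must be one we accept
        media_type = parse_media_type(ct)
        if media_type is None:
            return _reject(415, method, path, "missing or malformed Content-Type", ct)
        if media_type not in allowed_types:
            return _reject(415, method, path, "Content-Type not accepted by operation", ct)
    return 200, {"ok": True}
```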
A10 : LOGS, LOGS, LOGS!
Log all API activity
Push the logs to security platforms such as SIEMs for automated threat detection.
FINAL THOUGHTS!
Start worrying about API Security at design time
✓ A vulnerability discovered at production time costs up to 30x more to solve
Hack yourselves!
✓ For each functional test, create 10 negative tests
✓ Hammer your APIs with bad data, bad tokens, bad users
Automate Security
✓ Inject security into DevOps practices and don’t rely on manual testing of APIs.
Thank you!
Contact us | info@42crunch.com | 42crunch.com
Free security tools from 42Crunch
https://42crunch.com/resources-free-tools/
News and tools for better API Security
SUBSCRIBE TODAY!
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
 
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, OsaangoApidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
 
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
 
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, ZuploApidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
 
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
 
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss AdamsApidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
 
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
 
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
 
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
 
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, DanoneApidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
 
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
 
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
 

Recently uploaded

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 

Recently uploaded (20)

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 

apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API Security stack! by Isabelle Mauny

10. API1 (BOLA) MITIGATION
• Fine-grained authorisation in every controller layer
• Do not use IDs from the API request; use the ID from the session instead (implement session management in the controller layer)
• Additionally:
✓ Avoid guessable IDs (123, 124, 125…)
✓ Avoid exposing internal IDs via the API
✓ Alternative: GET https://myapis.com/resources/me
• Prevent data scraping by putting rate limiting in place (by token, not by IP!)
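The BOLA mitigation above, as an added example (not code from the slides or from 42Crunch): the vulnerable handler trusts the object ID in the request, the hardened handler resolves ownership from the session, and a /resources/me style lookup removes the ID from the request altogether. The profile store, session table and ID format are constructed for illustration.

```python
"""API1 (BOLA/IDOR) mitigation: decide ownership from the session, not the request."""
import secrets

# Constructed sample data: two drivers, each owning one internal profile record.
_PROFILES = {
    "d-7f3a9c": {"owner": "alice", "name": "Alice", "iban": "GB00-CONSTRUCTED-A"},
    "d-1b2e44": {"owner": "bob", "name": "Bob", "iban": "GB00-CONSTRUCTED-B"},
}
# Constructed session table: session ID -> authenticated identity.
_SESSIONS = {
    "sess-alice": {"user": "alice", "profile_id": "d-7f3a9c"},
    "sess-bob": {"user": "bob", "profile_id": "d-1b2e44"},
}


class Forbidden(Exception):
    """Raised for unauthenticated or unauthorised access."""


def get_profile_vulnerable(session_id: str, requested_profile_id: str) -> dict:
    """Vulnerable pattern: the caller is authenticated, but the object ID comes
    straight from the request and ownership is never checked (BOLA/IDOR)."""
    if session_id not in _SESSIONS:
        raise Forbidden("not authenticated")
    return _PROFILES[requested_profile_id]


def get_profile_hardened(session_id: str, requested_profile_id: str) -> dict:
    """Hardened pattern: the controller layer checks that the requested object
    belongs to the identity carried by the session."""
    session = _SESSIONS.get(session_id)
    if session is None:
        raise Forbidden("not authenticated")
    profile = _PROFILES.get(requested_profile_id)
    # Same answer for "does not exist" and "not yours", so the API does not
    # confirm which IDs are real (no data leakage through error messages).
    if profile is None or profile["owner"] != session["user"]:
        raise Forbidden("no such resource")
    return profile


def get_my_profile(session_id: str) -> dict:
    """GET /resources/me: no object ID in the request at all; the session decides."""
    session = _SESSIONS.get(session_id)
    if session is None:
        raise Forbidden("not authenticated")
    return _PROFILES[session["profile_id"]]


def new_resource_id() -> str:
    """Non-guessable public ID (128 random bits) instead of 123, 124, 125..."""
    return "d-" + secrets.token_hex(16)
```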
11. API3 MITIGATION
• Take control of your JSON schemas!
✓ Describe the data thoroughly and enforce the format at runtime (outbound)
✓ Review and approve data returned by APIs
• Never expose tokens/sensitive/exploitable data in API responses
• Never rely on client apps to filter data: instead, create various APIs depending on consumer, with just the data they need
• Beware of GraphQL queries!
✓ Validate fields accessed via query
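Outbound schema enforcement as described above, as an added example (not from the slides or from 42Crunch): each consumer gets its own declared response schema with no additional properties allowed, the response is projected from the internal record, and anything undeclared or sensitive is rejected at runtime rather than passed through for the client to filter. The account record, consumer names and field names are constructed.

```python
"""API3 (excessive data exposure) mitigation: enforce the response schema outbound."""

# Constructed internal account record, as a backend might return it. The
# mobile_token field is the kind of data that must never leave the server.
_FULL_ACCOUNT = {
    "id": "u-5d2c",
    "name": "Alice",
    "email": "alice@example.test",
    "phone": "+44 7700 900000",
    "mobile_token": "mt-CONSTRUCTED-SECRET",
    "internal_uuid": "8f1e2c4a-constructed",
}

# One response schema per consumer, in the spirit of an OpenAPI response
# object with additionalProperties: false. Only listed properties may go out.
RESPONSE_SCHEMAS = {
    "consent_screen": {
        "properties": {"id": str, "name": str},
        "additionalProperties": False,
    },
    "profile_page": {
        "properties": {"id": str, "name": str, "email": str, "phone": str},
        "additionalProperties": False,
    },
}

# Field names that are refused outbound regardless of what a schema declares.
SENSITIVE_FIELDS = frozenset({"mobile_token", "internal_uuid", "password", "secret"})


class ResponseViolation(Exception):
    """The payload about to be sent does not match the declared schema."""


def validate_outbound(payload: dict, schema: dict) -> dict:
    """Check every field of the payload against the declared schema: undeclared
    fields (when additionalProperties is false), wrong types and sensitive
    fields all block the response instead of leaking."""
    props = schema["properties"]
    for key, value in payload.items():
        if key in SENSITIVE_FIELDS:
            raise ResponseViolation(f"sensitive field in response: {key}")
        if key not in props:
            if not schema.get("additionalProperties", True):
                raise ResponseViolation(f"undeclared field in response: {key}")
            continue
        if not isinstance(value, props[key]):
            raise ResponseViolation(f"wrong type for field: {key}")
    return payload


def project(record: dict, consumer: str) -> dict:
    """Build the consumer-specific response (one API per consumer) from the
    internal record, then run it through the outbound schema check."""
    schema = RESPONSE_SCHEMAS[consumer]
    view = {k: record[k] for k in schema["properties"] if k in record}
    return validate_outbound(view, schema)
```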
12. Another API3 vector: JWTs!
• Recommended best practice:
✓ Use opaque tokens for external consumption
✓ Use JWTs for internal consumption

13. FACEBOOK (FEB 2018)
The Attack
✓ Account takeover via password reset at https://www.facebook.com/login/identify?ctx=recover&lwv=110
✓ facebook.com has rate limiting, beta.facebook.com does not!
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ Rate limiting missing on beta APIs, which allows brute-force guessing of the password reset code
✓ Misconfigured security on beta endpoints
Source: https://appsecure.security/blog/we-figured-out-a-way-to-hack-any-of-facebook-s-2-billion-accounts-and-they-paid-us-a-15-000-bounty-for-it
14. API2 (BROKEN AUTH) MITIGATION
• Choose the right authentication depending on data/operation sensitivity!
• Enforce 2FA, captcha
• Use secure storage for credentials
• Use short-lived access tokens and limit their scope
• Use Mutual TLS when applicable (known/controlled partners)
• Use OAuth properly (most likely authorization_code with PKCE)
✓ Financial-grade API (FAPI) profiles as reference (https://openid.net/wg/fapi/)
• Make sure you validate JWTs according to Best Practices (RFC 8725) - https://www.rfc-editor.org/rfc/rfc8725.txt
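JWT validation along the lines of RFC 8725, as an added example (not code from the slides or from 42Crunch): the algorithm is pinned server-side so "none" and unexpected algorithms are refused before the signature is even looked at, the signature is compared in constant time, and issuer, audience, expiry and not-before are all checked. HS256 with a shared secret is used only because it is verifiable with the standard library; the secret, issuer, audience and claims are constructed, and mint_token exists only to build inputs for the verifier.

```python
"""API2 mitigation: verify a JWT with a pinned algorithm and full claim checks."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-for-production"  # constructed; use a KMS/HSM in practice
EXPECTED_ISS = "https://auth.example.test"                # constructed issuer
EXPECTED_AUD = "accounts-api"                             # constructed audience (this API)
ALLOWED_ALGS = {"HS256"}   # decided by the server; never read from the token header
LEEWAY_SECONDS = 30        # tolerated clock skew


class InvalidToken(Exception):
    """The token is rejected; the reason is for server-side logs only."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Test-input builder. Deliberately able to emit alg=none so the verifier
    can be shown refusing it; a real issuer would never do this."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims if the token is acceptable for this API, else raise."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # RFC 8725 3.1/3.2: the verifier chooses the algorithm; "none" and anything
    # outside the allow-list are refused before any signature work.
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        raise InvalidToken("bad signature")
    # Claim checks: issuer, audience (this API must be listed), then time window.
    if claims.get("iss") != EXPECTED_ISS:
        raise InvalidToken("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud:
        raise InvalidToken("token not intended for this API")
    if "exp" not in claims or now > claims["exp"] + LEEWAY_SECONDS:
        raise InvalidToken("token expired or has no expiry")
    if now + LEEWAY_SECONDS < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    return claims
```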
15. Beware of URLs
Source: https://www.trendmicro.com/en_us/research/19/i/when-psd2-opens-more-doors-the-risks-of-open-banking.html

16. API4 (RATE LIMITING) MITIGATION
• Protect all authentication endpoints from abuse (login, password reset, OAuth endpoints)
✓ Smart rate limiting: by API key/access token/user identity/fingerprint
✓ Short timespan
✓ Counter example: Instagram, 200 attempts/min/IP for password reset
“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes”
17. APACHE STRUTS: EQUIFAX AND MANY MORE (2017)
The Attack
✓ Remote command injection attack: the server executes commands written in the OGNL language when a Content-Type validation error is raised.
✓ Example: (request shown on the slide image)
Core Issue
✓ Unpatched Apache Struts library with a remote command injection vulnerability, widely exploited for months.
Source: https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

18. API 7 MITIGATION
• Reject requests with unknown path/verbs
• TLS is on by default
✓ TLS 1.2 minimum with strong cipher suites
✓ Test your API endpoints with SSLLabs.com
• Change default credentials/ports
• Automatically inject security headers
• Keep systems and software at latest level
• Limit your external dependencies
• Control those dependencies in-house (enterprise repository)
• No Trust!! Continuously test for vulnerabilities and leaking secrets (OS, libraries, docker images, kubernetes deployment files, etc.)

20. API 8 MITIGATION
• No Trust! (even for internal APIs and for East-West traffic)
• Validate user input, including headers like Content-Type or Accept
• Check the behaviour of your dev frameworks when a wrong Content-Type is used
✓ Many default to sending an exception back, but experience varies
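The API7 and API8 points above (reject unknown path/verbs, validate Content-Type before parsing, inject security headers, never hand the framework's exception back to the client), as one added example that is not code from the slides or from 42Crunch: an allow-list gate in front of the handlers. The route table, header set and sample requests are constructed.

```python
"""API7/API8 mitigation: allow-list gate for routes, Content-Type and body parsing."""
import json

# Constructed route table, in the spirit of an OpenAPI contract: a (verb, path)
# pair that is not listed does not exist as far as the client can tell.
ROUTES = {
    ("POST", "/v1/payments"): {"content_type": "application/json", "max_body": 4096},
    ("GET", "/v1/payments/me"): {"content_type": None, "max_body": 0},
}

# Headers added to every response automatically, success or error.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Content-Type": "application/json",
}


def _media_type(header_value) -> str:
    """'application/json; charset=utf-8' -> 'application/json'."""
    return (header_value or "").split(";", 1)[0].strip().lower()


def _reply(status: int, message: str = "", data=None) -> dict:
    """Uniform response. Error bodies are fixed strings: no stack traces, no
    parser messages, no framework exception text reaches the client."""
    body = {"error": message} if status >= 400 else (data or {})
    return {"status": status, "headers": dict(SECURITY_HEADERS), "body": body}


def gate(request: dict) -> dict:
    """Check verb/path, Content-Type and body size before anything is parsed."""
    route = ROUTES.get((request.get("method"), request.get("path")))
    if route is None:
        return _reply(404, "not found")                 # unknown path OR unknown verb
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    raw = request.get("body", b"")
    expected = route["content_type"]
    if expected is None:                                # route takes no body at all
        if raw:
            return _reply(400, "request body not accepted")
        return _reply(200, data={"ok": True})
    if _media_type(headers.get("content-type")) != expected:
        return _reply(415, "unsupported media type")    # checked before any parser runs
    if len(raw) > route["max_body"]:
        return _reply(413, "payload too large")
    try:
        parsed = json.loads(raw)
    except ValueError:
        return _reply(400, "malformed request body")    # parser message stays server-side
    if not isinstance(parsed, dict):
        return _reply(400, "malformed request body")
    return _reply(200, data={"ok": True, "fields": sorted(parsed)})
```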
21. A10: LOGS, LOGS, LOGS!
• Log all API activity
• Push it to security platforms such as SIEMs for automated threat detection.

22. FINAL THOUGHTS!
• Start worrying about API Security at design time
✓ A vulnerability discovered at production time costs up to 30x more to solve
• Hack yourselves!
✓ For each functional test, create 10 negative tests
✓ Hammer your APIs with bad data, bad tokens, bad users
• Automate Security
✓ Inject Security into DevOps practices and don’t rely on manual testing of APIs.

23. Thank you!
Contact us | info@42crunch.com | 42crunch.com
Free security tools from 42Crunch: https://42crunch.com/resources-free-tools/

24. News and tools for better API Security: SUBSCRIBE TODAY!