Slide 2: Introduction
How many APIs do you have?
How convenient do you find it to manage your APIs?
Do you think your APIs are well secured?
Slide 3: APIs: The Attack Surface That Connects Us All
Stefan Mardak, Enterprise Security Architect, Principal
Slide 4
1061: average number of applications per enterprise, including mission-critical applications
Source: 2023 Connectivity Benchmark Report by MuleSoft, in collaboration with Deloitte Digital
Slide 5: The API Security Environment
By 2024, API abuses and related data breaches will nearly double.[1]
Existing application security solutions are not built for APIs.
31% of web traffic is APIs.[2]
More APIs deployed every day, more API traffic, more API attacks.
[1] Gartner: Top 10 Things Software Engineering Leaders Need to Know About APIs
[2] Akamai threat researchers have identified that 31% of all traffic protected by Akamai is API traffic
Slide 6: What is your API landscape?
• East-West APIs: inside your organization (Business Unit A, Business Unit B; App A, App B, App C)
• North-South APIs: APIs you open to the outside (authenticated)
  • Web app, Mobile APIs | B2C (Mobile App, Website)
  • Partner APIs | B2B
Slide 7: APIs Have a Large Attack Surface
Controls: Known Threat Protection (Bot Mitigation, WAF); Authentication & Authorization (API Gateway); DDoS Protection (DNS, Infrastructure, Layer 7); Cloud Security (CWPP, CSPM, SWSEG)
Threats: Account Takeover; Unauthorized Data Access; Data Harvesting; Fraud / Business Logic Abuse
Authenticated Users & Partners are the Riskiest: B2B / Partner Integration, User Access
Slide 8: OWASP Top 10 API Security Risks – 2023
https://owasp.org/API-Security/editions/2023/en/0x11-t10/
Only #1 can be addressed by Authentication & Authorization at an API gateway
Slide 9: API Security Problems (Today's Focus, Tomorrow's Focus)
• Discover Shadow APIs: discover your complete API footprint, including rogue, legacy, admin, zombie, etc.
• Determine Vulnerable APIs: prevent OWASP Top 10 vulnerabilities and misconfigurations from hitting production.
• Detect API Abuse: stop business logic abuse such as data scraping or data exfiltration using behavioral analytics.
Slide 10: Reinventing API Security
AI-Driven | 100% SaaS Platform | Data rich | API Detection and Response
Continuous API Discovery | Risk Audit & Posture Alerts | Behavioral Alerts | Detection & Response
Visibility & Investigations & Threat Hunting
Shadow APIs | Vulnerable APIs | API Abuse
Slide 11: Why you need API Security?
• Discovery of APIs in any environment
• Determine risk posture (OWASP API Top 10)
• Understanding API user behavior
• Detect API abuse
• Perform investigations and threat hunting

API Security Problems
• WAAP: focused on external threats. B2C only. Detection: Signatures & ML
• API Gateway: focused on gateway functions. AuthN | AuthZ | Rate limiting. Detection: None
• API Security: focused on all API traffic. B2C & B2B | North-South | East-West. Detection: Behavioral Analytics

API Activity Data Lake
Diagram labels: DDoS, Bot, WAF, API Firewall; BAD and GOOD traffic; partner traffic on authentication APIs; any API traffic that bypasses the API gateway (whitelisted); Shadow API; East-West
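The two gaps slides 9 and 11 name, shadow APIs that no inventory knows about and abuse by clients that have already passed the gateway's AuthN/AuthZ check, can both be found from API activity data rather than from gateway configuration. The following is an added example, not code from the talk or from Akamai: it runs two checks over constructed key=value access log lines (the log format, client names, route inventory and thresholds are all assumptions made for the example). The first diffs the route templates observed in traffic against a declared inventory; the second counts, per authenticated client and route, how many distinct object IDs were requested, the basic signal behind the "data scraping" case.

```python
"""Added example (not from the apidays talk or Akamai): two checks an API gateway
does not perform, run over constructed API access log lines.

  1. Shadow-API discovery: which route templates appear in traffic but are
     absent from the declared inventory (e.g. the routes in an OpenAPI spec)?
  2. Behavioural abuse detection: which authenticated clients are enumerating
     many distinct object IDs on one route (data scraping / harvesting)?

Log format, client names, routes and thresholds are all constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample: one line per request, "timestamp key=value ...".
SAMPLE_LOG = """\
2023-09-13T10:00:01Z client=mobile-app-7 method=GET path=/v1/users/1001/orders status=200 auth=ok
2023-09-13T10:00:02Z client=mobile-app-7 method=GET path=/v1/users/1001 status=200 auth=ok
2023-09-13T10:00:03Z client=partner-42 method=GET path=/v1/users/1001 status=200 auth=ok
2023-09-13T10:00:03Z client=partner-42 method=GET path=/v1/users/1002 status=200 auth=ok
2023-09-13T10:00:04Z client=partner-42 method=GET path=/v1/users/1003 status=200 auth=ok
2023-09-13T10:00:04Z client=partner-42 method=GET path=/v1/users/1004 status=200 auth=ok
2023-09-13T10:00:05Z client=partner-42 method=GET path=/v1/users/1005 status=200 auth=ok
2023-09-13T10:00:05Z client=partner-42 method=GET path=/v1/users/1006 status=404 auth=ok
2023-09-13T10:00:06Z client=legacy-batch method=POST path=/v1/admin/export status=200 auth=ok
2023-09-13T10:00:07Z client=anon method=GET path=/v1/users/1001 status=401 auth=fail
"""

# Declared inventory (assumed: what the gateway / OpenAPI spec knows about).
DECLARED_ROUTES: Set[str] = {
    "GET /v1/users/{id}",
    "GET /v1/users/{id}/orders",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
ID_SEGMENT = re.compile(r"^\d+$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'ts k=v k=v ...' line into a dict; the timestamp is stored under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    fields["ts"] = m.group("ts")
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def route_template(method: str, path: str) -> str:
    """Collapse numeric path segments to {id}: GET /v1/users/1001 -> 'GET /v1/users/{id}'."""
    parts = ["{id}" if ID_SEGMENT.match(p) else p for p in path.split("/")]
    return f"{method} {'/'.join(parts)}"


def object_ids(path: str) -> List[str]:
    """The numeric segments of a path, i.e. the object IDs a request addressed."""
    return [p for p in path.split("/") if ID_SEGMENT.match(p)]


def find_shadow_routes(events: Iterable[Dict[str, str]], declared: Set[str]) -> Set[str]:
    """Route templates seen in traffic that are not in the declared inventory."""
    observed = {route_template(e["method"], e["path"]) for e in events}
    return observed - declared


def find_enumeration(events: Iterable[Dict[str, str]], min_distinct_ids: int = 5) -> Dict[tuple, int]:
    """(client, route) pairs where an authenticated client touched at least
    min_distinct_ids distinct object IDs. Only requests with auth=ok count:
    the point is abuse that already passed the gateway's AuthN/AuthZ check.
    Responses with status 404 are counted too, because probing IDs that do
    not exist is part of the enumeration pattern."""
    seen = defaultdict(set)
    for e in events:
        if e.get("auth") != "ok":
            continue
        ids = object_ids(e["path"])
        if ids:
            seen[(e["client"], route_template(e["method"], e["path"]))].update(ids)
    return {key: len(ids) for key, ids in seen.items() if len(ids) >= min_distinct_ids}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("shadow routes:", find_shadow_routes(evts, DECLARED_ROUTES))
    print("enumeration:", find_enumeration(evts))
```

Run stand-alone, the script reports `POST /v1/admin/export` as a route that traffic shows but the inventory does not, and `partner-42` as an authenticated client that walked six distinct user IDs on `GET /v1/users/{id}`; the anonymous 401 request is excluded, since it is the gateway's problem, not this check's. In a real deployment the route inventory would come from the API gateway or OpenAPI specs, and the enumeration count would be taken over a sliding time window with a per-client baseline rather than a fixed threshold.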
12

apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan Mardak, Akamai Technologies