apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023
API First Paradigms That Help Secure Your APIs
Raj Umadas, Sr Platform Security Manager at ActBlue
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
1. API First Paradigms That Help Secure Your APIs
Take Solace in the Interface
3. Intro
Agenda
● Intro
○ Agenda
○ Who am I
○ Who are you? (I think)
● The Goods
○ What I mean by “API-First”
○ Where is the opportunity?
○ What questions could we be asking?
● Q&A
4. Intro
Who Am I
● Pentester with a heavy focus on mobile and embedded systems
○ Intrepidus Group 4 Lyfe :)
● Security Engineer with heavy focus on hyperscale DevSecOps orgs
○ Etsy, Spotify, SquareSpace…
● Security Architect in some pretty cool niche areas
○ Canary (hardware security camera), Beyond Identity (Passwordless… the future(™))
● Security Leader at some ‘interesting places’ 🚀🚀
○ WeWork, Compass
● Currently running the security team at ActBlue and advising some awesome security startups!
5. Intro
Who are you? (I think)
● From the website: CIOs, CTOs, CDOs, SVPs, VPs, Heads of Innovation, Heads of API, API
Architects, Developers, Software Engineers, Infrastructure & Cloud Managers, IT Managers,
Product Managers, Consultants & Analysts
● No security titles :(
● Historically my stakeholders, not my typical conference audience/teams
● ***I want to try to share with you ways that YOU can help your security team vs how your
security team can help you***
6. The Goods
What I mean by “API-First”
● A set of agreed upon approaches and technology to solidify the concept that APIs are the
main building block for your backend…
● Why these agreements?
○ codify and standardize development and implementation decisions to, hopefully,
○ Speed up development
○ Allow strongly decoupled systems
○ Improve maintainability
● Help a security team's job be more efficient, more accurate?
○ Possibly
7. The Goods
What I mean by “API-First”
● Non-exhaustive but illustrative example…
● API Specification layer
○ Swagger
○ Thrift, Proto
● Restful resource naming conventions
○ GET|PUT|DELETE http://www.example.com/products/66432
○ GET http://www.example.com/customers/33245/orders/8769/lineitems/1
● Data Encapsulation/Serialization Layer 7
○ Protobuf
○ JSON
● Golden Path Frameworks and Middleware
○ Rails
○ Devise
8. The Goods
Where is the Opportunity?
● Non-exhaustive list but illustrative example…
● API Specification layer
○ Feed tooling with better base cases (fuzzer, scanning, IDS/IPS)
○ Surface deltas kicking off async verification flows
● Restful resource naming conventions
○ Tuning edge protections using URI/URL
○ Routers that can have some powerful middleware/decorators
● Data Encapsulation/Serialization Layer 7
○ Deeper/efficient inspection (not just grep) of real time production traffic
○ Input sanitization libraries
● Frameworks and Middleware
○ Integrate APMs for security specific investigations
○ Unit and integration testing tailored for important middleware (i.e. auth)
9. The Goods
What questions could we be asking?
● What are your org's API-first tactics?
○ API Specification layer
○ Restful resource naming conventions
○ Data Encapsulation/Serialization Layer 7
○ Frameworks and Middleware
● What are your org's methods to encourage/enforce your tactics?
○ Peer reviews
○ Code Generation
○ Design/Arch reviews
○ Heavily supported Golden Paths
● How does ANY of your existing security tooling take advantage of your org's tactics, or get
guarded by your org's methods of encouraging/adopting API-first tactics?
○ How was the last vulnerability reported to your team discovered?
○ How was the last comment in a PR programmatically generated?
○ How did the last “security incident” rely on API conventions and configs to make triaging and
investigations easier?
10. The Goods
What questions could we be asking?
● How was the last vulnerability reported to your team discovered?
○ A security scanner that consumes your routes definition to scan only the routes, verbs and params
you know the API matches was used to find an unauth POST when the endpoint historically only had
unauth GETs.
● How was the last comment in a PR programmatically generated?
○ Security code scanning tool has a number of detections written that are able to detect if an API based
on its inheritance structure generates HTML vs JSON output and did not have the correct output
encoding library calls before a return.
● How did the last “security incident” rely on API conventions and configs to make triaging and
investigations easier?
○ The security team, in partnership with the search team, was able to add a number of traffic shaping
rules to the edge api gateway to block highly likely malicious requests that triggered long running
transactions in the backend that would cause a denial of service for all users.
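Slide 8's "surface deltas kicking off async verification flows" and the scanner case on this slide (an unauthenticated POST appearing on a path that historically only had unauthenticated GETs) come down to the same mechanism: diff the API specification between releases and route the security-relevant changes to verification. The following is an added example, not code from the talk or from ActBlue; it runs over constructed OpenAPI 3 fragments, and the path names and the `bearerAuth` scheme are assumptions for illustration.

```python
# Added example (not from the talk): diff two OpenAPI 3 documents and flag the
# security-relevant deltas that should kick off an asynchronous verification flow.
# The spec fragments below are constructed; the paths and the "bearerAuth" scheme
# are assumptions for illustration.
import copy
from dataclasses import dataclass

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

# Version 1: /products/{id} is intentionally public (security: []); everything
# under /customers inherits the document-wide bearer-token requirement.
SPEC_V1 = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/products/{id}": {
            "get": {"security": []},
        },
        "/customers/{cid}/orders/{oid}/lineitems/{n}": {
            "get": {},
        },
    },
}

# Version 2: a release adds an unauthenticated POST to the historically GET-only
# public path, drops auth from an existing customer endpoint, and adds a new path.
SPEC_V2 = copy.deepcopy(SPEC_V1)
SPEC_V2["paths"]["/products/{id}"]["post"] = {"security": []}
SPEC_V2["paths"]["/customers/{cid}/orders/{oid}/lineitems/{n}"]["get"]["security"] = []
SPEC_V2["paths"]["/customers/{cid}/orders/{oid}"] = {"put": {}}

BLOCKING_KINDS = {"new-unauth-method", "auth-removed", "new-path-unauth"}


@dataclass(frozen=True)
class Finding:
    kind: str    # new-method | new-unauth-method | auth-removed | new-path | new-path-unauth
    path: str
    method: str


def operations(spec):
    """Yield (path, method, operation) for every operation in a spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield path, method, op


def effective_security(spec, operation):
    """Security requirements that apply to one operation. In OpenAPI 3 an
    operation-level `security` overrides the document-level list, and an
    empty list means the operation needs no authentication."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def diff_specs(old, new):
    """Return the security-relevant deltas between two versions of a spec."""
    old_ops = {(p, m): op for p, m, op in operations(old)}
    old_paths = {p for p, _ in old_ops}
    findings = []
    for path, method, op in operations(new):
        unauth = not effective_security(new, op)
        if (path, method) in old_ops:
            # Existing operation: only a removal of auth is interesting here.
            if effective_security(old, old_ops[(path, method)]) and unauth:
                findings.append(Finding("auth-removed", path, method))
        elif path in old_paths:
            # New verb on a known path, e.g. a POST on a GET-only resource.
            findings.append(Finding("new-unauth-method" if unauth else "new-method", path, method))
        else:
            findings.append(Finding("new-path-unauth" if unauth else "new-path", path, method))
    return findings


def needs_verification(findings):
    """The subset that should block merge or be queued for a targeted scan."""
    return [f for f in findings if f.kind in BLOCKING_KINDS]


if __name__ == "__main__":
    for f in needs_verification(diff_specs(SPEC_V1, SPEC_V2)):
        print(f"{f.kind}: {f.method.upper()} {f.path}")
```

The OpenAPI rule being relied on is that an operation-level `security` list overrides the document-level one and an empty list means no authentication, so a verb that is absent from the old spec and carries `security: []` in the new one is exactly the case the slide describes. The `needs_verification` output is what would be queued for the async flow: a targeted scan of just those routes and verbs, or a design review, rather than a blind crawl of the whole API.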
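The PR-comment case on this slide, a detection keyed on a handler's inheritance structure rather than on grepping for strings, can be sketched with Python's standard-library `ast` module. This is an added example, not the scanning tool or the code described in the talk; the base classes `HtmlHandler`/`JsonHandler`, the `html_escape` helper and the sample source it is run over are all hypothetical and constructed for illustration.

```python
# Added example (not from the talk): flag handlers that inherit from an
# HTML-rendering base class and return non-constant data without an output
# encoding call before the return. HtmlHandler, JsonHandler and html_escape are
# hypothetical names standing in for a framework's own.
import ast

HTML_BASES = {"HtmlHandler"}      # classes whose return value is rendered as HTML
ENCODERS = {"html_escape"}        # accepted output-encoding helpers

# Constructed sample source: one vulnerable HTML handler, one safe HTML
# handler, and one JSON handler that is not an HTML sink at all.
SAMPLE_SOURCE = '''\
from markup import html_escape      # hypothetical encoding helper

class HtmlHandler: ...
class JsonHandler: ...

class ProfilePage(HtmlHandler):
    def get(self, name):
        return "<h1>" + name + "</h1>"                # unencoded: flagged

class SafeProfilePage(HtmlHandler):
    def get(self, name):
        safe = html_escape(name)
        return "<h1>" + safe + "</h1>"                # encoded earlier: ok

class ProfileApi(JsonHandler):
    def get(self, name):
        return {"name": name}                         # JSON handler: not an HTML sink
'''


def _name(node):
    """Bare name of a base class or callee, for `Foo` and `pkg.Foo` alike."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_unencoded_html_returns(source, html_bases=HTML_BASES, encoders=ENCODERS):
    """Return (class, method, lineno) for each return of non-constant data in an
    HTML handler that is not preceded (or wrapped) by an encoder call."""
    tree = ast.parse(source)
    findings = []
    for cls in (n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)):
        if not any(_name(base) in html_bases for base in cls.bases):
            continue  # JSON or other handlers are out of scope for this rule
        for fn in cls.body:
            if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            encoder_lines = [n.lineno for n in ast.walk(fn)
                             if isinstance(n, ast.Call) and _name(n.func) in encoders]
            for ret in ast.walk(fn):
                if not isinstance(ret, ast.Return) or ret.value is None:
                    continue
                if isinstance(ret.value, ast.Constant):
                    continue  # static template text carries no user input
                if any(line <= ret.lineno for line in encoder_lines):
                    continue  # an encoder ran at or before this return
                findings.append((cls.name, fn.name, ret.lineno))
    return findings


if __name__ == "__main__":
    for cls_name, fn_name, lineno in find_unencoded_html_returns(SAMPLE_SOURCE):
        print(f"line {lineno}: {cls_name}.{fn_name} returns HTML without output encoding")
```

The inheritance check is what keeps the rule precise: the same `"<h1>" + name` expression in a JSON handler is data, not markup, so it is not reported. The "encoder call at or before the return" heuristic is deliberately simple and will miss encoding done in a helper called from the handler; in a real PR bot that is the knob to tune toward fewer false positives once the golden-path framework's helpers are known.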
11. The Goods
What questions could we be asking?
● Does the existing security team have the capability to leverage the developer productivity
tooling your API first tactics provide?
● Does the existing security team know what they are?
● Do your dev teams understand the philosophy used by your security team to protect your org,
or APIs?
● Has someone explicitly tried to ensure the two worlds are intermixing?
● I really believe if you ask and explore these questions with API and security focused
engineers, a lot of synergies will be identified for some fun and impactful collaborations.