Nordic APIs, profile picture
Uploaded byNordic APIs
664 views

Applying API Security at Scale

Isabelle Mauny, the Chief Product Officer and co-founder of 42Crunch, addresses concerns about recent API breaches and emphasizes the importance of integrating security early in application development. She advocates for adopting a 'shift left' approach, teaching API security across teams, and automating security measures. The document also provides resources and best practices for effective API security management.

Embed presentation

Downloaded 10 times
ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER ISABELLE@42CRUNCH.COM APPLYING API SECURITY AT SCALE
2 API BREACHES REPORTED THIS JUNE ON APISECURITY.IO
WHY IS THIS HAPPENING ? 3
WE ARE HUMANS! 4
TITLE TEXTDIGITAL TRANSFORMATION MADNESS…. 5 APPLICATION
 DEVELOPMENT APPLICATION
 SECURITY
HOW DO WE ADDRESS THE ISSUE? 6
CONSIDER SECURITY EARLY: SHIFT LEFT ! 7 DeploymentTestingDevelopmentRequirements Design 1 10 100 1000 Vulnerability Fixing Cost:
SHIFT LEFT GUIDELINES 8
9 Development Security Operations Business
ONE SIZE DOES NOT FIT ALL KNOW YOUR APIS AND THE RISKS THEY BRING 10See: https://www.owasp.org/index.php/Application_Threat_Modeling
IMPLEMENTATION PRINCIPLES 11 ZERO TRUST DON’T RE-INVENT THE WHEEL PROTECT SENSITIVE DATA SECURE ERROR HANDLING SECURE LOGGING 2
The one thing that you should always remember when coding defensively is that you need to assume that users will do something that you did not plan on. 12
IMPLEMENT SELF-HACKING 13 Automatic analysis first! Code/Libraries/Docker images/ Transport settings Test the Hacky path ! Then manual Bug bounty, Pen testing 3
14 DEPLOYMENT PRINCIPLES 4 Front Process Data DEFENSE IN DEPTH - SECURITY ZONES - LEAST PRIVILEGE PRINCIPLES
•Vulnerabilities are bugs: use development ticketing system to track issues •Analyse runtime behaviour and raise alerts automatically 15 YOU CAN’T FIX WHAT YOU DON’T KNOW 5
➤ INTRODUCE API SECURITY EARLY ON ➤ TEACH API SECURITY ACROSS DEV/SEC/OPS TEAMS ➤ AUTOMATE API SECURITY ➤ MONITOR AND LEARN 16 CALL TO ACTION
NEWS AND TOOLS FOR BETTER API SECURITY
RESOURCES OWASP Top 10 for applications ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 18
RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 19

More Related Content

PDF
Hacker vs AI
byNordic APIs
 
PDF
CIS13: APIs, Identity, and Securing the Enterprise
byCloudIDSummit
 
PPTX
Data-driven API Security
byApigee | Google Cloud
 
PPTX
Security as an Enabler for the Digital World - CISO Perspective
byApigee | Google Cloud
 
PPTX
Data-driven Security: Protect APIs from Adaptive Threats
byApigee | Google Cloud
 
PPTX
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
PPTX
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
byapidays
 
PDF
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 
Hacker vs AI
byNordic APIs
 
CIS13: APIs, Identity, and Securing the Enterprise
byCloudIDSummit
 
Data-driven API Security
byApigee | Google Cloud
 
Security as an Enabler for the Digital World - CISO Perspective
byApigee | Google Cloud
 
Data-driven Security: Protect APIs from Adaptive Threats
byApigee | Google Cloud
 
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
byapidays
 
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 

What's hot

PDF
WEBINAR: Positive Security for APIs: What it is and why you need it!
by42Crunch
 
PDF
API Security and OAuth for the Enterprise
byCA API Management
 
PPTX
Managing Identities in the World of APIs
byApigee | Google Cloud
 
PPTX
Layered API Security: What Hackers Don't Want You To Know
byAaronLieberman5
 
PDF
Is Your API Being Abused – And Would You Even Notice If It Was?
byNordic APIs
 
PPTX
apidays LIVE New York 2021 - OWASP cautions against “insufficient logging & m...
byapidays
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
PDF
Are You Properly Using JWTs?
by42Crunch
 
PPTX
API Security Survey
byImperva
 
PPTX
Web application security
byAkash Mahajan
 
PDF
Mobile App Hacking In A Nutshell
byPrathan Phongthiproek
 
PDF
Web application security
byAkash Mahajan
 
PPTX
Test and Protect Your API
bySmartBear
 
PDF
OWASP Mobile Security: Top 10 Risks for 2017
byTecsyntSolutions
 
PPT
You Can't Spell Enterprise Security without MFA
byPing Identity
 
PDF
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
by5h1vang
 
PDF
How Secure Are Your APIs?
byApigee | Google Cloud
 
PDF
Protecting Against Vulnerabilities in SharePoint Add-ons
byImperva
 
PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
PDF
Jump-Start The MASVS
byPrathan Phongthiproek
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
by42Crunch
 
API Security and OAuth for the Enterprise
byCA API Management
 
Managing Identities in the World of APIs
byApigee | Google Cloud
 
Layered API Security: What Hackers Don't Want You To Know
byAaronLieberman5
 
Is Your API Being Abused – And Would You Even Notice If It Was?
byNordic APIs
 
apidays LIVE New York 2021 - OWASP cautions against “insufficient logging & m...
byapidays
 
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
Are You Properly Using JWTs?
by42Crunch
 
API Security Survey
byImperva
 
Web application security
byAkash Mahajan
 
Mobile App Hacking In A Nutshell
byPrathan Phongthiproek
 
Web application security
byAkash Mahajan
 
Test and Protect Your API
bySmartBear
 
OWASP Mobile Security: Top 10 Risks for 2017
byTecsyntSolutions
 
You Can't Spell Enterprise Security without MFA
byPing Identity
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
by5h1vang
 
How Secure Are Your APIs?
byApigee | Google Cloud
 
Protecting Against Vulnerabilities in SharePoint Add-ons
byImperva
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
Jump-Start The MASVS
byPrathan Phongthiproek
 

Similar to Applying API Security at Scale

PDF
Why you need API Security Automation
by42Crunch
 
PDF
API Security Guidelines: Beyond SSL and OAuth.
byIsabelle Mauny
 
PDF
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
byapidays
 
PDF
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
PDF
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
PPTX
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
byapidays
 
PDF
Five Principles to API Security
byIsabelle Mauny
 
PDF
SecDevOps for API Security
by42Crunch
 
PDF
Better API Security With A SecDevOps Approach
byNordic APIs
 
PDF
Better API Security with Automation
by42Crunch
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
Outpost24 webinar Why API security matters and how to get it right.pdf
byOutpost24
 
PDF
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
byLF_APIStrat
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
PDF
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
PDF
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PPTX
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
PDF
APIDays Paris Security Workshop
by42Crunch
 
PDF
LF_APIStrat17_Practical DevSecOps for APIs
byLF_APIStrat
 
Why you need API Security Automation
by42Crunch
 
API Security Guidelines: Beyond SSL and OAuth.
byIsabelle Mauny
 
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
byapidays
 
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
byapidays
 
Five Principles to API Security
byIsabelle Mauny
 
SecDevOps for API Security
by42Crunch
 
Better API Security With A SecDevOps Approach
byNordic APIs
 
Better API Security with Automation
by42Crunch
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
Outpost24 webinar Why API security matters and how to get it right.pdf
byOutpost24
 
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
byLF_APIStrat
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
APIDays Paris Security Workshop
by42Crunch
 
LF_APIStrat17_Practical DevSecOps for APIs
byLF_APIStrat
 

More from Nordic APIs

PPTX
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
byNordic APIs
 
PPTX
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
byNordic APIs
 
PDF
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
byNordic APIs
 
PPTX
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
byNordic APIs
 
PPTX
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
byNordic APIs
 
PDF
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
byNordic APIs
 
PPTX
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
byNordic APIs
 
PPTX
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
byNordic APIs
 
PPTX
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
byNordic APIs
 
PPTX
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
byNordic APIs
 
PPTX
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
byNordic APIs
 
PPTX
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
byNordic APIs
 
PPTX
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
byNordic APIs
 
PPTX
APIs Vs Events - Bala Bairapaka, Sandvik AB
byNordic APIs
 
PPTX
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
byNordic APIs
 
PPTX
From Good API Design to Secure Design - Axel Grosse, 42Crunch
byNordic APIs
 
PPTX
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
byNordic APIs
 
PPTX
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
byNordic APIs
 
PDF
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
byNordic APIs
 
PPTX
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
byNordic APIs
 
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
byNordic APIs
 
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
byNordic APIs
 
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
byNordic APIs
 
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
byNordic APIs
 
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
byNordic APIs
 
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
byNordic APIs
 
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
byNordic APIs
 
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
byNordic APIs
 
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
byNordic APIs
 
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
byNordic APIs
 
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
byNordic APIs
 
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
byNordic APIs
 
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
byNordic APIs
 
APIs Vs Events - Bala Bairapaka, Sandvik AB
byNordic APIs
 
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
byNordic APIs
 
From Good API Design to Secure Design - Axel Grosse, 42Crunch
byNordic APIs
 
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
byNordic APIs
 
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
byNordic APIs
 
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
byNordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
byNordic APIs
 

Recently uploaded

PPTX
Device Repair and Maintenance Management
byAxisTechnolabs
 
PDF
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
PDF
Phone Tracker App for Family (2026)_ The Safe, Legit Way to Protect Loved One...
byMia Taylor
 
PDF
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
PDF
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
PDF
SLIDE PROPARTNER SUMMIT 2025 - ITALY.pdf
bygiuo
 
PDF
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
PDF
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
DOCX
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 
PPTX
Applicius Technologies: Full Service Overview for Branding, SEO, Web & App De...
byappliciustech
 
PDF
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
PDF
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
PDF
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
PDF
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 
PDF
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PDF
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
PDF
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
PDF
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
PDF
LogiNext Media Kit & Company Overview 2025
bysmritipatil055
 
Device Repair and Maintenance Management
byAxisTechnolabs
 
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
Phone Tracker App for Family (2026)_ The Safe, Legit Way to Protect Loved One...
byMia Taylor
 
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
SLIDE PROPARTNER SUMMIT 2025 - ITALY.pdf
bygiuo
 
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 
Applicius Technologies: Full Service Overview for Branding, SEO, Web & App De...
byappliciustech
 
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
LogiNext Media Kit & Company Overview 2025
bysmritipatil055
 

Applying API Security at Scale

  • 1.
    ISABELLE MAUNY -CHIEF PRODUCT OFFICER & CO-FOUNDER ISABELLE@42CRUNCH.COM APPLYING API SECURITY AT SCALE
  • 2.
    2 API BREACHES REPORTED THISJUNE ON APISECURITY.IO
  • 3.
  • 4.
  • 5.
    TITLE TEXTDIGITAL TRANSFORMATIONMADNESS…. 5 APPLICATION
 DEVELOPMENT APPLICATION
 SECURITY
  • 6.
    HOW DO WE ADDRESSTHE ISSUE? 6
  • 7.
    CONSIDER SECURITY EARLY:SHIFT LEFT ! 7 DeploymentTestingDevelopmentRequirements Design 1 10 100 1000 Vulnerability Fixing Cost:
  • 8.
  • 9.
  • 10.
    ONE SIZE DOESNOT FIT ALL KNOW YOUR APIS AND THE RISKS THEY BRING 10See: https://www.owasp.org/index.php/Application_Threat_Modeling
  • 11.
    IMPLEMENTATION PRINCIPLES 11 ZERO TRUST DON’T RE-INVENTTHE WHEEL PROTECT SENSITIVE DATA SECURE ERROR HANDLING SECURE LOGGING 2
  • 12.
    The one thingthat you should always remember when coding defensively is that you need to assume that users will do something that you did not plan on. 12
  • 13.
    IMPLEMENT SELF-HACKING 13 Automatic analysis first! Code/Libraries/Dockerimages/ Transport settings Test the Hacky path ! Then manual Bug bounty, Pen testing 3
  • 14.
    14 DEPLOYMENT PRINCIPLES 4 Front Process Data DEFENSEIN DEPTH - SECURITY ZONES - LEAST PRIVILEGE PRINCIPLES
  • 15.
    •Vulnerabilities are bugs:use development ticketing system to track issues •Analyse runtime behaviour and raise alerts automatically 15 YOU CAN’T FIX WHAT YOU DON’T KNOW 5
  • 16.
    ➤ INTRODUCE APISECURITY EARLY ON ➤ TEACH API SECURITY ACROSS DEV/SEC/OPS TEAMS ➤ AUTOMATE API SECURITY ➤ MONITOR AND LEARN 16 CALL TO ACTION
  • 17.
    NEWS AND TOOLSFOR BETTER API SECURITY
  • 18.
    RESOURCES OWASP Top 10for applications ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 18
  • 19.
    RESOURCES SSL Setup Scan ✓https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 19