2. • WORLD’S TRAVEL SEARCH ENGINE
• FOUNDED 2003
• ACQUIRED BY CTRIP 2016
• OVER 1200 EMPLOYEES WORLDWIDE
• 10+ GLOBAL OFFICES
• OVER 90M ACTIVE MONTHLY USERS
• OVER 1200 GLOBAL PARTNERS
3. • ENGINEERING (700+) SQUADIFICATION
• 10 000+ CHANGES TO PRODUCTION DAILY
• 1000+ DISTINCT SERVICES
• 500+ A/B TESTS DAILY
• 16 000+ PODS ACROSS K8S CLUSTERS
• FAIL FAST / FAIL FORWARD
• YOU BUILD IT, YOU RUN IT
• BOYD’S LAW OF ITERATION
4. • SECURITY TRIBE
• ENGINEERING DISCIPLINE
• FOUR (4) SECURITY SQUADS
• 20+ SECURITY ENGINEERS
• 40+ SECURITY CHAMPIONS
• WE TRUST BUT VERIFY AND EDUCATE
• AUTOMATE OR DIE TRYING
5. “The time when a single person or team can be responsible for an organization's security is long over ...”
Laura Bell, CEO SafeStack
9. TOP API THREATS
• BUSINESS LOGIC
• BAD BOTS
• LOW HANGING FRUIT
• SDFS
• DoS, CREDENTIAL STUFFING, BRUTE FORCE ATTACKS …
• BROKEN ACCESS CONTROL
• AUTHENTICATION
• SENSITIVE DATA EXPOSURE
• INJECTIONS
• PARAMETER TAMPERING
10. K8s and Istio
• mTLS for all API traffic
• Kubelet to API server and everything etcd
• Node – Master – User
• API authentication & authorization
• Restrict R/W access to the etcd backend
• static Bearer token, RBAC
• x509 auto-generated certificates
• Separate namespaces with limited roles
• Network and Pod security policies
• Pod authorization
• Network policy to the cluster
11. BOTS & RATE LIMITING
• Web and mobile are easy
• Sensors through JS and SDKs
• API Gateways FTW
• Caching, quotas and throttling
• Authenticity of the device
• Device behaviours + network activity
• Profiling API requests
• Relies on behavioral analysis
12. INJECTIONS
• Inline protection (WAF)
• Runtime Protection (RASP)
• Rules based on business logic
• Filter Input Escape Output (FIEO)
• Dependency security assurance automation
• Method filtering
• 405 Method Not Allowed
• Content-type validation
• Content negotiation + data acceptance
• SAST + dependencies
• Analyse the data flows
• DAST pipeline support
• Fuzzing API endpoints (integration)
13. BROKEN ACCESS CONTROL
• Authorization frameworks
• OAuth, OIDC specification
• Randomize IDs (UUID)
• Store them in the session object
• Deny all access by default
• RBAC model usually works
• Shift it left and assess offensively
• Design reviews & threat modelling
14. AUTHENTICATION
• Internal vs. External API endpoints
• Always assume worst case scenario
• Zero-trust networks
• Standardise and shift it left
• Avoid re-inventing the wheel
• Short-lived access tokens
• Standard auth and token generation
• Avoid basic auth (JWT, OAuth)
• Additional Auth controls
• Stricter rate-limiting
• Lockout policies
15. SENSITIVE DATA EXPOSURE
• Maintenance of API inventory
• Especially externally exposed ones
• Minimization of API responses
• MVR (Minimum Viable Response)
• Clearly defined schemas (+ errors)
• Removal/tokenization of sensitive data
• HSTS policy enforcement
• Prevent SSL stripping
• Enforced response checks
• Prevent accidental leaks
• Data management top-down
• Identify all the sensitive data
• Data classification
• PII/PD justification
16. PARAMETER TAMPERING
• Validation of parameters received
• XSS, FI, Path Disclosure
• API signing
• Hash-based MAC
• Avoiding dependence on client-side
• Fuzzing helps (a lot!)
17. BUSINESS LOGIC
• Legitimate workflows gone wrong
• Unintended behaviors
• Solely depends on the nature of the workflow
• Left vs. lefter
• Trust but verify
• Initial stage engagement (design/model)
• No automation can help
• Pipeline tooling
• Reactive scanning
• External offensive assessments
18. KEY OBJECTIVES
• PROTECT THE API ENDPOINTS FROM THREATS
• GAMIFICATION
• ENSURE LONG-TERM IMPROVEMENTS
• REAL-TIME FEEDBACK LOOP
• TARGETED APPROACH CAPABILITIES
• SHIFT SDLC SECURITY TO THE LEFT
• MAKE IT EXPENSIVE FOR AN ATTACKER
“95% of all successful cyber-attacks are caused by human error”
27. JOURNEY SUMMARY
• Nail the basics of API security
• and of your tech stack
• Automate the boring stuff
• Real time visibility and feedback loop
• It becomes a competition
• Enable value-stream mapping
• ‘Why’ behind it
• Targeted continuous improvement
• Who needs what and when
• Move into Action
• Team effectiveness integration (EngHealth)
• Pipeline control
“Culture eats strategy for breakfast”
Peter Drucker