Checkmarx meetup API Security - Solving security at scale - Ante Gulam
SOLVING API SECURITY AT SCALE.
• WORLD’S TRAVEL SEARCH ENGINE
• FOUNDED 2003
• ACQUIRED BY CTRIP 2016
• OVER 1200 EMPLOYEES WORLDWIDE
• 10+ GLOBAL OFFICES
• OVER 90M ACTIVE MONTHLY USERS
• OVER 1200 GLOBAL PARTNERS
• ENGINEERING (700+) SQUADIFICATION
• 10 000+ CHANGES TO PRODUCTION DAILY
• 1000+ DISTINCT SERVICES
• 500+ A/B TESTS DAILY
• 16 000+ PODS ACROSS K8S CLUSTERS
• FAIL FAST / FAIL FORWARD
• YOU BUILD IT, YOU RUN IT
• BOYD’S LAW OF ITERATION
• SECURITY TRIBE
• ENGINEERING DISCIPLINE
• FOUR (4) SECURITY SQUADS
• 20+ SECURITY ENGINEERS
• 40+ SECURITY CHAMPIONS
• WE TRUST BUT VERIFY AND EDUCATE
• AUTOMATE OR DIE TRYING
“The time when a single person or team can be responsible for an organization's security is long over ...”
Laura Bell, CEO SafeStack
REUSABLE COMPONENTS, CD AND ORCHESTRATION
KEY DISCIPLINE CHALLENGES
• CONTINUOUS VISIBILITY
• STANDARDISATION
  • OPENAPI, SWAGGER, PROTOBUF …
• PIPELINE SECURITY DATA CONSOLIDATION
• ATTACK SURFACE MONITORING
• REMEDIATION ASSURANCE
• FRICTIONLESS
TOP API THREATS
• BUSINESS LOGIC
• BAD BOTS
  • LOW HANGING FRUIT
  • DoS, CREDENTIAL STUFFING, BRUTE FORCE ATTACKS …
• BROKEN ACCESS CONTROL
• AUTHENTICATION
• SENSITIVE DATA EXPOSURE
• INJECTIONS
• PARAMETER TAMPERING
K8s and Istio
• mTLS for all API traffic
  • Kubelet to API server and everything etcd
  • Node – Master – User
• API authentication & authorization
  • Restrict R/W access to the etcd backend
  • Static bearer token, RBAC (static token files are a legacy option with no rotation and a restart to revoke; prefer client certificates or OIDC, with RBAC as the authorization layer)
  • x509 auto-generated certificates
• Separate namespaces with limited roles
• Network and Pod security policies (PodSecurityPolicy is removed as of Kubernetes 1.25; Pod Security Admission replaces it)
  • Pod authorization
  • Network policy to the cluster
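The controls on this slide are all checkable from manifests. The following is an added example, not code from the talk or from Skyscanner: a small policy-as-code audit that walks a list of Kubernetes and Istio objects (the shape `kubectl get ... -o json` returns) and reports where mesh-wide STRICT mTLS, a per-namespace default-deny NetworkPolicy, least-privilege RBAC, or pod hardening is missing. The sample objects are constructed inline, and the decision to exempt `kube-system` and `istio-system` from the default-deny check is an assumption.

```python
"""Audit Kubernetes/Istio objects for the controls listed on the slide.

Added example, not from the talk. SAMPLE is constructed test data; in practice
feed the function the items of `kubectl get <kinds> -A -o json`.
"""
from typing import Iterable


def audit(manifests: Iterable[dict]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    objs = list(manifests)
    findings = []

    # 1. Mesh-wide mTLS: a PeerAuthentication in istio-system with no selector
    #    must be STRICT, and no namespace may override it back to PERMISSIVE.
    mesh = [o for o in objs if o.get("kind") == "PeerAuthentication"
            and o["metadata"].get("namespace") == "istio-system"
            and "selector" not in o.get("spec", {})]
    if not any(o["spec"].get("mtls", {}).get("mode") == "STRICT" for o in mesh):
        findings.append("no mesh-wide PeerAuthentication with mtls.mode=STRICT")
    for o in objs:
        if (o.get("kind") == "PeerAuthentication"
                and o.get("spec", {}).get("mtls", {}).get("mode") == "PERMISSIVE"):
            findings.append(f"PERMISSIVE mTLS in namespace {o['metadata'].get('namespace')}")

    # 2. Every workload namespace needs a default-deny NetworkPolicy: empty
    #    podSelector, both policy types, no ingress/egress rules.
    namespaces = {o["metadata"]["name"] for o in objs if o.get("kind") == "Namespace"}
    denied = set()
    for o in objs:
        if o.get("kind") != "NetworkPolicy":
            continue
        spec = o.get("spec", {})
        if (spec.get("podSelector") == {}
                and set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
                and not spec.get("ingress") and not spec.get("egress")):
            denied.add(o["metadata"]["namespace"])
    system_ns = {"kube-system", "istio-system"}  # assumed exemption
    for ns in sorted(namespaces - denied - system_ns):
        findings.append(f"namespace {ns} has no default-deny NetworkPolicy")

    # 3. RBAC: cluster-admin must never be bound to a ServiceAccount.
    for o in objs:
        if (o.get("kind") in ("ClusterRoleBinding", "RoleBinding")
                and o.get("roleRef", {}).get("name") == "cluster-admin"):
            for s in o.get("subjects", []):
                if s.get("kind") == "ServiceAccount":
                    findings.append(
                        f"cluster-admin bound to ServiceAccount {s.get('namespace')}/{s['name']}")

    # 4. Pod hardening: no host namespaces, no privileged containers.
    for o in objs:
        if o.get("kind") != "Pod":
            continue
        spec = o.get("spec", {})
        name = f"{o['metadata'].get('namespace')}/{o['metadata']['name']}"
        if spec.get("hostNetwork") or spec.get("hostPID"):
            findings.append(f"pod {name} shares host namespaces")
        for c in spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"pod {name} runs privileged container {c['name']}")
    return findings


SAMPLE = [  # constructed test data, not a real cluster
    {"kind": "Namespace", "metadata": {"name": "payments"}},
    {"kind": "Namespace", "metadata": {"name": "search"}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "PeerAuthentication", "metadata": {"name": "legacy", "namespace": "search"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "search"}]},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "search"},
     "spec": {"hostPID": True, "containers": [{"name": "sh", "image": "busybox",
              "securityContext": {"privileged": True}}]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

Run against the sample, the audit reports five findings, all in the `search` namespace; the `payments` namespace, with STRICT mesh mTLS and its default-deny policy, is clean.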
BOTS & RATE LIMITING
• Web and mobile are the easy case
  • Sensors through JS and SDKs
• API gateways FTW
  • Caching, quotas and throttling
• Authenticity of the device
  • Device behaviours + network activity
• Profiling API requests
  • Relies on behavioural analysis
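Quotas, throttling and request profiling are what a gateway does per client. As an added example (not code from the talk), here is a token-bucket throttle with per-tier quotas and one behavioural signal: a client that walks many distinct endpoints in a short burst looks like a harvester rather than a person searching for flights. The tiers, thresholds and the sample traffic are assumptions; the clock is injectable so the demo runs deterministically.

```python
"""Token-bucket throttling with per-client quotas plus a simple request
profile used as a bot signal. Added example, not from the talk; tiers,
thresholds and the sample traffic are assumptions for illustration."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float        # burst size
    refill_per_sec: float  # sustained rate
    tokens: float
    updated: float


# Quota tiers (assumed): unauthenticated callers get far less than partners.
TIERS = {"anonymous": (20, 1.0), "partner": (500, 50.0)}


class Throttle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}
        # Last 50 endpoint paths per client, for behavioural profiling.
        self.paths: dict[str, deque] = defaultdict(lambda: deque(maxlen=50))

    def allow(self, client: str, tier: str, path: str) -> tuple[bool, str]:
        now = self.clock()
        cap, rate = TIERS[tier]
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(cap, rate, cap, now)
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.updated) * b.refill_per_sec)
        b.updated = now
        if b.tokens < 1:
            return False, "429 quota exceeded"
        b.tokens -= 1
        self.paths[client].append(path)
        if self.looks_like_scraper(client):
            return False, "403 scraping pattern"
        return True, "200"

    def looks_like_scraper(self, client: str) -> bool:
        """Heuristic: a person re-hits a handful of endpoints; a harvester
        walks many distinct ones. Fires once 30+ recent paths are >90% unique."""
        recent = self.paths[client]
        return len(recent) >= 30 and len(set(recent)) / len(recent) > 0.9


def demo() -> dict:
    """Constructed traffic: an anonymous burst, a wait, then a partner harvesting routes."""
    t = [0.0]
    th = Throttle(clock=lambda: t[0])
    out = {"anon_allowed": 0, "anon_denied": 0}
    for _ in range(25):            # burst of 25: 20 pass, 5 are throttled
        ok, _reason = th.allow("203.0.113.7", "anonymous", "/v1/flights/search")
        out["anon_allowed" if ok else "anon_denied"] += 1
    t[0] += 5.0                    # 5 s later: 5 tokens have refilled
    out["anon_after_wait"] = th.allow("203.0.113.7", "anonymous", "/v1/flights/search")[0]
    reason = ""
    for i in range(40):            # partner walking 40 distinct routes
        _ok, reason = th.allow("partner-42", "partner", f"/v1/routes/{i}")
    out["partner_last"] = reason
    return out


if __name__ == "__main__":
    print(demo())
```

The partner never exhausts its generous quota, yet from the 30th distinct route onward the profile check rejects it: quota alone does not stop a slow, well-funded scraper, which is why the slide pairs throttling with behavioural analysis.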
INJECTIONS
• Inline protection (WAF)
• Runtime protection (RASP)
  • Rules based on business logic
• Filter Input, Escape Output (FIEO)
• Dependency security assurance automation
• Method filtering
  • 405 Method Not Allowed for anything outside the route's allow-list
• Content-type validation
  • Content negotiation + data acceptance
• SAST + dependencies
  • Analyse the data flows
• DAST pipeline support
  • Fuzzing API endpoints (integration)
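Method filtering, content-type validation and strict schema acceptance are the edge checks on this slide; FIEO at the data layer means the validated input still never reaches a query parser as code. The following is an added example, not code from the talk: a request guard for an assumed `/v1/bookings` route, followed by the parameterised query beside the concatenated one it replaces, run against a constructed in-memory SQLite table.

```python
"""Edge checks for an API endpoint (405 / 415 / 400), then a handler that
binds parameters so validated input is still treated as data, not SQL.
Added example, not from the talk; routes, schema and data are assumptions."""
import json
import sqlite3

ROUTES = {"/v1/bookings": {"GET", "POST"}}          # assumed route table
ACCEPTED_TYPES = {"application/json"}
BOOKING_SCHEMA = {"origin": str, "destination": str, "passengers": int}


def guard(method: str, path: str, headers: dict, body: bytes):
    """Return (status, payload). Only (200, validated_dict) reaches the handler."""
    allowed = ROUTES.get(path)
    if allowed is None:
        return 404, {"error": "unknown route"}
    if method not in allowed:
        # 405 advertises what is allowed; clients and scanners rely on the Allow header.
        return 405, {"error": "method not allowed", "Allow": ", ".join(sorted(allowed))}
    if method == "GET":
        return 200, {}
    # Parse the media type rather than string-compare it: "application/json; charset=utf-8"
    # is accepted, "text/plain" carrying JSON is not (content negotiation + data acceptance).
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ACCEPTED_TYPES:
        return 415, {"error": "unsupported media type"}
    try:
        data = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    if not isinstance(data, dict) or set(data) != set(BOOKING_SCHEMA):
        return 400, {"error": "unexpected fields"}     # unknown keys rejected, not ignored
    for key, typ in BOOKING_SCHEMA.items():
        if type(data[key]) is not typ:                 # `is`: bool is an int subclass
            return 400, {"error": f"bad type for {key}"}
    return 200, data


def find_bookings(conn: sqlite3.Connection, origin: str) -> list:
    # Parameter binding: the value travels separately from the statement, so
    # quotes and comments inside `origin` are compared, never executed.
    return conn.execute(
        "SELECT id, origin FROM bookings WHERE origin = ?", (origin,)).fetchall()


def find_bookings_vulnerable(conn: sqlite3.Connection, origin: str) -> list:
    # The pattern WAF/RASP/SAST exist to catch: input spliced into the statement.
    return conn.execute(
        f"SELECT id, origin FROM bookings WHERE origin = '{origin}'").fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, origin TEXT)")
    conn.executemany("INSERT INTO bookings (origin) VALUES (?)",
                     [("LHR",), ("EDI",), ("BCN",)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    payload = "x' OR '1'='1"
    print("bound:", find_bookings(conn, payload))              # []
    print("concat:", find_bookings_vulnerable(conn, payload))  # every row
```

The guard alone would not have stopped the payload: `x' OR '1'='1` is a perfectly valid string for `origin`. Input validation narrows the attack surface; parameter binding is what removes the injection.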
BROKEN ACCESS CONTROL
• Authorization frameworks
  • OAuth, OIDC specification
• Randomise IDs (UUID)
  • Store the mapping in the session object (indirect references)
• Deny all access by default
  • RBAC model usually works
• Shift it left and assess offensively
  • Design reviews & threat modelling
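Deny-by-default RBAC plus session-scoped random references is the pattern this slide describes. As an added example (not code from the talk), here is the classic IDOR handler beside a hardened one: the client only ever sees a per-session UUID, the lookup fails closed for references the session did not issue, and every action passes two gates, role permission and object ownership. Roles, actions and the sample bookings are assumptions.

```python
"""Deny-by-default authorization: RBAC table + owner check + per-session
indirect references. Added example, not from the talk; roles, actions and
sample records are assumptions."""
import uuid
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


# RBAC: role -> permitted actions. Anything not listed is denied; no wildcard role.
ROLES = {
    "traveller": {"booking:read", "booking:cancel"},
    "support":   {"booking:read"},
}


@dataclass
class Booking:
    id: int
    owner: str
    route: str


BOOKINGS = {  # constructed sample data, keyed by the sequential database id
    101: Booking(101, "alice", "LHR-BCN"),
    102: Booking(102, "bob", "EDI-CDG"),
}


@dataclass
class Session:
    user_id: str
    role: str
    # Random UUID handed to the client -> internal key. The map lives only in
    # this session, so a reference copied from another user resolves to nothing.
    refs: dict = field(default_factory=dict)

    def expose(self, internal_id: int) -> str:
        ref = str(uuid.uuid4())
        self.refs[ref] = internal_id
        return ref


def authorize(session: Session, action: str, booking: Booking) -> None:
    """Both gates must pass: the role may perform the action, and the user owns
    the object. Support may read any booking but holds no cancel permission."""
    if action not in ROLES.get(session.role, set()):
        raise Forbidden(f"{session.role} may not {action}")
    if session.role != "support" and booking.owner != session.user_id:
        raise Forbidden("not the owner")


def get_booking_vulnerable(session: Session, booking_id: int) -> Booking:
    # Classic IDOR: sequential key straight from the URL, no ownership check.
    return BOOKINGS[booking_id]


def get_booking(session: Session, ref: str) -> Booking:
    internal = session.refs.get(ref)
    if internal is None:
        # Same error whether the ref is bogus or belongs to someone else: no oracle.
        raise Forbidden("unknown reference")
    booking = BOOKINGS[internal]
    authorize(session, "booking:read", booking)
    return booking


def cancel_booking(session: Session, ref: str) -> str:
    booking = get_booking(session, ref)
    authorize(session, "booking:cancel", booking)
    return f"cancelled {booking.route}"


if __name__ == "__main__":
    alice = Session("alice", "traveller")
    ref = alice.expose(101)
    print(get_booking(alice, ref).route)        # LHR-BCN
    bob = Session("bob", "traveller")
    print(get_booking_vulnerable(bob, 101).owner)  # alice: the bug
    try:
        get_booking(bob, ref)
    except Forbidden as e:
        print("blocked:", e)                     # unknown reference
```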
AUTHENTICATION
• Internal vs. external API endpoints
  • Always assume the worst-case scenario
  • Zero-trust networks
• Standardise and shift it left
  • Avoid re-inventing the wheel
• Short-lived access tokens
  • Standard auth and token generation
  • Avoid basic auth; use standard token schemes (JWT, OAuth)
• Additional auth controls
  • Stricter rate-limiting
  • Lockout policies
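Short-lived tokens and lockout policies are the two concrete controls here. The following is an added example, not code from the talk: an HS256 token in the JWT compact layout minted and verified with the standard library (algorithm pinned, constant-time signature comparison, expiry enforced), plus a consecutive-failure lockout counter for the login endpoint. The key, the five-minute lifetime and the lockout thresholds are assumptions; production code would use a vetted JWT library and a key from a secret store.

```python
"""Short-lived HS256 access tokens (JWT compact layout) and an account
lockout counter. Added example, not from the talk; key, TTL and lockout
thresholds are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"rotate-me-and-keep-me-out-of-git"   # assumed; real keys live in a secret store
TOKEN_TTL = 300          # seconds: a stolen token is useful only briefly
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(subject: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64(json.dumps({"sub": subject, "iat": int(now), "exp": int(now) + TOKEN_TTL},
                             separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"


def verify(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header, claims, sig = token.split(".")
        hdr = json.loads(_unb64(header))
        body = json.loads(_unb64(claims))
        sig_bytes = _unb64(sig)
    except ValueError:            # bad split, bad base64, bad JSON or bad UTF-8
        return None
    if not isinstance(hdr, dict) or not isinstance(body, dict):
        return None
    # Pin the algorithm: the token never gets to choose ("alg": "none" attacks).
    if hdr.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):   # constant-time comparison
        return None
    if body.get("exp", 0) <= now:
        return None
    return body


class Lockout:
    """Consecutive-failure lockout per account; a success resets the counter."""

    def __init__(self):
        self.failures: dict = {}
        self.locked_until: dict = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(account, None)
            return
        n = self.failures.get(account, 0) + 1
        if n >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            n = 0
        self.failures[account] = n


if __name__ == "__main__":
    tok = mint("alice")
    print(verify(tok)["sub"])                       # alice
    print(verify(tok, now=time.time() + TOKEN_TTL + 1))  # None: expired
```

Lockout on its own invites a denial-of-service against a victim's account, which is why the slide lists it together with stricter rate-limiting: throttle by source first, lock by account second, and keep the lockout window short.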
SENSITIVE DATA EXPOSURE
• Maintenance of an API inventory
  • Especially externally exposed ones
• Minimization of API responses
  • MVR (Minimum Viable Response)
  • Clearly defined schemas (+ errors)
  • Removal/tokenization of sensitive data
• HSTS policy enforcement
  • Prevent SSL stripping
• Enforced response checks
  • Prevent accidental leaks
• Data management top-down
  • Identify all the sensitive data
  • Data classification
  • PII/PD justification
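Minimum Viable Response and enforced response checks are two layers: an allow-list of fields decides what a client may see, and a check on the serialized output catches what the allow-list cannot, such as PII sitting inside a permitted free-text field. The following is an added example, not code from the talk; the response schema, the constructed record and the two detection patterns (e-mail, Luhn-valid card numbers) are assumptions.

```python
"""Response minimization (allow-list per endpoint) plus an enforced outbound
PII check that blocks the response. Added example, not from the talk; schema,
record and detection patterns are assumptions."""
import json
import re

# Minimum Viable Response: the fields the client actually needs. Everything else
# in the record is dropped, including columns added to the model later on.
BOOKING_PUBLIC = {"reference", "route", "departure"}

EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
CARDLIKE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


class LeakError(Exception):
    pass


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and timestamps do not trip the card check."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d)
        if double:
            n = n * 2
            if n > 9:
                n -= 9
        total += n
        double = not double
    return total % 10 == 0


def minimize(record: dict, allowed: set) -> dict:
    return {k: v for k, v in record.items() if k in allowed}


def leaks(payload: str) -> list:
    """Name the kinds of sensitive data found in serialized output."""
    found = []
    if EMAIL.search(payload):
        found.append("email")
    for m in CARDLIKE.finditer(payload):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append("card number")
            break
    return found


def respond(record: dict, allowed: set = BOOKING_PUBLIC) -> str:
    body = json.dumps(minimize(record, allowed))
    # The enforced check runs on the serialized bytes, after the allow-list, so it
    # also catches sensitive values hiding inside allowed fields (e.g. a note).
    problems = leaks(body)
    if problems:
        raise LeakError(f"response blocked: {', '.join(problems)}")
    return body


RECORD = {  # constructed sample record as it might come back from the store
    "reference": "SKY-7Q2M9",
    "route": "LHR-BCN",
    "departure": "2019-06-14T07:45",
    "passenger_email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "internal_id": 101,
}

if __name__ == "__main__":
    print(respond(RECORD))                  # only the three public fields
    print(leaks(json.dumps(RECORD)))        # ['email', 'card number']
```

Failing the response (a 500 with a correlation id, never the offending body) is the right default for an enforced check: a leaked card number cannot be recalled, a failed request can be retried.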
PARAMETER TAMPERING
• Validation of parameters received
  • XSS, file inclusion (FI), path disclosure
• API signing
  • Hash-based MAC (HMAC) over the request, so a changed parameter fails verification
• Avoiding dependence on client-side values
• Fuzzing helps (a lot!)
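HMAC request signing is the control that makes parameter tampering detectable rather than merely validated. As an added example (not code from the talk), both sides of the exchange are shown: the client signs a canonical form of method, path, sorted query parameters, body hash, timestamp and nonce; the server recomputes the MAC, bounds the timestamp skew and rejects replayed nonces. Header names, the shared key and the sample quote request are assumptions.

```python
"""HMAC-SHA256 request signing with replay protection. Added example, not from
the talk; header names, key and the sample request are assumptions."""
import hashlib
import hmac
import time
from urllib.parse import urlencode

MAX_SKEW = 300   # seconds a signed request stays valid


def canonical(method: str, path: str, params: dict, body: bytes, ts: int, nonce: str) -> bytes:
    # Sorted parameters so client and server serialize identically; the body is
    # bound by hash so the signature covers JSON payloads as well as query strings.
    query = urlencode(sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, body_hash, str(ts), nonce]).encode()


def sign(key: bytes, method: str, path: str, params: dict, body: bytes, ts: int, nonce: str) -> str:
    return hmac.new(key, canonical(method, path, params, body, ts, nonce), hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock
        self.seen: dict = {}   # nonce -> timestamp, for replay detection

    def verify(self, method: str, path: str, params: dict, body: bytes, headers: dict) -> tuple:
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing signature headers"
        now = int(self.clock())
        if abs(now - ts) > MAX_SKEW:
            return False, "stale timestamp"
        if nonce in self.seen:
            return False, "replay"
        expected = sign(self.key, method, path, params, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):     # constant-time comparison
            return False, "bad signature"
        self.seen[nonce] = ts
        # Evict nonces outside the skew window so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        return True, "ok"


def demo() -> dict:
    """Constructed exchange: a genuine request, its replay, and a price edit."""
    key = b"partner-42-shared-secret"          # assumed shared secret
    ts, nonce = 1_560_000_000, "c0ffee01"
    params = {"origin": "LHR", "destination": "BCN", "fare": "199.00"}
    headers = {"X-Timestamp": str(ts), "X-Nonce": nonce,
               "X-Signature": sign(key, "POST", "/v1/quotes", params, b"", ts, nonce)}
    v = Verifier(key, clock=lambda: ts + 5)
    results = {"genuine": v.verify("POST", "/v1/quotes", params, b"", headers)[1]}
    results["replay"] = v.verify("POST", "/v1/quotes", params, b"", headers)[1]
    tampered = {**params, "fare": "1.00"}     # client-side edit of the price
    fresh_nonce = {**headers, "X-Nonce": "c0ffee02"}
    results["tampered"] = v.verify("POST", "/v1/quotes", tampered, b"", fresh_nonce)[1]
    return results


if __name__ == "__main__":
    print(demo())   # {'genuine': 'ok', 'replay': 'replay', 'tampered': 'bad signature'}
```

The price edit fails even with a fresh nonce because the MAC covers the sorted parameters; the server still recomputes the fare from its own catalogue, since signing proves the request is unmodified, not that the client was entitled to the values it sent.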
BUSINESS LOGIC
• Legitimate work-flows gone wrong
  • Unintended behaviours
  • Solely depends on the nature of the workflow
• Left vs. lefter
  • Trust but verify
  • Initial-stage engagement (design/model)
• No automation can help
• Pipeline tooling
• Reactive scanning
• External offensive assessments
KEY OBJECTIVES
• PROTECT THE API ENDPOINTS FROM THREATS
• GAMIFICATION
• ENSURE LONG-TERM IMPROVEMENTS
• REAL-TIME FEEDBACK LOOP
• TARGETED APPROACH CAPABILITIES
• SHIFT SDLC SECURITY TO THE LEFT
• MAKE IT EXPENSIVE FOR AN ATTACKER
“95% of all successful cyber-attacks are caused by human error”
SECURE DEVELOPMENT LIFECYCLE
• Design
• Code
• Dependencies
• Containers
• Amazon Web Services
Skyscanner service
HERMES (real-time feedback loop capabilities)
AUTOMATING THE SECURITY LIFECYCLE
Closing the real-time feedback loop
JOURNEY SUMMARY
• Nail the basics of API security
  • and of your tech stack
• Automate the boring stuff
• Real-time visibility and feedback loop
  • It becomes a competition
• Enable value-stream mapping
  • The ‘why’ behind it
• Targeted continuous improvement
  • Who needs what and when
• Move into action
  • Team effectiveness integration (EngHealth)
  • Pipeline control
“Culture eats strategy for breakfast”
Peter Drucker
THANK YOU.
