Nordic APIs, profile picture
Uploaded byNordic APIs
PPTX, PDF46 views

Combatting API Vulnerabilities with the 3 Pillars of API Security

The document discusses the increasing importance of API security, highlighting that current testing is inadequate, with only 4% focused on security despite APIs being a major attack vector. It emphasizes the three pillars of API security: governance, testing, and monitoring, alongside best practices for securing APIs. Key recommendations include developing comprehensive governance policies, ensuring thorough API documentation, and training developers to prioritize security.

Technology
Related topics:
Platform Summit

Embed presentation

Download to read offline
Combatting API Vulnerabilities with the 3 Pillars of API Security Dan Barahona Co-founder, APIsec University dan@apisecuniversity.com
4% of API testing is Security 2022 “API attacks will become the most frequent attack vector” 83% of all Internet traffic is API traffic API Explosion APIs Under Attack APIs Under-Secured Source: stateofapis.com Unit, Function, Performance, other Security
Web Scan Attacker API Web/ Mobile App Back-end Data/App
The 3 Pillars of API Security Governance Testing Monitoring Developing secure APIs Ensuring APIs are free of flaws Detecting threats in production
Awareness • Know your APIs • Know your data • Know your risks Governance Policy & Process • API Dev process • API documentation • Style guides
APIs Seriously Under-Tested Source: www.stateofapis.com
Logic • Object ID manipulation • Cross-account access • API function abuse • Role-based access control • Authorization gaps Data • Access control • Excessive data exposure • Sensitive data exposure • Personal, health, bank data • File, directory exposure • Encryption at rest • Data exfiltration Security • Unsecured Endpoints • Authentication exploits • Incremental IDs • App DOS, rate limiting • Missing TLS, SSL issues • Injection, XSS • Fuzzing, input validation • Server-side request forgery • Server properties leaks Testing Categories
Control Validation • Verify API controls • Uncover anomalies Threat Detection • Fraudulent traffic • Distributed attacks • Incident response Runtime Protection • Policy enforcement • Authentication • Traffic filtering Monitoring
API Security Best Practices – Top 10 1. Start with Governance 2. Know Your APIs Ecosystem 3. Get Sec & Dev talking 4. API Docs Non-Negotiable 5. Train API Devs/Owners 6. Centralize API Management 7. Don’t Trust Anything 8. Don’t rely on UIs for Security 9. Understand Monitoring Limits 10. Automate Pre-Prod Testing
Thank you! Dan Barahona dan@apisecuniversity.com

More Related Content

PDF
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
PDF
Outpost24 webinar Why API security matters and how to get it right.pdf
byOutpost24
 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PDF
Better API Security With A SecDevOps Approach
byNordic APIs
 
PDF
Better API Security with Automation
by42Crunch
 
PPTX
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
eb-The-State-of-API-Security.pdf
bySajid Ali
 
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
Outpost24 webinar Why API security matters and how to get it right.pdf
byOutpost24
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
Better API Security With A SecDevOps Approach
byNordic APIs
 
Better API Security with Automation
by42Crunch
 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
eb-The-State-of-API-Security.pdf
bySajid Ali
 

Similar to Combatting API Vulnerabilities with the 3 Pillars of API Security

PPTX
Outpost24 webinar - Api security
byOutpost24
 
PDF
F5-API-Security-Best-Practices.pdf
byFahmiDzikrullah
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
PDF
How To Fix The Most Critical API Security Risks.pdf
byNiloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
PDF
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
PPTX
apidays Munich 2025 - Effectively incorporating API Security into the overall...
byapidays
 
PPTX
Safeguarding Digital Assets_ Uncovering Security Risks in APIs - Automation G...
byPricilla Bilavendran
 
PDF
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
PDF
Understanding and Mitigating Common Security Risks in API Testing.pdf
byAmeliaJonas2
 
PDF
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
byapidays
 
PPTX
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
byAPIsecure_ Official
 
PDF
5 step plan to securing your APIs
by💻 Javier Garza
 
PDF
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 
PDF
7 Best Practices for Secure API Development .pdf
bychrisbrown798789
 
PDF
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
byapidays
 
DOCX
7 Best Practices for Secure API Development .docx
bychrisbrown798789
 
PDF
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
PPTX
API Security Survey
byImperva
 
PPTX
2022 APIsecure_Hackers with Valid Credentials
byAPIsecure_ Official
 
Outpost24 webinar - Api security
byOutpost24
 
F5-API-Security-Best-Practices.pdf
byFahmiDzikrullah
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
How To Fix The Most Critical API Security Risks.pdf
byNiloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
apidays Munich 2025 - Effectively incorporating API Security into the overall...
byapidays
 
Safeguarding Digital Assets_ Uncovering Security Risks in APIs - Automation G...
byPricilla Bilavendran
 
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
Understanding and Mitigating Common Security Risks in API Testing.pdf
byAmeliaJonas2
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
byapidays
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
byAPIsecure_ Official
 
5 step plan to securing your APIs
by💻 Javier Garza
 
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 
7 Best Practices for Secure API Development .pdf
bychrisbrown798789
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
byapidays
 
7 Best Practices for Secure API Development .docx
bychrisbrown798789
 
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
API Security Survey
byImperva
 
2022 APIsecure_Hackers with Valid Credentials
byAPIsecure_ Official
 

More from Nordic APIs

PPTX
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
byNordic APIs
 
PPTX
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
byNordic APIs
 
PDF
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
byNordic APIs
 
PPTX
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
byNordic APIs
 
PPTX
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
byNordic APIs
 
PDF
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
byNordic APIs
 
PPTX
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
byNordic APIs
 
PPTX
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
byNordic APIs
 
PPTX
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
byNordic APIs
 
PPTX
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
byNordic APIs
 
PPTX
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
byNordic APIs
 
PPTX
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
byNordic APIs
 
PPTX
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
byNordic APIs
 
PPTX
APIs Vs Events - Bala Bairapaka, Sandvik AB
byNordic APIs
 
PPTX
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
byNordic APIs
 
PPTX
From Good API Design to Secure Design - Axel Grosse, 42Crunch
byNordic APIs
 
PPTX
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
byNordic APIs
 
PPTX
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
byNordic APIs
 
PDF
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
byNordic APIs
 
PPTX
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
byNordic APIs
 
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
byNordic APIs
 
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
byNordic APIs
 
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
byNordic APIs
 
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
byNordic APIs
 
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
byNordic APIs
 
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
byNordic APIs
 
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
byNordic APIs
 
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
byNordic APIs
 
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
byNordic APIs
 
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
byNordic APIs
 
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
byNordic APIs
 
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
byNordic APIs
 
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
byNordic APIs
 
APIs Vs Events - Bala Bairapaka, Sandvik AB
byNordic APIs
 
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
byNordic APIs
 
From Good API Design to Secure Design - Axel Grosse, 42Crunch
byNordic APIs
 
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
byNordic APIs
 
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
byNordic APIs
 
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
byNordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
byNordic APIs
 

Recently uploaded

PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 

Combatting API Vulnerabilities with the 3 Pillars of API Security

  • 1.
    Combatting API Vulnerabilitieswith the 3 Pillars of API Security Dan Barahona Co-founder, APIsec University dan@apisecuniversity.com
  • 3.
    4% of API testingis Security 2022 “API attacks will become the most frequent attack vector” 83% of all Internet traffic is API traffic API Explosion APIs Under Attack APIs Under-Secured Source: stateofapis.com Unit, Function, Performance, other Security
  • 4.
  • 8.
    The 3 Pillarsof API Security Governance Testing Monitoring Developing secure APIs Ensuring APIs are free of flaws Detecting threats in production
  • 9.
    Awareness • Know yourAPIs • Know your data • Know your risks Governance Policy & Process • API Dev process • API documentation • Style guides
  • 10.
  • 11.
    Logic • Object IDmanipulation • Cross-account access • API function abuse • Role-based access control • Authorization gaps Data • Access control • Excessive data exposure • Sensitive data exposure • Personal, health, bank data • File, directory exposure • Encryption at rest • Data exfiltration Security • Unsecured Endpoints • Authentication exploits • Incremental IDs • App DOS, rate limiting • Missing TLS, SSL issues • Injection, XSS • Fuzzing, input validation • Server-side request forgery • Server properties leaks Testing Categories
  • 12.
    Control Validation • VerifyAPI controls • Uncover anomalies Threat Detection • Fraudulent traffic • Distributed attacks • Incident response Runtime Protection • Policy enforcement • Authentication • Traffic filtering Monitoring
  • 13.
    API Security BestPractices – Top 10 1. Start with Governance 2. Know Your APIs Ecosystem 3. Get Sec & Dev talking 4. API Docs Non-Negotiable 5. Train API Devs/Owners 6. Centralize API Management 7. Don’t Trust Anything 8. Don’t rely on UIs for Security 9. Understand Monitoring Limits 10. Automate Pre-Prod Testing
  • 15.