LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure

•

0 likes•18 views

This document discusses the need for a holistic approach to API security as APIs have become more widely used. It notes that API security needs to evolve from established perimeter security models to new models to account for blurred perimeters from APIs. The document advocates considering all aspects of API security including authentication, authorization, integrity, confidentiality, availability, auditability and more. It also stresses that the right infrastructure is needed and that a one-size-fits-all approach does not work given differences in APIs. The document promotes securing APIs through the entire development lifecycle from design to deployment using a Sec-Dev-Ops model with collaboration between teams.

AN HOLISTIC APPROACH TO API SECURITY
ISABELLE MAUNY - CTO
The API Security Platform
for the Enterprise

TITLE TEXT
Complex deployments
3
FROM ESTABLISHED PERIMETER…

TITLE TEXT
5
App icon made by https://www.flaticon.com/authors/pixel-buddha
Internal
Partner Public
VIRTUAL APPLICATION NETWORKS

TITLE TEXTFAST APP DELIVERY
6
APPLICATION 
DEVELOPMENT
APPLICATION 
SECURITY

8
EXPOSING ENTERPRISE DATA
AND PROCESSES.
WHAT ARE APIS FOR ?

9
Internal
External
80
55
57
69
Now
Expect in the next
18 months
Source: @The State of Cybersecurity and Digital Trust 2016” Accenture
and HIS Research - Sample: 208 Enterprise Security Professionals
Have you experienced the theft
or corruption of internal
corporate or user/consumer
information by Internal or
External threat actors?

“I think that a lot of people think that because there is no GUI on an
API that no one can ﬁnd it and it is invisible. But we can ﬁnd
them in about ﬁve seconds with a proxy…
…Almost every threat that applies to a web app, can
happen to an API, but a lot of people for some reason are not
protecting them as much as their web applications.”
Tanya Janca
Application Security Evangelist - AppSec Podcast
11
“

12
YOU NEED AN HOLISTIC APPROACH  
TO API SECURITY2

13
Authentication
Integrity
(transport &
message)
Audit
Confidentiality
(transport &
message)
Availability
(Rate Limiting)
Authorization
Non
Repudiation
Data Validity
(attacks
protection)

14
YES. You need to
consider all of this…
… AND you need to
configure all aspects
in the right way

16
AND you need the
right infrastructure…

“Security is a risk control measure…In
the security sphere, one size does not ﬁt
all. We have to take ‘appropriate
measures’.
Nat SakimuraFixing OAuth, Nat Sakimura, July 20, 2016, https://nat.sakimura.org/2016/07/20/ﬁxing-oauth/
18
“

19
Financial APIS Security Auth Grant Types
OpenID Connect Flows
TLS Settings
Message Confidentiality
Non-Repudiation
Message Integrity
Financial APIs Working Group: http://openid.net/wg/fapi/

LET’S SHIFT LEFT!
21
DeploymentTestingDevelopmentDesign

TITLE TEXTSEC-DEV-OPS IN ACTION
22
Develop
Assess
Secure
TestDocument
Deploy
Continuous API
testing, including
security testing
Deploy to API Security
Platform
Configure and apply
security policy from
assessed risk
Assess API description
and evaluate risk level
Document and annotate
API with OpenAPI/Swagger

24
RELIES ON STRONG COLLABORATION
ACROSS OPERATIONS, DEVELOPMENT,
SECURITY AND BUSINESS TEAMS
PROPER SECURITY

CONTACT: INFO@42CRUNCH.COM
WWW.42CRUNCH.COM
The API Security Platform for the Enterprise

Standard API security approaches and best practices that harden your API security can ensure safe and secure operations. However, these approaches may not be enough to protect your backend from sophisticated data extrusion through API key attacks, low and slow data scrapping that blend with your legitimate traffic. Enter data driven security. This session at I Love APIs 2014 covered how your API data can help you gain insights to traffic anomalies and security/privacy abuse. And how you can mitigate risks using data driven API security controls.

(SACON) Wayne Tufek - chapter four - industry reports

Priyanka Aash

5 must-have security testing tools for your pentesting tasks

Pentest-Tools.com

COVID-19 free penetration tests by Pentest-Tools.com

Pentest-Tools.com

Security as an Enabler for the Digital World - CISO Perspective

Apigee | Google Cloud

A successful API strategy requires a strong partnership between the business, IT, and security functions. Rather than as a hindrance, security increasingly is viewed as a business enabler, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity. Ultimately, a secure API platform enables developers and DevOps to focus on innovation—by improving the mobile user experience and deploying apps in the cloud, with appropriate security controls built-in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services. Join to learn about: - The role of the security officer in helping IT and business meet objectives - How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs. - Best practices that work for an API centric enterprise Download podcast: http://bit.ly/1B6h3TR

API Security and OAuth for the Enterprise

CA API Management

I this presentation enterprises will get a practical overview of what they need to know when approaching APIs and technologies like OAuth. Mobile and Cloud initiatives are driving enterprises to expose data and applications to the outside world. Whether SOAP, REST or JSON, these APIs give enterprises an efficient way to open up information to services running in the Cloud and apps running on mobile devices like the iPad. However, securing and governing the lifecycle and operation of these APIs is not straightforward. It requires new approaches to access, protection and management. This invariably requires adoption of new technologies such as OAuth, which are not yet well understood.

It’s our second all-Equifax “Open Source Insight,” as the Equifax breach unfortunately still leads the cybersecurity and open source security news cycle this week. As the Equifax breach has shown, open source security risks are a daunting reality. But that breach should never have happened — a known, fixable open source vulnerability not being remediated. Open source software — such as Apache Struts — comprises 80 to 90 percent of the code in modern applications, yet most organizations lack any visibility into the open source they are using. In response, Black Duck, the global leader in automated solutions for securing and managing open source software, announced this week the availability of a free-use tool that enables organizations to determine if they are at risk from the Apache Struts vulnerability that was exploited in the recent, high-profile Equifax breach.

Balancing Mobile UX & Security: An API Management Perspective Presentation fr...

CA API Management

Chief Architect Francois Lascelles gave this presentation at Gartner Catalyst 2013. The user experience associated with mobile applications is a critical determinant of the adoption of the APIs that powers them. Mobile platforms and their public app stores create challenges when it comes to securing APIs consumed by mobile applications in such a way that does not require constant user prompts. This presentation will describe the challenge of providing positive UX patterns such as single sign-on on mobile platforms and explore API provider-side architectures enabling them.

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...

apidays

Mobile App Hacking In A Nutshell

Prathan Phongthiproek

Building better security for your API platform using Azure API Management

Eldert Grootenboer

Open Source Insight: CVE–2017-9805, Equifax Breach & Wacky Open Source Licenses

Black Duck by Synopsys

Our vulnerability of the week is CVE-2017-9805, which resides in Apache Struts’ REST plugin, a must-have in almost all Struts enterprise deployments. Attackers can exploit the bug via HTTP requests or via any other socket connection, with a public exploit published on Thursday. Happily, on Monday the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805. As always, the byword of the week is “patch and update.” Also looming large in this week’s news is the massive cyber-break-in at Equifax, where highly sensitive personal and financial information for around 143 million U.S. consumers (the editor apparently being among those affected) was compromised.

Jump-Start The MASVS

Prathan Phongthiproek

Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability

Black Duck by Synopsys

8 must dos for a perfect privileged account management strategy

ManageEngine

AWS Summit Singapore - The Age of Security Automation for Modern Application ...

Amazon Web Services

Paul Hidalgo, AMEA Cloud Business Manager, Trend Micro. Achieve successful cloud transformation. Learn how organisations are streamlining security practices across EC2 instances and containers using automation and controls to reduce the number of security dependencies and meet compliance regulations such as PCI-DSS. We'll discuss how the cloud is changing the way organisations secure their data, and how you can improve the gap between IT Security and DevOps.

Protecting APIs from Mobile Threats- Beyond Oauth

Apigee | Google Cloud

API Security with Postman and Qualys

Postman

(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...

Priyanka Aash

The session will focus on delivering the key trends in APIs, API Management Platform technologies and how it is driving the API economy. We will also discuss the key drivers for digital transformation initiatives which include wide acceptance of APIs in Industry 4.0, Connected Devices, Cloud and Payments industry. Next, we will talk about the top 10 security risks in APIs, API Management Platforms, APIs integrations with cloud platforms, IoT/OT devices integrations with third-party applications. Lastly, we will uncover the need for implementing the API security governance framework and how to measure the API security programme’ s success through this governance framework.

GitStack 0day . Remote code execution - Adam Nurudini

Adam Nurudini

Preparing for the inevitable: The mobile incident response playbook

NowSecure

NowSecure CEO Andrew Hoog offers an encore session of his highly anticipated talk at RSA Conference 2016, “The incident response playbook for Android and iOS." This presentation covers the challenges in mobile as they pertain to incident response, how and why mobile differs from traditional incident response, and building blocks you can use to craft your own mobile incident response plan. To learn more about mobile incident response, bookmark Andrew's free book "Incident Response Playbook for Android and iOS" here: https://www.nowsecure.com/resources/mobile-incident-response/en/

Managing Identities in the World of APIs

Apigee | Google Cloud

Applying API Security at Scale

Nordic APIs

By Isabelle Mauny, Chief Product Officer & Co-Founder at 42Crunch With the crazy rate at which APIs are developed, enterprises face a delicate situation to secure them. Data validation, input sanitization, security testing are tasks that require a lot of attention and time. When done very late in the API lifecycle, results are usually disastrous. API Security must be fully part of the API lifecycle, as transparent as possible, preventing developers from introducing vulnerabilities early on. A bug discovered in production can cost up to 30 times more effort to solve. Security vulnerabilities are no different.

API Security Needs AI Now More Than Ever

Ping Identity

Protecting Against Vulnerabilities in SharePoint Add-ons

Imperva

As the pace of Microsoft SharePoint adoption continues, most organizations are turning to third party add-ons to support demands for functionality. It's for these reasons that experts compare SharePoint without add-ons to an iPhone without apps. Third party add-ons, however, arrive pre-packaged with unique security risks -- vulnerabilities that IT cannot directly fix. This presentation will (1) identify risks associated with using SharePoint plug-ins and web parts developed by third parties (2) describe how hackers target and exploit third-party code using attacks such as SQL injection (3) Introduce a three-layered approach to securing SharePoint.

Optimize Your Zero Trust Infrastructure

Ping Identity

Five Principles to API Security

Isabelle Mauny

API Security Guidelines: Beyond SSL and OAuth.

Isabelle Mauny

What's hot

Threat Check for Struts Released, Equifax Breach Dominates News

Black Duck by Synopsys

Balancing Mobile UX & Security: An API Management Perspective Presentation fr...

CA API Management

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...

apidays

Mobile App Hacking In A Nutshell

Prathan Phongthiproek

Building better security for your API platform using Azure API Management

Eldert Grootenboer

Open Source Insight: CVE–2017-9805, Equifax Breach & Wacky Open Source Licenses

Black Duck by Synopsys

Jump-Start The MASVS

Prathan Phongthiproek

Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability

Black Duck by Synopsys

8 must dos for a perfect privileged account management strategy

ManageEngine

AWS Summit Singapore - The Age of Security Automation for Modern Application ...

Amazon Web Services

Protecting APIs from Mobile Threats- Beyond Oauth

Apigee | Google Cloud

API Security with Postman and Qualys

Postman

(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...

Priyanka Aash

GitStack 0day . Remote code execution - Adam Nurudini

Adam Nurudini

Preparing for the inevitable: The mobile incident response playbook

NowSecure

Managing Identities in the World of APIs

Apigee | Google Cloud

Applying API Security at Scale

Nordic APIs

API Security Needs AI Now More Than Ever

Ping Identity

Protecting Against Vulnerabilities in SharePoint Add-ons

Imperva

Optimize Your Zero Trust Infrastructure

Ping Identity

What's hot (20)

Threat Check for Struts Released, Equifax Breach Dominates News

Balancing Mobile UX & Security: An API Management Perspective Presentation fr...

apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...

Mobile App Hacking In A Nutshell

Building better security for your API platform using Azure API Management

Open Source Insight: CVE–2017-9805, Equifax Breach & Wacky Open Source Licenses

Jump-Start The MASVS

Open Source Insight: Equifax, Apache Struts, & CVE-2017-5638 Vulnerability

8 must dos for a perfect privileged account management strategy

AWS Summit Singapore - The Age of Security Automation for Modern Application ...

Protecting APIs from Mobile Threats- Beyond Oauth

API Security with Postman and Qualys

(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...

GitStack 0day . Remote code execution - Adam Nurudini

Preparing for the inevitable: The mobile incident response playbook

Managing Identities in the World of APIs

Applying API Security at Scale

API Security Needs AI Now More Than Ever

Protecting Against Vulnerabilities in SharePoint Add-ons

Optimize Your Zero Trust Infrastructure

Similar to LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure

Five Principles to API Security

Isabelle Mauny

API Security Guidelines: Beyond SSL and OAuth.

Isabelle Mauny

apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart

apidays

apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...

apidays

apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...

apidays

Traceable.ai Debuts Platform for Building API Knowledge that Detects And Thwa...

Dana Gardner

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Black Duck by Synopsys

Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk. Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.

ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.

ITCamp

Security? It's simple. We have Security Team... Security of our environment, application, development it's their security. We follow Best Practices, we implementing their's suggestions (or not...). But maybe today, in June 2018, where GDPR is a fact, we should look a little bit more in details for the security aspects. Well know and less known risks, vulnerability assessments, secure coding, secure testing, Let's discuss: SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and few other acronyms. Use freely available knowledge and specially prepared environment to check and test our security before we touch out Visual Studio, PowerShell, CLI, Visual Studio Code, or even JSON. Be #SecureByDesign

When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...

Dana Gardner

42crunch-API-security-workshop

42Crunch

If you ask about API security, you will be most likely be told about OAuth2, may be OpenID Connect and of course TLS. But in order to properly secure APIs, you will have to address many other aspects. This presentation cover key concepts related to API Security, as well as practical tools/solutions to address the overall issue, such as: - Transport and message encryption. - Digital Signatures - Auditing and non-repudiation - SecDevOps and security as code - Coding best practices and how to enforce them - Infrastructure Best Practices

OWASP API Security TOP 10 - 2019

Miguel Angel Falcón Muñoz

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Cyber Risk Management in 2017 - Challenges & Recommendations

Ulf Mattsson

With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk. Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines. Viewers will learn: - The latest cybercrime trends and targets - Trends in board involvement in cybersecurity - How to effectively manage the full range of enterprise risks - How to protect against ransomware - Visibility into third party risk - Data security metrics

API SECURITY by krishna murari and vikas mauryaKrishna Murari

Security in the age of open source - Myths and misperceptions

Tim Mackey

As delivered at Interop ITX 2017. The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.

apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...

apidays

Automating Your Tools: How to Free Up Your Security Professionals for Actual ...

Kevin Fealey

This presentation was given at the Techno Security & Forensics Investigations Conference in Myrtle Beach, SC on June 2, 2015. Abstract: Manual application security testing alone doesn't cut it anymore -- scanning with SAST, DAST, and IAST tools is necessary to achieve security at portfolio scale; but as agile development practices become more popular, tool-assisted security reviews used as gates to production become more disruptive and expensive. While development teams evolve toward continuous release and deployment, the security industry continues to use the same paradigms developed 15 years ago. If organizations hope to produce more secure code at DevOps speed, something has to change. This session will describe how many of the application security tasks performed manually today can be automated to allow security professionals to look for novel security problems, rather than just low-hanging fruit. I'll explain 1) How open source and commercial tools can add value when integrated into the development lifecycle; 2) How using security tools as automated sensors can improve security visibility and provide real-time actionable intelligence; and 3) How automating simple security tasks can free up security teams to work on real security challenges. We'll also describe some common pitfalls when incorporating security into development, as well as real-world solutions learned from our work in this area over the past 6 years.

How to minimise API risks during development - Bahaa Al Zubaidi.pdf

Bahaa Al Zubaidi

As the use of APIs continues to grow, many organisations are looking for ways to mitigate any security risks associated with the development phase. APIs, or application programming interfaces, allow different systems to communicate with each other and are a powerful tool for organisations looking to integrate different systems and create new services. However, they can also open the door to malicious attackers who can easily exploit the vulnerabilities of an API if it’s not properly secured.

Open Source Insight:2017 Top 10 IT Security Stories, Breaches, and Predictio...

Black Duck by Synopsys

We’re winding up 2017 with the leading security stories of the year, as well as what 2018 might bring in terms of open source and cybersecurity. Several Black Duck and Synopsys’ bloggers weigh in with articles ranging from the need of SCA (software composition analysis), through how developers can navigate the sometimes stormy seas of software security, to addressing the issues of open source in tech contracts. From Black Duck Software and Synopsys, we wish you a happy holiday season and will see you again in 2018!

Why you need API Security Automation

42Crunch

Similar to LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure (20)

Five Principles to API Security

API Security Guidelines: Beyond SSL and OAuth.

apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart

apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...

apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...

Traceable.ai Debuts Platform for Building API Knowledge that Detects And Thwa...

Open Source Insight: Happy Birthday Open Source and Application Security for ...

ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.

When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...

42crunch-API-security-workshop

OWASP API Security TOP 10 - 2019

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Cyber Risk Management in 2017 - Challenges & Recommendations

API SECURITY by krishna murari and vikas maurya

Security in the age of open source - Myths and misperceptions

apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...

Automating Your Tools: How to Free Up Your Security Professionals for Actual ...

How to minimise API risks during development - Bahaa Al Zubaidi.pdf

Open Source Insight:2017 Top 10 IT Security Stories, Breaches, and Predictio...

Why you need API Security Automation

More from LF_APIStrat

LF_APIStrat17_OWASP’s Latest Category: API Underprotection

LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure

Similar to LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure (20)

More from LF_APIStrat

More from LF_APIStrat (20)

Recently uploaded

Recently uploaded (20)

LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and Your Infrastructure