LF_APIStrat, profile picture
Uploaded byLF_APIStrat
PDF, PPTX121 views

LF_APIStrat17_Practical DevSecOps for APIs

The document discusses the integration of security into the DevSecOps process for APIs, emphasizing the need for security measures to be implemented throughout the software development lifecycle. Key strategies include translating security requirements into code, utilizing threat modeling, and applying automated security profiles based on risk levels. It stresses the importance of collaboration among development, operations, and security teams to ensure comprehensive risk management and response.

Embed presentation

Download as PDF, PPTX
DevSecOps for APIs Isabelle Mauny, 42Crunch
TITLE TEXTFAST APP DELIVERY 2 APPLICATION
 DEVELOPMENT APPLICATION
 SECURITY
“Security experts are going to have to figure out how to deliver ‘security as code’. Essentially, they have to translate every security requirement, every coding guideline, every ‘best practice,’ every threat model, and every security architecture into code that can run during the development, build, test, and deployment process. Even in operations, it’s critical that attack detection and response is fully automated.” Jeff Williams OWASP Top 10 project creator, about the (ex) A10 entry in OWASP Top 10. https://sdtimes.com/owasp-adds-unprotected-apis-insufficient-attack-protection-top-ten-2017-release/ 3
4 RELIES ON STRONG COLLABORATION ACROSS OPERATIONS, DEVELOPMENT, SECURITY AND BUSINESS TEAMS PROPER SECURITY
5 THE SOLUTION ? DEVOPS, BUT WITH SECURITY ON!
LET’S SHIFT SECURITY LEFT! 6 DeploymentTestingDevelopmentDesign
THREAT MODELLING 7 1 See: https://www.owasp.org/index.php/Application_Threat_Modeling
VULNERABILITY SCANS 8 Infrastructure TLS + Security Setup ✓ APIs Server, CDN, HTTP Server ✓ Security headers Code analysis (Static, Dynamic, Interactive) Third-party libs / frameworks Apps / APIs (e.g. OWASP ZAP) Authentication Authorization DevOps Scripts! Choose platforms/tools where 
 functionality is exposed as APIs/CLI. 2
IT’S ILLEGAL TO ATTACK SYSTEMS! UNLESS ALLOWED TO… 9
1. Use Threat Modelling to eval the APIs risk 2. Define security profiles by risk level 3. Apply security profiles automatically based on risk. 10 IMPLEMENT ‘POLICY AS CODE’ 3
1. Easy to deploy even on developer’s laptops 2. Can be deployed hundreds of times 3. Immutable
 
 Verify image integrity ! 11 USE A CONTAINERIZED PEP 4
1. Constant monitoring at all stages 2. Automated Response when possible. 3. Apply security profiles automatically based on risk. 12 MONITOR AND ANALYZE 5
1. Secure Code reviews 2.Pen Testing 3.Bug Bounty 13 BONUS POINTS 6
FULL DEV-SEC-OPS CYCLE FOR APIS 14 Develop Assess Secure Test Document Deploy API is developed on platform of choice Continuous API testing including security testing Deploy to containerized PEP Configure and apply security policy from assessed risk Assess API description and evaluate risk level Document and annotate API with OpenAPI/Swagger
15 EDUCATE YOURSELF AND OTHERS
IT’S NOT ABOUT IF, IT’S ABOUT WHEN. BE PREPARED. 16
LF_APIStrat17_Practical DevSecOps for APIs

More Related Content

PPTX
Product Security
bySteven Carlson
 
PDF
Owasp top 10-2017
bymalvvv
 
PDF
Empowering Financial Institutions to Use Open Source With Confidence
byWhiteSource
 
PDF
A detailed guide about dev secops.docx
byEnov8
 
PPTX
Threat Modeling with Threat Dragon
bySteven Carlson
 
PDF
Tackling the Risks of Open Source Security: 5 Things You Need to Know
byWhiteSource
 
PPTX
Practical DevSecOps Using Security Instrumentation
byVMware Tanzu
 
PDF
Veracode Automation CLI (using Jenkins for SDL integration)
byDinis Cruz
 
Product Security
bySteven Carlson
 
Owasp top 10-2017
bymalvvv
 
Empowering Financial Institutions to Use Open Source With Confidence
byWhiteSource
 
A detailed guide about dev secops.docx
byEnov8
 
Threat Modeling with Threat Dragon
bySteven Carlson
 
Tackling the Risks of Open Source Security: 5 Things You Need to Know
byWhiteSource
 
Practical DevSecOps Using Security Instrumentation
byVMware Tanzu
 
Veracode Automation CLI (using Jenkins for SDL integration)
byDinis Cruz
 

What's hot

PPTX
DevSecOps
byJoel Divekar
 
PDF
Applying API Security at Scale
byNordic APIs
 
PDF
5 Challenges of Moving Applications to the Cloud
bytCell
 
PDF
529 owasp top 10 2013 - rc1[1]
bygeeksec80
 
PDF
Taking Open Source Security to the Next Level
byWhiteSource
 
PDF
Security champions v1.0
byDinis Cruz
 
PDF
Open Source Security at Scale- The DevOps Challenge 
byWhiteSource
 
PDF
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 
PDF
The State of Open Source Vulnerabilities Management
byWhiteSource
 
PPTX
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
byWhiteSource
 
PPTX
Dev{sec}ops
bySteven Carlson
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
Tackling the Container Iceberg:How to approach security when most of your sof...
byWhiteSource
 
PDF
PIACERE - DevSecOps Automated
byPIACERE
 
PPTX
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
PDF
Owasp top 10 2017 (en)
byPrashantDhakol
 
PDF
Sonatype storybook go fast_be secure
byDebbie Rosen
 
PPTX
DevSecOps outline
byNickleus Jimenez
 
DevSecOps
byJoel Divekar
 
Applying API Security at Scale
byNordic APIs
 
5 Challenges of Moving Applications to the Cloud
bytCell
 
529 owasp top 10 2013 - rc1[1]
bygeeksec80
 
Taking Open Source Security to the Next Level
byWhiteSource
 
Security champions v1.0
byDinis Cruz
 
Open Source Security at Scale- The DevOps Challenge 
byWhiteSource
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 
The State of Open Source Vulnerabilities Management
byWhiteSource
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
byWhiteSource
 
Dev{sec}ops
bySteven Carlson
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Tackling the Container Iceberg:How to approach security when most of your sof...
byWhiteSource
 
PIACERE - DevSecOps Automated
byPIACERE
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
Owasp top 10 2017 (en)
byPrashantDhakol
 
Sonatype storybook go fast_be secure
byDebbie Rosen
 
DevSecOps outline
byNickleus Jimenez
 

Similar to LF_APIStrat17_Practical DevSecOps for APIs

PDF
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
PDF
Why you need API Security Automation
by42Crunch
 
PDF
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
PDF
Applying API Security at Scale
by42Crunch
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
PDF
DevSecOps at Agile 2019
byElizabeth Ayer
 
PDF
SecDevOps for API Security
by42Crunch
 
PPTX
INTERFACE, by apidays - Driving the business via APIs.pptx
byapidays
 
PDF
OWASP API Security TOP 10 - 2019
byMiguel Angel Falcón Muñoz
 
PDF
Five Principles to API Security
byIsabelle Mauny
 
PPTX
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
byAPIsecure_ Official
 
PDF
Better API Security with Automation
by42Crunch
 
PDF
Better API Security With A SecDevOps Approach
byNordic APIs
 
PDF
DevSecOps: The Open Source Way
byBlack Duck by Synopsys
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PDF
REST API Security by Design with Azure Pipelines
by42Crunch
 
PPTX
Speed with Confidence
byShannon Lietz
 
PPTX
Speed with confidence
byDevSecOps
 
PDF
API Security Guidelines: Beyond SSL and OAuth.
byIsabelle Mauny
 
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
Why you need API Security Automation
by42Crunch
 
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
Applying API Security at Scale
by42Crunch
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
DevSecOps at Agile 2019
byElizabeth Ayer
 
SecDevOps for API Security
by42Crunch
 
INTERFACE, by apidays - Driving the business via APIs.pptx
byapidays
 
OWASP API Security TOP 10 - 2019
byMiguel Angel Falcón Muñoz
 
Five Principles to API Security
byIsabelle Mauny
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
byAPIsecure_ Official
 
Better API Security with Automation
by42Crunch
 
Better API Security With A SecDevOps Approach
byNordic APIs
 
DevSecOps: The Open Source Way
byBlack Duck by Synopsys
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
REST API Security by Design with Azure Pipelines
by42Crunch
 
Speed with Confidence
byShannon Lietz
 
Speed with confidence
byDevSecOps
 
API Security Guidelines: Beyond SSL and OAuth.
byIsabelle Mauny
 

More from LF_APIStrat

PDF
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
byLF_APIStrat
 
PDF
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
byLF_APIStrat
 
PDF
LF_APIStrat17_Super-Powered REST API Testing
byLF_APIStrat
 
PDF
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
byLF_APIStrat
 
PDF
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
byLF_APIStrat
 
PDF
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
byLF_APIStrat
 
PDF
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
byLF_APIStrat
 
PDF
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
byLF_APIStrat
 
PDF
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
byLF_APIStrat
 
PDF
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
byLF_APIStrat
 
PDF
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
byLF_APIStrat
 
PDF
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
byLF_APIStrat
 
PDF
LF_APIStrat17_REST API Microversions
byLF_APIStrat
 
PDF
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
byLF_APIStrat
 
PDF
LF_APIStrat17_Case Study: Cold Decision Trees
byLF_APIStrat
 
PDF
LF_APIStrat17_Getting Your API House In Order
byLF_APIStrat
 
PDF
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
byLF_APIStrat
 
PDF
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
byLF_APIStrat
 
PDF
LF_APIStrat17_Open Data vs. the World
byLF_APIStrat
 
PDF
LF_APIStrat17_Bulletproofing Your API's
byLF_APIStrat
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
byLF_APIStrat
 
LF_APIStrat17_Creating Communication Applications using the Asterisk RESTFul ...
byLF_APIStrat
 
LF_APIStrat17_Super-Powered REST API Testing
byLF_APIStrat
 
LF_APIStrat17_How Mature are You? A Developer Experience Maturity Model
byLF_APIStrat
 
LF_APIStrat17_Connect Your RESTful API to Hundreds of Others in Minutes (Zapi...
byLF_APIStrat
 
LF_APIStrat17_Things I Wish People Told Me About Writing Docs
byLF_APIStrat
 
LF_APIStrat17_Lifting Legacy to the Cloud on API Boosters
byLF_APIStrat
 
LF_APIStrat17_Contract-first API Development: A Case Study in Parallel API Pu...
byLF_APIStrat
 
LF_APIStrat17_Don't Repeat Yourself - Your API is Your Documentation
byLF_APIStrat
 
LF_APIStrat17_How We Doubled the Velocity of Our Developer Experience Team
byLF_APIStrat
 
LF_APIStrat17_API Marketing: First Comes Usability, then Discoverability
byLF_APIStrat
 
LF_APIStrat17_Standing Taller with Technology: APIs, IoT, and the Digital Wor...
byLF_APIStrat
 
LF_APIStrat17_REST API Microversions
byLF_APIStrat
 
LF_APIStrat17_I Believe You But My Enterprise Don't: Adopting Open Standards ...
byLF_APIStrat
 
LF_APIStrat17_Case Study: Cold Decision Trees
byLF_APIStrat
 
LF_APIStrat17_Getting Your API House In Order
byLF_APIStrat
 
LF_APIStrat17_Diving Deep into the API Ocean with Open Source Deep Learning T...
byLF_APIStrat
 
LF_APIStrat17_Supporting SDKs in 7 Different Programming Languages While Main...
byLF_APIStrat
 
LF_APIStrat17_Open Data vs. the World
byLF_APIStrat
 
LF_APIStrat17_Bulletproofing Your API's
byLF_APIStrat
 

Recently uploaded

PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
How to Evaluate a High Performance Database
byScyllaDB
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 

LF_APIStrat17_Practical DevSecOps for APIs

  • 1.
  • 2.
    TITLE TEXTFAST APPDELIVERY 2 APPLICATION
 DEVELOPMENT APPLICATION
 SECURITY
  • 3.
    “Security experts aregoing to have to figure out how to deliver ‘security as code’. Essentially, they have to translate every security requirement, every coding guideline, every ‘best practice,’ every threat model, and every security architecture into code that can run during the development, build, test, and deployment process. Even in operations, it’s critical that attack detection and response is fully automated.” Jeff Williams OWASP Top 10 project creator, about the (ex) A10 entry in OWASP Top 10. https://sdtimes.com/owasp-adds-unprotected-apis-insufficient-attack-protection-top-ten-2017-release/ 3
  • 4.
    4 RELIES ON STRONGCOLLABORATION ACROSS OPERATIONS, DEVELOPMENT, SECURITY AND BUSINESS TEAMS PROPER SECURITY
  • 5.
    5 THE SOLUTION ? DEVOPS,BUT WITH SECURITY ON!
  • 6.
    LET’S SHIFT SECURITYLEFT! 6 DeploymentTestingDevelopmentDesign
  • 7.
  • 8.
    VULNERABILITY SCANS 8 Infrastructure TLS + SecuritySetup ✓ APIs Server, CDN, HTTP Server ✓ Security headers Code analysis (Static, Dynamic, Interactive) Third-party libs / frameworks Apps / APIs (e.g. OWASP ZAP) Authentication Authorization DevOps Scripts! Choose platforms/tools where 
 functionality is exposed as APIs/CLI. 2
  • 9.
    IT’S ILLEGAL TO ATTACKSYSTEMS! UNLESS ALLOWED TO… 9
  • 10.
    1. Use ThreatModelling to eval the APIs risk 2. Define security profiles by risk level 3. Apply security profiles automatically based on risk. 10 IMPLEMENT ‘POLICY AS CODE’ 3
  • 11.
    1. Easy todeploy even on developer’s laptops 2. Can be deployed hundreds of times 3. Immutable
 
 Verify image integrity ! 11 USE A CONTAINERIZED PEP 4
  • 12.
    1. Constant monitoringat all stages 2. Automated Response when possible. 3. Apply security profiles automatically based on risk. 12 MONITOR AND ANALYZE 5
  • 13.
    1. Secure Codereviews 2.Pen Testing 3.Bug Bounty 13 BONUS POINTS 6
  • 14.
    FULL DEV-SEC-OPS CYCLEFOR APIS 14 Develop Assess Secure Test Document Deploy API is developed on platform of choice Continuous API testing including security testing Deploy to containerized PEP Configure and apply security policy from assessed risk Assess API description and evaluate risk level Document and annotate API with OpenAPI/Swagger
  • 15.
  • 16.
    IT’S NOT ABOUTIF, IT’S ABOUT WHEN. BE PREPARED. 16