SlideShare a Scribd company logo

API 101: How to secure APIs with automated testing

Download as PPTX, PDF
Outpost24
Outpost24

API 101 discusses how to secure web applications and APIs. APIs are used extensively in web and mobile applications to allow communication between services but this can introduce security weaknesses if not implemented properly. API attacks are a growing threat, with 90% of breaches targeting web applications and APIs projected to become the most common attack vector by 2022. The document outlines security best practices for securing APIs throughout the development lifecycle from design to testing to runtime, and how one company implemented API security testing to improve their compliance and privacy posture.

Technology
1 of 18
API 101 : How to secure your web applications Simon Roe and Dan Barahona 26th May 2021
Helping customers improve security posture since 2001 Full stack security assessment Over 2,000 customers in all regions of the world Complete Application security for DevSecOps Crest certificated penetration testing.
What is an API? • Application programming interface • Essentially governs the communication between services • Used in almost all web applications today • Heavily used in mobile app development • You use them every day • By 2019 83% of web traffic passed through one or more API’s 3
How API’s work 4 However, these interactions with services can lead to security weaknesses and breaches
Interactions lead to security risk Source: APISec 5
How APIsec are tackling the API security challenge 6
APIs are everywhere APIs, microservices, CI/CD have transformed how apps are built and run 7 of all internet traffic is from APIs 83% of web app attack surface area are APIs 90% of breaches targeted web applications 90% APIs will become “most frequent attack vector” 2022
Why attackers target API layer APIs: •Direct access to sensitive data •Often “over-permissioned” •Vulnerable to logic flaws 8
API Breaches in the News API returned full transaction details. 200M transactions harvested. Allowed API access with no authentication. API allowed User A to access User B data. 60M accounts accessed. API required 6-digit code for account reset but did not prevent brute force. API allowed user to enable unrestricted premium features. API breaches exploiting logic flaws in the application 9
OWASP API Security #1 Broken Object Level Authorization Can User A access User B #2 Broken User Authentication Lack of authentication Weak password policies #3 Excessive Data Exposure Does the API return more data than necessary #4 Lack of Resources & Rate Limiting Is the API subject to DoS Does API limit requests #5 Broken Function Level Authorization Does the API allow unauthorized operations 10
Securing the API Lifecycle DesignTime TestTime RunTime Security Vulnerabilities Business Logic Flaws Static ApplicationTesting: CodeVulnerabilities Dynamic ApplicationTesting Common attacks: SQL Injection, XSS, DDoS Manual Testing Pen-Testing, RedTeams Burp Suite, ZAP Speed, coverage limitations Gateways & Firewalls Anomaly-based detection Bots, DDoS 11
Securing the API Lifecycle DesignTime TestTime RunTime Security Vulnerabilities Business Logic Flaws Automated API Test Platform • Security & Logic flaws • Continuous visibility • Complete test coverage • Speed of DevOps • Zero touch deployment 12
APIsec — How it works • No source code access • No agents • Nothing inline, no latency Zero Touch Deployment API Gateway AWS, Apigee, Mulesoft API Definition OpenAPI, Swagger, RAML, Postman User Credentials Register the API Create API attack playbooks Run attacks, find vulnerabilities Integrate with CI/CD API Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
APIs: Privacy & Compliance Privacy Compliance 14
Case Study Streamlined API pen testing. ROI of 3 months. About Seismic Seismic is a leader in sales and marketing enablement. They hold confidential data from their customers. Challenges ● Engineers adding extensive API support ● API could expose customer private data hosted on the Seismic application ● Wanted to respond to customer data privacy queries “Our customers ask us what we are doing to protect their sensitive data on Seismic, and once they see what we have done with APIsec, their confidence in us grows.” Tim Dzierzek, VP of Information Security Solution ● APIsec deployed into staging ● APIsec builds and executes new attack playbooks ● APIsec automatically identifies new vulnerabilities ● Now being integrated into the development toolchain 15
Demo
Thank you! Simon Roe sro@outpost24.com Dan Barahona dan@apisec.ai Free API Pen-Test • Live test against yourAPI • Full OWASPTop 10 coverage • Includes Pen-Test report apisec.ai/outpost24 17
Simon Roe, sro@outpost24.com Questions?

Recommended

Pyruvate, a reasonably fast, non-blocking, multithreaded WSGI server
Pyruvate, a reasonably fast, non-blocking, multithreaded WSGI serverPyruvate, a reasonably fast, non-blocking, multithreaded WSGI server
Pyruvate, a reasonably fast, non-blocking, multithreaded WSGI serverPloneFoundation
 
Easy logins for JavaScript web applications
Easy logins for JavaScript web applicationsEasy logins for JavaScript web applications
Easy logins for JavaScript web applicationsFrancois Marier
 
Automating the API Product Lifecycle
Automating the API Product LifecycleAutomating the API Product Lifecycle
Automating the API Product LifecyclePronovix
 
Swagger in the API Lifecycle
Swagger in the API LifecycleSwagger in the API Lifecycle
Swagger in the API LifecycleOle Lensmar
 
apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...
apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...
apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...apidays
 
Implement Web API with Swagger
Implement Web API with SwaggerImplement Web API with Swagger
Implement Web API with SwaggerJiang Wu
 
Building APIs with Node.js and Swagger
Building APIs with Node.js and SwaggerBuilding APIs with Node.js and Swagger
Building APIs with Node.js and SwaggerJeremy Whitlock
 
API Developer Experience: Why it Matters, and How Documenting Your API with S...
API Developer Experience: Why it Matters, and How Documenting Your API with S...API Developer Experience: Why it Matters, and How Documenting Your API with S...
API Developer Experience: Why it Matters, and How Documenting Your API with S...SmartBear
 

Recommended

Pyruvate, a reasonably fast, non-blocking, multithreaded WSGI server
Pyruvate, a reasonably fast, non-blocking, multithreaded WSGI serverPyruvate, a reasonably fast, non-blocking, multithreaded WSGI server
Pyruvate, a reasonably fast, non-blocking, multithreaded WSGI serverPloneFoundation
 
Easy logins for JavaScript web applications
Easy logins for JavaScript web applicationsEasy logins for JavaScript web applications
Easy logins for JavaScript web applicationsFrancois Marier
 
Automating the API Product Lifecycle
Automating the API Product LifecycleAutomating the API Product Lifecycle
Automating the API Product LifecyclePronovix
 
Swagger in the API Lifecycle
Swagger in the API LifecycleSwagger in the API Lifecycle
Swagger in the API LifecycleOle Lensmar
 
apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...
apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...
apidays LIVE New York 2021 - API tool chain for low budget programs by Paul K...apidays
 
Implement Web API with Swagger
Implement Web API with SwaggerImplement Web API with Swagger
Implement Web API with SwaggerJiang Wu
 
Building APIs with Node.js and Swagger
Building APIs with Node.js and SwaggerBuilding APIs with Node.js and Swagger
Building APIs with Node.js and SwaggerJeremy Whitlock
 
API Developer Experience: Why it Matters, and How Documenting Your API with S...
API Developer Experience: Why it Matters, and How Documenting Your API with S...API Developer Experience: Why it Matters, and How Documenting Your API with S...
API Developer Experience: Why it Matters, and How Documenting Your API with S...SmartBear
 
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays
 
Rest API with Swagger and NodeJS
Rest API with Swagger and NodeJSRest API with Swagger and NodeJS
Rest API with Swagger and NodeJSLuigi Saetta
 
API Design first with Swagger
API Design first with SwaggerAPI Design first with Swagger
API Design first with SwaggerTony Tam
 
A Tour of Swagger for APIs
A Tour of Swagger for APIsA Tour of Swagger for APIs
A Tour of Swagger for APIsAllen Dean
 
Swagger - make your API accessible
Swagger - make your API accessibleSwagger - make your API accessible
Swagger - make your API accessibleVictor Trakhtenberg
 
Swagger for-your-api
Swagger for-your-apiSwagger for-your-api
Swagger for-your-apiTony Tam
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Consuming Restful APIs using Swagger v2.0
Consuming Restful APIs using Swagger v2.0Consuming Restful APIs using Swagger v2.0
Consuming Restful APIs using Swagger v2.0Pece Nikolovski
 
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...apidays
 
Introducing Swagger
Introducing SwaggerIntroducing Swagger
Introducing SwaggerTony Tam
 
Crystal clear service interfaces w/ Swagger/OpenAPI
Crystal clear service interfaces w/ Swagger/OpenAPICrystal clear service interfaces w/ Swagger/OpenAPI
Crystal clear service interfaces w/ Swagger/OpenAPIScott Triglia
 
Swagger 2.0 and Model-driven APIs
Swagger 2.0 and Model-driven APIsSwagger 2.0 and Model-driven APIs
Swagger 2.0 and Model-driven APIsApigee | Google Cloud
 
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...apidays
 
API documentation with Swagger UI(LT)
API documentation with Swagger UI(LT)API documentation with Swagger UI(LT)
API documentation with Swagger UI(LT)Jiang Wu
 
Streamlining API with Swagger.io
Streamlining API with Swagger.ioStreamlining API with Swagger.io
Streamlining API with Swagger.ioVictor Augusteo
 
Versioning strategy for a complex internal API (Konstantin Yakushev)
Versioning strategy for a complex internal API (Konstantin Yakushev)Versioning strategy for a complex internal API (Konstantin Yakushev)
Versioning strategy for a complex internal API (Konstantin Yakushev)Nordic APIs
 
The Swagger Format becomes the Open API Specification: Standardizing descript...
The Swagger Format becomes the Open API Specification: Standardizing descript...The Swagger Format becomes the Open API Specification: Standardizing descript...
The Swagger Format becomes the Open API Specification: Standardizing descript...3scale
 
Understanding how to use Swagger and its tools
Understanding how to use Swagger and its toolsUnderstanding how to use Swagger and its tools
Understanding how to use Swagger and its toolsSwagger API
 
Introducing swagger
Introducing swaggerIntroducing swagger
Introducing swaggerAmr Ali
 
Design Driven API Development
Design Driven API DevelopmentDesign Driven API Development
Design Driven API DevelopmentSokichi Fujita
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays
 
Outpost24 webinar Why API security matters and how to get it right.pdf
Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24 webinar Why API security matters and how to get it right.pdf
Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24
 

More Related Content

What's hot

apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays
 
Rest API with Swagger and NodeJS
Rest API with Swagger and NodeJSRest API with Swagger and NodeJS
Rest API with Swagger and NodeJSLuigi Saetta
 
API Design first with Swagger
API Design first with SwaggerAPI Design first with Swagger
API Design first with SwaggerTony Tam
 
A Tour of Swagger for APIs
A Tour of Swagger for APIsA Tour of Swagger for APIs
A Tour of Swagger for APIsAllen Dean
 
Swagger - make your API accessible
Swagger - make your API accessibleSwagger - make your API accessible
Swagger - make your API accessibleVictor Trakhtenberg
 
Swagger for-your-api
Swagger for-your-apiSwagger for-your-api
Swagger for-your-apiTony Tam
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Consuming Restful APIs using Swagger v2.0
Consuming Restful APIs using Swagger v2.0Consuming Restful APIs using Swagger v2.0
Consuming Restful APIs using Swagger v2.0Pece Nikolovski
 
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...apidays
 
Introducing Swagger
Introducing SwaggerIntroducing Swagger
Introducing SwaggerTony Tam
 
Crystal clear service interfaces w/ Swagger/OpenAPI
Crystal clear service interfaces w/ Swagger/OpenAPICrystal clear service interfaces w/ Swagger/OpenAPI
Crystal clear service interfaces w/ Swagger/OpenAPIScott Triglia
 
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...apidays
 
API documentation with Swagger UI(LT)
API documentation with Swagger UI(LT)API documentation with Swagger UI(LT)
API documentation with Swagger UI(LT)Jiang Wu
 
Streamlining API with Swagger.io
Streamlining API with Swagger.ioStreamlining API with Swagger.io
Streamlining API with Swagger.ioVictor Augusteo
 
Versioning strategy for a complex internal API (Konstantin Yakushev)
Versioning strategy for a complex internal API (Konstantin Yakushev)Versioning strategy for a complex internal API (Konstantin Yakushev)
Versioning strategy for a complex internal API (Konstantin Yakushev)Nordic APIs
 
The Swagger Format becomes the Open API Specification: Standardizing descript...
The Swagger Format becomes the Open API Specification: Standardizing descript...The Swagger Format becomes the Open API Specification: Standardizing descript...
The Swagger Format becomes the Open API Specification: Standardizing descript...3scale
 
Understanding how to use Swagger and its tools
Understanding how to use Swagger and its toolsUnderstanding how to use Swagger and its tools
Understanding how to use Swagger and its toolsSwagger API
 
Introducing swagger
Introducing swaggerIntroducing swagger
Introducing swaggerAmr Ali
 
Design Driven API Development
Design Driven API DevelopmentDesign Driven API Development
Design Driven API DevelopmentSokichi Fujita
 

What's hot (20)

apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
 
Rest API with Swagger and NodeJS
Rest API with Swagger and NodeJSRest API with Swagger and NodeJS
Rest API with Swagger and NodeJS
 
API Design first with Swagger
API Design first with SwaggerAPI Design first with Swagger
API Design first with Swagger
 
A Tour of Swagger for APIs
A Tour of Swagger for APIsA Tour of Swagger for APIs
A Tour of Swagger for APIs
 
Swagger - make your API accessible
Swagger - make your API accessibleSwagger - make your API accessible
Swagger - make your API accessible
 
Swagger for-your-api
Swagger for-your-apiSwagger for-your-api
Swagger for-your-api
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI Spec
 
Consuming Restful APIs using Swagger v2.0
Consuming Restful APIs using Swagger v2.0Consuming Restful APIs using Swagger v2.0
Consuming Restful APIs using Swagger v2.0
 
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...
apidays LIVE New York 2021 - Designing API's: Less Data is More! by Damir Svr...
 
Introducing Swagger
Introducing SwaggerIntroducing Swagger
Introducing Swagger
 
Crystal clear service interfaces w/ Swagger/OpenAPI
Crystal clear service interfaces w/ Swagger/OpenAPICrystal clear service interfaces w/ Swagger/OpenAPI
Crystal clear service interfaces w/ Swagger/OpenAPI
 
Swagger 2.0 and Model-driven APIs
Swagger 2.0 and Model-driven APIsSwagger 2.0 and Model-driven APIs
Swagger 2.0 and Model-driven APIs
 
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...
apidays LIVE Hong Kong 2021 - GraphQL : Beyond APIs, graph your enterprise by...
 
API documentation with Swagger UI(LT)
API documentation with Swagger UI(LT)API documentation with Swagger UI(LT)
API documentation with Swagger UI(LT)
 
Streamlining API with Swagger.io
Streamlining API with Swagger.ioStreamlining API with Swagger.io
Streamlining API with Swagger.io
 
Versioning strategy for a complex internal API (Konstantin Yakushev)
Versioning strategy for a complex internal API (Konstantin Yakushev)Versioning strategy for a complex internal API (Konstantin Yakushev)
Versioning strategy for a complex internal API (Konstantin Yakushev)
 
The Swagger Format becomes the Open API Specification: Standardizing descript...
The Swagger Format becomes the Open API Specification: Standardizing descript...The Swagger Format becomes the Open API Specification: Standardizing descript...
The Swagger Format becomes the Open API Specification: Standardizing descript...
 
Understanding how to use Swagger and its tools
Understanding how to use Swagger and its toolsUnderstanding how to use Swagger and its tools
Understanding how to use Swagger and its tools
 
Introducing swagger
Introducing swaggerIntroducing swagger
Introducing swagger
 
Design Driven API Development
Design Driven API DevelopmentDesign Driven API Development
Design Driven API Development
 

Similar to API 101: How to secure APIs with automated testing

apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays
 
Outpost24 webinar Why API security matters and how to get it right.pdf
Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24 webinar Why API security matters and how to get it right.pdf
Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...APIsecure_ Official
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World42Crunch
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1WSO2
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionDevOps.com
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs42Crunch
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security EditionAPIsecure_ Official
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityAaronLieberman5
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 

Similar to API 101: How to secure APIs with automated testing (20)

apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
 
Outpost24 webinar Why API security matters and how to get it right.pdf
Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24 webinar Why API security matters and how to get it right.pdf
Outpost24 webinar Why API security matters and how to get it right.pdf
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 

More from Outpost24

Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystemOutpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystemOutpost24
 
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...Outpost24
 
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security ProgramOutpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security ProgramOutpost24
 
Outpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theftOutpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theftOutpost24
 
Outpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictionsOutpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictionsOutpost24
 
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycleOutpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycleOutpost24
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24
 
Outpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface managementOutpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface managementOutpost24
 
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...Outpost24
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24
 
Outpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technologyOutpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technologyOutpost24
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24
 
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast laneOutpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast laneOutpost24
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24
 
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24
 
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...Outpost24
 
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectorsOutpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectorsOutpost24
 

More from Outpost24 (20)

Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystemOutpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystem
 
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
 
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security ProgramOutpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security Program
 
Outpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theftOutpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theft
 
Outpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictionsOutpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictions
 
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycleOutpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
 
Outpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface managementOutpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface management
 
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
 
Outpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technologyOutpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technology
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
 
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast laneOutpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
 
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
 
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
 
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectorsOutpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

API 101: How to secure APIs with automated testing

  • 1. API 101 : How to secure your web applications Simon Roe and Dan Barahona 26th May 2021
  • 2. Helping customers improve security posture since 2001 Full stack security assessment Over 2,000 customers in all regions of the world Complete Application security for DevSecOps Crest certificated penetration testing.
  • 3. What is an API? • Application programming interface • Essentially governs the communication between services • Used in almost all web applications today • Heavily used in mobile app development • You use them every day • By 2019 83% of web traffic passed through one or more API’s 3
  • 4. How API’s work 4 However, these interactions with services can lead to security weaknesses and breaches
  • 5. Interactions lead to security risk Source: APISec 5
  • 6. How APIsec are tackling the API security challenge 6
  • 7. APIs are everywhere APIs, microservices, CI/CD have transformed how apps are built and run 7 of all internet traffic is from APIs 83% of web app attack surface area are APIs 90% of breaches targeted web applications 90% APIs will become “most frequent attack vector” 2022
  • 8. Why attackers target API layer APIs: •Direct access to sensitive data •Often “over-permissioned” •Vulnerable to logic flaws 8
  • 9. API Breaches in the News API returned full transaction details. 200M transactions harvested. Allowed API access with no authentication. API allowed User A to access User B data. 60M accounts accessed. API required 6-digit code for account reset but did not prevent brute force. API allowed user to enable unrestricted premium features. API breaches exploiting logic flaws in the application 9
  • 10. OWASP API Security #1 Broken Object Level Authorization Can User A access User B #2 Broken User Authentication Lack of authentication Weak password policies #3 Excessive Data Exposure Does the API return more data than necessary #4 Lack of Resources & Rate Limiting Is the API subject to DoS Does API limit requests #5 Broken Function Level Authorization Does the API allow unauthorized operations 10
  • 11. Securing the API Lifecycle DesignTime TestTime RunTime Security Vulnerabilities Business Logic Flaws Static ApplicationTesting: CodeVulnerabilities Dynamic ApplicationTesting Common attacks: SQL Injection, XSS, DDoS Manual Testing Pen-Testing, RedTeams Burp Suite, ZAP Speed, coverage limitations Gateways & Firewalls Anomaly-based detection Bots, DDoS 11
  • 12. Securing the API Lifecycle DesignTime TestTime RunTime Security Vulnerabilities Business Logic Flaws Automated API Test Platform • Security & Logic flaws • Continuous visibility • Complete test coverage • Speed of DevOps • Zero touch deployment 12
  • 13. APIsec — How it works • No source code access • No agents • Nothing inline, no latency Zero Touch Deployment API Gateway AWS, Apigee, Mulesoft API Definition OpenAPI, Swagger, RAML, Postman User Credentials Register the API Create API attack playbooks Run attacks, find vulnerabilities Integrate with CI/CD API Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
  • 14. APIs: Privacy & Compliance Privacy Compliance 14
  • 15. Case Study Streamlined API pen testing. ROI of 3 months. About Seismic Seismic is a leader in sales and marketing enablement. They hold confidential data from their customers. Challenges ● Engineers adding extensive API support ● API could expose customer private data hosted on the Seismic application ● Wanted to respond to customer data privacy queries “Our customers ask us what we are doing to protect their sensitive data on Seismic, and once they see what we have done with APIsec, their confidence in us grows.” Tim Dzierzek, VP of Information Security Solution ● APIsec deployed into staging ● APIsec builds and executes new attack playbooks ● APIsec automatically identifies new vulnerabilities ● Now being integrated into the development toolchain 15
  • 16. Demo
  • 17. Thank you! Simon Roe sro@outpost24.com Dan Barahona dan@apisec.ai Free API Pen-Test • Live test against yourAPI • Full OWASPTop 10 coverage • Includes Pen-Test report apisec.ai/outpost24 17