SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
The Power of APIs
API Economy Trends & Market Drivers, Top 10 Security Risks and Mitigation Strategies
Suhas Desai
Infosys
Industry Principal – Cyber Security
@desai_suhas
SACON 2020
What we will discuss today
• Trends in APIs, API Management Platform Technologies
• Overview on APIs, API Management Platform & API Economy
• Wide acceptance of APIs in Industry 4.0
• Top 10 security risks in APIs, API Management Platforms
• API Security Governance Framework
• API Security Good Practices
Recent News – API Security & Hacks
Source: https://www.zdnet.com/article/twitter-says-an-attacker-used-its-api-to-match-usernames-to-phone-numbers/
Recent News – API Security & Hacks
Source: https://latesthackingnews.com/2020/01/04/starbucks-exposed-an-api-key-in-github-public-repository/
The Power of APIs – Trends in Emerging Technologies
[Figure: "The Power of APIs" – AI/ML, API Economy, Open Banking, Blockchain, Cloud APIs]
Hype Cycle – API Security & API Threat Protection
Quiz

    #include <stdio.h>

    int main(void)
    {
        int i = 7;
        /* Quiz: the two i++ side effects are unsequenced, so this expression
           is undefined behaviour in C; the printed value depends on the compiler. */
        printf("%d", i++ * i++);
        return 0;
    }
APIs - Overview
• Application Programming Interface
• Interface that provides programmatic access to service functionality and data within an application or a database (Gartner)
• Interface or set of definitions or communication protocols used to build/integrate software
• It can be used for web based applications, OS, DB, devices and libraries
Types of APIs
• Private/Internal APIs – Enterprises for their own consumption.
• Partner APIs – Specific rights/access is required. Third party/paid API consumption.
• Public/External/Open APIs – Publicly available. OAuth.
APIs - Examples
• Database APIs
• Devices APIs
• Operating Systems APIs
• Remote APIs
• Web APIs
Web Services APIs
[Figure: Web Services APIs – REST, JSON, XML, SOAP, RPC]
API Management Platforms for API Life Cycle
API Management Platforms are used to manage the API life cycle:
• Design
• Publish (Provisioning / De-provisioning)
• Security (through API Gateways)
• Analytics
• Documentation
• API Monetization
Top 8 API Management Platforms
1. Broadcom (CA) API Management Platform
2. Google Apigee API Management Platform
3. IBM API Connect
4. Mulesoft Anypoint Platform
5. TIBCO Cloud Mashery
6. Microsoft Azure API Management
7. Red Hat 3scale API Management
8. Axway AMPLIFY API Management
API Economy
“The API economy is an enabler for turning a business or organization into a
platform.” Kristin R. Moyer, vice president and distinguished analyst at Gartner
API Monetization
[Figure: API monetization models – Revenue per API call, Revenue Sharing, Licensing, Platforms, API Calls]
API Architecture
[Figure: API architecture diagram. Layers shown: API Initiation/Requestor, Middleware/Platforms, Backend Services. Channels: Web, Mobile, Devices, Enterprise Application. Middleware/Platforms: API Management Platforms, API Middleware, API Gateway, Data Processing & Analytics, API Connectors. Backend: Database, Operating Systems. Features: Security, Compliance, Efficiency, Analytics. APIs sit at the Application or Service Layer.]
Top 10 Security Risks
API Security Risks, grouped under Governance, APIs & API Technology Platforms, and Monetization:
1. Crypto Services
2. Authentication & Authorization
3. Communication Channels
4. Data Security
5. Business Logic Implementation
6. Input Validation
7. API Security Governance
8. API Management Platform Misconfigurations
9. API Gateway and Runtime Risks
10. Security Risks in API Monetization
Quiz

    #include <stdio.h>

    /* The macro body a##b (token pasting) is assumed; it is missing from the
       extracted slide. merge(20, 40) pastes the tokens 20 and 40 into 2040. */
    #define merge(a, b) a##b

    int main(void)
    {
        printf("%d ", merge(20, 40));
        return 0;
    }
Approach - Secure API Life Cycle

API Security Assessment (outcome: Secured API Management Platform)
1. API Design & Architecture, Specification Document Review
2. Black/Grey Box Risk Assessment of APIs/Web Services/Micro Services (e.g. REST-JSON, SOAP-XML), API Management Platforms/Gateways, ESB/SOA.
3. Data Security & Cryptographic Controls Review
4. Configuration & Audit Logs Review
5. Calculating Severity Score based on threat & impact of the vulnerability.
6. Risk Mitigation

API Platform Implementation
1. Design API Management Platform Architecture
2. Implement Security Controls for API Management Platforms
3. Implement Security Configurations of API Management Platforms

API Platform Management & Sustenance Programme (Provisioning & De-provisioning; Incident Monitoring & Management)
1. API provisioning & de-provisioning
2. Security Governance through Platform
3. Monitor Security Incidents
4. Incident Management

API Security Audit (outcome: Compliant API Ecosystem; Policies & Procedures; Advisory on Roadmap & Strategy; Secured API Ecosystem)
1. Review of Current Security Processes & Policies.
2. Documents & Evidence Validation against Compliance Audit Points
3. Data Security & Cryptographic Controls Review
4. Calculating Risk Score based on threat & impact against non-compliance point.

Security Assurance in APIs, Digital Channels & Platform Implementation Managed Services
API Security Governance Framework
• Security Governance: Risk, Compliance, Policy Management, Assurance, BCP & DR, Awareness
• Monitoring & Logging: SIEM, Threat Intelligence, Analytics, Traffic Monitoring, API Metering and Billing
• API Management: API Provisioning, Entity/Resource Onboarding, API Governance Risk & Compliance, Traffic Mediation, Versioning
• API Security: PKI, OAuth2, OpenID Connect, Digital Signature, Threat Protection, Input/Schema Validation, Traffic Shaping
• Data Security: Data Encryption, Data Masking, Data Classification, DRM, Data Loss Prevention
• Network Security: WAF, IDS/IPS, Advanced Persistent Threats, Gateway Security, DoS Prevention, Unified Threat Management
OWASP – API Security Top 10 2019
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
API Security Assessment Tools
• Fiddler
• Wireshark
• Metasploit Framework
• SoapUI Pro
• Katalon
• Apigee
• Postman
• Parasoft SOAtest
• JMeter
Good Practices to secure APIs
1. Enforce strong SSL/TLS encryption over the communication channel.
2. Digitally sign the API request data, with the current timestamp in the request headers, to prevent request tampering and replay attacks.
3. Encrypt sensitive request payloads when calling an API. Never expose API session tokens, keys or passwords in the URL; pass them in API request headers instead.
4. Validate and sanitize users' untrusted input before processing it at the backend.
5. Authenticate API resources and requesting entities mutually using PKI certificates. Use OAuth/OpenID Connect for authorization to control users' access to API resources.
6. Set quota limits on bandwidth usage and on API requests processed per unit time to avoid denial of service attacks.
7. Implement and use audit logging and monitoring features to uncover API transaction processing disputes that may have happened in the past.
8. Set up SLAs and performance benchmarks, and ensure regulatory Governance, Risk & Compliance (GRC) policies and procedures are properly followed according to standards such as Sarbanes Oxley (SOX), PCI DSS, GDPR, HIPAA and COBIT.
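Practice 2 above (signed requests with a timestamp, to defeat tampering and replay) is shown below as an added example that is not from the slides: the server binds method, path, timestamp, nonce and a body digest into one signed string, checks the signature in constant time before touching any state, rejects stale timestamps, and refuses a nonce it has already accepted inside the freshness window. It assumes a shared secret and uses HMAC-SHA256 in place of an asymmetric signature; the secret, header names and window are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed shared secret for the example only; real deployments load keys from a secret store.
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAX_SKEW_SECONDS = 300                 # how far X-Timestamp may drift from server time
_seen_nonces: Dict[str, float] = {}    # nonce -> expiry time; in-memory replay cache (assumed)


def canonical_string(method: str, path: str, timestamp: str, nonce: str, body: bytes) -> bytes:
    # Bind every authenticated element together so none can be swapped independently.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode()


def sign_request(method: str, path: str, body: bytes, nonce: str, now: Optional[float] = None) -> Dict[str, str]:
    """Client side: produce the headers that travel with the request (example header names)."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SHARED_SECRET, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: Dict[str, str],
                   now: Optional[float] = None) -> Optional[str]:
    """Server side: return None when the request is accepted, else the rejection reason."""
    now = now if now is not None else time.time()
    ts, nonce, sig = headers.get("X-Timestamp"), headers.get("X-Nonce"), headers.get("X-Signature")
    if not (ts and nonce and sig):
        return "missing auth headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return "bad timestamp"
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return "stale timestamp"           # outside the replay window: reject before any cache work
    expected = hmac.new(SHARED_SECRET, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"             # constant-time compare; unauthenticated callers never reach the cache
    for n, expiry in list(_seen_nonces.items()):   # drop nonces whose window has closed
        if expiry <= now:
            del _seen_nonces[n]
    if nonce in _seen_nonces:
        return "replay"                    # same signed request seen again inside the window
    _seen_nonces[nonce] = now + MAX_SKEW_SECONDS
    return None
```

A gateway would apply this check before routing and log the rejection reason, so replays and tampering show up in monitoring rather than at the backend.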
Summary
• Secure Design of API, API Management Platform
• Security Governance and Security Assurance
• Good Practices in API Life Cycle
Crypto + Steganography with Python
Source: Linux Journal, Author – Suhas Desai
Need community contribution to embed more cryptography & steganography libraries and APIs!
For more details please contact:
Suhas Desai, Industry Principal – Infosys
E: suhasanandrao.desai@Infosys.com
Thank You!

(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers, Security Risks and Mitigation Strategies