SlideShare une entreprise Scribd logo

Building Secure and Resilient APIs

M
Manah Khalil

Building usable API layer requires balancing between security and usability. Operating API endpoints includes addressing fraud and delivering privacy-by-design. Modern management frameworks and gateways guarantee stateful operations whether the APIs themselves are stateful or not.

Technologie
1  sur  9
Télécharger pour lire hors ligne
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 1 Building Secure and Resilient APIs Manah Khalil ExecutiveDirector Identity,Fraud& EmergingTechnologies
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 2 Security Identity of Caller Fraud Privacy Defining API Security
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 3 ● New OWASP Top 10 (A10) highlights importance of API security ● Bot attacks and relay attacks (through trusted parties) ● CAPTCHA mainly designed for UI, not suitablefor API ● IP blacklisting, velocity attacks ● Certificate pinning is costly and not scalable ● TOR network and other anonymizers weaken traditional controls ● 4th generation 1 bots becoming smarter, emulating humans ● Trusted parties expose bigger risk when channeling attacks (e.g. retailers) 1 https://blog.radware.com/security/2019/09/meet-the-four-generations-of-bots/ Fraudsters and hackers focus on openAPIs
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 4 ● Code vulnerabilities ● OSS vulnerabilities ● Input validation ● Session hijacking ● Data leak(unintendedexposure of data) ● Data handling (masking,redaction,tokenization,encryption...) ● Unauthorized callers, misconfigured access control ● Data consistency (cache-poisoning,latent/lazypersistence) ● Thread management and parallel execution ● Denial of service, throttling,resource pooling API inherits and extends the app surface of attack
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 5 ● Business logic ● Insiders attack ● Attack from within the network Emerging types of attack
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 6 Complexity for securing APIs ● Limited device fingerprinting ● IP-based metadata ● Custom data submitted by caller and not device ● Certificate management ● Authentication and authorization ● Session management (state, caching, synchronization) ● Chaining/relaying through trusted 3rd parties
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 7 Designing for security and privacy by design ● Layering and defense-in-depth ● Centralized choking point, but also more control ● WAF ● Identity gateway for AuthN/AuthZ ● API gateway ● Centralized risk scoring and policy ● API inventory (allow <api>, deny *) ● Assume everything WILL fail ● Focus on the asset not the caller (external or internal users) ● Privacy-by-design ● Authentication AND Authorization ● Session Management ● Multi-factor Authentication (MFA) at API level CHOKE POINT LAYERED DEFENSE
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 8 Audit and Traceability Usable Logging Actionable Monitoring Other related capabilities
Verizon confidentialand proprietary. Unauthorizeddisclosure, reproduction or otheruse prohibited. 9

Recommandé

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesFIDO Alliance
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
FIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO Alliance
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 

Recommandé

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesFIDO Alliance
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
FIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO Alliance
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 
NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAllianceSanjeev Verma, PhD
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBMFIDO Alliance
 
Tatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana Arnaudova
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications OverviewFIDO Alliance
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO Alliance
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsMichelle Morgan-Nelsen
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorPing Identity
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationFIDO Alliance
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2
 

Contenu connexe

Tendances

NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBMFIDO Alliance
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications OverviewFIDO Alliance
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO Alliance
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsMichelle Morgan-Nelsen
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorPing Identity
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationFIDO Alliance
 

Tendances (20)

NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern World
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAlliance
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBM
 
Tatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana-Arnaudova - English
Tatyana-Arnaudova - English
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mails
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without Boundaries
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - Presentation
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric Authentication
 

Similaire à Building Secure and Resilient APIs

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...apidays
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityCA Technologies
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...AirTight Networks
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...WSO2
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTForgeRock
 
Firewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesFirewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesCYLK IT Solutions
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
Vijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachVijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachDevOpsDays DFW
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...AirTight Networks
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016Verimatrix
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilForgeRock
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application EconomyCA Technologies
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 
2011 Sales Presentation V6
2011 Sales Presentation V62011 Sales Presentation V6
2011 Sales Presentation V6tina_williams
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 

Similaire à Building Secure and Resilient APIs (20)

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing Blueprint
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOT
 
Firewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesFirewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicações
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
Vijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachVijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway Approach
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
 
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah Khalil
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 
2011 Sales Presentation V6
2011 Sales Presentation V62011 Sales Presentation V6
2011 Sales Presentation V6
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 

Dernier

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 

Dernier (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 

Building Secure and Resilient APIs

  • 1. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 1 Building Secure and Resilient APIs Manah Khalil ExecutiveDirector Identity,Fraud& EmergingTechnologies
  • 2. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 2 Security Identity of Caller Fraud Privacy Defining API Security
  • 3. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 3 ● New OWASP Top 10 (A10) highlights importance of API security ● Bot attacks and relay attacks (through trusted parties) ● CAPTCHA mainly designed for UI, not suitablefor API ● IP blacklisting, velocity attacks ● Certificate pinning is costly and not scalable ● TOR network and other anonymizers weaken traditional controls ● 4th generation 1 bots becoming smarter, emulating humans ● Trusted parties expose bigger risk when channeling attacks (e.g. retailers) 1 https://blog.radware.com/security/2019/09/meet-the-four-generations-of-bots/ Fraudsters and hackers focus on openAPIs
  • 4. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 4 ● Code vulnerabilities ● OSS vulnerabilities ● Input validation ● Session hijacking ● Data leak(unintendedexposure of data) ● Data handling (masking,redaction,tokenization,encryption...) ● Unauthorized callers, misconfigured access control ● Data consistency (cache-poisoning,latent/lazypersistence) ● Thread management and parallel execution ● Denial of service, throttling,resource pooling API inherits and extends the app surface of attack
  • 5. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 5 ● Business logic ● Insiders attack ● Attack from within the network Emerging types of attack
  • 6. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 6 Complexity for securing APIs ● Limited device fingerprinting ● IP-based metadata ● Custom data submitted by caller and not device ● Certificate management ● Authentication and authorization ● Session management (state, caching, synchronization) ● Chaining/relaying through trusted 3rd parties
  • 7. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 7 Designing for security and privacy by design ● Layering and defense-in-depth ● Centralized choking point, but also more control ● WAF ● Identity gateway for AuthN/AuthZ ● API gateway ● Centralized risk scoring and policy ● API inventory (allow <api>, deny *) ● Assume everything WILL fail ● Focus on the asset not the caller (external or internal users) ● Privacy-by-design ● Authentication AND Authorization ● Session Management ● Multi-factor Authentication (MFA) at API level CHOKE POINT LAYERED DEFENSE
  • 8. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 8 Audit and Traceability Usable Logging Actionable Monitoring Other related capabilities
  • 9. Verizon confidentialand proprietary. Unauthorizeddisclosure, reproduction or otheruse prohibited. 9