SlideShare una empresa de Scribd logo

Building Secure and Resilient APIs

M
Manah Khalil

Building usable API layer requires balancing between security and usability. Operating API endpoints includes addressing fraud and delivering privacy-by-design. Modern management frameworks and gateways guarantee stateful operations whether the APIs themselves are stateful or not.

Tecnología
1 de 9
Descargar para leer sin conexión
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 1 Building Secure and Resilient APIs Manah Khalil ExecutiveDirector Identity,Fraud& EmergingTechnologies
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 2 Security Identity of Caller Fraud Privacy Defining API Security
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 3 ● New OWASP Top 10 (A10) highlights importance of API security ● Bot attacks and relay attacks (through trusted parties) ● CAPTCHA mainly designed for UI, not suitablefor API ● IP blacklisting, velocity attacks ● Certificate pinning is costly and not scalable ● TOR network and other anonymizers weaken traditional controls ● 4th generation 1 bots becoming smarter, emulating humans ● Trusted parties expose bigger risk when channeling attacks (e.g. retailers) 1 https://blog.radware.com/security/2019/09/meet-the-four-generations-of-bots/ Fraudsters and hackers focus on openAPIs
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 4 ● Code vulnerabilities ● OSS vulnerabilities ● Input validation ● Session hijacking ● Data leak(unintendedexposure of data) ● Data handling (masking,redaction,tokenization,encryption...) ● Unauthorized callers, misconfigured access control ● Data consistency (cache-poisoning,latent/lazypersistence) ● Thread management and parallel execution ● Denial of service, throttling,resource pooling API inherits and extends the app surface of attack
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 5 ● Business logic ● Insiders attack ● Attack from within the network Emerging types of attack
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 6 Complexity for securing APIs ● Limited device fingerprinting ● IP-based metadata ● Custom data submitted by caller and not device ● Certificate management ● Authentication and authorization ● Session management (state, caching, synchronization) ● Chaining/relaying through trusted 3rd parties
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 7 Designing for security and privacy by design ● Layering and defense-in-depth ● Centralized choking point, but also more control ● WAF ● Identity gateway for AuthN/AuthZ ● API gateway ● Centralized risk scoring and policy ● API inventory (allow <api>, deny *) ● Assume everything WILL fail ● Focus on the asset not the caller (external or internal users) ● Privacy-by-design ● Authentication AND Authorization ● Session Management ● Multi-factor Authentication (MFA) at API level CHOKE POINT LAYERED DEFENSE
© Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 8 Audit and Traceability Usable Logging Actionable Monitoring Other related capabilities
Verizon confidentialand proprietary. Unauthorizeddisclosure, reproduction or otheruse prohibited. 9

Recomendados

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesFIDO Alliance
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
FIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO Alliance
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 

Recomendados

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
Strong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesStrong Authentication and US Federal Digital Services
Strong Authentication and US Federal Digital ServicesFIDO Alliance
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
FIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO and Strong Authentication in US Federal Government
FIDO and Strong Authentication in US Federal GovernmentFIDO Alliance
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 
NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAllianceSanjeev Verma, PhD
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBMFIDO Alliance
 
Tatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana Arnaudova
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications OverviewFIDO Alliance
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO Alliance
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsMichelle Morgan-Nelsen
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorPing Identity
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationFIDO Alliance
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2
 

Más contenido relacionado

La actualidad más candente

NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldForgeRock
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBMFIDO Alliance
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications OverviewFIDO Alliance
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO Alliance
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsMichelle Morgan-Nelsen
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorPing Identity
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsForgeRock
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationFIDO Alliance
 

La actualidad más candente (20)

NYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern WorldNYC Identity Summit Tech Day: Authorization for the Modern World
NYC Identity Summit Tech Day: Authorization for the Modern World
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAlliance
 
Implementation Case Study by eWBM
Implementation Case Study by eWBMImplementation Case Study by eWBM
Implementation Case Study by eWBM
 
Tatyana-Arnaudova - English
Tatyana-Arnaudova - EnglishTatyana-Arnaudova - English
Tatyana-Arnaudova - English
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mails
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without Boundaries
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - Presentation
 
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security ThreatsBank ATM Security to Combat Physical and Logical Cyber Security Threats
Bank ATM Security to Combat Physical and Logical Cyber Security Threats
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO Alliance
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO Alliance
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract ContextsUser-Managed Access: Why and How? - Access Control in Digital Contract Contexts
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
 
Introduction to FIDO Biometric Authentication
Introduction to FIDO Biometric AuthenticationIntroduction to FIDO Biometric Authentication
Introduction to FIDO Biometric Authentication
 

Similar a Building Secure and Resilient APIs

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...apidays
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityCA Technologies
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...AirTight Networks
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...WSO2
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTForgeRock
 
Firewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesFirewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesCYLK IT Solutions
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
Vijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachVijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachDevOpsDays DFW
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...AirTight Networks
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016Verimatrix
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilForgeRock
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application EconomyCA Technologies
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 
2011 Sales Presentation V6
2011 Sales Presentation V62011 Sales Presentation V6
2011 Sales Presentation V6tina_williams
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 

Similar a Building Secure and Resilient APIs (20)

Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing Blueprint
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOT
 
Firewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicaçõesFirewall seguro, proteção para aplicações
Firewall seguro, proteção para aplicações
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
Vijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway ApproachVijay Challa - SSO on Cloud - Gateway Approach
Vijay Challa - SSO on Cloud - Gateway Approach
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
 
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016
 
Customer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah KhalilCustomer Safeguarding, Fraud and GDPR: Manah Khalil
Customer Safeguarding, Fraud and GDPR: Manah Khalil
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 
2011 Sales Presentation V6
2011 Sales Presentation V62011 Sales Presentation V6
2011 Sales Presentation V6
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 

Último

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Último (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Building Secure and Resilient APIs

  • 1. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 1 Building Secure and Resilient APIs Manah Khalil ExecutiveDirector Identity,Fraud& EmergingTechnologies
  • 2. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 2 Security Identity of Caller Fraud Privacy Defining API Security
  • 3. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 3 ● New OWASP Top 10 (A10) highlights importance of API security ● Bot attacks and relay attacks (through trusted parties) ● CAPTCHA mainly designed for UI, not suitablefor API ● IP blacklisting, velocity attacks ● Certificate pinning is costly and not scalable ● TOR network and other anonymizers weaken traditional controls ● 4th generation 1 bots becoming smarter, emulating humans ● Trusted parties expose bigger risk when channeling attacks (e.g. retailers) 1 https://blog.radware.com/security/2019/09/meet-the-four-generations-of-bots/ Fraudsters and hackers focus on openAPIs
  • 4. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 4 ● Code vulnerabilities ● OSS vulnerabilities ● Input validation ● Session hijacking ● Data leak(unintendedexposure of data) ● Data handling (masking,redaction,tokenization,encryption...) ● Unauthorized callers, misconfigured access control ● Data consistency (cache-poisoning,latent/lazypersistence) ● Thread management and parallel execution ● Denial of service, throttling,resource pooling API inherits and extends the app surface of attack
  • 5. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 5 ● Business logic ● Insiders attack ● Attack from within the network Emerging types of attack
  • 6. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 6 Complexity for securing APIs ● Limited device fingerprinting ● IP-based metadata ● Custom data submitted by caller and not device ● Certificate management ● Authentication and authorization ● Session management (state, caching, synchronization) ● Chaining/relaying through trusted 3rd parties
  • 7. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 7 Designing for security and privacy by design ● Layering and defense-in-depth ● Centralized choking point, but also more control ● WAF ● Identity gateway for AuthN/AuthZ ● API gateway ● Centralized risk scoring and policy ● API inventory (allow <api>, deny *) ● Assume everything WILL fail ● Focus on the asset not the caller (external or internal users) ● Privacy-by-design ● Authentication AND Authorization ● Session Management ● Multi-factor Authentication (MFA) at API level CHOKE POINT LAYERED DEFENSE
  • 8. © Verizon2019, AllRights Reserved. Informationcontainedhereinis providedAS IS andsubject to changewithout notice. All trademarksused herein arepropertyoftheir respectiveowners. 8 Audit and Traceability Usable Logging Actionable Monitoring Other related capabilities
  • 9. Verizon confidentialand proprietary. Unauthorizeddisclosure, reproduction or otheruse prohibited. 9