apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
API Attack Simulator - Find your API vulnerabilities first
Sella Rafaeli, Full-Stack Web Developer at WIB
1. API ATTACK SIMULATOR - FIND YOUR VULNERABILITIES NOW
Sella Rafaeli, Group Manager, wib.com, sellarafaeli.com

2. ABOUT WIB
A FULL API LIFECYCLE PLATFORM DEFENDING AGAINST API SECURITY THREATS

CYBERSECURITY LEADERS
Founded by a former CTO of Israel's National Cyber Directorate, we have the top Israeli cybersecurity talent.

FULL API LIFECYCLE
From development to production, our products secure APIs and defend against API security threats.

PROPRIETARY AI TECHNOLOGY
Patent-pending AI & ML technology created by leading academics with PhDs in CS and Machine Learning.

3. THE FOCUS IS NOW API SECURITY
91% OF ORGANIZATIONS SUFFERED SOME SORT OF API SECURITY INCIDENT IN 2020
4. OUR PRODUCTS

API COMPLIANCE DEFENDER ™
Designed to defend APIs so they are compliant with major compliance regimes, e.g. HIPAA, Open Banking, PCI etc. Solves compliance-related API security issues for regulated industries like Finance, Healthcare, Insurance etc.

API MESSAGE INSPECTION ™
Discovery and inspection of API traffic, using proprietary AI and ML algorithms (patent-pending). The inspector measures the amount of new information to identify attacks and vulnerabilities in real time.

API ATTACK SIMULATOR ™
A development environment product enabling security teams to simulate API attacks with a single click. Detect and remediate potential vulnerabilities in your APIs before they go live.

API CODE ANALYSIS ™
Analyze API code and client code to discover API threats & vulnerabilities, and remediate them in development. Make sure your API code doesn't lead to excessive data exposure and improper asset management.
5. APIDAYS CONFERENCES
Jakarta - February
Helsinki & North - March
Singapore - April
India - May
June
New York - July
Hong Kong - August
Australia - September
London - October
Paris - December
Check out our API Conferences here
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community
Want to talk at one of our conferences? Apply to speak here
6. OUR PRODUCTS: API ATTACK SIMULATOR ™
A dev/prod environment product enabling security teams to simulate API attacks with a single click. Detect and remediate potential vulnerabilities in your APIs before/after they go live.
7. WHY YOU SHOULD SIMULATE ATTACKS ON YOUR APIS
1. Find the same vulnerabilities attackers will find, before they do.
2. Automate penetration tests to test known attack vectors against your APIs.
3. Throw the "kitchen sink" of API attacks at your APIs - your attackers certainly will.
23. FIND YOUR VULNERABILITIES IN THE FIELD. BRIDGE SECURITY AND DEV TEAMS TOGETHER.

24. HIRING & OPEN-SOURCE
API SECURITY IS A TEAM AND COMMUNITY EFFORT
sella.rafaeli@wib.com

25. Me: Sella Rafaeli, API Security Expert: sellarafaeli.com
26. API SECURITY THREATS
THE CHALLENGES OUR CUSTOMERS FACE WITH THEIR APIS

VISIBILITY
Companies and security organizations are not aware of all of their APIs' data.

DATA LEAKS & COMPLIANCE
PII leakage through APIs harms compliance with regulations, e.g. HIPAA, GDPR etc.

HACKING & ABUSE
Companies don't know who is using their APIs and whether usage is authorised and reasonable.
27. EXPOSED APIS LEAD TO SEVERE REPERCUSSIONS
- LEAKED DATA & TAKEOVERS
- STEEP LOSSES & STOCK PRICE DROPS
- HUGE FINES & REGULATORY SCRUTINY
28. API SECURITY BEST PRACTICE

API SECURITY ON ROADMAPS
50% of mature API organizations plan to focus on increased API security and governance during 2021/2022 - AI-powered API security solutions are gaining widespread adoption.
Gartner recommends: discover your APIs before attackers do, add specialist API security products, and design API security into the full cycle from development to delivery.

API ATTACKS ON THE RISE
"APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers."
29. API SECURITY: WHAT YOU NEED TO DO TO PROTECT YOUR APIS

GENERAL PURPOSE SOLUTIONS ARE INEFFECTIVE
"Protecting web APIs with general purpose application security solutions alone continues to be ineffective. Each new API represents an additional and potentially unique attack vector into your systems."
30. OWASP API SECURITY TOP 10 THREATS
ACCORDING TO GARTNER, APIs WILL BE THE #1 ATTACK VECTOR BY 2022.
API1:2019 Broken Object Level Authorization
API2:2019 Broken Authentication
API3:2019 Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting
API5:2019 Broken Function Level Authorization
API6:2019 Mass Assignment
API7:2019 Security Misconfiguration
API8:2019 Injection
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging & Monitoring
31. WAFS AND API GATEWAYS CAN'T PROTECT YOU
Table: OWASP API Security Top 10 Threats versus WAFs and API Gateways (the per-column coverage marks are not shown).
Broken Object Level Authorization
Broken Authentication
Excessive Data Exposure
Lack of Resources & Rate Limiting
Broken Function Level Authorization
Mass Assignment
Security Misconfiguration
Injection
Improper Assets Management
Insufficient Logging & Monitoring
32. OUR SOLUTION
AN API SECURITY SUITE OF PRODUCTS, FOR COMPREHENSIVE 360° PROTECTION.

33. OUR SOLUTION
1. DISCOVER, ANALYZE AND DETECT
We provide visibility of existing APIs, analyze their integrity and detect attacks in real time.
2. PATENT-PENDING ML TECHNOLOGY
Measure the amount of new information and identify anomalies using ML models.
3. FROM DEVELOPMENT TO PRODUCTION
Full lifecycle protection - from API integrity in the test environment, to detecting attacks in real time.
34. FULL API LIFECYCLE
Full protection across the entire API lifecycle, from development, through testing, to production.
DEVELOPMENT: API CODE ANALYSIS ™
TESTING: API ATTACK SIMULATOR ™
PRODUCTION: API COMPLIANCE DEFENDER ™, API MESSAGE INSPECTION ™
35. DEPLOYMENT OPTIONS
wib supports On-Premises, Private Cloud and Cloud environments. An agentless deployment to your environment means zero performance deterioration.
1. TRAFFIC MIRRORING
Tap traffic from load balancers or VPC.
2. SIDECAR
Integrate with any service mesh such as Istio.
3. REVERSE PROXY / API GATEWAY
Integration with all major products, e.g. NGINX, Envoy etc.
36. INSTANT AND AGENTLESS
[Diagram labels: Clients; Load Balancer & SSL Terminator; Traffic Mirroring Tap; Decryptor; wib Servers; shown for both Cloud and On-Premises deployments.]
38. NEXT STEP - POC
THE POC WILL DEMONSTRATE WIB CAPABILITIES IN REAL-TIME ON YOUR ENVIRONMENT
1. KICKOFF MEETING
Define PoC scope, timeline and success criteria. Discuss deployment options with the technical team.
2. DEPLOYMENT
Deploy Syber.ai on the client's environment. Grant dashboard access for full visibility.
3. POC IN PROGRESS (2 weeks)
Track progress and analyze results over 2 weeks. Remediate API security threats in real-time.
4. POC REVIEW
Review PoC results based on pre-defined success criteria. Discuss next steps.