apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilities first by Sella Rafaeli, WIB
•
0 likes•110 views
apidays LIVE Paris 2021 - APIs and the Future of Software December 7, 8 & 9, 2021 API Attack Simulator - Find your API vulnerabilities first Sella Rafaeli, Full-Stack Web Developer at WIB
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilities first by Sella Rafaeli, WIB
Similar to apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilities first by Sella Rafaeli, WIB (20)
More from apidays
More from apidays (20)
Recently uploaded
Recently uploaded (20)
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilities first by Sella Rafaeli, WIB
- 1. API At t a c k Si mul a t or - Fi nd Your Vul ne r a bi l i t i e s Now Sella Rafaeli, Group Manager, wib.com, sellarafaeli.com
- 2. A FULL API LI FECYCLE PLATFORM DEFENDI NG AGAI NST API SECURI TY THREATS CYBERSECURI TY LEADERS Founded by former CTO of Israel's National Cyber Directorate, we have the top Israeli Cybersecurity talent. FULL API LI FECYCLE From development to production - our products secure APIs and defend against APISecurity threats. PROPRI ETARY AI TECHNOLOGY Patent- pending AI& ML technology created by leading academics with PhDs in CS and Machine Learning. ABOUT W I B
- 3. 91% OF ORGANI ZATI ONS SUFFERED SOM E SORT OF API SECURI TY I NCI DENT I N 2020 THE FOCUS I S NOW API SECURI TY 05
- 4. OUR PRODUCTS API COM PLI ANCE DEFENDER ™ Discovery and Inspection of API traffic, using AIand ML proprietary algorithms (patent- pending). The inspector measures the amount of new information to identify attacks and vulnerabilities in real- time. Designed to defend APIs so they are compliant with major compliances e.g. HIPAA,Open Banking, PCI etc. Solving compliance APIsecurity issues for regulated industries like Finance, Healthcare, Insurance etc. API M ESSAGE I NSPECTI ON ™ A development environment product enabling security teams to simulate APIattacked with a single click. Detect and remediate potential vulnerabilities in your APIs before they go live. API ATTACK SI M ULATOR ™ API CODE ANALYSI S ™ Analyze APIcode and client code to discover API threats & vulnerabilities, and remediate them in development. Make sure your API code doesn't lead to excessive data exposure and improper asset management.
- 5. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 6. OUR PRODUCTS A dev/prod environment product enabling security teams to simulate APIattacks with a single click. Detect and remediate potentialvulnerabilities in your APIs before/after they go live. API ATTACK SI M ULATOR ™
- 7. 02 Find the same vulnerabilities attackers will find, before they do. W HY YOU SHOULD SI M ULATE ATTACKS ON YOUR API S Automate penetration tests to test known attack vectors against your APIs. Throw the ”kitchen sink” of API attacks at your APIs - your attackers certainly will. 1 2 3
- 8. OUR PRODUCTS A dev/prod environment product enabling security teams to simulate APIattacks with a single click. Detect and remediate potentialvulnerabilities in your APIs before/after they go live. API ATTACK SI M ULATOR ™
- 9. 12 API ATTACK SI M ULATOR ™
- 10. 1. I nput : Pos t ma n API s e s s i on
- 11. 1. I nput : Pos t ma n API s e s s i on
- 12. 2. Ge ne r a t e Va r i a nt s - At t a c ks
- 13. 2. Ge ne r a t e Va r i a nt s - At t a c ks
- 14. 2. Ge ne r a t e Va r i a nt s - At t a c ks
- 15. 3. Run At t a c ks
- 16. 4. Ana l yz e Re s ul t s of e a c h At t a c k Si mul a t i on
- 17. 4. Ana l yz e Re s ul t s of e a c h At t a c k Si mul a t i on
- 18. 4. Ana l yz e Re s ul t s of e a c h At t a c k Si mul a t i on
- 19. 5. Summa r i z e
- 20. 5. De t a i l s a nd Re me di a t i on
- 21. 5. De t a i l s a nd Re me di a t i on
- 22. 5. De t a i l s a nd Re me di a t i on
- 23. Fi nd Your Vul ne r a bi l i t i e s I n t he Fi e l d. Br i dge Se c ur i t y a nd De v Te a ms Toge t he r . THE FOCUS I S NOW API SECURI TY 05
- 24. Hi r i ng & Ope n- Sour c e API Se c ur i t y i s a TEAM a nd COM M UNI TY Ef f or t THE FOCUS I S NOW API SECURI TY 05 s e l l a . r a f a e l i @ wi b. c om
- 25. 12 M e : Se l l a Ra f a e l i , API Se c ur i t y Expe r t : s e l l a r a f a e l i . c om
- 26. 03 API SECURI TY THREATS THE CHALLENGES OUR CUSTOM ERS FACE W I TH THEI R API S Companies and security organizations are not aware of all of their APIs Data. VI SI BI LI TY PII leakage through APIharms compliance with regulations e.g. HIPAA,GDPR etc. DATA LEAKS & COM PLI ANCE Companies don't know who is using their APIs and whether usage is authorised and reasonable HACKI NG & ABUSE
- 27. 04 EXPOSED API S LEAD TO SEVERE REPERCUSSI ONS LEAKED DATA & TAKEOVERS STEEP LOSSES & STOCK PRI CE DROPS HUGE FI NES & REGULATORY SCRUTI NY
- 28. 06 API SECURI TY BEST PRACTI CE 50% of mature API organizations planto focus on increased API security and governance during 20 21/20 22 - AI- powered APISecurity solutions are gaining widespread adoption. Gartner recommends: Discover your APIs before attackers,add specialist APISecurity products and design API Security into the full cycle from development to delivery. API SECURI TY ON ROADM APS "APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers” API ATTACKS ON THE RI SE THE FOCUS I S NOW API SECURI TY
- 29. 07 GENERAL PURPOSE SOLUTI ONS ARE I NEFFECTI VE Protecting web APIs with general purpose application security solutions alone continues to be ineffective. Each new API represents an additional and potentially unique attack vector into your systems.” API SECURI TY: W HAT YOU NEED TO DO TO PROTECT YOUR API S
- 30. 08 OW ASP API SECURI TY TOP 10 THREATS ACCORDI NG TO GARTNER, API W I LL BE THE #1 ATTACK VECTOR BY 2O22. API 1: 2019 Broken Object Level Authorization API 2: 2019 Broken Authentication API 3: 2019 Excessive Data Exposure API 4: 2019 Lack of Resources & RateLimiting API 5: 2019 Broken Function Level Authorization API 1: 2019 Mass Assignment API 1: 2019 Security Misconfiguration API 1: 2019 Injection API 1: 2019 Improper Assets Management API 1: 2019 Insufficient Logging & Monitoring
- 31. 09 W AFS AND API GATEW AYS CAN' T PROTECT YOU OW ASP API Se c ur i t y Top 10 Thr e a t s W AFs API Ga t e wa ys Broken Object Level Authorization Broken Authentication Excessive Data Exposure Lack of Resources & RateLimiting Broken Function Level Authorization Mass Assignment Security Misconfiguration Injection Improper Assets Management Insufficient Logging & Monitoring
- 32. 10 OUR SOLUTI ON AN API SECURI TY SUI TE OF PRODUCTS, FOR COM PREHENSI VE 360° PROTECTI ON.
- 33. 11 Full lifecycle protection - from API integrity in test environment, to detecting attacks in real time. OUR SOLUTI ON We provide visibility of existing APIs, analyze their integrity and detect attacks in real time. Measure the amount of new information and identify anomalies using ML models. 1 2 3 PATENT- PENDI NG M L TECHNOLOGY DI SCOVER, ANALYZE AND DETECT FROM DEVELOPM ENT TO PRODUCTI ON
- 34. 13 FULL API LI FECYCLE Full protection across the entire API lifecycle. From Development,through testing to production. DEVELOPM ENT PRODUCTI ON TESTI NG API CODE ANALYSI S ™ API COM PLI ANCE DEFENDER ™ API M ESSAGE I NSPECTI ON ™ API ATTACK SI M ULATOR ™
- 35. TRAFFI C M I RRORI NG Tap traffic from load balancers or VPC. SI DECAR Integrate with any service mesh such as Istio. REVERSE PROXY / API GATEW AY Integration to all major products e.g. NGINX, Envoy etc. 14 DEPLOYM ENT OPTI ONS wib supports On- Premises, Private Cloud and Cloud environments. An agentless deployment to your environment means zero performance deterioration. 2 1 3
- 36. 15 I NSTANT AND AGENTLESS DECRYPTOR wi b SERVERS TRAFFI C M I RRORI NG TAP wi b SERVERS LOAD BALANCER & SSL TERM I NATOR CLI ENTS CLOUD ON- PREM I SES
- 37. 16 REAL- TI M E API SECURI TY DASHBOARD
- 38. 17 NEXT STEP - POC THE POC W I LL DEM ONSTRATE W I B CAPABI LI TI ES I N REAL- TI M E ON YOUR ENVI RONM ENT KI CKOFF M EETI NG 1 DEPLOYM ENT POC I N PROGRESS POC REVI EW 2 3 4 2 we e ks Define PoC scope, timeline and success criteria. Discuss deployment options with technical team. Dep loy Syber.ai on client's environment. Grant d ashboard access for full visib ility. Track progress and analyze results over 2 weeks. Remediate APISecurity threats in real- time. Review PoC results based on p re- defined success criteria. Discuss next steps.
- 39. CONTACT DETAI LS +972 ( 0) 54- 794- 7114 RAN@ SYBER. AI W W W . SYBER. AI
- 40. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here