WHAT HACKERS DON’T WANT YOU TO KNOW:
HOW TO MAXIMIZE YOUR API SECURITY
API WORLD - OCTOBER 2019
Overview
1. API Lifecycle
2. API Management
3. Securing an API
4. API Landscape
5. The Power of PingIntelligence for APIs
Connect With Us
• Big Compass
◦ Website - https://www.bigcompass.com
◦ LinkedIn - https://www.linkedin.com/company/big-compass/
◦ Twitter - https://twitter.com/big_compass
◦ Facebook - https://www.facebook.com/bigcompass/
◦ Aaron Lieberman
◦ LinkedIn - https://www.linkedin.com/in/aaron-lieberman-8a89bb46/
Attack!
API Lifecycle and Management
API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage
API Management
Create API
Connect the API
Secure
Manage/Monitor
API Security Measures
• Basic authentication
• IP whitelisting
• Client ID enforcement
• SLA-based rate limiting and throttling
• OAuth 2.0
• JWT
• TLS
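The OAuth 2.0 / JWT / client-ID bullets above are only as good as the checks the API actually performs on each bearer token. The following is an added example in plain Python (standard library only), not code from the slides, from MuleSoft or from PingIntelligence. It mints and verifies HS256 tokens and shows the order of checks a gateway or resource server should make: algorithm pinned server-side (rejecting the classic "alg": "none" forgery), signature before any claim is believed, then expiry, issuer, audience (which is how "client ID enforcement" shows up in a token) and finally a revocation list, because, as the Zero Trust slide later in the deck puts it, a validly signed token can still be a stolen one. The shared secret, issuer, audience, revoked token IDs and all function names are assumptions for the demo; a production deployment would normally verify RS256/ES256 signatures against the issuer's published keys instead.

```python
"""Bearer-token checks an API must make before trusting a JWT.

Added example, not code from the original slides or from MuleSoft/PingIntelligence.
Pure standard library; HS256 with a shared secret is used for brevity. SECRET,
ISSUER, AUDIENCE and the revoked-token list are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret-do-not-deploy"   # assumption: key shared by issuer and API
ISSUER = "https://issuer.example"              # assumption: the only issuer we accept
AUDIENCE = "orders-api"                        # assumption: this API's own client ID
REVOKED_JTI = {"tok-0042"}                     # assumption: token IDs already reported stolen


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT. This is also exactly what an attacker holding a leaked secret can do."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(token: str) -> str:
    """Classic forgery attempt: keep the payload, swap the header to alg=none, drop the signature."""
    payload = token.split(".")[1]
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{payload}."


def verify_token(token: str, now=None, secret: bytes = SECRET):
    """Return (accepted, reason). Every check fails closed; the signature is verified
    before any claim is believed, and the algorithm is pinned by the server, not the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:                      # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        return False, "alg not allowed"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired or missing exp"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    # A correctly signed token can still be a stolen one: consult the revocation list.
    if claims.get("jti") in REVOKED_JTI:
        return False, "revoked"
    return True, "ok"


if __name__ == "__main__":
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 2000, "jti": "tok-0001"})
    print(verify_token(good, now=1000))                  # (True, 'ok')
    print(verify_token(forge_alg_none(good), now=1000))  # (False, 'alg not allowed')
```

The revocation check is the only line that distinguishes a legitimate token from the same token in an attacker's hands; everything before it passes for both. That is the gap the rest of the deck is about: signature, expiry and audience tell you the token is genuine, not that the caller is.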
API Security + WAF
• Protects against many common attacks (OWASP Top 10)
  ◦ SQL injection
  ◦ Cross-site scripting
  ◦ Body scanning
  ◦ DDoS
• What are the vulnerabilities?
  ◦ Advanced API attacks from authenticated hackers
  ◦ Detecting authenticated attacks is difficult!
API Security + WAF
API Landscape
Current API Landscape
Current API Security Landscape
Current API Security Landscape
• API Security Survey
  ◦ 45% not confident in ability to detect malicious API access
  ◦ 51% not confident in security team’s awareness of all APIs
• Lesson learned: from reactivity to proactivity
API Attack Detection
Time to Detect First Breach
The Difficult Problem of Securing APIs
• High volume of traffic across many APIs
• High velocity connections across many APIs
• Variety of client types and activity
• Who is responsible for APIs?
How Vulnerable are APIs?
• API login and DDoS attacks
  ◦ Brute force login attacks
  ◦ Stolen identifiers
  ◦ API DDoS attacks
• Stolen account
  ◦ Account takeover
  ◦ Data theft
  ◦ App control
• Hackers using machine learning
  ◦ Every attack looks different
  ◦ Every blocked attack leads to a new attack
  ◦ Always getting smarter
Answer: Leverage AI
• Model
  ◦ Behavioral learning
  ◦ Continuously build security model
• Detect
  ◦ Look for deviations from the learned behavior
• Block
  ◦ Block compromised tokens/access
  ◦ Notify/alert
PingIntelligence for APIs
• Deep API visibility
  ◦ Dynamically discover APIs across all environments
  ◦ Monitor APIs across all environments
• Automated threat detection and blocking
  ◦ Detect and block attacks on your APIs
  ◦ API honeypots to instantly detect probing hackers
• Self learning
  ◦ Use AI to build behavioral model
  ◦ No need to author and manage policies and update API security
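The Model / Detect / Block loop on the "Answer: Leverage AI" slide and the honeypot bullet on the slide above are easier to reason about with a concrete, if toy, implementation. The following is an added example in Python (standard library only); it is not code from the slides and is not how PingIntelligence is implemented. It learns a per-endpoint baseline from a window of "known good" API gateway log lines (Model), scores a later window in which a valid token is used far outside the learned profile and another token hammers the login endpoint (Detect), and returns per-token block decisions with reasons (Block). It also flags the first request to a decoy path that no legitimate client is ever told about, which is the honeypot idea. All log lines are constructed for the demo; the field names (ts, token, method, path, status), the decoy paths, the z-score and auth-failure thresholds and the function names are assumptions.

```python
"""Model / Detect / Block over API gateway logs, plus an API honeypot rule.

Added example, not code from the original slides or from PingIntelligence.
All log lines are constructed; field names, decoy paths and thresholds are assumptions.
"""
import json
import re
import statistics
from collections import defaultdict

HONEYPOT_PATHS = {"/v1/admin/export", "/v1/internal/debug"}  # assumption: decoys, never documented
ID_RE = re.compile(r"/\d+(?=/|$)")
Z_THRESHOLD = 3.0         # assumption: how far outside baseline counts as an attack
AUTH_FAIL_THRESHOLD = 5   # assumption: 401/403s per window that look like brute force


def template(path):
    """Collapse object IDs so /v1/orders/123 and /v1/orders/124 share one profile."""
    return ID_RE.sub("/{id}", path)


def parse(lines):
    return [json.loads(line) for line in lines if line.strip()]


def features(events):
    """One feature set per (token, endpoint template) for a window of events."""
    feats = defaultdict(lambda: {"count": 0, "ids": set(), "fails": 0, "honeypot": 0})
    for e in events:
        f = feats[(e["token"], template(e["path"]))]
        f["count"] += 1
        m = ID_RE.search(e["path"])
        if m:
            f["ids"].add(m.group())
        if e["status"] in (401, 403):
            f["fails"] += 1
        if e["path"] in HONEYPOT_PATHS:
            f["honeypot"] += 1
    return feats


def learn_baseline(events):
    """Model: per endpoint template, mean and stdev of what one token does in a window."""
    columns = defaultdict(lambda: {"count": [], "ids": []})
    for (_, tpl), f in features(events).items():
        columns[tpl]["count"].append(f["count"])
        columns[tpl]["ids"].append(len(f["ids"]))
    return {tpl: {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in cols.items()}
            for tpl, cols in columns.items()}


def detect(model, events):
    """Detect deviations from the learned profile; return {token: [reasons]} to block/alert on."""
    decisions = defaultdict(list)
    for (token, tpl), f in features(events).items():
        reasons = []
        if f["honeypot"]:                       # no real client knows this path: flag on first hit
            reasons.append(f"touched honeypot path {tpl}")
        elif tpl not in model:
            reasons.append(f"unknown endpoint {tpl}")
        else:
            for name, value in (("count", f["count"]), ("ids", len(f["ids"]))):
                mean, sd = model[tpl][name]
                z = (value - mean) / sd if sd else (float("inf") if value > mean else 0.0)
                if z > Z_THRESHOLD:
                    reasons.append(f"{name}={value} on {tpl} is {z:.1f} sd above baseline")
        if f["fails"] >= AUTH_FAIL_THRESHOLD:
            reasons.append(f"{f['fails']} auth failures on {tpl}")
        if reasons:
            decisions[token].extend(reasons)
    return dict(decisions)


def _line(ts, token, method, path, status):
    return json.dumps({"ts": ts, "token": token, "method": method, "path": path, "status": status})


# Constructed "known good" window: clients read a few of their own orders, one of them logs in.
BASELINE_LOG = [_line(t, tok, "GET", f"/v1/orders/{oid}", 200) for t, (tok, oid) in enumerate([
    ("t-alice", 101), ("t-alice", 102), ("t-alice", 101),
    ("t-bob", 201), ("t-bob", 202), ("t-bob", 203), ("t-bob", 201),
    ("t-carol", 301), ("t-carol", 302),
    ("t-dave", 401), ("t-dave", 402), ("t-dave", 403), ("t-dave", 401), ("t-dave", 402),
    ("t-erin", 501), ("t-erin", 502), ("t-erin", 503)])] + [_line(20, "t-alice", "POST", "/v1/login", 200)]

# Constructed later window. No request carries an injection payload, so a WAF sees only clean traffic.
ATTACK_LOG = (
    [_line(100 + i, "t-alice", "GET", f"/v1/orders/{oid}", 200) for i, oid in enumerate([101, 102, 101])]
    # a valid (stolen) token walks sequential order IDs it has never touched: enumeration of other users' data
    + [_line(110 + i, "t-mallory", "GET", f"/v1/orders/{700 + i}", 200) for i in range(40)]
    + [_line(160, "t-mallory", "GET", "/v1/admin/export", 404)]
    # credential stuffing against the login endpoint
    + [_line(170 + i, "t-bf", "POST", "/v1/login", 401) for i in range(6)]
)

if __name__ == "__main__":
    model = learn_baseline(parse(BASELINE_LOG))
    for token, reasons in detect(model, parse(ATTACK_LOG)).items():
        print(f"BLOCK {token}: " + "; ".join(reasons))
```

Two things to notice when running it. Every request from t-mallory is authenticated and syntactically innocent, so the access-control and WAF layers pass it; only the comparison against what a token normally does on that endpoint (request count and spread of object IDs) makes it stand out. And the honeypot hit needs no baseline at all, which is why decoy endpoints are cheap to add and give a near-zero false-positive signal.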
PingIntelligence for APIs ® (architecture diagram: app servers and their APIs feed PingIntelligence, which provides API Discovery, Attack Blocking and Deep Reporting)
Zero Trust
• You can’t trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
• Client app, user, 3rd party identities
(diagram: GitHub leaking client secrets, phishing, stolen token, user data → <api>)
API Security + PingIntelligence
• Scalable Multi-Cloud API Platform
  ◦ Content Injection: JSON, XML, SQL, XSS
  ◦ Flow Control: throttling, metering, quota management
  ◦ Access Control: AuthN, AuthZ, tokens
• AI-Powered Threat Protection For APIs (PingIntelligence for APIs)
  ◦ Automated cyber-attack blocking: blocks stolen tokens/cookies, bad IPs, and API keys
  ◦ API deception and honeypots: instant hacking detection and blocking
  ◦ Deep visibility and reporting: monitor and report on all API activity
PingIntelligence Augments API Security
• API Gateways: API management, security policies
• Web Application Firewalls: OWASP Top 10 protection
• PingIntelligence for APIs: authenticated users, advanced attacks
Attack Landscape Summary
• API breaches go undetected for months or years
• Zero trust strategy for securing APIs is crucial
• Gartner: "by 2022, API abuses will be the most frequent attack vector that result in breaches"
• Many attacks can't be detected with traditional API security
• Help is here from PingIntelligence + API Gateways
API Security + WAF
API Security + WAF + PingIntelligence
Demo
Attacking a MuleSoft Security + WAF + PingIntelligence protected API
References and Documentation
• OWASP
  ◦ https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
  ◦ https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
  ◦ https://support.pingidentity.com/s/pingintelligence-for-apis-help
• PingIntelligence Integrations
  ◦ https://www.pingidentity.com/en/resources/downloads/pingintelligence.html
• Undisturbed REST
  ◦ https://www.mulesoft.com/lp/ebook/api/restbook
• API Security: Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
  ◦ https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html
• AWS API Gateway
  ◦ https://aws.amazon.com/api-gateway/
• MuleSoft Documentation
  ◦ API Manager: https://docs.mulesoft.com/api-manager/2.x/
  ◦ Anypoint Security: https://docs.mulesoft.com/anypoint-security/
Questions?

Speaker notes

  1. All of these phases are equally important. Only once you reach the management phase can you properly secure and monitor your API, but security must be at the forefront of each phase, not an afterthought.
  2. Once in the management phase, this is a typical process, so you can see that the management phase itself is not trivial. Managing and monitoring an API should be ongoing, but that does not mean you always need a human's eyes on glass.
  3. It is important to note that most people developing APIs are familiar with these security measures, but common API security mistakes still occur far too often:
     • Leaving an API open to the world (no security at all)
     • Not protecting data in transit
     • Security as an afterthought
     • Not assigning ownership
     • No plan or documentation for the API
     We can fix those mistakes by planning for security upfront and keeping it a primary focus through each development phase. These API security measures are the basics and should be implemented at a minimum.
  4. This is the next step in API security, beyond securing the API directly. It is securing against known vulnerabilities; the unknowns remain unknown. Google took 2.5 years to detect a breach.
  5. This is a typical "best practice" architecture. It is great for blocking many common attacks.
  6. The API train has left the station: all future value to customers will be routed through APIs in some way or another. Almost 50% of people purchased an API for security, and that is changing rapidly toward getting value out of it: exposing data, connecting systems, and so on. Digital transformation: guess who is equally excited about the open API world we like to paint a picture of? Hackers are!
  7. What is happening is a direct correlation between API growth and attacks. As APIs are created, the attack surface of systems and applications increases, and fingers get pointed at API practitioners.
  8. 2018 was not a great year, and 2019 has not been a great year either, for those tasked with protecting API infrastructures. Many major companies have been breached, including companies most consider to be at the forefront of the tech industry, such as Facebook and Google. First, it is very common that organizations and people do not feel confident in actually securing the APIs they are developing. This is an interesting point, because the line between security groups (infosec) and development groups in IT is blurry. Who owns APIs? Who is tasked with securing them? Who is in charge of documenting them? Who is in charge of sustainment and maintenance? Security teams argue they are not aware of all APIs, while developers argue they are not in charge of securing APIs. Over the last few years we have seen a formidable increase in both the velocity and the sophistication of cyber attacks on APIs. When you do a post-mortem on many of the recent attacks you find a few things in common: the majority of attacks come from authenticated users and from hackers who have reverse engineered the API. Reactive to proactive: we need to be thinking from this perspective.
  9. The average time to detection is flabbergasting (for Facebook 18 months, for Google 2 years). In the case of LocationSmart, a 3rd party API was being misused to identify the location of users from all the major telcos. It is hard to detect attacks, and many fly under the radar for long periods of time; API management is crucial here. Hackers are getting smarter and flying under the radar of many detection systems, with very advanced attacks where no two attacks are the same. Again, we must go from reactivity to proactivity.
  10. API security is not trivial; it is tough and nuanced, and when you think about it, it is almost a perfect dichotomy. As infosec professionals we wake up every day pursuing the task of protecting our organization's data, systems, and applications. Digital transformation initiatives around APIs do the exact opposite: they rapidly open up access to our data and applications to a wealth of new partners and customers. Only once you digest that fact do you begin to understand why API security is so challenging and complex. It is a true big data problem, seeking to find the needle in the haystack: many connections, many things happening, credential theft on the rise, not to mention that most malicious traffic and abuse comes from authenticated users.
  11. We can talk about API login and DDoS attacks and stolen accounts, but this is what we know; what we don't know is the scary part. Since hackers are getting smarter, APIs (even with the best practices of API security + WAF) are vulnerable. What we're really worried about here is that no two attacks are the same.
     API login and API DDoS attacks
     • Brute force login attacks
     • Stolen identifiers: cookies and tokens
     • API-specific DoS and API DDoS attacks
     Compromised account / insider attacks
     • Account takeover
     • Data theft
     • Application control
     Hackers using machine learning
     • Every attack looks different
     • Every blocked attack leads to a new attack
     …
  12. Can machine learning help? Yes. I imagine most everyone in the audience is familiar with UBA (user behavior analytics) in the context of threat detection. UBA is great but will perpetually fall short because human beings are innately unpredictable creatures. An API is starkly different from a human being: it is purpose built to do narrow tasks around pushing and pulling data and providing access to systems. So if you can leverage ML and AI to model and understand what normal behavior looks like on each of your APIs, it gives you a unique vantage point to identify all sorts of misbehavior and outright attacks coming from authenticated users. You are already collecting all of this data with your API gateway, so you might as well use it and mine it. Moreover, ML can identify a multitude of client identifiers and be used to block automatically.
  13. What is PingIntelligence for APIs? It provides 3 core benefits to infosec professionals and API practitioners. Visibility is key, and visibility from two perspectives. First, you can't protect what you don't know about, so we built a way to plug into your existing systems to auto-discover all APIs. Second, visibility is important to understand what is happening on your APIs after authentication has occurred and to understand changes in behavior over time. Then attack detection and blocking. And finally, self learning: gone are the days of having to rely on and build static rules and policies for each API.
  14. PingIntelligence sits in front of, or sidecar to, your APIs. It can integrate with many different API gateways, not just MuleSoft. Once connected to your API, you get the pillars of: API discovery in your environment; deep visibility and reporting; attack blocking; self learning and modeling of behavior.
  15. Zero trust: we don't trust anything. It eliminates the concept of trust: "never trust, always verify". It takes the stance that nothing is trustworthy and uses a check-and-verify process. With a proper zero trust architecture you set up a tight perimeter around your protection surface and validate who, what, when, where, why, and how. The zero trust policy determines who can cross the perimeter at any one time. 80% of today's data breaches are caused by misuse of privileged credentials.
  16. PingIntelligence is supplemental to API gateways such as MuleSoft; it is the last line of defense against advanced attacks. Has anyone heard of the martial art of judo? You use the strengths of your opponent against them. That's exactly what PingIntelligence does with hacker deception and honeypots: you can sprinkle honeypots throughout your API infrastructure and instantly detect and block threats across your environments.
  17. These 3 together are the best, most potent combination. You want to sleep well? You need all 3 components. It used to be that just the first two were needed, but now that attacks are becoming more sophisticated, the security must advance with them.
  18. Recap/summary slide.
  19. Compare API security + WAF to adding PingIntelligence on the next slide. You will see how lightweight and non-intrusive adding PingIntelligence is.
  20. PingIntelligence hooks into the API to monitor and model its behavior. The rest of the security setup is still recommended.