1. © Information Security Media Group · www.ismgcorp.com
The Inconvenient Truth
About API Security
Presented by
2.
About Information Security Media Group
• Focused on providing information security content, specifically for unique vertical industries
• Publish articles, interviews, blogs, regulation & guidance alerts, and whitepapers
• Educational webinars offered daily
Global network of 25 SITES
Subscribers from over 175 COUNTRIES
3.
Technical Support
(609) 356-1499 x115
Copyrighted Material
Used for individual study purposes only. If your institution is interested in using this, or any of Information Security Media Group’s presentations, as part of an overall information security program, please contact us at (800) 944-0401.
4.
About Our Sponsor
Distil Networks is the first easy and accurate way to defend your web applications against bad bots, API abuse and fraud.
To learn more, visit us at www.distilnetworks.com
5.
Rami Essaid
CEO and Co-Founder, Distil Networks
Distil Networks is the first easy and accurate way to identify and police malicious website traffic, blocking 99.9% of bad bots without impacting legitimate users. With over 12 years of telecommunications, network security, and cloud infrastructure management experience, Essaid continues to advise enterprise companies around the world, helping them embrace the cloud to improve their scalability and reliability while maintaining a high level of security.
6.
Rik Turner
IT Security Analyst, Ovum Research
Rik is a senior analyst on the Infrastructure Solutions team, focusing primarily on IT Security. Rik joined Ovum in January 2005 as European Bureau Chief of its ComputerWire daily IT news service, where he covered fixed, wireless, and mobile networking and security. In February 2007 he moved across to become an analyst on the Financial Services Technology team, initially covering retail banking and writing reports on online and branch banking; he subsequently developed a specialization in capital markets infrastructure. In mid-2008 his team was grouped under the Ovum brand as part of its IT analyst arm. At the beginning of 2014 Rik moved across to the Infrastructure Solutions team, focusing on IT Security.
7.
Shane Ward
Senior Director of Technology, GuideStar
As a nonprofit, GuideStar is committed to advancing transparency and driving innovation in the social sector. Ward leads a team that is responsible for data acquisition and distribution as well as architecture and technology strategy.
9.
Agenda
API Security Primer
Ovum Survey Results and Analysis
GuideStar’s Field Guide to API Security
Q & A
11.
APIs are fundamentally hard to protect
APIs are built to give developers a uniform interface to applications, and the same properties that make them convenient for a developer make them convenient for an abuser:
They allow easy access to data
Data is returned in a standardized format
They are generally self-documenting
They are built to run at scale
12.
This provides multiple vectors for abuse
API Malicious Usage
Third parties aggressively using the API to pull data beyond their contracted limits
API Developer Errors
API endpoints get hammered by runaway scripts or poorly designed interfaces
Web & Mobile API Hijacking
Hackers dissect how web and mobile apps interact with their APIs, then call those APIs directly, outside the app
Automated API Scraping
Malicious bots pull down online content and data within minutes, directly from the API
13.
Attackers distribute their attacks across multiple IP addresses
Bots that dynamically rotate IP addresses, or spread one attack across many addresses, are significantly harder to detect and mitigate
14.
Unfortunately, most API security solutions track usage by IP
This makes them blind to several key cases:
Server-sourced API clients are hosted by cloud providers that can cycle IPs at will
Mobile-application-sourced clients sit behind wireless carriers' proxy networks (many devices share an IP)
Web-browser-sourced clients can be behind a consumer ISP NAT, with one shared IP for many browsers
15.
Modern API governance should include...
Country and organization fencing
Token spamming prevention
Token distribution prevention
Dynamic access control lists
Advanced rate limiting
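To make the token-keyed approach of slides 13 to 15 concrete, here is an added example in Python; it is not code from the webinar, from Distil Networks or from GuideStar. It models the governance features listed above with a token-keyed sliding-window rate limit, a country fence per key, a token-distribution check (one key seen from too many source addresses within a window) and a token-spamming check (one source presenting too many distinct keys), and contrasts it with an IP-keyed limiter on the same traffic. The key names, address ranges, country mapping, thresholds and scenario traffic are all constructed for illustration; a real deployment would back the counters with a shared store and derive country from a GeoIP feed.

```python
"""Token-keyed API governance: sliding-window rate limiting, country fencing,
token-distribution and token-spamming checks. Added example with constructed
keys, address ranges and thresholds (hypothetical, not vendor or GuideStar code)."""
import ipaddress
from collections import defaultdict, deque

WINDOW = 60.0            # sliding window, seconds
MAX_REQ_PER_TOKEN = 100  # rate limit keyed by API token, not by source IP
MAX_IPS_PER_TOKEN = 5    # more distinct IPs than this per window: token distribution
MAX_TOKENS_PER_IP = 3    # more distinct tokens than this per window: token spamming

# Constructed lookup tables (hypothetical documentation ranges and keys).
PREFIX_COUNTRY = {ipaddress.ip_network("203.0.113.0/24"): "US",
                  ipaddress.ip_network("198.51.100.0/24"): "DE"}
TOKEN_POLICY = {"key-partner-a": {"US", "DE"},   # country fence per key
                "key-partner-b": {"US"}}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in PREFIX_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


def _slide(window, now):
    """Evict timestamps older than WINDOW; return the deque for the caller."""
    while window and now - window[0] >= WINDOW:
        window.popleft()
    return window


class IpLimiter:
    """Conventional limiter keyed by source IP: blind to rotating or shared IPs."""
    def __init__(self):
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        q = _slide(self.hits[ip], now)
        q.append(now)
        return len(q) <= MAX_REQ_PER_TOKEN


class TokenGovernor:
    """Limiter keyed by API token, plus fencing, distribution and spamming checks."""
    def __init__(self):
        self.hits = defaultdict(deque)       # token -> request timestamps
        self.token_ips = defaultdict(dict)   # token -> {ip: last_seen}
        self.ip_tokens = defaultdict(dict)   # ip -> {token: last_seen}

    @staticmethod
    def _prune(seen, now):
        for key, ts in list(seen.items()):
            if now - ts >= WINDOW:
                del seen[key]

    def check(self, token, ip, now):
        """Return (allowed, reason). Denied requests are still recorded, so a
        client that keeps hammering the API keeps pushing its counters up."""
        seen_tokens = self.ip_tokens[ip]               # 1. token spamming
        self._prune(seen_tokens, now)
        seen_tokens[token] = now
        if len(seen_tokens) > MAX_TOKENS_PER_IP:
            return False, "token_spam"
        if token not in TOKEN_POLICY:                  # 2. unknown token
            return False, "unknown_token"
        if country_of(ip) not in TOKEN_POLICY[token]:  # 3. country fence
            return False, "geo_fenced"
        seen_ips = self.token_ips[token]               # 4. token distribution
        self._prune(seen_ips, now)
        seen_ips[ip] = now
        if len(seen_ips) > MAX_IPS_PER_TOKEN:
            return False, "token_shared"
        q = _slide(self.hits[token], now)              # 5. token-keyed rate limit
        q.append(now)
        if len(q) > MAX_REQ_PER_TOKEN:
            return False, "rate_limited"
        return True, "ok"


def scenario_ip_rotation():
    """One key, 120 requests in under a minute, rotated over three cloud IPs.
    Returns (allowed by IP limiter, allowed by token governor, reasons)."""
    ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    ipl, gov, reasons = IpLimiter(), TokenGovernor(), defaultdict(int)
    ip_ok = tok_ok = 0
    for i in range(120):
        now, ip = i * 0.4, ips[i % 3]
        ip_ok += ipl.allow(ip, now)
        allowed, why = gov.check("key-partner-a", ip, now)
        tok_ok += allowed
        reasons[why] += 1
    return ip_ok, tok_ok, dict(reasons)


def scenario_shared_token():
    """A partner key leaks and is used from eight different US hosts."""
    gov = TokenGovernor()
    return [gov.check("key-partner-b", "203.0.113.%d" % (20 + i), float(i))[1]
            for i in range(8)]


def scenario_token_spam():
    """One host cycles through guessed keys."""
    gov = TokenGovernor()
    return [gov.check("guess-%d" % i, "198.51.100.7", float(i))[1]
            for i in range(10)]
```

Running the three scenario functions shows the point of slide 14: 120 requests from one key rotated across three cloud addresses pass the IP-keyed limiter untouched (40 per address) but are cut off at 100 by the token-keyed one; a leaked key used from more than five hosts in a window is flagged as shared; and one host cycling through guessed keys is cut off after its third distinct key. The order of the checks matters: the spamming check runs before token validation, so a guessing client is throttled rather than handed an oracle for valid keys.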
17.
API Security: A Disjointed Affair
Ovum surveyed 100 midsize to large companies across NA, EMEA and APAC, and in a wide range of verticals, about their use of APIs.
19.
The majority were running public APIs
51% said they were running APIs to enable an external developer community or ecosystem
67% said their APIs were designed to enable partner connectivity
20.
The majority are using an API management system
...and almost two thirds of those with an API management platform developed it in-house
Are you running an API management system?
Yes: 87%
No: 13%
22.
Those with rate limiting were spending a lot of time on it
23.
We then asked about other API security features, namely protection from...
API malicious usage
API developer error
Automated API scraping
Web and mobile API hijacking
26.
...and the stage at which IT security gets involved is frequently too late
27.
So the final, troubling statistic is...
21% of APIs go live without any input from security professionals regarding the potential risks to the organization that is publishing them
30.
About GuideStar’s APIs
GuideStar is the world’s largest source of information on nonprofit organizations
We collect, aggregate, and distribute data about nonprofit results, financials, operations, and more
Our data is made available through APIs that power workplace giving, donation disbursement, grants management, and charity validation applications
31.
Why do we care so much about API security?
Integrated into payment processing systems
Misuse can have serious consequences
Validation and verification services
Investment in curation and dissemination of data
Ensure our data is being used in a manner that is consistent with our values
32.
GuideStar technology stack
APIs hosted in GuideStar’s private cloud
Traditional data warehouse and datamart
NoSQL data repositories
APIs built on REST principles
Built our own middleware using open source
XML and JSON responses
Load balancers
WAF
Distil Networks for Bot Mitigation and API Security
33.
API security challenges
Only as secure as your least secure customer
“Node hopping” off load balancers
Round-robin vs. sticky session load balancing
Developer errors and runaway scripts
Data protection and security
API key mismanagement
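The "node hopping" and round-robin versus sticky-session points above, as an added example in Python (not GuideStar's code; node count, limit and client behaviour are constructed): each API node keeping its own rate-limit counter only ever sees the share of a token's traffic the load balancer hands it, so under round-robin a single key gets N times its limit through. Sticky sessions fix that only for a client that keeps its session cookie; a client that drops the cookie on every request is re-assigned each time and hops across nodes. A counter shared by all nodes (the `defaultdict` below is a stand-in for Redis or similar) closes both gaps.

```python
"""Per-node versus shared rate-limit counters behind a load balancer.
Added example; node count, limit and client behaviour are constructed."""
from collections import defaultdict
from itertools import cycle

LIMIT = 100  # requests allowed per token per window
NODES = 4


class LocalCounterNode:
    """Each API node counts only the traffic the balancer hands it."""
    def __init__(self):
        self.counts = defaultdict(int)

    def handle(self, token):
        self.counts[token] += 1
        return self.counts[token] <= LIMIT


class SharedCounterNode:
    """Every node increments one shared store (stand-in for Redis/memcached)."""
    def __init__(self, store):
        self.store = store

    def handle(self, token):
        self.store[token] += 1
        return self.store[token] <= LIMIT


class RoundRobin:
    """Plain round-robin: consecutive requests go to consecutive nodes."""
    def __init__(self, nodes):
        self.rr = cycle(nodes)

    def route(self, session):
        return next(self.rr)


class Sticky:
    """Sticky sessions: a request carrying a known session cookie returns to
    the node that issued it; a request with no cookie gets a fresh assignment."""
    def __init__(self, nodes):
        self.rr = cycle(nodes)
        self.sessions = {}

    def route(self, session):
        if session is None:
            return next(self.rr)
        if session not in self.sessions:
            self.sessions[session] = next(self.rr)
        return self.sessions[session]


def run(balancer, requests):
    """Feed (token, session_cookie) pairs through a balancer; count those allowed."""
    return sum(balancer.route(session).handle(token) for token, session in requests)


def compare(total=400):
    """One token sends `total` requests in one window under four setups."""
    cooperative = [("key-x", "sess-1")] * total   # client keeps its cookie
    hopping = [("key-x", None)] * total           # client discards the cookie each time
    results = {}
    results["round_robin_local"] = run(RoundRobin([LocalCounterNode() for _ in range(NODES)]), hopping)
    results["sticky_local_cooperative"] = run(Sticky([LocalCounterNode() for _ in range(NODES)]), cooperative)
    results["sticky_local_hopping"] = run(Sticky([LocalCounterNode() for _ in range(NODES)]), hopping)
    store = defaultdict(int)
    results["round_robin_shared"] = run(RoundRobin([SharedCounterNode(store) for _ in range(NODES)]), hopping)
    return results
```

With four nodes and a limit of 100, `compare()` lets all 400 requests through under round-robin with local counters and under sticky sessions against a hopping client, but stops at 100 for the cooperative sticky client and for the shared counter regardless of routing. The lesson for slide 34 follows directly: enforce token-keyed limits at a layer that sees all of a token's traffic, not in per-node state.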
34.
Lessons learned
Understand the technical capabilities of your API consumers
“Lightweight” approach vs. “heavy” API management suites
Map your business strategy to your API controls and segmentation strategy
Leverage machine learning and automation
Token-based over IP-based rate limiting
35.
Questions
Please use the following form for any questions or comments:
http://www.bankinfosecurity.com/webinar-feedback.php
Or contact us at: (800) 944-0401
36.
Thank You for Participating!