©2016 Apigee Corp. All Rights Reserved.
API Security?
No! APIs FOR Security!
Greg Brail
Agenda
What Happens to Insecure APIs
Fundamental API Security
Using Apigee Edge to Enforce Security
Advanced Security with Apigee Sense
No API Security?
I have an API!
But I Don’t Have an API!
Are you sure you don’t have an API?
Sources: Wired, 9/22/15; www.ifc0nfig.com, 1/5/15; troyhunt.com, 2/24/16
Everything with a URI has an API
Some API Security Breaches
Breach | Reason | Source
Buffer | Compromised third-party admin password; OAuth secret in GitHub | ProgrammableWeb
Snapchat | No authentication; no rate limit | Gibson Security
Multiple Kardashian apps | No authentication or authorization | Wired
MoonPig | No authentication or authorization | www.ifc0nfig.com
Facebook Graph API | Users can delete other users’ photos; improper authorization check | ProgrammableWeb
IRS GetTranscript application | Password reset mechanism relied on personal data | IRS
Instagram | Malicious app was stealing passwords; no approval process | Daily Dot
Nissan Leaf | VIN number was the only security credential on the API | Troy Hunt
Tesla Model S | Six-character password that’s easily guessable | Security Affairs, elsewhere
Nissan Leaf
• http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
• No authentication on some APIs
– Climate control, battery status
– Only the VIN is required
• User ID leaked by some of those APIs
Snapchat
• http://gibsonsec.org/snapchat/
• No rate limit on the request to look up friends by phone number
• Hard-coded encryption key
• Weak cipher
Mobile Banking Apps
• Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world
• More than 30% used non-TLS-encrypted links for at least part of the app
• Down from 90% two years ago
• Demonstrated JavaScript interception of some apps’ “login” page to gather passwords
Source: Ariel Sanchez, blog.ioactive.com
A South Asian Bank
• Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts
• Found many major flaws and one huge one
• All validation of account numbers for funds transfers was performed in the mobile app only, not on the server
Fundamental API Security
You Have an API
Simpler is Better
API vs. web app, property by property:
• Well-known URI pattern (a totally dynamic URI pattern is harder to test)
• Documented schemas (specified inputs and outputs can be tested)
• Well-known authentication model (haphazard authentication is hard to test)
• Well-known authorization model (haphazard authorization is hard to test)
• One way to secure all API calls (multiple implementations are hard to test)
Simpler Means More Secure
• Don’t agree? Let’s look at web apps:
– Cross-site scripting
– Insecure URIs in links
– Cross-site request forgery
– Insecure redirects
– Insecure third-party pages
– Insecure and malicious JavaScript
What Do Apigee Customers Do?
• 74% use OAuth
• 78% use Spike Arrest
• 72% use Threat Protection
What do Others Do?
• A wide variety of solutions out there
• 87% have “API management”
• 83% are “concerned” about API security
What You Need to Do
• Prevent unauthorized applications
• Prevent unauthorized users
• Prevent excessive traffic
• Prevent content attacks
• Watch for trouble
• React to trouble
APIs for Controlled Access
• APIs provide a controlled way for third parties to access a service
• Not having an API means that third parties will find another way
• For instance, JPMorgan Chase wrote in its annual report:
Prevent Unauthorized Applications
• Application authorization is a fundamental part of API security
– The best way to stop runaway applications
– The only option for certain types of apps (anonymous API access)
– A requirement for all forms of OAuth
• Best practices
– Use different credentials for each version of each app; that makes it easier to pull a bad version
– Hide the app credentials as best you can, but realize that they can still be stolen
– Have an approval process for apps
Follow OAuth Best Practices
• Use the “Authorization Code” grant for native apps, with PKCE (RFC 7636): a native app cannot keep a client secret, so the code verifier is what protects an intercepted authorization code
• Follow all the rules about CSRF (the state parameter), etc.
• Keep up with the IETF work here:
– https://tools.ietf.org/wg/oauth/
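The two rules above in working form, as an added example that is not part of the slides or of Apigee’s own code: a native client runs the Authorization Code grant with PKCE (S256) and a state value, and a minimal authorization server only redeems a code when the presented verifier hashes to the challenge it was issued with. The endpoint URLs, client ID, loopback redirect URI and in-memory stores are assumptions for illustration.

```python
# Added example (not from the slides): the Authorization Code grant for a
# native app, with PKCE (RFC 7636) and a state check. A native app cannot
# keep a client secret, so the code_verifier is what stops an attacker who
# intercepts the redirect from redeeming the authorization code. Endpoint
# URLs, client IDs and the in-memory stores are assumptions for illustration.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class NativeClient:
    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.pending = {}  # state -> code_verifier, one entry per login attempt

    def start_login(self, authz_endpoint: str) -> str:
        verifier = b64url(secrets.token_bytes(32))   # 43 chars of fresh entropy
        state = b64url(secrets.token_bytes(16))      # binds the callback to this attempt
        self.pending[state] = verifier
        return authz_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state,
            "code_challenge": s256(verifier), "code_challenge_method": "S256",
        })

    def handle_redirect(self, redirect_url: str) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self.pending.pop(q.get("state"), None)
        if verifier is None:
            raise ValueError("unknown state: login CSRF or replayed callback")
        return {"grant_type": "authorization_code", "code": q["code"],
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "code_verifier": verifier}


class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, authz_url: str) -> str:
        """Called after the user has authenticated and consented."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
        if q.get("code_challenge_method") != "S256":
            raise ValueError("S256 required; the 'plain' method is not acceptable")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, req: dict) -> dict:
        entry = self.codes.pop(req.get("code"), None)      # codes are single use
        if entry is None:
            raise PermissionError("invalid or already redeemed code")
        client_id, redirect_uri, challenge = entry
        if (client_id, redirect_uri) != (req.get("client_id"), req.get("redirect_uri")):
            raise PermissionError("code was issued to another client or redirect URI")
        if not hmac.compare_digest(s256(req.get("code_verifier", "")), challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow(steal_code: bool = False) -> bool:
    """End-to-end run. With steal_code=True an attacker who captured the
    redirect tries to redeem the code without the verifier. Returns whether
    a token was issued."""
    app = NativeClient("leaf-mobile", "http://127.0.0.1:8765/cb")   # loopback redirect
    server = AuthorizationServer()
    redirect = server.authorize(app.start_login("https://as.example/authorize"))
    token_req = app.handle_redirect(redirect)
    if steal_code:
        token_req = dict(token_req, code_verifier=b64url(secrets.token_bytes(32)))
    try:
        server.token(token_req)
        return True
    except PermissionError:
        return False


def forged_callback_rejected() -> bool:
    """A callback carrying a state the app never issued must be dropped."""
    app = NativeClient("leaf-mobile", "http://127.0.0.1:8765/cb")
    app.start_login("https://as.example/authorize")
    try:
        app.handle_redirect("http://127.0.0.1:8765/cb?code=attacker-code&state=forged")
        return False
    except ValueError:
        return True
```

The server refuses the `plain` challenge method, treats codes as single use, and checks client ID and redirect URI as well as the verifier, because a code stolen from one app must not be redeemable by another.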
Prevent Unauthorized Users
• Authenticate all end users for critical apps
– The only way to keep security credentials outside the app
• Only as good as your identity management
– For instance, dodgy password reset practices
– Can you get identity as a service?
Prevent Excessive Traffic
• Protect APIs that are vulnerable to brute force
– Validating passwords
– Validating anything
– Anything where the only ID is in a small space
• Protect from runaway applications
– Denial of service is also an attack
– Excessive usage may mean data is being harvested
– Not always an attack: developers make mistakes
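Brute force looks different at the two layers the slide names, so an added example (not from the slides, and not Apigee’s Spike Arrest or Quota policy) applies one sliding-window limiter per application credential and another per target identifier: the account being logged into, or a VIN-sized ID space. Paths, limits and app IDs are assumptions for illustration.

```python
# Added example (not from the slides): a sliding-window limiter applied at
# two layers, because brute force looks different at each one:
#  - per target (username, VIN, reset token ...): caps guesses against one
#    identifier even when the attempts are spread over many clients
#  - per application credential: catches a runaway or harvesting app no
#    matter what it is asking for
# Endpoint paths, limits and app IDs are assumptions for illustration.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)   # key -> timestamps still inside the window

    def allow(self, key, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False                    # over budget: answer 429, do not forward
        q.append(now)
        return True


class ApiGate:
    """Decides whether a request may reach the backend at all."""

    def __init__(self):
        self.per_app = SlidingWindowLimiter(limit=100, window=60)         # any traffic
        self.per_login_target = SlidingWindowLimiter(limit=5, window=300) # password checks
        self.per_vin_target = SlidingWindowLimiter(limit=20, window=3600) # small ID space

    def check(self, req: dict, now: float) -> int:
        """Returns the HTTP status the gateway would send; 0 means pass through."""
        if not self.per_app.allow(("app", req["app_id"]), now):
            return 429
        path = req["path"]
        if path == "/login":
            # Key on the *target* account, not the caller: a guesser that
            # rotates app credentials still gets 5 tries per account.
            if not self.per_login_target.allow(("login", req["body"]["user"]), now):
                return 429
        elif path.startswith("/vehicle/"):
            vin = path.split("/")[2]
            if not self.per_vin_target.allow(("vin", vin), now):
                return 429
        return 0


def simulate() -> dict:
    """Constructed traffic: a password guesser spread over three app
    credentials, then one app hammering a status endpoint."""
    gate = ApiGate()
    results = {"login_passed": 0, "login_blocked": 0, "runaway_blocked": 0}
    for i in range(12):   # 12 guesses at alice's password, one per second
        req = {"app_id": f"app-{i % 3}", "path": "/login",
               "body": {"user": "alice", "pw": f"guess{i}"}}
        if gate.check(req, now=float(i)) == 0:
            results["login_passed"] += 1
        else:
            results["login_blocked"] += 1
    for i in range(150):  # 150 calls inside 30 seconds from a single app
        req = {"app_id": "runaway", "path": "/status", "body": {}}
        if gate.check(req, now=100 + i * 0.2) == 429:
            results["runaway_blocked"] += 1
    return results
```

Only the first five guesses at the account get through, regardless of which app credential carried them, and the runaway app is cut off after its hundredth call in the minute; a real deployment would also back the counters with shared storage so that every gateway node sees the same window.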
Prevent Content Attacks
• Accepting JSON over the Internet?
– Excessive identifier length
– Excessive nesting
– Large arrays and elements
• Accepting XML over the Internet?
– All of the above, and more (entity expansion, external entities)
• Are you sure there can’t be SQL injection?
– Regular expression checks at the gateway screen out obvious payloads; parameterized queries in the backend are the real fix
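An added example (not from the slides, and not Apigee’s JSONThreatProtection or RegularExpressionProtection policy) of both checks: a single linear pass over the raw JSON text that enforces size, depth, string-length and array/object-size limits before the parser is allowed to recurse into it, followed by a regex screen over the string values of the parsed document. The limits and the injection pattern are assumptions chosen for illustration.

```python
# Added example (not from the slides): structural limits enforced on the raw
# JSON text before it is parsed, plus a regex screen for SQL injection in
# string values. Limits and the pattern are assumptions for illustration.
import json
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class JsonLimits:
    max_bytes: int = 64 * 1024
    max_depth: int = 12          # nested containers
    max_string_len: int = 512    # keys (identifiers) and string values alike
    max_array_len: int = 100
    max_object_keys: int = 100


def check_json_limits(text: str, limits: JsonLimits) -> Optional[str]:
    """One linear pass over the raw text: no recursion, no memory proportional
    to nesting. Returns a violation or None. Full grammar checking is left to
    json.loads(), which then only ever sees bounded input."""
    if len(text.encode("utf-8")) > limits.max_bytes:
        return "body too large"
    stack: List[list] = []          # [kind, comma_count] per open container
    in_string = escaped = False
    str_len = 0
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            else:
                str_len += 1
                if str_len > limits.max_string_len:
                    return f"string or key longer than {limits.max_string_len}"
            continue
        if ch == '"':
            in_string, str_len = True, 0
        elif ch in "[{":
            if len(stack) >= limits.max_depth:
                return f"nesting deeper than {limits.max_depth}"
            stack.append([ch, 0])
        elif ch in "]}":
            if stack:
                stack.pop()
        elif ch == "," and stack:
            stack[-1][1] += 1       # entries in a container = commas + 1
            is_array = stack[-1][0] == "["
            cap = limits.max_array_len if is_array else limits.max_object_keys
            if stack[-1][1] >= cap:
                return f"{'array' if is_array else 'object'} with more than {cap} entries"
    return None


# Illustrative screen for the payload shapes a gateway can reject outright.
# It is a tripwire, not a parser: parameterized queries remain the fix.
SQLI_PATTERN = re.compile(
    r"(?i)("
    r"\bunion\b\s+(all\s+)?\bselect\b"
    r"|\bdrop\s+table\b"
    r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"
    r"|;\s*(shutdown|exec)\b"
    r"|--[ \t]|/\*"
    r")"
)


def inspect_request(body: str, limits: Optional[JsonLimits] = None) -> List[str]:
    """Returns the list of reasons to reject the body; empty means accept."""
    limits = limits or JsonLimits()
    violation = check_json_limits(body, limits)
    if violation:
        return [violation]                  # never even parse it
    problems: List[str] = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and SQLI_PATTERN.search(node):
            problems.append(f"suspicious SQL in {path}")

    walk(json.loads(body), "$")
    return problems


# Constructed sample bodies (not real traffic).
BOMB = "[" * 5000 + "]" * 5000                         # would recurse 5000 deep
WIDE = json.dumps({"ids": list(range(1000))})          # oversized array
LONG_KEY = '{"' + "a" * 600 + '": 1}'                   # oversized identifier
INJECTED = json.dumps({"user": "admin' OR '1'='1", "note": "O'Brien"})
BENIGN = json.dumps({"user": "alice", "tags": ["a", "b"]})
```

The structural pass runs before `json.loads()` on purpose: the parser is the component a nesting bomb is aimed at, so it must only see input already known to be bounded. The regex deliberately lets `O'Brien` through; the cost of this layer is false positives, which is why it screens rather than replaces backend parameterization.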
Watch for Trouble
• Monitor the API
– Usage patterns
– Usage patterns by application
– Latency
– Error rate
• Monitor the world too
– Unusual tweets?
– Other social media?
React to Trouble
• Do you have application-level authentication?
– Revoke app credentials
– Change the rate limit
– Redirect the app to another URL
• No application-level authentication?
– Insert additional logic
– Worst case: shut down the API until it’s fixed
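The two slides above, monitoring usage patterns and error rate by application and then reacting to the application credential, as one added example that is not part of the slides and not Apigee analytics: per-app metrics are computed over constructed gateway log lines and mapped to revoke, throttle or alert. The log format, app names, thresholds and the policy dictionary are assumptions for illustration.

```python
# Added example (not from the slides): per-application monitoring over
# constructed gateway log lines, and the reactions the slides list once an
# application credential can be singled out. Log format, app names,
# thresholds and the POLICY dict are assumptions for illustration.
import re
from collections import defaultdict
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r"^(?P<ts>\d+) app=(?P<app>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<ms>\d+)ms$"
)

# Thresholds you would derive from your own baseline; fixed here for the demo.
POLICY = {
    "min_sample": 20,            # too few requests to judge an app
    "auth_fail_rate": 0.5,       # share of 401/403 that indicates guessing
    "requests_per_window": 100,  # volume that is abnormal for one app
    "enumeration_ratio": 0.5,    # distinct paths / requests: walking an ID space
    "p95_ms": 1000,              # latency worth a human look
}


def constructed_log() -> List[str]:
    """Synthetic gateway log for one time window (constructed, not real data)."""
    lines = []
    for i in range(30):    # ordinary mobile app: a few paths, the odd 404
        status = 404 if i % 15 == 14 else 200
        lines.append(f"{1000 + i * 2} app=shop-ios GET /products/{i % 6} {status} {40 + i % 7}ms")
    for i in range(300):   # harvesting: walks product IDs sequentially, all 200
        lines.append(f"{1000 + i // 5} app=partner-feed GET /products/{i} 200 35ms")
    for i in range(60):    # password guessing through a third-party widget
        lines.append(f"{1000 + i} app=promo-widget POST /login {200 if i == 59 else 401} 120ms")
    for i in range(20):    # slow but legitimate reporting job
        lines.append(f"{1000 + i * 3} app=reports GET /export 200 {900 + i * 10}ms")
    lines.append("garbage that the parser must skip")
    return lines


def parse(lines: Iterable[str]) -> List[dict]:
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            r = m.groupdict()
            r["status"], r["ms"], r["ts"] = int(r["status"]), int(r["ms"]), int(r["ts"])
            out.append(r)       # ts is kept for windowing in a real pipeline
    return out


def per_app_metrics(records: List[dict]) -> Dict[str, dict]:
    by_app = defaultdict(list)
    for r in records:
        by_app[r["app"]].append(r)
    metrics = {}
    for app, rs in by_app.items():
        n = len(rs)
        lat = sorted(r["ms"] for r in rs)
        metrics[app] = {
            "requests": n,
            "error_rate": sum(r["status"] >= 400 for r in rs) / n,
            "auth_fail_rate": sum(r["status"] in (401, 403) for r in rs) / n,
            "distinct_paths": len({r["path"] for r in rs}),
            "p95_ms": lat[int(0.95 * (n - 1))],
        }
    return metrics


def decide(metrics: Dict[str, dict], policy: dict = POLICY) -> Dict[str, str]:
    """Maps each suspicious app credential to the action to take on it."""
    actions = {}
    for app, m in metrics.items():
        if m["requests"] < policy["min_sample"]:
            continue
        if m["auth_fail_rate"] > policy["auth_fail_rate"]:
            actions[app] = "revoke"      # credential stuffing: pull the app key
        elif (m["requests"] > policy["requests_per_window"]
              and m["distinct_paths"] / m["requests"] > policy["enumeration_ratio"]):
            actions[app] = "throttle"    # data harvesting: lower its quota
        elif m["p95_ms"] > policy["p95_ms"]:
            actions[app] = "alert"       # not an attack, but someone should look
    return actions


def run() -> Dict[str, str]:
    return decide(per_app_metrics(parse(constructed_log())))
```

Every action here is keyed by the application credential, which is the point of the preceding slide: without application-level authentication the same detections still fire, but the only levers left are backend logic or switching the API off.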
Enforcing Security with Apigee Edge
Security is embedded into Apigee API Management
(Diagram: apps call the API management layer, with its management server, portal and analytics, in front of the back-end. Security capabilities called out on the diagram:)
• Access control: OAuth2, API key verification, IP access control, logging and auditing
• Threat protection: quota / spike arrest, SQL threat protection, JSON bomb protection, IP-based restrictions, bot detection
• Identity management and governance: RBAC management, IDM integration, global policies, user provisioning, AD / LDAP groups
• Data privacy: two-way TLS, southbound VPN, org boundaries, encryption, SOC 2 / PCI-DSS / HIPAA
Security by configuration
Advanced Security with Apigee Sense
API threats faced by customers today
• Threats are adaptive: they blend in with human behavior
• Bots can probe for API security weaknesses
• Competitors can scrape your price data
• Bots can be programmed for brute-force and denial-of-service attacks
• Bots can abuse guest accounts
• Bot traffic skews analytics and KPIs
• Bots create performance overhead for web operations
• Bots can use your API keys to access private APIs
What is Apigee Sense?
• A new adaptive API security product to prevent sophisticated bot attacks
• Detects threat patterns at the API layer, including bot attacks
• Enables you to take actions on the bots you find
Closed Loop Protection – Analyze, Detect, Protect
(Diagram: API clients call the API in front of the target services; traffic feeds machine-learning models and rules, findings appear in a dashboard, and are turned into actions (block, throttle, alert) and a blacklist built from your own traffic, system-wide data and purchased lists.)
Conclusion
• We saw lots of places where APIs were compromised
– Many of these had nothing to do with an “API”
• Biggest vulnerability is having an API and not realizing it
– Everything with a URL has an API
• Well-defined APIs can be secured
– Lots of widely-known techniques and technology
• A properly-secured API is verifiable
• Use it!
Thank you
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!
 
Adapt or Die: Serverless Microservices
Adapt or Die: Serverless MicroservicesAdapt or Die: Serverless Microservices
Adapt or Die: Serverless Microservices
 

Kürzlich hochgeladen

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Kürzlich hochgeladen (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Adapt or Die Sydney - API Security

1. API Security? No! APIs FOR Security!
Greg Brail
©2016 Apigee Corp. All Rights Reserved.

2. Agenda
• What Happens to Insecure APIs
• Fundamental API Security
• Using Apigee Edge to Enforce Security
• Advanced Security with Apigee Sense

3. No API Security?

4. I have an API!

5. But I Don't Have an API!

6. Are you sure you don't have an API?
Everything with a URI has an API
Sources: Wired, 9/22/15; www.ifc0nfig.com, 1/5/15; troyhunt.com, 2/24/16

7. Some API Security Breaches
Breach: reason (source)
• Buffer: compromised third-party admin password; OAuth secret in GitHub (ProgrammableWeb)
• Snapchat: no authentication; no rate limit (Gibson Security)
• Multiple Kardashian apps: no authentication or authorization (Wired)
• MoonPig: no authentication or authorization (www.ifc0nfig.com)
• Facebook Graph API: users could delete other users' photos; improper authorization check (ProgrammableWeb)
• IRS GetTranscript application: password reset mechanism relied on personal data (IRS)
• Instagram: malicious app was stealing passwords; no approval process (Daily Dot)
• Nissan Leaf: VIN number was the only security credential on the API (Troy Hunt)
• Tesla Model S: six-character password that's easily guessable (Security Affairs, elsewhere)

8. Nissan Leaf
• http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
• No authentication on some APIs
  – Climate control, battery status
  – Only VIN number required
• User ID leaked by some of those APIs

9. Snapchat
• No rate limit on the request to get friends by phone number
• Hard-coded encryption key
• Weak cipher
• http://gibsonsec.org/snapchat/

10. Mobile Banking Apps
• Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world
• More than 30% used non-TLS-encrypted links for at least part of the app
• Down from 90% two years ago
• Demonstrated JavaScript interception of some apps' "login" page to gather passwords
Source: Ariel Sanchez, blog.ioactive.com

11. A South Asian Bank
• Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts
• Found many major flaws and one huge one
• All validation of account numbers for funds transfers was performed in the mobile app only, not on the server
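The bank flaw on slide 11 is the same class of bug as the Facebook Graph API entry in the table on slide 7: the authorization check exists only in code the attacker controls. The Python below is an added example written for this page, not code from the deck or from any bank; the account numbers, users and balances are constructed test data. It puts a transfer handler that trusts the app's validation next to one that repeats the ownership check on the server, keyed by the identity the server itself established.

```python
# Constructed ledger: which accounts belong to which authenticated user.
ACCOUNTS = {
    "ACC-1001": {"owner": "alice", "balance": 500},
    "ACC-1002": {"owner": "alice", "balance": 50},
    "ACC-2001": {"owner": "bob", "balance": 900},
}

def fresh_accounts():
    """A private copy of the constructed ledger so each scenario starts clean."""
    return {number: dict(row) for number, row in ACCOUNTS.items()}

class TransferError(Exception):
    pass

def transfer_trusting_client(accounts, request):
    """Vulnerable: the server assumes the mobile app already verified that
    from_account belongs to the user.  The app is not the only possible client;
    whoever replays the HTTP call with another from_account moves someone
    else's money."""
    src = accounts[request["from_account"]]
    dst = accounts[request["to_account"]]
    src["balance"] -= request["amount"]
    dst["balance"] += request["amount"]
    return True

def transfer_checked_on_server(accounts, authenticated_user, request):
    """Hardened: every check is repeated on the server and keyed by the identity
    the server established during authentication, never by a request field."""
    amount = request.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        raise TransferError("amount must be a positive integer")
    src = accounts.get(request.get("from_account"))
    dst = accounts.get(request.get("to_account"))
    if src is None or dst is None:
        raise TransferError("unknown account")
    if src["owner"] != authenticated_user:
        # The ownership check the app performed locally, enforced where the
        # attacker cannot skip it.
        raise TransferError("from_account is not owned by the caller")
    if src["balance"] < amount:
        raise TransferError("insufficient funds")
    src["balance"] -= amount
    dst["balance"] += amount
    return True

def demo():
    """Bob, logged in as himself, submits a transfer out of Alice's account.
    Returns Alice's balance after the vulnerable handler, the hardened
    handler's verdict, and Alice's balance after the hardened handler."""
    hostile = {"from_account": "ACC-1001", "to_account": "ACC-2001", "amount": 400}
    ledger = fresh_accounts()
    transfer_trusting_client(ledger, hostile)
    alice_after_vulnerable = ledger["ACC-1001"]["balance"]
    ledger = fresh_accounts()
    try:
        transfer_checked_on_server(ledger, "bob", hostile)
        verdict = "allowed"
    except TransferError as e:
        verdict = str(e)
    return alice_after_vulnerable, verdict, ledger["ACC-1001"]["balance"]
```

The hardened handler also rejects the bad amounts a client-only check would never send on purpose (negative, zero, non-integer), since the server has no way to know which client it is talking to.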
12. Fundamental API Security

13. You Have an API

14. Simpler is Better
API:
• Well-known URI pattern
• Documented schemas
• Well-known authentication model
• Well-known authorization model
• One way to secure all API calls
Web App:
• Totally dynamic URI pattern is harder to test
• Specified inputs and outputs can be tested
• Haphazard authentication hard to test
• Haphazard authorization hard to test
• Multiple implementations hard to test

15. Simpler Means More Secure
• Don't agree? Let's look at web apps:
  – Cross-site scripting
  – Insecure URIs in links
  – Cross-site request forgery
  – Insecure redirects
  – Insecure third-party pages
  – Insecure and malicious JavaScript

16. What Do Apigee Customers Do?
• 74% OAuth
• 78% Spike Arrest
• 72% Threat Protection

17. What Do Others Do?
• A wide variety of solutions out there
• 87% have "API management"
• 83% are "concerned" about API security

18. What You Need to Do
• Prevent unauthorized applications
• Prevent unauthorized users
• Prevent excessive traffic
• Prevent content attacks
• Watch for trouble
• React to trouble

19. APIs for Controlled Access
• APIs provide a controlled way for third parties to access a service
• Not having an API means that third parties will find another way
• For instance, JPMorgan Chase wrote in its annual report:

20. Prevent Unauthorized Applications
• Application authorization is a fundamental part of API security
  – Best way to stop runaway applications
  – Only option for certain types of apps (anonymous API access)
  – Requirement for all forms of OAuth
• Best practices
  – Use different credentials for each version of each app; it makes it easier to pull a bad version
  – Hide the app credentials as best you can, and realize that they can still be stolen
  – Have an approval process for apps

21. Follow OAuth Best Practices
• Use "Authorization Code" for native apps
• Follow all rules about CSRF, etc.
• Keep up with the IETF work here:
  – https://tools.ietf.org/wg/oauth/
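An added example of the native-app flow slide 21 recommends, written for this page rather than taken from the deck or from Apigee: both sides of an authorization-code exchange, with a state parameter to bind the redirect to the app's own request (the CSRF rule) and PKCE (RFC 7636, a product of the IETF OAuth working group linked above) so that a code seen by another app on the device is useless without the verifier. The client ID, the loopback redirect URI and the user names are constructed; a real server additionally expires codes and persists its state.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(raw):
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Constructed authorization server with one registered public client."""
    def __init__(self):
        self.clients = {"native-app-1": "http://127.0.0.1:8765/callback"}  # client_id -> redirect_uri
        self.codes = {}                                                    # code -> what it was issued for

    def authorize(self, params, resource_owner):
        """The /authorize step, after the resource owner has logged in and consented."""
        redirect_uri = self.clients.get(params.get("client_id"))
        if redirect_uri is None or params.get("redirect_uri") != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("only the authorization code grant with S256 PKCE is accepted")
        if not params.get("state"):
            raise ValueError("state is required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                            "code_challenge": params["code_challenge"], "user": resource_owner}
        # state is opaque to the server and goes back to the client unchanged.
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """The /token step: the code is single use and bound to the client, the
        redirect_uri and the PKCE challenge that were presented at /authorize."""
        issued = self.codes.pop(form.get("code"), None)
        if issued is None:
            raise ValueError("invalid or already used code")
        if form.get("client_id") != issued["client_id"] or form.get("redirect_uri") != issued["redirect_uri"]:
            raise ValueError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(s256(form.get("code_verifier", "")), issued["code_challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "user": issued["user"]}

class NativeApp:
    """Constructed public client: it has no client secret, so state and PKCE carry the security."""
    client_id = "native-app-1"
    redirect_uri = "http://127.0.0.1:8765/callback"

    def start_login(self):
        self.state = secrets.token_urlsafe(16)            # ties the redirect to this request
        self.code_verifier = b64url(secrets.token_bytes(32))
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": self.state, "code_challenge": s256(self.code_verifier),
                "code_challenge_method": "S256"}

    def handle_redirect(self, url, server):
        qs = parse_qs(urlparse(url).query)
        if qs.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: this app did not request that redirect")
        return server.token({"grant_type": "authorization_code", "code": qs["code"][0],
                             "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                             "code_verifier": self.code_verifier})

def _attempt(fn):
    try:
        fn()
        return "accepted"
    except ValueError as e:
        return "rejected: " + str(e)

def demo():
    """Outcome of the legitimate flow and of three attacks against it."""
    srv, app, results = AuthorizationServer(), NativeApp(), {}
    results["login"] = app.handle_redirect(srv.authorize(app.start_login(), "alice"), srv)["user"]
    # 1. CSRF: the attacker feeds the app a redirect from the attacker's own session.
    foreign = srv.authorize(NativeApp().start_login(), "mallory")
    results["csrf"] = _attempt(lambda: app.handle_redirect(foreign, srv))
    # 2. Intercepted code: the attacker saw the redirect but not the verifier.
    redirect = srv.authorize(NativeApp().start_login(), "alice")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    results["intercepted"] = _attempt(lambda: srv.token({
        "code": code, "client_id": NativeApp.client_id,
        "redirect_uri": NativeApp.redirect_uri, "code_verifier": "not-the-real-verifier"}))
    # 3. Replay: a code that was already exchanged is refused.
    victim = NativeApp()
    redirect = srv.authorize(victim.start_login(), "alice")
    victim.handle_redirect(redirect, srv)
    results["replay"] = _attempt(lambda: victim.handle_redirect(redirect, srv))
    return results
```

The server never learns the verifier until the token request, and a failed exchange consumes the code, so an attacker who races the legitimate app gets nothing and also prevents the app from completing, which is the visible signal that something on the device is intercepting redirects.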
22. Prevent Unauthorized Users
• Authenticate all end users for critical apps
  – Only way to keep security credentials outside the app
• Only as good as identity management
  – For instance, dodgy password reset practices
  – Can you get identity as a service?

23. Prevent Excessive Traffic
• Protect APIs that are vulnerable to brute force
  – Validating passwords
  – Validating anything
  – Anything where the only ID is in a small space
• Protect from runaway applications
  – Denial of service is also an attack
  – Excessive usage may mean data is being harvested
  – Not always an attack: developers make mistakes
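Added example, not from the deck: a login endpoint with the two controls slide 23 asks for, a per-application spike arrest and a failure counter per target and per source address, so that a password check (or the Snapchat phone-number lookup and the Nissan VIN lookup from earlier slides, which are the same shape) cannot be brute-forced. In Apigee Edge the first layer is the Spike Arrest policy; here both layers are plain Python with the clock passed in so the behaviour can be checked without waiting. The rates, window, credential and app keys are constructed.

```python
import hmac
from collections import defaultdict, deque

class TokenBucket:
    """Spike arrest for one application: `rate` requests per second sustained,
    `burst` allowed at once.  `now` is passed in so the behaviour is testable."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.updated = float(burst), None

    def allow(self, now):
        if self.updated is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class FailureWindow:
    """Failed attempts per key (account, VIN, phone number, source address)
    within the last `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def _recent(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def locked(self, key, now):
        return len(self._recent(key, now)) >= self.limit

    def record(self, key, now):
        self._recent(key, now).append(now)

# Constructed credential store; a real one holds salted password hashes.
PASSWORDS = {"alice": "correct horse battery staple"}

class LoginAPI:
    def __init__(self):
        self.per_app = defaultdict(lambda: TokenBucket(rate=5, burst=10))
        self.per_account = FailureWindow(limit=5, window=300)
        self.per_source = FailureWindow(limit=50, window=300)

    def login(self, app_key, source_ip, username, password, now):
        """Returns (HTTP status, reason).  Both limits are checked before the
        password is looked at, so a locked target costs the attacker a request
        and tells them nothing about the credential."""
        if not self.per_app[app_key].allow(now):
            return 429, "spike arrest: application over its rate"
        if self.per_account.locked(username, now) or self.per_source.locked(source_ip, now):
            return 429, "too many failed attempts, try later"
        stored = PASSWORDS.get(username, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            return 200, "ok"
        self.per_account.record(username, now)
        self.per_source.record(source_ip, now)
        return 401, "invalid credentials"

def demo():
    """Status codes for six guesses at alice's password, the real password
    during and after the lockout, and the 11th request in one second from one app."""
    api = LoginAPI()
    codes = [api.login("app-key-A", "203.0.113.7", "alice", "guess%d" % i, now=1000 + i)[0]
             for i in range(6)]
    codes.append(api.login("app-key-A", "203.0.113.7", "alice", "correct horse battery staple", now=1007)[0])
    codes.append(api.login("app-key-A", "203.0.113.7", "alice", "correct horse battery staple", now=1400)[0])
    burst = LoginAPI()
    codes.append([burst.login("app-key-B", "198.51.100.9", "user%d" % i, "x", now=2000)[0]
                  for i in range(11)][-1])
    return codes
```

The per-account window is what stops a slow, distributed guess at one user; the per-source window stops one address spraying many users; the token bucket stops a single app key, compromised or merely buggy, from drowning the service regardless of what it sends.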
24. Prevent Content Attacks
• Accepting JSON over the Internet?
  – Excessive identifier length
  – Excessive nesting
  – Large arrays and elements
• Accepting XML over the Internet?
  – All that and more
• Are you sure there can't be SQL injection?
  – Regular expression checks
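Added example, not from the deck: the structural JSON checks slide 24 lists (body size, nesting depth, entries per container, string and identifier length) done by one pass over the raw text before the real parser sees it, so a JSON bomb is refused without ever being built in memory, plus a regular-expression screen for SQL-injection-shaped input. The limits and the pattern are constructed; the regex is a coarse screen to run in front of parameterised queries, not a substitute for them, and it will flag some legitimate text.

```python
import json
import re

# Constructed limits; set them from the largest legitimate request you expect.
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 10, "max_entries": 100, "max_string_length": 500}

def scan_json(text, limits=LIMITS):
    """Linear scan of the raw JSON text.  Returns a list of limit violations
    (empty means within limits).  Tracks container depth, entries per container
    and the length of every string, keys included, without building the
    document; grammar checking is left to the real parser afterwards."""
    violations = []
    if len(text.encode("utf-8")) > limits["max_bytes"]:
        violations.append("body exceeds %d bytes" % limits["max_bytes"])
    depth = max_depth = 0
    containers = []                     # [comma count, already reported] per open container
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                    # consume a string literal, honouring backslash escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            length = j - i - 1
            if length > limits["max_string_length"]:
                violations.append("string of %d chars at offset %d" % (length, i))
            i = j + 1
            continue
        if c in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
            containers.append([0, False])
        elif c in "}]":
            if containers:
                containers.pop()
                depth -= 1
        elif c == "," and containers:
            top = containers[-1]
            top[0] += 1
            if top[0] >= limits["max_entries"] and not top[1]:
                violations.append("container at depth %d has more than %d entries"
                                  % (depth, limits["max_entries"]))
                top[1] = True
        i += 1
    if max_depth > limits["max_depth"]:
        violations.append("nesting depth %d exceeds %d" % (max_depth, limits["max_depth"]))
    if containers:
        violations.append("unbalanced brackets")
    return violations

def parse_if_within_limits(text, limits=LIMITS):
    """Reject first, parse second: json.loads only runs once the scan is clean.
    Returns (parsed document or None, violations)."""
    violations = scan_json(text, limits)
    if violations:
        return None, violations
    return json.loads(text), []

# Coarse screen for SQL-injection-shaped input in parameters that must never
# reach a query builder.  Constructed pattern; tune it to your own inputs.
SQLI_PATTERN = re.compile(
    r"(?i)(\b(union|select|insert|update|delete|drop|exec|shutdown)\b\s|--|;|'\s*or\s+'?\d)")

def looks_like_sqli(value):
    return bool(SQLI_PATTERN.search(value))
```

The scan is deliberately dumber than a parser: it does not care whether the document is valid, only whether it is shaped like something that will hurt the parser, which is why it can run in linear time on input the parser would choke on. Commas and brackets inside strings are skipped, so a value like "{{{{" does not count as nesting.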
25. Watch for Trouble
• Monitor the API
  – Usage patterns
  – Usage patterns by application
  – Latency
  – Error rate
• Monitor the world too
  – Unusual tweets?
  – Other social media?

26. React to Trouble
• Do you have application-level authentication?
  – Revoke app credentials
  – Change rate limit
  – Redirect app to another URL
• No application-level authentication?
  – Insert additional logic
  – Worst case: shut down the API until it's fixed
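Added example covering slides 20, 25 and 26 together, not code from the deck or from Apigee Edge: a credential registry with a separate key per version of each app and an approval status, a per-key summary of constructed access-log lines (volume, error rate, latency, distinct resources touched), a detector for the patterns slide 25 names, and the revoke and throttle reactions of slide 26 applied to whatever the detector flags. The log format, thresholds, app names and keys are all constructed.

```python
from collections import defaultdict

# Constructed registry: one credential per version of each app, an approval
# status, and a per-key rate limit that operations can change at run time.
APP_KEYS = {
    "key-shop-ios-3.1":  {"app": "shop-ios",  "version": "3.1", "status": "approved", "rate_per_min": 600},
    "key-shop-ios-3.2":  {"app": "shop-ios",  "version": "3.2", "status": "approved", "rate_per_min": 600},
    "key-partner-x-1.0": {"app": "partner-x", "version": "1.0", "status": "pending",  "rate_per_min": 60},
}

def verify_app_key(key, registry=APP_KEYS):
    """Gate every call on the application credential: unknown, pending and
    revoked keys are refused before any business logic runs."""
    entry = registry.get(key)
    if entry is None:
        return False, "unknown application key"
    if entry["status"] != "approved":
        return False, "%s v%s is %s" % (entry["app"], entry["version"], entry["status"])
    return True, entry

# Constructed access log: timestamp, app key, HTTP status, latency (ms), method, path.
# Version 3.2 is walking through /v1/users/<id> and mostly getting refused.
ACCESS_LOG = """\
2016-03-01T10:00:01Z key-shop-ios-3.1 200 41 GET /v1/orders/me
2016-03-01T10:00:02Z key-shop-ios-3.1 200 38 GET /v1/catalog/items
2016-03-01T10:00:02Z key-shop-ios-3.2 403 12 GET /v1/users/1001
2016-03-01T10:00:02Z key-shop-ios-3.2 403 11 GET /v1/users/1002
2016-03-01T10:00:03Z key-shop-ios-3.1 500 210 POST /v1/orders
2016-03-01T10:00:03Z key-shop-ios-3.2 200 30 GET /v1/users/1003
2016-03-01T10:00:03Z key-shop-ios-3.2 403 12 GET /v1/users/1004
2016-03-01T10:00:03Z key-shop-ios-3.2 403 13 GET /v1/users/1005
2016-03-01T10:00:04Z key-shop-ios-3.1 200 44 GET /v1/orders/me
2016-03-01T10:00:04Z key-shop-ios-3.2 403 12 GET /v1/users/1006
2016-03-01T10:00:04Z key-shop-ios-3.2 403 11 GET /v1/users/1007
2016-03-01T10:00:04Z key-shop-ios-3.2 200 29 GET /v1/users/1008
2016-03-01T10:00:05Z key-shop-ios-3.2 403 12 GET /v1/users/1009
2016-03-01T10:00:05Z key-shop-ios-3.2 403 12 GET /v1/users/1010
2016-03-01T10:00:05Z key-shop-ios-3.1 200 40 GET /v1/catalog/items
2016-03-01T10:00:05Z key-shop-ios-3.2 403 11 GET /v1/users/1011
2016-03-01T10:00:06Z key-shop-ios-3.2 200 31 GET /v1/users/1012
"""

def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, key, status, latency, method, path = line.split()
            records.append({"ts": ts, "key": key, "status": int(status),
                            "latency_ms": int(latency), "method": method, "path": path})
    return records

def summarize(records):
    """Per application key: volume, error rate, mean latency and how many distinct
    resources were touched (harvesting shows up as many distinct resources)."""
    acc = defaultdict(lambda: {"requests": 0, "errors": 0, "latency": 0, "paths": set()})
    for r in records:
        s = acc[r["key"]]
        s["requests"] += 1
        s["errors"] += r["status"] >= 400
        s["latency"] += r["latency_ms"]
        s["paths"].add(r["path"])
    return {key: {"requests": s["requests"], "error_rate": s["errors"] / s["requests"],
                  "mean_latency_ms": s["latency"] / s["requests"], "distinct_paths": len(s["paths"])}
            for key, s in acc.items()}

def find_trouble(summary, min_requests=10, max_error_rate=0.5, max_distinct_ratio=0.8):
    """Keys with enough traffic to judge that are mostly failing, or that touch a
    new resource on almost every call (an enumeration signal).  Thresholds are constructed."""
    return sorted(key for key, s in summary.items()
                  if s["requests"] >= min_requests
                  and (s["error_rate"] > max_error_rate
                       or s["distinct_paths"] / s["requests"] > max_distinct_ratio))

def revoke(key, registry=APP_KEYS):
    registry[key]["status"] = "revoked"

def throttle(key, rate_per_min, registry=APP_KEYS):
    registry[key]["rate_per_min"] = rate_per_min

def demo():
    """Detect on the constructed log, revoke the flagged key on a copy of the
    registry, and report which keys still pass verification afterwards."""
    registry = {key: dict(entry) for key, entry in APP_KEYS.items()}
    flagged = find_trouble(summarize(parse_log(ACCESS_LOG)))
    for key in flagged:
        revoke(key, registry)           # pull the bad version; 3.1 keeps working
    return (flagged,
            verify_app_key("key-shop-ios-3.2", registry)[0],
            verify_app_key("key-shop-ios-3.1", registry)[0],
            verify_app_key("key-partner-x-1.0", registry)[0])
```

Because 3.1 and 3.2 hold different credentials, revoking the misbehaving release leaves users of the older release untouched, which is the reason slide 20 asks for a credential per version; with one shared key the only reactions left are the ones on the bottom half of slide 26.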
27. Enforcing Security with Apigee Edge

28. Security is embedded into Apigee API Management
[Diagram: Apps, API Management (Management Server, Portal, Analytics) and Back-end, with the security capabilities attached to each layer. Labels on the diagram: RBAC management, IDM integration, global policies, user provisioning, AD / LDAP groups; Quota/Spike Arrest, SQL threat protection, JSON bomb protection, IP-based restrictions, bot detection; data privacy, two-way TLS, API key, OAuth2; threat protection, identity management and governance; southbound VPN, IP access control, logging and auditing, org boundaries, encryption, SOC 2, PCI-DSS, HIPAA; access control, OAuth2, API key verification.]

29. Security by configuration

30. Advanced Security with Apigee Sense

31. API threats faced by customers today
• Threats are adaptive
  – They blend with human behavior
• Bots can probe for API security weaknesses
• Competitors can scrape your price data
• Bots can be programmed for brute-force and denial-of-service (DDoS) attacks
• Bots can abuse guest accounts
• Bot traffic skews analytics and KPIs
• Bots create performance overhead on web operations
• Bots can use your API keys to access private APIs

32. What is Apigee Sense?
• A new adaptive API security product to prevent sophisticated bot attacks
• Detects threat patterns at the API layer, including bot attacks
• Enables you to take actions on bots you find

33. Closed Loop Protection: Analyze, Detect, Protect
[Diagram: API clients, the API, and target services; API traffic feeds a dashboard and machine-learning models and rules, which drive an action (block, throttle or alert). Other labels on the diagram: Blacklist; Your Traffic; System-wide; Purchased.]

34. Conclusion
• We saw lots of places where APIs were compromised
  – Many of these had nothing to do with an "API"
• Biggest vulnerability is having an API and not realizing it
  – Everything with a URL has an API
• Well-defined APIs can be secured
  – Lots of widely-known techniques and technology
• A properly-secured API is verifiable
• Use it!

Editor's Notes

1. Main point: it is extremely easy to add API management capabilities to your microservices. Script: your developer just bundles the microgateway (Node.js code) with your microservices and uses the existing CI/CD process. In the background, you create standard security and traffic-management policies and proxy definitions in the cloud on the Apigee platform. The policies are automatically pushed to the microgateways in your environment. The microgateways sit inline with your API traffic and enforce the policies. In the background, the microgateway sends API traffic data to the Apigee cloud for analytics. You can now easily get insight into the usage of your APIs and microservices by developers and apps, performance issues, and real-time visibility into any issues.