Learn how to protect your digital assets from known external threats at the API layer. Secure your assets against threats such as SQL injection, malformed JSON payloads and application-level DoS. Protect your apps from cyber threats and bad bots with data-driven, enterprise-grade API security and Adaptive Threat Protection.
6. Are you sure you don’t have an API?
Wired, 9/22/15
www.ifc0nfig.com, 1/5/15
troyhunt.com, 2/24/16
Everything with a URI has an API
7. Some API Security Breaches
Breach | Reason | Source
Buffer | Compromised third-party admin password; OAuth secret in GitHub | ProgrammableWeb
Snapchat | No authentication; no rate limit | Gibson Security
Multiple Kardashian Apps | No authentication or authorization | Wired
MoonPig | No authentication or authorization | www.ifc0nfig.com
Facebook Graph API | Users can delete other users' photos; improper authorization check | ProgrammableWeb
IRS GetTranscript Application | Password reset mechanism relied on personal data | IRS
Instagram | Malicious app was stealing passwords; no approval process | Daily Dot
Nissan Leaf | VIN number only security credential on API | Troy Hunt
Tesla Model S | Six-character password that's easily guessable | Security Affairs, Elsewhere
9. Snapchat
• No rate limit on request to get friends by phone number
• Hard-coded encryption key
• Weak cipher
• http://gibsonsec.org/snapchat/
10. Mobile Banking Apps
• Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world
• More than 30% used non-TLS-encrypted links for at least part of the app
• Down from 90% two years ago
• Demonstrated JavaScript interception of some apps' "login" page to gather passwords
Ariel Sanchez, blog.ioactive.com
11. A South Asian Bank
• Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts
• Found many major flaws and one huge one
• All validation of account numbers for funds transfers was performed in the mobile app only – not on the server
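The flaw on this slide (transfer checks living only in the mobile app), as an added Node.js example that is not from the deck or the bank: a handler that trusts a client-supplied "validated" flag, beside one that re-validates every field on the server. The account numbers, balances and the 10-digit format rule are constructed for the example.

```javascript
// Constructed sample data: account number -> owner and balance (not real accounts).
const accounts = new Map([
  ["1000200030", { owner: "alice", balance: 500 }],
  ["1000200041", { owner: "bob", balance: 50 }],
]);

// VULNERABLE pattern (what the slide describes): the server assumes the mobile
// app already validated the transfer and only checks a client-supplied flag.
// Any client can forge the request body, including the "validated" flag.
function transferTrustingClient(body) {
  if (body.validated !== true) return { ok: false, error: "not validated" };
  accounts.get(body.from).balance -= body.amount;
  accounts.get(body.to).balance += body.amount;
  return { ok: true };
}

// HARDENED pattern: every field is re-checked on the server. `user` comes from
// the server's own session/token verification, never from the request body.
const ACCOUNT_FORMAT = /^\d{10}$/; // assumed format rule for this example
function transfer(user, body) {
  const { from, to, amount } = body;
  if (!ACCOUNT_FORMAT.test(String(from)) || !ACCOUNT_FORMAT.test(String(to)) || from === to) {
    return { ok: false, error: "invalid account number" };
  }
  if (!Number.isInteger(amount) || amount <= 0) {
    return { ok: false, error: "invalid amount" };
  }
  const src = accounts.get(from);
  // Authorization check: the debited account must belong to the caller. One
  // coarse error for "unknown" and "not yours" avoids account enumeration.
  if (!src || src.owner !== user) return { ok: false, error: "source not permitted" };
  const dst = accounts.get(to);
  if (!dst) return { ok: false, error: "unknown destination" };
  if (src.balance < amount) return { ok: false, error: "insufficient funds" };
  src.balance -= amount;
  dst.balance += amount;
  return { ok: true, balance: src.balance };
}

// Helper for inspecting state after a request.
function balanceOf(number) {
  return accounts.get(number).balance;
}
```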
Main Point
It is extremely easy to add API management capabilities to your microservices
Script
Your developers just bundle the microgateway (Node.js code) with your microservices and use the existing CI/CD process. In the background, you create standard security and traffic management policies and proxy definitions in the cloud on the Apigee platform. The policies are automatically pushed to the microgateways in your environment. Microgateways sit in line with your API traffic and enforce the policies.
In the background, the microgateway sends API traffic data to the Apigee Cloud for analytics. You can now easily get insights into usage of your APIs/microservices by developers/apps, performance issues, and real-time visibility into any issues.