Deep-Dive: API Security in the Digital Age

11,732 views

Published on

What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management?

Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can
- provide visibility for all security threats targeting their backend services
- control access to sensitive data - end-to-end
- enable developers to build secure apps with secure APIs
- facilitate secure access with partners and developers

Published in: Technology


  1. API Security in the Digital Age
     Subra Kumaraswamy, Apigee & Jason Kobus, Silicon Valley Bank
  2. youtube.com/apigee
  3. slideshare.net/apigee
  4. @Subrak
     Subra Kumaraswamy
     Jason Kobus, Silicon Valley Bank
  5. Agenda
     • API Security 101
     • Launching an API Platform for a regulated company
     • Key Takeaways
  6. Enterprise Security Requirements
     [Diagram: Apigee Management, Developer, API Team and IT Security around the requirements list; end-to-end security runtime path User → App/Device → Apigee Run-time → Backend]
     • API Threat Protection
     • Developer friendly security features – Secure SDLC
     • Threat protection by configuration
     • Identity and fine granular access control
     • Security for App and API Developers
     • Security by global policies – Separation of Duties
     • Security automation enabled by APIs
     • End-to-End security – at rest and in transit
     • OOB features for security and compliance management
  7. API Security Stakeholders
     • Product Manager: How can I release features with built-in security? How can I reduce the release cycle?
     • Business owner: How to reduce risk while expanding API exposure? How to meet compliance?
     • Ops: How do I enforce consistent security policy across APIs? What controls do I have to mitigate attacks like DoS?
     • API Developer: What options do I have to secure data at rest and in transit? How can I securely manage keys?
     • Security & Privacy Team: How do I manage the PII life cycle of data exposed via APIs? How do I govern APIs exposed to internal and external developers?
  8. The risk must be mitigated on several layers
     • Application Architecture (user and data mgmt)
     • Application Topology (zoning, protocols, …)
     • Operating System security (access control, patches, …)
     • Network security (firewall, topology, filtering, …)
     • API Security (auth* and backend sheltering)
     • Auditing, Monitoring, Processes (Data center, Development, Deployment)
     [Diagram marks the scope of API Security Deployment across these layers]
  9. Threat Modeling and API/infrastructure Design
     • Your APIs are vulnerable to the typical Web application security attacks – think OWASP Top 10 attacks
     • In addition you have to worry about:
       – API abuse via API key theft
       – Hackers reverse engineering Apps to access private APIs
       – Traffic spike protection by way of Bots or DoS attacks
       – Identity tracking across API sessions
       – XML/JSON injection type attacks
       – Token harvesting due to insecure communication or storage
  10. API Security Governance – Integrate into Life Cycle
      [Diagram: lifecycle phases Govern → Design → Develop → Secure → Deploy → Doc. → Test]
      • Support for open standards & protocols (e.g. SAML, OAuth, TLS, etc.)
      • Security & Access Control Policies – Authentication, Authorization, Transport level security
      • Input validation & vulnerability detection (XSS, CSRF, SQL injection, …)
      • Rate Limiting & Throttling
  11. Launching an API Platform for a regulated company
      {
        "Jason Kobus": {
          "role": "Director API Banking / Fintech Integration",
          "company": "Silicon Valley Bank",
          "credentials": {
            "current": ["CSPO", "CISSP", "CISA"],
            "former": ["CIA", "CISM", "CIPP", "Series 7", "PMP", "ISO 27001 LI"]
          },
          "mission": "Deliver secure financial APIs to make clients happy and extend reach / increase revenue"
        }
      }
      September 29, 2015
      DISCLAIMER: The content on this site, and comments made during the presentation, are my own and don't necessarily represent the positions, strategies, or opinions of Silicon Valley Bank.
  12. API Opportunity and Risk Management
      What are the biggest cyber-threats facing regulated financial entities today and on the horizon? How can organizations embrace innovation and an agile development culture while balancing time-to-market goals with the risk management mission?
      – Visibility
      – Data protection
      – API security
      – Partner integration
  13. Visibility
      • Risk Assessment:
        – OWASP/NIST for typical threats
        – Brute force: How strong are your keys?
      • Vulnerability assessment
      • Penetration testing
      • Packet Capture
      • Know your API operations:
        – What are they capable of?
        – Could they be exploited by fraudsters?
      "The first step in avoiding a trap is knowing of its existence!" -- Thufir Hawat, Dune
  14. Protect Sensitive Data
      • Avoid Data breaches, Partner with Privacy:
        – GLBA, HIPAA, PCI DSS, EU DPD, State laws, etc. == Compliance Complexity
      • Controls:
        – Network: SSL termination
        – Data protection strategy:
          • Avoid, Redact, Encrypt, Insure
          • Read-only/non-transact – more...
  15. API $ecurity
      • Vet your API gateway partner and leverage their security infrastructure, assurance, and experts.
      • Consider the worst case scenario – what if there is an event? Make sure your Legal understands.
      • API Authentication paradigms in financial services – "data aggregation" APIs used to pull account, balance, transaction data
        – User ID and password (challenge questions) = same creds as online banking
        – User ID and read-only PIN
        – OAuth
          • Enforce client security better
          • Where purpose and actual grant align
  16. Partner Integration
      • How to "Trust" your API partners:
        – Good vendor management – financials / SOC-2
        – Data sharing agreements
        – Work with partners to ensure end users get clear and unambiguous notice before they authorize the access
      UK report "Data sharing and open data in banking": https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/413766/PU1793_Open_data_response.pdf
  17. Security at Points of Engagement
      [Diagram: engagement points Users → Apps → Developers → APIs → API Team → Backend, with controls placed at each point]
      Controls shown (some appear at more than one point): Mutual TLS, IP Access control, RBAC, Identity & Access Mgmt., Audit, Spike Arrest, Rate Limits, Threat Protection, Intrusion Detection, DDoS, Access Block, Revoke, SSO, API key, OAuth2, TLS, MFA, Federated Login
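Slide 17 stacks several controls in front of the backend so a request is stopped at the first layer it fails. The following Python block is an added illustration (not code from the deck, and not Apigee's policy implementation) of such a chain: an IP allowlist, an API key check and a spike-arrest style limiter that smooths a per-minute rate into a minimum gap between requests. The networks, app name, key value and rate are constructed placeholders.

```python
import hmac
import ipaddress
import time

# Constructed sample configuration: placeholder networks and a placeholder key.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")]
VALID_API_KEYS = {"partner-a": "key-A-0123456789"}  # app name -> issued key


class SpikeArrest:
    """Spike-arrest style limiter: a rate of N per minute is smoothed to one
    request every 60/N seconds per client, so short bursts are cut even when
    a longer-window quota (rate limit) would still have capacity left."""

    def __init__(self, rate_per_minute):
        self.min_gap = 60.0 / rate_per_minute
        self.last_seen = {}  # client id -> monotonic time of last accepted request

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        last = self.last_seen.get(client_id)
        if last is not None and now - last < self.min_gap:
            return False  # rejected requests do not move the window
        self.last_seen[client_id] = now
        return True


def check_ip(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def check_api_key(app_name, presented_key):
    expected = VALID_API_KEYS.get(app_name)
    # Constant-time comparison so verification time does not depend on the key.
    return expected is not None and hmac.compare_digest(expected, presented_key)


def gateway_decision(request, limiter, now=None):
    """Apply the layers in order and return (allowed, reason); the first
    failing layer rejects, mirroring the per-point controls on the slide."""
    if not check_ip(request["src_ip"]):
        return False, "ip_access_control"
    if not check_api_key(request["app"], request["api_key"]):
        return False, "api_key"
    if not limiter.allow(request["app"], now):
        return False, "spike_arrest"
    return True, "ok"
```

A rate of 30 per minute yields a 2-second minimum gap, so a second request 0.5 s after an accepted one is rejected with reason "spike_arrest" while one 2 s later passes.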
  18. Key Takeaways
      • Follow the API Threat Model and build API security into your API products
      • Ensure identity and security controls at every point of the API lifecycle and integrate best practice into the SDLC
      • Gain visibility into API security risks and data sensitivity prior to deployment
      • Protect sensitive data – in transit and at rest
      • Layered Protection is key
  19. Thank you