SlideShare a Scribd company logo

Peeling the Onion: Making Sense of the Layers of API Security

M
Matt Tesauro

This document provides an overview of API security from multiple perspectives: API security posture, runtime security, and security testing. It discusses the complex API ecosystem involving various stakeholders. The document also outlines common API attack classes like DDoS, data breaches, and abuse of functionality. Finally, it provides key takeaways that APIs have complex interconnected systems, require coordination across teams, and need to be evaluated from different security perspectives.

Technology
1 of 34
Download to read offline
Peelingthe Onion Making Sense of the Layers of API Security
Tableofcontents Overview Quick overview of APIs in general 01 APISecurity Overview of API Security 02 APISecurityLandscape All the parts that make up the API ecosystem 03 APISecurityConcerns Items to consider when securing your API 04 Conclusion Key Takeaways 05
Overview 01 Quick overview of APIs in general
APISecurity I believe that API Security is different enough from ‘traditional’ AppSec that it needs special attention. I also believe that API use is only going to grow over time.
Who’sthisguy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
APIs areSimple… Wikipedia: An application programming interface (API) is a connection between computers or between computer programs.
APIs aresimplynotSimple XML-RPC, SOAP REST, gRCP, GraphQL Type Data Encoding: XML, JSON, binary (protobuf, thrift, …) INfra Transport HTTP(S), HTTP/2, HTTP/3, QUIC Load balancer, API Gateway, Control plane ● Product Teams ● Developers ● Network Admins ● InfoSec / AppSec ● API Gateway Admins ● Security Operations (SOC/IR) ● Mobile Teams Stakeholders
APILandscape https://apilandscape.apiscene.io/
APIBreadth anddepth Over time your APIs will grow: ● Breadth growth More and more API endpoints get added ● Depth growth APIs calls create calls to other APIs, rinse & repeat, especially for microservices
CardinalDirections& APIs North/South traffic ● Traffic from the client to an API usually through an API gateway ● Originates outside the ‘data center’ or VPC e.g. external East/West traffic ● Traffic between internal APIs frequently bypassing an API gateway ● Originates inside the ‘data center’ or VPC e.g. internal
A BetterDefinitionof an API From a security controls point of view, an API is really a combination of: ● Method ○ GET, POST, PUT, … ● Hostname ○ example.com ● Path ○ /v2/users/all GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
APISecurity 02 Overview of API Security
These arenotthe APISyou’relookingfor
APISecurityDefined For the purposes of this talk: API Security includes determining the state of security from the perspectives of: ● API Security Posture ● API Runtime Security ● API Security Testing (hopefully continuous)
APISecurityPosture Getting a broad, holistic view of your API landscape including: ● An inventory of every API (the security control definition) ○ Those going through an API gateway ○ Those not going through an API gateway / legacy ○ Internal APIs (east/west) ● Mapping of data going to and from the APIs ○ Classify data traversing the APIs ● Who, What, from Where ○ Who is calling the API? ○ What data are they sending/receiving? ○ Where did the call originate?
APIRuntimeSecurity Understanding the ‘normal’ operations of running APIs including: ● Watching / inspecting traffic to and from the API ○ Inline or out of band ○ Understand all types (REST, gRPC, GraphQL, …) ● Creating behavior based models of traffic for anomaly detection ○ Heuristic, ML, ‘AI’ modeling ○ Continual learning methods ● Thresholds for abnormal traffic, triggering alerts ○ Policies on sensitive or large volumes of data ○ Respond to alerts, manual, semi-auto or automatically ○ Blocking, geo-fencing, deny external traffic
APITesting Assess the security state of a running API ● DAST not SAST ○ SAST isn’t API specific so out of scope ○ Bonus points for continuous or CI/CD friendly ● Understand the APIs available methods ○ Swagger/OpenAPI spec files ○ Recorded traffic (http or other) ○ Automatic understanding based on traffic +1 ● Forwarding results to the right people ○ Issue tracker integrations e.g. Jira ○ Ability to see vulnerable requests/responses ○ Ability to re-test specific issue
APISecurity Landscape 03 All the parts that make up the API ecosystem
All the world’s a stage, and all the men and women merely players API stakeholders Wait, what?
Settingthestage
Breakingdownthelandscape WAF Stakeholders: Network Ops, AppSec, Product Teams, … Web App Stakeholders: Product Teams, AppSec, Marketing, … Mobile App Stakeholders: Mobile & Product Teams, AppSec, …
Breakingdownthelandscape IdP Stakeholders: Identity and Access, AppSec, InfoSec, … APIGateway Stakeholders: Gateway Admins, Product, AppSec, … APIs Stakeholders: Product Teams, AppSec, Marketing, …
Breakingdownthelandscape Cloud Stakeholders: Cloud Team, Product, AppSec, Finance, … SOC Stakeholders: IR Team, Product Team, InfoSec / AppSec, …
APISecurity Concerns 04 Items to consider when securing your API
APISecurityislike anonion, Lotsoflayers
AttackClasses DDOS - Distributed Denial Of Service ● Network DDOS ○ Traditional flood of traffic ○ Controls are fairly standardized ● HTTP Flood ○ Uses HTTP methods (GET, POST, …) ○ Mirrors legit traffic ○ Single client/customer ‘over consuming’ ● Application DOS ○ Consumption attacks (CPU, RAM, …) ○ Can be single or few requests ○ Lack of pagination Posture RUntime Testing
AttackClasses Data breach / leak attacks ● Internal services made public ○ Misconfiguration / Lack of API Gateway ○ Lack of Policy enforcement ● Excessive data exposure ○ Verbose API responses ○ Return full data objects, clients ‘filter’ ○ Injection attacks ● Auth-n and Auth-Z weakness ○ Allows account/token takeover ○ BOLA - Client can request others’ data Posture RUntime Testing
AttackClasses Abuse of Functionality ● Business Logic Flaws ○ Normal use-case, unintended use ○ Attackers use your API for their purpose ○ Automatic testing won’t find these ● Examples ○ Spamming using your API ○ Denial of Inventory - products in a cart ○ Carding - validate stolen card data ○ Ad Fraud / Evil SEO ● See “OWASP Automated Threat Handbook” Posture RUntime Testing
OWASP APITop10 Risk Posture Runtime Testing 01: Broken Object Level Authorization 02: Broken User Authentication 03: Excessive Data Exposure 04: Lack of Resource & Rate Limiting 05: Broken Function Level Authorization
OWASP APITop10 Risk Posture Runtime Testing 06: Mass Assignment 07: Security Misconfiguration 08: Injection 09: Improper Assets Management 10: Insufficient Logging & Monitoring
Conclusion 05 Key Takeaways
APIstakeholderSoup Product Team AppSec Onion Network Ops Mobile Team InfoSec IAM Team
Key Takeaways Complexity APIs seem simple on the surface but quickly become a complex collections of systems with many moving parts Perspectives API security has many perspectives which need to be taken into account when evaluating an API security program Coordination Beyond the multiple IT systems, secure APIs require tight coordination between many different teams Multifaceted Protecting APIs includes evaluation from the perspective of security posture, runtime security and testing
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon and infographics & images by Freepik THANKS! Doyouhave anyquestions? matt.tesauro@owasp.org https://www.linkedin.com/in/matttesauro/ @matt_tesauro

Recommended

Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 

Recommended

Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementBizTalk360
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?Apigee | Google Cloud
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesJimmy Attia
 
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays
 

More Related Content

What's hot

OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementBizTalk360
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 

What's hot (20)

OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API Management
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI Spec
 

Similar to Peeling the Onion: Making Sense of the Layers of API Security

Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesJimmy Attia
 
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays
 
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternVMware Tanzu
 
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...apidays
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...apidays
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API LandscapeMatt Tesauro
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwasN6
 
What It Takes to Build API Integrations
What It Takes to Build API IntegrationsWhat It Takes to Build API Integrations
What It Takes to Build API IntegrationsNordic APIs
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays
 
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG PortugalApidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugalapidays
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!Apigee | Google Cloud
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open StandardsAPIsecure_ Official
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIsWSO2
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs42Crunch
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...apidays
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 

Similar to Peeling the Onion: Making Sense of the Layers of API Security (20)

Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best Practices
 
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
 
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
 
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
What It Takes to Build API Integrations
What It Takes to Build API IntegrationsWhat It Takes to Build API Integrations
What It Takes to Build API Integrations
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
 
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG PortugalApidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
APIsecure 2023 - Discovery is the Starting Point for Defending APIs, Giora En...
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 

More from Matt Tesauro

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with ScissorsMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 

More from Matt Tesauro (20)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 

Recently uploaded

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Peeling the Onion: Making Sense of the Layers of API Security

  • 1. Peelingthe Onion Making Sense of the Layers of API Security
  • 2. Tableofcontents Overview Quick overview of APIs in general 01 APISecurity Overview of API Security 02 APISecurityLandscape All the parts that make up the API ecosystem 03 APISecurityConcerns Items to consider when securing your API 04 Conclusion Key Takeaways 05
  • 3. Overview 01 Quick overview of APIs in general
  • 4. APISecurity I believe that API Security is different enough from ‘traditional’ AppSec that it needs special attention. I also believe that API use is only going to grow over time.
  • 5. Who’sthisguy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
  • 6. APIs areSimple… Wikipedia: An application programming interface (API) is a connection between computers or between computer programs.
  • 7. APIs aresimplynotSimple XML-RPC, SOAP REST, gRCP, GraphQL Type Data Encoding: XML, JSON, binary (protobuf, thrift, …) INfra Transport HTTP(S), HTTP/2, HTTP/3, QUIC Load balancer, API Gateway, Control plane ● Product Teams ● Developers ● Network Admins ● InfoSec / AppSec ● API Gateway Admins ● Security Operations (SOC/IR) ● Mobile Teams Stakeholders
  • 9. APIBreadth anddepth Over time your APIs will grow: ● Breadth growth More and more API endpoints get added ● Depth growth APIs calls create calls to other APIs, rinse & repeat, especially for microservices
  • 10. CardinalDirections& APIs North/South traffic ● Traffic from the client to an API usually through an API gateway ● Originates outside the ‘data center’ or VPC e.g. external East/West traffic ● Traffic between internal APIs frequently bypassing an API gateway ● Originates inside the ‘data center’ or VPC e.g. internal
  • 11. A BetterDefinitionof an API From a security controls point of view, an API is really a combination of: ● Method ○ GET, POST, PUT, … ● Hostname ○ example.com ● Path ○ /v2/users/all GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
  • 14. APISecurityDefined For the purposes of this talk: API Security includes determining the state of security from the perspectives of: ● API Security Posture ● API Runtime Security ● API Security Testing (hopefully continuous)
  • 15. APISecurityPosture Getting a broad, holistic view of your API landscape including: ● An inventory of every API (the security control definition) ○ Those going through an API gateway ○ Those not going through an API gateway / legacy ○ Internal APIs (east/west) ● Mapping of data going to and from the APIs ○ Classify data traversing the APIs ● Who, What, from Where ○ Who is calling the API? ○ What data are they sending/receiving? ○ Where did the call originate?
  • 16. APIRuntimeSecurity Understanding the ‘normal’ operations of running APIs including: ● Watching / inspecting traffic to and from the API ○ Inline or out of band ○ Understand all types (REST, gRPC, GraphQL, …) ● Creating behavior based models of traffic for anomaly detection ○ Heuristic, ML, ‘AI’ modeling ○ Continual learning methods ● Thresholds for abnormal traffic, triggering alerts ○ Policies on sensitive or large volumes of data ○ Respond to alerts, manual, semi-auto or automatically ○ Blocking, geo-fencing, deny external traffic
  • 17. APITesting Assess the security state of a running API ● DAST not SAST ○ SAST isn’t API specific so out of scope ○ Bonus points for continuous or CI/CD friendly ● Understand the APIs available methods ○ Swagger/OpenAPI spec files ○ Recorded traffic (http or other) ○ Automatic understanding based on traffic +1 ● Forwarding results to the right people ○ Issue tracker integrations e.g. Jira ○ Ability to see vulnerable requests/responses ○ Ability to re-test specific issue
  • 18. APISecurity Landscape 03 All the parts that make up the API ecosystem
  • 19. All the world’s a stage, and all the men and women merely players API stakeholders Wait, what?
  • 21. Breakingdownthelandscape WAF Stakeholders: Network Ops, AppSec, Product Teams, … Web App Stakeholders: Product Teams, AppSec, Marketing, … Mobile App Stakeholders: Mobile & Product Teams, AppSec, …
  • 22. Breakingdownthelandscape IdP Stakeholders: Identity and Access, AppSec, InfoSec, … APIGateway Stakeholders: Gateway Admins, Product, AppSec, … APIs Stakeholders: Product Teams, AppSec, Marketing, …
  • 23. Breakingdownthelandscape Cloud Stakeholders: Cloud Team, Product, AppSec, Finance, … SOC Stakeholders: IR Team, Product Team, InfoSec / AppSec, …
  • 24. APISecurity Concerns 04 Items to consider when securing your API
  • 26. AttackClasses DDOS - Distributed Denial Of Service ● Network DDOS ○ Traditional flood of traffic ○ Controls are fairly standardized ● HTTP Flood ○ Uses HTTP methods (GET, POST, …) ○ Mirrors legit traffic ○ Single client/customer ‘over consuming’ ● Application DOS ○ Consumption attacks (CPU, RAM, …) ○ Can be single or few requests ○ Lack of pagination Posture RUntime Testing
  • 27. AttackClasses Data breach / leak attacks ● Internal services made public ○ Misconfiguration / Lack of API Gateway ○ Lack of Policy enforcement ● Excessive data exposure ○ Verbose API responses ○ Return full data objects, clients ‘filter’ ○ Injection attacks ● Auth-n and Auth-Z weakness ○ Allows account/token takeover ○ BOLA - Client can request others’ data Posture RUntime Testing
  • 28. AttackClasses Abuse of Functionality ● Business Logic Flaws ○ Normal use-case, unintended use ○ Attackers use your API for their purpose ○ Automatic testing won’t find these ● Examples ○ Spamming using your API ○ Denial of Inventory - products in a cart ○ Carding - validate stolen card data ○ Ad Fraud / Evil SEO ● See “OWASP Automated Threat Handbook” Posture RUntime Testing
  • 29. OWASP APITop10 Risk Posture Runtime Testing 01: Broken Object Level Authorization 02: Broken User Authentication 03: Excessive Data Exposure 04: Lack of Resource & Rate Limiting 05: Broken Function Level Authorization
  • 30. OWASP APITop10 Risk Posture Runtime Testing 06: Mass Assignment 07: Security Misconfiguration 08: Injection 09: Improper Assets Management 10: Insufficient Logging & Monitoring
  • 33. Key Takeaways Complexity APIs seem simple on the surface but quickly become a complex collections of systems with many moving parts Perspectives API security has many perspectives which need to be taken into account when evaluating an API security program Coordination Beyond the multiple IT systems, secure APIs require tight coordination between many different teams Multifaceted Protecting APIs includes evaluation from the perspective of security posture, runtime security and testing
  • 34. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon and infographics & images by Freepik THANKS! Doyouhave anyquestions? matt.tesauro@owasp.org https://www.linkedin.com/in/matttesauro/ @matt_tesauro