Mining API Traffic Metadata

Nov 6, 2019Download as PPTX, PDF1 like242 views

Lack of API visibility is a top security concern at many enterprises today. APIs that operate in disconnected silos produce inconsistent analytics and decentralized security. API traffic metadata mining is the new gold rush. Learn how mining and analysing this untapped resource leads to richer API insights and stronger threat detection and blocking.

1 Copyright ©2018 Ping Identity Corporation. All rights reserved.
Mining API Traffic
Metadata
Francois Lascelles
Office of the CTO
Ping Identity
2019 Platform Summit

WHAT IS API TRAFFIC METADATA?
API Clients
{API}
{API} {API}
{API}
API Endpoints
API Traffic
• Which resource
• Which token
• Which cookie
• Where from
• How big
• Latency
• Content type
• Errors
• Over time:
o Sequence
o How many
o …

WHO CARES?
API Traffic
metadata is the key
to addressing
1. an API visibility gap
2. an API security gap

THE “IMPLEMENTATION DETAIL”
PROBLEM
Only 6 people
know about this
API (it’s private)

BLINDSPOT – THE APIS NOT ON YOUR
RADAR
Organization’sAPIs
Old forgotten versions
Shadow APIs
“We’re not confident our
security team knows about
all of the APIs that exist in
our organization.”
- 51% of respondents
Ping Identity IDENTIFY 2018 Survey
Gartner: “Discover Your APIs
Before Attackers Discover
Them”
- Aug’19 API Security Report

BLINDSPOT – API SILOS
APIs are deployed across
heterogenous stacks and
environments each
providing separate visibility
and governance.
Organization’sAPIs
API Silos

HACKERS KNOW ABOUT YOUR APIS
Your API is either well documented or easily reverse-engineered

HACKERS USE YOUR API OUTSIDE OF YOUR
APP
AppUser API
Data
Service
ToolsHacker API
Data
Service
• Client-side rules skipped
• Unexpected and untested-for API
abuse scenarios
• Freedom to poke around and find
vulnerabilities
• More blindspots
skip
that
YOUR API CAN’T TELL THE
DIFFERENCE

BREACHES NOT DETECTED
Average Time to Detect First Breach
2018 Verizon DBIR

Persisting API Security Gaps
 Unexpected ”outside-the-
app” scenarios
 Deficit of available
expertise
 Real-time security focus
 Downstream
vulnerabilities
 Users (phish, password
reuse, insider threat)
 Clients that can’t keep
secrets
 Bearer tokens
Foundational API
security blindspots
External
Vulnerabilities
How to mitigate these persisting
vulnerabilities?

visibility gap
Addressing the
With API traffic metadata

EFFECTIVE API VS API CATALOGUES
API Management
API Traffic Metadata “Effective” APIs
API Catalogue

API METADATA ACROSS API SILOS
 Aggregate in a centralized data
lake
 Tapping wide
– API Gateways
– Load-balancers
– Cloud fronts
– Inline
– Service Filters
Load-balancer
Word

TAPPING DEEP
A Sideband api for
collecting api traffic
metadata
Collect Metadata
Downstream
Microservice,
Mesh layer
Metadata collection point

ENRICH METADATA WITH IDENTITY
CORRELATION
Show the username report video

security gap
Addressing the
By analyzing API traffic metadata

MITIGATE PERSISTING RISKS BY
LEVERAGING MACHINE LEARNING
MODEL
• Learn from API
traffic
• Build models:
APIs traffic from
legit apps
DETECT
• Inspect runtime
traffic
• Look for
deviations from
model
BLOCK
• Block compromised
tokens
• Notify/alert

API TRAFFIC METADATA IS PRECIOUS
AND UNDERUTILIZED
 API Visibility
– Effective API visibility
– De-siloed and enriched insights
 Security posture
– ML-based attack prediction and
remediation
 Legal
– Metadata is electronic equivalent of DNA
Deriving metadata from your existing
API traffic requires no heavy lifting

This document discusses the importance of API security testing. It notes that 56% of webinar attendees felt API security was very important to their organization, but only 12% were doing extensive security testing. It highlights some examples of security breaches caused by insecure APIs and recommends implementing API management solutions to protect against threats like unauthorized access, data exposure, and denial of service attacks. The document demonstrates how an API gateway can detect and block a SQL injection attack on a banking API. It emphasizes the importance of putting security protections in place for APIs and including testing in the development process.

[WSO2 Integration Summit London 2019] Identity and Access Management in an AP...WSO2

apidays LIVE Paris - Driving innovation through External APIs without putting...apidays

External APIs are driving unprecedented innovation across industries like e-commerce and fintech by automating processes, improving customer experiences, and enabling new business models. However, using third-party APIs also carries risks around security, compliance, and business continuity if not properly governed. The concept of "shadow APIs" - APIs used without an organization's knowledge - exacerbates these risks. To mitigate risks, organizations should detect all API dependencies, build an API knowledge base, integrate governance into development processes, and map all API data flows. Proper API governance is crucial, especially for external APIs over which organizations have less control.

apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays

apidays LIVE Hong Kong 2021 - API Ecosystem & Data Interchange August 25 & 26, 2021 Event-driven APIs & Schema governance for Apache Kafka Hugo Guerrero, APIs & Messaging Developer Advocate at Red Hat ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud

Open API and API Management - Introduction and Comparison of Products: TIBCO ...Kai Wähner

In October 2014, I had a talk at Jazoon in Zurich, Switzerland: "A New Front for SOA: Open API and API Management as Game Changer" Open API represent the leading edge of a new business model, providing innovative ways for companies to expand brand value and routes to market, and create new value chains for intellectual property. In the past, SOA strategies mostly targeted internal users. Open APIs target mostly external partners. This session introduces the concepts of Open API, its challenges and opportunities. API Management will become important in many areas, no matter if business-to-business (B2B) or business-to-customer (B2C) communication. Several real world use cases will discuss how to gain leverage due to API Management. The end of the session shows and compares API management products from different vendors such as TIBCO API Exchange, IBM, Apigee, 3scale, WSO2, MuleSoft, Mashery, Layer 7, Vordel

API Management Workshop (at Startupbootcamp Berlin)3scale

These are the slides from the API Management Workshop, held at the Startupbootcamp Berlin on October 17. We covered benefits of APIs for an organisation (regardless of size, sector, stage or purpose) and gave examples of successful deployment of APIs. We then described the typical API lifecycle: plan/design > build/integrate > operate/manage > share/engage. We covered many best practices and tools for each stage and gave practical demos about how to secure and manage APIs.

London Adapt or Die: Securing your APIs the Right Way!Apigee | Google Cloud

The document discusses securing APIs and presents examples of security issues with Snapchat, Nissan Leaf, and other APIs. It outlines approaches to API security used by large enterprises, distinguishing between internal and external APIs. The presentation emphasizes establishing security at multiple layers, with a focus on the API management layer. It provides examples of security measures like mutual TLS, rate limiting, input validation, OAuth 2.0, and monitoring for anomalies. Governance techniques like flow hooks are also presented. Live demos illustrate bot detection, proof of work, and extending OAuth with techniques like token binding and proof of key for JWTs.

Adapt or Die Sydney - API SecurityApigee | Google Cloud

Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...Apigee | Google Cloud

The document summarizes Accenture's Technology Vision for 2013, which identifies eight technology trends and discusses each trend from an API-centric perspective. The eight trends are relationships at scale, design for analytics, data velocity, seamless collaboration, software-defined networking, active defense, and beyond the cloud. For each trend, the document outlines the role and importance of APIs, such as how APIs power the app economy and unlock agility in virtualization. The vision is that every business will become a digital business where the API is the central product.

O'Reilly author webinar "APIs: A Strategy guide": Transforming Your Business...Apigee | Google Cloud

Is Your API Being Abused – And Would You Even Notice If It Was?Nordic APIs

APIs are a wonderful thing and bring many benefits, but by their very nature they are also a window into how your business operates. If someone can exploit your system for gain, they will. This presentation will give multiple real examples of API abuse in the wild, via methods such as data scraping, service misuse/cheating, unauthorized aggregation and fake account creation. How is it done, how are existing API controls bypassed, and what are the business implications? The audience will learn that API abusers are inventive and they use smart tools. The audience will also learn who some of these API abusers are, and may be surprised by the result. (Spoiler: they can be your customers!) Finally, some guidance will be given around what additional access controls can be put in place to ensure API based businesses continue to prosper.

APIs for... Your MomCarlo Longino

Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud

apidays LIVE Paris - Drawing the right lines: DDD, APIs and Microservices by ...apidays

API Security Webinar : Security Guidelines for Providing and Consuming APIsDevOps Indonesia

1) The document provides guidelines for securing APIs when providing and consuming services. It outlines evaluating API risks, securing ingress API connectivity, and mapping the OWASP API security risks to the ingress API development lifecycle. 2) The guidelines include five phases for ingress API connectivity: design, development, testing, implementation, and logging/monitoring. Each OWASP API security risk is mapped to elements within these phases. 3) APIs have become critical to modern applications, but many organizations' security measures have not kept up with requirements. Robust API security policies that span the entire development lifecycle are needed to securely provide and consume services.

apidays LIVE Paris - The State of SaaS Integration by Gertjan De Wildeapidays

The document discusses trends in SaaS integration and API standardization. It notes that the number of SaaS apps used by companies is growing significantly each year, driving demand for easier integration. API standards like OpenAPI are gaining adoption and helping improve integration. It recommends companies adopt a hybrid integration strategy using both native and third-party integrations. Focusing on the developer experience through SDKs, documentation, and events can help attract more developers to an API. The document predicts continued growth in areas like no-code/low-code platforms, embedded workflows, and compliance-focused APIs.

apidays LIVE New York 2021 - API design is where culture and tech meet each o...apidays

5 Tips for Scaling API GovernanceJohn Phenix

John Phenix proposes automating API governance at HSBC to improve the developer experience and ensure consistency. He outlines five tips: 1) Govern only real risks, not preferences; 2) Ensure governance scales with development; 3) Shift governance left to catch issues earlier; 4) Transition from reviewing correctness to reviewing appropriateness; 5) Automate as much as possible while still involving people. Phenix advocates a hybrid centralized-federated model and using tools to automate reviews, integrate with CI/CD, and provide dashboards. Example rules cover security, operations, and style standards.

[WSO2 API Day Toronto 2019] Extending Service Mesh with API ManagementWSO2

apidays LIVE JAKARTA - The modern digital with API Economy Ecosystems by Hari...apidays

apidays LIVE Australia 2021 - Leveraging Async APIs to deliver Cross Domain A...apidays

apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays

Api architectures for the modern enterpriseCA API Management

Extend your legacy SOA/ESB infrastructure to Mobile & IoT This webinar recording provides a use-case driven discussion around appropriate use of existing middleware infrastructure as well as its shortcomings. It dives deep into how APIs can not only complement an ESB or SOA infrastructure but also fill existing gaps. Watch this webinar recording to learn about: - Strengths and weaknesses of your existing ESB/SOA infrastructure - Architecture strategy: extend and add value to legacy middleware with APIs - Integration / API use cases in Retail, Manufacturing and Telecom - The API360 approach to digital strategy

Modernize Service-Oriented Architecture with APIsApigee | Google Cloud

apidays LIVE Hong Kong - The Business of APIs by Jed Ngapidays

The document discusses lessons from building the world's largest API marketplace. It summarizes that (1) API businesses are more valuable than software/SaaS businesses, (2) APIs have become a new business model as REST APIs surpassed SOAP APIs, and (3) the growth of public APIs will continue but providers risk being trapped in a "digital ocean". It also notes that developer experience needs to improve as API discovery, access, and management are challenging due to the number and diversity of APIs.

apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays

apidays London 2023 - APIs for Smarter Platforms and Business Processes September 13 & 14, 2023 APIs: The Attack Surface That Connects Us All Stefan Mardak Enterpise Security Architect, Principal at Akamai Technologies ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays

This document discusses the importance of API security and how AI can be used to augment API security. It notes that cyber threats are evolving quickly and becoming more sophisticated. API usage has increased access points for potential hackers. The document then outlines how the Accenture APIQ platform uses AI and machine learning for automated API assessment and security. It analyzes API configurations and behavior patterns to provide insights, detect anomalies, monitor APIs, and provide real-time remediation to protect digital assets.

More Related Content

What's hot (20)

API Management Workshop (at Startupbootcamp Berlin)3scale

London Adapt or Die: Securing your APIs the Right Way!Apigee | Google Cloud

Adapt or Die Sydney - API SecurityApigee | Google Cloud

Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...Apigee | Google Cloud

O'Reilly author webinar "APIs: A Strategy guide": Transforming Your Business...Apigee | Google Cloud

Is Your API Being Abused – And Would You Even Notice If It Was?Nordic APIs

APIs for... Your MomCarlo Longino

Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud

apidays LIVE Paris - Drawing the right lines: DDD, APIs and Microservices by ...apidays

API Security Webinar : Security Guidelines for Providing and Consuming APIsDevOps Indonesia

apidays LIVE Paris - The State of SaaS Integration by Gertjan De Wildeapidays

apidays LIVE New York 2021 - API design is where culture and tech meet each o...apidays

5 Tips for Scaling API GovernanceJohn Phenix

[WSO2 API Day Toronto 2019] Extending Service Mesh with API ManagementWSO2

apidays LIVE JAKARTA - The modern digital with API Economy Ecosystems by Hari...apidays

apidays LIVE Australia 2021 - Leveraging Async APIs to deliver Cross Domain A...apidays

apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays

Api architectures for the modern enterpriseCA API Management

Modernize Service-Oriented Architecture with APIsApigee | Google Cloud

apidays LIVE Hong Kong - The Business of APIs by Jed Ngapidays

API Management Workshop (at Startupbootcamp Berlin)3scale

London Adapt or Die: Securing your APIs the Right Way!Apigee | Google Cloud

Adapt or Die Sydney - API SecurityApigee | Google Cloud

Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...Apigee | Google Cloud

O'Reilly author webinar "APIs: A Strategy guide": Transforming Your Business...Apigee | Google Cloud

Is Your API Being Abused – And Would You Even Notice If It Was?Nordic APIs

APIs for... Your MomCarlo Longino

Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud

apidays LIVE Paris - Drawing the right lines: DDD, APIs and Microservices by ...apidays

API Security Webinar : Security Guidelines for Providing and Consuming APIsDevOps Indonesia

apidays LIVE Paris - The State of SaaS Integration by Gertjan De Wildeapidays

apidays LIVE New York 2021 - API design is where culture and tech meet each o...apidays

5 Tips for Scaling API GovernanceJohn Phenix

[WSO2 API Day Toronto 2019] Extending Service Mesh with API ManagementWSO2

apidays LIVE JAKARTA - The modern digital with API Economy Ecosystems by Hari...apidays

apidays LIVE Australia 2021 - Leveraging Async APIs to deliver Cross Domain A...apidays

apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays

Api architectures for the modern enterpriseCA API Management

Modernize Service-Oriented Architecture with APIsApigee | Google Cloud

apidays LIVE Hong Kong - The Business of APIs by Jed Ngapidays

Similar to Mining API Traffic Metadata (20)

apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays

apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...apidays

Layered Approach of API Security Strategies and its Business Impact Akansha Shukla, Security Domain Expert at ABN AMRO NL apidays Paris 2024 - The Future API Stack for Mass Innovation December 3 - 5, 2024 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...apidays

apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance April 21 & 22, 2021 Novel approaches in API security Dr Tal Steinherz, CTO at Syber.ai ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2

What do Google, Facebook, Paypal, IRS, T-mobile, and USPS have in common? Answer -- hackers used their APIs to access sensitive customer information. Although these API attacks were exposed, most API-based attacks go undetected these days. This deck will discuss today’s evolving API threat landscape and explore what you can do to both detect and block cyberattacks from authenticated users and hackers who have reverse engineered your API with an integrated solution from WSO2 and PingIntelligence.

WEBINAR: OWASP API Security Top 1042Crunch

WATCH WEBINAR: https://youtu.be/zTkv_9ChVPY In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: What makes API Security different from web application security The OWASP API Security Top 10 Real world breaches and mitigation strategies for each of the risks

How Secure Are Your APIs?Apigee | Google Cloud

A Look At API Economy Trends In 2024 - by Bill Doerrfeld, Nordic APIsNordic APIs

A presentation given by Bill Doerrfeld, Editor in Chief at Nordic APIs, at our 2024 Platform Summit, October 8-9 As in previous years, the API economy continues to evolve with new practices and exciting possibilities. In this presentation, I'll look at some of the most pressing trends in 2024, from API design to API business, that are affecting our niche (yet important) economy. I'll highlight some top API economy trends, like: - New description languages and specifications and what they're enabling. - The burgeoning role of AI in API design and management. - The state of API security breaches and novel vulnerabilities. - Platform engineering, cloud-native, and the role these have in enhancing developer experience. - Trends around documentation, SDKs, and how the API consumption experience is changing at large. - A look behind API-first models and the business drivers behind these initiatives. Attendees will leave this presentation with a lay of the API land as it stands in 2024, with insights garnered from industry reports and firsthand accounts. Furthermore, I intend to set the stage by providing a taste of the topics you can anticipate throughout this year's Platform Summit.

FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...JeremySnyder8

What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®United States Cybersecurity Institute (USCSI®)

apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays

APIdays London 2019 - Value in the API Economy: Insights from the world’s lar...apidays

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...APIsecure_ Official

OWASP API Security Top 10 - Austin DevSecOps Days42Crunch

In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: What makes API Security different from web application security The OWASP API Security Top 10 Real world breaches and mitigation strategies for each of the risks

Protecting Your APIs Against Attack & Hijack CA API Management

Secure Enterprise APIs for Mobile, Cloud & Open Web APIs present enterprises with many business opportunities but they also create new attack vectors that hackers can potentially exploit. APIs share many of the same threats that plague the Web but APIs are fundamentally different from Web sites and have an entirely unique risk profile that must be addressed. By adopting a secure API architecture from the beginning, it is possible to address both old and new threats. In this webinar, Scott Morrison – CTO at Layer 7 Technologies – will explain in detail how an enterprise can pursue its API publishing strategy without compromising the security of its on-premise systems and data. You Will Learn How APIs increase the attack surface What key types of risk are introduced by APIs How enterprises can mitigate each of these risks Why it is crucial to separate API implementation and security into distinct tiers Presented By Scott Morrison, CTO, Layer 7 Technologies

Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24

Intro to Azure Api Management - With CatsXamariners

This document provides an introduction to API management. It defines an API as a set of requirements that enables one application to communicate with another. A Web API is specified as using HTTP/HTTPS, being RESTful, and using JSON or XML. API management platforms provide services like authentication, analytics, policy enforcement, and developer engagement. They allow organizations to publish and manage APIs to external developers. The document discusses how APIs have enabled companies like Uber and Airbnb to build large businesses without direct ownership of core assets. It presents Azure API Management as an example of an API management platform and demonstrates its capabilities like provisioning, analytics, testing, policies, and security features.

F5-API-Security-Best-Practices.pdfFahmiDzikrullah

This document discusses API security best practices and considerations for protecting APIs. It notes that APIs have become fundamental to modern applications but also introduce security risks. Traditional security controls are often insufficient for APIs, which are vulnerable to attacks like those targeting web applications. The document recommends continuously monitoring APIs, implementing a positive security model, embracing zero-trust principles, and adapting security as application lifecycles change, in order to strengthen API security.

(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...Priyanka Aash

The session will focus on delivering the key trends in APIs, API Management Platform technologies and how it is driving the API economy. We will also discuss the key drivers for digital transformation initiatives which include wide acceptance of APIs in Industry 4.0, Connected Devices, Cloud and Payments industry. Next, we will talk about the top 10 security risks in APIs, API Management Platforms, APIs integrations with cloud platforms, IoT/OT devices integrations with third-party applications. Lastly, we will uncover the need for implementing the API security governance framework and how to measure the API security programme’ s success through this governance framework.

Outpost24 webinar - Api securityOutpost24

API 101 discusses how to secure web applications and APIs. APIs are used extensively in web and mobile applications to allow communication between services but this can introduce security weaknesses if not implemented properly. API attacks are a growing threat, with 90% of breaches targeting web applications and APIs projected to become the most common attack vector by 2022. The document outlines security best practices for securing APIs throughout the development lifecycle from design to testing to runtime, and how one company implemented API security testing to improve their compliance and privacy posture.

apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays

apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...apidays

apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...apidays

[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...WSO2

WEBINAR: OWASP API Security Top 1042Crunch

How Secure Are Your APIs?Apigee | Google Cloud

A Look At API Economy Trends In 2024 - by Bill Doerrfeld, Nordic APIsNordic APIs

FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...JeremySnyder8

What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®United States Cybersecurity Institute (USCSI®)

apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays

APIdays London 2019 - Value in the API Economy: Insights from the world’s lar...apidays

2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...APIsecure_ Official

OWASP API Security Top 10 - Austin DevSecOps Days42Crunch

Protecting Your APIs Against Attack & Hijack CA API Management

Outpost24 webinar Why API security matters and how to get it right.pdfOutpost24

Intro to Azure Api Management - With CatsXamariners

F5-API-Security-Best-Practices.pdfFahmiDzikrullah

(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...Priyanka Aash

Outpost24 webinar - Api securityOutpost24

More from Nordic APIs (20)

How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...Nordic APIs

A presentation given by Mikkel Iversen, Business Development Director at Redpill Linpro, at our 2024 Platform Summit, October 8-9. In this session we will demo a tool developed by Redpill Linpro to help you choose the right platform to support your API initiative. The evaluation model combines AI and our vast experience from the API and integration space to help you choose the platform that best suits your requirements.

Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...Nordic APIs

A presentation given by Sean Travis Taylor, Head of Platform at Redeem, at our 2024 Platform Summit, October 8-9. The ability for web services to adapt to changes is crucial for maintaining seamless integration and operational efficiency throughout the many services that stitch together commerce, work and play across the vastness of the Internet.Illustrated with a fictional case study from the ecommerce sector, this talk introduces an approach to achieving such adaptability through the use of self-describing messages: a method where each message carries all the required data and metadata necessary for processing, without relying on any external data handling or centralized knowledge.Our case study involves an ecommerce storefront that relies on data from a third-party vendor with a highly volatile API. Despite the vendor’s frequent API changes, our approach using self-describing messages ensures that the storefront maintains uninterrupted service, safeguarding both sales and customer experience. This example not only underscores the robustness of self-describing messages in handling API volatility but also highlights their role in preventing business disruptions and reducing the need for frequent developer interventions and cross-functional meetings.The session will also discuss major advantages of systems that incorporate self-describing messages like improved scalability and easier updates and upgrades without centralized data handling. By the conclusion of this talk, attendees will appreciate the strategic value of implementing self-describing messages to enhance service adaptability and maintain business operations in the face of constant change.

Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...Nordic APIs

A presentation given by Pubudu Gunatilaka, Senior Technical Lead at WSO2, at our 2024 Platform Summit, October 8-9. Cilium, an open-source, cloud-native solution using eBPF, can integrate with the Kubernetes Gateway API to significantly enhance API management with advanced networking, security, and observability features. It offers high-performance, programmable networking for modern cloud-native environments. This session will overview Cilium and the Kubernetes Gateway API, looking at current capabilities and how to use these technologies to enhance both north-south and east-west-style API management. Attendees will walk away with actionable advice for using state-of-the-art cloud-native tools to improve API management and a zero-trust security posture.

Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SENordic APIs

A presentation given by Manuel Ottlik, Product Owner for Global Integration Platform at HDI Global SE, at our 2024 Platform Summit, October 8-9. When it comes to integrating software, you can choose between synchronous integration, most often done through REST APIs, or asynchronous communication, often referred to as event-driven architectures. While the synchronous world is pleasantly simple, asynchronous communication still lacks interoperability in terms of protocols, brokers and registries. Going cloud-native with the CloudEvents project for common event metadata and xRegistry as an approach to standardising the management of this metadata in registries will increase this interoperability and ultimately make your life easier when working with event-driven architectures.

Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...Nordic APIs

A presentation given by Daniel Kocot, Head of API Consulting at codecentric AG, at our 2024 Platform Summit, October 8-9. The Post-OpenAPI Era in API design marks a pivotal shift towards innovative frameworks like Microsoft TypeSpec, TaxiLang, Fern, and Apple Pkl, offering solutions beyond OpenAPI’s constraints. This talk dives into how these frameworks transform API design, providing flexibility, expressiveness, and improved developer experiences. We’ll explore the features and advantages of each framework, demonstrating their potential to enhance API documentation, client generation, and collaborative design processes. Highlighting real-world case studies, we illustrate the positive impact on development speed, usability, and end-user satisfaction. Attendees will gain insights into integrating these frameworks into development workflows, understanding the future landscape of API development, and envisioning the possibilities this new era brings.

Using Typespec for Open Finance Standards - Chris Wood, Ozone APINordic APIs

A presentation given by Chris Wood, Principal Architect, Ozone API, at our 2024 Platform Summit, October 8-9. The development of API standards is critical to helping markets grow their open finance ecosystem. Standards bodies typically use OpenAPI to help create API standards, but their efforts can be accelerated by using compatible design tools like TypeSpec. In this talk we’ll uncover what it means to use TypeSpec for design-first standards development, and dig into the lessons learned from the approach.

Schema-first API Design Using Typespec - Cailin Smith, MicrosoftNordic APIs

A presentation given by Cailin Smith, Senior Software Engineer at Microsoft, at our 2024 Platform Summit, October 8-9. TypeSpec is a relatively new open source schema language coming out of Azure. In this talk, I will introduce you to the basics of using TypeSpec, and how apps.methodscript.com uses a Schema-First API design, allowing for developers to skip writing glue code, while maintaining a gigantic client support matrix, minimizing bugs, and speeding up API development.

Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, XnsioNordic APIs

A presentation given by Naresh Jain, Founder & CEO of Xnsio, at our 2024 Platform Summit, October 8-9. As we build more complex distributed Applications, the resilience of APIs can be the linchpin of application reliability and user satisfaction. This demo will delve into practical tools and techniques used to enhance the resilience of APIs. We will explore how we utilise API specifications for simulating various input data, network conditions and failure modes to test how well the API handles unexpected situations. Our demo will begin with an overview of API resilience — why it matters, and what it means to build robust APIs that gracefully handles flaky dependencies in real-world operations. We'll discuss the role of contract testing in achieving resilience and how to turn API specifications into executable contracts that can be continuously validated. We'll also cover how to integrate with CI/CD pipelines and practices to foster better collaboration between API stakeholders through shared understanding and executable documentation.

How to Build an Integration Platform with Open Source - Magnus Hedner, BenifyNordic APIs

A presentation given by Magnus Hedner, Manager of Integration Platforms at Benify, at our 2024 Platform Summit, October 8-9. The talk of the town is "the great unbundling". We've added "... using open source." There are a lot of tool vendors, offering complete bundles including all components you need (Yes I have worked with a few of those). But there is also an alternative, if you want to have full control of the components of your integration platform. This is a talk on how we have built an integration platform, comprising API gateways, an integration tool, security, monitoring, and how we tailor it to our needs.

API Design First in Practise – An Experience Report - Hari Krishnan, SpecmaticNordic APIs

A presentation given by Hari Krishnan, Co-founder & CTO at Specmatic, at our 2024 Platform Summit, October 8-9. API Design First requires that all stakeholders adhere to the spec that has been agreed. Come join me in this talk where I share our experience helping team instantly convert API specs into executable contracts to help them independently develop and confidently deploy their components. This approach of using API specs as executable contracts addresses several shortcomings associated with code generation based techniques we had tried in the past. I will also be sharing how we went about iterative API Design to allow for collaborative evolution of features. And mainly avoiding breaking compatibility during API evolution. Key takeaways: 1. API Specifications to API Tests in seconds – Also generative API coverage report (similar to code coverage, but for APIs) to verify adherence for API implementations 2. API Specifications as API Mocks 3. Backward Compatibility Testing – API Spec vs API Spec 4. Using Linters effectively 5. Extracting common API Specification elements and reusing them 6. Single source of truth for API specifications to promote collaboration between all stakeholders

The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...Nordic APIs

A presentation given by Sumit Amar, Vice President of Engineering at WEX , at our 2024 Platform Summit, October 8-9. In this session we will evaluate various data formats (JSON, XML, Protocol Buffers, and YAML), and discuss their pros and cons in varying scenarios. We will also evaluate how they pair with adequate data channels (HTTP/S, Binary over gRPC, gRPCweb in browsers, or Web Sockets). We will review various API use cases and map them with the right combination of data formats and channels for best performance, scalability, and maintainability.

Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...Nordic APIs

A presentation given by Per Lange, Founder at Cillers, at our 2024 Platform Summit, October 8-9. An API hackathon is an event where developers learn how to build something interesting on top of a specific company’s API. These gatherings are crucial for software companies targeting developers. Frequent API hackathons are particularly valuable because they quickly reveal and address fundamental platform issues. Getting the basics right is essential—a trait that distinguishes the world's fastest-growing tech companies. And with the next hackathon fast approaching, there's a renewed urgency within the CTO and product teams to address these persistent issues. This ensures that developers won't encounter the same problems at successive events. Additionally, API hackathons enhance product awareness and familiarity. When developers become acquainted with your technology and realize that your software significantly improves upon critical business use cases, many will switch to your solution. In this speech, Per Lange will detail how to run world-class API hackathons effectively and frequently.

Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...Nordic APIs

A presentation given by Dominic Lüchinger, Senior Platform Engineer at SIX Group, at our 2024 Platform Summit, October 8-9. APIOps is a methodology that combines GitOps and DevOps to streamline API management. Learn how it empowers product teams, ensuring regulatory compliance, reducing cognitive load, and accelerating time to market. Discover the power of shifting down with a self-service platform approach. Does your organization need a platform engineering team for this? With real-world examples and actionable insights, this session will enable you to bootstrap APIOps effectively in your organization to continuously improve your API offerings.

APIs Vs Events - Bala Bairapaka, Sandvik ABNordic APIs

A presentation given by Bala Bairapaka, Solution Architect Sandvik AB, at our 2024 Platform Summit, October 8-9. Event-Driven Architecture (EDA) and APIs (Application Programming Interfaces) offer distinct approaches to system design. EDA uses asynchronous communication where components emit and react to events, making it highly scalable and suitable for real-time applications like IoT and financial transactions, though it can be complex to manage. In contrast, APIs typically use synchronous communication with a request-response model, resulting in tighter coupling but easier implementation, ideal for CRUD operations and microservices. While EDA excels in scenarios requiring real-time processing and scalability, APIs are better suited for web services and applications needing straightforward, synchronous interactions. Understanding these differences can help you choose the right architecture for your project’s specific needs. In this talk I will highlight how EDA’s real-time processing can revolutionize industries by enabling instant data analysis and decision-making. Imagine the power of a system that can react to events as they happen, driving innovations in fields like IoT and financial services. You will learn the simplicity and ease of use of APIs, which can significantly speed up development and integration processes, allowing businesses to bring new features to market faster than ever before. I will share real-world examples to make these concepts tangible: how EDA powers high frequency trading platforms, ensuring transactions are executed in milliseconds, or how APIs streamline interactions in popular web services, making our daily digital experiences seamless. When I illustrate these practical applications, you’ll not only informed but also take inspired actions and learn transformative potential of choosing the right architecture for your projects.”

GraphQL in the Post-Hype Era - Daniel Hervas, Reckon DigitalNordic APIs

A presentation given by Daniel Hervás, Lead Engineer / Technical Coordinator at Reckon Digital, at our 2024 Platform Summit, October 8-9. Around 2019, the year of the creation of the GraphQL Foundation, GraphQL saw a huge boom in popularity and started getting mass adoption from API devs worldwide. Now, in 2024, other technologies and trends have taken the spotlight (crypto, LLMs, AI...), and the buzz around GraphQL APIs seems to have died down somewhat... so what happened to it? Is it still relevant? Should you be building a GraphQL API in 2024 if you want to be one of the cool kids? Mature, stale, boring, or still trendy and useful? In this talk, we'll go over the current state of the GraphQL ecosystem, what the community, through extended usage throughout these years, has found to be good and bad use cases for GraphQL, and in which situations it makes sense to expose a GraphQL API layer. This talk will be of interest to both technical and non-technical audiences.

From Good API Design to Secure Design - Axel Grosse, 42CrunchNordic APIs

A presentation given by Axel Grosse, Global Head of Presales at 42Crunch, at our 2024 Platform Summit, October 8-9. - How to fortify your APIs leveraging AI assistants and static and dynamic testing - 85% of enterprises acknowledge suffering an API attack in 2023. This practical session demonstrates how security and development teams can collaborate to improve the overall security posture of an API implementation. Attendees will learn how to test and harden their OpenAPI Description to support a rock solid runtime protection and in parallel how to find and fix vulnerabilities in code for secure end-to-end API delivery. During the session you’ll see how Static and Dynamic API test and assessments are run and learn how to utilize the Copilot API assistant to lend a helping hand with code remediation. How to fortify your APIs leveraging AI assistants and static and dynamic testing 85% of enterprises acknowledge suffering an API attack in 2023. This practical session demonstrates how security and development teams can collaborate to improve the overall security posture of an API implementation. Attendees will learn how to test and harden their OpenAPI Description to support a rock solid runtime protection and in parallel how to find and fix vulnerabilities in code for secure end-to-end API delivery. During the session you’ll see how Static and Dynamic API test and assessments are run and learn how to utilize the Copilot API assistant to lend a helping hand with code remediation.

API Revolution in IoT: How Platform Engineering Streamlines API Development -...Nordic APIs

A presentation given by Alina Astapovich & Gang Luo, Site Reliability Engineer & SRE Manager at Electrolux, at our 2024 Platform Summit, October 8-9. As the IoT landscape continues to expand rapidly, the role of APIs in managing and controlling connected devices becomes increasingly critical. At Electrolux, where we support over 10 million appliances globally, API development is essential for delivering meaningful digital experience to our consumers. In this talk, we dive into our journey of transforming API development through Platform Engineering at Electrolux Digital Experience Organization. We will look at the challenges we overcame, addressing critical aspects such as managing public and private APIs, implementing diverse security mechanisms, and enforcing API governance. Furthermore, we will explore strategies for enhancing developer experience through self-service API provisioning, empowering developers to innovate more efficiently. Join us to gain insights into how Platform Engineering has streamlined API development at Electrolux.

Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...Nordic APIs

A presentation given by Budhaditya Bhattacharya, Developer Advocate at Tyk, at our 2024 Platform Summit, October 8-9. By 2026, 80% of software engineering organizations are expected to have a platform engineering initiative, with APIs and API management platforms playing a key role in driving the platform engineering success. While this journey has already begun in several organisations, there are several questions that are being asked over and over again: What does a good API platform actually look like? Which KPIs should we pursue, and how would they translate into ROI? How are more mature API platform teams achieving their objectives? In this presentation, we will explore the answers to these questions through real-world case studies across industries. We will take a closer look at: The key metrics and KPIs they set out to achieve Challenges they faced Strategies they implemented to overcome them How you can apply these strategies to evolve your platform maturity

Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red HatNordic APIs

A presentation given by Hugo Guerrero, Sr. Principal Developer Advocate at Red Hat, at our 2024 Platform Summit, October 8-9. You're about to embark on a new adventure that incorporates GraphQL! Here's a filthy method for becoming a ten-time engineer: fake it until you make it! Mocking GraphQL allows you to better serve the business by providing clear descriptions of schemas, types, and examples. This also aids in the separation of front-end and back-end activities. Join this session to learn more about getting started with GraphQL mocking without having to worry about coding or constructing your own fake server.

Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...Nordic APIs

A presentation given by Ruben Sitbon, Lead Solution Architect at Theodo Fintech, at our 2024 Platform Summit, October 8-9. ChatGPT has changed the way people and companies perceive the value of artificial intelligence. Many startups have launched products with generative AI at their core, and innovative SaaS players have all integrated GenAI extensions or plugins, but it’s now clear that users will continue to expect bigger and better GenAI upgrades to the features of products they use on a daily basis. Ruben Sitbon describes how a framework relying on generative AI in-house APIs can be used to easily boost product features, and bundle security and continuous compliance.