SlideShare a Scribd company logo

Outpost24 webinar Why API security matters and how to get it right.pdf

Outpost24
Outpost24

In this webinar, our expert panel will discuss why continuous API security testing is critical to securing your applications and reducing risk of API hacking in the wild. We will provide best practice guidance to improve your API security posture through automated detection for vulnerabilities lurking in API endpoints, ensuring your application business is protected against abuse.

1 of 14
Download to read offline
Why API security matters and how to get it right 27th April 2022
2 Corey Ball Author Hacking APIs: Breaking Web Application Programming Interfaces Dan Barahona CMO and VP of Business Development, APIsec Simon Roe Application Security Product Manager at Outpost24 Speakers
Outpost24 Group leads to cyber risk reduction 3 Technology Assets Applications – website, CMS, shopping carts Critical data – PII and cardholder data Cloud infrastructure – AWS, Azure, Docker Endpoints – desktop, laptop, smartphone Data center – data storage, backup, recovery User access – password and credential Malware Ransomware kit Data breach Vulnerability exploits Phishing attempts Credential stuffing Crytojacking Cyber Threats Where can attackers gain access and disrupt, extort, or steal? Who are the attackers, who are they targeting, and what techniques do they use? Outpost24 Group uniquely bridges these domains with continuous risk assessment • Security assessment of all technology assets • Intelligence about threat actors and their methods of attack • Combined into the most effective prescriptive actions that reduce business risk at the least cost
What is an API? • Application programming interface • Governs the communication between services • Used in almost all web applications today • Segregation of front end and back end elements of an Application • Machine to Machine, Machine to human communication is evolving • You use them every day • Reports suggest 83% of web traffic passes through one or more API’s 4
APIs are everywhere APIs, microservices, CI/CD have transformed how apps are built and run 5 of all internet traffic is from APIs 83% of web app attack surface area are APIs 90% of breaches targeted web applications 90% APIs will become “most frequent attack vector” 2022
Why attackers target API layer APIs: •Direct access to sensitive data •Often “over-permissioned” •Vulnerable to logic flaws 6
Corey Ball 7
Simon Roe, sro@outpost24.com Thank you for attending Any questions?
1 API Exposure APIs are the pipelines that enable modern business APIs are a technological advancement that facilitates the transfer of one of the most valuable commodities, data. APIs are often the path of least resistance for data theft APIs expose programming logic and data to consumers. Unprotected APIs are an attack vector that can help an attacker bypass complex security infrastructure. Testing API security is the way to validate weaknesses. If you have the best developers, cybersecurity team, and tools the only way to provide assurance that your API is secure is to test the security controls in place.
2 Getting API Security Right API Defense in Depth • Ensure that security has a seat at the table • Document and Manage • Limit Access • Test Regularly • Monitor
1 Today’s Challenges with API Security Rapid migration to microservices and API-based applications Massive expansion in number of API endpoints Ever-widening attack surface of APIs Developers are closer to production changes than ever Changes can happen daily/hourly There is a wide gap between code releases and security testing Manual security testing requires skilled engineer and knowledge of application APIs very difficult to test manually – no UI, no standard workflows
2 API Breaches in the News API returned full transaction details. 200M transactions harvested. API allowed User A to access User B data. 60M accounts accessed. API required 6-digit code for account reset but did not prevent brute force. API breaches are result of logic flaws in application Unsecured API endpoint provided access to all 4M users. “The underlying cause of the bug was a missing logic validation check.”
3 Addressing API Security Leverage automation to create relevant security attack playbooks Test for logic flaws, not just common vulnerabilities or contract validation Maintain full test coverage as your APIs grow Security testing should be continuous Provides safety net to developers, prevents issues from getting to production Precisely matches security testing frequency with release cycles FUNCTIONAL SECURITY TESTING
4 Continuous, Automated API Testing • No source code access • Nothing to install • Nothing inline Zero Touch Deployment Endpoints Target API API Analyzer Attack Generator Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ad

Recommended

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays
 
7 Best Practices for Secure API Development .pdf
7 Best Practices for Secure API Development .pdf7 Best Practices for Secure API Development .pdf
7 Best Practices for Secure API Development .pdf
chrisbrown798789
 
7 Best Practices for Secure API Development .docx
7 Best Practices for Secure API Development .docx7 Best Practices for Secure API Development .docx
7 Best Practices for Secure API Development .docx
chrisbrown798789
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
Outpost24
 
apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...
apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...
apidays LIVE Singapore 2021 - Novel approaches in API security by Dr Tal Stei...
apidays
 
API SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas mauryaAPI SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas maurya
Krishna Murari
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
apidays
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
💻 Javier Garza
 
Best Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdfBest Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
United States Cybersecurity Institute (USCSI®)
 
F5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdfF5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdf
FahmiDzikrullah
 
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
JeremySnyder8
 
Comprehensive Guide on API Security Risks and Solutions for Developers
Comprehensive Guide on API Security Risks and Solutions for DevelopersComprehensive Guide on API Security Risks and Solutions for Developers
Comprehensive Guide on API Security Risks and Solutions for Developers
Neil Johnson
 
VSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service ProfileVSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service Profile
Vietnamese Network Security J.S.C
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
apidays
 
How to produce more secure web apps
How to produce more secure web appsHow to produce more secure web apps
How to produce more secure web apps
Damilola Longe, CISSP, CCSP, MSc
 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays
 
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
apidays
 
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICSA REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
IRJET Journal
 
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptxPerfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
30392csai
 
What is API Security and How Does It Keep Apps Safe_.pdf
What is API Security and How Does It Keep Apps Safe_.pdfWhat is API Security and How Does It Keep Apps Safe_.pdf
What is API Security and How Does It Keep Apps Safe_.pdf
CyberPro Magazine
 
Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystemOutpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24
 
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24
 
Ad

More Related Content

Similar to Outpost24 webinar Why API security matters and how to get it right.pdf (20)

apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
💻 Javier Garza
 
Best Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdfBest Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
United States Cybersecurity Institute (USCSI®)
 
F5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdfF5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdf
FahmiDzikrullah
 
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
JeremySnyder8
 
Comprehensive Guide on API Security Risks and Solutions for Developers
Comprehensive Guide on API Security Risks and Solutions for DevelopersComprehensive Guide on API Security Risks and Solutions for Developers
Comprehensive Guide on API Security Risks and Solutions for Developers
Neil Johnson
 
VSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service ProfileVSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service Profile
Vietnamese Network Security J.S.C
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
apidays
 
How to produce more secure web apps
How to produce more secure web appsHow to produce more secure web apps
How to produce more secure web apps
Damilola Longe, CISSP, CCSP, MSc
 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays
 
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
apidays
 
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICSA REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
IRJET Journal
 
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptxPerfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
30392csai
 
What is API Security and How Does It Keep Apps Safe_.pdf
What is API Security and How Does It Keep Apps Safe_.pdfWhat is API Security and How Does It Keep Apps Safe_.pdf
What is API Security and How Does It Keep Apps Safe_.pdf
CyberPro Magazine
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
💻 Javier Garza
 
Best Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdfBest Practices for Secure Web Application Development by Site Invention.pdf
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
United States Cybersecurity Institute (USCSI®)
 
F5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdfF5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdf
FahmiDzikrullah
 
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
FireTail at API Days Australia 2024 - The Double-edge sword of AI for API Sec...
JeremySnyder8
 
Comprehensive Guide on API Security Risks and Solutions for Developers
Comprehensive Guide on API Security Risks and Solutions for DevelopersComprehensive Guide on API Security Risks and Solutions for Developers
Comprehensive Guide on API Security Risks and Solutions for Developers
Neil Johnson
 
VSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service ProfileVSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service Profile
Vietnamese Network Security J.S.C
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
apidays
 
How to produce more secure web apps
How to produce more secure web appsHow to produce more secure web apps
How to produce more secure web apps
Damilola Longe, CISSP, CCSP, MSc
 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
apidays
 
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays Australia 2023 - 3 Simple Steps to Improve API Security, Carlos Rodri...
apidays
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
apidays
 
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICSA REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
IRJET Journal
 
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptxPerfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
Perfect_Cube_InfoSecaaaaaaaaaaaaaaaaaaaaaaaaaaaa.pptx
30392csai
 
What is API Security and How Does It Keep Apps Safe_.pdf
What is API Security and How Does It Keep Apps Safe_.pdfWhat is API Security and How Does It Keep Apps Safe_.pdf
What is API Security and How Does It Keep Apps Safe_.pdf
CyberPro Magazine
 

More from Outpost24 (20)

Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystemOutpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24
 
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24
 
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security ProgramOutpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24
 
Outpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theftOutpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theft
Outpost24
 
Outpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictionsOutpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24
 
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycleOutpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24
 
Outpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface managementOutpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface management
Outpost24
 
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24
 
Outpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technologyOutpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24
 
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast laneOutpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24
 
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24
 
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectorsOutpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24
 
Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystemOutpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24 webinar - A fresh look into the underground card shop ecosystem
Outpost24
 
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...
Outpost24
 
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security ProgramOutpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24 Webinar - Five steps to build a killer Application Security Program
Outpost24
 
Outpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theftOutpost24 webinar - How to protect your organization from credential theft
Outpost24 webinar - How to protect your organization from credential theft
Outpost24
 
Outpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictionsOutpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24 webinar : Beating hackers at their own game 2022 predictions
Outpost24
 
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycleOutpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
Outpost24
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24
 
Outpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface managementOutpost24 webinar: best practice for external attack surface management
Outpost24 webinar: best practice for external attack surface management
Outpost24
 
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24
 
Outpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technologyOutpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24 Webinar - CISO conversation behind the cyber security technology
Outpost24
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24
 
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast laneOutpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24
 
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24 webinar - Protecting Cezanne HR’s cloud web application with contin...
Outpost24
 
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectorsOutpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
Outpost24
 
Ad

Recently uploaded (20)

Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Ad

Outpost24 webinar Why API security matters and how to get it right.pdf

  • 1. Why API security matters and how to get it right 27th April 2022
  • 2. 2 Corey Ball Author Hacking APIs: Breaking Web Application Programming Interfaces Dan Barahona CMO and VP of Business Development, APIsec Simon Roe Application Security Product Manager at Outpost24 Speakers
  • 3. Outpost24 Group leads to cyber risk reduction 3 Technology Assets Applications – website, CMS, shopping carts Critical data – PII and cardholder data Cloud infrastructure – AWS, Azure, Docker Endpoints – desktop, laptop, smartphone Data center – data storage, backup, recovery User access – password and credential Malware Ransomware kit Data breach Vulnerability exploits Phishing attempts Credential stuffing Crytojacking Cyber Threats Where can attackers gain access and disrupt, extort, or steal? Who are the attackers, who are they targeting, and what techniques do they use? Outpost24 Group uniquely bridges these domains with continuous risk assessment • Security assessment of all technology assets • Intelligence about threat actors and their methods of attack • Combined into the most effective prescriptive actions that reduce business risk at the least cost
  • 4. What is an API? • Application programming interface • Governs the communication between services • Used in almost all web applications today • Segregation of front end and back end elements of an Application • Machine to Machine, Machine to human communication is evolving • You use them every day • Reports suggest 83% of web traffic passes through one or more API’s 4
  • 5. APIs are everywhere APIs, microservices, CI/CD have transformed how apps are built and run 5 of all internet traffic is from APIs 83% of web app attack surface area are APIs 90% of breaches targeted web applications 90% APIs will become “most frequent attack vector” 2022
  • 6. Why attackers target API layer APIs: •Direct access to sensitive data •Often “over-permissioned” •Vulnerable to logic flaws 6
  • 8. Simon Roe, [email protected] Thank you for attending Any questions?
  • 9. 1 API Exposure APIs are the pipelines that enable modern business APIs are a technological advancement that facilitates the transfer of one of the most valuable commodities, data. APIs are often the path of least resistance for data theft APIs expose programming logic and data to consumers. Unprotected APIs are an attack vector that can help an attacker bypass complex security infrastructure. Testing API security is the way to validate weaknesses. If you have the best developers, cybersecurity team, and tools the only way to provide assurance that your API is secure is to test the security controls in place.
  • 10. 2 Getting API Security Right API Defense in Depth • Ensure that security has a seat at the table • Document and Manage • Limit Access • Test Regularly • Monitor
  • 11. 1 Today’s Challenges with API Security Rapid migration to microservices and API-based applications Massive expansion in number of API endpoints Ever-widening attack surface of APIs Developers are closer to production changes than ever Changes can happen daily/hourly There is a wide gap between code releases and security testing Manual security testing requires skilled engineer and knowledge of application APIs very difficult to test manually – no UI, no standard workflows
  • 12. 2 API Breaches in the News API returned full transaction details. 200M transactions harvested. API allowed User A to access User B data. 60M accounts accessed. API required 6-digit code for account reset but did not prevent brute force. API breaches are result of logic flaws in application Unsecured API endpoint provided access to all 4M users. “The underlying cause of the bug was a missing logic validation check.”
  • 13. 3 Addressing API Security Leverage automation to create relevant security attack playbooks Test for logic flaws, not just common vulnerabilities or contract validation Maintain full test coverage as your APIs grow Security testing should be continuous Provides safety net to developers, prevents issues from getting to production Precisely matches security testing frequency with release cycles FUNCTIONAL SECURITY TESTING
  • 14. 4 Continuous, Automated API Testing • No source code access • Nothing to install • Nothing inline Zero Touch Deployment Endpoints Target API API Analyzer Attack Generator Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .