SlideShare a Scribd company logo

Peeling the Onion: Making Sense of the Layers of API Security

M
Matt Tesauro

This document provides an overview of API security from multiple perspectives: API security posture, runtime security, and security testing. It discusses the complex API ecosystem involving various stakeholders. The document also outlines common API attack classes like DDoS, data breaches, and abuse of functionality. Finally, it provides key takeaways that APIs have complex interconnected systems, require coordination across teams, and need to be evaluated from different security perspectives.

1 of 34
Downloaded 63 times
Peelingthe Onion Making Sense of the Layers of API Security
Tableofcontents Overview Quick overview of APIs in general 01 APISecurity Overview of API Security 02 APISecurityLandscape All the parts that make up the API ecosystem 03 APISecurityConcerns Items to consider when securing your API 04 Conclusion Key Takeaways 05
Overview 01 Quick overview of APIs in general
APISecurity I believe that API Security is different enough from ‘traditional’ AppSec that it needs special attention. I also believe that API use is only going to grow over time.
Who’sthisguy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
APIs areSimple… Wikipedia: An application programming interface (API) is a connection between computers or between computer programs.
APIs aresimplynotSimple XML-RPC, SOAP REST, gRCP, GraphQL Type Data Encoding: XML, JSON, binary (protobuf, thrift, …) INfra Transport HTTP(S), HTTP/2, HTTP/3, QUIC Load balancer, API Gateway, Control plane ● Product Teams ● Developers ● Network Admins ● InfoSec / AppSec ● API Gateway Admins ● Security Operations (SOC/IR) ● Mobile Teams Stakeholders
APILandscape https://apilandscape.apiscene.io/
APIBreadth anddepth Over time your APIs will grow: ● Breadth growth More and more API endpoints get added ● Depth growth APIs calls create calls to other APIs, rinse & repeat, especially for microservices
CardinalDirections& APIs North/South traffic ● Traffic from the client to an API usually through an API gateway ● Originates outside the ‘data center’ or VPC e.g. external East/West traffic ● Traffic between internal APIs frequently bypassing an API gateway ● Originates inside the ‘data center’ or VPC e.g. internal
A BetterDefinitionof an API From a security controls point of view, an API is really a combination of: ● Method ○ GET, POST, PUT, … ● Hostname ○ example.com ● Path ○ /v2/users/all GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
APISecurity 02 Overview of API Security
These arenotthe APISyou’relookingfor
APISecurityDefined For the purposes of this talk: API Security includes determining the state of security from the perspectives of: ● API Security Posture ● API Runtime Security ● API Security Testing (hopefully continuous)
APISecurityPosture Getting a broad, holistic view of your API landscape including: ● An inventory of every API (the security control definition) ○ Those going through an API gateway ○ Those not going through an API gateway / legacy ○ Internal APIs (east/west) ● Mapping of data going to and from the APIs ○ Classify data traversing the APIs ● Who, What, from Where ○ Who is calling the API? ○ What data are they sending/receiving? ○ Where did the call originate?
APIRuntimeSecurity Understanding the ‘normal’ operations of running APIs including: ● Watching / inspecting traffic to and from the API ○ Inline or out of band ○ Understand all types (REST, gRPC, GraphQL, …) ● Creating behavior based models of traffic for anomaly detection ○ Heuristic, ML, ‘AI’ modeling ○ Continual learning methods ● Thresholds for abnormal traffic, triggering alerts ○ Policies on sensitive or large volumes of data ○ Respond to alerts, manual, semi-auto or automatically ○ Blocking, geo-fencing, deny external traffic
APITesting Assess the security state of a running API ● DAST not SAST ○ SAST isn’t API specific so out of scope ○ Bonus points for continuous or CI/CD friendly ● Understand the APIs available methods ○ Swagger/OpenAPI spec files ○ Recorded traffic (http or other) ○ Automatic understanding based on traffic +1 ● Forwarding results to the right people ○ Issue tracker integrations e.g. Jira ○ Ability to see vulnerable requests/responses ○ Ability to re-test specific issue
APISecurity Landscape 03 All the parts that make up the API ecosystem
All the world’s a stage, and all the men and women merely players API stakeholders Wait, what?
Settingthestage
Breakingdownthelandscape WAF Stakeholders: Network Ops, AppSec, Product Teams, … Web App Stakeholders: Product Teams, AppSec, Marketing, … Mobile App Stakeholders: Mobile & Product Teams, AppSec, …
Breakingdownthelandscape IdP Stakeholders: Identity and Access, AppSec, InfoSec, … APIGateway Stakeholders: Gateway Admins, Product, AppSec, … APIs Stakeholders: Product Teams, AppSec, Marketing, …
Breakingdownthelandscape Cloud Stakeholders: Cloud Team, Product, AppSec, Finance, … SOC Stakeholders: IR Team, Product Team, InfoSec / AppSec, …
APISecurity Concerns 04 Items to consider when securing your API
APISecurityislike anonion, Lotsoflayers
AttackClasses DDOS - Distributed Denial Of Service ● Network DDOS ○ Traditional flood of traffic ○ Controls are fairly standardized ● HTTP Flood ○ Uses HTTP methods (GET, POST, …) ○ Mirrors legit traffic ○ Single client/customer ‘over consuming’ ● Application DOS ○ Consumption attacks (CPU, RAM, …) ○ Can be single or few requests ○ Lack of pagination Posture RUntime Testing
AttackClasses Data breach / leak attacks ● Internal services made public ○ Misconfiguration / Lack of API Gateway ○ Lack of Policy enforcement ● Excessive data exposure ○ Verbose API responses ○ Return full data objects, clients ‘filter’ ○ Injection attacks ● Auth-n and Auth-Z weakness ○ Allows account/token takeover ○ BOLA - Client can request others’ data Posture RUntime Testing
AttackClasses Abuse of Functionality ● Business Logic Flaws ○ Normal use-case, unintended use ○ Attackers use your API for their purpose ○ Automatic testing won’t find these ● Examples ○ Spamming using your API ○ Denial of Inventory - products in a cart ○ Carding - validate stolen card data ○ Ad Fraud / Evil SEO ● See “OWASP Automated Threat Handbook” Posture RUntime Testing
OWASP APITop10 Risk Posture Runtime Testing 01: Broken Object Level Authorization 02: Broken User Authentication 03: Excessive Data Exposure 04: Lack of Resource & Rate Limiting 05: Broken Function Level Authorization
OWASP APITop10 Risk Posture Runtime Testing 06: Mass Assignment 07: Security Misconfiguration 08: Injection 09: Improper Assets Management 10: Insufficient Logging & Monitoring
Conclusion 05 Key Takeaways
APIstakeholderSoup Product Team AppSec Onion Network Ops Mobile Team InfoSec IAM Team
Key Takeaways Complexity APIs seem simple on the surface but quickly become a complex collections of systems with many moving parts Perspectives API security has many perspectives which need to be taken into account when evaluating an API security program Coordination Beyond the multiple IT systems, secure APIs require tight coordination between many different teams Multifaceted Protecting APIs includes evaluation from the perspective of security posture, runtime security and testing
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon and infographics & images by Freepik THANKS! Doyouhave anyquestions? matt.tesauro@owasp.org https://www.linkedin.com/in/matttesauro/ @matt_tesauro
Ad

Recommended

AI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for ThoughtAI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for Thought
NUS-ISS
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
generative-ai-fundamentals and Large language models
generative-ai-fundamentals and Large language modelsgenerative-ai-fundamentals and Large language models
generative-ai-fundamentals and Large language models
AdventureWorld5
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
KPIs for APIs (and how API Calls are the new Web Hits, and you may be measuri...
KPIs for APIs (and how API Calls are the new Web Hits, and you may be measuri...KPIs for APIs (and how API Calls are the new Web Hits, and you may be measuri...
KPIs for APIs (and how API Calls are the new Web Hits, and you may be measuri...
John Musser
 
Continuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQubeContinuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQube
Emre Dündar
 
PostgreSQL 15 and its Major Features -(Aakash M - Mydbops) - Mydbops Opensour...
PostgreSQL 15 and its Major Features -(Aakash M - Mydbops) - Mydbops Opensour...PostgreSQL 15 and its Major Features -(Aakash M - Mydbops) - Mydbops Opensour...
PostgreSQL 15 and its Major Features -(Aakash M - Mydbops) - Mydbops Opensour...
Mydbops
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
MITRE ATT&CK
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessAppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
Robert Grupe, CSSLP CISSP PE PMP
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
MITRE ATT&CK
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays
 
Ad

More Related Content

What's hot (20)

OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
MITRE ATT&CK
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessAppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
Robert Grupe, CSSLP CISSP PE PMP
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
MITRE ATT&CK
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
MITRE ATT&CK
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessAppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
Robert Grupe, CSSLP CISSP PE PMP
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
MITRE ATT&CK
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 

Similar to Peeling the Onion: Making Sense of the Layers of API Security (20)

Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays
 
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
VMware Tanzu
 
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
apidays
 
APIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.ai
APIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.aiAPIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.ai
APIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.ai
Nordic APIs
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
Matt Tesauro
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
Vishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
Vishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
VishwasN6
 
What It Takes to Build API Integrations
What It Takes to Build API IntegrationsWhat It Takes to Build API Integrations
What It Takes to Build API Integrations
Nordic APIs
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG PortugalApidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
apidays
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs
WSO2
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays
 
Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...
apidays
 
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...
apidays
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
VMware Tanzu
 
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
apidays
 
APIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.ai
APIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.aiAPIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.ai
APIs SOS: A Tactical Guide to Detection and Response - Anjum Ahuja, Traceable.ai
Nordic APIs
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon...
apidays
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
Matt Tesauro
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
Vishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
Vishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
VishwasN6
 
What It Takes to Build API Integrations
What It Takes to Build API IntegrationsWhat It Takes to Build API Integrations
What It Takes to Build API Integrations
Nordic APIs
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG PortugalApidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
apidays
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs
WSO2
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays
 
Ad

More from Matt Tesauro (20)

DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
Matt Tesauro
 
DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
Matt Tesauro
 
Ad

Recently uploaded (20)

Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 

Peeling the Onion: Making Sense of the Layers of API Security

  • 1. Peelingthe Onion Making Sense of the Layers of API Security
  • 2. Tableofcontents Overview Quick overview of APIs in general 01 APISecurity Overview of API Security 02 APISecurityLandscape All the parts that make up the API ecosystem 03 APISecurityConcerns Items to consider when securing your API 04 Conclusion Key Takeaways 05
  • 3. Overview 01 Quick overview of APIs in general
  • 4. APISecurity I believe that API Security is different enough from ‘traditional’ AppSec that it needs special attention. I also believe that API use is only going to grow over time.
  • 5. Who’sthisguy? ● Reformed programmer & AppSec Engineer ● Noname Security - Distinguished Engineer, Noname Labs ● 14 years in the OWASP community ○ OWASP DefectDojo (core maintainer) ○ OWASP AppSec Pipeline (co-leader) ○ OWASP WTE (leader) ● 22+ years using FLOSS and Linux ● Currently a Go language fanboy ● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) ● Founder 10Security
  • 6. APIs areSimple… Wikipedia: An application programming interface (API) is a connection between computers or between computer programs.
  • 7. APIs aresimplynotSimple XML-RPC, SOAP REST, gRCP, GraphQL Type Data Encoding: XML, JSON, binary (protobuf, thrift, …) INfra Transport HTTP(S), HTTP/2, HTTP/3, QUIC Load balancer, API Gateway, Control plane ● Product Teams ● Developers ● Network Admins ● InfoSec / AppSec ● API Gateway Admins ● Security Operations (SOC/IR) ● Mobile Teams Stakeholders
  • 9. APIBreadth anddepth Over time your APIs will grow: ● Breadth growth More and more API endpoints get added ● Depth growth APIs calls create calls to other APIs, rinse & repeat, especially for microservices
  • 10. CardinalDirections& APIs North/South traffic ● Traffic from the client to an API usually through an API gateway ● Originates outside the ‘data center’ or VPC e.g. external East/West traffic ● Traffic between internal APIs frequently bypassing an API gateway ● Originates inside the ‘data center’ or VPC e.g. internal
  • 11. A BetterDefinitionof an API From a security controls point of view, an API is really a combination of: ● Method ○ GET, POST, PUT, … ● Hostname ○ example.com ● Path ○ /v2/users/all GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
  • 14. APISecurityDefined For the purposes of this talk: API Security includes determining the state of security from the perspectives of: ● API Security Posture ● API Runtime Security ● API Security Testing (hopefully continuous)
  • 15. APISecurityPosture Getting a broad, holistic view of your API landscape including: ● An inventory of every API (the security control definition) ○ Those going through an API gateway ○ Those not going through an API gateway / legacy ○ Internal APIs (east/west) ● Mapping of data going to and from the APIs ○ Classify data traversing the APIs ● Who, What, from Where ○ Who is calling the API? ○ What data are they sending/receiving? ○ Where did the call originate?
  • 16. APIRuntimeSecurity Understanding the ‘normal’ operations of running APIs including: ● Watching / inspecting traffic to and from the API ○ Inline or out of band ○ Understand all types (REST, gRPC, GraphQL, …) ● Creating behavior based models of traffic for anomaly detection ○ Heuristic, ML, ‘AI’ modeling ○ Continual learning methods ● Thresholds for abnormal traffic, triggering alerts ○ Policies on sensitive or large volumes of data ○ Respond to alerts, manual, semi-auto or automatically ○ Blocking, geo-fencing, deny external traffic
  • 17. APITesting Assess the security state of a running API ● DAST not SAST ○ SAST isn’t API specific so out of scope ○ Bonus points for continuous or CI/CD friendly ● Understand the APIs available methods ○ Swagger/OpenAPI spec files ○ Recorded traffic (http or other) ○ Automatic understanding based on traffic +1 ● Forwarding results to the right people ○ Issue tracker integrations e.g. Jira ○ Ability to see vulnerable requests/responses ○ Ability to re-test specific issue
  • 18. APISecurity Landscape 03 All the parts that make up the API ecosystem
  • 19. All the world’s a stage, and all the men and women merely players API stakeholders Wait, what?
  • 21. Breakingdownthelandscape WAF Stakeholders: Network Ops, AppSec, Product Teams, … Web App Stakeholders: Product Teams, AppSec, Marketing, … Mobile App Stakeholders: Mobile & Product Teams, AppSec, …
  • 22. Breakingdownthelandscape IdP Stakeholders: Identity and Access, AppSec, InfoSec, … APIGateway Stakeholders: Gateway Admins, Product, AppSec, … APIs Stakeholders: Product Teams, AppSec, Marketing, …
  • 23. Breakingdownthelandscape Cloud Stakeholders: Cloud Team, Product, AppSec, Finance, … SOC Stakeholders: IR Team, Product Team, InfoSec / AppSec, …
  • 24. APISecurity Concerns 04 Items to consider when securing your API
  • 26. AttackClasses DDOS - Distributed Denial Of Service ● Network DDOS ○ Traditional flood of traffic ○ Controls are fairly standardized ● HTTP Flood ○ Uses HTTP methods (GET, POST, …) ○ Mirrors legit traffic ○ Single client/customer ‘over consuming’ ● Application DOS ○ Consumption attacks (CPU, RAM, …) ○ Can be single or few requests ○ Lack of pagination Posture RUntime Testing
  • 27. AttackClasses Data breach / leak attacks ● Internal services made public ○ Misconfiguration / Lack of API Gateway ○ Lack of Policy enforcement ● Excessive data exposure ○ Verbose API responses ○ Return full data objects, clients ‘filter’ ○ Injection attacks ● Auth-n and Auth-Z weakness ○ Allows account/token takeover ○ BOLA - Client can request others’ data Posture RUntime Testing
  • 28. AttackClasses Abuse of Functionality ● Business Logic Flaws ○ Normal use-case, unintended use ○ Attackers use your API for their purpose ○ Automatic testing won’t find these ● Examples ○ Spamming using your API ○ Denial of Inventory - products in a cart ○ Carding - validate stolen card data ○ Ad Fraud / Evil SEO ● See “OWASP Automated Threat Handbook” Posture RUntime Testing
  • 29. OWASP APITop10 Risk Posture Runtime Testing 01: Broken Object Level Authorization 02: Broken User Authentication 03: Excessive Data Exposure 04: Lack of Resource & Rate Limiting 05: Broken Function Level Authorization
  • 30. OWASP APITop10 Risk Posture Runtime Testing 06: Mass Assignment 07: Security Misconfiguration 08: Injection 09: Improper Assets Management 10: Insufficient Logging & Monitoring
  • 33. Key Takeaways Complexity APIs seem simple on the surface but quickly become a complex collections of systems with many moving parts Perspectives API security has many perspectives which need to be taken into account when evaluating an API security program Coordination Beyond the multiple IT systems, secure APIs require tight coordination between many different teams Multifaceted Protecting APIs includes evaluation from the perspective of security posture, runtime security and testing
  • 34. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon and infographics & images by Freepik THANKS! Doyouhave anyquestions? [email protected] https://www.linkedin.com/in/matttesauro/ @matt_tesauro