2022 APIsecure_Harnessing the Speed of Innovation
0 likes36 views
The document discusses the rapid evolution of app development and the increasing significance of APIs, highlighting that by 2022, 90% of new enterprise applications will be cloud-native and API-driven. It addresses the critical security challenges organizations face, with a significant percentage experiencing API security incidents, emphasizing the need for observability and a culture of collaboration between development and security teams. The future focuses on integrating speed and innovation while recognizing APIs as the primary attack vector, necessitating robust security measures and continuous learning in development practices.
2022 APIsecure_Harnessing the Speed of Innovation
- 1. Harnessing the Speed of Innovation Jyoti Bansal Co-Founder and CEO, Traceable jyoti@traceable.ai
- 2. ▪ Introduction ▪ The evolution of modern app development ▪ How to solve for complex API challenges ▪ Securing APIs in the new world ▪ What the future holds Agenda
- 3. Software Code and APIs are Everywhere Nos of Developers 45 million Nos of APIs 1.2 Billion 100 Million < 10 Million < 1 Million 2020 2030 2.8 have been written in the past 20 years. Trillion Lines of Code 2010 25 Million VS
- 4. APIs Connect Everyone and Everything IDC predicts by 2022, 90% of new enterprise applications worldwide will be developed as cloud-native, using agile methodologies and API-driven architectures that leverage microservices, containers, and serverless functions. IDC FutureScape: Worldwide Cloud 2020 Predictions, Doc # US44640719, October 2019 API Cloud Services Healthcare Mobile Services Real Estate E-commerce Govern ment Education Crypto Financial Services Insurance Media/ Entertai nment Hi-Tech
- 5. Growing API Security Crisis 91% of organizations had an API Security incident last year… Security Magazine - Feb 2021 Data Breaches & Exfiltration Business Fraud Sensitive Data Exposure Customer & Employee Privacy Violations Regulatory Fines Intellectual Property Theft
- 6. Business Fraud via API Allowed attacker to make unlimited cryptocurrency trades between different currency accounts Learn more Attackers could initiate orders and trade cryptocurrency they did not have by modifying the API - the coinbase validation logic did not verify source account properly, and processed the trade normally. Hacker could take over Apple iCloud Accounts by exploiting the password reset API endpoint of “Forgot Password” function Missing logic validation check in a retail brokerage API endpoint Allowed attacker to bypass 2-Factor authentication, SMS verification and password validation rate limits Learn more Rate limiting protection failed to work as designed APIs hijacked and modified
- 7. API Attacks Are Hard to Detect ▪ Mostly Unknown threats ▪ Malicious usage of APIs for unauthorized activities ▪ Exploit your own code and business logic Hard to Detect and High Signal to Noise Ratio Countless Attack Surfaces
- 8. Ever-changing Competitive Landscape. Business And Technical Challenge - Constant Change Costumer Needs Change Frequently. Critical Pivots: Process, Architecture, Culture, Engg.
- 9. Smaller, autonomous teams. Business And Technical Challenge - Agile Distributed Dev Teams Shift from tightly coupled, monolithic systems to loosely coupled APIs. Higher ratio of dev to security
- 10. Securing APIs in this new world…
- 11. You Can’t Secure What You Can’t See Application Context API ACTIVITY Edge API Calls Internal API Calls Sequence of API Calls USER ACTIVITY Identity Devices Roles & Permissions DATA FLOW Across Sequence of Calls Between Internal Services To External Services CODE EXECUTION API Parameters Request/Response Data Errors & Latency rider / view locations rider / reserver car rider / process payment rider / send receipt 01010 01010 01010 01010 01010 Observability is the core foundation of application security Edge APIs Internal APIs External Service
- 12. Move Over Networks, CODE Is The Next Frontier Of Cyber Security What the future holds…
- 13. What the future holds… Transformation journeys that integrate speed, innovation. 01 02 03 APIs will become the primary vector of attack. Even more adoption of APIs as the primary method of delivering value.
- 14. Top Three Approaches Needed for API Security Observability is Key Data Lake and Threat Hunting ▪ Capture and correlate all transactions and data for all APIs and microservices (internal, external, shadow, orphaned, 3rd party) ▪ Comprehensive breadth and depth of data captured for application security & observability ▪ Store every data trace from all API and data transactions ▪ All data is explorable, searchable, and filterable ▪ Enables deep root cause analysis and threat hunting ▪ Build full application context ▪ Understand user behavior across all activity and time based on user attribution of every transaction. ▪ Correlate all activities across sessions and time into user storylines Machine Learning Platform for Context
- 15. Culture and Collaboration is Key Data transparency is the foundation of collaboration. 01 02 03 API security has to be part of development culture. Continuous learning between API Development and Security teams.
- 16. Questions? Jyoti Bansal Co-Founder and CEO, Traceable jyoti@traceable.ai
- 17. Thank you. Jyoti Bansal Co-Founder and CEO, Traceable jyoti@traceable.ai