SlideShare a Scribd company logo

API Security with Postman and Qualys

Postman, profile picture
Postman

This document discusses API security testing with Postman and Qualys. It notes that APIs are widely used but often built without security in mind. It highlights some of the top API security risks from the OWASP API Security Top 10, including broken object level authorization, broken user authentication, and broken function level authorization. The document then outlines Qualys' web application scanning capabilities for APIs and how it can utilize existing Postman collections to quickly scan APIs for vulnerabilities. It concludes by emphasizing the importance of API security and recommending the OWASP API Security Top 10 as a resource.

Software
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
API Security with Postman and Qualys Security Solution Architect, Application Security Qualys, Inc.
2 APIs Are Everywhere Highly exposed Greater likelihood of attack Constantly being probed Internet-facing APIs Custom / domain-specific For employees or contractors Often built without security considered Internal APIs Unknown risk posture No access to source code Often process critical data Vendor APIs Cloud provider not responsible for security of your apps and APIs APIs in public clouds
3 https://owasp.org/www-project-api-sec urity/ OWASP API Security Top 10 API1 Broken Object Level Authorization API2 Broken User Authentication API3 Excessive Data Exposure API4 Lack of Resources & Rate Limiting API5 Broken Function Level Authorization API6 Mass Assignment API7 Security Misconfiguration API8 Injection API9 Improper Assets Management API10 Insufficient Logging & Monitoring
OWASP API Security Top 10 - Highlights API1 Broken Object Level Authorization API2 Broken User Authentication API5 Broken Function Level Authorization
API1 Broken Object Level Authorization API1 Broken Object Level Authorization (BOLA)
API5 Broken Function Level Authorization API5 Broken Function Level Authorization
API2 Broken User Authentication API2 Broken User Authentication SolarWinds CVE-2020-10148 Administration bypass Lack of authentication Request processed before authentication is verified
API6 Mass Assignment
API6 Mass Assignment
Note on API8 Injection Frequently, practitioners feel that XSS attacks are not valid for APIs due to JSON responses If JSON is written into an application with a UI, the attack may execute Microservices - Be aware of all areas the responses are used
Qualys Web Application Scanning
Qualys WAS Highlights Unlimited scans Unlimited users Cloud based Not a point solution Massive scalability Flexible licensing Scheduled scans Ad-hoc, targeted scans Multi-site scanning Scanner pooling API scanning Out-of-Band detections Comprehensive API Splunk TA Integrations with: - Qualys WAF - CI/CD tools - Burp Suite - Bugcrowd RBAC Tagging Detection history Scheduled reports Customizable reports Retest findings Ignore findings Low TCO Scanning Flexibility Integrations Features
Postman Support
API Security - Coming Soon
Demo
Wrap-up Qualys can utilize existing Postman collections Quickly scan APIs for vulnerabilities API Security is important The OWASP API Security Top 10 is an excellent resource
Thank You! earnold@qualys.com Security Solution Architect, Application Security Qualys, Inc.

More Related Content

PDF
OWASP API Security Top 10 - API World
42Crunch
 
PDF
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
PPTX
API Management in Digital Transformation
Aditya Thatte
 
PDF
REST API Authentication Methods.pdf
Rubersy Ramos García
 
PPTX
Session Hijacking
n|u - The Open Security Community
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
OWASP API Security Top 10 - API World
42Crunch
 
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
API Management in Digital Transformation
Aditya Thatte
 
REST API Authentication Methods.pdf
Rubersy Ramos García
 
Session Hijacking
n|u - The Open Security Community
 
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
OAuth2 - Introduction
Knoldus Inc.
 
OWASP Top 10 2021 What's New
Michael Furman
 

What's hot (20)

PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PDF
API Security Best Practices & Guidelines
Prabath Siriwardena
 
PPTX
What's New in API Connect & DataPower Gateway in 1H 2018
IBM API Connect
 
PPTX
Pentesting ReST API
Nutan Kumar Panda
 
PDF
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
PDF
Owasp top 10
YasserElsnbary
 
PDF
Deploying Privileged Access Workstations (PAWs)
Blue Teamer
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
PPT
Introduction To OWASP
Marco Morana
 
PDF
DataPower API Gateway Performance Benchmarks
IBM DataPower Gateway
 
PDF
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
PDF
Attacking AWS: the full cyber kill chain
SecuRing
 
PDF
Api security-testing
n|u - The Open Security Community
 
PPTX
DataPower Restful API Security
Jagadish Vemugunta
 
PDF
How to migrate an application in IBM APIc, and preserve its client credential
Shiu-Fun Poon
 
PDF
OWASP API Security Top 10 Examples
42Crunch
 
PPTX
What is an API Gateway?
LunchBadger
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PPTX
API Governance in the Enterprise
Apigee | Google Cloud
 
PDF
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
VMware Tanzu
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
API Security Best Practices & Guidelines
Prabath Siriwardena
 
What's New in API Connect & DataPower Gateway in 1H 2018
IBM API Connect
 
Pentesting ReST API
Nutan Kumar Panda
 
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
Owasp top 10
YasserElsnbary
 
Deploying Privileged Access Workstations (PAWs)
Blue Teamer
 
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Introduction To OWASP
Marco Morana
 
DataPower API Gateway Performance Benchmarks
IBM DataPower Gateway
 
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
Attacking AWS: the full cyber kill chain
SecuRing
 
Api security-testing
n|u - The Open Security Community
 
DataPower Restful API Security
Jagadish Vemugunta
 
How to migrate an application in IBM APIc, and preserve its client credential
Shiu-Fun Poon
 
OWASP API Security Top 10 Examples
42Crunch
 
What is an API Gateway?
LunchBadger
 
OAuth 2.0
Uwe Friedrichsen
 
API Governance in the Enterprise
Apigee | Google Cloud
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
VMware Tanzu
 
Ad

Similar to API Security with Postman and Qualys (20)

PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PDF
Common Security API Issues and How to Mitigate Them Using Postman
Postman
 
PPTX
Bas Dijkstra: Are you sure your APIs are secure?
Pacific Northwest Software Quality Conference
 
PDF
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
PDF
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
apidays
 
PPTX
Outpost24 webinar - Api security
Outpost24
 
PDF
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays
 
PDF
API Hijacking.pdf
Vishwas N
 
PDF
API Hijacking.pdf
VishwasN6
 
PDF
API Hijacking (1).pdf
Vishwas N
 
PDF
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
PPTX
Safeguarding Digital Assets_ Uncovering Security Risks in APIs - Automation G...
Pricilla Bilavendran
 
PDF
API Testing and Hacking.pdf
VishwasN6
 
PDF
API Testing and Hacking.pdf
Vishwas N
 
PDF
API Testing and Hacking (1).pdf
Vishwas N
 
PDF
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays
 
PPTX
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
PDF
OWASPAPISecurity
Jie Liau
 
PDF
5 step plan to securing your APIs
💻 Javier Garza
 
PDF
How Secure Are Your APIs?
Apigee | Google Cloud
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Common Security API Issues and How to Mitigate Them Using Postman
Postman
 
Bas Dijkstra: Are you sure your APIs are secure?
Pacific Northwest Software Quality Conference
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIs
apidays
 
Outpost24 webinar - Api security
Outpost24
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays
 
API Hijacking.pdf
Vishwas N
 
API Hijacking.pdf
VishwasN6
 
API Hijacking (1).pdf
Vishwas N
 
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
Safeguarding Digital Assets_ Uncovering Security Risks in APIs - Automation G...
Pricilla Bilavendran
 
API Testing and Hacking.pdf
VishwasN6
 
API Testing and Hacking.pdf
Vishwas N
 
API Testing and Hacking (1).pdf
Vishwas N
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays
 
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
OWASPAPISecurity
Jie Liau
 
5 step plan to securing your APIs
💻 Javier Garza
 
How Secure Are Your APIs?
Apigee | Google Cloud
 
Ad

More from Postman (20)

PDF
Advanced AI and Documentation Techniques
Postman
 
PDF
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
PDF
Elevating Developer Experiences with AI-Powered API Testing & Documentation
Postman
 
PDF
Discovering Public APIs and Public API Network with Postman
Postman
 
PDF
Optimizing Teamwork: Harnessing Collections & Workspaces for Collaboration
Postman
 
PDF
API testing Beyond the Basics AI & Automation Techniques
Postman
 
PDF
Not Your Grandma’s Rate Limiting (slides)
Postman
 
PDF
Five Ways to Automate API Testing with Postman
Postman
 
PDF
How to Scale APIs-as-Product for Future Success
Postman
 
PPTX
Revolutionizing API Development: Collaborative Workflows with Postman
Postman
 
PDF
Everything You Always Wanted to Know About AsyncAPI
Postman
 
PDF
Elevating Event-Driven World: A Deep Dive into AsyncAPI v3
Postman
 
PDF
Five Things You SHOULD Know About Postman
Postman
 
PDF
Integration-, Snapshot- and Performance-Testing APIs
Postman
 
PDF
How ChatGPT led OpenAPI's Recent Spike in Popularity
Postman
 
PDF
Exploring Postman’s VS Code Extension
Postman
 
PDF
2023 State of the API Report: Key Findings and Trends
Postman
 
PDF
Nordic- APIOps is here What will you build in an API First World
Postman
 
PDF
Testing and Developing gRPC APIs
Postman
 
PDF
Testing and Developing GraphQL APIs
Postman
 
Advanced AI and Documentation Techniques
Postman
 
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Elevating Developer Experiences with AI-Powered API Testing & Documentation
Postman
 
Discovering Public APIs and Public API Network with Postman
Postman
 
Optimizing Teamwork: Harnessing Collections & Workspaces for Collaboration
Postman
 
API testing Beyond the Basics AI & Automation Techniques
Postman
 
Not Your Grandma’s Rate Limiting (slides)
Postman
 
Five Ways to Automate API Testing with Postman
Postman
 
How to Scale APIs-as-Product for Future Success
Postman
 
Revolutionizing API Development: Collaborative Workflows with Postman
Postman
 
Everything You Always Wanted to Know About AsyncAPI
Postman
 
Elevating Event-Driven World: A Deep Dive into AsyncAPI v3
Postman
 
Five Things You SHOULD Know About Postman
Postman
 
Integration-, Snapshot- and Performance-Testing APIs
Postman
 
How ChatGPT led OpenAPI's Recent Spike in Popularity
Postman
 
Exploring Postman’s VS Code Extension
Postman
 
2023 State of the API Report: Key Findings and Trends
Postman
 
Nordic- APIOps is here What will you build in an API First World
Postman
 
Testing and Developing gRPC APIs
Postman
 
Testing and Developing GraphQL APIs
Postman
 

Recently uploaded (20)

PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Introduction Database Management System for Course Database
ReinertYosua
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 

API Security with Postman and Qualys

  • 1. API Security with Postman and Qualys Security Solution Architect, Application Security Qualys, Inc.
  • 2. 2 APIs Are Everywhere Highly exposed Greater likelihood of attack Constantly being probed Internet-facing APIs Custom / domain-specific For employees or contractors Often built without security considered Internal APIs Unknown risk posture No access to source code Often process critical data Vendor APIs Cloud provider not responsible for security of your apps and APIs APIs in public clouds
  • 3. 3 https://owasp.org/www-project-api-sec urity/ OWASP API Security Top 10 API1 Broken Object Level Authorization API2 Broken User Authentication API3 Excessive Data Exposure API4 Lack of Resources & Rate Limiting API5 Broken Function Level Authorization API6 Mass Assignment API7 Security Misconfiguration API8 Injection API9 Improper Assets Management API10 Insufficient Logging & Monitoring
  • 4. OWASP API Security Top 10 - Highlights API1 Broken Object Level Authorization API2 Broken User Authentication API5 Broken Function Level Authorization
  • 5. API1 Broken Object Level Authorization API1 Broken Object Level Authorization (BOLA)
  • 6. API5 Broken Function Level Authorization API5 Broken Function Level Authorization
  • 7. API2 Broken User Authentication API2 Broken User Authentication SolarWinds CVE-2020-10148 Administration bypass Lack of authentication Request processed before authentication is verified
  • 10. Note on API8 Injection Frequently, practitioners feel that XSS attacks are not valid for APIs due to JSON responses If JSON is written into an application with a UI, the attack may execute Microservices - Be aware of all areas the responses are used
  • 12. Qualys WAS Highlights Unlimited scans Unlimited users Cloud based Not a point solution Massive scalability Flexible licensing Scheduled scans Ad-hoc, targeted scans Multi-site scanning Scanner pooling API scanning Out-of-Band detections Comprehensive API Splunk TA Integrations with: - Qualys WAF - CI/CD tools - Burp Suite - Bugcrowd RBAC Tagging Detection history Scheduled reports Customizable reports Retest findings Ignore findings Low TCO Scanning Flexibility Integrations Features
  • 14. API Security - Coming Soon
  • 15. Demo
  • 16. Wrap-up Qualys can utilize existing Postman collections Quickly scan APIs for vulnerabilities API Security is important The OWASP API Security Top 10 is an excellent resource
  • 17. Thank You! earnold@qualys.com Security Solution Architect, Application Security Qualys, Inc.