There’s no AI without
API, but what does this
mean for security?
Apidays Helsinki | Timo Rüppell
Apidays Helsinki & North 2024 - There’s no AI without API, but what does this mean for Security? by Timo Rüppell, FireTail.io
About Me.
VP of Product at FireTail. A former researcher
in theoretical high energy physics. Now
focused on API security.
Earlier
● CTO @ Mapita
● Founder @ Sideric
● Lead Dev @ PiggyBaggy
timo@firetail.io
Overview.
What we’ll cover today.
- The Rise of AI & API Proliferation: Why
there is no AI without APIs.
- Understanding the Security Risks: How the
emergence of AI is changing the game
when it comes to API security.
- Best Practices for Securing APIs in an Age of
AI: The core principles of an effective API
security strategy given the emergence of
AI.
- The Bottom Line: A quick recap of today’s
key takeaways.
- Q&A: Time to answer any burning
questions you may have.
Effective API security is a
must for organizations who
want to harness the power
of AI.
The Rise of AI &
API Proliferation.
In November 2023, OpenAI announced a
massive expansion of API calling
capabilities available via ChatGPT
What Changed?
AIs have been around for
decades?
The “assistant” has been
around even longer (just ask
Jeeves)?
Inflection point in available
computation resources,
mathematical advances, and a
direct-to-platform business
model.
Not Just LLMs.
Most news is about LLMs. And most (valid)
criticism regarding capabilities is aimed at
LLMs.
But LLMs are “just” one niche.
Specific types of models can be far more
adept at interacting with APIs.
- LAM (Large Action Model): Translating human intentions into actions.
Example: Rabbit AI and service integrations.
Integrates AI with API communications.
- LCBM: Optimizing LLM output to achieve a desired
behaviour. Example: Lirio LBMs aim to make
people healthier.
OpenAI’s expansion on API calling
capabilities announced in November.
Long term optimism.
Commoditization of Large
Models can be relatively fast.
- Compute: Moore’s law is (still) in
effect.
- Maths: More efficient architectures and
training methods. Example: Mamba, a linear
RNN, scales as n log n in sequence length
compared to n^2 for Transformers.
Traits of commodities are
interchangeability, availability.
Emerging LLM Tech Stack.
There’s no AI without APIs
Source: a16z Enterprise
Now (or very soon) everyone,
everywhere, regardless of expertise
will have the ability to prod and
probe APIs across the globe, at
pace and at scale. This will be a
game changer for those charged
with protecting APIs.
Understanding the
Security Risks.
AI & API Security.
AI risks impacting APIs
- Unsafe AIs: Intentionally or
accidentally unsafe AIs finding
vulnerabilities in application or
business logic, authentication,
authorization.
- Bots and data spoofing: APIs
processing human generated
content need to make provisions
for both large scale abuse and
individual vetting.
AI & API Security.
API risks impacting AIs.
- Injection attacks: You need to
carefully sanitize user provided
content that is going to be handed
off to an AI integration.
- Resource consumption: You need
to protect expensive endpoints
from overuse and have robust
usage metering.
- Access control: You need to ensure
that any data returned by an AI
model is correctly authorized.
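A minimal broker, added here as an example (it is not FireTail code and not from the deck), that puts the three points above on one request path: user text is sanitized and length-bounded before it is placed in its own message role, each caller is charged against a token budget before the model is invoked, and a tool call the model proposes is validated and executed under the authenticated caller's identity, so the data the model "returns" is authorized by the API and not by the model. The model stand-in fake_model, the get_order tool, the order data and the budget figures are constructed assumptions.

```python
"""Broker between a public API endpoint and an LLM "function calling" integration.

Added example, not FireTail code. The model client (fake_model), the tool
(get_order), the token budget and the order data are constructed for
illustration; a real deployment would call the provider's tokenizer and API.
"""
import re
import unicodedata
from dataclasses import dataclass, field

MAX_INPUT_CHARS = 2000      # hypothetical cap on user text sent to the model
TOKENS_PER_USER = 20_000    # hypothetical per-user token budget per window

# Constructed sample data: which user owns which order.
ORDERS = {
    "o-1001": {"owner": "alice", "total": 42.0},
    "o-2002": {"owner": "bob", "total": 99.0},
}

# Characters that must never reach the prompt: C0/C1 controls (except \t \n \r),
# zero-width characters and bidi overrides, which can hide injected instructions.
_FORBIDDEN = re.compile(
    r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f\u200b-\u200f\u202a-\u202e\u2066-\u2069]"
)
_ORDER_ID = re.compile(r"o-\d{4}")


class BrokerError(Exception):
    """Raised for any request the broker refuses to pass on or execute."""


def sanitize_for_model(text: str) -> str:
    """Normalise, strip invisible/control characters and bound the length.

    This is hygiene, not a prompt-injection filter: the text stays untrusted
    and is placed in its own message role, never in the system prompt.
    """
    if not isinstance(text, str):
        raise BrokerError("input must be a string")
    text = _FORBIDDEN.sub("", unicodedata.normalize("NFKC", text))
    if len(text) > MAX_INPUT_CHARS:
        raise BrokerError("input too long")
    return text


def build_messages(system: str, user_text: str) -> list[dict]:
    """Keep user content as data in its own message; never concatenate it into the system prompt."""
    return [{"role": "system", "content": system}, {"role": "user", "content": user_text}]


def estimate_tokens(text: str) -> int:
    """Crude ~4 chars/token stand-in for the provider's tokenizer."""
    return max(1, len(text) // 4)


@dataclass
class UsageMeter:
    """Per-user token budget so one caller cannot drain an expensive endpoint."""
    budget: int = TOKENS_PER_USER
    used: dict = field(default_factory=dict)

    def charge(self, user: str, tokens: int) -> None:
        spent = self.used.get(user, 0)
        if spent + tokens > self.budget:
            raise BrokerError("token budget exceeded")
        self.used[user] = spent + tokens


def get_order(caller: str, order_id: str) -> dict:
    """Tool body: authorization uses the authenticated caller, not anything the model says."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        raise BrokerError("not authorized for this object")  # BOLA guard
    return {"order_id": order_id, "total": order["total"]}


TOOLS = {"get_order": get_order}


def execute_tool_call(caller: str, call: dict) -> dict:
    """Validate a model-proposed tool call (name and argument shape) before running it."""
    name = call.get("name")
    args = call.get("arguments")
    if name not in TOOLS:
        raise BrokerError("unknown tool")
    if not isinstance(args, dict) or set(args) != {"order_id"}:
        raise BrokerError("invalid tool arguments")
    if not isinstance(args["order_id"], str) or not _ORDER_ID.fullmatch(args["order_id"]):
        raise BrokerError("invalid order id")
    return TOOLS[name](caller, args["order_id"])


def fake_model(messages: list[dict]) -> dict:
    """Constructed stand-in for the LLM: proposes get_order for whatever id the user text
    mentions, which is how an injected instruction steers it toward someone else's object."""
    found = _ORDER_ID.search(messages[-1]["content"])
    return {"name": "get_order", "arguments": {"order_id": found.group(0) if found else "o-0000"}}


def handle_request(caller: str, user_text: str, meter: UsageMeter, model=fake_model) -> dict:
    """Sanitize -> meter -> prompt -> model -> validated, authorized tool execution."""
    clean = sanitize_for_model(user_text)
    meter.charge(caller, estimate_tokens(clean))
    proposed = model(build_messages("You are an order assistant. Use only the provided tools.", clean))
    return execute_tool_call(caller, proposed)
```

The point of the design is that the model is treated as an untrusted planner: it may propose any tool call it likes, but the broker decides what runs, with which arguments, and for whom. The injected request for o-2002 is refused not because the injection was detected but because alice does not own that order.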
Best Practices for
Securing APIs in
an Age of AI.
6 Pillars of API Security.
Enforcement.
Authentication, authorization,
validation and sanitization directly
in your code.
Visibility.
Get a complete view of your entire
API landscape across your IT
fleet.
Assessment.
APIs analyzed for configuration
settings & security policy. API
security posture management.
Discovery.
Finding APIs not running the FireTail
library via network traffic, code
repos & cloud APIs.
Observability.
The commercial version sends
configuration and success / failure
events to the cloud backend.
Audit.
Full & centralized audit trail of all
APIs with FireTail library. Search &
alert capabilities.
Existing approaches just don’t cut it.
API Call Log Visibility
Where to spend your time.
[Diagram, built up over several slides: the request path Consumer → Internet → GW/Proxy → WAF → Rate limiting → AuthN → Sanitize → Validate → AuthZ → Fetch Data / Modify Data / Execute Function → Response, with calls out to a Third party API. The slides overlay the OWASP API Security Top 10 (2023) item numbers below on the stages of this path to show where each risk is addressed.]
1. BOLA (Broken Object Level Authorization).
2. Broken AuthN.
3. BOPLA (Broken Object Property Level Authorization).
4. Unrestricted Resource Consumption.
5. BFLA (Broken Function Level Authorization).
6. Unrestricted Access to Sensitive Business Flows (shown on the slide as "Unrestricted Process Access").
7. SSRF.
8. Security Misconfiguration.
9. Improper Inventory Management.
10. Unsafe Consumption of APIs.
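An added example (not from the deck and not FireTail code) of the request path on the slide for a hypothetical GET /users/{id}: rate limiting, then AuthN, then validation of the path parameter, then object-level AuthZ before the fetch, then property-level filtering of the response, plus the egress allowlist applied before any third-party call. Sessions, users, roles and the partner hostname are constructed sample data; the comments name the Top 10 item each stage addresses.

```python
"""One request through the stages on the slide: rate limit, AuthN, validate,
AuthZ, fetch, response filtering; and the egress check for a third-party call.

Added example for a hypothetical /users/{id} API, not FireTail code. Sessions,
users, roles and the partner hostname are constructed sample data.
"""
import re
import time
from urllib.parse import urlsplit

# Constructed sample data.
SESSIONS = {"tok-alice": {"user": "alice", "role": "customer"},
            "tok-ops": {"user": "ops", "role": "admin"}}
USERS = {"alice": {"email": "alice@example.com", "is_admin": False,
                   "password_hash": "$argon2id$constructed"}}
# BOPLA (#3): the properties each role may read; password_hash is never exposed.
READABLE = {"customer": {"email"}, "admin": {"email", "is_admin"}}
# SSRF (#7): the only hosts this service may call out to.
EGRESS_ALLOW = {"api.partner.example"}


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


class RateLimiter:
    """Token bucket per API key (Unrestricted Resource Consumption, #4).
    `clock` is injectable so behaviour is deterministic in tests."""
    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.buckets: dict[str, tuple[float, float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1.0, now)
        return True


def authenticate(headers: dict) -> dict:
    """AuthN (#2): map the bearer token to a session; fail closed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    session = SESSIONS.get(token) if scheme == "Bearer" else None
    if session is None:
        raise ApiError(401, "unauthenticated")
    return session


def validate_user_id(raw: str) -> str:
    """Validate: a strict shape for the path parameter before it reaches any lookup."""
    if not isinstance(raw, str) or not re.fullmatch(r"[a-z0-9_]{1,32}", raw):
        raise ApiError(400, "invalid user id")
    return raw


def authorize_object(session: dict, user_id: str) -> None:
    """AuthZ (BOLA, #1): check the object against the caller before fetching it,
    so a 403 never reveals whether the object exists."""
    if session["user"] != user_id and session["role"] != "admin":
        raise ApiError(403, "forbidden")


def filter_properties(record: dict, role: str) -> dict:
    """Response shaping (BOPLA, #3): allowlist properties per role, never blocklist."""
    return {k: v for k, v in record.items() if k in READABLE[role]}


def safe_outbound_url(url: str) -> str:
    """Egress guard (SSRF, #7): https only, explicit host allowlist, default port.
    Caveat: a resolver-level check is still needed against DNS rebinding."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        raise ApiError(502, "outbound destination not allowed")
    if parts.scheme != "https" or parts.hostname not in EGRESS_ALLOW or port not in (None, 443):
        raise ApiError(502, "outbound destination not allowed")
    return url


def handle_get_user(headers: dict, user_id_raw: str, limiter: RateLimiter) -> dict:
    """GET /users/{id} in the order shown on the slide."""
    if not limiter.allow(headers.get("Authorization", "anonymous")):
        raise ApiError(429, "rate limited")
    session = authenticate(headers)
    user_id = validate_user_id(user_id_raw)
    authorize_object(session, user_id)
    record = USERS.get(user_id)
    if record is None:
        raise ApiError(404, "not found")
    return filter_properties(record, session["role"])
```

Two ordering decisions matter here. Authorization runs before the lookup, so an attacker enumerating ids gets a uniform 403 rather than a 403/404 oracle. The egress check keys on the parsed hostname, so userinfo tricks such as https://api.partner.example@127.0.0.1/ are rejected because the real host is 127.0.0.1.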
The Bottom Line.
The scale of the risk and the
frequency of attacks are growing
due to AI. The nature of the threat
is evolving but the same core
risks persist.
Questions.
FireTail is headquartered in Northern Virginia, USA, with
additional offices in Dublin, Ireland and Helsinki, Finland.
FireTail is backed by leading cybersecurity investors
Paladin Capital, Secure Octane, General Advance and
Zscaler. For more information, please visit www.firetail.io.