apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isbitski, Salt Security
0 likes112 views
The document discusses key best practices in API security, focusing on documentation, runtime protection, and security operations. It emphasizes the importance of maintaining a comprehensive API catalog, utilizing effective threat protection mechanisms, and tailoring security insights for different organizational roles. The content also highlights customer challenges and successful implementations of Salt Security's capabilities in various industries.
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isbitski, Salt Security
- 1. api s ec ur it y ed it io n : W h en b es t p r a c t ic es s t o p b ein g p o l it e a n d s t a r t b ein g r ea l
- 2. © 2021 Salt Security, Inc. All rights r Software is eating the world
- 3. © 2021 Salt Security, Inc. All rights r API security predictions were accurate
- 4. © 2021 Salt Security, Inc. All rights r API security best practices help reduce risk Three areas we’ll be focusing on today: 1. API documentation, discovery, and cataloging 2. Runtime protection 3. API -centric security operations
- 5. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 6. 1. a p i d o c um en t a t io n , d is c o ver y a n d c a t a l o g in g
- 7. © 2021 Salt Security, Inc. All rights r Use machine formats likeOpenAPISpecification • Standardizing on machine formats enables other life cycle activities and integration work with suppliers • Most organizations have pockets of OAS and Swagger, but practices aren’t universal • Recognize limitations of schema analysis for finding issues and business logic flaws • Disparity between documented design and deployed APIs is common, aka API drift
- 8. © 2021 Salt Security, Inc. All rights r Tag and label APIs and microservices consistently • Developers are empowered to help the organization and its security strategy • Tagging and labeling is an enabler of many DevOps best practices – Improves integrity of software supply chain when done consistently and verified – Aids SOC analysts and security operations as part of forensics and incident response – Useful for compliance activity, and CI/CD build pipelines become a system of record
- 9. © 2021 Salt Security, Inc. All rights r Industry: B usiness travel management “With Salt we can see exactly how our APIs are designed to work and how they’re reacting when they’re used and misused.” -- TarikG hbeish,Product & SecurityEngineering Customer example of pitfalls related to lack of API inventory Customer challenges • COVID forced rapid platform adjustments and enhancements that spurred • Needed API visibility to stay in line with agile development Salt Security key capabilities API discovery • Discovers all APIs automatically and continuously • Maintains an up -to-date catalog of all APIs • Captures granular details to eliminate blind spots and help teams assess r Sensitive data exposure prevention • Details where APIs expose sensitive data • Provides updates when new or updated APIs impact data exposure
- 11. © 2021 Salt Security, Inc. All rights r Use threat protection features of your API gateways and API management • Many gateways provide basic message filtering mechanisms in addition to access control enforcement • This form of threat protection may satisfy some basic security use cases but leaves gaps in API protection • Overloading API gateways impacts servic performance, particularly in microservices architectures • Maintenance of rules and signatures is often a gray area or operational nightmare
- 12. © 2021 Salt Security, Inc. All rights r Seek more than rate limiting and traffic management to stop attacks • Rate limiting mechanisms are commonly found in many network elements • Use and quota limits within API gateways are useful for API monetization and basic security control • Rate limiting stops some basic attacks and API abuse, but it falls over for distributed architectures and advanced attackers • Most useful for internal APIs and partner APIs where API consumers are known and request volume is predictable
- 13. © 2021 Salt Security, Inc. All rights r Customer challenges • ProtectingA PIs at the core ofthe Finastra FusionFabric.cloudservice • PreventingA TO ,compromisedapps callingA PIs,andexploitationofO W A SPA PISecurity Top1 0 Salt Security key capabilities Attack prevention • ID s attackers usingadvancedtechniques toevade rate limitingandother protections • B locks attackers inearlyreconnaissance stages Risk reduction • Provides insights todevelopers andpartners onpotentialvulnerabilities andsensitive data exposure • H elps mitigate riskandprevent vulnerable A PIs fromlaunching Customer example of pitfalls related to inadequate runtime protection Industry: FinTech “Salt has automatically blocked tens of 1000s of credential stuffing attacks. Without Salt, we’d be out of business.” --N irV altman,V Pproduct and data security
- 14. 3. a p i- c en t r ic s ec ur it y o p er a t io n s
- 15. © 2021 Salt Security, Inc. All rights r Account for multiple personas and work streams in the organization • Telemetry of full API call chains and data flows provides necessary technical detail and drives machine analysis • Development, Operations, and Security teams need different information at different times of the API life cycle • Integrate with IT systems to aid in DFIR collaboration and remediation workflow • Security insights should be tailored per role – Is an issue resulting from code? – Or is it an infrastructure misconfiguration?
- 16. © 2021 Salt Security, Inc. All rights r Surface actionable API events, don’t just dump data into SIEM • SecOps fatigue is common and application expertise is often lacking • Select tooling that interoperates with organizational SIEM and SOAR • Strike a balance between too many and too little data feeds • Focus on improving signal -to-noise ratio and reducing false positives
- 17. © 2021 Salt Security, Inc. All rights r Customer example of pitfalls related to inefficient SecOps Customer challenges • D etectingandpreventingattacks targetingthe unique logic ofcore A PIs • Preventingattacks missedbyN G -W A Fs andbot mitigationtools Salt Security key capabilities Attack prevention • C orrelates attackactivitytopinpoint attackers earlyduringreconnaissance • R educes alerts witha consolidatedattacker timeline • Provides SO Cteams withcontext neededfor quickaction Risk reduction • Provides insights toidentify,prioritize,andeliminatevulnerabilities • Enables teams tocontinuouslyhardenA PIs • H elps developers make A PIs more secure before launchingintoproduction Industry: M obile marketing analytics andattribution “W ithvisibility,protection,and remediationinone solution, Salt helps us respondtoissues faster andunderstandexactly what needs tobe fixed.” --G uyFlechter,C ISO
- 18. © 2021 Salt Security, Inc. All rights r Salt –the API context you need 17
- 19. © 2021 Salt Security, Inc. All rights r Additional resources • A PISecurityfor D ummies • A PISecurityEvaluationG uide • A PISecurityB est Practices G uide and C hecklist • O W A SPA PISecurityTop1 0Explained • State of A PISecurityQ 32021 • A PIThreat R esearch:D etailedFinancialR ecords ExposedonFinancialServices Platform • A PIThreat R esearch:Elastic StackM isconfigurationA llows D ata Extraction Still have questions or want more info? Reach out! • Email:michaeli@salt.security,nicolasj@salt.security • L inkedIn:https://www.linkedin.com/in/michael-isbitski-45728737,https://fr.linkedin.com/in/nicolasjeanselme 18 Over 50security best practices spread across 12 focus areas
- 20. Thank you for attending
- 21. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here