SlideShare a Scribd company logo

Evolving challenges for modern enterprise architectures in the age of APIs

Dinis Cruz, profile picture
Dinis Cruz

Dinis Cruz, CISO of Photobox, discusses the challenges of modern enterprise architectures, particularly in managing API security and visibility. He emphasizes the importance of a zero-trust approach and the need for effective risk management, security testing, and performance optimization in API development. Cruz also shares insights on building high-performance security teams and the necessity of having robust monitoring systems to detect and respond to security incidents.

Technology
Related topics:
API Security Insights
1 of 58
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Evolving challenges for modern enterprise architectures 
 in the age of APIs Dinis Cruz, CISO, Photobox April 2018
I’m a CISO focused on securing our client’s Magic moments by creating secure environments that enable and accelerate the business and contribute to the 
 top and bottom line
Here are my challenges
 1.How to make rational risk based decisions 2.How to create high performance teams 3.How to scale Security knowledge 4.How to drive and enable change 5.How to map data as graphs
Everything is a API
Evolving challenges for modern enterprise architectures in the age of APIs
You might think your API landscape looks like this
Or like this
But in reality it looks like this Dependencies between APIs
and like this Traffic patterns (who talks to to who)
How do you understand API dependencies?
One way to do it is to break stuff and see what happens
Netflix Chaos Monkey
Chaos Engineering is 
 carefully injecting harm into 
 our systems to test the system’s ability to respond to it.
Success story Netflix recommendations
The best model is to use Security to improve: visibility , availability, data validation, authentication, authorisation, etc…
Every API needs to be protected
You need to think about API Security at the Gate Central API filtering Outside world
But also at API level
Every API needs to protect herself
Apis should trust no-one that connects to them that gives them data that they depend on
We want zero-trust networks (and zero-trust APIs)
See Google’s Beyondcorp for a great framework
Change the defend paradigm
The myth of the singe point of failure (i.e. attackers only need to run code and find a weak spot)
Do you understand what is going on in your APIs?
Biggest threat is not the issue, but is not having visibility
When do you know about security incidents? 
 (or changes)
You need to know what the attackers are 
 doing on your APIs
If you don’t know what is on the pentest report … you have a bigger problem (i.e. your SOC should be able to tell you)
Best Security model is one based on the attacker making a mistake (i.e. a change)
Use risks to understand reality and to make the business owners responsible for their decisions
Use Threat Models to understand how your system works and to document it
Use tests to replicate known behaviours, attacks and simulate changes 
 (with and without random events)
Which can also called Security tests
 (which pass on vulnerable state and on regression test)
Properties of secure APIs
Availability
Plan for Failure Ability to sustain failures
Validate and Sanitise all requests
Authenticate and Authorise all requests
Reduce capabilities and features gracefully
Hostile to insecure traffic and insecure code
Have error budgets 
 (from Google SRE)
Are easy to change
Are easy to refactor (make changes with confidence)
Pushes to production 
 happen minutes (fully tested and 100x a day (if needed))
The bigger they get the faster they go 
 (it is smooth and safe to make changes)
Have 99% change coverage
Change coverage
What matters is change coverage
If you make changes and they are not detected
you are just making random changes
Every change you make has to have a respective test change 
 (much better pair programming model)
Two more little things
See Photobox Group Security blog for real- world examples of how we think and operate https://pbx-group-security.com
We are hiring :)
 Head of InfoSec Senior AWS Security Engineer https://pbx-group-security.com/roles/
I’m writing a book and would really appreciate your feedback https://leanpub.com/generation-z
Thanks
Any questions @DinisCruz

More Related Content

PDF
How to not fail at security data analytics (by CxOSidekick)
Dinis Cruz
 
PDF
Using security to drive chaos engineering - April 2018
Dinis Cruz
 
PPTX
6 Most Common Threat Modeling Misconceptions
Cigital
 
PPTX
Information Security Life Cycle
vulsec123
 
PPTX
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
PPTX
Should You Use Security Point Solutions?
Threat Stack
 
PPTX
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Kymberlee Price
 
PPTX
TDC PoA submission
Marcelo Yuri Benesciutti
 
How to not fail at security data analytics (by CxOSidekick)
Dinis Cruz
 
Using security to drive chaos engineering - April 2018
Dinis Cruz
 
6 Most Common Threat Modeling Misconceptions
Cigital
 
Information Security Life Cycle
vulsec123
 
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
Should You Use Security Point Solutions?
Threat Stack
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Kymberlee Price
 
TDC PoA submission
Marcelo Yuri Benesciutti
 

What's hot (20)

PPTX
2017-11 Three Ways of Security - OWASP London
Jeff Williams
 
PDF
SHOWDOWN: Threat Stack vs. Red Hat AuditD
Threat Stack
 
PPTX
It All Started With a Wager About System Upgrades
Threat Stack
 
PDF
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PDF
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
PDF
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
PDF
4 Steps to Effectively Integrate DevOps Workflows With Cloud Security Practices
Threat Stack
 
PDF
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
EC-Council
 
PPTX
Assess all the things
Jerod Brennen
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
Threat Modeling workshop by Robert Hurlbut
DevSecCon
 
ODP
Basic of SSDLC
Chitpong Wuttanan
 
PPTX
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
PPT
Software Security Engineering
Marco Morana
 
PDF
Threat Modeling: Best Practices
Source Conference
 
PDF
Application Security Risk Assessment
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
PDF
SentinelOne Buyers Guide
Exclusive Networks ME
 
PPTX
Secure Design: Threat Modeling
Cigital
 
PDF
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
 
2017-11 Three Ways of Security - OWASP London
Jeff Williams
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
Threat Stack
 
It All Started With a Wager About System Upgrades
Threat Stack
 
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
The path of secure software by Katy Anton
DevSecCon
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
4 Steps to Effectively Integrate DevOps Workflows With Cloud Security Practices
Threat Stack
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
EC-Council
 
Assess all the things
Jerod Brennen
 
The Intersection of Security & DevOps
Alert Logic
 
Threat Modeling workshop by Robert Hurlbut
DevSecCon
 
Basic of SSDLC
Chitpong Wuttanan
 
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
Software Security Engineering
Marco Morana
 
Threat Modeling: Best Practices
Source Conference
 
Application Security Risk Assessment
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
SentinelOne Buyers Guide
Exclusive Networks ME
 
Secure Design: Threat Modeling
Cigital
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
 
Ad

Similar to Evolving challenges for modern enterprise architectures in the age of APIs (20)

PPTX
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
Infosectrain3
 
PPTX
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
PPTX
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
PDF
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Mark Simos
 
PDF
Alienvault how to build a security operations center (on a budget) (2017, a...
Al Syihab
 
PPTX
Appsec2013 assurance tagging-robert martin
drewz lin
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PPTX
Hacker Halted Miami , USA 2010
Aditya K Sood
 
PDF
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
 
PPSX
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
PPTX
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
PPTX
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
PDF
How to Become a Cyber Security Analyst in 2021..
Sprintzeal
 
PPTX
Securing Underprotected APIs - Deja vu Security
Deja vu Security
 
PPT
Software Security in the Real World
Mark Curphey
 
PDF
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Aujas
 
PDF
Cybersecurity Basics for Non-Techie Startup Founders
Kristian Melquiades
 
PDF
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
PPS
BISS - 11nov2011
Agora Group
 
DOCX
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
Infosectrain3
 
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Mark Simos
 
Alienvault how to build a security operations center (on a budget) (2017, a...
Al Syihab
 
Appsec2013 assurance tagging-robert martin
drewz lin
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Hacker Halted Miami , USA 2010
Aditya K Sood
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
How to Become a Cyber Security Analyst in 2021..
Sprintzeal
 
Securing Underprotected APIs - Deja vu Security
Deja vu Security
 
Software Security in the Real World
Mark Curphey
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Aujas
 
Cybersecurity Basics for Non-Techie Startup Founders
Kristian Melquiades
 
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
BISS - 11nov2011
Agora Group
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
Ad

More from Dinis Cruz (20)

PDF
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Dinis Cruz
 
PDF
Glasswall - Safety and Integrity Through Trusted Files
Dinis Cruz
 
PDF
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Dinis Cruz
 
PDF
The benefits of police and industry investigation - NPCC Conference
Dinis Cruz
 
PDF
Serverless Security Workflows - cyber talks - 19th nov 2019
Dinis Cruz
 
PDF
Modern security using graphs, automation and data science
Dinis Cruz
 
PDF
Using Wardley Maps to Understand Security's Landscape and Strategy
Dinis Cruz
 
PDF
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz
 
PDF
Making fact based decisions and 4 board decisions (Oct 2019)
Dinis Cruz
 
PDF
CISO Application presentation - Babylon health security
Dinis Cruz
 
PDF
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Dinis Cruz
 
PDF
GSBot Commands (Slack Bot used to access Jira data)
Dinis Cruz
 
PDF
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
Dinis Cruz
 
PDF
OSBot - Data transformation workflow (from GSheet to Jupyter)
Dinis Cruz
 
PDF
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Dinis Cruz
 
PDF
Template for "Sharing anonymised risk theme dashboards v0.8"
Dinis Cruz
 
PDF
Owasp and summits (may 2019)
Dinis Cruz
 
PDF
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Dinis Cruz
 
PDF
Open security summit 2019 owasp london 25th feb
Dinis Cruz
 
PDF
Owasp summit 2019 - OWASP London 25th feb
Dinis Cruz
 
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Dinis Cruz
 
Glasswall - Safety and Integrity Through Trusted Files
Dinis Cruz
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Dinis Cruz
 
The benefits of police and industry investigation - NPCC Conference
Dinis Cruz
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Dinis Cruz
 
Modern security using graphs, automation and data science
Dinis Cruz
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Dinis Cruz
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz
 
Making fact based decisions and 4 board decisions (Oct 2019)
Dinis Cruz
 
CISO Application presentation - Babylon health security
Dinis Cruz
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Dinis Cruz
 
GSBot Commands (Slack Bot used to access Jira data)
Dinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
Dinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
Dinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Dinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Dinis Cruz
 
Owasp and summits (may 2019)
Dinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Dinis Cruz
 
Open security summit 2019 owasp london 25th feb
Dinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
Dinis Cruz
 

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
A Presentation on Artificial Intelligence
memembruh336
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Approach and Philosophy of On baking technology
30anthuong17
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation theory and applications.pdf
gurumoop
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 

Evolving challenges for modern enterprise architectures in the age of APIs