How Secure Are Your APIs?
5 likes17,541 views
The document discusses the security challenges faced by APIs and highlights recent high-profile attacks, underlining the necessity for dedicated API security infrastructures. It introduces Apigee Sense, a solution designed to detect anomalous behavior patterns and proactively identify threats utilizing behavior-based algorithms. The system promotes a closed-loop security approach, allowing administrators to implement real-time actions against suspicious API requests.
How Secure Are Your APIs?
- 1. How Secure Are Your APIs? Kevin Ford Apigee | Google Cloud
- 3. APIs Are Under Attack 3 • Standard Interface • Consistent Resource model • Easy Programmability • Published Documentation • Mobile App Proliferation
- 4. Proprietary and confidential API Attacks That Made the News “An Instagram Hack Hit Millions of Accounts, and Victims’ Phone Numbers are Now for Sale.” “No Butts About It, Some Pinterest Users Have Been Hacked.” “Three Million Moonpig Accounts Exposed by Flaw.” “Nissan Leaf Hackable Through Insecure APIs.” “Thieves Stole Taxpayer Data from IRS ‘Get Transcript’ Service.”
- 5. Layered Security and Governance Backend RBAC management IDM Integration Global Policies User Provisioning AD / LDAP Groups Quota/Spike Arrest SQL threat protection JSON bomb protection IP based restrictions Bot Detection (public today) Data Security Two-way TLS API key OAuth2 Threat Protection Identity Mgmt & Governance Management Server Portal Analytics API MANAGEMENT Data Security Two-way TLS IP Access Control Logging & Auditing Data Security Org Boundaries Encryption SOC 2, PCI-DSS, HIPAA Access Control OAuth2 API Key Verification IP Access Control Logging & Auditing Partners/ Apps
- 6. Signs of Attack on APIs • Persistent attempts from same IP • Unusual error rates • Suspicious client requests • Data crawling • Key harvesting • Activity bursts • Geographical patterns • Brute force attacks • Bots probing for API security weakness • Competitors scraping price data • Credential stuffing • Abuse of guest accounts • Bot traffic skewing analytics and KPIs • Using compromised API keys to access private APIs • Dictionary-type attacks • Man-in-the-Middle attacks
- 7. Backend Systems Apigee 7 WAF API Key Access Token User Agent Contextual Volume x x x x x x x x * Other Attributes Data Warehouse CRM, ERP, etc. SOA Microservices Why Traditional Approaches Fail
- 8. Solution: Dedicated API Security Infrastructure APIs need a dedicated security infrastructure to protect against the increasing threat of malicious behavior. Once is happenstance. Twice is coincidence. The third time it’s enemy action. Ian Fleming
- 9. Intelligent behavior detection to protect APIs from attack. 9 Apigee Sense
- 10. How does Apigee Sense Protect your APIs? ● Purpose built for APIs ● Uses behavior-based rules and algorithms ● Detects anomalous behavior patterns at the API layer ● Complete closed-loop system Takes actions based on rules specified by administrators
- 11. Intelligent Apigee Sense • Studies call patterns from API metadata • Algorithms detect anomalies • Analyzes customer traffic over time
- 12. Behavior Detection Apigee Sense • Detects behavior • Finds anomalies • Proactively identifies threats • Examines metadata • Characterizes requests • Flags suspicious requests • Administrators apply desired action for a given behavior Hackers Brute Force Attacks
- 13. Protect APIs Apigee Sense • Alerts teams • Tags or blocks • Takes Action based on admin policies • Closed-loop system
- 15. Handle Flagged Requests via Configuration Handle Flagged Requests via Code Honeypot, Conditional Routing, Callouts, Logging Flexible Protection
- 17. A Secure Solution… With Extreme Visibility
- 18. The Best Defense Is A Good Offense
- 19. Questions?