Protect your APIs from Cyber Threats
Download as PPTX, PDF2 likes8,367 views
The document discusses the unique challenges in API security, highlighting vulnerabilities like OWASP top 10 attacks, API key theft, and DDoS attacks. It emphasizes the need for a data-driven approach and sophisticated machine learning algorithms to distinguish between legitimate and malicious traffic. A comprehensive, automated security system is essential for protecting APIs and valuable data.
Protect your APIs from Cyber Threats
- 1. Droid Wars: Protect your APIs from cyber threats 1©2015 Apigee. All Rights Reserved.
- 5. 5https://en.wikipedia.org/wiki/C-3PO •Search engine indexing •Health monitoring •Performance testing
- 6. 6http://ideas.wikia.com/http://starwars.wikia.com/ •Scrapers: Content, price data, inventory data •Reconnaissance: probe for API security weakness •Bruteforce bots: DDoS attacks, etc.
- 7. 7http://ideas.wikia.com/http://starwars.wikia.com/ •Theft of data and business •Promotion abuse •Bot traffic skews analytics and KPIs •Create performance overhead on Web Operations
- 8. There is also reputational risk! 8
- 9. What’s different about APIs? 9
- 11. API Security is Unique • Your APIs are vulnerable to the typical OWASP Top 10 attacks • IN ADDITION, you have to worry about: – Hackers reverse engineering apps to access private APIs – API key theft—looks like legit usage! – Traffic spike protection by way of bots or DoS attacks – Identity tracking across API sessions – XML/JSON injection-type attacks – Token harvesting due to insecure communication or storage 11
- 12. Secure Your APIs 12 Users Apps APIs Backend Mutual TLS IP access control Spike arrest Rate limits Threat protection Intrusion detection DDoS API key OAuth2 TLS IP access control OAuth2 MFA Federated login
- 13. Am I Secure Now? 13 Security Policies Configured
- 14. 14
- 15. Need to rethink the “known known” security approach 15 15 Backend Service Legitimate Traffic API Bots IP Blacklist Apps
- 16. 16
- 17. Data-driven approach to security 17
- 18. Vol URI + many other kinds… VS. Vol URI Password guessers Screen scrapers Data-driven approach to security
- 19. API Security: Data-Driven Approach
- 20. Closed Loop Protection: Analyze, Detect, Protect API clients Target Services API Dashboard Machine learning models and rules Action (Block/Throttle/Alert) Blacklist Your traffic System-wide purchased
- 21. Key Takeaways 21 • If you have valuable data, you will be targeted. • APIs bring unique challenges. Old approaches don’t work. • Sophisticated rules and machine learning algorithms are the only way to discern bots from real traffic. • An automated system is needed, to capture, analyze, report, and act.
- 23. Thank you