
Secure APIs: Road to Business Growth...2018/02/05  · Underprotected APIs •Core concern of modern...

Date post: 13-Aug-2020

Secure APIs: Road to Business Growth

Anupama Natarajan

About Me

• Senior Solutions Architect

• 15+ years experience

• Passionate about Data, Integration and Business Intelligence

https://www.linkedin.com/in/anupama-natarajan-516a107/

http://www.anupamanatarajan.com

https://twitter.com/@shantha05

Agenda

• Introduction to APIs

• API Security

• What are Underprotected APIs?

• Impacts of Underprotected APIs

• Examples of Underprotected APIs

• How to detect Underprotected APIs?

• How to protect Underprotected APIs?

• How do we design Secure APIs?

Introduction to APIs

Reference: ProgrammableWeb

API Security

Reference: APIacademy

Underprotected APIs

• Core concern of modern Enterprises

• Increases the Attack Surface

• Breadth and Complexity of APIs makes it difficult to automate effective security testing

• Malicious APIs give attackers internal access to apps

Underprotected APIs Impacts

• Technical Impacts

– Data Theft

– Data Corruption

– Data Destruction

• Business Impacts

– Denial of Service Attack on Critical API

– Critical data compromised

– Critical functions compromised

Underprotected APIs Examples

• WordPress REST API

– Parameter Manipulation

• IoT Devices

– Clear text data transmission

• Mobile App connecting to API

• Web Application connected to Database using API

Detect Underprotected APIs

• API Gateways (Apigee, Mulesoft, Azure API Management, CA Technologies, Red Hat [3scale])

• Metasploit

• ZAP (Zed Attack Proxy)

• POSTMAN, Insomnia REST Client

• Machine Learning and Analytics

Protect Underprotected APIs

• Not being in a rush

• Documentation

• Developers keeping Security in mind

• Web API tracing/testing tools

– Fiddler (HTTP Requests)

– Wireshark (Traffic capture & Analysis)

– Metasploit Framework (Penetration Testing)

Secure API Design

• Validate Parameters e.g. sanitize incoming data

• Protect against injection of all forms

• Turn on TLS everywhere and enable SSL

• Implement rigorous Authentication and Authorisation Standards

• Keep API security and implementation in separate tiers

• Using Analytics to detect API usage patterns
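
An added example, not from the original slides: one way to apply the first two design points together, validating parameters against an allow-list before the request reaches a parameterized query. The endpoint, the parameter names (`author_id`, `limit`) and the `posts` table are assumptions made up for illustration.

```python
import re
import sqlite3

# Allow-list schema (assumed for this example): name -> (pattern, required).
SCHEMA = {
    "author_id": (re.compile(r"[1-9][0-9]{0,8}"), True),
    "limit": (re.compile(r"[1-9][0-9]?"), False),   # 1..99
}

class RejectedRequest(ValueError):
    """The request carries an unknown, missing or malformed parameter."""

def validate(params):
    """Return typed parameters; reject rather than coerce doubtful input."""
    unknown = sorted(set(params) - set(SCHEMA))
    if unknown:
        raise RejectedRequest(f"unknown parameter: {unknown[0]}")
    clean = {}
    for name, (pattern, required) in SCHEMA.items():
        value = params.get(name)
        if value is None:
            if required:
                raise RejectedRequest(f"missing parameter: {name}")
            continue
        # fullmatch: "7abc" must fail, not be silently truncated to 7.
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise RejectedRequest(f"malformed parameter: {name}")
        clean[name] = int(value)
    return clean

def make_db():
    """Constructed in-memory table standing in for the API's data store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER,"
               " status TEXT, title TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", [
        (1, 7, "published", "Hello"),
        (2, 7, "draft", "Internal notes"),
        (3, 8, "published", "Other author"),
    ])
    return db

def list_posts(db, raw_params):
    """Validate first, then query with bound parameters only."""
    try:
        p = validate(raw_params)
    except RejectedRequest as exc:
        return 400, str(exc)
    rows = db.execute(
        "SELECT id, title FROM posts WHERE author_id = ? AND status = 'published'"
        " ORDER BY id LIMIT ?", (p["author_id"], p.get("limit", 20))).fetchall()
    return 200, rows
```

The visibility filter (`status = 'published'`) is fixed on the server side, so a client-supplied `status` parameter is rejected as unknown instead of being merged into the query.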

References

• https://github.com/shieldfy/API-Security-Checklist

• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

• https://www.metasploit.com/

• https://www.telerik.com/fiddler

• https://insomnia.rest/

• https://www.getpostman.com/

Thanks

