WHAT HACKERS DON’T WANT YOU TO KNOW: HOW TO
MAXIMIZE YOUR API SECURITY
June 20, 2019
Denver MuleSoft Meetup Group
All contents © MuleSoft Inc.
Agenda
• 6:00PM – Doors open
• 6:00PM - 6:30PM – Network, Eat, and Socialize
• 6:30PM - 6:35PM – Introductions
• 6:35PM - 7:30PM – Presentation/Demo
• 7:30PM - 7:45PM – Q&A
• 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and Speakers
Introductions
• About the organizer:
– Big Compass
• About the presenters:
– Aaron Lieberman
– Tyler Reynolds
MuleSoft API Management and Security
• MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
• PingIntelligence with MuleSoft APIs
API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage
Demo: API Lifecycle
With MuleSoft API Manager security policies, what is the difference between rate limiting and request throttling?
Giveaway!
MuleSoft API Management
• API Manager
– Creating an API
– SLA Tiers
– Contracts
– Alerts
– Policies
• Out of the box policies
• Custom Policy from API Manager
• Develop Custom Policy in Anypoint Studio
• Secure your APIs!
– Monitoring
Securing APIs in MuleSoft With API Manager
• Specific to one API
– New feature of automated policies to apply the same set of policies to many APIs
• Common Policies in API Manager
– Basic authentication
– IP whitelist/blacklist
– Client ID Enforcement
– OAuth 2.0
– SLA based rate limiting and throttling
Demo: MuleSoft API Management/Security and Attacking a MuleSoft API
MuleSoft Anypoint Security
• Secure all applications deployed to your Runtime Fabric with Edge Policies
• Implement a Web Application Firewall (WAF)
• Other policies
– IP whitelist
– Denial of service
– HTTP limits
MuleSoft + WAF Security
• Protects against many common attacks
– SQL Injection
– Cross Site Scripting
– Body scanning
– OWASP Top 10 attacks
– These are known vulnerabilities!
Security Policies + WAF Protection
• What do security policies + WAF actually protect against?
– Basic attacks (authentication, rate limiting, SQL injection, etc.)
• What are the vulnerabilities?
– Advanced API attacks from authenticated hackers
– No way to detect authenticated attacks
• Google took 2.5 years to detect a breach
• How do we protect against these vulnerabilities?
MuleSoft + WAF Security Demo Architecture
Demo: MuleSoft API + WAF Security and Attacking an API Behind a WAF
How long did it take Google to detect an ongoing breach on their API?
A. 0-6 Months
B. 6-12 Months
C. 12-24 Months
D. 2+ Years
Giveaway!
Current API Landscape
• APIs steadily increasing
• Attacks steadily increasing
Current API Security Landscape
Reactive -> Proactive
Chart: Average Time to Detect First Breach (2018 Verizon DBIR)
API Security Survey:
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs
API Security – A Difficult Problem!
Figure: per-session signals (IP, Geolocation, Time/Day, Session Length, ...) across API 1, API 2, API 3, API 4
• High number of sessions across many APIs
• High velocity connections
• Large mix of inbound client types and activity
– Legitimate clients
– High velocity attackers disrupt services, access content, etc.
– Hackers with valid credentials blend in while maliciously accessing API services
• Looking for a needle in a haystack
How vulnerable are APIs to attacks?
• API Login and API DDoS Attacks
– Brute force login attacks
– Stolen identifiers: cookies and tokens
– API specific DoS and API DDoS attacks
• Compromised Account / Insider Attacks
– Account take over
– Data theft
– Application control
• Hackers using Machine Learning
– Every attack looks different
– Every blocked attack leads to a new attack …
Answer: Leverage AI
• MODEL
– Learn from API traffic
– Build model for legit apps
• DETECT
– Inspect runtime traffic
– Look for deviations from model
• BLOCK
– Block compromised tokens
– Notify/alert
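As an added example (not from the deck, and not PingIntelligence's implementation), the MODEL / DETECT / BLOCK loop above and the per-session signals from the "A Difficult Problem" slide, run over constructed access-log lines in Python: a per-API baseline of (method, route) pairs, per-token countries and the busiest legitimate request window is learned from known-good traffic, then runtime traffic from valid tokens is scored against it. The log format, field names, WINDOW and RATE_FACTOR are assumptions.

```python
"""MODEL / DETECT / BLOCK over API access logs (added example, not from the slides)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WINDOW = 60        # seconds per rate window (assumption)
RATE_FACTOR = 3    # tolerate up to 3x the busiest legitimate window (assumption)
ID_SEGMENT = re.compile(r"/\d+")

# Constructed access-log lines: "<epoch-seconds> <api> <token> <country> <method> <path>".
# Training window: traffic from known-good client apps only.
TRAINING_LOG = [
    "1000 orders tokA US GET /orders",
    "1001 orders tokA US GET /orders/17",
    "1002 orders tokB US GET /orders",
    "1030 orders tokB US POST /orders",
    "1060 orders tokA US GET /orders/18",
    "1090 orders tokC DE GET /orders",
    "1120 orders tokC DE GET /orders/41",
    "1150 orders tokB US GET /orders/52",
]
# Runtime window: the same valid tokens, plus three behaviours the model never saw.
RUNTIME_LOG = [
    "2000 orders tokA US GET /orders",
    "2001 orders tokA US GET /orders/17",
] + [f"{2002 + i} orders tokX US GET /orders/{i + 1}" for i in range(8)] + [  # id enumeration
    "2020 orders tokB US DELETE /orders/52",  # method no legitimate app ever used
    "2030 orders tokC BR GET /orders/41",     # tokC has only ever come from DE
]

@dataclass
class Event:
    ts: int
    api: str
    token: str
    country: str
    method: str
    path: str

def parse(line: str) -> Event:
    ts, api, token, country, method, path = line.split()
    return Event(int(ts), api, token, country, method, path)

def route(path: str) -> str:
    """Collapse numeric ids so /orders/17 and /orders/18 share one route."""
    return ID_SEGMENT.sub("/{id}", path)

@dataclass
class Model:
    routes: Dict[str, Set[Tuple[str, str]]] = field(default_factory=lambda: defaultdict(set))
    rate_limit: Dict[str, int] = field(default_factory=dict)
    countries: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

def learn(lines: List[str]) -> Model:
    """MODEL: record, per API, the (method, route) pairs and the busiest per-token window."""
    m = Model()
    per_window = defaultdict(int)  # (api, token, window) -> request count
    for ev in map(parse, lines):
        m.routes[ev.api].add((ev.method, route(ev.path)))
        m.countries[ev.token].add(ev.country)
        per_window[(ev.api, ev.token, ev.ts // WINDOW)] += 1
    peak = defaultdict(int)
    for (api, _token, _window), n in per_window.items():
        peak[api] = max(peak[api], n)
    for api in m.routes:
        m.rate_limit[api] = RATE_FACTOR * peak[api]
    return m

def detect(m: Model, lines: List[str]) -> List[Tuple[str, str]]:
    """DETECT: return (token, reason) for every deviation from the model."""
    alerts: List[Tuple[str, str]] = []
    first_country: Dict[str, str] = {}  # baseline for tokens unseen in training
    per_window = defaultdict(int)
    rate_flagged = set()  # one rate alert per (api, token, window)
    for ev in map(parse, lines):
        r = route(ev.path)
        if (ev.method, r) not in m.routes.get(ev.api, set()):
            alerts.append((ev.token, f"unseen {ev.method} {r} on {ev.api}"))
        baseline = m.countries.get(ev.token) or {first_country.setdefault(ev.token, ev.country)}
        if ev.country not in baseline:
            alerts.append((ev.token, f"country {ev.country} outside baseline {sorted(baseline)}"))
        key = (ev.api, ev.token, ev.ts // WINDOW)
        per_window[key] += 1
        if per_window[key] > m.rate_limit.get(ev.api, 0) and key not in rate_flagged:
            rate_flagged.add(key)
            alerts.append((ev.token, f"{per_window[key]} requests to {ev.api} in one {WINDOW}s window"))
    return alerts

def block_list(alerts: List[Tuple[str, str]]) -> Set[str]:
    """BLOCK: every token with a deviation is revoked at the gateway and alerted on."""
    return {token for token, _ in alerts}

if __name__ == "__main__":
    found = detect(learn(TRAINING_LOG), RUNTIME_LOG)
    print(*found, "block: " + str(sorted(block_list(found))), sep="\n")
```

Every flagged request carried a syntactically valid token, which is the case a WAF or a rate-limit policy alone would pass; the model catches them only because it knows what each token and API normally does.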
PingIntelligence For APIs
Figure: PingIntelligence for APIs® between app servers and APIs (API Discovery, Attack Blocking, Deep Reporting)
• Deep API Visibility
– Dynamically discover APIs across all environments
– Monitor all API activity including every command and method used throughout a session
• Automated threat detection and blocking
– Detect and stop attacks that use APIs to compromise data and applications
– Use API honeypots to instantly detect probing hackers and prevent access to production APIs
• Self Learning
– Use AI to discover expected behavior for each API in API gateway and app server environment
– Eliminate the need to write and manage policies and update API attack signatures
Zero Trust
• You can’t fully trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
– Client app, user, 3rd party identities
Figure: token-theft paths into the API (Phishing + token, Stolen token, User data, GitHub leaking client secrets, Password reuse)
Comprehensive Security: MuleSoft + PingIntelligence
• MuleSoft (Scalable Multi-Cloud API Platform): Foundational API Security
– Content Injection: JSON, XML, SQL injection protection, XSS
– Flow Control: Throttling, Metering, Quota Management, Circuit-breakers
– Access Control: AuthN, AuthZ, Token Management, Microgateway
• PingIntelligence for APIs (AI-powered Threat Protection for APIs): AI-Powered Cyberattacks Detection
– Automated Cyber Attack Blocking: Blocks stolen tokens/cookies, Bad IP’s & API keys
– API Deception & Honeypot: Instant hacking detection and blocking
– Deep API Traffic Visibility & Reporting: Monitor & report on all API activity
PingIntelligence Augments API Security
Complementary to API Gateways and WAFs
Diagram: API Gateways (API Management, Security Policies) + Web Application Firewalls (OWASP Top 10 Protection) + PingIntelligence for APIs (Authenticated users, Advanced attacks)
Hacker Deception
Attack Landscape Summary
• API Breaches go undetected for months or years
• Enterprises need to incorporate zero-trust into their API strategy
• Gartner: “by 2022, API abuses will be the most frequent attack vector that result in breaches”
• Many attacks can’t be detected with traditional API security
• Help is here from MuleSoft and PingIntelligence
Figure: your customer / your org
MuleSoft + WAF + PingIntelligence Architecture
• Full Lifecycle API Mgmt. (MuleSoft)
– Design, Create, Publish APIs
– Content Inspection
– Content Validation
– Session Management
– Policy Based Security enforcement
– Rate Limiting
• API Visibility & Protection (PingIntelligence)
– Deep Visibility & Reporting
– Unique API Behavioral models
– Automated Attack Blocking
– API Discovery
– API Deception
– Self Learning: no rules or Policies
• Web Application Security (WAF)
– WAF Positive Security Model
– OWASP Top 10 Protection
– DDoS Prevention
– RASP
– Content Filtering
– Rate Limiting
– Signature Based Detection
Demo: Attacking a MuleSoft Security + WAF + PingIntelligence Protected API
References and Documentation
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
– https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
– https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
– Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
• https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html
References and Documentation
• MuleSoft Documentation
– API Manager
• https://docs.mulesoft.com/api-manager/2.x/
– Anypoint Security
• https://docs.mulesoft.com/anypoint-security/
Questions?
What’s Next?
• Share:
– Tweet your pictures with the hashtag #MuleMeetup
– Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
– Contact your organizer aaron@bigcompass.com or linda.gunn@bigcompass.com to suggest topics
– Contact MuleSoft at meetup@mulesoft.com for ways to improve the program
• Our next meetup:
– Date: August 2019
– Location: TBD
– Topic: TBD
See you next time
Please send topic suggestions to the organizer
What Hackers Don’t Want You To Know: How to Maximize Your API Security

Más contenido relacionado

La actualidad más candente

Deep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed MicroservicesDeep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed Microservices
AaronLieberman5
 

La actualidad más candente (20)

The RAML 1.0 Ecosystem
The RAML 1.0 EcosystemThe RAML 1.0 Ecosystem
The RAML 1.0 Ecosystem
 
Warsaw MuleSoft Meetup #7 - custom policy
Warsaw MuleSoft Meetup #7 - custom policyWarsaw MuleSoft Meetup #7 - custom policy
Warsaw MuleSoft Meetup #7 - custom policy
 
Ahmedabad MuleSoft Meetup #4
Ahmedabad MuleSoft Meetup #4Ahmedabad MuleSoft Meetup #4
Ahmedabad MuleSoft Meetup #4
 
Ahmedabad MuleSoft Meetup #1
Ahmedabad MuleSoft Meetup #1Ahmedabad MuleSoft Meetup #1
Ahmedabad MuleSoft Meetup #1
 
Chandigarh MuleSoft Meetup #3
Chandigarh MuleSoft Meetup #3Chandigarh MuleSoft Meetup #3
Chandigarh MuleSoft Meetup #3
 
Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Mulesoft with ELK (Elastic Search, Log stash, Kibana)Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Mulesoft with ELK (Elastic Search, Log stash, Kibana)
 
Warsaw MuleSoft Meetup #6 - CI/CD
Warsaw MuleSoft Meetup  #6 - CI/CDWarsaw MuleSoft Meetup  #6 - CI/CD
Warsaw MuleSoft Meetup #6 - CI/CD
 
Deep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed MicroservicesDeep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed Microservices
 
Meetup bangalore june29th2019
Meetup bangalore june29th2019Meetup bangalore june29th2019
Meetup bangalore june29th2019
 
Riyadh Meetup4- Sonarqube for Mule 4 Code review
Riyadh Meetup4- Sonarqube for Mule 4 Code reviewRiyadh Meetup4- Sonarqube for Mule 4 Code review
Riyadh Meetup4- Sonarqube for Mule 4 Code review
 
MuleSoft Online Meetup - MuleSoft integration with snowflake and kafka
MuleSoft Online Meetup - MuleSoft integration with snowflake and kafkaMuleSoft Online Meetup - MuleSoft integration with snowflake and kafka
MuleSoft Online Meetup - MuleSoft integration with snowflake and kafka
 
Mulesoft Pune Meetup Deck - Apr 2020
Mulesoft Pune Meetup Deck - Apr 2020Mulesoft Pune Meetup Deck - Apr 2020
Mulesoft Pune Meetup Deck - Apr 2020
 
Flow Tuning: Mule 3 vs. Mule 4 - MuleSoft Chicago CONNECT
Flow Tuning: Mule 3 vs. Mule 4 - MuleSoft Chicago CONNECTFlow Tuning: Mule 3 vs. Mule 4 - MuleSoft Chicago CONNECT
Flow Tuning: Mule 3 vs. Mule 4 - MuleSoft Chicago CONNECT
 
Mule soft Meetup #3
 Mule soft Meetup #3 Mule soft Meetup #3
Mule soft Meetup #3
 
Mule meetup 25thjan
Mule meetup 25thjanMule meetup 25thjan
Mule meetup 25thjan
 
Meetup slide 1st june
Meetup slide 1st juneMeetup slide 1st june
Meetup slide 1st june
 
Chandigarh MuleSoft Meetup #01
Chandigarh MuleSoft Meetup #01Chandigarh MuleSoft Meetup #01
Chandigarh MuleSoft Meetup #01
 
Warsaw MuleSoft Meetup - Runtime Fabric
Warsaw MuleSoft Meetup - Runtime FabricWarsaw MuleSoft Meetup - Runtime Fabric
Warsaw MuleSoft Meetup - Runtime Fabric
 
MuleSoft Meetup Virtual_ 2_Charlotte
MuleSoft Meetup Virtual_ 2_CharlotteMuleSoft Meetup Virtual_ 2_Charlotte
MuleSoft Meetup Virtual_ 2_Charlotte
 
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
 

Similar a What Hackers Don’t Want You To Know: How to Maximize Your API Security

Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and Quality
Akana
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 

Similar a What Hackers Don’t Want You To Know: How to Maximize Your API Security (20)

Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
Adapt or Die Sydney - API Security
Adapt or Die Sydney - API SecurityAdapt or Die Sydney - API Security
Adapt or Die Sydney - API Security
 
Mule soft riyadh virtual meetup_30_aug
Mule soft riyadh virtual meetup_30_augMule soft riyadh virtual meetup_30_aug
Mule soft riyadh virtual meetup_30_aug
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
 
APIs: The New Security Layer
APIs: The New Security LayerAPIs: The New Security Layer
APIs: The New Security Layer
 
Enhancing your Security APIs
Enhancing your Security APIsEnhancing your Security APIs
Enhancing your Security APIs
 
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
 
MuleSoft Meetup slides_kualalumpur_19thSept_Undisturbed REST: Achieving Undis...
MuleSoft Meetup slides_kualalumpur_19thSept_Undisturbed REST: Achieving Undis...MuleSoft Meetup slides_kualalumpur_19thSept_Undisturbed REST: Achieving Undis...
MuleSoft Meetup slides_kualalumpur_19thSept_Undisturbed REST: Achieving Undis...
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and Quality
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
 
Mule soft meetup_indonesia_june2020
Mule soft meetup_indonesia_june2020Mule soft meetup_indonesia_june2020
Mule soft meetup_indonesia_june2020
 
Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best Practices
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
 

Más de AaronLieberman5

API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
The Integrations Behind Connecting With Salesforce
The Integrations Behind Connecting With SalesforceThe Integrations Behind Connecting With Salesforce
The Integrations Behind Connecting With Salesforce
AaronLieberman5
 
Integration Success with AWS and Boomi
Integration Success with AWS and BoomiIntegration Success with AWS and Boomi
Integration Success with AWS and Boomi
AaronLieberman5
 
Serverless & Serverless Devops: Scaling Together
Serverless & Serverless Devops: Scaling TogetherServerless & Serverless Devops: Scaling Together
Serverless & Serverless Devops: Scaling Together
AaronLieberman5
 
Unlocking the Power of Salesforce Integrations with Confluent
Unlocking the Power of Salesforce Integrations with ConfluentUnlocking the Power of Salesforce Integrations with Confluent
Unlocking the Power of Salesforce Integrations with Confluent
AaronLieberman5
 
Deep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed MicroservicesDeep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed Microservices
AaronLieberman5
 
Serverless Cloud Integrations Meetup: The Path Forward
Serverless Cloud Integrations Meetup: The Path ForwardServerless Cloud Integrations Meetup: The Path Forward
Serverless Cloud Integrations Meetup: The Path Forward
AaronLieberman5
 

Más de AaronLieberman5 (11)

Innovating on B2B Connectivity
Innovating on B2B ConnectivityInnovating on B2B Connectivity
Innovating on B2B Connectivity
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
The Integrations Behind Connecting With Salesforce
The Integrations Behind Connecting With SalesforceThe Integrations Behind Connecting With Salesforce
The Integrations Behind Connecting With Salesforce
 
Integration Success with AWS and Boomi
Integration Success with AWS and BoomiIntegration Success with AWS and Boomi
Integration Success with AWS and Boomi
 
Serverless & Serverless Devops: Scaling Together
Serverless & Serverless Devops: Scaling TogetherServerless & Serverless Devops: Scaling Together
Serverless & Serverless Devops: Scaling Together
 
Unlocking the Power of Salesforce Integrations with Confluent
Unlocking the Power of Salesforce Integrations with ConfluentUnlocking the Power of Salesforce Integrations with Confluent
Unlocking the Power of Salesforce Integrations with Confluent
 
Deep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed MicroservicesDeep Visibility: Logging From Distributed Microservices
Deep Visibility: Logging From Distributed Microservices
 
Extending The Power Of Anypoint Platform Using Anypoint Service Mesh
Extending The Power Of Anypoint Platform Using Anypoint Service MeshExtending The Power Of Anypoint Platform Using Anypoint Service Mesh
Extending The Power Of Anypoint Platform Using Anypoint Service Mesh
 
Serverless Cloud Integrations Meetup: The Path Forward
Serverless Cloud Integrations Meetup: The Path ForwardServerless Cloud Integrations Meetup: The Path Forward
Serverless Cloud Integrations Meetup: The Path Forward
 
Accelerate Your Development: CI/CD using AWS and Serverless
Accelerate Your Development: CI/CD using AWS and ServerlessAccelerate Your Development: CI/CD using AWS and Serverless
Accelerate Your Development: CI/CD using AWS and Serverless
 
Serverless Cloud Integrations: The Path Forward
Serverless CloudIntegrations: The Path ForwardServerless CloudIntegrations: The Path Forward
Serverless Cloud Integrations: The Path Forward
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

What Hackers Don’t Want You To Know: How to Maximize Your API Security

  • 1. WHAT HACKERS DON’T WANT YOU TO KNOW: HOW TO MAXIMIZE YOUR API SECURITY June 20, 2019 Denver MuleSoft Meetup Group
  • 2. All contents © MuleSoft Inc. Agenda 2 • 6:00PM – Doors open • 6:00PM - 6:30PM – Network, Eat, and Socialize • 6:30PM - 6:35PM – Introductions • 6:35PM - 7:30PM – Presentation/Demo • 7:30PM - 7:45PM – Q&A • 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and Speakers
  • 3. All contents © MuleSoft Inc. Introductions 3 • About the organizer: – Big Compass • About the presenters: – Aaron Lieberman – Tyler Reynolds
  • 4. • MuleSoft API Lifecycle • MuleSoft API Management • Securing a MuleSoft API • PingIntelligence with MuleSoft APIs MuleSoft API Management and Security
  • 5. All contents © MuleSoft Inc. API Lifecycle 5 • Design • Build • Test • Deploy • Manage
  • 7. With MuleSoft API Manager security policies, what is the difference between rate limiting and request throttling? Giveaway!
  • 8. All contents © MuleSoft Inc. MuleSoft API Management 8 • API Manager – Creating an API – SLA Tiers – Contracts – Alerts – Policies • Out of the box policies • Custom Policy from API Manager • Develop Custom Policy in Anypoint Studio • Secure your APIs! – Monitoring
  • 9. All contents © MuleSoft Inc. Securing APIs in MuleSoft With API Manager 9 • Specific to one API – New feature of automated policies to apply same set of policies to many APIs • Common Policies in API Manager – Basic authentication – IP whitelist/blacklist – Client ID Enforcement – OAuth 2.0 – SLA based rate limiting and throttling
  • 10. Demo MuleSoft API Management/Security and Attacking a MuleSoft API
  • 11. All contents © MuleSoft Inc. MuleSoft Anypoint Security 11 • Secure all applications deployed to your Runtime Fabric with Edge Policies • Implement a Web Application Firewall (WAF) • Other policies – IP whitelist – Denial of service – HTTP limits
  • 12. All contents © MuleSoft Inc. MuleSoft + WAF Security 12 • Protects against many common attacks – SQL Injection – Cross Site Scripting – Body scanning – OWASP Top 10 attacks – These are known vulnerabilities!
  • 13. All contents © MuleSoft Inc. Security Policies + WAF Protection 13 • What do security policies + WAF actually protect against? – Basic attacks (authentication, rate limiting, SQL injection, etc.) • What are the vulnerabilities? – Advanced API attacks from authenticated hackers – No way to detect authenticated attacks • Google took 2.5 years to detect a breach • How do we protect against these vulnerabilities?
  • 14. All contents © MuleSoft Inc. MuleSoft + WAF Security Demo Architecture 14
  • 15. Demo MuleSoft API + WAF Security and Attacking an API Behind a WAF
  • 16. How long did it take Google to detect an ongoing breach on their API? A.0-6 Months B.6-12 Months C.12-24 Months D.2+ Years Giveaway!
  • 17. All contents © MuleSoft Inc. Current API Landscape 17 • APIs steadily increasing • Attacks steadily increasing
  • 18. All contents © MuleSoft Inc. Current API Security Landscape 18 Reactive -> Proactive Average Time to Detect First Breach 2018 Verizon DBIR • 45% not confident in ability to detect malicious API access • 51% not confident in security team’s awareness of all APIs API Security Survey:
  • 19. All contents © MuleSoft Inc. API Security – A Difficult Problem! 19 IP Geolocation Time /Day Session Length ... API 1 API 2 API 3 API 4 • High number of sessions across many APIs • High velocity connections • Large mix of inbound client types and activity – Legitimate clients – High velocity attackers disrupt services, access content, etc. – Hackers with valid credentials blend in while maliciously accessing API services • Looking for a needle in a haystack
  • 20. All contents © MuleSoft Inc. 20 API Login and API DDoS Attacks •Brute force login attacks •Stolen identifiers: cookies and tokens •API specific DoS and API DDoS attacks Compromised Account / Insider Attacks •Account take over •Data theft •Application control Hackers using Machine Learning •Every attack looks different •Every blocked attack leads to a new attack … How vulnerable are APIs to attacks?
• 21. Answer: Leverage AI
• MODEL
– Learn from API traffic
– Build a model of legitimate app behaviour
• DETECT
– Inspect runtime traffic
– Look for deviations from the model
• BLOCK
– Block compromised tokens
– Notify/alert
• 22. PingIntelligence for APIs
• (Diagram: PingIntelligence for APIs sits between APIs and app servers, providing API discovery, attack blocking and deep reporting)
• Deep API visibility
– Dynamically discover APIs across all environments
– Monitor all API activity, including every command and method used throughout a session
• Automated threat detection and blocking
– Detect and stop attacks that use APIs to compromise data and applications
– Use API honeypots to instantly detect probing hackers and prevent access to production APIs
• Self-learning
– Use AI to discover expected behaviour for each API in API gateway and app server environments
– Eliminate the need to write and manage policies and update API attack signatures
• 23. Zero Trust
• You can’t fully trust your own tokens!
• Bearer tokens are vulnerable (but necessary): whoever presents the token is treated as its owner, so a stolen token is as good as the login that issued it
• Vulnerabilities at other vectors are exploited at the API level
– Client app, user, 3rd-party identities
• (Figure: phishing and password reuse yield a stolen token, the token is replayed against the API to pull user data from its collections, and client secrets leak through GitHub)
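The model/detect/block loop of slide 21, the API honeypot of slide 22 and the stolen-token problem of slide 23, as a small Python detector. This is an added illustration, not code from the deck and not how PingIntelligence is implemented; the log format, the token names, the decoy routes and the thresholds are all constructed for the example. It learns a per-token baseline (endpoints used, source /24 networks, busiest minute) from traffic assumed legitimate, then scores live requests and blocks a token on the first rule it trips.

```python
"""Behavioural API-abuse detection: learn what each token normally does, flag live
requests that deviate, block the token. Constructed illustration only; nothing here
describes the internals of PingIntelligence or MuleSoft."""
from collections import Counter, defaultdict, namedtuple
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress

Event = namedtuple("Event", "ts token ip method path status")

def parse_log(text):
    """Parse constructed 'ISO-timestamp token client-ip METHOD /path status' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, token, ip, method, path, status = line.split()
        events.append(Event(datetime.fromisoformat(ts), token, ip, method, path, int(status)))
    return events

def subnet(ip):
    """Baseline on the /24, not the exact address, so DHCP churn is not a deviation."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

@dataclass
class Baseline:
    endpoints: set = field(default_factory=set)  # (method, path) pairs this token used
    subnets: set = field(default_factory=set)    # source /24s this token came from
    peak_per_minute: int = 0                     # busiest minute during learning

def learn(events):
    """MODEL phase: one Baseline per token from traffic assumed to be legitimate."""
    model, per_minute = defaultdict(Baseline), Counter()
    for e in events:
        model[e.token].endpoints.add((e.method, e.path))
        model[e.token].subnets.add(subnet(e.ip))
        per_minute[(e.token, e.ts.replace(second=0))] += 1
    for (token, _), n in per_minute.items():
        model[token].peak_per_minute = max(model[token].peak_per_minute, n)
    return dict(model)

# Decoy routes in no published spec (assumed names): only a prober ever requests them.
DECOYS = {"/api/v1/admin/export", "/api/v1/internal/keys"}

def detect(model, live, rate_factor=3, probe_404s=5):
    """DETECT + BLOCK phases. Returns ({token: reason}, [(ts, token, ip, reason)]).
    Rules in order: honeypot (decoy route), enumeration (probe_404s distinct 404 paths),
    token-misuse (new /24 AND an endpoint this token never used: a replayed stolen
    token; either signal alone is too noisy), rate-deviation (> rate_factor x learned
    peak in one minute). Unknown tokens have no baseline, so only the first two apply."""
    blocked, alerts = {}, []
    per_minute, not_found = Counter(), defaultdict(set)
    for e in live:
        if e.token in blocked:
            continue  # the gateway would already be rejecting this token
        minute = e.ts.replace(second=0)
        per_minute[(e.token, minute)] += 1
        if e.status == 404:
            not_found[e.token].add(e.path)
        base, reason = model.get(e.token), None
        if e.path in DECOYS:
            reason = "honeypot"
        elif len(not_found[e.token]) >= probe_404s:
            reason = "enumeration"
        elif base is not None:
            new_net = subnet(e.ip) not in base.subnets
            new_endpoint = (e.method, e.path) not in base.endpoints
            if new_net and new_endpoint:
                reason = "token-misuse"
            elif per_minute[(e.token, minute)] > rate_factor * base.peak_per_minute:
                reason = "rate-deviation"
        if reason:
            blocked[e.token] = reason
            alerts.append((e.ts.isoformat(), e.token, e.ip, reason))
    return blocked, alerts

# Constructed learning-window traffic: two known clients behaving normally.
TRAINING = """\
2019-06-20T18:00:05 tok-alice 203.0.113.10 GET /api/v1/orders 200
2019-06-20T18:00:09 tok-alice 203.0.113.10 GET /api/v1/orders/42 200
2019-06-20T18:00:40 tok-alice 203.0.113.11 POST /api/v1/orders 201
2019-06-20T18:01:02 tok-alice 203.0.113.10 GET /api/v1/orders 200
2019-06-20T18:01:30 tok-bob 198.51.100.7 GET /api/v1/profile 200
2019-06-20T18:01:44 tok-bob 198.51.100.7 GET /api/v1/orders 200
"""
# Constructed live traffic: bob's token replayed from a new network against new
# endpoints, an unknown token hitting a decoy, a scanner walking non-existent paths,
# and alice's token bursting to ten requests in one minute (learned peak was three).
LIVE = """\
2019-06-20T19:00:03 tok-bob 192.0.2.55 GET /api/v1/orders 200
2019-06-20T19:00:04 tok-bob 192.0.2.55 GET /api/v1/users 200
2019-06-20T19:00:10 tok-carol 192.0.2.9 GET /api/v1/orders 200
2019-06-20T19:00:11 tok-carol 192.0.2.9 GET /api/v1/admin/export 200
""" + "".join(f"2019-06-20T19:00:2{i} tok-dave 198.51.100.200 GET /api/v1/{p} 404\n"
              for i, p in enumerate("abcde")) \
    + "".join(f"2019-06-20T19:05:{i:02d} tok-alice 203.0.113.10 GET /api/v1/orders 200\n"
              for i in range(10))

def run_demo():
    blocked, alerts = detect(learn(parse_log(TRAINING)), parse_log(LIVE))
    for ts, token, ip, reason in alerts:
        print(f"BLOCK {token} at {ts} from {ip}: {reason}")
    return blocked

if __name__ == "__main__":
    run_demo()
```

Note what the first request from bob's token does not trigger: a new source network on a known endpoint is left alone, because a legitimate user on a new connection looks exactly like that; it is the combination of new network and never-before-seen endpoint that marks the replayed token. In a real deployment the blocked-token set is what gets pushed to the gateway policy (or the token revoked at the issuer), and the baselines would be rebuilt continuously rather than from a one-off learning window.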
• 24. Comprehensive Security: MuleSoft + PingIntelligence
• Foundational API Security (MuleSoft: scalable multi-cloud API platform)
– Content Injection: JSON, XML, SQL injection protection, XSS
– Flow Control: throttling, metering, quota management, circuit breakers
– Access Control: AuthN, AuthZ, token management, Microgateway
• AI-Powered Threat Protection for APIs (PingIntelligence for APIs)
– AI-powered cyberattack detection
– Automated cyberattack blocking: blocks stolen tokens/cookies, bad IPs and API keys
– API deception and honeypot: instant hacking detection and blocking
– Deep API traffic visibility and reporting: monitor and report on all API activity
• 25. PingIntelligence Augments API Security
• Complementary to API gateways and WAFs
– API Gateways: API management security policies
– Web Application Firewalls: OWASP Top 10 protection
– PingIntelligence for APIs: authenticated users, advanced attacks
• (Diagram: API Gateways + Web Application Firewalls + PingIntelligence for APIs)
• 26. Hacker Deception
• 27. Attack Landscape Summary
• API breaches go undetected for months or years
• Enterprises need to incorporate zero trust into their API strategy
• Gartner: “by 2022, API abuses will be the most frequent attack vector that results in breaches”
• Many attacks can’t be detected with traditional API security
• Help is here from MuleSoft and PingIntelligence
• (Figure: attack path from your customer to your org)
• 28. MuleSoft + WAF + PingIntelligence Architecture
• Full Lifecycle API Mgmt. (MuleSoft)
– Design, create, publish APIs
– Content inspection and content validation
– Session management
– Policy-based security enforcement
– Rate limiting
• API Visibility & Protection (PingIntelligence)
– Deep visibility and reporting
– Unique API behavioural models
– Automated attack blocking
– API discovery
– API deception
– Self-learning: no rules or policies
• Web Application Security (WAF)
– Positive security model
– OWASP Top 10 protection
– DDoS prevention
– RASP
– Content filtering
– Rate limiting
– Signature-based detection
• 29. Demo: Attacking a MuleSoft Security + WAF + PingIntelligence Protected API
• 30. References and Documentation
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
– https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
– https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security – Kin Lane, API Evangelist, Evolving API Security Landscape whitepaper
– https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html
• 31. References and Documentation (continued)
• MuleSoft Documentation
– API Manager: https://docs.mulesoft.com/api-manager/2.x/
– Anypoint Security: https://docs.mulesoft.com/anypoint-security/
• 33. What’s Next?
• Share:
– Tweet your pictures with the hashtag #MuleMeetup
– Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
– Contact your organizer (aaron@bigcompass.com or linda.gunn@bigcompass.com) to suggest topics
– Contact MuleSoft at meetup@mulesoft.com for ways to improve the program
• Our next meetup:
– Date: August 2019
– Location: TBD
– Topic: TBD
• 34. See you next time. Please send topic suggestions to the organizer.