This is my API security presentation at Beer, Biryani and Bytes, held at the Apisero office, where I discussed how APIs can be threatened, how vulnerable our APIs will be if not protected, especially to hackers, and what Mulesoft has in its box to save your APIs from 'n' number of threats.
To know more about API security using Mulesoft, contact me on LinkedIn.
4. In this meet-up we are going to discuss:
1. API Breaches: Who Will Be Next?
2. Understanding API Vulnerabilities
3. Security Auditing
4. What Mulesoft serves for API Security
5. Securing Your APIs with Mulesoft
6. What we can do about it as developers, testers, architects and security officers
9. API VULNERABILITIES
1. Man in the Middle
2. CSRF (Cross-Site Request Forgery) attacks
3. SQL Injection
4. Distributed Denial of Service (rate limiting)
5. HTTPS and SSL Certificates
6. Firewall Optimizations
7. Logs
And much more...
10. How can your RAML or OAS/Swagger be targeted?
12. SQL Injections
How you thought it would be:
How attackers find a way in:
What you did not think it could be:
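The three captions above stand for slide images that did not survive extraction; as an added example (not from the presentation or from Mulesoft), this Python snippet walks the same three stages against a constructed in-memory SQLite table: the query as the developer imagined it, the value an attacker sends, the query the database actually ran, and the parameterized form that closes the hole. The `users` table, its rows and the function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the API's backing store (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    return conn


def build_vulnerable_sql(name):
    """How you thought it would be: the ?name= value is pasted straight into the SQL text."""
    return f"SELECT id, name FROM users WHERE name = '{name}'"


def lookup_vulnerable(conn, name):
    """What the database actually ran: whatever build_vulnerable_sql produced, whatever the input was."""
    return conn.execute(build_vulnerable_sql(name)).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter, so it can never change the query's structure."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The request the developer expected: one user, one row.
    print(lookup_vulnerable(db, "alice"))        # [(1, 'alice')]
    # How attackers find a way in: a value that closes the quote and appends a tautology.
    hostile = "x' OR '1'='1"
    print(build_vulnerable_sql(hostile))         # SELECT id, name FROM users WHERE name = 'x' OR '1'='1'
    print(lookup_vulnerable(db, hostile))        # [(1, 'alice'), (2, 'bob')]  -> every row in the table
    # The same hostile value against the parameterized query is just a name nobody has.
    print(lookup_parameterized(db, hostile))     # []
```

The parameterized query is the developer-side fix; the JSON/XML threat protection and rate limiting policies listed later in the deck are gateway-side layers that sit in front of it, not substitutes for it.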
13. What's a Secure API?
A secure API is one that can guarantee the confidentiality of the information it processes by making it visible only to the users, apps and servers that are authorized to consume it.
17. What Mulesoft serves for API Security
1. API Gateways - Proxy and Policy Implementation (a policy for every need)
1. Identity Access Management (federated identity standard)
2. Mule Security Manager
3. SSH
4. PGP Security
5. Secrets Manager
19. Policy | Category | Fulfills
Basic Authentication - LDAP and Simple | Security | Authentication
Client ID Enforcement | Compliance | Client ID Required
CORS | Compliance | CORS-enabled
Header Injection and Removal | Transformation | Header Injection/Header Removal
HTTP Caching | Quality of Service | HTTP Caching
IP Blacklist/IP Whitelist | Security | IP Filtered
JSON Threat Protection | Security | JSON Threat Protected
OAuth 2.0 Access Token Enforcement Using External Provider Policy | Security | OAuth 2.0 Protected
OpenAM Access Token Enforcement | Security | OAuth 2.0 Protected
PingFederate Access Token Enforcement | Security | OAuth 2.0 Protected
Rate Limiting | Quality of Service | Rate Limited
Rate Limiting, SLA-Based | Quality of Service | Rate Limited, Client ID Required
Spike Control | Quality of Service | Throttled, Rate Limited
XML Threat Protection | Security | XML Threat Protected
Tokenization/Detokenization | Security | Security
JWT | Security | Security
21. Analysis at Conclusion
● Discover Your APIs Before Attackers Discover Them
● Use a Combination of API Management and Web Application Firewalls to Protect APIs, in Conjunction With Identity Infrastructure
● Adopt a Continuous Approach to API Security
● Use a Distributed Enforcement Model to Protect APIs Across Your Entire Architecture, Not Just at the Perimeter