Secure APIs for Finance
Lessons from API security successes and failures
Greg Brail
Apigee
May 2016
Agenda
What Happens to Insecure APIs
API Security Fundamentals
Why APIs are less risky
The Result: Effective API Security
No API Security
Bad things happen
I have an API!
©2015 Apigee Corp. All Rights Reserved.
But I Don’t Have an API!
Of Course You Have an API!
Wired, 9/22/15
www.ifc0nfig.com, 1/5/15
troyhunt.com, 2/24/16
Everything with a URI has an API
Some API Security Breaches (breach: reason; source)
•  Buffer: compromised third-party admin password; OAuth secret in GitHub (ProgrammableWeb)
•  Snapchat: no authentication; no rate limit (Gibson Security)
•  Multiple Kardashian apps: no authentication or authorization (Wired)
•  MoonPig: no authentication or authorization (www.ifc0nfig.com)
•  Facebook Graph API: users could delete other users’ photos; improper authorization check (ProgrammableWeb)
•  IRS GetTranscript application: password reset mechanism relied on personal data (IRS)
•  Instagram: malicious app was stealing passwords; no approval process (Daily Dot)
•  Nissan Leaf: VIN was the only security credential on the API (Troy Hunt)
•  Tesla Model S: six-character password that’s easily guessable (Security Affairs, elsewhere)
Nissan Leaf
•  http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
•  No authentication on some APIs
•  Climate control, battery status
•  Only the VIN required
•  User ID leaked by some of those APIs
Snapchat
•  http://gibsonsec.org/snapchat/
•  No rate limit on the request to look up friends by phone number
•  Hard-coded encryption key
•  Weak cipher
Mobile Banking Apps
•  Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world
•  More than 30% used non-TLS-encrypted links for at least part of the app
•  Down from 90% two years ago
•  Demonstrated JavaScript interception of some apps’ “login” page to gather passwords
Ariel Sanchez, blog.ioactive.com
A South Asian Bank
•  Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts
•  Found many major flaws and one huge one
•  All validation of account numbers for funds transfers was performed in the mobile app only, not on the server
SWIFT
•  Over $900 million in fraudulent transfer requests after a compromise at a member bank
•  Only $81 million went through: a typo in one request got the remaining transfers flagged and stopped
BAE Systems Applied Intelligence
APIs for Finance
Applying security lessons
APIs for Controlled Access
•  APIs provide a controlled way for third parties to access a service
•  Not having an API means that third parties will find another way
•  That’s why JPMC is considering this:
Federated Security is a Must
Systems like OAuth and OpenID exist for
the purpose of managing secure access
without sharing passwords
-- JPMorgan Chase, 2015 letter to shareholders
Trusted Endpoints Aren’t
•  API security must assume untrusted endpoints
•  User authentication
•  Fraud detection
•  Application-level authentication
Fundamental API Security
What every developer should know
You Have an API
What You Need to Do
•  Prevent unauthorized applications
•  Prevent unauthorized users
•  Prevent excessive traffic
•  Prevent content attacks
•  Watch for trouble
•  React to trouble
What Do Apigee Customers Do?
•  74% use OAuth
•  78% use Spike Arrest (rate limiting)
•  72% use Threat Protection (JSON/XML content checks)
What do Others Do?
•  A wide variety of solutions out there
•  87% have “API management”
•  83% are “concerned” about API security
Prevent Unauthorized Applications
•  Application Authorization is a fundamental part of API security
•  Best way to stop runaway applications
•  Only option for apps with no end user (anonymous API access)
•  Requirement for all forms of OAuth
•  Best practices
•  Use different credentials for each version of each app
•  Makes it easier to pull a bad version
•  Hide the app credentials as best you can
•  Realize that they still can be stolen
•  Have an approval process for apps
Prevent Unauthorized Users
•  Authenticate all end users for critical apps
•  Only way to keep security credentials outside the app
•  Use OAuth carefully
•  Use caution around “password” grant type
•  Only as good as identity management
•  For instance, dodgy password reset practices
•  Can you get identity as a service?
Don’t Make It Up
•  OAuth 1.0: session fixation bug
•  OAuth 1.0a: better
•  OAuth 2.0 authorization code grant type: code interception attack identified (public clients such as mobile apps)
•  RFC 7636 (PKCE) fixes it
•  Would you have discovered this on your own?
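The RFC 7636 fix, as an added example that is not part of the deck: the client generates a code_verifier, sends only its SHA-256 challenge with the authorization request, and proves it holds the verifier at the token endpoint. An attacker who intercepts the authorization code on the redirect (the public-client attack the slide refers to) cannot redeem it. The in-memory AuthorizationServer, the client name mobile-banking-app and the choice to consume a code on any redemption attempt are assumptions for this demonstration, not something the deck or the RFC prescribes.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random octets -> 43 unreserved characters, the RFC's recommended minimum."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server, enough to show the check.
    A real one also binds the code to redirect_uri and expires it quickly."""

    def __init__(self):
        self._pending = {}   # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Authorization endpoint: store the challenge against the issued code."""
        if method != "S256":
            raise ValueError("'plain' is only for clients that cannot compute SHA-256")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: the code is single-use and must be proven with the verifier."""
        entry = self._pending.pop(code, None)      # any attempt, good or bad, consumes it
        if entry is None:
            return None                            # unknown, already used, or replayed
        issued_to, challenge = entry
        if issued_to != client_id or not VERIFIER_RE.match(code_verifier):
            return None
        # Compare the recomputed challenge in constant time with the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def legitimate_flow(server, client_id):
    """Public client (a mobile app) that keeps the verifier to itself."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier), "S256")
    return server.token(client_id, code, verifier)


def intercepting_attacker(server, client_id):
    """Attacker who captured the code on the redirect (for example a second app
    registered for the same custom URI scheme) but never saw the verifier."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier), "S256")
    # client_id is no secret in a public client; the verifier is what the attacker lacks.
    return server.token(client_id, code, make_code_verifier())


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate client gets a token:", legitimate_flow(srv, "mobile-banking-app") is not None)
    print("code interceptor gets a token: ", intercepting_attacker(srv, "mobile-banking-app") is not None)
```

The point of the slide carries over: none of this is something to design yourself. The challenge format, the S256 method and the verifier alphabet come straight from the RFC, and the constant-time comparison and single-use code are the only local decisions.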
Prevent Excessive Traffic
•  Protect APIs that are vulnerable to brute force
•  Validating password
•  Validating anything
•  Anything where the only ID is in a small space
•  Protect from runaway applications
•  Denial of service is also an attack
•  Excessive usage may mean data is being harvested
•  Not always an attack – developers make mistakes
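One way to implement the two kinds of limit the slide asks for, as an added example that is not from the deck or from Apigee's Spike Arrest policy: a token-bucket limiter with a per-app bucket that catches runaway or harvesting applications, plus tighter per-subject buckets on the brute-force-prone endpoints, keyed by the account or identifier being guessed at rather than by the caller. The endpoint paths, the scope names and the numeric limits are hypothetical; the clock is injectable so the behaviour can be checked without waiting.

```python
import time

# Endpoints whose only "secret" is a small identifier space get their own, tighter
# scope keyed by the thing being guessed at. Paths, names and limits are hypothetical.
ENDPOINT_SCOPES = {
    "/v1/login": ("password-check", 5, 60.0),            # 5 attempts per minute per account
    "/v1/friends/by-phone": ("phone-lookup", 20, 60.0),  # 20 lookups per minute per app
}
APP_SCOPE = ("app", 100, 10.0)                            # 100 requests per 10 s per app key


class RateLimiter:
    """Token-bucket limiter; the clock is injectable so behaviour is testable."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._buckets = {}   # (scope, key) -> [tokens, last_refill_timestamp]

    def _take(self, scope, key, capacity, per_seconds):
        """Refill the bucket for (scope, key) by elapsed time, then try to spend one token."""
        now = self._clock()
        bucket = self._buckets.setdefault((scope, key), [float(capacity), now])
        tokens, last = bucket
        tokens = min(float(capacity), tokens + (now - last) * capacity / per_seconds)
        allowed = tokens >= 1.0
        bucket[0] = tokens - 1.0 if allowed else tokens
        bucket[1] = now
        return allowed

    def check(self, app_id, endpoint, subject=None):
        """Return None when the call may proceed, else the name of the scope that denied it.

        The per-app bucket is charged even when a stricter scope denies the call, so an
        app that brute-forces one endpoint also burns through its own quota."""
        name, capacity, per = APP_SCOPE
        if not self._take(name, app_id, capacity, per):
            return name
        if endpoint in ENDPOINT_SCOPES:
            name, capacity, per = ENDPOINT_SCOPES[endpoint]
            # Key on the account under attack when we know it, otherwise on the app.
            if not self._take(name, subject or app_id, capacity, per):
                return name
        return None


if __name__ == "__main__":
    now = [0.0]                                   # fake clock for the demonstration
    limiter = RateLimiter(clock=lambda: now[0])
    for attempt in range(1, 8):
        verdict = limiter.check("app-1", "/v1/login", "alice") or "allowed"
        print(f"login attempt {attempt} for alice -> {verdict}")
    now[0] += 61.0
    print("a minute later ->", limiter.check("app-1", "/v1/login", "alice") or "allowed")
```

Keying the password-check bucket by account rather than by caller matters: an attacker can rotate app keys or source addresses, but every guess still lands on the same account. Successful authentication should also reset that account's bucket, which is left out here for brevity.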
Prevent Content Attacks
•  Accepting JSON over the Internet?
•  Excessive identifier length
•  Excessive nesting
•  Large arrays and elements
•  Accepting XML over the Internet?
•  All that and more
•  Are you sure there can’t be SQL injection?
•  Regular expression checks
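The JSON checks the slide lists, as an added example that is not code from the deck or from Apigee's Threat Protection policy: a single linear pass over the raw body that enforces a byte limit, a nesting limit, an identifier (member name) length limit, a string length limit and an array length limit before the real parser ever runs. The limits are illustrative and should be set from what the API legitimately needs to accept; the sample bodies at the bottom are constructed.

```python
import json
from typing import Optional

# Illustrative limits; set them from what the API legitimately needs to accept.
MAX_BYTES = 64 * 1024       # whole request body
MAX_DEPTH = 20              # nested objects/arrays
MAX_KEY_LEN = 64            # object member names ("identifier length")
MAX_STRING_LEN = 4096       # any string value
MAX_ARRAY_LEN = 1000        # elements in any one array


class ContentRejected(ValueError):
    """Body violated a structural limit; the JSON parser never saw it."""


def scan_limits(raw: str) -> Optional[str]:
    """One linear pass that returns the first violated limit, or None.

    Deliberately not a parser: it only tracks string state, container depth and
    commas, so it cannot be exhausted the way a recursive parser can. Malformed
    input that passes here is still rejected by json.loads afterwards.
    """
    if len(raw) > MAX_BYTES:
        return f"body exceeds {MAX_BYTES} bytes"
    stack = []              # one [opening_char, comma_count] per open container
    in_string = False
    escaped = False
    string_start = 0
    n = len(raw)
    for i, ch in enumerate(raw):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
                length = i - string_start - 1
                if length > MAX_STRING_LEN:
                    return f"string longer than {MAX_STRING_LEN}"
                # Inside an object, a string followed by ':' is a member name.
                j = i + 1
                while j < n and raw[j] in " \t\r\n":
                    j += 1
                is_key = bool(stack) and stack[-1][0] == "{" and j < n and raw[j] == ":"
                if is_key and length > MAX_KEY_LEN:
                    return f"identifier longer than {MAX_KEY_LEN}"
            continue
        if ch == '"':
            in_string, string_start = True, i
        elif ch in "{[":
            stack.append([ch, 0])
            if len(stack) > MAX_DEPTH:
                return f"nesting deeper than {MAX_DEPTH}"
        elif ch in "}]":
            if stack:
                stack.pop()
        elif ch == "," and stack and stack[-1][0] == "[":
            stack[-1][1] += 1                     # k commas means at least k + 1 elements
            if stack[-1][1] + 1 > MAX_ARRAY_LEN:
                return f"array longer than {MAX_ARRAY_LEN}"
    return None


def parse_bounded(raw: str):
    """Reject oversized or over-nested bodies, then parse what survives."""
    reason = scan_limits(raw)
    if reason is not None:
        raise ContentRejected(reason)
    return json.loads(raw)


if __name__ == "__main__":
    # Constructed request bodies for the demonstration.
    print(parse_bounded('{"account": "12345", "amount": 10.5}'))
    for body in ("[" * 200 + "]" * 200,
                 '{"' + "k" * 200 + '": 1}',
                 "[" + ",".join(["0"] * 5000) + "]"):
        print("rejected:", scan_limits(body))
```

The byte-length check comes first on purpose: everything after it is linear in the body size, so the scan itself cannot become the denial-of-service target. XML needs the same treatment plus entity-expansion and external-entity controls, which is the "all that and more" on the slide.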
Watch for Trouble
•  Monitor the API
•  Usage patterns
•  Usage patterns by application
•  Latency
•  Error rate
•  Monitor the world too
•  Unusual tweets?
•  Other social media?
Example: Bot Detection
•  Traffic comes from unusual places:
•  iPads in Amazon data centers
•  US-only retailers with many “customers” in Eastern Europe
•  Or unusual patterns:
•  Sequential scans of identifiers
•  API traffic faster than a human can generate
•  Identify suspected “bots”
•  Heuristics, machine learning
•  Block them by IP or otherwise
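The three heuristics on this slide run over a few log lines, as an added example that is not from the deck: a mobile user agent whose traffic originates in a data-center address range, a sequential scan of resource identifiers, and inter-arrival times no human could produce. The log format, the access-log lines, the "data-center" prefix (a documentation range standing in for a cloud provider's published ranges) and the thresholds are all constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed access-log sample: epoch_seconds client_ip app_id method path user_agent.
SAMPLE_LOG = """\
1464000000.0 203.0.113.7 app-mobile GET /v1/accounts/1001 MobileBank/2.1 (iPhone; iOS 9.3)
1464000012.5 203.0.113.7 app-mobile GET /v1/accounts/1001/transactions MobileBank/2.1 (iPhone; iOS 9.3)
1464000030.2 203.0.113.7 app-mobile GET /v1/accounts/2056 MobileBank/2.1 (iPhone; iOS 9.3)
1464000100.0 198.51.100.23 app-mobile GET /v1/accounts/5000 MobileBank/2.1 (iPad; iOS 9.3)
1464000100.1 198.51.100.23 app-mobile GET /v1/accounts/5001 MobileBank/2.1 (iPad; iOS 9.3)
1464000100.2 198.51.100.23 app-mobile GET /v1/accounts/5002 MobileBank/2.1 (iPad; iOS 9.3)
1464000100.3 198.51.100.23 app-mobile GET /v1/accounts/5003 MobileBank/2.1 (iPad; iOS 9.3)
1464000100.4 198.51.100.23 app-mobile GET /v1/accounts/5004 MobileBank/2.1 (iPad; iOS 9.3)
1464000100.5 198.51.100.23 app-mobile GET /v1/accounts/5005 MobileBank/2.1 (iPad; iOS 9.3)
1464000100.6 198.51.100.23 app-mobile GET /v1/accounts/5006 MobileBank/2.1 (iPad; iOS 9.3)
1464000100.7 198.51.100.23 app-mobile GET /v1/accounts/5007 MobileBank/2.1 (iPad; iOS 9.3)
1464000200.0 192.0.2.55 app-partner GET /v1/accounts/300 curl/7.47.0
1464000202.0 192.0.2.55 app-partner GET /v1/accounts/301 curl/7.47.0
1464000204.0 192.0.2.55 app-partner GET /v1/accounts/302 curl/7.47.0
1464000206.0 192.0.2.55 app-partner GET /v1/accounts/303 curl/7.47.0
1464000208.0 192.0.2.55 app-partner GET /v1/accounts/304 curl/7.47.0
1464000210.0 192.0.2.55 app-partner GET /v1/accounts/305 curl/7.47.0
"""

# Constructed stand-in for a cloud provider's published address ranges.
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
MOBILE_UA = re.compile(r"iPhone|iPad|Android")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
PATH_ID = re.compile(r"/(\d+)(?:/|$)")

# Illustrative thresholds.
SCAN_RUN = 5        # consecutive IDs stepping by 1 or 2 before we call it enumeration
FAST_GAP = 0.25     # seconds between requests; a person does not tap this fast
FAST_COUNT = 5      # number of sub-FAST_GAP inter-arrivals before we call it


def parse_log(text):
    """Group (timestamp, path, user_agent) per client IP, in time order."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, _app, _method, path, ua = m.groups()
            by_client[ip].append((float(ts), path, ua))
    for events in by_client.values():
        events.sort()
    return by_client


def in_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def analyze(text):
    """Return {client_ip: set_of_reasons} for clients that trip at least one heuristic."""
    flagged = {}
    for ip, events in parse_log(text).items():
        reasons = set()
        # 1. Unusual place: a "mobile device" whose traffic comes from a data center.
        if in_datacenter(ip) and any(MOBILE_UA.search(ua) for _, _, ua in events):
            reasons.add("mobile_ua_from_datacenter")
        # 2. Unusual pattern: sequential scan of resource identifiers.
        ids = []
        for _, path, _ in events:
            m = PATH_ID.search(path)
            if m:
                ids.append(int(m.group(1)))
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if 1 <= cur - prev <= 2 else 1
            if run >= SCAN_RUN:
                reasons.add("sequential_scan")
                break
        # 3. Unusual pattern: requests arriving faster than a person could make them.
        times = [t for t, _, _ in events]
        if sum(1 for a, b in zip(times, times[1:]) if b - a < FAST_GAP) >= FAST_COUNT:
            reasons.add("superhuman_rate")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(sorted(reasons)))
```

Each heuristic alone produces false positives (a partner's batch job also enumerates IDs in order, which is the "developers make mistakes" case from the earlier slide), so the output is a list of suspects for the reaction step, not an automatic block list.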
React to Trouble
•  Do you have application-level authentication?
•  Revoke app credentials
•  Change rate limit
•  Redirect app to another URL
•  No application-level authentication?
•  Insert additional logic
•  Worst case: shut down the API until it’s fixed
API Management Can Help
Effective API Security
API == Contract == Security
An API is a Contract
What is an API, really?
The “API Stack” is Small
•  Simple
•  Ubiquitous
•  Widely-understood
•  Universally implemented
API Contracts are Simple
•  Since API technology is simple,
•  So is the contract:
•  URIs
•  JSON schemas
•  Query parameters
•  Authentication
•  Simpler contracts are:
•  simpler to validate
•  simpler to test
•  simpler to prove
Simpler Means More Secure
•  Don’t agree? Let’s look at web apps:
•  Cross-site scripting
•  Insecure URIs in links
•  Cross-site request forgery
•  Insecure redirects
•  Insecure third-party pages
•  Insecure and malicious JavaScript
Simpler is Better
•  Well-known URI pattern
•  Documented schemas
•  Well-known authentication model
•  Well-known authorization model
•  One way to secure all API calls
•  Totally dynamic URI pattern is harder to test
•  Specified inputs and outputs can be tested
•  Haphazard authentication hard to test
•  Haphazard authorization hard to test
•  Multiple implementations hard to test
Summing it Up
APIs are essential for security.
Security is essential to APIs.
API risk is well-understood.
Conclusion
•  We saw lots of places where APIs were compromised
•  Many of these had nothing to do with an “API”
•  Biggest vulnerability is having an API and not realizing it
•  Everything with a URL has an API
•  Well-defined APIs can be secured
•  Lots of widely-known techniques and technology
•  A properly-secured API is verifiable
•  Use it!
Thank You

Magazine Luiza at a glance (1)
 
Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform Overview
 
Ticketmaster at a glance
Ticketmaster at a glanceTicketmaster at a glance
Ticketmaster at a glance
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First World
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2
 
Walgreens at a glance
Walgreens at a glanceWalgreens at a glance
Walgreens at a glance
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to Microgateway
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
Pitney Bowes at a glance
Pitney Bowes at a glancePitney Bowes at a glance
Pitney Bowes at a glance
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet Kapoor
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg Brail
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant Jhingran
 
London Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynoteLondon Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynote
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet Kapoor
 
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryLondon Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Enhancing your Security APIs

  • 1. Secure APIs for Finance: Lessons from API security successes and failures. Greg Brail, Apigee, May 2016
  • 2. Agenda
    •  What Happens to Insecure APIs
    •  API Security Fundamentals
    •  Why APIs are less risky
    •  The Result: Effective API Security
  • 3. No API Security: Bad things happen
  • 4. I have an API!
  • 5. But I Don’t Have an API!
  • 6. Of Course You Have an API!
    •  Wired, 9/22/15
    •  www.ifc0nfig.com, 1/5/15
    •  troyhunt.com, 2/24/16
    •  Everything with a URI has an API
  • 7. Some API Security Breaches (breach: reason; source)
    •  Buffer: Compromised third-party admin password; OAuth secret in GitHub (ProgrammableWeb)
    •  Snapchat: No authentication; no rate limit (Gibson Security)
    •  Multiple Kardashian Apps: No authentication or authorization (Wired)
    •  MoonPig: No authentication or authorization (www.ifc0nfig.com)
    •  Facebook Graph API: Users can delete other users’ photos; improper authorization check (ProgrammableWeb)
    •  IRS GetTranscript Application: Password reset mechanism relied on personal data (IRS)
    •  Instagram: Malicious app was stealing passwords; no approval process (Daily Dot)
    •  Nissan Leaf: VIN number the only security credential on the API (Troy Hunt)
    •  Tesla Model S: Six-character password that’s easily guessable (Security Affairs, elsewhere)
  • 8. Nissan Leaf
    •  http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
    •  No authentication on some APIs
      •  Climate control, battery status
    •  Only VIN number required
    •  User ID leaked by some of those APIs
  • 9. Snapchat
    •  No rate limit on request to get friends by phone number
    •  Hard-coded encryption key
    •  Weak cipher
    •  http://gibsonsec.org/snapchat/
  • 10. Mobile Banking Apps
    •  Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world
    •  More than 30% used non-TLS-encrypted links for at least part of the app
      •  Down from 90% two years ago
    •  Demonstrated JavaScript interception of some apps’ “login” page to gather passwords
    Source: Ariel Sanchez, blog.ioactive.com
  • 11. A South Asian Bank
    •  Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts
    •  Found many major flaws and one huge one
    •  All validation of account numbers for funds transfers was performed in the mobile app only, not on the server
  • 12. SWIFT
    •  Over $900 million in fraudulent transfer requests due to compromise at a member bank
    •  Became $81 million due to a typo
    Source: BAE Systems Applied Intelligence
  • 13. APIs for Finance: Applying security lessons
  • 14. APIs for Controlled Access
    •  APIs provide a controlled way for third parties to access a service
    •  Not having an API means that third parties will find another way
    •  That’s why JPMC is considering this:
  • 15. Federated Security is a Must
    “Systems like OAuth and OpenID exist for the purpose of managing secure access without sharing passwords” -- JPMorgan Chase, 2015 letter to shareholders
  • 16. Trusted Endpoints Aren’t
    •  API security must assume untrusted endpoints
      •  User authentication
      •  Fraud detection
      •  Application-level authentication
  • 17. Fundamental API Security: What every developer should know
  • 18. You Have an API
  • 19. What You Need to Do
    •  Prevent unauthorized applications
    •  Prevent unauthorized users
    •  Prevent excessive traffic
    •  Prevent content attacks
    •  Watch for trouble
    •  React to trouble
  • 20. What Do Apigee Customers Do?
    •  74% OAuth
    •  78% Spike Arrest
    •  72% Threat Protection
  • 21. What do Others Do?
    •  A wide variety of solutions out there
    •  87% have “API management”
    •  83% are “concerned” about API security
  • 22. Prevent Unauthorized Applications
    •  Application authorization is a fundamental part of API security
      •  Best way to stop runaway applications
      •  Only option for certain types of apps (anonymous API access)
      •  Requirement for all forms of OAuth
    •  Best practices
      •  Use different credentials for each version of each app
        •  Makes it easier to pull a bad version
      •  Hide the app credentials as best you can
        •  Realize that they still can be stolen
      •  Have an approval process for apps
  • 23. Prevent Unauthorized Users
    •  Authenticate all end users for critical apps
      •  Only way to keep security credentials outside the app
    •  Use OAuth carefully
      •  Use caution around the “password” grant type
    •  Only as good as identity management
      •  For instance, dodgy password reset practices
      •  Can you get identity as a service?
  • 24. Don’t Make It Up
    •  OAuth 1.0: Bug
    •  OAuth 1.0a: Better
    •  OAuth 2.0 authorization code grant type: Attack identified
      •  RFC 7636 (PKCE) fixes it
    •  Would you have discovered this on your own?
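RFC 7636 in practice, as an added example that is not code from the deck: the client derives an S256 code_challenge from a random code_verifier, and the authorization server checks the verifier presented with the authorization code against the challenge it stored when the code was issued. The function names are my own; the only test vector used is the one in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters of unreserved URI characters.
VERIFIER_MIN, VERIFIER_MAX = 43, 128
VERIFIER_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as in RFC 7636 appendix A."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a fresh high-entropy verifier, kept private until the token request.
    32 random bytes encode to 43 characters, the minimum the RFC allows."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: the S256 challenge sent with the authorization request.
    An attacker who observes this value cannot recover the verifier from it."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: the verifier presented with the
    authorization code must hash to the challenge stored with that code."""
    if not (VERIFIER_MIN <= len(presented_verifier) <= VERIFIER_MAX):
        return False
    if any(c not in VERIFIER_ALPHABET for c in presented_verifier):
        return False
    # Policy choice in this example: only S256 is accepted. The 'plain' method sends the
    # verifier itself as the challenge, so it gives no protection if the request is observed.
    if stored_method != "S256":
        return False
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def simulated_flow() -> bool:
    """Both sides of one exchange in-process: the client generates the pair, the server
    stores the challenge alongside the issued code and later checks the verifier."""
    verifier = make_code_verifier()                              # client keeps this secret
    issued_code = {"challenge": make_code_challenge(verifier),   # server stores with the code
                   "method": "S256"}
    return verify_pkce(issued_code["challenge"], issued_code["method"], verifier)
```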
  • 25. Prevent Excessive Traffic
    •  Protect APIs that are vulnerable to brute force
      •  Validating passwords
      •  Validating anything
      •  Anything where the only ID is in a small space
    •  Protect from runaway applications
      •  Denial of service is also an attack
      •  Excessive usage may mean data is being harvested
      •  Not always an attack: developers make mistakes
  • 26. Prevent Content Attacks
    •  Accepting JSON over the Internet?
      •  Excessive identifier length
      •  Excessive nesting
      •  Large arrays and elements
    •  Accepting XML over the Internet?
      •  All that and more
    •  Are you sure there can’t be SQL injection?
      •  Regular expression checks
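The JSON checks listed on slide 26, as an added example (not Apigee's threat-protection policy and not code from the deck): nesting depth is bounded by scanning the raw text before it ever reaches the parser, then property-name length, array size, object size and string length are enforced on the parsed tree. The limit values are constructed for illustration.

```python
import json

# Constructed limits; a real deployment tunes these per API.
LIMITS = {
    "max_body_bytes": 64 * 1024,
    "max_depth": 10,             # container nesting ([ and {)
    "max_array_len": 100,
    "max_object_entries": 50,
    "max_name_len": 64,          # property-name (identifier) length
    "max_string_len": 1024,
}


class JsonThreat(ValueError):
    """Raised with a short reason when a body violates a limit."""


def check_depth(raw: str, max_depth: int) -> None:
    """Count bracket nesting outside string literals *before* parsing, so a body like
    '[[[[...' cannot exhaust the parser's stack; json.loads would raise RecursionError."""
    depth, in_string, escaped = 0, False, False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise JsonThreat(f"nesting depth exceeds {max_depth}")
        elif ch in "]}":
            depth -= 1          # bracket pairing itself is validated by json.loads below


def check_tree(node, limits: dict) -> None:
    """Walk the parsed document iteratively and enforce the per-node size limits."""
    stack = [node]
    while stack:
        cur = stack.pop()
        if isinstance(cur, dict):
            if len(cur) > limits["max_object_entries"]:
                raise JsonThreat("too many object entries")
            for name, val in cur.items():
                if len(name) > limits["max_name_len"]:
                    raise JsonThreat("property name too long")
                stack.append(val)
        elif isinstance(cur, list):
            if len(cur) > limits["max_array_len"]:
                raise JsonThreat("array too long")
            stack.extend(cur)
        elif isinstance(cur, str) and len(cur) > limits["max_string_len"]:
            raise JsonThreat("string value too long")


def validate_json_body(raw: str, limits: dict = LIMITS):
    """Return the parsed document, or raise JsonThreat naming the violated limit."""
    if len(raw.encode("utf-8")) > limits["max_body_bytes"]:
        raise JsonThreat("body too large")
    check_depth(raw, limits["max_depth"])
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        raise JsonThreat(f"malformed JSON: {exc}") from None
    check_tree(doc, limits)
    return doc


def accepts(raw: str, limits: dict = LIMITS) -> bool:
    """Gateway-style yes/no decision for a request body."""
    try:
        validate_json_body(raw, limits)
        return True
    except JsonThreat:
        return False
```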
  • 27. Watch for Trouble
    •  Monitor the API
      •  Usage patterns
      •  Usage patterns by application
      •  Latency
      •  Error rate
    •  Monitor the world too
      •  Unusual tweets?
      •  Other social media?
  • 28. Example: Bot Detection
    •  Traffic comes from unusual places:
      •  iPads in Amazon data centers
      •  US-only retailers with many “customers” in Eastern Europe
    •  Or unusual patterns:
      •  Sequential scans of identifiers
      •  API traffic faster than a human can generate
    •  Identify suspected “bots”
      •  Heuristics, machine learning
    •  Block them by IP or otherwise
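The two "unusual pattern" heuristics on slide 28, sequential identifier scans and request rates no person produces by hand, as an added example run over constructed gateway log lines (not code from the deck; the log format, the thresholds and the client labels are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed gateway access log: timestamp, client IP, app key, method, path.
# 203.0.113.7/app-A walks account IDs 1001..1010 in under half a second;
# 198.51.100.20/app-B browses like a person; 203.0.113.9/app-C hammers /v1/login.
SAMPLE_LOG = """\
2016-05-02T10:00:00.000Z 203.0.113.7 app-A GET /v1/accounts/1001
2016-05-02T10:00:00.050Z 203.0.113.7 app-A GET /v1/accounts/1002
2016-05-02T10:00:00.100Z 203.0.113.7 app-A GET /v1/accounts/1003
2016-05-02T10:00:00.150Z 203.0.113.7 app-A GET /v1/accounts/1004
2016-05-02T10:00:00.200Z 203.0.113.7 app-A GET /v1/accounts/1005
2016-05-02T10:00:00.250Z 203.0.113.7 app-A GET /v1/accounts/1006
2016-05-02T10:00:00.300Z 203.0.113.7 app-A GET /v1/accounts/1007
2016-05-02T10:00:00.350Z 203.0.113.7 app-A GET /v1/accounts/1008
2016-05-02T10:00:00.400Z 203.0.113.7 app-A GET /v1/accounts/1009
2016-05-02T10:00:00.450Z 203.0.113.7 app-A GET /v1/accounts/1010
2016-05-02T10:05:00.000Z 198.51.100.20 app-B GET /v1/accounts/5001
2016-05-02T10:05:12.000Z 198.51.100.20 app-B GET /v1/accounts/5001/transactions
2016-05-02T10:05:40.000Z 198.51.100.20 app-B POST /v1/transfers
2016-05-02T10:06:10.000Z 198.51.100.20 app-B GET /v1/accounts/7003
2016-05-02T10:07:00.000Z 203.0.113.9 app-C POST /v1/login
2016-05-02T10:07:00.040Z 203.0.113.9 app-C POST /v1/login
2016-05-02T10:07:00.080Z 203.0.113.9 app-C POST /v1/login
2016-05-02T10:07:00.120Z 203.0.113.9 app-C POST /v1/login
2016-05-02T10:07:00.160Z 203.0.113.9 app-C POST /v1/login
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<app>\S+) (?P<method>\S+) (?P<path>\S+)$")
ID_RE = re.compile(r"/(\d+)$")          # numeric identifier at the end of the path

MAX_HUMAN_RPS = 5.0      # constructed threshold: sustained rate a person does not produce by hand
MIN_RATE_REQUESTS = 5    # do not judge rate on a handful of requests
MIN_SCAN_REQUESTS = 8    # enough identifier lookups before calling it a scan
SCAN_RATIO = 0.8         # share of consecutive lookups that step the ID by exactly +1


def parse_line(line):
    """Return (timestamp, ip, app, numeric_id_or_None), or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    idm = ID_RE.search(m["path"])
    return ts, m["ip"], m["app"], (int(idm.group(1)) if idm else None)


def detect_bots(lines):
    """Group requests by (ip, app) and return {client: [reasons]} for the clients
    whose request rate or identifier sequence looks automated."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, ip, app, ident = rec
            by_client[(ip, app)].append((ts, ident))
    flagged = {}
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r[0])
        reasons = []
        if len(reqs) >= MIN_RATE_REQUESTS:
            span = (reqs[-1][0] - reqs[0][0]).total_seconds()
            if len(reqs) / max(span, 0.001) > MAX_HUMAN_RPS:
                reasons.append("rate above human speed")
        ids = [i for _, i in reqs if i is not None]
        if len(ids) >= MIN_SCAN_REQUESTS:
            steps = [b - a for a, b in zip(ids, ids[1:])]
            if sum(1 for s in steps if s == 1) / len(steps) >= SCAN_RATIO:
                reasons.append("sequential identifier scan")
        if reasons:
            flagged[client] = reasons
    return flagged
```

The flagged clients are the input to the slide's last step (block by IP, app credential or otherwise); real traffic needs the thresholds tuned against an API's normal usage patterns before acting on them.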
  • 29. React to Trouble
    •  Do you have application-level authentication?
      •  Revoke app credentials
      •  Change rate limit
      •  Redirect app to another URL
    •  No application-level authentication?
      •  Insert additional logic
      •  Worst case: shut down the API until it’s fixed
  • 31. Effective API Security: API == Contract == Security
  • 32. An API is a Contract: What is an API, really?
  • 33. The “API Stack” is Small
    •  Simple
    •  Ubiquitous
    •  Widely understood
    •  Universally implemented
  • 34. API Contracts are Simple
    •  Since API technology is simple, so is the contract:
      •  URIs
      •  JSON schemas
      •  Query parameters
      •  Authentication
    •  Simpler contracts are:
      •  simpler to validate
      •  simpler to test
      •  simpler to prove
  • 35. Simpler Means More Secure
    •  Don’t agree? Let’s look at web apps:
      •  Cross-site scripting
      •  Insecure URIs in links
      •  Cross-site request forgery
      •  Insecure redirects
      •  Insecure third-party pages
      •  Insecure and malicious JavaScript
  • 36. Simpler is Better
    •  Well-known URI pattern, versus a totally dynamic URI pattern, which is harder to test
    •  Documented schemas: specified inputs and outputs can be tested
    •  Well-known authentication model, versus haphazard authentication, which is hard to test
    •  Well-known authorization model, versus haphazard authorization, which is hard to test
    •  One way to secure all API calls, versus multiple implementations, which are hard to test
  • 37. Summing it Up
    •  APIs are essential for security
    •  Security is essential to APIs
    •  API risk is well-understood
  • 38. Conclusion
    •  We saw lots of places where APIs were compromised
      •  Many of these had nothing to do with an “API”
    •  Biggest vulnerability is having an API and not realizing it
      •  Everything with a URL has an API
    •  Well-defined APIs can be secured
      •  Lots of widely-known techniques and technology
    •  A properly-secured API is verifiable
      •  Use it!