42Crunch, profile picture
Uploaded by42Crunch
PDF, PPTX262 views

SecDevOps for API Security

The document discusses the importance of API security and presents the OWASP Top 10 security risks from 2010 to 2017. It emphasizes automated approaches to API security, including input validation, monitoring, and protecting APIs through security measures like API gateways. Key recommendations include ongoing vulnerability scanning, proper JWT token validation, and implementing a DevSecOps cycle for continuous improvement of API security.

Software
Related topics:
API Security Insights

Embed presentation

Download as PDF, PPTX
The API Security Platform for the Enterprise ISABELLE MAUNY - CTO & CO-FOUNDER ISABELLE@42CRUNCH.COM SEC-DEV-OPS AN AUTOMATED APPROACH TO API SECURITY
OWASP : FROM 2010 THROUGH 2017 2 For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are: • A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards • For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are: • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards • • Top 10 2017 • A1:2017-Injection • A2:2017-Broken Authentication • A3:2017-Sensitive Data Exposure • A4:2017-XML External Entities (XXE) • A5:2017-Broken Access Control • A6:2017-Security Misconfiguration • A7:2017-Cross-Site Scripting (XSS) • A8:2017-Insecure Deserialization • A9:2017-Using Components with Known Vulnerabilities • A10:2017-Insufficient Logging&Monitoring
A FEW EXAMPLES 3
CONTENT INJECTION: WORDPRESS API 4https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
TITLE TEXT Remote Command Execution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 5
6 https://www.talosintelligence.com/reports/TALOS-2018-0539/
7 Information Leakage (A3) Broken Access Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
N26 CONTINUED… 8
9 Failed to properly validate that you can’t input any other number than yours!
UNPROTECTED API ! (A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 10
AND OF COURSE …. EQUIFAX FOR A9 11
JWT TOKEN VALIDATION 12 Failed to properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
HOW DID WE GET THERE? 13
WE ARE HUMANS! 14
15
COVERING THE BASICS 16
17
KNOW YOUR APIS 18 1 See: https://www.owasp.org/index.php/Application_Threat_Modeling
VALIDATE AND SANITIZE INPUT 19 URL validation Verb validation ✓ Reject if not valid ✓ Reject if user not-authorized Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPEN API to the RESCUE !
VALIDATE JWT TOKENS 20 Don’t trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ? ✓ RS256 (recommended) Reject None Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims Add your own claims 3 OPEN API to the RESCUE !
EXTERNAL TOKEN VS. INTERNAL JWT 21 Token Server Validate/ Issue token
FINE-GRAIN AUTHORIZATION 22 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution ✓ SAML ! 4
FINDING VULNERABILITIES 23
START EARLY: SHIFT LEFT ! 24 DeploymentTestingDevelopmentDesign
COVER THE BASICS 25 Automated Analysis Static code analysis 3rd party libraries validation (CVEs) NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
HACK YOURSELVES! 26 API Scanning/Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (alpha) Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
PROTECTION 27
28 PROTECT YOUR APIS 1 Deploy security measures such as API Security Gateways/Firewalls ✓ Introduce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Security Policies automatically applied and enforced ✓ Serves as Virtual Patching for protection ✓ Deploy at the edge and/or close to APIs (microservices architecture)
Use Development ticketing system for tracking issues Analyse runtime behaviour and raise issues automatically 29 MONITOR AND ANALYZE 2
42CRUNCH DEV-SEC-OPS CYCLE FOR APIS 30 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
TITLE TEXTHOW SECURITY PEOPLE FEEL ABOUT APIS 31
CONTACT: INFO@42CRUNCH.COM WWW.42CRUNCH.COM The API Security Platform for the Enterprise
RESOURCES OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools 33
RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 34

More Related Content

PDF
42crunch-API-security-workshop
by42Crunch
 
PDF
API Security: the full story
by42Crunch
 
PDF
Advanced API Security Patterns
by42Crunch
 
PDF
APIDays Paris Security Workshop
by42Crunch
 
PDF
Why you need API Security Automation
by42Crunch
 
PDF
OWASP API Security Top 10 Examples
by42Crunch
 
PDF
Top API Security Issues Found During POCs
by42Crunch
 
PDF
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
42crunch-API-security-workshop
by42Crunch
 
API Security: the full story
by42Crunch
 
Advanced API Security Patterns
by42Crunch
 
APIDays Paris Security Workshop
by42Crunch
 
Why you need API Security Automation
by42Crunch
 
OWASP API Security Top 10 Examples
by42Crunch
 
Top API Security Issues Found During POCs
by42Crunch
 
Guidelines to protect your APIs from threats
byIsabelle Mauny
 

What's hot

PDF
API Security in a Microservices World
by42Crunch
 
PDF
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
PDF
Applying API Security at Scale
byNordic APIs
 
PDF
API Security Guidelines: Beyond SSL and OAuth.
byIsabelle Mauny
 
PDF
Protecting Microservices APIs with 42Crunch API Firewall
by42Crunch
 
PDF
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
PDF
Better API Security with Automation
by42Crunch
 
PDF
OWASP API Security TOP 10 - 2019
byMiguel Angel Falcón Muñoz
 
PDF
APISecurity_OWASP_MitigationGuide
byIsabelle Mauny
 
PDF
Five Principles to API Security
byIsabelle Mauny
 
PDF
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PDF
WEBINAR: OWASP API Security Top 10
by42Crunch
 
PDF
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
PDF
REST API Security by Design with Azure Pipelines
by42Crunch
 
PDF
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
PDF
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
PPTX
API Security and Management Best Practices
byCA API Management
 
PDF
OISC 2019 - The OWASP Top 10 & AppSec Primer
byThreatReel Podcast
 
API Security in a Microservices World
by42Crunch
 
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
Applying API Security at Scale
byNordic APIs
 
API Security Guidelines: Beyond SSL and OAuth.
byIsabelle Mauny
 
Protecting Microservices APIs with 42Crunch API Firewall
by42Crunch
 
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
Better API Security with Automation
by42Crunch
 
OWASP API Security TOP 10 - 2019
byMiguel Angel Falcón Muñoz
 
APISecurity_OWASP_MitigationGuide
byIsabelle Mauny
 
Five Principles to API Security
byIsabelle Mauny
 
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
WEBINAR: OWASP API Security Top 10
by42Crunch
 
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
REST API Security by Design with Azure Pipelines
by42Crunch
 
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
API Security and Management Best Practices
byCA API Management
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
byThreatReel Podcast
 

Similar to SecDevOps for API Security

PDF
Better API Security With A SecDevOps Approach
byNordic APIs
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PDF
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
PDF
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
PDF
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
PDF
API Security Webinar : Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
PDF
API Security Webinar - Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
PPTX
2022 APIsecure_Are your APIs Rugged Enough?
byAPIsecure_ Official
 
PDF
API Vulnerabilties and What to Do About Them
byEoin Woods
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PDF
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
PDF
Checkmarx meetup API Security - Solving security at scale - Ante Gulam
byAdar Weidman
 
PDF
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
PDF
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
byapidays
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
Better API Security With A SecDevOps Approach
byNordic APIs
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
apidays New York 2023 - Putting yourself out there - how to secure your publi...
byapidays
 
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
byDevOps Indonesia
 
2022 APIsecure_Are your APIs Rugged Enough?
byAPIsecure_ Official
 
API Vulnerabilties and What to Do About Them
byEoin Woods
 
API Security Best Practices and Guidelines
byWSO2
 
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
OWASP API Security Top 10 - API World
by42Crunch
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
Checkmarx meetup API Security - Solving security at scale - Ante Gulam
byAdar Weidman
 
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
byapidays
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 

Recently uploaded

PDF
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
PDF
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PDF
Data Integration with Salesforce Bootcamp
byDele Amefo
 
PPTX
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
PDF
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
PDF
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
PPTX
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
PDF
Internship Project Training Report-3.pdf
byPawank36
 
PDF
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
PDF
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
PDF
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
PDF
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
PDF
7 Levels of a Web Performance Journey @ Google DevFest Brooklyn 2025
bySergeyChernyshev
 
PDF
DSD-INT 2025 Coupling GeoClaw and SFINCS for Rapid Far-Field Tsunami Inundati...
byDeltares
 
PPTX
Spec-driven Development with Kiro - AWS User Group Melbourne
byMalinda Kapuruge
 
PPTX
CRM Development Company | Custom CRM Development Services
byyugababu033
 
PDF
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
PPTX
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
Data Integration with Salesforce Bootcamp
byDele Amefo
 
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
Internship Project Training Report-3.pdf
byPawank36
 
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
7 Levels of a Web Performance Journey @ Google DevFest Brooklyn 2025
bySergeyChernyshev
 
DSD-INT 2025 Coupling GeoClaw and SFINCS for Rapid Far-Field Tsunami Inundati...
byDeltares
 
Spec-driven Development with Kiro - AWS User Group Melbourne
byMalinda Kapuruge
 
CRM Development Company | Custom CRM Development Services
byyugababu033
 
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 

SecDevOps for API Security

  • 1.
    The API SecurityPlatform for the Enterprise ISABELLE MAUNY - CTO & CO-FOUNDER ISABELLE@42CRUNCH.COM SEC-DEV-OPS AN AUTOMATED APPROACH TO API SECURITY
  • 2.
    OWASP : FROM2010 THROUGH 2017 2 For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are: • A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards • For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are: • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards • • Top 10 2017 • A1:2017-Injection • A2:2017-Broken Authentication • A3:2017-Sensitive Data Exposure • A4:2017-XML External Entities (XXE) • A5:2017-Broken Access Control • A6:2017-Security Misconfiguration • A7:2017-Cross-Site Scripting (XSS) • A8:2017-Insecure Deserialization • A9:2017-Using Components with Known Vulnerabilities • A10:2017-Insufficient Logging&Monitoring
  • 3.
  • 4.
    CONTENT INJECTION: WORDPRESSAPI 4https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  • 5.
    TITLE TEXT Remote CommandExecution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 5
  • 6.
  • 7.
    7 Information Leakage (A3) BrokenAccess Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
  • 8.
  • 9.
    9 Failed to properlyvalidate that you can’t input any other number than yours!
  • 10.
    UNPROTECTED API !(A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 10
  • 11.
    AND OF COURSE…. EQUIFAX FOR A9 11
  • 12.
    JWT TOKEN VALIDATION 12 Failedto properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
  • 13.
    HOW DID WE GETTHERE? 13
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
    VALIDATE AND SANITIZE INPUT 19 URLvalidation Verb validation ✓ Reject if not valid ✓ Reject if user not-authorized Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPEN API to the RESCUE !
  • 20.
    VALIDATE JWT TOKENS 20 Don’t trustthe incoming token! Validate algorithm (the one you chose!) ✓ HS256 ? ✓ RS256 (recommended) Reject None Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims Add your own claims 3 OPEN API to the RESCUE !
  • 21.
    EXTERNAL TOKEN VS.INTERNAL JWT 21 Token Server Validate/ Issue token
  • 22.
    FINE-GRAIN AUTHORIZATION 22 Who is calling? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution ✓ SAML ! 4
  • 23.
  • 24.
    START EARLY: SHIFTLEFT ! 24 DeploymentTestingDevelopmentDesign
  • 25.
    COVER THE BASICS 25 Automated Analysis Staticcode analysis 3rd party libraries validation (CVEs) NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
  • 26.
    HACK YOURSELVES! 26 API Scanning/Fuzzing ✓ Veracode,Coverity ✓ 42Crunch (alpha) Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
  • 27.
  • 28.
    28 PROTECT YOUR APIS 1 Deploy securitymeasures such as API Security Gateways/Firewalls ✓ Introduce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Security Policies automatically applied and enforced ✓ Serves as Virtual Patching for protection ✓ Deploy at the edge and/or close to APIs (microservices architecture)
  • 29.
    Use Development ticketingsystem for tracking issues Analyse runtime behaviour and raise issues automatically 29 MONITOR AND ANALYZE 2
  • 30.
    42CRUNCH DEV-SEC-OPS CYCLEFOR APIS 30 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
  • 31.
    TITLE TEXTHOW SECURITYPEOPLE FEEL ABOUT APIS 31
  • 32.
    CONTACT: INFO@42CRUNCH.COM WWW.42CRUNCH.COM The APISecurity Platform for the Enterprise
  • 33.
    RESOURCES OWASP Top 10 ✓https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools 33
  • 34.
    RESOURCES SSL Setup Scan ✓https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 34