Security Guidelines for
Providing and Consuming APIs @faisaly
Faisal Yahya – Cloud Security Alliance – Chairman, Indonesia Chapter
Faisal Yahya,
Country Manager – PT. Vantage Point Security Indonesia
CISO with 20+ years' experience, CIO with 15+ years' experience
ISO27001 IA/LA, AWS, CISSP, CND, CEH v10, ECSA, CTIA, CCISO, CCSK v3&4, CSX-P, CySA+, ITILF, PSM I, PSPO I, CEI
Official Instructor for: EC-Council & Cloud Security Alliance
Top 50 South East Asia CIOs
Actively engaged on social media: Twitter (7k+) – LinkedIn (11k+) – Instagram (2k+)
AWS Community Builders
Cloud Security Alliance – Indonesia Chapter Lead
Cloud-Native Threats 2021 (source: Hackmageddon)
• Delivery and Exploitation (the cloud service is exploited to
deliver a malware strain or a phishing page)
• Actions on Objective (the cloud service is exploited to
steal data, or launch other attacks)
• Command and Control (the cloud service is exploited as a
command and control infrastructure)
• Data Exfiltration (the cloud service is used as a drop zone
for the exfiltrated data).
API & DevOps
New Paradigm
• Organizations have become more reliant on software
development, confirming the oft-repeated old saying
that "all organizations currently are software
companies.”
• The new DevOps paradigm did not only enable a business-side digital
transformation; that transformation also changed the processes and
activities of software development and deployment themselves.
• Gartner reports an increase in client inquiries about
API security, noting a 30% year-over-year increase in
client inquiries. By 2022, it predicts, API abuse will be
the most common attack vector for enterprise web
application breaches.
Security as a Service as an Emerging Need
If you work in an Agile environment, I believe you need a continuous
monitoring and security analysis system that is integrated into your
DevOps process. This system should be able to quickly identify security
issues and provide clear guidance, and even auto-remediation functions,
to resolve them.
The only way to build security harmoniously into the development
pipeline is by providing it as a service model.
The traditional security layering model simply no longer works.
Related Facts
• Application Programming Interface security models have
fallen behind the requirements of a non-perimeter world.
(Forrester)
• The most frequently reported API security incident in 2020
was the discovery of a vulnerability in a production API.
Organizations must complement their build and deploy
security practices with runtime security. (Salt Security)
• According to the company's customer data, the average
number of API attacks per customer per month increased
from 50 in June to nearly 80 in December. While the
average monthly volume of API calls increased by 51%, the
percentage of malicious traffic increased by 211% during
the study period. (Michelle McLean, 2021)
Traditional vs Modern Application
Source: DarkReading
• Exposing sensitive data
• Intercepted communications
• Launching denial-of-service (DoS) attacks against back-end servers
API Security Concerns
Main barriers (IMVISION, Industry Report, 2021):
• Access Control
• Runtime Protection
• Security Testing
• Integration
• Visibility
OWASP API Security
• API1:2019 Broken Object Level Authorization
• API2:2019 Broken User Authentication
• API3:2019 Excessive Data Exposure
• API4:2019 Lack of Resources & Rate Limiting
• API5:2019 Broken Function Level Authorization
• API6:2019 Mass Assignment
• API7:2019 Security Misconfiguration
• API8:2019 Injection
• API9:2019 Improper Assets Management
• API10:2019 Insufficient Logging & Monitoring
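Three entries in the list above (API1, API3 and API6) come from the same root mistake: trusting the client-supplied object identifier and request body. The block below is an added example, not code from the presentation or from the CSA paper. It shows a toy in-memory "orders" handler written twice, first with those three defects baked in and then hardened with object-level ownership checks, a response field allow-list and a request field allow-list. The `Order` fields, the `sample_store` data and the allow-lists are constructed assumptions for the example.

```python
"""Added example (not from the presentation or the CSA paper): an in-memory
'orders' handler written twice, first with OWASP API1 (BOLA), API3 (excessive
data exposure) and API6 (mass assignment) baked in, then hardened.
All names, fields and sample data are constructed for this example."""
from dataclasses import dataclass, asdict


@dataclass
class Order:
    id: int
    owner: str
    total: float
    status: str = "new"
    card_last4: str = "0000"    # sensitive: must never be returned to clients
    is_refunded: bool = False   # privileged: clients must not be able to set it


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def sample_store() -> dict:
    """Constructed sample data; a fresh copy per call so updates do not leak."""
    return {
        1: Order(1, "alice", 10.0, card_last4="4242"),
        2: Order(2, "bob", 99.0, card_last4="1111"),
    }


# --- Vulnerable handlers: trust the client-supplied id and body -----------------
def get_order_vulnerable(store: dict, caller: str, order_id: int) -> dict:
    order = store.get(order_id)
    if order is None:
        raise NotFound
    # API1: no check that `caller` owns the order.
    # API3: asdict() serialises every field, card_last4 included.
    return asdict(order)


def update_order_vulnerable(store: dict, caller: str, order_id: int, body: dict) -> dict:
    order = store.get(order_id)
    if order is None:
        raise NotFound
    for key, value in body.items():    # API6: the client chooses which attributes to set
        setattr(order, key, value)
    return asdict(order)


# --- Hardened handlers -----------------------------------------------------------
PUBLIC_FIELDS = ("id", "owner", "total", "status")   # response allow-list (API3)
CLIENT_WRITABLE = {"status"}                          # request allow-list (API6)
ALLOWED_STATUS = {"new", "cancelled"}


def _load_owned(store: dict, caller: str, order_id: int) -> Order:
    """Object-level authorization (API1): look the order up *and* check ownership.
    Missing and not-owned collapse to the same NotFound so ids cannot be enumerated."""
    order = store.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound
    return order


def get_order(store: dict, caller: str, order_id: int) -> dict:
    order = _load_owned(store, caller, order_id)
    return {name: getattr(order, name) for name in PUBLIC_FIELDS}


def update_order(store: dict, caller: str, order_id: int, body: dict) -> dict:
    order = _load_owned(store, caller, order_id)
    unexpected = set(body) - CLIENT_WRITABLE
    if unexpected:
        raise Forbidden(f"fields not writable by clients: {sorted(unexpected)}")
    status = body.get("status")
    if status not in ALLOWED_STATUS:
        raise Forbidden(f"status must be one of {sorted(ALLOWED_STATUS)}")
    order.status = status
    return get_order(store, caller, order_id)
```

The hardened version deliberately answers "not yours" and "does not exist" with the same error; the alternative of returning 403 for foreign objects tells an attacker which ids are live, which is exactly what a BOLA hunt needs.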
CSA Research Paper
Important: Use this document if the answer to any of
these questions is YES:
• Does the new service/system require long-term
integration with the company’s internal systems?
• Does the new service/system require exchange of data
with a third party?
• Will the APIs be exposed to external parties, including
the public (i.e., open APIs)?
These guidelines are also highly recommended for non-public APIs (i.e.,
APIs used internally or exposed only to restricted parties, such as in a
B2B environment).
CSA Research Paper
Section 1: API Risk Evaluation
Section 2: Ingress API Connectivity
Section 3: Mapping OWASP Top Ten to Ingress API
Connectivity
Target audience:
1. Platform
2. Service Owner
3. Security team
4. DevOps
API Risk Evaluation (1/5 to 5/5; figure slides, content not captured in the text extraction)
Ingress API Connectivity
• Phase 1: Design
• Phase 2: Development
• Phase 3: Testing
• Phase 4: Implementation
• Phase 5: Logging and Monitoring
(Figure slides walking through the five Ingress API Connectivity phases; content not captured in the text extraction)
Mapping OWASP API Top Ten to Ingress API Connectivity
(the numbers refer to the numbered guideline items of each phase in the CSA paper's Ingress API Connectivity section)

| OWASP API Top 10 (2019)                      | Design      | Development           | Testing     | Implementation  | Logging & Monitoring |
|----------------------------------------------|-------------|-----------------------|-------------|-----------------|----------------------|
| API1 Broken Object Level Authorization       | 1, 3, 5     | 10                    | 17, 18, 19  |                 | 31                   |
| API2 Broken User Authentication              | 1, 2, 3     | 8, 9, 11              | 17, 18      | 23, 26          |                      |
| API3 Excessive Data Exposure                 | 1, 2, 3     | 7, 10, 14             | 17          | 22              |                      |
| API4 Lack of Resources & Rate Limiting       | 1, 3, 5     | 7, 10, 13, 14, 15, 16 |             | 22              |                      |
| API5 Broken Function Level Authorization     | 1, 5        | 8, 10, 16             | 17, 18, 19  |                 | 30, 31               |
| API6 Mass Assignment                         | 1, 2, 3, 5  | 7, 10, 12, 14, 15     | 17, 18, 19  |                 | 31                   |
| API7 Security Misconfiguration               | 1           | 8, 9, 14, 16          | 17          |                 | 29, 30               |
| API8 Injection                               | 1, 6        | 8, 12, 14, 15, 16     | 17, 18, 19  | 24              | 31                   |
| API9 Improper Assets Management              | 1           | 8, 15, 16             | 17          | 20, 21, 24, 27  | 29, 30, 31           |
| API10 Insufficient Logging & Monitoring      | 1           | 15                    | 17          |                 | 29, 30, 31           |
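The Logging & Monitoring column only pays off if something actually reads the logs. As an added example, not code from the presentation or from the CSA paper, here are two detections a gateway access-log feed can drive: a sliding-window request-rate check per client IP (the API4 concern) and a check for principals that walk many distinct object ids and are mostly denied (the footprint of someone probing for an API1 hole). The log line format, the `/api/v1/orders/<id>` route, the thresholds and the sample lines are constructed assumptions for the example.

```python
"""Added example (not from the presentation or the CSA paper): two detections
over constructed API-gateway access log lines. Log format, thresholds and the
sample lines are assumptions made for this example."""
import re
from collections import defaultdict

# Assumed line format: "<unix_ts> <client_ip> <principal|-> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<principal>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_PATH = re.compile(r"^/api/v1/orders/(?P<id>\d+)$")   # assumed object route


def parse(lines):
    """Parse well-formed lines; skip malformed ones instead of crashing the detector."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        e["ts"], e["status"] = int(e["ts"]), int(e["status"])
        events.append(e)
    return events


def rate_limit_offenders(events, window=60, limit=20):
    """Client IPs that send more than `limit` requests inside any `window`-second
    span (sliding window over sorted timestamps). The API4 concern."""
    stamps_by_ip = defaultdict(list)
    for e in events:
        stamps_by_ip[e["ip"]].append(e["ts"])
    offenders = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:   # drop timestamps that fell out of the window
                start += 1
            if end - start + 1 > limit:
                offenders.append(ip)
                break
    return sorted(offenders)


def id_enumerators(events, min_distinct=5, min_denied_ratio=0.5):
    """Principals that touch at least `min_distinct` different order ids and are
    denied (403/404) on at least `min_denied_ratio` of those requests: the
    footprint of probing for an API1 (BOLA) hole."""
    ids = defaultdict(set)
    total = defaultdict(int)
    denied = defaultdict(int)
    for e in events:
        m = OBJECT_PATH.match(e["path"])
        if m is None:
            continue
        p = e["principal"]
        ids[p].add(m["id"])
        total[p] += 1
        if e["status"] in (403, 404):
            denied[p] += 1
    return sorted(p for p in ids
                  if len(ids[p]) >= min_distinct and denied[p] / total[p] >= min_denied_ratio)


# Constructed sample: a normal user, one principal walking order ids, one IP hammering login.
SAMPLE_LOG = (
    [f"{1700000000 + i * 20} 192.0.2.10 alice GET /api/v1/orders/1 200" for i in range(3)]
    + [f"{1700000000 + i} 203.0.113.5 mallory GET /api/v1/orders/{100 + i} "
       f"{200 if i == 3 else 404}" for i in range(8)]
    + [f"{1700000100 + i} 198.51.100.9 - POST /api/v1/login 401" for i in range(25)]
    + ["this line is not in the expected format"]
)


def run(lines=SAMPLE_LOG):
    """Return both detections for a batch of log lines."""
    events = parse(lines)
    return {"rate_limit": rate_limit_offenders(events),
            "id_enumeration": id_enumerators(events)}


if __name__ == "__main__":
    print(run())
```

Note that the enumeration check keys on the authenticated principal rather than the IP: an attacker with a valid low-privilege token can rotate IPs cheaply, but every probe still carries the same identity, which is also what you need in order to revoke it.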
Wrap Up
APIs, particularly for mobile and Internet of
Things (IoT) devices, have arguably become the
preferred method for developing modern
applications. The majority of organizations have
already implemented measures to defend
against well-known attacks such as cross-site
scripting, injection, and distributed denial-of-
service. Regardless of the number of APIs your
organization chooses to make publicly available,
your ultimate goal should be to establish robust
API security policies.
Operate Containers with AWS Copilot
 
Continuously Deploy Your CDK Application by Petra novandi barus
Continuously  Deploy Your CDK Application by Petra novandi barusContinuously  Deploy Your CDK Application by Petra novandi barus
Continuously Deploy Your CDK Application by Petra novandi barus
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46  aws with payfazz in devops indonesia - a...DevOps indonesia (online) meetup 46  aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
 
Securing Your Database Dynamic DB Credentials
Securing Your Database  Dynamic DB CredentialsSecuring Your Database  Dynamic DB Credentials
Securing Your Database Dynamic DB Credentials
 
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - AnnouncementDevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - Announcement
 
The Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOpsThe Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOps
 
API Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingAPI Security Webinar - Credential Stuffing
API Security Webinar - Credential Stuffing
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIsAPI Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIs
 
API Security Webinar - Hendra Tanto
API Security Webinar - Hendra TantoAPI Security Webinar - Hendra Tanto
API Security Webinar - Hendra Tanto
 
API Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingAPI Security Webinar : Credential Stuffing
API Security Webinar : Credential Stuffing
 

Último

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Último (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

API Security Webinar : Security Guidelines for Providing and Consuming APIs

  • 1. Security Guidelines for Providing and Consuming APIs
    Faisal Yahya (@faisaly) – Cloud Security Alliance – Chairman, Indonesia Chapter
  • 2. Faisal Yahya, Country Manager – PT. Vantage Point Security Indonesia
    CISO with 20+ years of experience, CIO with 15+ years of experience
    Certifications: ISO27001 IA/LA, AWS, CISSP, CND, CEH v10, ECSA, CTIA, CCISO, CCSK v3&4, CSX-P, CySA+, ITILF, PSM I, PSPO I, CEI
    Official Instructor for: EC-Council & Cloud Security Alliance
    Top 50 South East Asia CIOs
    Actively engaged on social media: Twitter (7k+) – LinkedIn (11k+) – Instagram (2k+)
    AWS Community Builders
    Cloud Security Alliance – Indonesia Chapter Lead
  • 3. Cloud-Native Threat - 2021 (source: hackmageddon)
    • Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page)
    • Actions on Objective (the cloud service is exploited to steal data or launch other attacks)
    • Command and Control (the cloud service is exploited as command and control infrastructure)
    • Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data)
  • 4. API & DevOps: New Paradigm
    • Organizations have become more reliant on software development, confirming the oft-repeated saying that "all organizations are now software companies."
    • The new DevOps paradigm facilitated more than a business-side digital transformation: digital transformation also altered the processes and activities associated with software development and deployment.
    • Gartner reports a 30% year-over-year increase in client inquiries about API security. By 2022, it predicts, API abuse will be the most common attack vector for enterprise web application breaches.
  • 5. Security as a Service as an Emerging Need
    If you work in an Agile environment, I believe you need a continuous monitoring and security analysis system that is integrated into your DevOps process. This system should be able to quickly identify security issues and provide clear guidance, and even auto-remediation functions, to resolve them. The only way to build security harmoniously into the development pipeline is by providing security as a service model. The traditional security layering model simply no longer works.
  • 6. Related Facts
    • Application Programming Interface security models have fallen behind the requirements of a non-perimeter world. (Forrester)
    • The most frequently reported API security incident in 2020 was the discovery of a vulnerability in a production API. Organizations must complement their build and deploy security practices with runtime security. (Salt Security)
    • According to the company's customer data, the average number of API attacks per customer per month increased from 50 in June to nearly 80 in December. While the average monthly volume of API calls increased by 51%, the percentage of malicious traffic increased by 211% during the study period. (Michelle McLean, 2021)
  • 7. Traditional vs Modern Application (source: DarkReading)
    • Exposing sensitive data
    • Intercepted communications
    • Launching denial-of-service (DoS) attacks against back-end servers
  • 8. API Security Concerns: Main Barrier (IMVISION, Industry Report, 2021)
    • Access Control
    • Runtime Protection
    • Security Testing
    • Integration
    • Visibility
  • 9. OWASP API Security
    • API1:2019 Broken Object Level Authorization
    • API2:2019 Broken User Authentication
    • API3:2019 Excessive Data Exposure
    • API4:2019 Lack of Resources & Rate Limiting
    • API5:2019 Broken Function Level Authorization
    • API6:2019 Mass Assignment
    • API7:2019 Security Misconfiguration
    • API8:2019 Injection
    • API9:2019 Improper Assets Management
    • API10:2019 Insufficient Logging & Monitoring
  • 10. CSA Research Paper
    Important: use this document if the answer to any of these questions is YES:
    • Does the new service/system require long-term integration with the company's internal systems?
    • Does the new service/system require exchange of data with a third party?
    • Will the APIs be exposed to external parties, including the public (i.e., open APIs)?
    These guidelines are also highly recommended for non-public APIs (i.e., APIs used internally or only exposed to restricted parties, such as in a B2B environment).
  • 11. CSA Research Paper
    Section 1: API Risk Evaluation
    Section 2: Ingress API Connectivity
    Section 3: Mapping OWASP Top Ten to Ingress API Connectivity
    Target audience:
    1. Platform
    2. Service Owner
    3. Security team
    4. DevOps
  • 12. API Risk Evaluation (1/5)
  • 13. API Risk Evaluation (2/5)
  • 14. API Risk Evaluation (3/5)
  • 15. API Risk Evaluation (4/5)
  • 16. API Risk Evaluation (5/5)
  • 17. Ingress API Connectivity
    • Phase 1: Design
    • Phase 2: Development
    • Phase 3: Testing
    • Phase 4: Implementation
    • Phase 5: Logging and Monitoring
  • 42. Mapping OWASP API Top Ten to Ingress API Connectivity
    Each row lists the guideline numbers that apply in each phase (Design: guidelines 1-6; Development: 7-16; Testing: 17-19; Implementation: 20-28; Logging & Monitoring: 29-31); "-" means no guideline is mapped for that phase.
    • API1:2019 Broken Object Level Authorization: Design 1, 3, 5; Development 10; Testing 17, 18, 19; Implementation -; Logging & Monitoring 31
    • API2:2019 Broken User Authentication: Design 1, 2, 3; Development 8, 9, 11; Testing 17, 18; Implementation 23, 26; Logging & Monitoring -
    • API3:2019 Excessive Data Exposure: Design 1, 2, 3; Development 7, 10, 14; Testing 17; Implementation 22; Logging & Monitoring -
    • API4:2019 Lack of Resources and Rate Limiting: Design 1, 3, 5; Development 7, 10, 13, 14, 15, 16; Testing -; Implementation 22; Logging & Monitoring -
    • API5:2019 Broken Function Level Authorization: Design 1, 5; Development 8, 10, 16; Testing 17, 18, 19; Implementation -; Logging & Monitoring 30, 31
    • API6:2019 Mass Assignment: Design 1, 2, 3, 5; Development 7, 10, 12, 14, 15; Testing 17, 18, 19; Implementation -; Logging & Monitoring 31
    • API7:2019 Security Misconfiguration: Design 1; Development 8, 9, 14, 16; Testing 17; Implementation -; Logging & Monitoring 29, 30
    • API8:2019 Injection: Design 1, 6; Development 8, 12, 14, 15, 16; Testing 17, 18, 19; Implementation 24; Logging & Monitoring 31
    • API9:2019 Improper Assets Management: Design 1; Development 8, 15, 16; Testing 17; Implementation 20, 21, 24, 27; Logging & Monitoring 29, 30, 31
    • API10:2019 Insufficient Logging and Monitoring: Design 1; Development 15; Testing 17; Implementation -; Logging & Monitoring 29, 30, 31
  • 43. Wrap Up
    APIs, particularly for mobile and Internet of Things (IoT) devices, have arguably become the preferred method for developing modern applications. The majority of organizations have already implemented measures to defend against well-known attacks such as cross-site scripting, injection, and distributed denial-of-service. Regardless of the number of APIs your organization chooses to make publicly available, your ultimate goal should be to establish robust API security policies.