The Inconvenient Truth About API Security

© Information Security Media Group · www.ismgcorp.com© Information Security Media Group · www.ismgcorp.com
The Inconvenient Truth
About API Security
Presented by

© Information Security Media Group · www.ismgcorp.com
About Information Security Media Group
• Focused on providing information
security content, specifically for
unique vertical industries
• Publish articles, interviews, blogs,
regulation & guidance alerts, and
whitepapers
• Educational webinars offered daily
Global network of
25 SITES
Subscribers from over
175 COUNTRIES

Technical Support
(609) 356-1499 x115
Copyrighted Material
Used for individual study purposes only. If your institution is interested in
using this, or any of Information Security Media Group’s presentations, as
part of an overall information security program, please contact us at (800)
944-0401.

About Our Sponsor
Distil Networks is the first easy and accurate way to defend your
web applications against bad bots, API abuse and fraud.
To learn more, visit us at www.distilnetworks.com

Rami Essaid
CEO and Co-Founder, Distil Networks
Distil Networks is the first easy and accurate way to identify and
police malicious website traffic, blocking 99.9% of bad bots
without impacting legitimate users. With over 12 years in
telecommunications, network security, and cloud infrastructure
management experience, Essaid continues to advise enterprise
companies around the world, helping them embrace the cloud
to improve their scalability and reliability while maintaining a
high level of security.

Rik Turner
IT Security Analyst, Ovum Research
Rik is a senior analyst on the Infrastructure Solutions team,
focusing primarily IT Security. Rik joined Ovum in January 2005
as European Bureau Chief of its ComputerWire daily IT news
service. He covered fixed, wireless, and mobile networking and
security. In February 2007 he moved across to become an
analyst on the Financial Services Technology team, initially
covering retail banking and writing reports on online and branch
banking. He subsequently developed a specialization in capital
markets infrastructure. In mid-2008 his team was grouped
under the Ovum brand as part of its IT analyst arm. At the
beginning of 2014 Rik moved across to the Infrastructure
Solutions team, focusing on IT Security.

Shane Ward
Senior Director of Technology, GuideStar
As a nonprofit, GuideStar is committed to advancing
transparency and driving innovation in the social sector. Ward
leads a team that is responsible for data acquisition and
distribution as well as architecture and technology strategy.

Agenda
API Security Primer
Ovum Survey Results and Analysis
GuideStar’s Field Guide to API Security
Q & A

API Security Primer

APIs are fundamentally hard to protect
APIs are built to give developers a uniform
interface to applications
This allows for easy access to data
Returned in a standardized format
Generally self-documenting
Built to run at scale

This provides multiple vectors for abuse
API Malicious Usage
Third parties aggressively using the API to pull data
beyond their contracted limits
API Developer Errors
API endpoints get hammered by runaway scripts or
poorly designed interfaces
Web & Mobile API Hijacking
Hackers dissect how web and mobile apps interact with
their APIs
Automated API Scraping
Malicious bots pull down online content and data within
minutes directly from the API

Attackers distribute their attacks across multiple IP addresses
Bots which dynamically rotate IP addresses, or distribute attacks are
significantly harder to detect and mitigate

Unfortunately, most API security solutions track usage by IP
This makes them blind to a couple of key
use cases
Server sourced API clients are hosted by cloud
providers that can cycle IP’s at will
Mobile application sourced clients are behind
Wireless provider proxy networks (many
devices share an IP)
Web browser sourced clients can be behind a
consumer ISP NAT - shared IP for many
browsers

Modern API governance should include...
Country and organization fencing
Token spamming prevention
Token distribution prevention
Dynamic access control lists
Advanced rate limiting

Ovum Survey Results and Analysis

API Security: A Disjointed Affair
Ovum surveyed 100 midsize to
large companies across NA, EMEA
and APAC, and in a wide range of
verticals, about their use of APIs.

API usage is widespread

The majority were running public APIs
51% said they were running APIs
to enable an external developer
community or ecosystem
67% said their APIs were
designed to enable partner
connectivity

The majority are using an API management system
...and almost two thirds of those
with an API management platform
developed it in-house
Are you running an API management system?
Yes
87%
No
13%

Rate limiting was by no means universally available

Those with rate limiting were spending a lot of time on it

Now we asked what other API security features, namely protection from...
API malicious usage
API developer error
Automated API scraping
Web and mobile API hijacking

The results were not encouraging

Who is responsible for API security?

...and the stage at which IT security gets involved is frequently too late

So the final, troubling statistic is...
21% of APIs go live without any
input from security professionals
regarding the potential risks to the
organization that is publishing them

Key takeaway...

GuideStar’s Field Guide
to API Security

About GuideStar’s APIs
GuideStar is the world’s largest source of
information on nonprofit organizations
We collect, aggregate, and distribute data about
nonprofit results, financials, operations, and
more
Our data is made available through APIs that
power: workplace giving, donation disbursement,
grants management, and charity validation
applications

Why do we care so much about API security?
Integrated into payment processing
systems
Misuse can have serious consequences
Validation and verification services
Investment in curation and dissemination
of data
Ensure our data is being used in a manner
that is consistent with our values

GuideStar technology stack
APIs hosted in GuideStar’s private cloud
Traditional data warehouse and datamart
NoSQL data repositories
APIs built on REST principles
Built our own middleware using open source
XML and JSON returns
Load balancers
WAF
Distil Networks for Bot Mitigation and API Security

API security challenges
Only as secure as your least secure customer
“Node hopping” off load balancers
Round-robin vs. sticky session load balancing
Developer errors and runaway scripts
Data protection and security
API key mismanagement

Lessons learned
Understand the technical capabilities of your API
consumers
“Lightweight” approach vs. “heavy” API
management suites
Map your business strategy to your API controls
and segmentation strategy
Leverage machine learning and automation
Token-based over IP-based rate limiting

Questions
Please use the following form for any questions or comments:
http://www.bankinfosecurity.com/webinar-feedback.php
Or contact us at: (800) 944-0401

Thank You for Participating!
Please use the following form for any questions or comments:
http://www.bankinfosecurity.com/webinar-feedback.php
Or contact us at: (800) 944-0401

The Inconvenient Truth About API Security

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (19)

Semelhante a The Inconvenient Truth About API Security

Semelhante a The Inconvenient Truth About API Security (20)

Mais de Distil Networks

Mais de Distil Networks (14)

Último

Último (20)

The Inconvenient Truth About API Security