API Security with Postman and Qualys

TALK | Integration to perform API security scans with nothing more than uploading a file

Software

API Security with Postman
and Qualys
Security Solution Architect, Application Security
Qualys, Inc.

2
APIs Are
Everywhere Highly exposed
Greater likelihood of attack
Constantly being probed
Internet-facing APIs
Custom / domain-speciﬁc
For employees or contractors
Often built without security
considered
Internal APIs
Unknown risk posture
No access to source code
Often process critical data
Vendor APIs
Cloud provider not
responsible for security of
your apps and APIs
APIs in public clouds

3
https://owasp.org/www-project-api-sec
urity/
OWASP API
Security Top 10
API1 Broken Object Level Authorization
API2 Broken User Authentication
API3 Excessive Data Exposure
API4 Lack of Resources & Rate Limiting
API5 Broken Function Level Authorization
API6 Mass Assignment
API7 Security Misconﬁguration
API8 Injection
API9 Improper Assets Management
API10 Insuﬃcient Logging & Monitoring

OWASP API
Security Top 10 -
Highlights
API1 Broken Object Level Authorization
API2 Broken User Authentication
API5 Broken Function Level Authorization

API1 Broken Object Level Authorization
API1 Broken
Object Level
Authorization
(BOLA)

API5 Broken Function Level Authorization
API5 Broken
Function Level
Authorization

API2 Broken
User
Authentication
API2 Broken User Authentication
SolarWinds CVE-2020-10148
Administration bypass
Lack of authentication
Request processed before authentication
is veriﬁed

Note on API8
Injection
Frequently, practitioners feel that XSS
attacks are not valid for APIs due to
JSON responses
If JSON is written into an application
with a UI, the attack may execute
Microservices - Be aware of all areas
the responses are used

Qualys WAS Highlights
Unlimited scans
Unlimited users
Cloud based
Not a point solution
Massive scalability
Flexible licensing
Scheduled scans
Ad-hoc, targeted
scans
Multi-site scanning
Scanner pooling
API scanning
Out-of-Band
detections
Comprehensive API
Splunk TA
Integrations with:
- Qualys WAF
- CI/CD tools
- Burp Suite
- Bugcrowd
RBAC
Tagging
Detection history
Scheduled reports
Customizable reports
Retest ﬁndings
Ignore ﬁndings
Low TCO Scanning
Flexibility
Integrations
Features

Wrap-up
Qualys can utilize existing Postman collections
Quickly scan APIs for vulnerabilities
API Security is important
The OWASP API Security Top 10 is an
excellent resource

Thank You!
earnold@qualys.com
Security Solution Architect, Application Security
Qualys, Inc.

What's hot

Postman Webinar: How Ping Identity Uses Postman across the API Lifecycle

Note: This webinar is the second in Postman's three-part webinar series on implementing an API-first strategy in enterprise e-commerce. The series, hosted by Postman Chief Evangelist Kin Lane, will walk you through key topics and how-to content via a hypothetical e-commerce enterprise, Union Fashion (see it on GitHub). Continuing with our series, the second webinar will dive into actually deploying and monitoring an API using the Postman platform. We will take the API we developed as part of our previous API-first webinar, and actually bring it to life by focusing on the following areas: - Versions - Monitors - Mocks - Environment - Documentation - Feedback Loops The full video for this session can be found at: https://www.youtube.com/watch?v=jO2M_kqb-jo&t=1659s

Enterprise E-commerce Webinar Series, Episode 2: Deploying and Monitoring You...

Kin Lane

API Lifecycle Management

Postman: An Introduction for API Ops Professionals

Postman Public Workspaces: The First Massively Multiplayer API Experience | W...

Those on the front lines during this pandemic need quick, easy access to real-time critical data. This type of information exchange is what APIs do best, and the API community has been stepping up to meet the challenge throughout the crisis. But there's always more to do. If you'd like to join the fight, this webinar is for you regardless of whether you're new to APIs or a knowledgeable Postman expert. In this webinar led by Postman Chief Evangelist Kin Lane, you'll learn: How APIs aid pandemic response measures How you can publish new APIs related to COVID-19 How Open Referral data standards make it easier for you to share, find and use information about health, human, and social services How you can contribute to the COVID-19 Testing Locations website, and how APIs power that website What reputable information and tools are currently available for the COVID-19 efforts

Postman covid-webinar

Webinar: “Introduction to the Postman API Network”

Why You Need a Developer Relations Team for Your API

If you want to get up and running quickly with Postman, this one’s for you. In this webinar, we will show you: - How to get started with Postman - Key tips and tricks - Where to find documentation and help The webinar will start off with an overview of the Postman API Platform and its capabilities, then we'll dive straight into easy-to-follow demonstrations of how you can query an API, test it, and share it within your team or externally. Finally, we’ll wrap it up with a live Q&A with Arlemi, Sowmya and a few additional Postman brains.

Postman 101 for developers

Postman Visualizer lets you render a custom view of the data returned from your APIs. You can turn complex API responses into beautiful, interactive visualizations, right within the Postman app. These can then be easily shared with collaborators via Postman collections. In this webinar, you will learn how to: - Import a Visualizer template - Map your data to a graph or chart - Create and share Visualizer templates

Postman Visualizer Webinar Slides

Consumer-Driven Contract Testing With Postman

Automation, Integration, and Orchestration for Better Engineering Operations

Postman Webinar: "From APIs to Serverless Cloud Applications in Minutes"

In this webinar, Postman Developer Advocate Joyce Lin and Engineering Manager Trent McCann discuss automating your tests with Postman while walking you through some advanced testing workflows. Topics include: - Run tests locally using Postman’s Collection Runner - Automate testing as part of your continuous integration (CI) pipeline using Postman’s Newman (a command-line collection runner for Postman) - Run health and security checks using Postman monitors

Postman Webinar: “Continuous Testing with Postman”

Upgrade Your Collections

[GDSC-ADYPU] APIs 101 with Postman

PranayNarang1

Webinar: Postman 101 for Developers

Why APIs Call for 2xs the DevOps

Postman Galaxy Tour - Keynote Presentation

Learn how to collaboratively plan and design APIs to establish a single source of truth for your API lifecycle. This workshop will focus on building Collections to represent APIs from the point of view of both producers and consumers of an API. We will show how you can use API schemas (OpenAPI/RAML/GraphQL) in Postman, manage versions of collections, and document them. We will also deep-dive into Mock Servers, and show how you can use them in your development.

POST/CON 2019 Workshop: Design, Develop, and Mock APIs with Postman

What's hot (20)

Postman Webinar: How Ping Identity Uses Postman across the API Lifecycle

Enterprise E-commerce Webinar Series, Episode 2: Deploying and Monitoring You...

API Lifecycle Management

Postman: An Introduction for API Ops Professionals

Postman Public Workspaces: The First Massively Multiplayer API Experience | W...

Postman covid-webinar

Webinar: “Introduction to the Postman API Network”

Why You Need a Developer Relations Team for Your API

Postman 101 for developers

Postman Visualizer Webinar Slides

Consumer-Driven Contract Testing With Postman

Automation, Integration, and Orchestration for Better Engineering Operations

Postman Webinar: "From APIs to Serverless Cloud Applications in Minutes"

Postman Webinar: “Continuous Testing with Postman”

Upgrade Your Collections

[GDSC-ADYPU] APIs 101 with Postman

Webinar: Postman 101 for Developers

Why APIs Call for 2xs the DevOps

Postman Galaxy Tour - Keynote Presentation

POST/CON 2019 Workshop: Design, Develop, and Mock APIs with Postman

Recently uploaded

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...

Artyushina_Guest lecture_YorkU CS May 2024.pptx

AnnaArtyushina1

WSO2CON 2024 Slides - Open Source to SaaS

WSO2CON 2024 - Does Open Source Still Matter?

WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...

Modeling languages are generally applied for developing systems and software – both internally, with domain-specific languages, and with standardized languages targeting a general purpose and a wide audience. Way too often these languages are weakly created and defined leading to poor quality: Language definitions tend to contain errors and inconsistencies; notations do not recognize the communication and problem-solving needs of humans; standardization organizations push exchange formats that do not fully work and offer certificates that do not measure mastery of the language. We describe common problems in language development and point them out with examples from known cases. To overcome these problems, we suggest several solutions to improve language development, including using modeling languages specifically designed to define modeling languages, continuous testing and prototyping, and keeping language users in the loop.

What Goes Wrong with Language Definitions and How to Improve the Situation

Juha-Pekka Tolvanen

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pretoria ● Abortion Pills For Sale In Pretoria ● Pretoria 🏥🚑!! Abortion Clinic Near Me Cost, Price, Women's Clinic Near Me, Abortion Clinic Near, Abortion Doctors Near me, Abortion Services Near Me, Abortion Pills Over The Counter, Abortion Pill Doctors' Offices, Abortion Clinics, Abortion Places Near Me, Cheap Abortion Places Near Me, Medical Abortion & Surgical Abortion, approved cyctotec pills and womb cleaning pills too plus all the instructions needed This Discrete women’s Termination Clinic offers same day services that are safe and pain free, we use approved pills and we clean the womb so that no side effects are present. Our main goal is that of preventing unintended pregnancies and unwanted births every day to enable more women to have children by choice, not chance. We offer Terminations by Pill and The Morning After Pill.” Our Private VIP Abortion Service offers the ultimate in privacy, efficiency and discretion. we do safe and same day termination and we do also womb cleaning as well its done from 1 week up to 28 weeks. We do delivery of our services world wide SAFE ABORTION CLINICS/PILLS ON SALE WE DO DELIVERY OF PILLS ALSO Abortion clinic at very low costs, 100% Guaranteed and it’s safe, pain free and a same day service. It Is A 45 Minutes Procedure, we use tested abortion pills and we do womb cleaning as well. Alternatively the medical abortion pill and womb cleansing !!!

Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

WSO2CON2024 - It's time to go Platformless

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

tonesoftg

lanshi9

%in Midrand+277-882-255-28 abortion pills for sale in midrand

WSO2CON 2024 - How to Run a Security Program

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...