Protect your APIs from Cyber Threats

Protecting your pricing strategy from bad bots employed by your competitors requires a data-driven approach to identify and stop bad bots automatically.

In this webcast, we'll explore ways to stop bad bots from impacting your enterprise applications, including:

- understanding the nature of bot attacks and typical use cases

- techniques to detect and stop bad bots, while allowing good bots in

- implementing technologies in your security stack to protect against bots

Published in: Technology

  1. Droid Wars: Protect your APIs from cyber threats. ©2015 Apigee. All Rights Reserved.
  2. youtube.com/apigee
  3. slideshare.net/apigee
  4. @Subrak Subra Kumaraswamy; @Davidandrz David Andrzejek
  5. https://en.wikipedia.org/wiki/C-3PO
     • Search engine indexing
     • Health monitoring
     • Performance testing
  6. http://ideas.wikia.com/ http://starwars.wikia.com/
     • Scrapers: Content, price data, inventory data
     • Reconnaissance: probe for API security weakness
     • Bruteforce bots: DDoS attacks, etc.
  7. http://ideas.wikia.com/ http://starwars.wikia.com/
     • Theft of data and business
     • Promotion abuse
     • Bot traffic skews analytics and KPIs
     • Create performance overhead on Web Operations
  8. There is also reputational risk!
  9. What’s different about APIs?
  10. http://starwars..com/
  11. API Security is Unique
      • Your APIs are vulnerable to the typical OWASP Top 10 attacks
      • IN ADDITION, you have to worry about:
        – Hackers reverse engineering apps to access private APIs
        – API key theft—looks like legit usage!
        – Traffic spike protection by way of bots or DoS attacks
        – Identity tracking across API sessions
        – XML/JSON injection-type attacks
        – Token harvesting due to insecure communication or storage
  12. Secure Your APIs (diagram: Users, Apps, APIs, Backend; controls: Mutual TLS, IP access control, Spike arrest, Rate limits, Threat protection, Intrusion detection, DDoS, API key, OAuth2, TLS, IP access control, OAuth2, MFA, Federated login)
  13. Am I Secure Now? Security Policies Configured
  14. (no text on slide)
  15. Need to rethink the “known known” security approach (diagram: Backend Service, Legitimate Traffic, API Bots, IP Blacklist, Apps)
  16. (no text on slide)
  17. Data-driven approach to security
  18. Data-driven approach to security (chart: Vol, URI, + many other kinds… vs. Vol, URI; Password guessers, Screen scrapers)
  19. API Security: Data-Driven Approach
  20. Closed Loop Protection: Analyze, Detect, Protect (diagram: API clients, Target Services, API, Dashboard, Machine learning models and rules, Action (Block/Throttle/Alert), Blacklist (Your traffic, System-wide, purchased))
  21. Key Takeaways
      • If you have valuable data, you will be targeted.
      • APIs bring unique challenges. Old approaches don’t work.
      • Sophisticated rules and machine learning algorithms are the only way to discern bots from real traffic.
      • An automated system is needed, to capture, analyze, report, and act.
  22. Securing APIs: End-to-End
  23. Thank you
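As an added illustration (not code from the Apigee deck), here is the slide-18 idea of separating password guessers from screen scrapers by request volume and URI spread, wired into the slide-20 analyze/detect/protect loop, run over a constructed API access log. The log format, the per-key feature set and the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not from the slides): key, method, path, status.
SAMPLE_LOG = """\
key=app-A POST /v1/login 401
key=app-A POST /v1/login 401
key=app-A POST /v1/login 401
key=app-A POST /v1/login 200
key=app-B GET /v1/products/1 200
key=app-B GET /v1/products/2 200
key=app-B GET /v1/products/3 200
key=app-B GET /v1/products/4 200
key=app-C GET /v1/products/7 200
key=app-C GET /v1/cart 200
"""
LINE_RE = re.compile(r"key=(\S+) (\S+) (\S+) (\d{3})$")

def features(log_text):
    """Per-API-key request volume ("Vol") and distinct URIs ("URI"), the two
    axes on slide 18, plus a count of failed logins."""
    stats = defaultdict(lambda: {"vol": 0, "uris": set(), "auth_fail": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        key, _method, path, status = m.groups()
        s = stats[key]
        s["vol"] += 1
        s["uris"].add(path)
        if path.endswith("/login") and status == "401":
            s["auth_fail"] += 1
    return stats

def classify(s, vol_threshold=4):
    """Illustrative rule set (assumed thresholds): returns (label, action)."""
    if s["vol"] < vol_threshold:
        return "legitimate", "allow"
    # Many failed logins hammering a single URI: password guesser.
    if s["auth_fail"] / s["vol"] >= 0.5 and len(s["uris"]) == 1:
        return "password guesser", "block"
    # High volume spread over almost all-distinct URIs: screen scraper.
    if len(s["uris"]) / s["vol"] >= 0.8:
        return "screen scraper", "throttle"
    return "unknown high volume", "alert"

def closed_loop(log_text):
    """Analyze -> detect -> protect: map each API key to (label, action)."""
    return {key: classify(s) for key, s in features(log_text).items()}
```

The "block" and "throttle" actions correspond to the Action box on slide 20; in a real deployment the features would come from the gateway's analytics rather than a text log.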
