QUALYS SECURITY CONFERENCE 2018
Ignore APIs at Your Peril
Jacques Declas, CEO, 42Crunch
Qualys and 42Crunch Partner to Deliver API Security
November 16, 2018, Qualys Security Conference 2018
API Security Breaches are Mounting
“By 2022 API abuses will be the attack vector most responsible for data breaches within enterprise web applications” Gartner Research - G342236
Why is securing APIs so difficult today?
Enterprise Perimeter is Disappearing
Proliferation of endpoints, internet-facing APIs, virtual networks, micro-services architecture, distributed security enforcement points
Lack of API Security Tools and Standards
No API Security standards; complexity of API Security (integrity, confidentiality, AAA, non-repudiation, ...); no proven reusable API Security policies
Current Solutions Don't Work for APIs
Web Application Security is not API Security; multiple solutions each cover only part of API Security (CDN, WAF, API Gateway, code, ...); API developers often try to code security into their APIs
Distributed, unified, API-specific security enforcement points
Web App Security vs API Security
API Specific attacks
Web App Security: SQL Injection, Cross-Site Scripting attack detection
API Security: API request validation (OAS 2.0), XML & JSON schema validation, XML Threat Protection, JSON Threat Protection, JSON Path / JSON Pointer injections, Vulnerability detection in encrypted, OAuth Security extension support (PKCE, token binding), JOSE, draft-cavage-http-signatures
Deployment
Web App Security: In-line WAF, single layer, north-south only, DMZ only
API Security: Centralised or distributed; supports microservices, serverless, east-west, sidecar
Operational Model
Web App Security: Traditional white list / black list, hard to maintain, false positives
API Security: Positive automatic security model, DevSecOps
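The positive security model the slide sets against blacklist WAF rules, as an added example in Python (not 42Crunch or Qualys code): one request body is checked against a constructed OAS 2.0-style schema, and undeclared fields, wrong types, out-of-enum values, malformed input and over-deep JSON are all rejected. The POST /transfers operation, its schema and the depth limit are assumptions.

```python
import json
import re

# Constructed OAS 2.0-style body schema for a hypothetical POST /transfers; MAX_DEPTH is an assumed JSON threat-protection limit.
TRANSFER_SCHEMA = {
    "type": "object",
    "required": ["account", "amount", "currency"],
    "additionalProperties": False,          # undeclared fields are rejected
    "properties": {
        "account": {"type": "string", "pattern": r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}"},
        "amount": {"type": "number"},
        "currency": {"type": "string", "enum": ["EUR", "USD", "GBP"]},
    },
}
MAX_DEPTH = 4
TYPES = {"object": dict, "string": str, "number": (int, float)}

def _check(value, schema, path="$"):
    """Return the violations of `value` against the schema subset used above."""
    t = schema.get("type")
    if t and (isinstance(value, bool) or not isinstance(value, TYPES[t])):
        return [f"{path}: expected {t}"]
    errs = []
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: not in enum")
    if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
        errs.append(f"{path}: pattern mismatch")
    if t == "object":
        props = schema.get("properties", {})
        errs += [f"{path}.{k}: required" for k in schema.get("required", []) if k not in value]
        for k, sub in value.items():
            if k in props:
                errs += _check(sub, props[k], f"{path}.{k}")
            elif not schema.get("additionalProperties", True):
                errs.append(f"{path}.{k}: not allowed")
    return errs

def _depth(node):  # nesting depth of parsed JSON; deep nesting is rejected up front
    kids = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    return 1 + max(map(_depth, kids), default=0) if isinstance(node, (dict, list)) else 0

def validate_request(raw_body):
    """Gate one request body: JSON threat limits first, then the declared schema."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["malformed JSON"]
    if _depth(body) > MAX_DEPTH:
        return ["nesting depth exceeds limit"]
    return _check(body, TRANSFER_SCHEMA)
```

Because the schema is the allowlist, a new field or a type change in the contract is a one-line edit rather than a new attack signature to tune.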
Developers Must use the Standard
Changing the API Security Model
SECURITY AS CODE: API Security as a commodity; controlled by Security, applied by Developers
EASY SECURITY: Pre-built, proven security policies; standards-compliant security best practices
PROVEN SECURITY: Bring Security into DevOps; policies are applied as part of the API lifecycle
SECURITY AT SCALE: Microservices architecture compliant; Docker-based micro API Firewall
API Security DevSecOps approach
Prebuilt Security Policies and Packages
Policy areas covered by each package:
Transport Constraints: TLS version and CipherSuites
Request/Response Validation: Data Validation & OWASP Attacks Protection
Token Validation: OAuth/OpenID Attacks Protection
Message Validation: OWASP Attacks Protection
Payload Crypto-Operations: Message Confidentiality & Integrity
Authentication: Identity Validation (Basic/OpenID)
Authorization: Fine-grain Authorization (Scopes/XACML)
Audit: Audit Trail and Non-Repudiation
Package names: OWASP, Open Banking, PCI-DSS, 42C standard
DEV SEC OPS
End to end API Security Process
End-to-End API Security Platform
Thank You
Jacques Declas, CEO, 42Crunch