The Inconvenient Truth About API Security
Presented by
© Information Security Media Group · www.ismgcorp.com
About Information Security Media Group
• Focused on providing information security content, specifically for unique vertical industries
• Publish articles, interviews, blogs, regulation & guidance alerts, and whitepapers
• Educational webinars offered daily
Global network of 25 sites
Subscribers from over 175 countries
Technical Support
(609) 356-1499 x115
Copyrighted Material
Used for individual study purposes only. If your institution is interested in using this, or any of Information Security Media Group’s presentations, as part of an overall information security program, please contact us at (800) 944-0401.
About Our Sponsor
Distil Networks is the first easy and accurate way to defend your web applications against bad bots, API abuse and fraud.
To learn more, visit us at www.distilnetworks.com
Rami Essaid
CEO and Co-Founder, Distil Networks
Distil Networks is the first easy and accurate way to identify and police malicious website traffic, blocking 99.9% of bad bots without impacting legitimate users. With over 12 years in telecommunications, network security, and cloud infrastructure management experience, Essaid continues to advise enterprise companies around the world, helping them embrace the cloud to improve their scalability and reliability while maintaining a high level of security.
Rik Turner
IT Security Analyst, Ovum Research
Rik is a senior analyst on the Infrastructure Solutions team, focusing primarily on IT security. Rik joined Ovum in January 2005 as European Bureau Chief of its ComputerWire daily IT news service. He covered fixed, wireless, and mobile networking and security. In February 2007 he moved across to become an analyst on the Financial Services Technology team, initially covering retail banking and writing reports on online and branch banking. He subsequently developed a specialization in capital markets infrastructure. In mid-2008 his team was grouped under the Ovum brand as part of its IT analyst arm. At the beginning of 2014 Rik moved across to the Infrastructure Solutions team, focusing on IT security.
Shane Ward
Senior Director of Technology, GuideStar
As a nonprofit, GuideStar is committed to advancing transparency and driving innovation in the social sector. Ward leads a team that is responsible for data acquisition and distribution as well as architecture and technology strategy.
Agenda
API Security Primer
Ovum Survey Results and Analysis
GuideStar’s Field Guide to API Security
Q & A
API Security Primer
APIs are fundamentally hard to protect
APIs are built to give developers a uniform interface to applications
This allows for easy access to data
Returned in a standardized format
Generally self-documenting
Built to run at scale
This provides multiple vectors for abuse
API Malicious Usage: Third parties aggressively using the API to pull data beyond their contracted limits
API Developer Errors: API endpoints get hammered by runaway scripts or poorly designed interfaces
Web & Mobile API Hijacking: Hackers dissect how web and mobile apps interact with their APIs, then call the APIs directly
Automated API Scraping: Malicious bots pull down online content and data within minutes directly from the API
Attackers distribute their attacks across multiple IP addresses
Bots that dynamically rotate IP addresses, or spread their requests across many source addresses, are significantly harder to detect and mitigate than a single noisy client
Unfortunately, most API security solutions track usage by IP
This makes them blind to three key use cases:
Server-sourced API clients are hosted by cloud providers that can cycle IPs at will, so one abuser looks like many low-volume clients
Mobile application-sourced clients sit behind wireless carrier proxy networks (many devices share one IP), so one abuser and many legitimate users look like a single client
Web browser-sourced clients can sit behind a consumer ISP NAT (a shared IP for many browsers), with the same effect
Modern API governance should include...
Country and organization fencing
Token spamming prevention
Token distribution prevention
Dynamic access control lists
Advanced rate limiting
Ovum Survey Results and Analysis
API Security: A Disjointed Affair
Ovum surveyed 100 midsize to large companies across NA, EMEA and APAC, and in a wide range of verticals, about their use of APIs.
API usage is widespread
The majority were running public APIs
51% said they were running APIs to enable an external developer community or ecosystem
67% said their APIs were designed to enable partner connectivity
The majority are using an API management system
...and almost two thirds of those with an API management platform developed it in-house
Are you running an API management system?
Yes: 87%
No: 13%
Rate limiting was by no means universally available
Those with rate limiting were spending a lot of time on it
We then asked about other API security features, namely protection from...
API malicious usage
API developer error
Automated API scraping
Web and mobile API hijacking
The results were not encouraging
Who is responsible for API security?
...and the stage at which IT security gets involved is frequently too late
So the final, troubling statistic is...
21% of APIs go live without any input from security professionals regarding the potential risks to the organization that is publishing them
Key takeaway...
GuideStar’s Field Guide to API Security
About GuideStar’s APIs
GuideStar is the world’s largest source of information on nonprofit organizations
We collect, aggregate, and distribute data about nonprofit results, financials, operations, and more
Our data is made available through APIs that power: workplace giving, donation disbursement, grants management, and charity validation applications
Why do we care so much about API security?
Integrated into payment processing systems
Misuse can have serious consequences
Validation and verification services
Investment in curation and dissemination of data
Ensure our data is being used in a manner that is consistent with our values
GuideStar technology stack
APIs hosted in GuideStar’s private cloud
Traditional data warehouse and datamart
NoSQL data repositories
APIs built on REST principles
Built our own middleware using open source
XML and JSON returns
Load balancers
WAF
Distil Networks for Bot Mitigation and API Security
API security challenges
Only as secure as your least secure customer
“Node hopping” off load balancers
Round-robin vs. sticky session load balancing
Developer errors and runaway scripts
Data protection and security
API key mismanagement
Lessons learned
Understand the technical capabilities of your API consumers
“Lightweight” approach vs. “heavy” API management suites
Map your business strategy to your API controls and segmentation strategy
Leverage machine learning and automation
Token-based over IP-based rate limiting
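The slides argue that IP-keyed rate limiting is blind to clients that rotate cloud IPs (and over-punishes users behind carrier proxies and NAT), and that governance should add token spamming and token distribution prevention. The following is an added example, not code from the webinar, Distil Networks or GuideStar: a small sliding-window limiter that can be keyed by IP or by API token, plus two heuristics for token distribution (one token presented from many IPs) and token spamming (one IP presenting many tokens), run over constructed request records. The token names, IP ranges and thresholds are all hypothetical.

```python
"""Added example (not from the webinar or its presenters): token-keyed vs
IP-keyed rate limiting and two token-abuse heuristics over constructed traffic.
All request data here is constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: float    # seconds since some epoch
    ip: str      # source address as seen by the API gateway
    token: str   # API key / bearer token presented by the client


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key: str, ts: float) -> bool:
        q = self._hits[key]
        while q and ts - q[0] >= self.window:   # drop hits that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over budget for this key
        q.append(ts)
        return True


def rejected_count(requests, key_fn, limit=10, window=10.0) -> int:
    """Number of requests a limiter keyed by key_fn would reject."""
    lim = SlidingWindowLimiter(limit, window)
    return sum(0 if lim.allow(key_fn(r), r.ts) else 1 for r in requests)


def distributed_tokens(requests, max_ips=3):
    """Token distribution: tokens presented from more than max_ips distinct IPs
    (a shared or leaked key, or one client rotating cloud addresses)."""
    ips = defaultdict(set)
    for r in requests:
        ips[r.token].add(r.ip)
    return sorted(t for t, s in ips.items() if len(s) > max_ips)


def token_spamming_ips(requests, max_tokens=3):
    """Token spamming: IPs presenting more than max_tokens distinct tokens
    (one client cycling throwaway keys to dodge per-token limits)."""
    toks = defaultdict(set)
    for r in requests:
        toks[r.ip].add(r.token)
    return sorted(ip for ip, s in toks.items() if len(s) > max_tokens)


def sample_traffic():
    """Constructed traffic (hypothetical):
    - 'key-scraper' sends 60 requests in 10 s, each from a fresh cloud IP;
    - 'key-partner' sends 5 requests from a single IP;
    - 192.0.2.9 cycles through 12 throwaway tokens, one request each."""
    reqs = [Request(ts=i / 6, ip=f"198.51.100.{i}", token="key-scraper") for i in range(60)]
    reqs += [Request(ts=i * 2.0, ip="203.0.113.7", token="key-partner") for i in range(5)]
    reqs += [Request(ts=1.0 + i * 0.5, ip="192.0.2.9", token=f"key-throwaway-{i}") for i in range(12)]
    return sorted(reqs, key=lambda r: r.ts)


def analyse(requests, limit=10, window=10.0):
    """Compare IP-keyed and token-keyed limiting and flag token abuse."""
    return {
        "rejected_by_ip": rejected_count(requests, lambda r: r.ip, limit, window),
        "rejected_by_token": rejected_count(requests, lambda r: r.token, limit, window),
        "distributed_tokens": distributed_tokens(requests),
        "token_spamming_ips": token_spamming_ips(requests),
    }


if __name__ == "__main__":
    for k, v in analyse(sample_traffic()).items():
        print(f"{k}: {v}")
```

On this traffic the IP-keyed limiter rejects only 2 requests (the tail of the throwaway-token burst from one address) and lets the 60-request scraper through untouched, because each of its requests arrives from a new IP; the token-keyed limiter rejects 50 of the scraper's requests and leaves the partner alone. The two heuristics then pick up what a limiter keyed on either dimension alone misses: `key-scraper` as a token spread across dozens of IPs, and `192.0.2.9` as an IP spraying tokens. The caveat from the GuideStar slides still applies: a token-keyed limit is only as good as the customer holding the token, so a key shared by a partner's own end users still needs per-key distribution monitoring rather than just a request budget.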
Questions
Please use the following form for any questions or comments:
http://www.bankinfosecurity.com/webinar-feedback.php
Or contact us at: (800) 944-0401
Thank You for Participating!