How Secure Are Your APIs?
TRANSCRIPT
Slide 1: How Secure Are Your APIs?
Kevin Ford, Apigee | Google Cloud
Slide 2: Today’s Presenter
Slide 3: APIs Are Under Attack
• Standard Interface
• Consistent Resource model
• Easy Programmability
• Published Documentation
• Mobile App Proliferation
Slide 4: API Attacks That Made the News
“An Instagram Hack Hit Millions of Accounts, and Victims’ Phone Numbers are Now for Sale.”
“No Butts About It, Some Pinterest Users Have Been Hacked.”
“Three Million Moonpig Accounts Exposed by Flaw.”
“Nissan Leaf Hackable Through Insecure APIs.”
“Thieves Stole Taxpayer Data from IRS ‘Get Transcript’ Service.”
Slide 5: Layered Security and Governance
(Diagram: security controls at each layer between Partners/Apps, the API management platform and Backend systems.)
Partners/Apps
• Access Control: OAuth2, API Key Verification, IP Access Control, Logging & Auditing
API Management (Management Server, Portal, Analytics)
• Data Security: Two-way TLS, API key, OAuth2
• Threat Protection: Quota/Spike Arrest, SQL threat protection, JSON bomb protection, IP based restrictions, Bot Detection (public today)
• Identity Mgmt & Governance: RBAC management, IDM Integration, Global Policies, User Provisioning, AD / LDAP, Groups
• Data Security: Org Boundaries, Encryption, SOC 2, PCI-DSS, HIPAA
• Data Security: Two-way TLS, IP Access Control, Logging & Auditing
Backend
Slide 6: Signs of Attack on APIs
• Persistent attempts from same IP
• Unusual error rates
• Suspicious client requests
• Data crawling
• Key harvesting
• Activity bursts
• Geographical patterns
• Brute force attacks
• Bots probing for API security weakness
• Competitors scraping price data
• Credential stuffing
• Abuse of guest accounts
• Bot traffic skewing analytics and KPIs
• Using compromised API keys to access private APIs
• Dictionary-type attacks
• Man-in-the-Middle attacks
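As an added example (not code from the deck, and not Apigee Sense or any Apigee code), a small detector that scores four of the signs on this slide over constructed gateway access-log lines: persistent failed attempts from one IP, an unusual error rate, key harvesting (many distinct API keys from one client) and activity bursts. The log format, field layout and thresholds are assumptions.

```python
"""Flag clients showing some of the attack signs listed on the slide.
Example code added here; not Apigee Sense or any Apigee code.
The log format and the thresholds below are assumptions."""
from collections import defaultdict

# Constructed sample lines: "<epoch_seconds> <client_ip> <api_key> <status>"
SAMPLE_LOG = """\
1000 203.0.113.7 key-A 200
1001 203.0.113.7 key-B 401
1002 203.0.113.7 key-C 401
1002 203.0.113.7 key-D 401
1003 203.0.113.7 key-E 401
1003 203.0.113.7 key-F 401
1004 198.51.100.9 key-A 200
1010 198.51.100.9 key-A 200
1020 198.51.100.9 key-A 404
"""

# Assumed thresholds; a real deployment tunes these against baseline traffic.
PERSISTENT_401_MAX = 3    # more 401s than this from one IP -> persistent attempts
ERROR_RATE_MAX = 0.5      # share of 4xx responses per client that is "unusual"
DISTINCT_KEYS_MAX = 3     # more distinct API keys than this from one IP -> harvesting
BURST_WINDOW_S = 5        # activity burst: BURST_MAX requests inside this many seconds
BURST_MAX = 4

def parse(log_text):
    """Yield (ts, ip, key, status) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, key, status = parts
        yield int(ts), ip, key, int(status)

def flag_clients(log_text):
    """Return {ip: set_of_flags} for clients that show any of the signs."""
    per_ip = defaultdict(list)
    for ts, ip, key, status in parse(log_text):
        per_ip[ip].append((ts, key, status))
    flags = {}
    for ip, events in per_ip.items():
        found = set()
        if sum(1 for _, _, s in events if s == 401) > PERSISTENT_401_MAX:
            found.add("persistent_auth_failures")
        errors = sum(1 for _, _, s in events if 400 <= s < 500)
        if errors / len(events) > ERROR_RATE_MAX:
            found.add("unusual_error_rate")
        if len({k for _, k, _ in events}) > DISTINCT_KEYS_MAX:
            found.add("key_harvesting")
        ts_sorted = sorted(t for t, _, _ in events)
        for i in range(BURST_MAX - 1, len(ts_sorted)):   # sliding window of BURST_MAX requests
            if ts_sorted[i] - ts_sorted[i - BURST_MAX + 1] <= BURST_WINDOW_S:
                found.add("activity_burst")
                break
        if found:
            flags[ip] = found
    return flags
```

Real gateways also expose user agent, geography and per-key quota counters, which would feed the remaining signs in the same per-client loop.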
Slide 7: Why Traditional Approaches Fail
(Diagram: a WAF in front of Apigee and Backend Systems (Data Warehouse, CRM, ERP, etc., SOA, Microservices), with a matrix of request attributes: API Key, Access Token, User Agent, Contextual, Volume, Other Attributes.)
Slide 8: Solution: Dedicated API Security Infrastructure
APIs need a dedicated security infrastructure to protect against the increasing threat of malicious behavior.
Once is happenstance. Twice is coincidence. The third time it’s enemy action.
Ian Fleming
Slide 9: Apigee Sense
Intelligent behavior detection to protect APIs from attack.
Slide 10: How Does Apigee Sense Protect Your APIs?
● Purpose built for APIs
● Uses behavior-based rules and algorithms
● Detects anomalous behavior patterns at the API layer
● Complete closed-loop system: takes actions based on rules specified by administrators
Slide 11: Intelligent
Apigee Sense
• Studies call patterns from API metadata
• Algorithms detect anomalies
• Analyzes customer traffic over time
Slide 12: Behavior Detection
Apigee Sense
• Detects behavior
• Finds anomalies
• Proactively identifies threats
• Examines metadata
• Characterizes requests
• Flags suspicious requests
• Administrators apply desired action for a given behavior
(Diagram labels: Hackers, Brute Force Attacks)
Slide 13: Protect APIs
Apigee Sense
• Alerts teams
• Tags or blocks
• Takes action based on admin policies
• Closed-loop system
Slide 14: Closed Loop Protection (diagram)
Slide 15: Flexible Protection
• Handle Flagged Requests via Configuration
• Handle Flagged Requests via Code
Honeypot, Conditional Routing, Callouts, Logging
Slide 16: A Secure Solution
Slide 17: A Secure Solution… With Extreme Visibility
Slide 18: The Best Defense Is A Good Offense
Slide 19: Questions?