Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai

apidays
PRO
June 07, 2024
Video
Technology
0
9

Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai

From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush, Principal Solutions Engineer, API Security at Akamai

Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

June 07, 2024
Tweet

Video

More Decks by apidays

See All by apidays
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines by Vesa Vähämaa, Finnlines
apidays
PRO
0
6
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hanna Sillanpaa, Abloy
apidays
PRO
0
6
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
PRO
0
8
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Testing with K6 by Ayush Goyal, Grafana Labs
apidays
PRO
0
7
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli Kilpeläinen, Betolar
apidays
PRO
0
6
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific
apidays
PRO
0
11
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giraldo, ING
apidays
PRO
0
9
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring Them Together by Merja Kajava, Aavista Oy
apidays
PRO
0
6
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean for Security? by Timo Rüppell, FireTail.io
apidays
PRO
0
11

Other Decks in Technology

See All in Technology
Oracle Modern Data Platform Reference Architecture (MySQL HeatWave Lakehouse編)
oracle4engineer
PRO
1
260
OpenTelemetry Meetup 2024-06 - ABEMA と分散トレーシングのあゆみ
tetsuya28
0
190
Fintech事業部流・爆速開発
layerx
PRO
0
130
エンジニアとして成長するための持続可能なアウトプット戦略 / Sustainable Output Strategy
iselegant
3
610
Agentは楽しいぞ
tubone24
0
440
アプリケーションが 正しく動作するということ - 自動テスト編 / Automated Testing
soudai
4
760
State of Amazon Location Service
dayjournal
0
110
Data Processing in PHP - PHPers 2024 Poznań
norzechowicz
0
110
自動化と効率化のためにGitHub Actionsを使いこなそう
devops_vtj
4
470
20240619_今すぐ試せるCopilot
ponponmikankan
4
580
RubyKaigiのプロポーザルを通したい。 / rubykaigi-proposal
toshimaru
3
470
デジタルアイデンティティ技術 認可・ID連携・認証 基礎
oidfj
0
460

Featured

See All Featured
BBQ
matthewcrist
80
8.9k
Optimising Largest Contentful Paint
csswizardry
14
2.5k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
143
43k
YesSQL, Process and Tooling at Scale
rocio
165
14k
Creatively Recalculating Your Daily Design Routine
revolveconf
213
11k
KATA
mclloyd
18
12k
The Straight Up "How To Draw Better" Workshop
denniskardys
228
130k
Practical Orchestrator
shlominoach
184
9.9k
Making Projects Easy
brettharned
110
5.6k
jQuery: Nuts, Bolts and Bling
dougneiner
60
7.3k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
10
3.6k
Robots, Beer and Maslow
schacon
PRO
155
8k

Transcript

  1. From Chaos to Calm: Navigating Emerging API Security Challenges Eli

    Arkush | Principal Solutions Engineer, API Security

  2. Traditional vs Modern Apps GET /dashboard.aspx Fetch messages/notifications/news Returns HTML

    view GET /api/v2/messages GET /api/v2/notifications GET /api/v2/news Returns RAW data Fetch messages/notifications/news User Service

  3. APIs are Oversharing image credit: NYTimes

  4. See the full report, which sheds more light on API

    attack trends and remedies. akamai.com/lp/soti/lurking-in-the-shadows

  5. API Attacks By Vertical - 2023 5

  6. API Focussed Attacks By Region - 2023 6

  7. We’re making all the same mistakes with API security that

    we made with web security 20 years ago. Chris Eng - Chief Research Officer - Veracode Akamai State of the Internet (SOTI) API - The Attack Surface that Connect Us All. 7

  8. API Common Attack Vectors DDoS Injection Logic Abuse

  9. DDoS Attacks - Global

  10. Availability helps create Trust 10 https://xkcd.com/932

  11. Daily Web Application Attacks (millions) 11

  12. Loyalty Program Fraud Travel | Airlines | Ecommerce Device Loyalty

    Account 1 Loyalty Account 2 Loyalty Account 3 Loyalty Account 4 Loyalty Account 5 Loyalty Account 6 2 1 See this behaviour in your APIs Investigate these accounts for fraud

  13. Loyalty Program Fraud Travel | Airlines | Ecommerce Device Loyalty

    Account 1 Loyalty Account 2 Loyalty Account 3 Loyalty Account 4 Loyalty Account 5 Loyalty Account 6 See this behaviour in your APIs Investigate these accounts for fraud 2 1

  14. Case Study - Ride Sharing Company 14 (1) POST /addDriver

    (1) Error message with UUID (2) POST /getConsentScreenDetails (2) PII and access token Ride Sharing Company

  15. Ride Sharing Company: Account Takeover (1) (2)

  16. Ride Sharing Company: Excessive Data Exposure API3:2023 — Broken Object

    Property Level Authorization The APIs exposed much more data than required to operate

  17. Ride Sharing Company: BOLA API1:2023 — Broken Object Level Authorization

    Users can access resources that are not owned by them

  18. BOLA Detection - Relationship Violation A violation of those relationships

    => BOLA UserID: 1337 UserID: 430 Account: 7331 Account: 835 Account: 908 UserID: 777

  19. © 2022 Akamai

  20. OWASP API Top 10

  21. Goal Is Quality Code In Production Write Code Commit Code

    Build Deploy Maintain Detect ALL APIs: Zombie / Shadow Classify ALL Exposed Data Triage Critical Issues Feedback into Mitigation Tooling Test Code Detect Common Security & Posture Issue

  22. DDoS attacks OWASP attacks CVE exploits Known API attacks Bot

    attacks 1 DDoS protection Rate Limiting Cloud -based Solutions Web Application Firewall Virtual patching of vulnerabilities Blocks known attack patterns Bot Protections Block known bots Built-in App protection Shadow API Auth. partner ! compromised Logic attacks Mitigation Behavioural Analysis Detect: Business Logic abuse Zombies Shadow API Corp Cloud On-prem

  23. API Security Maturity Levels Coverage across the entire enterprise API

    estate Discover shadow APIs and ensure each one is documented or decommissioned Organize your API inventory Look at common alert types and identify strategies and priorities to reduce risk Create response plans to address possible attacks from adversaries Establish a formal API threat hunting discipline 1 Shining a light on the shadows 2 Getting organized 3 Hardening the API posture 4 Sharpening threat detection and response 5 Developing a proactive approach

  24. Takeaways 1. APIs are a primary target 1. Ensure sufficient

    protections are in place for DDoS, Injection attacks and Business Logic abuse 1. Ensure you know where ALL your APIs are located 1. Ensure you know what ALL your APIs are exposing

  25. Come and meet the team! Marc Sandell Bergqvist Major Account

    Executive Akamai Technologies Anders Persson Regional Sales Leader EMEA North Akamai Technologies Sebastian Moradi Senior Major Account Executive Akamai Technologies Eli Arkush Principal Solutions Engineer, API Security Akamai Technologies