apidays
September 21, 2023

apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM) & Filip Verloy (Noname Security)

apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023

Advanced AI-powered API Security
Ricky Moorhouse, Cloud Architect at IBM API Connect
Filip Verloy, Field CTO at Noname Security


Transcript

  1. Advanced API Security. Filip Verloy, Field CTO, Noname Security; Ricky Moorhouse, Cloud Architect, API Connect, IBM
  2. API Security is a superhuman problem. It requires Machine Learning to solve. The 2022 API Security Trends Report (whitepaper): 15,564, average number of production enterprise APIs; 76% of organizations experienced a security breach in the past year; 37 days per incident (27 days for discovery, 10 days for remediation).
  3. Security capabilities across the API lifecycle (diagram). Labels: Development, Secure at Runtime, Analyze Behavior, Manage, Design, Test, Discover unmanaged, Control Access, Protect Endpt, Validate content, Limit rate, Detect, Notify, Mediate / Stop attack, Predict, Continuous Monitor, API Lifecycle, Security policy. © 2023 IBM Corporation
  4. IBM API Connect powers digital applications by unlocking business data and assets as APIs (IBM API Connect). Socialize: Empower application developers to explore and consume your APIs using branded self-service portals. Secure: Easily apply built-in and extensible policies to secure, control and mediate the delivery of APIs protecting data and business assets. Create: Automatically create APIs to expose data, microservices, enterprise applications, and SaaS services using open standards. Manage: Rapidly organize, publish and analyze any API through the full lifecycle from design to retire.
  5. Gateway. IBM DataPower Gateway is an industry leading, high security gateway for modern, traditional and hybrid cloud workloads. Secure: Easily apply built-in and extensible policies to secure access to a full range of API, Mobile, Web, SOA, B2B, and Cloud workloads at all stages. Integrate: Combine modern event-based and API workloads with traditional services with advanced protocol bridging and message transformation support. Control: Protect applications from over utilization with traffic control and quota enforcements. Optimize: Improve response times and throughput by controlling message traffic with application caching and advanced routing.
  6. IBM DataPower. Provide security, control, integration and optimized access to enterprise business process. TLS Termination; AAA; Token exchange; Message protection; Message transform, rate limit & many others. Harden capabilities in Gateway to make it an excellent Policy Enforcement Point.
  7. IBM DataPower. Provide security, control, integration and optimized access to enterprise business process. TLS Termination; AAA; Token exchange; Message protection; Message transform, rate limit & many others. Harden capabilities in Gateway to make it an excellent Policy Enforcement Point. Diagram labels: Record, ML Policy Decision Point, Rules, IP, Cookie, Header, Query.
  8. Augment IBM API Connect & DataPower with Advanced API Security powered by Machine Learning. Discovery: Locate and inventory all of your APIs regardless of configuration. Posture Management: Uncover vulnerabilities and misconfigurations to speed remediation and ensure compliance. Runtime API Security: Detect and block API attacks with real-time traffic analysis powered by machine learning. Extend API Connect and DataPower (API Gateway)’s already powerful enterprise-grade performance and security with new Discovery, Posture Management and runtime Behavioral Threat Detection, powered by Noname Security.
  9. How it Works – High Level Architecture (diagram). Labels: Gateway, Noname Advanced API Security Policy (shown twice), API Consumers, Protection Rules, Analytics Records, API definitions & Application Details, API Call Information, ML Policy Decision Point.
  10. Learn more. 01 Explore the product; 02 Explore the partnership; 03 Visit the IBM booth: Talk to an SME, see a demo, or check out a 10-minute SmartTalk. ibm.biz/api-security, nonamesecurity.com/ibm
  11. IBM DataPower (diagram). Labels: Internet Consumer, Mobile Consumer, Cloud Apps & Services, Firewall / Load Balancer, Application, Application, System z, Mobile, Application Server, Application. Provide security, control, integration and optimized access to enterprise business process. TLS Termination; AAA; Token exchange; Message protection; Message transform, rate limit & many others. Harden capabilities in Gateway to make it an excellent Policy Enforcement Point.
  12. IBM DataPower (diagram). Labels: Internet Consumer, Mobile Consumer, Cloud Apps & Services, Firewall / Load Balancer, Application, Application, System z, Mobile, Application Server, Application, Record, ML Policy Decision Point, Rules, IP, Cookie, Header, Query. Provide security, control, integration and optimized access to enterprise business process. TLS Termination; AAA; Token exchange; Message protection; Message transform, rate limit & many others.
  13. IBM API Connect powers digital applications by unlocking business data and assets as APIs (IBM API Connect). Socialize: Empower application developers to explore and consume your APIs using branded self-service portals. Secure: Easily apply built-in and extensible policies to secure, control and mediate the delivery of APIs protecting data and business assets. Create: Automatically create APIs to expose data, microservices, enterprise applications, and SaaS services using open standards. Manage: Rapidly organize, publish and analyze any API through the full lifecycle from design to retire.
  14. IBM API Connect (diagram). Labels: Internet Consumer, Mobile Consumer, Cloud Apps & Services, Firewall / Load Balancer, Application, Application, System z, Mobile, Application Server, Application, Runtime API information, API Definition (security, schema ..), Application information (credential ..). Provide a full life cycle API management solution.
  15. IBM API Connect (diagram). Labels: Internet Consumer, Mobile Consumer, Cloud Apps & Services, Firewall / Load Balancer, Application, Application, System z, Mobile, Application Server, Application, Runtime API information, API Definition (security, schema ..), Application information (credential ..), ML Policy Decision Point, IP, Cookie, Header, Query, Record, Noname API Advanced Security Policy (shown twice), Rules. Provide a full life cycle API management solution.
  16. IBM API Connect powers digital applications by unlocking business data and assets as APIs (API Management). Socialize: Empower application developers to explore and consume your APIs using branded self-service portals. Secure: Easily apply built-in and extensible policies to secure, control and mediate the delivery of APIs protecting data and business assets. Create: Automatically create APIs to expose data, microservices, enterprise applications, and SaaS services using open standards. Manage: Rapidly organize, publish and analyze any API through the full lifecycle from design to retire. © 2023 IBM Corporation
  17. Gateway. IBM DataPower Gateway is an industry leading, high security gateway for modern, traditional and hybrid cloud workloads. Secure: Easily apply built-in and extensible policies to secure access to a full range of API, Mobile, Web, SOA, B2B, and Cloud workloads at all stages. Integrate: Combine modern event-based and API workloads with traditional services with advanced protocol bridging and message transformation support. Control: Protect applications from over utilization with traffic control and quota enforcements. Optimize: Improve response times and throughput by controlling message traffic with application caching and advanced routing.
  18. Noname Security extends the capabilities of IBM DataPower and IBM API Connect to enable organizations to provide advanced security of APIs throughout their lifecycle. Find API security issues faster. Intelligently identify and prioritize potential vulnerabilities. Remediate manually, semi-automatically or fully-automatically. Discover the unmanaged. Catch vulnerabilities and issues earlier, and prioritize based on impact to reduce remediation costs. Ensure compliance. Continuously monitor for compliance with regulatory requirements, industry standards and internal policies. See through the noise. Conduct real-time traffic analysis with automated AI and machine learning detection, and use automated remediation to stop attacks in real time. Intelligent asset management.