apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity

Transcript

1. Overengineering weakens your API security David Vazquez Cortizo Managing Director

2. 2 • Two truisms (?) ◦ The importance of API

   security ◦ The energy (budget) of your organization is limited for security • Treat security waste (over engineering and bureaucracy) as a security threat • Take a natural and energy-efficient approach to security through ◦ A simple framework ◦ Tooling ◦ Mindset Preamble

3. Agenda • A simple framework to address API security •

   Governance - Architecture and Development • Transparency • API Operations • Mindset • Closing

4. 4 A simple framework to address API security OAUTH2 OAUTH2

   scopes ACL RBAC TLS1.2 Mutual TLS TLS1.3 end2end encryption Fine-grained authorization

5. 5 • Understand and challenge your needs - remove waste

   ◦ Consider getting rid of your IP whitelisting • What do you do with your API Gateways? ◦ Consider your options: ▪ SaaS ▪ Managed service from your cloud provider ▪ APIM vendor ◦ Bring together API Gateway & Identity & Access Management solution ◦ Separate domains - Security & Operations layer vs Accessibility layer Governance - Architecture

6. Marketplace & Platform Features Publish your APIs and Digital Products

   (Applications) into the catalog Control the visibility of your services through private, public and internal plans Organise your products into services within workspaces. Enrich them with marketing details and business insights Invite external companies to consume your services with their own workspace that they control and manage Provide a multi-branded and multi-catalog experience. Business units have their own organisation & workspaces External companies manage their own subscriptions and applications in a secure and compliant way Manage your APIs across the full API lifecycle from Design to Sunset Visualize analytics of your API traffic down to each individual request and obtain performance and use insights Use standard policies to control usage in a secure and compliant way Highly available infrastructure in APIM with 99.99% availability across 4 global regions Standards, Governance and Expertise centralised around the platform to provide a one-stop CoE for APIs Define Rate limits, transactions and pricing for Metering and Monetization and promote new revenue streams and innovation Marketplace Platform

7. 7 • Layered approach to security for Zero Trust ◦

   Three doors : Web layer / API Gateway / Destination server ◦ External token replacement mechanism before the API Gateway Governance - Architecture

8. 8 • Leverage ISO 27001 Certification - shift security left

   ◦ Identify security-related tickets during product refinement ◦ Establish security roles inside the teams and early approval processes • Standardize API development ◦ Authentication and Access control ◦ Input validation libraries, error handling, CORS policies, μservice templates • Integrate tools in your Continuous Integration pipeline ◦ Verification of 3rd party libraries (versions, security threats) ◦ Code quality checks & API quality Governance - Secure development life cycle

9. 9 • Impossible to secure APIs you do not know

   exist and whether or not are in use ◦ You need to know your API state • APIs as Digital Products ◦ Opportunities - Monetization ◦ Risks - Security and Operations • Use API Risk assessment to prioritize security measures ◦ Level of use of the API, who and how Transparency and Discoverability What the eyes don't see the heart doesn't grieve

10. 10 • Alarms and Monitoring • Robust API logging and

    smart processing of these logs API Operations Source: Antonio Damasio - Descartes´ error Is anybody abusing my API state? How would I know? Follow Nature´s algorithm to develop brains- Detect, defend, prevent • Rate limiting • Ingress / Egress control • Periodic security assessments • Security posture - tooling for SIEM

11. 11 • Your security budget is limited - Act responsibly

    ◦ Be bold: Eliminate waste from your security and compliance processes • Understand and challenge needs and requirements ◦ Need a self-managed API Gateway? • Stay rational - Avoid over engineering & Make decisions - Go for tooling! ◦ Consider your core business and possible competitive advantage ◦ Consider the capabilities of the organization ◦ Remember the lifetime obligation to maintain and evolve the code you own Mindset

12. 12 • Addressed API security with a mix of security

    framework, tooling and mindset • Presented a simple framework to address API security in five dimensions • Gave a few examples of tooling • Mindset Summary

13. The API Marketplace company E-Commerce Journey | Gateway agnostic |

    Regulated Industries