apidays
September 21, 2023

apidays London 2023 - Overengineering Weakens your API Security, Dr. David Vazquez Cortizo, APInity

apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023

Overengineering Weakens your API Security
Dr. David Vazquez Cortizo at APInity
------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/


Transcript

  1. Preamble
     • Two truisms (?)
       ◦ The importance of API security
       ◦ The energy (budget) of your organization is limited for security
     • Treat security waste (overengineering and bureaucracy) as a security threat
     • Take a natural and energy-efficient approach to security through
       ◦ A simple framework
       ◦ Tooling
       ◦ Mindset
  2. Agenda
     • A simple framework to address API security
     • Governance - Architecture and Development
     • Transparency
     • API Operations
     • Mindset
     • Closing
  3. A simple framework to address API security
     (word cloud on the slide): OAuth2, OAuth2 scopes, ACL, RBAC, TLS 1.2, Mutual TLS, TLS 1.3, end-to-end encryption, fine-grained authorization
  4. Governance - Architecture
     • Understand and challenge your needs - remove waste
       ◦ Consider getting rid of your IP whitelisting
     • What do you do with your API Gateways?
       ◦ Consider your options:
         ▪ SaaS
         ▪ Managed service from your cloud provider
         ▪ APIM vendor
       ◦ Bring together API Gateway & Identity & Access Management solution
       ◦ Separate domains - Security & Operations layer vs Accessibility layer
  5. Marketplace & Platform Features
     • Publish your APIs and Digital Products (Applications) into the catalog
     • Control the visibility of your services through private, public and internal plans
     • Organise your products into services within workspaces. Enrich them with marketing details and business insights
     • Invite external companies to consume your services with their own workspace that they control and manage
     • Provide a multi-branded and multi-catalog experience. Business units have their own organisation & workspaces
     • External companies manage their own subscriptions and applications in a secure and compliant way
     • Manage your APIs across the full API lifecycle from Design to Sunset
     • Visualize analytics of your API traffic down to each individual request and obtain performance and use insights
     • Use standard policies to control usage in a secure and compliant way
     • Highly available infrastructure in APIM with 99.99% availability across 4 global regions
     • Standards, Governance and Expertise centralised around the platform to provide a one-stop CoE for APIs
     • Define Rate limits, transactions and pricing for Metering and Monetization and promote new revenue streams and innovation
  6. Governance - Architecture
     • Layered approach to security for Zero Trust
       ◦ Three doors: Web layer / API Gateway / Destination server
       ◦ External token replacement mechanism before the API Gateway
  7. Governance - Secure development life cycle
     • Leverage ISO 27001 Certification - shift security left
       ◦ Identify security-related tickets during product refinement
       ◦ Establish security roles inside the teams and early approval processes
     • Standardize API development
       ◦ Authentication and Access control
       ◦ Input validation libraries, error handling, CORS policies, μservice templates
     • Integrate tools in your Continuous Integration pipeline
       ◦ Verification of 3rd party libraries (versions, security threats)
       ◦ Code quality checks & API quality
  8. Transparency and Discoverability
     "What the eyes don't see the heart doesn't grieve"
     • Impossible to secure APIs you do not know exist, or whether or not they are in use
       ◦ You need to know your API state
     • APIs as Digital Products
       ◦ Opportunities - Monetization
       ◦ Risks - Security and Operations
     • Use API Risk assessment to prioritize security measures
       ◦ Level of use of the API, who and how
  9. API Operations
     Is anybody abusing my API state? How would I know?
     Follow Nature's algorithm to develop brains - Detect, defend, prevent (Source: Antonio Damasio - Descartes' Error)
     • Alarms and Monitoring
     • Robust API logging and smart processing of these logs
     • Rate limiting
     • Ingress / Egress control
     • Periodic security assessments
     • Security posture - tooling for SIEM
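     Slides 8 and 9 make two points that a small log processor can put together: you cannot secure APIs you do not know exist, and you need to ask "is anybody abusing my API state?". The following Python is an added example, not code from the talk or from APInity: it runs over a constructed gateway access-log sample and a hypothetical API inventory, reports endpoints seen in traffic that are missing from the inventory, and flags clients exceeding a sliding-window rate limit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway access log (not real traffic): "<ts> <client> <method> <path> <status>"
SAMPLE_LOG = """\
2023-09-14T10:00:01Z app-42 GET /v1/orders 200
2023-09-14T10:00:02Z app-42 GET /v1/orders 200
2023-09-14T10:00:03Z app-42 POST /v1/orders 201
2023-09-14T10:00:04Z app-42 GET /v1/orders 200
2023-09-14T10:00:06Z app-42 GET /v1/orders 200
2023-09-14T10:00:07Z app-17 GET /v0/legacy-export 200
2023-09-14T10:00:09Z app-42 GET /v1/customers 403
"""

# Hypothetical API inventory: the "API state" the deck says you must know.
INVENTORY = {("GET", "/v1/orders"), ("POST", "/v1/orders"), ("GET", "/v1/customers")}
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, never guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
                       "method": method, "path": path, "status": int(status)})
    return events

def shadow_endpoints(events, inventory):
    """Endpoints seen in traffic but absent from the inventory: APIs you did not know existed."""
    return sorted({(e["method"], e["path"]) for e in events} - inventory)

def rate_limit_offenders(events, limit, window_seconds):
    """Clients exceeding `limit` requests inside any sliding window of `window_seconds`."""
    per_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_client[e["client"]].append(e["ts"])
    window, offenders = timedelta(seconds=window_seconds), {}
    for client, stamps in per_client.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the window start forward
                start += 1
            if end - start + 1 > limit:
                offenders[client] = max(offenders.get(client, 0), end - start + 1)
    return offenders
```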
  10. Mindset
     • Your security budget is limited - Act responsibly
       ◦ Be bold: Eliminate waste from your security and compliance processes
     • Understand and challenge needs and requirements
       ◦ Need a self-managed API Gateway?
     • Stay rational - Avoid overengineering & Make decisions - Go for tooling!
       ◦ Consider your core business and possible competitive advantage
       ◦ Consider the capabilities of the organization
       ◦ Remember the lifetime obligation to maintain and evolve the code you own
  11. Summary
     • Addressed API security with a mix of security framework, tooling and mindset
     • Presented a simple framework to address API security in five dimensions
     • Gave a few examples of tooling
     • Mindset