Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Munich 2025 - Effectively incorporating...

Avatar for apidays apidays PRO
July 09, 2025
0
13

apidays Munich 2025 - Effectively incorporating API Security into the overall security workflow, Josh Goldfarb (F5)

Effectively incorporating API Security into the overall security workflow
Josh Goldfarb, Field Chief Information Security Officer at F5

apidays Munich 2025 - Accelerate AI Use Cases with APIs
July 2 & 3, 2025

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Avatar for apidays

apidays PRO

July 09, 2025
Tweet

More Decks by apidays

See All by apidays
apidays Munich 2025 - Building an AWS Serverless Application with Terraform, Andre Lopes (Tesla)
Avatar for apidays apidays
PRO
0
5
apidays Munich 2025 - Building Telco-Aware Apps with Open Gateway APIs, Subhranshu Dwivedi & Ricardo Serrano Gutiérrez (Telefonica)
Avatar for apidays apidays
PRO
0
6
apidays Munich 2025 - Streamline & Secure LLM Traffic with APISIX AI Gateway (API7)
Avatar for apidays apidays
PRO
0
7
apidays Munich 2025 - Geospatial Artificial Intelligence (GeoAI) with OGC APIs, Emmanuel Mondon (AdviceGEO)
Avatar for apidays apidays
PRO
0
3
apidays Munich 2025 - Agentic AI: A Friend or Foe?, Merja Kajava (Aavista Oy)
Avatar for apidays apidays
PRO
0
5
apidays Munich 2025 - Automating Operations Without Reinventing the Wheel, Maarten Raaijmakers (Raynmakers)
Avatar for apidays apidays
PRO
0
7
apidays Munich 2025 - The life-changing magic of great API docs, Jens Fischer & Birgit Bader
Avatar for apidays apidays
PRO
0
5
apidays Munich 2025 - Let’s build, debug and test a magic MCP server in Postman with a few clicks, Johannes Nicolai (Postman)
Avatar for apidays apidays
PRO
0
3
apidays Munich 2025 - The Double Life of the API Product Manager, Emmanuel Paraskakis (Level 250)
Avatar for apidays apidays
PRO
0
2

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
33
2.4k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
5.9k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
179
9.8k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
126
53k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
30
5.9k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.8k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.8k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
10
720

Transcript

  1. Effectively incorporating API Security into the overall security workflow Josh

    Goldfarb Field CISO, F5

  2. ©2025 F5 2 •Complexity is the enemy of security •Effectively

    incorporating API Security into the overall security workflow •Key takeaways Agenda

  3. Complexity is the enemy of security

  4. None

  5. Exploit scanning increased 91% in 2024 Mar CVE-2017-9841 CVE-2020-11625 CVE-2022-24847

    CVE-2023-1389 CVE-2024-3721 Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Year CVEs 2024 40,077 2023 28,961 2022 25,059 2021 20,161 2020 18,375 2019 17,308 2018 16,512 2017 14,645 2016 6,457 Source: F5 Labs Evolving CVE Landscape report and ongoing research

  6. AI is increasing in bot activity Source: F5 Labs 5%

    of all traffic is from advanced persistent bots 50% of page content requests are from GenAI 10% of web logins were credential stuffing attacks 50M+ residential proxy IPs across 70+ countries

  7. 115% increase in API breaches since 2024 Source: F5 Labs

    68% caused by broken authorisation 50% caused by broken authentication 8% caused by misconfiguration 69% of API breaches were in the technology sector

  8. ©2025 F5 8 The growth in API use and accelerating

    pace of change makes it hard for security teams to keep up APIs represent an expanding attack surface, as new APIs and updates are being released all the time, and security is getting left behind 46% of respondents stated it takes a week or less to conceive, implement, test and deliver an API to a production environment Q: How long does it typically take to conceive, implement, test and deliver an API to a production environment? Postman state of API Report – 2023

  9. ©2025 F5 9 APIs create substantial security exposure for all

    organizations Unmonitored and unprotected APIs can expose organization to… • Unauthorized Access • Data Exfiltration • Denial of Service Attacks • Business Logic Exploitation • Injection Attacks These threats can lead to … • Exposure of sensitive information • Penalties for noncompliance • Brand reputation damage • Service outages & revenue loss • Intellectual property theft API Security Top 10

  10. Effectively incorporating API Security

  11. ©2025 F5 11 API Discovery/Visibility

  12. ©2025 F5 12 Preventive Controls Access Control

  13. ©2025 F5 13 Policy Enforcement

  14. ©2025 F5 14 Safeguarding Sensitive Data

  15. ©2025 F5 15 Abuse and DoS Protection

  16. ©2025 F5 16 Attack Protection

  17. ©2025 F5 17 Malicious User Detection

  18. ©2025 F5 18 Investigation and Response

  19. ©2025 F5 19 Lessons Learned

  20. Key takeaways

  21. ©2025 F5 21 •Complexity is the enemy of security •Be

    strategic and methodical •Cover all aspects of the security workflow •Iterate and incorporate lessons learned Key Takeaways
  22. None