Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Munich 2025 - Effectively incorporating...

Avatar for apidays apidays
PRO
July 09, 2025
0
0

apidays Munich 2025 - Effectively incorporating API Security into the overall security workflow, Josh Goldfarb (F5)

Effectively incorporating API Security into the overall security workflow
Josh Goldfarb, Field Chief Information Security Officer at F5

apidays Munich 2025 - Accelerate AI Use Cases with APIs
July 2 & 3, 2025

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Avatar for apidays

apidays
PRO

July 09, 2025
Tweet

More Decks by apidays

See All by apidays
apidays Munich 2025 - Building an AWS Serverless Application with Terraform, Andre Lopes (Tesla)
Avatar for apidays apidays
PRO
0
2
apidays Munich 2025 - Building Telco-Aware Apps with Open Gateway APIs, Subhranshu Dwivedi & Ricardo Serrano Gutiérrez (Telefonica)
Avatar for apidays apidays
PRO
0
0
apidays Munich 2025 - Streamline & Secure LLM Traffic with APISIX AI Gateway (API7)
Avatar for apidays apidays
PRO
0
0
apidays Munich 2025 - Geospatial Artificial Intelligence (GeoAI) with OGC APIs, Emmanuel Mondon (AdviceGEO)
Avatar for apidays apidays
PRO
0
0
apidays Munich 2025 - Agentic AI: A Friend or Foe?, Merja Kajava (Aavista Oy)
Avatar for apidays apidays
PRO
0
1
apidays Munich 2025 - Automating Operations Without Reinventing the Wheel, Maarten Raaijmakers (Raynmakers)
Avatar for apidays apidays
PRO
0
0
apidays Munich 2025 - The life-changing magic of great API docs, Jens Fischer & Birgit Bader
Avatar for apidays apidays
PRO
0
0
apidays Munich 2025 - Let’s build, debug and test a magic MCP server in Postman with a few clicks, Johannes Nicolai (Postman)
Avatar for apidays apidays
PRO
0
0
apidays Munich 2025 - The Double Life of the API Product Manager, Emmanuel Paraskakis (Level 250)
Avatar for apidays apidays
PRO
0
0

Featured

See All Featured
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.7k
Docker and Python
Avatar for Tania Allard trallard
44
3.5k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.9k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
35
6.7k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
233
17k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
138
34k
It's Worth the Effort
Avatar for 3n 3n
185
28k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k

Transcript

  1. Effectively incorporating API Security into the overall security workflow Josh

    Goldfarb Field CISO, F5

  2. ©2025 F5 2 •Complexity is the enemy of security •Effectively

    incorporating API Security into the overall security workflow •Key takeaways Agenda

  3. Complexity is the enemy of security

  4. None

  5. Exploit scanning increased 91% in 2024 Mar CVE-2017-9841 CVE-2020-11625 CVE-2022-24847

    CVE-2023-1389 CVE-2024-3721 Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Year CVEs 2024 40,077 2023 28,961 2022 25,059 2021 20,161 2020 18,375 2019 17,308 2018 16,512 2017 14,645 2016 6,457 Source: F5 Labs Evolving CVE Landscape report and ongoing research

  6. AI is increasing in bot activity Source: F5 Labs 5%

    of all traffic is from advanced persistent bots 50% of page content requests are from GenAI 10% of web logins were credential stuffing attacks 50M+ residential proxy IPs across 70+ countries

  7. 115% increase in API breaches since 2024 Source: F5 Labs

    68% caused by broken authorisation 50% caused by broken authentication 8% caused by misconfiguration 69% of API breaches were in the technology sector

  8. ©2025 F5 8 The growth in API use and accelerating

    pace of change makes it hard for security teams to keep up APIs represent an expanding attack surface, as new APIs and updates are being released all the time, and security is getting left behind 46% of respondents stated it takes a week or less to conceive, implement, test and deliver an API to a production environment Q: How long does it typically take to conceive, implement, test and deliver an API to a production environment? Postman state of API Report – 2023

  9. ©2025 F5 9 APIs create substantial security exposure for all

    organizations Unmonitored and unprotected APIs can expose organization to… • Unauthorized Access • Data Exfiltration • Denial of Service Attacks • Business Logic Exploitation • Injection Attacks These threats can lead to … • Exposure of sensitive information • Penalties for noncompliance • Brand reputation damage • Service outages & revenue loss • Intellectual property theft API Security Top 10

  10. Effectively incorporating API Security

  11. ©2025 F5 11 API Discovery/Visibility

  12. ©2025 F5 12 Preventive Controls Access Control

  13. ©2025 F5 13 Policy Enforcement

  14. ©2025 F5 14 Safeguarding Sensitive Data

  15. ©2025 F5 15 Abuse and DoS Protection

  16. ©2025 F5 16 Attack Protection

  17. ©2025 F5 17 Malicious User Detection

  18. ©2025 F5 18 Investigation and Response

  19. ©2025 F5 19 Lessons Learned

  20. Key takeaways

  21. ©2025 F5 21 •Complexity is the enemy of security •Be

    strategic and methodical •Cover all aspects of the security workflow •Iterate and incorporate lessons learned Key Takeaways
  22. None