Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Paris 2024 - Layered Approach of API Se...

apidays
December 22, 2024

apidays Paris 2024 - Layered Approach of API Security Strategies and its Business Impact, Akansha Shukla, ABN AMRO NL

Layered Approach of API Security Strategies and its Business Impact
Akansha Shukla, Security Domain Expert at ABN AMRO NL

apidays Paris 2024 - The Future API Stack for Mass Innovation
December 3 - 5, 2024

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

December 22, 2024
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. API SECURITY PROTECTING YOUR BUSINESS IN THE API -DRIVEN WORLD

    A Business Imperative for the Digital Age In 2021, a single API vulnerability at Experian exposed the personal data of over 100 million users, costing them an estimated $700 million in fines and lost business. Could your organization be next?
  2. Akansha Shukla ABN AMRO Amsterdam, NL • Security Domain Expert

    • 10 Years of experience in Security (Application security, Code Security, API security, DevSecOps , TM, VAPT) • Certifications: CISM, CEH, CASE, Az-500 • Article Writer • Worked with TCS, Infosys, IBM , DevONNL • Yoga and meditation, listening to music, Singing, Traveling India, The Netherlands
  3. APIs: The Double -Edged Sword of Innovation APIs are the

    engines powering the digital economy, driving innovation in every sector: mobile apps, fintech, e -commerce, the Internet of Things, and more. This exponential growth in API adoption has created an expansive attack surface, making APIs prime targets for cybercriminals. Gartner correctly predicted that API attacks would be the most frequent attack vector by 2022, resulting in data breaches for enterprise web applications, and by 2024, API abuses and related data breaches would double.
  4. In 2019, a Facebook API vulnerability exposed the phone numbers

    of millions of users, triggering a wave of privacy concerns and regulatory scrutiny. In 2021, a misconfigured API at AX A allowed unauthorized access to customer financial data, resulting in millions in losses and a significant drop in their stock price. In 2023, a vulnerability in Paypal API enabled attackers to make fraudulent transactions, impacting the financial security of countless users. API BREACHES High-Profile Lessons Learned
  5. ARE YOU AN API SECURITY PRO? Let's see how your

    API security knowledge stacks up! Which API OWASP Top 10 was the most reported in 2024? Injection A Security Misconfiguration C Broken Object Level Authorization B Sensitive Data Exposure D Put your QR here Broken Object Level Authorization B
  6. THE OWASP API TOP 10: Know Your Enemy Broken Object

    Level Authorization (BOLA) Think of a hacker easily changing an account number in an API request to access someone else’s bank account BrokenAuthentication Weak authentication is like leaving your front door wide open, allowing anyone to enter your systems Excessive DataExposure Overly permissive APIs leak sensitive information, like a dripping faucet , slowly draining your valuable data Lack of Resources & Rate Limiting Without proper controls, attackers can flood your API with requests, causing a Denial of Service (DoS) attack and bringing your business to a standstill
  7. ARE YOU AN API SECURITY PRO? Let's see how your

    API security knowledge stacks up! Which of these is a common sign of a potential API attack? Unusual spikes in API traffic A Stable and predictable API response times C Consistent and regular API requests B Decreased API usage over time D Put your QR here Unusual spikes in API traffic A
  8. YOUR API SECURITY BLUEPRINT: A Layered Defen Protecting your APIs

    requires a multi -layered strategy that addresses security at every stage Governance and Insights Enabling Enforce Guardrail Standards FSCP policies API Security Checklist Guidelines Trainings and Resources Capabilities Building Capabilities building for Security Testing, Continuous Discovery, Security monitoring, Identity and Access management
  9. YOUR API SECURITY BLUEPRINT: A Layered Defen Protecting your APIs

    requires a multi -layered strategy that addresses security at every stage
  10. YOUR API SECURITY BLUEPRINT: A Layered Defen Integrate security testing

    into your development workflow to catch and fix vulnerabilities before they reach production Protecting your APIs requires a multi -layered strategy that addresses security at every stage Start with secure -by-design principles, building security into the foundation of your APIs Deploy active defenses to block attacks and protect your APIs in real -time
  11. API DISCOVERY Shining a Light on Hidden Risks You can’t

    secure what you can’t see . ComprehensiveAPI discoveryis the crucial first step, revealingyour full attack surface . Example A major financial institution discovered over 100 undocumented (shadow) APIs during a routine network analysis. These hidden APIs were a significant security blind spot, potentially exposing sensitive data. Key Discovery Methods  Analyze your network traffic to identify all API calls, including those from undocumented or forgotten APIs.  Examine your gateway logs for unusual traffic patterns or requests to endpoints that shouldn't be accessible.  Scan your code repositories for hardcoded API keys, credentials, or insecure coding practices
  12. Runtime protection is your always -on security guard, proactively protecting

    your APIs from attacks in real-time. RUNTIME PROTECTION Defending Your APIs 24/7 Web Application Firewalls (WAFs) Example Agaming company used AI-powered anomaly detection to thwart a sophisticated bot attack that was exploiting a business logic flaw in their API, preventing millions in fraudulent in-game currency transactions. Rate Limiting Behavioral Analysis AI-Driven Anomaly Detection KEY RUNTIME PROTECTION TECHNIQUES
  13. SHIFT -LEFT SECURITY: Empowering Developers to Build Secure APIs Example

    A software company significantly reduced API vulnerabilities by providing their developers with secure coding training, demonstrating the impact of proactive security education.  Static Analysis Tools: Automatically scan code for security flaws.  Secure Coding Guidelines: Provide clear standards and best practices.  API Security Testing Frameworks: Enable developers to test their APIs for vulnerabilities throughout development. Integrate security into every stage of the API lifecycle. DON’T TREAT IT AS AN AFTERTHOUGHT! Empower your developers with the right tools and knowledge.
  14. Secure Your APIs, Protect Your Future. ACT NOW! Don't wait

    for a breach to happen. Take control of your API security today  Start with API discovery: Know your attack surface.  Build a robust roadmap to address the OWASP API Top 10 risks.  Empower your developers: Make security a shared responsibility.  Invest in the right tools, training, and expertise. Ready to take the next step? Connect with me to discuss how we can build a robust API security program https://www.linkedin.com/in/akansha-s