INTERFACE by apidays 2023 - API Security: Approaching Protection At Code-Level Goodness Okpani, Ethnos

INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023

API Security: Approaching Protection At Code-Level
Goodness Okpani, Chief Technology Officer at Ethnos IT Solutions
------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

July 11, 2023
Transcript

  1. API Usage over the Years
     According to Gartner, 98% of organizations use or plan to use APIs. There are more than 2.4 million API-related repositories on GitHub as of now.
  2. API Usage over the Years
     There are about 1097.9M API requests from 2015 to 2021, compiled from Postman request numbers.
  3. Traditional Approaches to protecting APIs
     (Diagram labels: Developers, Developed API in Production, WAF Services, WAAP, API Gateway, Web Servers, Hacker.)
  4. Limitations of WAF, API Gateways and WAAPs in API Security
     • Attack surface increase (monolithic vs microservices)
     • Business logic based attacks
     • Need to have traffic routed through them in order to block
     • Need to register APIs to enable API-level protections
     • Does not address shadow or zombie APIs
     (Diagram labels: WAF, WAAP, API Gateway, Enterprise Network, Registered API, Unregistered API, Vulnerable Unregistered API, Web Servers/Database.)
  5. Bypassing WAF in API Security
     Client-side API threats/vulnerabilities:
     • Business logic flaws
     • Insecure Direct Object References
     • Client-side attacks
     • Encrypted traffic
     • Zero-day exploits
     • Client authorization and access control
     (Diagram labels: Client-side Code, Server Side Code, Protected by WAF, Not protected by WAF.)
  6. Protecting API at the Source Code Level: Shifting-Left Approach
     Shifting left empowers developers to build more secure APIs in the first place rather than finding security vulnerabilities after going into production.
     Implementing Modern API SDLC, stages listed: Train, Design, Code, Check-in, Build, Deploy, Test.
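Slides 5 and 6 make the point that an Insecure Direct Object Reference or a missing authorization check is invisible to a WAF, because the request that triggers it is syntactically clean; the control has to live in the handler. The following Python is an added illustration written for this page, not code from the talk or from Ethnos: a hypothetical signature-only WAF stand-in, a constructed in-memory order store, and the same endpoint with and without an ownership check.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed in-memory store standing in for the API's database.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.50},
}

# Hypothetical signature rules (not any vendor's): a WAF of this kind only
# looks for known-bad byte patterns in the request, never at who owns what.
WAF_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),  # SQL injection marker
    re.compile(r"\.\./"),               # path traversal marker
    re.compile(r"(?i)<script"),         # reflected XSS marker
]

def waf_allows(request_line: str) -> bool:
    """True when no signature matches, i.e. the WAF passes the request on."""
    return not any(sig.search(request_line) for sig in WAF_SIGNATURES)

def get_order_vulnerable(session_user: str, order_id: int) -> Optional[dict]:
    """IDOR: the handler trusts the id in the URL and never checks ownership."""
    return ORDERS.get(order_id)

def get_order_fixed(session_user: str, order_id: int) -> Optional[dict]:
    """Code-level fix: the object is returned only to its authenticated owner.
    A missing order and another user's order both yield None, so the response
    does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        return None
    return order

def handle(request_line: str, session_user: str,
           handler: Callable[[str, int], Optional[dict]]) -> Tuple[int, Optional[dict]]:
    """Simulate the edge-to-handler path: WAF signatures first, then the code."""
    if not waf_allows(request_line):
        return 403, None
    m = re.fullmatch(r"GET /orders/(\d+)", request_line)
    if not m:
        return 400, None
    order = handler(session_user, int(m.group(1)))
    return (200, order) if order is not None else (404, None)

if __name__ == "__main__":
    # alice requests bob's order: the request is well-formed, so the WAF
    # passes it; only the handler can decide whether alice may see it.
    print(handle("GET /orders/1002", "alice", get_order_vulnerable))  # (200, bob's order)
    print(handle("GET /orders/1002", "alice", get_order_fixed))       # (404, None)
```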