Slide 1

WHY YOU NEED TO AUTOMATE API SECURITY
Isabelle Mauny, CTO, [email protected]
The API Security Platform for the Enterprise

Slide 2

MULTIPLICATION OF ENDPOINTS
Source: https://blog.appdynamics.com/product/the-importance-of-monitoring-containers-infographic/

Slide 3

RISE OF VIRTUAL APPLICATION NETWORKS
[Figure labels: Internal, Partner, Public]
App icon made by https://www.flaticon.com/authors/pixel-buddha

Slide 4

EVER FASTER PACE OF APP DELIVERY
[Figure labels: APPLICATION DEVELOPMENT, APPLICATION SECURITY]

Slide 5

API SECURITY NEEDS TO EVOLVE

Slide 6

DEFINING “PROPER” SECURITY

Slide 7

✓ Authentication
✓ Integrity (transport & message)
✓ Audit
✓ Confidentiality (transport & message)
✓ Availability (rate limiting)
✓ Access Control
✓ Non-Repudiation
✓ Data Validity (attack protection)

Slide 8

YES. You need to consider all of this…
… AND you need to configure all aspects in the right way.

Slide 9

EASY TO GET THOSE WRONG!

Slide 10

AND you need the right infrastructure…

Slide 11

“Security experts are going to have to figure out how to deliver ‘security as code’. Essentially, they have to translate every security requirement, every coding guideline, every ‘best practice,’ every threat model, and every security architecture into code that can run during the development, build, test, and deployment process. Even in operations, it’s critical that attack detection and response is fully automated.”
Jeff Williams, OWASP Top 10 project creator, about the (ex) A10 entry in the OWASP Top 10.
Source: https://sdtimes.com/owasp-adds-unprotected-apis-insufficient-attack-protection-top-ten-2017-release/

Slide 12

THE SOLUTION? DEVOPS, BUT WITH SECURITY ON!

Slide 13

LET’S SHIFT SECURITY LEFT!
[Figure labels: Design, Development, Testing, Deployment]
Security vulnerabilities are bugs. The later you find them, the more costly they are to fix.

Slide 14

HACK YOURSELF!
Automated Scans
✓ Code Scans
✓ Infrastructure Scans
Automated Hacking
✓ OWASP ZAP, Burp
Chaos Engineering
✓ DDoS Attacks
Test Security
✓ Authentication
✓ Authorization
Complementary Initiatives
✓ Pen-Testing
✓ Bug Bounty
✓ Secure Code Reviews
(1) Choose scanning platforms/tools whose functionality is exposed as APIs/CLI.

Slide 15

Slide 15 text

IT’S ILLEGAL TO ATTACK SYSTEMS! UNLESS ALLOWED TO… 15

Slide 16

Slide 16 text

1. Use Threat Modelling to eval the APIs risk 2. Define security profiles by risk level 3. Apply security profiles automatically based on risk. 4. Avoid policies in code and API-specific 16 IMPLEMENT ‘POLICY AS CODE’ 2

Slide 17

Slide 17 text

1. Easy to deploy even on developer’s laptops 2. Can be deployed hundreds of times 3. Immutable 17 USE A CONTAINERIZED PEP 3 VERIFY IMAGE INTEGRITY !

Slide 18

Slide 18 text

1. Constant monitoring at all stages 2. Automated Response when possible. 3. Leverage Machine Learning (but be careful of false positives!) 18 MONITOR AND ANALYZE 4
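The monitor-and-respond loop of this slide, as an added Python example that is not part of the deck and not 42Crunch's code. It reads constructed gateway log lines (JSON, one record per line; the format, the thresholds and the "distinct paths" condition are all hypothetical choices), alerts a human after a few authentication failures from one client, and applies the automated response (blocking the client) only when the failures are both numerous and spread across several endpoints. That second condition is the simple stand-in for the slide's false-positive caution: a legitimate job with an expired token hammering one endpoint gets an alert, not a block. No machine learning is involved; the point is that the response rule is stricter than the alert rule.

```python
"""Monitor API gateway logs, alert on suspicious authentication failures and
respond automatically only when the evidence is strong. Added example for
this deck; not 42Crunch's code.

Hypothetical choices, not taken from the deck: the JSON log format, the
thresholds, and the distinct-path condition used to keep a single client with
an expired token from being auto-blocked (the false-positive caution).
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_S = 60             # sliding window per client
ALERT_FAILURES = 5        # auth failures in the window before a human is alerted
BLOCK_FAILURES = 10       # auth failures in the window before automated response...
BLOCK_DISTINCT_PATHS = 4  # ...provided they are spread over this many paths


@dataclass
class Monitor:
    alerts: list[str] = field(default_factory=list)
    blocked: set[str] = field(default_factory=set)
    _events: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def observe(self, line: str) -> str:
        """Consume one log line and return the decision taken for it."""
        rec = json.loads(line)
        client = rec["client"]
        if client in self.blocked:
            return "blocked"            # automated response already in effect
        if rec["status"] not in (401, 403):
            return "ok"
        window = self._events[client]
        window.append((rec["ts"], rec["path"]))
        while window and rec["ts"] - window[0][0] > WINDOW_S:
            window.popleft()            # drop failures older than the window
        failures = len(window)
        paths = {p for _, p in window}
        if failures >= BLOCK_FAILURES and len(paths) >= BLOCK_DISTINCT_PATHS:
            self.blocked.add(client)
            self.alerts.append(f"{client}: auto-blocked, {failures} auth failures across {len(paths)} paths")
            return "block"
        if failures == ALERT_FAILURES:
            self.alerts.append(f"{client}: {failures} auth failures in {WINDOW_S}s on {sorted(paths)}, review")
            return "alert"
        return "ok"


def constructed_log() -> list[str]:
    """Constructed log lines (not captured traffic), sorted by timestamp."""
    records = []
    # Client A: a legitimate job whose token expired, retrying one endpoint every 5 s.
    for i in range(12):
        records.append({"ts": 1000 + 5 * i, "client": "10.0.0.5", "path": "/v1/orders", "status": 401})
    # Client B: auth failures spread across many paths within the same minute, then a success.
    paths = ["/v1/users", "/v1/invoices", "/v1/reports", "/v1/settings", "/v1/orders"]
    for i in range(10):
        records.append({"ts": 1000 + 3 * i, "client": "203.0.113.9", "path": paths[i % 5],
                        "status": 403 if i % 2 else 401})
    records.append({"ts": 1040, "client": "203.0.113.9", "path": "/v1/orders", "status": 200})
    records.sort(key=lambda r: r["ts"])
    return [json.dumps(r) for r in records]


def run(lines: list[str]) -> tuple[Monitor, list[str]]:
    """Feed every line through one Monitor; returns it and the per-line decisions."""
    monitor = Monitor()
    return monitor, [monitor.observe(line) for line in lines]


if __name__ == "__main__":
    monitor, decisions = run(constructed_log())
    print("\n".join(monitor.alerts))
    print("blocked:", sorted(monitor.blocked))
```

Running it shows both clients raising an alert at their fifth failure, but only client B being blocked; its later successful request is then refused as "blocked" while client A keeps generating "ok" decisions for a human to review.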

Slide 19

Slide 19 text

FULL DEV-SEC-OPS CYCLE FOR APIS 19 Develop Assess Secure Test Document Deploy API is developed on platform of choice Continuous API testing including security testing Deploy to containerized PEP Configure and apply security policy from assessed risk Assess API description and evaluate risk level Document and annotate API with OpenAPI/Swagger
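The "policy as code" recommendation (threat-model the risk, define profiles per risk level, apply them automatically) and the Assess, Secure and Deploy steps of this cycle, as an added Python example that is not part of the deck and not 42Crunch's code. It scores a constructed OpenAPI 3 description, maps the score to one of three security profiles, and hands that profile to a minimal policy enforcement point that decides on each request. The `x-exposure` extension used to declare Internal/Partner/Public exposure, the scoring weights, the profile contents and the PEP's placeholder schema check are all hypothetical; a real PEP would run JSON Schema validation and load the profiles from a policy repository.

```python
"""Policy as code for APIs: assess risk from an OpenAPI description, map the
risk level to a security profile, and have a policy enforcement point (PEP)
apply that profile. Added example for this deck; not 42Crunch's code.

Hypothetical choices, not taken from the deck: the 'x-exposure' extension
used to declare Internal/Partner/Public exposure, the scoring weights, the
three profiles, and the PEP's placeholder schema check.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
EXPOSURE_WEIGHT = {"internal": 1, "partner": 2, "public": 3}

# One profile per risk level. All profiles share the same keys so the PEP
# applies them uniformly; nothing here is specific to a single API.
PROFILES = {
    "low":    {"require_auth": False, "rate_limit_per_min": 600, "validate_body": False},
    "medium": {"require_auth": True,  "rate_limit_per_min": 300, "validate_body": True},
    "high":   {"require_auth": True,  "rate_limit_per_min": 60,  "validate_body": True},
}


@dataclass
class Assessment:
    score: int
    level: str
    findings: list[str] = field(default_factory=list)


def assess(spec: dict) -> Assessment:
    """Score an OpenAPI 3 description. Unknown exposure is treated as public."""
    findings: list[str] = []
    score = EXPOSURE_WEIGHT.get(spec.get("x-exposure", "public"), 3)
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level 'security' overrides the global list; an explicit [] disables auth.
            if not op.get("security", global_security):
                score += 1 if method == "get" else 2
                findings.append(f"{method.upper()} {path}: no security requirement")
            content = op.get("requestBody", {}).get("content", {})
            if content and not any("schema" in media for media in content.values()):
                score += 1
                findings.append(f"{method.upper()} {path}: request body has no schema")
    level = "low" if score <= 2 else "medium" if score <= 5 else "high"
    return Assessment(score, level, findings)


def profile_for(spec: dict) -> dict:
    """The profile follows from the assessed risk; nobody hand-picks it per API."""
    return PROFILES[assess(spec).level]


class PolicyEnforcementPoint:
    """Minimal PEP: one profile, applied to every request for the API it fronts."""

    def __init__(self, profile: dict):
        self.profile = profile
        self.calls: dict[str, int] = defaultdict(int)  # per-client calls in the current minute

    def decide(self, request: dict) -> tuple[bool, str]:
        p = self.profile
        if not request.get("tls", False):
            return False, "deny: plaintext transport"
        if p["require_auth"] and not request.get("authorization"):
            return False, "deny: missing credentials"
        body = request.get("body")
        # Placeholder for real JSON Schema validation: only a parsed JSON object passes.
        if p["validate_body"] and body is not None and not isinstance(body, dict):
            return False, "deny: body failed schema validation"
        client = request.get("client", "anonymous")
        self.calls[client] += 1
        if self.calls[client] > p["rate_limit_per_min"]:
            return False, "deny: rate limit exceeded"
        return True, "allow"


# Constructed OpenAPI descriptions for the demo (not real APIs).
PUBLIC_ORDERS_API = {
    "openapi": "3.0.0",
    "x-exposure": "public",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/orders": {
            "get": {},
            "post": {"requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}},
        },
        # Opted out of auth and accepts an unspecified body: the two findings reported below.
        "/orders/{id}/cancel": {"post": {"security": [], "requestBody": {"content": {"application/json": {}}}}},
    },
}
INTERNAL_HEALTH_API = {"openapi": "3.0.0", "x-exposure": "internal",
                       "security": [{"mtls": []}], "paths": {"/health": {"get": {}}}}

if __name__ == "__main__":
    for name, spec in (("orders", PUBLIC_ORDERS_API), ("health", INTERNAL_HEALTH_API)):
        a = assess(spec)
        print(f"{name}: score={a.score} level={a.level} profile={PROFILES[a.level]}")
        for finding in a.findings:
            print("  -", finding)
```

The public orders API lands in the "high" profile because of its exposure plus one operation that opted out of authentication and takes an unspecified body; the internal health check lands in "low". Both results come from the description alone, which is what lets the Secure step run unattended once the Document and Assess steps are in place.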

Slide 20

Slide 20 text

20 RELIES ON STRONG COLLABORATION ACROSS OPERATIONS, DEVELOPMENT, SECURITY AND BUSINESS TEAMS PROPER SECURITY

Slide 21

Slide 21 text

21 BUILD A SECURITY CHAMPIONS TEAM

Slide 22

Slide 22 text

IT’S NOT ABOUT IF, IT’S ABOUT WHEN. BE PREPARED. 22

Slide 23

Slide 23 text

23 www.42crunch.com/whitepaper

Slide 24

Slide 24 text

CONTACT: [email protected] WWW.42CRUNCH.COM The API Security Platform for the Enterprise

Slide 25

Slide 25 text

RESOURCES Chaos Engineering ✓ http:/ /principlesofchaos.org ✓ https:/ /github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https:/ /www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https:/ /www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https:/ /www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https:/ /www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools 25

Slide 26

Slide 26 text

RESOURCES SSL Setup Scan ✓ https:/ /hardenize.com ✓ https:/ /securityheaders.io ✓ https:/ /www.ssllabs.com/ssltest/ 26