Slide 1

Strengthening Capabilities to Mitigate Threats from External API Integration

Slide 2

Hello world
Meet whatever application

Slide 3

Hello world
There's an API for that, too.

Slide 4

Introduction
API Rise = f(micro-services, cloud, lambda, mobile, SaaS)
Risk = x * API Rise + y

Slide 5

Hello world
Hey, I'm Xavier Bruhiere, Head of Data Engineering at Lazada Logistics
Companies I wrote APIs for: 4 / 50 / 120 / 8000 pax

Slide 6

Introduction
Mitigate 80% of the threats in 20% of the effort
-- Vilfredo Pareto, maybe

Slide 7

Agenda
1. Emerging threats
2. Monitoring API activities
3. Analysing API transactions

Slide 8

01 Emerging threats

Slide 9

Threats: Poor implementation (API side)
OWASP API Security Top 10:
1. Broken object level authorization
2. Broken user authentication
3. Excessive data exposure
4. Lack of resources and rate limiting
5. …

Slide 10

Threats: Data leakage (API side)
• Repurpose
• Data breach
• Access leakage
• Inference
• Misunderstanding

Slide 11

Threats: Negligence (Client side)
Trust

Slide 12

Threats: Performance (Business side)
Reliance / lock-in
Out of your control
Bottleneck
Graceful downgrade

Slide 13

Threats
If something can go wrong, it will.
-- Murphy's law

Slide 14

Threats
MVP strategy

Slide 15

02 Monitoring API activities in real-time

Slide 16

Real-time alerting
1. What is business-as-usual?
# Status code
# Signature
# Rate limit
# Volumes
# API envelope
# Response format
# Latency
# Headers
# IP

Slide 17

Real-time alerting
2. An architecture
Components: Exporter, Prometheus, Airflow, API, Grafana, Alertmanager

Slide 18

Real-time alerting
On-duty recipe
About 50% culture / 50% technical
Visibility: store everything, have context
Trust: filter the noise
Layers: have sound channels and fair escalation
Iterate: blameless post-mortems

Slide 19

03 Analysing API transactions and implementing smart alerts

Slide 20

Analysis
More monitoring
Rampant attack
Gradual degradation
Silent violation
System glitches
Single action with large impact

Slide 21

Analysis
Let's build it!

Slide 22

Requirements
Development / Storage
Normalize
Platform
Offline storage, for expensive analysis
Relevant properties
Known schema
In-house / vendor?
Analysis
Users
Scanning
Exploration
Debugging

Slide 23

Real-time alerting
An architecture
Components: Exporter, Airflow, API, Prometheus


Slide 25

Smart alerting (Development, Analysis)
Smart detection
Anomaly detection algorithm
Pattern detection, like bots or failures
Database of known threats
Critical data failure
Smart notification
First doubt: log
Consistent issue: notify
Known breach: wake up
# Be transparent and cautious
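Added example (not code from the talk or from Lazada): a small checker that compares each response from an external API against a "business-as-usual" baseline (the status code, rate limit, envelope, response format, latency and headers of slide 16) and then escalates in the three tiers of slide 25: first doubt is logged, a consistent issue notifies, a critical data failure wakes someone up. The baseline values, thresholds and sample responses are constructed for illustration.

```python
import json
from collections import deque

# Constructed baseline (assumed values) for one upstream API: what "usual" looks like.
BASELINE = {
    "status": {200},
    "max_latency_ms": 800,
    "envelope_keys": {"data", "meta"},  # expected top-level JSON envelope
    "required_headers": {"content-type", "x-ratelimit-remaining"},
    "min_ratelimit_remaining": 50,
}

def deviations(resp: dict) -> list[str]:
    """List every way `resp` departs from BASELINE (empty list = business as usual)."""
    out = []
    if resp["status"] not in BASELINE["status"]:
        out.append(f"status {resp['status']}")
    if resp["latency_ms"] > BASELINE["max_latency_ms"]:
        out.append(f"latency {resp['latency_ms']}ms")
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    missing = BASELINE["required_headers"] - set(headers)
    if missing:
        out.append(f"missing headers {sorted(missing)}")
    remaining = headers.get("x-ratelimit-remaining")
    if remaining is not None and int(remaining) < BASELINE["min_ratelimit_remaining"]:
        out.append(f"rate limit low ({remaining} left)")
    try:  # response format / API envelope check
        body = json.loads(resp["body"])
        if not isinstance(body, dict) or not BASELINE["envelope_keys"].issubset(body):
            out.append("envelope mismatch")
    except json.JSONDecodeError:
        out.append("body is not JSON")
    return out

class Escalator:
    """Tiered notification: first doubt -> log, consistent issue -> notify,
    critical data failure (a known threat signature) -> wake up the on-duty engineer."""
    CRITICAL = {"envelope mismatch", "body is not JSON"}

    def __init__(self, window: int = 5, notify_after: int = 3):
        self.notify_after = notify_after
        self.history = deque(maxlen=window)  # 1 = deviated, 0 = as usual

    def observe(self, devs: list[str]) -> str:
        self.history.append(1 if devs else 0)
        if self.CRITICAL & set(devs):
            return "wake up"
        if sum(self.history) >= self.notify_after:
            return "notify"
        return "log" if devs else "ok"
```

A single slow call only logs; the same deviation repeating across the window is what triggers a notification, which is the "filter the noise" point of slide 18.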

Slide 26

Wrapping up
Keep up with threats
Monitor
Take action

Slide 27

Thanks
Deal with it
