Strengthening Capabilities to Mitigate Threats from External API Integration
Meet whatever application
There’s an API for that, too.
Introduction
API Rise = f(micro-services, cloud, lambda, mobile, SaaS)
Risk = x * API Rise + y
Hey, I’m Xavier Bruhiere
Head of Data Engineering at Lazada Logistics
Companies I wrote APIs for: 4, 50, 120, 8000 pax
Introduction
Mitigate 80% of the threats in 20% of the effort
-- Vilfredo Pareto, maybe
AGENDA
1. Emerging threats
2. Monitoring API activities
3. Analysing API transactions
01. Emerging threats
Threats: poor implementation (API side)
OWASP Security Top 10:
1. Broken object level authorization
2. Broken user authentication
3. Excessive data exposure
4. Lack of resources and rate limiting
5. …
Threats: data leakage (API side)
• Repurpose
• Data breach
• Access leakage
• Inference
• Misunderstanding
Threats: negligence (client side)
Trust
Threats: performance (business side)
Reliance/lock-in
Bottleneck outside your control
Graceful downgrade
Threats
If something can go wrong, it will
-- Murphy’s law
Threats
MVP strategy
02. Monitoring API activities in real-time
Real-time alerting
1. What is business-as-usual?
# Status code
# Signature
# Rate limit
# Volumes
# API envelope
# Response format
# Latency
# Headers
# IP
Real-time alerting
2. An architecture (diagram components): API, Exporter, Prometheus, Alertmanager, Grafana, Airflow
Real-time alerting
On-duty recipe
About 50% culture / 50% technical
Visibility: store everything, have context
Trust: filter the noise
Layers: have sound channels and fair escalation
Iterate: blameless post-mortems
03. Analysing API transactions and implementing smart alerts
Analysis
More monitoring
Rampant attack
Gradual degradation
Silent violation
System glitches
Single action with large impact
Analysis
Let’s build it!
Analysis
Development: requirements
Storage: offline storage, for expensive analysis
Normalize: relevant properties, known schema
Platform: in-house/vendor?
Users: scanning, exploration, debugging
Real-time alerting
An architecture (diagram components): API, Exporter, Airflow, Prometheus
Analysis
Development: smart alerting
Smart detection:
Anomaly detection algorithm
Pattern detection, like bots or failures
Database of known threats
Critical data failure
Smart notification:
First doubt: log
Consistent issue: notify
Known breach: wake up
# Be transparent and cautious
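As an added illustration of the three notification tiers above and the business-as-usual properties from the real-time alerting slides (example code, not from the talk), a minimal Python alerter: status code, the vendor's rate-limit header and latency are judged against a sliding baseline, and a hypothetical response-envelope signature is checked against a constructed database of known threats.

```python
import statistics
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One call to an external API as seen by a client-side exporter (constructed)."""
    status: int                # HTTP status code
    latency_ms: float          # round-trip time
    rate_limit_remaining: int  # value of the vendor's rate-limit header
    signature: str = ""        # hypothetical fingerprint of the response envelope

class SmartAlerter:
    """Tiers: first doubt -> log, consistent issue -> notify, known breach -> wake_up.
    Business-as-usual latency is learned from a sliding window of recent calls."""
    def __init__(self, window=20, notify_after=3, latency_slo_ms=800.0, known_breaches=frozenset()):
        self.history = deque(maxlen=window)   # keep recent context for every call
        self.notify_after = notify_after      # strikes before paging a human
        self.latency_slo_ms = latency_slo_ms
        self.known_breaches = known_breaches  # constructed "database of known threats"
        self.strikes = 0                      # consecutive anomalous calls

    def _anomalous(self, obs):
        if obs.status >= 500 or obs.rate_limit_remaining == 0:
            return True
        if not self.history:
            return obs.latency_ms > self.latency_slo_ms
        baseline = statistics.mean(o.latency_ms for o in self.history)
        return obs.latency_ms > max(self.latency_slo_ms, 3 * baseline)

    def observe(self, obs):
        """Return the notification tier for this call: ok, log, notify or wake_up."""
        if obs.signature in self.known_breaches:
            tier = "wake_up"  # known breach: no need to accumulate doubt first
        elif self._anomalous(obs):
            self.strikes += 1
            tier = "notify" if self.strikes >= self.notify_after else "log"
        else:
            self.strikes = 0  # back to business-as-usual resets the count
            tier = "ok"
        self.history.append(obs)
        return tier

def run_demo():
    """Constructed stream: steady state, 5xx burst, recovery, latency spike, known breach."""
    alerter = SmartAlerter(notify_after=3, known_breaches=frozenset({"envelope:v1-leaks-pii"}))
    stream = [Observation(200, 120.0, 50)] * 5 + [Observation(503, 90.0, 50)] * 3
    stream += [Observation(200, 110.0, 50), Observation(200, 5000.0, 50)]
    stream.append(Observation(200, 115.0, 50, signature="envelope:v1-leaks-pii"))
    return [alerter.observe(o) for o in stream]
```

The demo stream yields five "ok" decisions, then "log", "log", "notify" for the 5xx burst, "ok" on recovery, "log" for the latency spike and "wake_up" for the known signature.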
Wrapping up
Keep up with threats
Monitor
Take action