
Strengthening Capabilities to Mitigate Threats from External API Integration

Xavier Bruhiere

January 15, 2020

Transcript

  1. Strengthening Capabilities
    to Mitigate Threats
    from External API Integration

  2. Hello world
    Meet whatever application

  3. Hello world
    There’s an API for that, too.

  4. Introduction
    API Rise = f(micro-services, cloud, lambda, mobile, SaaS)
    Risk = x * API Rise + y

  5. Hello world
    Hey, I’m Xavier Bruhiere
    Head of Data Engineering at Lazada Logistics
    Companies I wrote APIs for: 4, 50, 120, 8000 pax

  6. Introduction
    Mitigate 80% of the threats
    in 20% of the effort
    -- Vilfredo Pareto, maybe

  7. Agenda
    1. Emerging threats
    2. Monitoring API activities
    3. Analysing API transactions

  8. 01 Emerging threats

  9. Threats
    Poor implementation (API side)
    1. Broken object level authorization
    2. Broken user authentication
    3. Excessive data exposure
    4. Lack of resources and rate limiting
    5. …
    OWASP Security Top 10

  10. Threats
    Data leakage (API side)
    • Repurpose
    • Data breach
    • Access leakage
    • Inference
    • Misunderstanding

  11. Threats
    Negligence (client side)
    Trust

  12. Threats
    Performance (business side)
    Reliance/lock-in
    A bottleneck that is out of your control
    Graceful downgrade

  13. Threats
    If something can go wrong,
    it will.
    -- Murphy’s law

  14. Threats
    MVP strategy

  15. 02 Monitoring API activities
    in real-time

  16. Real-time alerting
    1. What is business-as-usual
    • Status code
    • Signature
    • Rate limit
    • Volumes
    • API envelope
    • Response format
    • Latency
    • Headers
    • IP
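The business-as-usual checklist on this slide becomes useful once each item is an explicit, machine-checkable expectation about a vendor's responses. The following Python is an added example, not code from the talk or from Lazada: it records a per-endpoint baseline and returns the list of deviations for one observed response. The `Baseline` fields and thresholds, the `X-Signature` HMAC-SHA256 header, the `X-RateLimit-Remaining` header, the shared secret and the IP addresses are constructed assumptions; real vendors document their own header names and signing schemes.

```python
"""Check one external API response against a 'business-as-usual' baseline.

Added example (not from the slides). Field names, thresholds, the X-Signature
and X-RateLimit-Remaining headers, the secret and the addresses are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What 'normal' looks like for one vendor endpoint (constructed values)."""
    expected_status: frozenset = frozenset({200})
    content_type: str = "application/json"               # response format
    envelope_keys: frozenset = frozenset({"data", "meta"})  # known API envelope
    max_latency_ms: float = 800.0
    min_rate_limit_remaining: int = 50
    signing_secret: bytes = b"constructed-shared-secret"  # hypothetical HMAC key
    allowed_ips: frozenset = frozenset({"203.0.113.10"})  # TEST-NET-3 example address


def sign(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 hex signature over the raw body (the assumed vendor scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: str, secret: bytes) -> bool:
    """Constant-time comparison so a forged header cannot be timed."""
    expected = sign(body, secret).encode()
    return hmac.compare_digest(expected, (header_value or "").encode())


def check_response(baseline: Baseline, status: int, headers: dict, body: bytes,
                   latency_ms: float, peer_ip: str) -> list:
    """Return the deviations from baseline; an empty list means business as usual."""
    deviations = []
    if status not in baseline.expected_status:
        deviations.append(f"status:{status}")
    ctype = headers.get("Content-Type", "").split(";")[0].strip()
    if ctype != baseline.content_type:
        deviations.append(f"content-type:{ctype or 'missing'}")
    try:
        payload = json.loads(body)
        if not isinstance(payload, dict) or not baseline.envelope_keys <= set(payload):
            deviations.append("envelope:unexpected-shape")
    except ValueError:
        deviations.append("body:not-json")
    if latency_ms > baseline.max_latency_ms:
        deviations.append(f"latency:{latency_ms:.0f}ms")
    remaining = headers.get("X-RateLimit-Remaining")
    if remaining is None or not remaining.isdigit() \
            or int(remaining) < baseline.min_rate_limit_remaining:
        deviations.append(f"rate-limit:{remaining}")
    if not verify_signature(body, headers.get("X-Signature", ""), baseline.signing_secret):
        deviations.append("signature:invalid")
    if peer_ip not in baseline.allowed_ips:
        deviations.append(f"ip:{peer_ip}")
    return deviations


# Constructed sample traffic.
BASELINE = Baseline()
GOOD_BODY = json.dumps({"data": [{"id": 1}], "meta": {"page": 1}}).encode()
GOOD_HEADERS = {"Content-Type": "application/json; charset=utf-8",
                "X-RateLimit-Remaining": "120",
                "X-Signature": sign(GOOD_BODY, BASELINE.signing_secret)}


def demo():
    """One normal response and one where the vendor drifted on several axes."""
    good = check_response(BASELINE, 200, GOOD_HEADERS, GOOD_BODY, 310.0, "203.0.113.10")
    # Envelope changed, latency spiked, quota nearly exhausted, the signature was
    # computed over a different body and the peer address is not the known one.
    bad_body = json.dumps({"results": []}).encode()
    bad_headers = dict(GOOD_HEADERS, **{"X-RateLimit-Remaining": "3"})
    bad = check_response(BASELINE, 200, bad_headers, bad_body, 1450.0, "198.51.100.7")
    return good, bad


if __name__ == "__main__":
    normal, drifted = demo()
    print("normal:", normal or "business as usual")
    print("drifted:", drifted)
```

In the architecture sketched on the next slide, each deviation kind would be incremented as a labelled counter in the exporter so that Prometheus rules can alert on rates rather than on single responses.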

  17. Real-time alerting
    2. An architecture
    Components: API, Exporter, Prometheus, Alertmanager, Grafana, Airflow

  18. Real-time alerting
    On-duty recipe
    About 50% culture / 50% technical
    Visibility: store everything, have context
    Trust: filter the noise
    Layers: have sound channels and fair escalation
    Iterate: blameless post-mortems

  19. 03 Analysing API transactions
    and implementing smart alerts

  20. Analysis
    More monitoring
    Rampant attack
    Gradual degradation
    Silent violation
    System glitches
    Single action with large impact

  21. Analysis
    Let’s build it!

  22. Requirements
    Development
    Storage: offline storage, for expensive analysis
    Normalize: relevant properties, known schema
    Platform: in-house/vendor?
    Analysis
    Users: scanning, exploration, debugging

  23. Real-time alerting
    An architecture
    Components: API, Exporter, Airflow, Prometheus

  25. Smart alerting
    Development / Analysis
    Smart detection
    • Anomaly detection algorithm
    • Pattern detection, like bots or failures
    • Database of known threats
    • Critical data failure
    Smart notification
    • First doubt: log
    • Consistent issue: notify
    • Known breach: wake up
    # Be transparent and cautious
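The three notification tiers on this slide map onto a small escalation policy fed by the deviation events that monitoring produces. The Python below is an added example, not code from the talk: a single sighting is only logged, the same issue seen repeatedly within a sliding window triggers one notification (and is then logged again rather than re-notified until the streak breaks), and any event kind listed in a known-threat table pages immediately. The window, the threshold, the event kinds, the known-threat table and the sample timeline are all constructed assumptions.

```python
"""Tiered notification for API anomaly events: log, notify, wake up.

Added example, not code from the talk. Thresholds, the known-threat table,
event kinds and the sample timeline are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

LOG, NOTIFY, WAKE_UP = "log", "notify", "wake_up"

# Constructed 'database of known threats': deviation kinds that on their own
# justify waking the on-duty engineer, without waiting for a streak.
KNOWN_BREACH_KINDS = frozenset({"signature:invalid"})


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since an arbitrary epoch (constructed)
    endpoint: str   # which external API the deviation concerns
    kind: str       # e.g. "latency:high", "status:500", "signature:invalid"


class EscalationPolicy:
    """First doubt -> log; consistent issue -> notify once; known breach -> wake up."""

    def __init__(self, window_s: float = 300.0, consistent_after: int = 3):
        self.window_s = window_s
        self.consistent_after = consistent_after
        self._recent = defaultdict(deque)  # (endpoint, kind) -> timestamps in window
        self._notified = set()             # issues already escalated to NOTIFY

    def decide(self, ev: Event) -> str:
        if ev.kind in KNOWN_BREACH_KINDS:
            return WAKE_UP
        key = (ev.endpoint, ev.kind)
        recent = self._recent[key]
        recent.append(ev.ts)
        # Forget sightings that have fallen out of the sliding window.
        while recent and ev.ts - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) < self.consistent_after:
            # Not (or no longer) a consistent issue; a new streak may notify again.
            self._notified.discard(key)
            return LOG
        if key in self._notified:
            return LOG  # already notified for this streak: keep the record only
        self._notified.add(key)
        return NOTIFY


SAMPLE_EVENTS = [  # constructed timeline
    Event(0, "vendor-a", "latency:high"),
    Event(60, "vendor-a", "latency:high"),
    Event(120, "vendor-a", "latency:high"),
    Event(180, "vendor-a", "latency:high"),
    Event(200, "vendor-b", "status:500"),
    Event(250, "vendor-a", "signature:invalid"),
]


def run(events=SAMPLE_EVENTS):
    """Return (ts, endpoint, kind, action) for each event, in order."""
    policy = EscalationPolicy()
    return [(e.ts, e.endpoint, e.kind, policy.decide(e)) for e in events]


if __name__ == "__main__":
    for ts, endpoint, kind, action in run():
        print(f"t={ts:>4.0f} {endpoint:<9} {kind:<18} -> {action}")
```

Keeping the known-threat table separate from the streak logic is what lets the "be transparent and cautious" rule hold: every decision is explainable from the table, the window and the threshold, and tuning the noise level means changing those three values rather than the code.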

  26. Wrapping up
    Keep up with threats
    Monitor
    Take action

  27. Thanks
    Deal with it
