Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Strengthening Capabilities

Xavier Bruhiere
January 15, 2020
Technology
0
17

Strengthening Capabilities

To Mitigate Threats
from External API Integration

Xavier Bruhiere

January 15, 2020
Tweet

More Decks by Xavier Bruhiere

See All by Xavier Bruhiere
Going Big With DevOps
xavierbruhiere
0
26
Dataops - The WAT, The Pain, The How
xavierbruhiere
0
20

Other Decks in Technology

See All in Technology
FaaS における Java 起動時間の比較 (AWS / Azure / GCP) #jjug_ccc #jjug_ccc_d
tacck
2
830
Oracle Exadata Database Service on [email protected] X9M ([email protected]) 技術詳細
oracle4engineer
PRO
0
1.5k
LLMの普及による機械学習の民主化とMLPdMの重要性 / democratization-of-ml-and-importance-of-mlpdm-by-llm
yuya4
2
2.8k
WOFFの紹介
mmclsntr
0
120
Data-Centric AIのためのベンチマーク
x_ttyszk
1
630
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
2.3k
時系列データをChatGPTで読み解いてみる【IoT-Tech Meetup】
soracom
PRO
0
820
ChatGPTを活用した 便利ツールの紹介
hankehly
1
500
エンジニアのキャリアパスはどう描く? まつもとりーさんと考える後悔しないキャリア選択
matsumoto_r
PRO
2
280
IaCのCI/CDを考えよう / JAWS-UG_Okayama_IaC_CICD
taishin
1
180
k6による負荷試験 入門から実践まで
fujiwara3
2
150
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k

Featured

See All Featured
From Idea to $5000 a Month in 5 Months
shpigford
374
45k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.1k
Writing Fast Ruby
sferik
613
58k
Unsuck your backbone
ammeep
660
56k
Design by the Numbers
sachag
272
18k
What the flash - Photography Introduction
edds
64
10k
Being A Developer After 40
akosma
50
580k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
Producing Creativity
orderedlist
PRO
335
38k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
25
5.3k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Designing with Data
zakiwarfel
92
4.3k

Transcript

  1. Strengthening Capabilities
    1
    to Mitigate Threats
    from External API Integration

    View Slide

  2. 2
    Hello world
    Meet whatever application

    View Slide

  3. 3
    Hello world
    There’s an API for that, too.

    View Slide

  4. 4
    Introduction
    API Rise = f(micro-services, cloud, lambda, mobile, SaaS)
    Risk = x * API Rise + y

    View Slide

  5. 5
    Hello world
    Hey, I’m Xavier Bruhiere
    Head of Data Engineering at Lazada Logistics
    4 50 120 8000 pax
    Companies I wrote API for

    View Slide

  6. 6
    Introduction
    Mitigate 80% of the threats
    in 20% of the effort
    -- Vilfredo Pareto, maybe

    View Slide

  7. 7
    1. Emerging threats
    2. Monitoring API Activities
    3. Analysing API
    transactions
    AGENDA

    View Slide

  8. 01
    Emerging threats
    8

    View Slide

  9. 9
    Threats
    Poor implementation
    API side
    1. Broken Object level authorization
    2. Broken User authentication
    3. Excessive data exposure
    4. Lack of resources and rate limiting
    5. …
    OWASP Security top 10

    View Slide

  10. 10
    Threats
    Data leakage
    API side
    • Repurpose
    • Data breach
    • Access leakage
    • Inference
    • Misunderstanding

    View Slide

  11. 11
    Threats
    Negligence
    Client side
    Trust

    View Slide

  12. 12
    Threats
    Performance
    Business side
    Reliance/Lock-in
    Out of your control bottleneck
    Graceful downgrade

    View Slide

  13. 13
    If something can go wrong
    It will
    -- Murphy’s law
    Threats

    View Slide

  14. 14
    MVP strategy
    Threats

    View Slide

  15. 02
    Monitoring API activities
    in real-time
    15

    View Slide

  16. 16
    Real-time alerting
    1. What is business-as-usual
    # Status code
    # Signature
    # Rate limit
    # Volumes
    # API envelope
    # Response format
    # Latency
    # Headers
    # IP

    View Slide

  17. 17
    Real-time alerting
    2. An architecture
    Exporter
    Prometheus
    Airflow
    API
    Grafana
    Alertmanager

    View Slide

  18. 18
    On-duty recipe
    Real-time alerting
    About 50% culture / 50% technical
    Visibility: store everything, have context
    Trust: filter the noise
    Layers: have sound channels and fair escalation
    Iterate: blameless post-mortems

    View Slide

  19. 03
    Analysing API transactions
    and implementing smart alerts
    19

    View Slide

  20. 20
    Analysis
    More monitoring
    Rampant attack
    Gradual degradation
    Silent violation
    System glitches
    Single action with large impact

    View Slide

  21. 21
    Analysis
    Let’s build it!

    View Slide

  22. 22
    Requirements
    Development
    Storage Normalize Platform
    Offline storage
    For expensive analysis
    Relevant properties
    Known schema
    In-house/vendor?
    Analysis
    Users
    Scanning
    Exploration
    Debugging

    View Slide

  23. 23
    Real-time alerting
    An architecture
    Exporter
    Airflow
    API
    Prometheus

    View Slide

  24. 24
    Real-time alerting
    An architecture
    Exporter
    Airflow
    API
    Prometheus

    View Slide

  25. 25
    Smart Alerting
    Development
    Analysis
    Smart detection
    Anomalies detection algorithm
    Pattern detection, like bots or failures
    Database of known threats
    Critical data failure
    Smart notification
    First doubt: log
    Consistent issue: notify
    Known breach: wake up
    # Be transparent and cautious

    View Slide

  26. 26
    Keep up
    With threats
    Monitor
    Take action
    Wrapping Up

    View Slide

  27. 27
    Thanks
    Deal with it

    View Slide

  28. 28

    View Slide