Strengthening Capabilities

Transcript

1. Strengthening Capabilities 1 to Mitigate Threats from External API Integration

2. 2 Hello world Meet whatever application

3. 3 Hello world There’s an API for that, too.

4. 4 Introduction API Rise = f(micro-services, cloud, lambda, mobile, SaaS)

   Risk = x * API Rise + y

5. 5 Hello world Hey, I’m Xavier Bruhiere Head of Data

   Engineering at Lazada Logistics 4 50 120 8000 pax Companies I wrote API for

6. 6 Introduction Mitigate 80% of the threats in 20% of

   the effort -- Vilfredo Pareto, maybe

7. 7 1. Emerging threats 2. Monitoring API Activities 3. Analysing

   API transactions AGENDA

8. 01 Emerging threats 8

9. 9 Threats Poor implementation API side 1. Broken Object level

   authorization 2. Broken User authentication 3. Excessive data exposure 4. Lack of resources and rate limiting 5. … OWASP Security top 10

10. 10 Threats Data leakage API side • Repurpose • Data

    breach • Access leakage • Inference • Misunderstanding

11. 11 Threats Negligence Client side Trust

12. 12 Threats Performance Business side Reliance/Lock-in Out of your control

    bottleneck Graceful downgrade

13. 13 If something can go wrong It will -- Murphy’s

    law Threats

14. 14 MVP strategy Threats

15. 02 Monitoring API activities in real-time 15

16. 16 Real-time alerting 1. What is business-as-usual # Status code

    # Signature # Rate limit # Volumes # API envelope # Response format # Latency # Headers # IP

17. 17 Real-time alerting 2. An architecture Exporter Prometheus Airflow API

    Grafana Alertmanager

18. 18 On-duty recipe Real-time alerting About 50% culture / 50%

    technical Visibility: store everything, have context Trust: filter the noise Layers: have sound channels and fair escalation Iterate: blameless post-mortems

19. 03 Analysing API transactions and implementing smart alerts 19

20. 20 Analysis More monitoring Rampant attack Gradual degradation Silent violation

    System glitches Single action with large impact

21. 21 Analysis Let’s build it!

22. 22 Requirements Development Storage Normalize Platform Offline storage For expensive

    analysis Relevant properties Known schema In-house/vendor? Analysis Users Scanning Exploration Debugging

23. 23 Real-time alerting An architecture Exporter Airflow API Prometheus

24. 24 Real-time alerting An architecture Exporter Airflow API Prometheus

25. 25 Smart Alerting Development Analysis Smart detection Anomalies detection algorithm

    Pattern detection, like bots or failures Database of known threats Critical data failure Smart notification First doubt: log Consistent issue: notify Known breach: wake up # Be transparent and cautious

26. 26 Keep up With threats Monitor Take action Wrapping Up

27. 27 Thanks Deal with it

28. 28