Strengthening Capabilities to Mitigate Threats from External API Integration


Xavier Bruhiere

January 15, 2020

Transcript

  1. Strengthening Capabilities to Mitigate Threats from External API Integration

  2. Hello world: Meet whatever application.

  3. Hello world: There's an API for that, too.

  4. Introduction: API Rise = f(micro-services, cloud, lambda, mobile, SaaS); Risk = x * API Rise + y

  5. Hello world: Hey, I'm Xavier Bruhiere, Head of Data Engineering at Lazada Logistics. Companies I wrote APIs for: 4, 50, 120, 8000 pax.

  6. Introduction: Mitigate 80% of the threats in 20% of the effort -- Vilfredo Pareto, maybe.

  7. Agenda: 1. Emerging threats; 2. Monitoring API activities; 3. Analysing API transactions.

  8. 01 Emerging threats

  9. Threats, API side: Poor implementation. 1. Broken object level authorization; 2. Broken user authentication; 3. Excessive data exposure; 4. Lack of resources and rate limiting; 5. ... (OWASP API Security Top 10)

  10. Threats, API side: Data leakage. Repurpose, data breach, access leakage, inference, misunderstanding.

  11. Threats, client side: Negligence. Trust.

  12. Threats, business side: Performance. Reliance/lock-in, out of your control, bottleneck, graceful downgrade.

  13. Threats: If something can go wrong, it will -- Murphy's law.

  14. Threats: MVP strategy.

  15. 02 Monitoring API activities in real-time

  16. Real-time alerting, 1. What is business-as-usual: status code, signature, rate limit, volumes, API envelope, response format, latency, headers, IP.

  17. Real-time alerting, 2. An architecture: Exporter, Prometheus, Airflow, API, Grafana, Alertmanager.

  18. Real-time alerting, on-duty recipe: about 50% culture / 50% technical. Visibility: store everything, have context. Trust: filter the noise. Layers: have sound channels and fair escalation. Iterate: blameless post-mortems.

  19. 03 Analysing API transactions and implementing smart alerts

  20. Analysis, more monitoring: rampant attack, gradual degradation, silent violation, system glitches, single action with large impact.

  21. Analysis: Let's build it!

  22. Requirements. Development: Storage (offline storage for expensive analysis), Normalize (relevant properties, known schema), Platform (in-house/vendor?). Analysis: Users (scanning, exploration, debugging).

  23. Real-time alerting, an architecture: Exporter, Airflow, API, Prometheus.

  24. Real-time alerting, an architecture: Exporter, Airflow, API, Prometheus.

  25. Smart alerting. Development: analysis. Smart detection: anomaly detection algorithm, pattern detection (like bots or failures), database of known threats, critical data failure. Smart notification: first doubt: log; consistent issue: notify; known breach: wake up. # Be transparent and cautious.

  26. Wrapping up: keep up with threats, monitor, take action.

  27. Thanks. Deal with it.
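As an added example (not code from the talk), here is a small Python sketch of the business-as-usual checks from slide 16 and the tiered notification policy from slide 25 applied to recorded transactions with an external API; the baseline values, the transaction layout and the X-RateLimit-Remaining header name are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed "business-as-usual" profile for one vendor endpoint (assumed values;
# in practice learned from the stored transaction history the talk recommends).
BASELINE = {
    "status": {200},
    "latency_ms_max": 400,
    "envelope": {"data", "meta"},   # agreed response envelope keys
    "rate_remaining_min": 50,       # floor for the X-RateLimit-Remaining header
}

@dataclass
class Policy:
    notify_after: int = 5           # same finding this often in the window -> notify
    history: deque = field(default_factory=lambda: deque(maxlen=20))

def inspect_tx(tx, baseline=BASELINE):
    """Compare one recorded API transaction with the baseline; return finding names."""
    findings = []
    if tx["status"] not in baseline["status"]:
        findings.append("status")
    if tx["latency_ms"] > baseline["latency_ms_max"]:
        findings.append("latency")
    keys = set(tx["body"])
    if keys - baseline["envelope"]:
        findings.append("data_exposure")    # fields we never agreed to receive
    elif keys != baseline["envelope"]:
        findings.append("envelope")         # schema drift: expected fields missing
    remaining = tx["headers"].get("X-RateLimit-Remaining", float("inf"))
    if remaining < baseline["rate_remaining_min"]:
        findings.append("rate_limit")
    return findings

def escalate(policy, findings):
    """Tiered reaction from slide 25: first doubt -> log, consistent issue -> notify,
    known critical data failure -> wake up."""
    policy.history.append(tuple(findings))
    if not findings:
        return "ok"
    if "data_exposure" in findings:
        return "wake_up"
    repeats = max(sum(1 for past in policy.history if name in past) for name in findings)
    if repeats >= policy.notify_after:
        return "notify"
    return "log"
```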