The Dev, Sec and Ops of API Security - API World

Oct 15, 20193 likes721 views

The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect. Downside: The more APIs, the higher the security risk! API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs. Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language. In this presentation you will learn: Security risks at each stage of the API lifecycle, and how to mitigate them. How to implement an end-to-end automated API security model that development, security and operations teams will love. How to think positive! Why a positive security model works.

SECURING AN API WORLD
THE DEV, SEC AND OPS
OF APIS
ISABELLE MAUNY
CHIEF EVANGELIST & CO-FOUNDER
ISABELLE@42CRUNCH.COM

2
363
AVERAGE NUMBER OF APIS IN THE ENTERPRISE

MANY APIS, MANY DEPLOYMENTS
3
APPLICATION
DEVELOPMENT
APPLICATION
SECURITY

INJECTING SECURITY AS EARLY
AS POSSIBLE IN THE API LIFECYCLE
8
DeploymentTestingDevelopmentDesign
SHIFTING SECURITY LEFT

9
Development
Security
Operations
Business
A CHANGE IN CULTURE: TEAMS COLLABORATING…

A DEV-SEC-OPS CYCLE FOR APIS
12From: https://jaxenter.com/exploration-devsecops-144849.html

KNOW YOUR APIS AND THE
RISK THEY BRING
14See: https://www.owasp.org/index.php/Application_Threat_Modeling

VALIDATE AND SANITIZE DATA 17
URL validation
Verb validation
✓ Reject if not valid
Query params validation
✓ Min / Max / Pattern-based matching
✓ Prefer Positive Security Model
Content-Type validation
✓ Don’t accept as-is!
Data inbound
✓ Format
✓ Message Size and complexity
Data outbound
✓ Data Leakage
✓ Exception Leakage
✓ Use rules against data dictionary

VALIDATE ACCESS TOKENS 18
Don’t blindly trust the incoming token contents!
Validate JWT algorithm (the one you chose!)
✓ HS256
✓ RS256 (recommended)
Reject None!
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims and your own claims
See details Learn the best practices for keeping your JWTs secure.

IMPLEMENT A PROPER AUTHORIZATION
MODEL 19
Who is calling ?
✓ Is it your own app ?
✓ Is it a trusted user ?
✓ From where ?
What can they do ?
✓ Principles of least priviledge
✓ Do they own the data they want to access ?
OAuth scopes are often not enough !
✓ Limited to operations access
✓ You need to deal with data access!
✓ Need more fine-grained approach (XACML/OPA-
Open Policy Agent)

21
Dev QA/Testing Production Ops
Code Validation
Code reviews
API contract validation
Libraries/Components Validation
API Implementation Testing
API Contract Testing
Negative Testing: Hack yourselves!
Container Images Validation
Deployment Scripts Validation
Chaos Engineering
SSL/TLS Configuration
PenTesting

23
AUTOMATICALLY deploy security measures such as API Security
Gateways/Firewalls
Security As Code approach
Enforce Rate Limiting
Protect all APIs (Dev/QA/Prod)
Deploy at the edge and/or close to APIs (microservices architecture)
PROTECT ALL APIS

ADOPTING DEC SEC OPS
Start small and iterate
✓ Don’t try to address all issues at once!
Educate and help developers
✓ Don’t throw security at them as a new responsibility
✓ Help them by including feedback in their existing
development flow
✓ Add security people to development teams
Don’t through too many tools in the pipeline
✓ Evaluate and choose depending on your needs
25
API
Contract
Audit
Scan
Protect

CONTACT US:
INFO@42CRUNCH.COM
The API Security Company

WATCH WEBINAR: https://youtu.be/zTkv_9ChVPY In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: What makes API Security different from web application security The OWASP API Security Top 10 Real world breaches and mitigation strategies for each of the risks

OWASP API Security Top 10 - Austin DevSecOps Days42Crunch

In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: What makes API Security different from web application security The OWASP API Security Top 10 Real world breaches and mitigation strategies for each of the risks

Applying API Security at ScaleNordic APIs

By Isabelle Mauny, Chief Product Officer & Co-Founder at 42Crunch With the crazy rate at which APIs are developed, enterprises face a delicate situation to secure them. Data validation, input sanitization, security testing are tasks that require a lot of attention and time. When done very late in the API lifecycle, results are usually disastrous. API Security must be fully part of the API lifecycle, as transparent as possible, preventing developers from introducing vulnerabilities early on. A bug discovered in production can cost up to 30 times more effort to solve. Security vulnerabilities are no different.

Why you need API Security Automation42Crunch

Top API Security Issues Found During POCs42Crunch

WATCH WEBINAR: https://youtu.be/LLVOouA4pbs Over the past 6 months, we have discovered many similarities across APIs from companies from very different industries. "This is an eye opener" is the most recurring comment from our prospects. We thought it would be worth sharing our findings in this webinar. Through a mix of slides and demos, we will describe the top 5 issues our security audit reports, what they are and why they matter, including: - Potentials attacks linked to each issue - How they can be remediated - Example request/response and reports

Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman

The document summarizes API security topics presented by Erez Yalon at a Checkmarx Meetup event. Yalon discusses how API-based applications are different from traditional apps and deserve their own security focus. He outlines the OWASP API Security Project and the proposed API Security Top 10 risks, including broken object level authorization, excessive data exposure, lack of resources/rate limiting, and improper asset management. Yalon calls for community contributions to further develop the Top 10 and other API security resources.

Protecting Microservices APIs with 42Crunch API Firewall42Crunch

In loosely coupled architectures, we must put in place application level security, should it be for client traffic (North-South) or intra-microservices traffic (East-West). In this webinar, we show you how the 42Crunch API firewall can be used to put API threat protection in place automatically, as early as design time. We’ll use a mix of slides and demos to present: (1) The various elements of security to consider in order to cover the full API security scope (infrastructure vs application level security) (2) Which threat protections must be put in place in a microservices architecture, and where (3) How to leverage OpenAPI (aka Swagger) to configure threat protection from design time (4) How to automate threat protection deployment

API Security: the full story42Crunch

API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy

The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include less abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.

REST API Security by Design with Azure Pipelines42Crunch

WATCH WEBINAR: https://42crunch.com/webinar-questions-azure-pipelines/ REST API Static Security Testing Extension for Microsoft Azure Pipelines: https://bit.ly/42azure Security is an important topic in software development. Unfortunately, security is usually considered too late in software development, and especially in the API lifecycle. Waiting until software and APIs are in production before addressing security concerns can be a severe risk to your organization. Did you know that vulnerabilities found in production cost up to 30x time and money more to fix? There is a solution: by engaging developers early, educating them on API threats and uncovering real actionable issues in your APIs, you can act swiftly and save a lot of effort downstream. In this webinar, we will - Explain the concepts behind “shifting left” and how it can benefit your organization, both at quality and security levels. - Explain how auditing your OpenAPI (aka Swagger) definitions gives early visibility to developers of potential security issues in APIs implementation. - Demonstrate the functionality of the audit and which issues it detects. - Describe how you can leverage audit at build time to ensure only contracts at the required level of security quality can be deployed. - Demonstrate our new Azure Pipelines plugin and its discovery mechanism. - We will be joined in the webinar by Steven Murawski from the Microsoft Azure Cloud Advocacy team.

OWASP API Security Top 10 - API World42Crunch

This document outlines the OWASP API Security Top 10 project which identifies the top 10 risks associated with modern application programming interfaces (APIs). It describes each of the top 10 risks, including broken authentication, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring. For each risk, it provides real-world examples of APIs that have been exploited and mitigation strategies are proposed. Additional resources for the project are listed at the end.

API Security in a Microservices World42Crunch

A microservice architecture brings new challenges to API Security and careful design needs to be applied at operations and development level to ensure corporate data is properly protected from unwanted access. In this session we explain what API security encompasses, why API security needs to be considered as early as possible in the lifecycle of the microservices, how known standards such as OAuth and OpenID Connect can be leveraged to authenticate and authorize access to microservices and give practical examples and recommendations for the design and deployment of microservice architectures.

Owasp top 10 2017 (en)PrashantDhakol

OWASP API Security TOP 10 - 2019Miguel Angel Falcón Muñoz

The document summarizes the OWASP API Security Top 10 - 2019, which outlines the top 10 most critical API security risks. It includes an introduction to the OWASP API Security Top 10 project, release notes on the first edition, a description of the risk rating methodology used, and summaries of the top 10 risks which are: 1) Broken Object Level Authorization, 2) Broken Authentication, 3) Excessive Data Exposure, 4) Lack of Resources & Rate Limiting, 5) Broken Function Level Authorization.

WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch

WATCH WEBINAR: https://youtu.be/SywcVCvgXP0 Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or o¬utput validation. Here are a few illustrative real-life examples on this: • Drupal suffered a major issue in February 2019: a remote code execution flaw due to a parameter not properly validated. • Tchap, the brand new messaging app of the French government was hacked in an hour due to the lack of validation of the registration email. • CVE-2017-5638, better known as the “Equifax attack”. This vulnerability in Apache Struts could be exploited by crafting a custom Content-Type header and embedding ONGL expressions in the header value. • Cisco got fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product that included API vulnerabilities to the US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication. To protect APIs from such issues, an API-native, positive security approach is required: we create a whitelist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, min or max length, permitted characters, or valid values ranges. But how do we fill the gap between security and development mentioned above? What you’ll learn: • Why WAFs fail in protecting APIs • How a whitelist protects against A3, A6 and A8 of the OWASP API Security Top 10 – (with real-life examples) • How to build a proper whitelist for API security

Are You Properly Using JWTs?42Crunch

WATCH WEBINAR: https://youtu.be/558MFgH1t9g JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT are often mis-used and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper of validation. This session focuses on best practices and real world examples of JWT usage, where we cover: - Typical scenarios where using JWT is a good idea - Typical scenarios where using JWT is a bad idea! - Principles of Zero trust architecture and why you should always validate - Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t. - Use cases when encryption may be required for JWT

42crunch-API-security-workshop42Crunch

If you ask about API security, you will be most likely be told about OAuth2, may be OpenID Connect and of course TLS. But in order to properly secure APIs, you will have to address many other aspects. This presentation cover key concepts related to API Security, as well as practical tools/solutions to address the overall issue, such as: - Transport and message encryption. - Digital Signatures - Auditing and non-repudiation - SecDevOps and security as code - Coding best practices and how to enforce them - Infrastructure Best Practices

SecDevOps for API Security42Crunch

Guidelines to protect your APIs from threatsIsabelle Mauny

1) The document discusses securing APIs and provides guidance on a layered approach including application level security, guiding principles like zero trust architecture, and protecting against specific API threats outlined in the OWASP API Security Top 10. 2) It summarizes real stories of API vulnerabilities from companies like Uber, Facebook, and Equifax and provides mitigations for each. 3) The key recommendations are to incorporate API security at design time, conduct security testing of APIs, and automate security through practices like DevSecOps.

OWASP API Security Top 10 Examples42Crunch

Data-driven API SecurityApigee | Google Cloud

Standard API security approaches and best practices that harden your API security can ensure safe and secure operations. However, these approaches may not be enough to protect your backend from sophisticated data extrusion through API key attacks, low and slow data scrapping that blend with your legitimate traffic. Enter data driven security. This session at I Love APIs 2014 covered how your API data can help you gain insights to traffic anomalies and security/privacy abuse. And how you can mitigate risks using data driven API security controls.

API Security Guidelines: Beyond SSL and OAuth.Isabelle Mauny

This document provides guidelines for proper API security. It discusses evolving API security from established perimeters to blurry perimeters. It emphasizes that API security needs to consider authentication, authorization, integrity, confidentiality, availability, audit, and other aspects. It recommends implementing governance, evaluating coverage, establishing risk-based policies, and automating security through the full development cycle.

APISecurity_OWASP_MitigationGuide Isabelle Mauny

Five Principles to API SecurityIsabelle Mauny

This document discusses the need for API security as APIs increasingly expose enterprise data and processes both internally and externally. It notes that while APIs may seem invisible without a GUI, they can be easily discovered and are vulnerable to the same threats as web applications if not properly secured. The document advocates for a holistic approach to API security that considers authentication, authorization, integrity, confidentiality and other aspects. It also emphasizes that the right security measures depend on the type of API and calls for collaboration between operations, development, security and business teams to implement proper API security.

Advanced API Security Patterns42Crunch

Managing Identities in the World of APIsApigee | Google Cloud

Better API Security with Automation 42Crunch

apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays

API breaches are increasing, with over 350 reported publicly since October 2018. The top causes are lack of input validation, rate limiting, data/exception leakage, and authorization and authentication issues. These map to the OWASP API Security Top 10 risks. API-centric architectures expand the attack surface. To address this, security needs to be considered at design time through the API contract, which defines data constraints, authorization policies, logging, and rate limiting. Following best practices like this helps avoid vulnerabilities that are costly to fix later.

apidays New York 2023 - Putting yourself out there - how to secure your publi...apidays

apidays New York 2023 APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media May 16 & 17, 2023 Putting yourself out there - how to secure your public APIs Dan Erez, Architecture Team Lead at AT&T ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

More Related Content

What's hot (20)

API Security: the full story42Crunch

API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy

REST API Security by Design with Azure Pipelines42Crunch

OWASP API Security Top 10 - API World42Crunch

API Security in a Microservices World42Crunch

Owasp top 10 2017 (en)PrashantDhakol

OWASP API Security TOP 10 - 2019Miguel Angel Falcón Muñoz

WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch

Are You Properly Using JWTs?42Crunch

42crunch-API-security-workshop42Crunch

SecDevOps for API Security42Crunch

Guidelines to protect your APIs from threatsIsabelle Mauny

OWASP API Security Top 10 Examples42Crunch

Data-driven API SecurityApigee | Google Cloud

API Security Guidelines: Beyond SSL and OAuth.Isabelle Mauny

APISecurity_OWASP_MitigationGuide Isabelle Mauny

Five Principles to API SecurityIsabelle Mauny

Advanced API Security Patterns42Crunch

Managing Identities in the World of APIsApigee | Google Cloud

Better API Security with Automation 42Crunch

API Security: the full story42Crunch

API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy

REST API Security by Design with Azure Pipelines42Crunch

OWASP API Security Top 10 - API World42Crunch

API Security in a Microservices World42Crunch

Owasp top 10 2017 (en)PrashantDhakol

OWASP API Security TOP 10 - 2019Miguel Angel Falcón Muñoz

WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch

Are You Properly Using JWTs?42Crunch

42crunch-API-security-workshop42Crunch

SecDevOps for API Security42Crunch

Guidelines to protect your APIs from threatsIsabelle Mauny

OWASP API Security Top 10 Examples42Crunch

Data-driven API SecurityApigee | Google Cloud

API Security Guidelines: Beyond SSL and OAuth.Isabelle Mauny

APISecurity_OWASP_MitigationGuide Isabelle Mauny

Five Principles to API SecurityIsabelle Mauny

Advanced API Security Patterns42Crunch

Managing Identities in the World of APIsApigee | Google Cloud

Better API Security with Automation 42Crunch

Similar to The Dev, Sec and Ops of API Security - API World (20)

apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays

apidays New York 2023 - Putting yourself out there - how to secure your publi...apidays

APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...apidays

APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 Time to Take the "F*^!" out of ShiFt Left Christine Bevilacqua, API Security Evangelist at APIsec University ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro

This document provides an overview of API security from multiple perspectives: API security posture, runtime security, and security testing. It discusses the complex API ecosystem involving various stakeholders. The document also outlines common API attack classes like DDoS, data breaches, and abuse of functionality. Finally, it provides key takeaways that APIs have complex interconnected systems, require coordination across teams, and need to be evaluated from different security perspectives.

Better API Security With A SecDevOps ApproachNordic APIs

In an ever agile world where APIs are designed and implemented at an incredible rate, securing APIs is often a last moment thought and security teams as a obstacle. Security vulnerabilities are bugs, and like any other bug must be found as early as possible. In this session, Isabelle explains how developers can take advantage of an automated approach to discover and fix security issues as early as possible and how security teams can put the right tools in place to ensure that their security requirements are met as part of the API lifecycle. We will talk about static/dynamic code analysis, OpenAPI and dynamic security policies.

APIDays Paris Security Workshop42Crunch

Virtual Meetup - API Security Best PracticesJimmy Attia

API Security Best Practices and GuidelinesWSO2

View on-demand: https://wso2.com/library/webinars/api-security-best-practices-and-guidelines/ Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints. At the same time, security itself is a broad area and vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing. There is much to learn about API security, regardless of whether you are a novice or expert and it’s extremely important that you do because security is an integral part of any development project, including API ecosystems. This webinar will deep-dive into the importance of API security, API security patterns, and how identity and access management (IAM) fit in the ecosystem. DURING THE WEBINAR, WE WILL COVER: Managed APIs OAuth 2.0 and API security patterns Introduction to WSO2 Identity Server How we align with OWASP API security guidelines

7 Best Practices for Secure API Development .pdfchrisbrown798789

7 Best Practices for Secure API Development .docxchrisbrown798789

5 step plan to securing your APIs💻 Javier Garza

42Crunch Security Audit for WSO2 API Manager 3.1WSO2

API Security has become an important concern in recent times as organizations are more cautious about exposing raw, sensitive data via APIs. Therefore, it is important that APIs adhere to the OpenAPI Specification (OAS) to ensure API security. WSO2 has partnered with 42Crunch, to bring in the ability to conduct a security audit on the OpenAPI Specification definition, and to obtain an audit report. The WSO2 API Manager 3.1 brings a lot of interesting features, including the ability to run 42Crunch’s audit tool directly from the API Publishing portal. In this webinar, we will: - Explain the advantages of introducing security at design time - Introduce the 42Crunch audit functionality - Explain how 42Crunch and WSO2 API Manager can be used together for better API Security

apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...apidays

Layered Approach of API Security Strategies and its Business Impact Akansha Shukla, Security Domain Expert at ABN AMRO NL apidays Paris 2024 - The Future API Stack for Mass Innovation December 3 - 5, 2024 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)apidays

APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 API Security - doing more with less. Nir Paz, Product Management at Standard.ai ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...apidays

This document provides guidance on API security for developers. It discusses common API threats like lack of input validation, insecure authentication, and authorization issues. It outlines API security best practices like implementing zero trust architectures, considering all APIs as open, and applying fine-grained access control. The document also summarizes several real-world API vulnerabilities and breaches at companies like T-Mobile, Facebook, Uber, and Equifax to illustrate the risks. Developers are encouraged to incorporate security testing and follow secure development practices.

APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...apidays

APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 Exploring Advanced API Security Techniques and Technologies Sudhir Chepeni, Engineering and Product Leader ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Designing Secure APIsSteven Chen

APIs are the building blocks of interoperability on the web and are a key component of scalable and successful technology companies. As externally-consumable APIs expose more information and functionality, ensuring privacy and security of customer data is an increasingly risky proposition. In this session, we’ll talk about some of Slack’s learnings around building Developer APIs and best practices for keeping your APIs safe. Slides originally for a presentation at the Rocky Mountain Technology Summit. Slightly reduced content.

APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...apidays

This document provides guidance on API security for developers. It discusses common API threats like lack of input validation, insecure authentication, and authorization issues. It outlines API security principles like zero trust architecture and considering all APIs as open. The document gives examples of real API breaches at companies like T-Mobile, Facebook, Uber, and Equifax. It provides mitigation strategies for these issues and encourages developers to prioritize API security, implement controls like rate limiting, and test APIs for vulnerabilities.

Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...apidays

Security Vulnerabilities in your APIs Lukáš Ďurovský, Staff Software Engineer at Thermo Fisher Scientific Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

APIs: The New Security LayerApigee | Google Cloud

The document discusses API security fundamentals and how to effectively secure APIs. It notes that many past API breaches were due to a lack of authentication on APIs, no rate limiting of requests, and other basic security issues. It emphasizes that every system with a URI has an API and outlines steps like applying authentication, authorization, rate limiting, validating requests to prevent attacks. The document argues that APIs with well-defined contracts that specify URIs, input/output formats and authentication models are easier to securely implement and test compared to more complex, dynamic APIs.

apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays

apidays New York 2023 - Putting yourself out there - how to secure your publi...apidays

APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...apidays

Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro

Better API Security With A SecDevOps ApproachNordic APIs

APIDays Paris Security Workshop42Crunch

Virtual Meetup - API Security Best PracticesJimmy Attia

API Security Best Practices and GuidelinesWSO2

7 Best Practices for Secure API Development .pdfchrisbrown798789

7 Best Practices for Secure API Development .docxchrisbrown798789

5 step plan to securing your APIs💻 Javier Garza

42Crunch Security Audit for WSO2 API Manager 3.1WSO2

apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...apidays

APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)apidays

APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...apidays

APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...apidays

Designing Secure APIsSteven Chen

APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...apidays

Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...apidays

APIs: The New Security LayerApigee | Google Cloud

Recently uploaded (20)

Build enterprise-ready applications using skills you already have!PhilMeredith3

Process Tempo is a rapid application development (RAD) environment that empowers data teams to create enterprise-ready applications using skills they already have. With Process Tempo, data teams can craft beautiful, pixel-perfect applications the business will love. Process Tempo combines features found in business intelligence tools, graphic design tools and workflow solutions - all in a single platform. Process Tempo works with all major databases such as Databricks, Snowflake, Postgres and MySQL. It also works with leading graph database technologies such as Neo4j, Puppy Graph and Memgraph. It is the perfect platform to accelerate the delivery of data-driven solutions. For more information, you can find us at www.processtempo.com

Marketo & Dynamics can be Most Excellent to Each Other – The SequelBradBedford3

So you’ve built trust in your Marketo Engage-Dynamics integration—excellent. But now what? This sequel picks up where our last adventure left off, offering a step-by-step guide to move from stable sync to strategic power moves. We’ll share real-world project examples that empower sales and marketing to work smarter and stay aligned. If you’re ready to go beyond the basics and do truly most excellent stuff, this session is your guide.

Plooma is a writing platform to plan, write, and shape books your wayPlooma

Plooma is your all in one writing companion, designed to support authors at every twist and turn of the book creation journey. Whether you're sketching out your story's blueprint, breathing life into characters, or crafting chapters, Plooma provides a seamless space to organize all your ideas and materials without the overwhelm. Its intuitive interface makes building rich narratives and immersive worlds feel effortless. Packed with powerful story and character organization tools, Plooma lets you track character development and manage world building details with ease. When it’s time to write, the distraction-free mode offers a clean, minimal environment to help you dive deep and write consistently. Plus, built-in editing tools catch grammar slips and style quirks in real-time, polishing your story so you don’t have to juggle multiple apps. What really sets Plooma apart is its smart AI assistant - analyzing chapters for continuity, helping you generate character portraits, and flagging inconsistencies to keep your story tight and cohesive. This clever support saves you time and builds confidence, especially during those complex, detail packed projects. Getting started is simple: outline your story’s structure and key characters with Plooma’s user-friendly planning tools, then write your chapters in the focused editor, using analytics to shape your words. Throughout your journey, Plooma’s AI offers helpful feedback and suggestions, guiding you toward a polished, well-crafted book ready to share with the world. With Plooma by your side, you get a powerful toolkit that simplifies the creative process, boosts your productivity, and elevates your writing - making the path from idea to finished book smoother, more fun, and totally doable. Get Started here: https://www.plooma.ink/

Top 11 Fleet Management Software Providers in 2025 (2).pdfTrackobit

Artificial Intelligence Applications Across IndustriesSandeepKS52

Artificial Intelligence is a rapidly growing field that influences many aspects of modern life, including transportation, healthcare, and finance. Understanding the basics of AI provides insight into how machines can learn and make decisions, which is essential for grasping its applications in various industries. In the automotive sector, AI enhances vehicle safety and efficiency through advanced technologies like self-driving systems and predictive maintenance. Similarly, in healthcare, AI plays a crucial role in diagnosing diseases and personalizing treatment plans, while in financial services, it helps in fraud detection and risk management. By exploring these themes, a clearer picture of AI's transformative impact on society emerges, highlighting both its potential benefits and challenges.

Automating Map Production With FME and PythonSafe Software

People still love a good paper map, but every time a request lands on a GIS team’s desk, it takes time to create that perfect, individual map—even when you're ready and have projects prepped. Then come the inevitable changes and iterations that add even more time to the process. This presentation explores a solution for automating map production using FME and Python. FME handles the setup of variables, leveraging GIS reference layers and parameters to manage details like map orientation, label sizes, and layout elements. Python takes over to export PDF maps for each location and template size, uploading them monthly to ArcGIS Online. The result? Fresh, regularly updated maps, ready for anyone to grab anytime—saving you time, effort, and endless revisions while keeping users happy with up-to-date, accessible maps.

iOS Developer Resume 2025 | Pramod KumarPramod Kumar

Explore the professional resume of Pramod Kumar, a skilled iOS developer with extensive experience in Swift, SwiftUI, and mobile app development. This portfolio highlights key projects, technical skills, and achievements in app design and development, showcasing expertise in creating intuitive, high-performance iOS applications. Ideal for recruiters and tech managers seeking a talented iOS engineer for their team.

Top 5 Task Management Software to Boost Productivity in 2025Orangescrum

Software Engineering Process, Notation & Tools Introduction - Part 3Gaurav Sharma

Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...Safe Software

In today’s data-driven world, efficiency is key. For Cadac, a Dutch leading provider of SaaS solutions and Autodesk Platinum partner, ensuring that customers can process data on demand is crucial to delivering a seamless experience. However, with fluctuating user demand, a challenge emerged: How do we scale FME Flow to meet on-the-fly processing needs without over-investing in infrastructure? Enter Kubernetes and KEDA (Kubernetes Event-Driven Autoscaling). In this presentation, we will explore how these cutting-edge technologies helped dynamically scale FME Flow engines based on real-time demand, without wasting resources. Instead of relying on the standard Kubernetes autoscaling based on CPU and RAM metrics, which can lead to ineffective scaling, KEDA can integrate directly with the FME Flow REST API. This allowed autoscaling based on the actual number and type of jobs in the queue. Now, whenever demand spikes, Kubernetes automatically spins up additional machines tailored to the type of workload—whether it’s CPU-intensive tasks or memory-heavy processes—ensuring optimal performance and cost-efficiency. While afterwards also autoscaling to zero, to reduce costs. Join us as we dive into how this approach helped Cadac scale on demand, reduce infrastructure costs, and provide a better experience for their customers. This session will feature both a technical walkthrough and insights on the real-world impact and value this solution has delivered to their platform and client.

Essentials of Resource Planning in a DownturnOnePlan Solutions

Providing Better Biodiversity Through Better DataSafe Software

This session explores how FME is transforming data workflows at Ireland’s National Biodiversity Data Centre (NBDC) by eliminating manual data manipulation, incorporating machine learning, and enhancing overall efficiency. Attendees will gain insight into how NBDC is using FME to document and understand internal processes, make decision-making fully transparent, and shine a light on underlying code to improve clarity and reduce silent failures. The presentation will also outline NBDC’s future plans for FME, including empowering staff to access and query data independently, without relying on external consultants. It will also showcase ambitions to connect to new data sources, unlock the full potential of its valuable datasets, create living atlases, and place its valuable data directly into the hands of decision-makers across Ireland—ensuring that biodiversity is not only protected but actively enhanced.

Integrating Survey123 and R&H Data Using FMESafe Software

West Virginia Department of Transportation (WVDOT) actively engages in several field data collection initiatives using Collector and Survey 123. A critical component for effective asset management and enhanced analytical capabilities is the integration of Geographic Information System (GIS) data with Linear Referencing System (LRS) data. Currently, RouteID and Measures are not captured in Survey 123. However, we can bridge this gap through FME Flow automation. When a survey is submitted through Survey 123 for ArcGIS Portal (10.8.1), it triggers FME Flow automation. This process uses a customized workbench that interacts with a modified version of Esri's Geometry to Measure API. The result is a JSON response that includes RouteID and Measures, which are then applied to the feature service record.

Micro-Metrics Every Performance Engineer Should Validate Before Sign-OffTier1 app

When it comes to performance testing, most engineers instinctively gravitate toward the big-picture indicators—response time, memory usage, throughput. But what about the smaller, more subtle indicators that quietly shape your application’s performance and stability? we explored the hidden layer of performance diagnostics that too often gets overlooked: micro-metrics. These small but mighty data points can reveal early signs of trouble long before they manifest as outages or degradation in production. From garbage collection behavior and object creation rates to thread state transitions and blocked thread patterns, we unpacked the critical micro-metrics every performance engineer should assess before giving the green light to any release. This session went beyond the basics, offering hands-on demonstrations and JVM-level diagnostics that help identify performance blind spots traditional tests tend to miss. We showed how early detection of these subtle anomalies can drastically reduce post-deployment issues and production firefighting. Whether you're a performance testing veteran or new to JVM tuning, this session helped shift your validation strategies left—empowering you to detect and resolve risks earlier in the lifecycle.

The Future of Open Source Reporting Best Alternatives to Jaspersoft.pdfVarsha Nayak

In recent years, organizations have increasingly sought robust open source alternative to Jasper Reports as the landscape of open-source reporting tools rapidly evolves. While Jaspersoft has been a longstanding choice for generating complex business intelligence and analytics reports, factors such as licensing changes and growing demands for flexibility have prompted many businesses to explore other options. Among the most notable alternatives to Jaspersoft, Helical Insight stands out for its powerful open-source architecture, intuitive analytics, and dynamic dashboard capabilities. Designed to be both flexible and budget-friendly, Helical Insight empowers users with advanced features—such as in-memory reporting, extensive data source integration, and customizable visualizations—making it an ideal solution for organizations seeking a modern, scalable reporting platform. This article explores the future of open-source reporting and highlights why Helical Insight and other emerging tools are redefining the standards for business intelligence solutions.

Leveraging Foundation Models to Infer IntentsKeheliya Gallaba

Invited Talk at RAISE 2025: Requirements engineering for AI-powered SoftwarE Workshop co-located with ICSE, the IEEE/ACM International Conference on Software Engineering. Abstract: Foundation Models (FMs) have shown remarkable capabilities in various natural language tasks. However, their ability to accurately capture stakeholder requirements remains a significant challenge for using FMs for software development. This paper introduces a novel approach that leverages an FM-powered multi-agent system called AlignMind to address this issue. By having a cognitive architecture that enhances FMs with Theory-of-Mind capabilities, our approach considers the mental states and perspectives of software makers. This allows our solution to iteratively clarify the beliefs, desires, and intentions of stakeholders, translating these into a set of refined requirements and a corresponding actionable natural language workflow in the often-overlooked requirements refinement phase of software engineering, which is crucial after initial elicitation. Through a multifaceted evaluation covering 150 diverse use cases, we demonstrate that our approach can accurately capture the intents and requirements of stakeholders, articulating them as both specifications and a step-by-step plan of action. Our findings suggest that the potential for significant improvements in the software development process justifies these investments. Our work lays the groundwork for future innovation in building intent-first development environments, where software makers can seamlessly collaborate with AIs to create software that truly meets their needs.

How Insurance Policy Management Software Streamlines OperationsInsurance Tech Services

Rebuilding Cadabra Studio: AI as Our Core FoundationCadabra Studio

Cadabra Studio set out to reconstruct its core processes, driven entirely by AI, across all functions of its software development lifecycle. This journey resulted in remarkable efficiency improvements of 40–80% and reshaped the way teams collaborate. This presentation shares our challenges and lessons learned in becoming an AI-native firm, including overcoming internal resistance and achieving significant project delivery gains. Discover our strategic approach and transformative recommendations to integrate AI not just as a feature, but as a fundamental element of your operational structure. What changes will AI bring to your company?

Bonk coin airdrop_ Everything You Need to Know.pdfHerond Labs

Neuralink Templateeeeeeeeeeeeeeeeeeeeeeeeeealexandernoetzold

Build enterprise-ready applications using skills you already have!PhilMeredith3

Marketo & Dynamics can be Most Excellent to Each Other – The SequelBradBedford3

Plooma is a writing platform to plan, write, and shape books your wayPlooma

Top 11 Fleet Management Software Providers in 2025 (2).pdfTrackobit

Artificial Intelligence Applications Across IndustriesSandeepKS52

Automating Map Production With FME and PythonSafe Software

iOS Developer Resume 2025 | Pramod KumarPramod Kumar

Top 5 Task Management Software to Boost Productivity in 2025Orangescrum

Software Engineering Process, Notation & Tools Introduction - Part 3Gaurav Sharma

Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...Safe Software

Essentials of Resource Planning in a DownturnOnePlan Solutions

Providing Better Biodiversity Through Better DataSafe Software

Integrating Survey123 and R&H Data Using FMESafe Software

Micro-Metrics Every Performance Engineer Should Validate Before Sign-OffTier1 app

The Future of Open Source Reporting Best Alternatives to Jaspersoft.pdfVarsha Nayak

Leveraging Foundation Models to Infer IntentsKeheliya Gallaba

How Insurance Policy Management Software Streamlines OperationsInsurance Tech Services

Rebuilding Cadabra Studio: AI as Our Core FoundationCadabra Studio

Bonk coin airdrop_ Everything You Need to Know.pdfHerond Labs

Neuralink Templateeeeeeeeeeeeeeeeeeeeeeeeeealexandernoetzold

The Dev, Sec and Ops of API Security - API World

1. SECURING AN API WORLD THE DEV, SEC AND OPS OF APIS ISABELLE MAUNY CHIEF EVANGELIST & CO-FOUNDER [email protected]

2. 2 363 AVERAGE NUMBER OF APIS IN THE ENTERPRISE

3. MANY APIS, MANY DEPLOYMENTS 3 APPLICATION DEVELOPMENT APPLICATION SECURITY

4. MEET DEV SEC OPS 4

5. WHAT IS NOT DEV-SEC-OPS? 5

6. 6 A SINGLE PERSON !

7. WHAT IS DEV-SEC-OPS ? 7

8. INJECTING SECURITY AS EARLY AS POSSIBLE IN THE API LIFECYCLE 8 DeploymentTestingDevelopmentDesign SHIFTING SECURITY LEFT

9. 9 Development Security Operations Business A CHANGE IN CULTURE: TEAMS COLLABORATING…

10. 10 …USING THE RIGHT TOOLS.

11. 11

12. A DEV-SEC-OPS CYCLE FOR APIS 12From: https://jaxenter.com/exploration-devsecops-144849.html

13. 13 1 ANALYZE & PLAN

14. KNOW YOUR APIS AND THE RISK THEY BRING 14See: https://www.owasp.org/index.php/Application_Threat_Modeling

15. 15 SECURE 2

16. TREAT ALL APIS AS PUBLIC 16

17. VALIDATE AND SANITIZE DATA 17 URL validation Verb validation ✓ Reject if not valid Query params validation ✓ Min / Max / Pattern-based matching ✓ Prefer Positive Security Model Content-Type validation ✓ Don’t accept as-is! Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary

18. VALIDATE ACCESS TOKENS 18 Don’t blindly trust the incoming token contents! Validate JWT algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended) Reject None! Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims and your own claims See details Learn the best practices for keeping your JWTs secure.

19. IMPLEMENT A PROPER AUTHORIZATION MODEL 19 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? ✓ From where ? What can they do ? ✓ Principles of least priviledge ✓ Do they own the data they want to access ? OAuth scopes are often not enough ! ✓ Limited to operations access ✓ You need to deal with data access! ✓ Need more fine-grained approach (XACML/OPA- Open Policy Agent)

20. 20 VERIFY 3

21. 21 Dev QA/Testing Production Ops Code Validation Code reviews API contract validation Libraries/Components Validation API Implementation Testing API Contract Testing Negative Testing: Hack yourselves! Container Images Validation Deployment Scripts Validation Chaos Engineering SSL/TLS Configuration PenTesting

22. 22 DEFEND 4

23. 23 AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls Security As Code approach Enforce Rate Limiting Protect all APIs (Dev/QA/Prod) Deploy at the edge and/or close to APIs (microservices architecture) PROTECT ALL APIS

24. Dev/QA Immediate feedback loop Track issues found with your favorite ticketing system Production Analyze automatically all system logs Profile runtime behaviour and raise potential issues automatically 24MONITOR AND ANALYZE

25. ADOPTING DEC SEC OPS Start small and iterate ✓ Don’t try to address all issues at once! Educate and help developers ✓ Don’t throw security at them as a new responsibility ✓ Help them by including feedback in their existing development flow ✓ Add security people to development teams Don’t through too many tools in the pipeline ✓ Evaluate and choose depending on your needs 25 API Contract Audit Scan Protect

26. CONTACT US: [email protected] The API Security Company

The Dev, Sec and Ops of API Security - API World

Recommended

More Related Content

What's hot (20)

Similar to The Dev, Sec and Ops of API Security - API World (20)

Recently uploaded (20)

The Dev, Sec and Ops of API Security - API World