SOLVING API SECURITY AT SCALE.
• WORLD’S TRAVEL SEARCH ENGINE
• FOUNDED 2003
• ACQUIRED BY CTRIP 2016
• OVER 1200 EMPLOYEES WORLDWIDE
• 10+ GLOBAL OFFICES
• OVER 90M ACTIVE MONTHLY USERS
• OVER 1200 GLOBAL PARTNERS
• ENGINEERING (700+) SQUADIFICATION
• 10 000+ CHANGES TO PRODUCTION DAILY
• 1000+ DISTINCT SERVICES
• 500+ A/B TESTS DAILY
• 16 000+ PODS ACROSS K8S CLUSTERS
• FAIL FAST / FAIL FORWARD
• YOU BUILD IT, YOU RUN IT
• BOYD’S LAW OF ITERATION
• SECURITY TRIBE
• ENGINEERING DISCIPLINE
• FOUR (4) SECURITY SQUADS
• 20+ SECURITY ENGINEERS
• 40+ SECURITY CHAMPIONS
• WE TRUST BUT VERIFY AND EDUCATE
• AUTOMATE OR DIE TRYING
“The time when a single person or team can be responsible for an organization's security is long over ...”
Laura Bell, CEO SafeStack
Checkmarx meetup API Security -  Solving security at scale - Ante Gulam
REUSABLE COMPONENTS, CD AND ORCHESTRATION
KEY DISCIPLINE CHALLENGES
• CONTINUOUS VISIBILITY
• STANDARDISATION
• SDFS
• OPENAPI, SWAGGER, PROTOBUF …
• OPEN
• PIPELINE SECURITY DATA CONSOLIDATION
• ATTACK SURFACE MONITORING
• REMEDIATION ASSURANCE
• FRICTIONLESS
TOP API THREATS
• BUSINESS LOGIC
• BAD BOTS
• LOW HANGING FRUIT
• SDFS
• DoS, CREDENTIAL STUFFING, BRUTE FORCE ATTACKS …
• OPEN
• BROKEN ACCESS CONTROL
• AUTHENTICATION
• SENSITIVE DATA EXPOSURE
• INJECTIONS
• PARAMETER TAMPERING
K8s and Istio
• mTLS for all API traffic
  • Kubelet to API server and everything etcd
  • Node – Master – User
• API authentication & authorization
  • Restrict R/W access to the etcd backend
  • Static bearer token, RBAC
  • x509 auto-generated certificates
• Separate namespaces with limited roles
• Network and Pod security policies
  • Pod authorization
  • Network policy to the cluster
BOTS & RATE LIMITING
• Web and mobile are easy
  • Sensors through JS and SDKs
• API Gateways FTW
  • Caching, quotas and throttling
• Authenticity of the device
  • Device behaviours + network activity
• Profiling API requests
  • Relies on behavioural analysis
INJECTIONS
• Inline protection (WAF)
• Runtime protection (RASP)
  • Rules based on business logic
• Filter Input, Escape Output (FIEO)
• Dependency security assurance automation
• Method filtering
  • 405 Method Not Allowed
• Content-type validation
  • Content negotiation + data acceptance
• SAST + dependencies
  • Analyse the data flows
• DAST pipeline support
  • Fuzzing API endpoints (integration)
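The method filtering, content-type validation and FIEO items on the INJECTIONS slide, as one request gate. This is an added example, not code from the deck or from Skyscanner; the routes, the booking schema and the field limits are constructed for the demo.

```python
import html
import json
from typing import Any, Dict, Optional, Tuple

# Constructed route table: method allowlist and the one accepted content type per path.
ROUTES = {
    "/v1/search": {"methods": {"GET"}, "content_type": None},
    "/v1/bookings": {"methods": {"POST"}, "content_type": "application/json"},
}

# Constructed body schema for POST /v1/bookings: field -> (type, max string length).
BOOKING_SCHEMA = {
    "flight_id": (str, 32),
    "passengers": (int, None),
}


def gate_request(method: str, path: str, headers: Dict[str, str], body: bytes) -> Tuple[int, Dict[str, str], Any]:
    """Return (status, response_headers, parsed_body). Runs before any handler."""
    route = ROUTES.get(path)
    if route is None:
        return 404, {}, None
    # Method filtering: anything not explicitly allowed gets 405 plus an Allow header.
    if method.upper() not in route["methods"]:
        return 405, {"Allow": ", ".join(sorted(route["methods"]))}, None
    expected = route["content_type"]
    if expected is None:
        return 200, {}, None
    # Content-type validation: the media type must match exactly; parameters such as charset are ignored.
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if declared != expected:
        return 415, {"Accept": expected}, None
    # Data acceptance: strict JSON, UTF-8 only, top level must be an object.
    try:
        parsed = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {}, None
    if not isinstance(parsed, dict):
        return 400, {}, None
    return 200, {}, parsed


def validate_body(parsed: Dict[str, Any], schema: Dict[str, tuple]) -> Optional[Dict[str, Any]]:
    """Filter input by allowlist: unknown or missing keys, wrong types or oversize strings reject the body."""
    if set(parsed) != set(schema):
        return None
    clean = {}
    for key, (typ, max_len) in schema.items():
        value = parsed[key]
        # bool is a subclass of int in Python; do not let True pass as a passenger count.
        if not isinstance(value, typ) or isinstance(value, bool):
            return None
        if typ is str and max_len is not None and len(value) > max_len:
            return None
        clean[key] = value
    return clean


def render_error(field: str, message: str) -> str:
    """Escape output: anything reflected into an HTML context is entity-encoded."""
    return f"<p>{html.escape(field)}: {html.escape(message)}</p>"
```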
BROKEN ACCESS CONTROL
• Authorization frameworks
  • OAuth, OIDC specification
• Randomize IDs (UUID)
  • Store them in the session object
• Deny all access by default
  • RBAC model usually works
• Shift it left and assess offensively
  • Design reviews & threat modelling
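The "randomize IDs and store them in the session" and "deny all access by default" items on the BROKEN ACCESS CONTROL slide, worked through together. This is an added example, not code from the deck; the role table, the booking actions and the ownership map are constructed.

```python
import uuid
from typing import Dict, Optional, Set

# Constructed RBAC table: role -> permissions. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "traveller": {"booking:read", "booking:cancel"},
    "support": {"booking:read"},
    "admin": {"booking:read", "booking:cancel", "booking:refund"},
}

# Roles allowed to act on bookings they do not own (constructed policy).
CROSS_USER_ROLES = {"support", "admin"}


class Session:
    """Per-user session holding an opaque UUID for every object the user was shown."""

    def __init__(self, user_id: str, roles: Set[str]):
        self.user_id = user_id
        self.roles = roles
        self._refs: Dict[str, int] = {}   # public uuid -> internal id
        self._ids: Dict[int, str] = {}    # internal id -> public uuid

    def reference(self, internal_id: int) -> str:
        """Hand the client a random UUID instead of the sequential database id."""
        if internal_id not in self._ids:
            public = str(uuid.uuid4())
            self._refs[public] = internal_id
            self._ids[internal_id] = public
        return self._ids[internal_id]

    def resolve(self, public_ref: str) -> Optional[int]:
        """Only references issued to this session resolve; a guessed or foreign UUID yields None."""
        return self._refs.get(public_ref)


def has_permission(session: Session, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in session.roles)


def authorize(session: Session, action: str, public_ref: str, owners: Dict[int, str]) -> bool:
    """Deny by default. The role must grant the action, the reference must have been issued to
    this session, and the object must belong to the user unless the role may act across users.
    `owners` maps internal booking id -> owning user id."""
    if not has_permission(session, f"booking:{action}"):
        return False
    internal_id = session.resolve(public_ref)
    if internal_id is None or internal_id not in owners:
        return False
    if owners[internal_id] != session.user_id and not (session.roles & CROSS_USER_ROLES):
        return False
    return True
```

Because the UUID is minted per session, a client that changes the reference in the URL gets a lookup miss rather than another user's record, and the RBAC check still applies even to references that do resolve.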
AUTHENTICATION
• Internal vs. external API endpoints
  • Always assume the worst-case scenario
  • Zero-trust networks
• Standardise and shift it left
  • Avoid re-inventing the wheel
• Short-lived access tokens
  • Standard auth and token generation
  • Avoid basic auth (JWT, OAuth)
• Additional auth controls
  • Stricter rate-limiting
  • Lockout policies
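The "stricter rate-limiting" and "lockout policies" items on the AUTHENTICATION slide, together with "quotas and throttling" from the BOTS & RATE LIMITING slide, as one login path. This is an added example, not code from the deck; the limits, window lengths and the `attempt_login` decision codes are constructed, and the clock is injected so the behaviour is reproducible.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class SlidingWindowLimiter:
    """Throttle: at most `limit` requests per `window` seconds per client key (an IP, an API key)."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class LockoutPolicy:
    """Lock an account after `max_failures` failed authentications within `window` seconds.
    The lock lasts `lock_for` seconds; a successful login clears the failure history."""

    def __init__(self, max_failures: int, window: float, lock_for: float):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._failures.pop(account, None)
            return
        failures = self._failures[account]
        failures.append(now)
        while failures and now - failures[0] >= self.window:
            failures.popleft()
        if len(failures) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            failures.clear()


def attempt_login(limiter: SlidingWindowLimiter, policy: LockoutPolicy,
                  client_ip: str, account: str, password_ok: bool, now: float) -> str:
    """Order matters: throttle the source first, then honour the account lock, then check the
    credential. Returns an internal decision code for logging; the HTTP layer should answer the
    client uniformly so the lock state itself does not become an oracle."""
    if not limiter.allow(client_ip, now):
        return "throttled"
    if policy.is_locked(account, now):
        return "locked"
    policy.record(account, password_ok, now)
    return "ok" if password_ok else "failed"
```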
SENSITIVE DATA EXPOSURE
• Maintenance of API inventory
  • Especially externally exposed ones
• Minimization of API responses
  • MVR (Minimum Viable Response)
  • Clearly defined schemas (+ errors)
  • Removal/tokenization of sensitive data
• HSTS policy enforcement
  • Prevent SSL stripping
• Enforced response checks
  • Prevent accidental leaks
• Data management top-down
  • Identify all the sensitive data
  • Data classification
  • PII/PD justification
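The "Minimum Viable Response", "removal/tokenization of sensitive data" and "enforced response checks" items on the SENSITIVE DATA EXPOSURE slide, as a response layer that serialises by allowlist and refuses to send a body that still carries sensitive data. This is an added example, not code from the deck; the response schema, the leak patterns and the sample database row are constructed and deliberately not exhaustive.

```python
import re
from typing import Any, Dict, List

# Constructed response schema for GET /v1/bookings/{ref}: only these fields may leave the service.
BOOKING_RESPONSE_SCHEMA: Dict[str, type] = {
    "booking_ref": str,
    "status": str,
    "passenger_name": str,
    "card_last4": str,
}

# Constructed patterns that should never appear in a response body.
LEAK_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "internal_host": re.compile(r"\b[\w-]+\.internal\b"),
    "stack_trace": re.compile(r"Traceback \(most recent call last\)"),
}


def minimize(record: Dict[str, Any], schema: Dict[str, type]) -> Dict[str, Any]:
    """Minimum Viable Response: copy only schema fields of the declared type, never the raw row."""
    return {f: record[f] for f, t in schema.items() if f in record and isinstance(record[f], t)}


def tokenize_card(pan: str) -> str:
    """Replace a full card number with a last-4 token before it reaches the response layer."""
    digits = re.sub(r"\D", "", pan)
    return digits[-4:] if len(digits) >= 4 else ""


def find_leaks(body: Any) -> List[str]:
    """Enforced response check: scan every string value, including nested dicts and lists,
    and return the names of the patterns that matched."""
    hits: List[str] = []

    def walk(value: Any) -> None:
        if isinstance(value, dict):
            for v in value.values():
                walk(v)
        elif isinstance(value, list):
            for v in value:
                walk(v)
        elif isinstance(value, str):
            for name, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    hits.append(name)

    walk(body)
    return sorted(set(hits))


def build_response(record: Dict[str, Any]) -> Dict[str, Any]:
    """Minimize first, then block the response if sensitive data is still present."""
    body = minimize(record, BOOKING_RESPONSE_SCHEMA)
    leaks = find_leaks(body)
    if leaks:
        # Fail closed: better a 500 with a clean error body than an accidental leak.
        raise ValueError(f"response blocked, sensitive data present: {leaks}")
    return body
```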
PARAMETER TAMPERING
• Validation of parameters received
  • XSS, FI, path disclosure
• API signing
  • Hash-based MAC
• Avoiding dependence on the client side
• Fuzzing helps (a lot!)
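The "API signing / hash-based MAC" item on the PARAMETER TAMPERING slide, with both the client and server sides. This is an added example, not code from the deck; the header names, the key id, the shared secret and the 300-second skew window are constructed.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed shared secret per API key id; in practice this comes from a secrets store.
API_SECRETS = {"key-demo": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, params: Dict[str, str], timestamp: int, body: bytes) -> str:
    """Bind every tamperable part of the request into one string: method, path,
    sorted query parameters, timestamp and a hash of the body."""
    query = urlencode(sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), body_hash])


def _mac(secret: bytes, canonical: str) -> str:
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(key_id: str, method: str, path: str, params: Dict[str, str],
                 body: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    timestamp = int(time.time()) if now is None else now
    mac = _mac(API_SECRETS[key_id], canonical_string(method, path, params, timestamp, body))
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(headers: Dict[str, str], method: str, path: str, params: Dict[str, str],
                   body: bytes, now: Optional[int] = None) -> bool:
    """Server side: recompute the MAC from what was actually received and compare in constant time.
    The timestamp window bounds replay; full replay protection also needs a nonce store."""
    secret = API_SECRETS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = _mac(secret, canonical_string(method, path, params, timestamp, body))
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

Because the price, the body and the path are all inside the MAC, a client that edits any of them after signing fails verification, which is the point of not trusting client-supplied values.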
BUSINESS LOGIC
• Legitimate workflows gone wrong
  • Unintended behaviours
  • Depends solely on the nature of the workflow
• Left vs. lefter
  • Trust but verify
  • Initial-stage engagement (design/model)
• No automation can help
  • Pipeline tooling
  • Reactive scanning
  • External offensive assessments
KEY OBJECTIVES
• PROTECT THE API ENDPOINTS FROM THREATS
• GAMIFICATION
• ENSURE LONG-TERM IMPROVEMENTS
• REAL-TIME FEEDBACK LOOP
• TARGETED APPROACH CAPABILITIES
• SHIFT SDLC SECURITY TO THE LEFT
• MAKE IT EXPENSIVE FOR AN ATTACKER
• OPEN
“95% of all successful cyber-attacks are caused by human error”
SECURE DEVELOPMENT LIFECYCLE
Design
Code
Dependencies
Containers
Amazon Web Services
Skyscanner service
HERMES
Real-time feedback loop capabilities
AUTOMATING THE SECURITY LIFECYCLE
Closing the real-time feedback loop
JOURNEY SUMMARY
• Nail the basics of API security
  • and of your tech stack
• Automate the boring stuff
  • Real-time visibility and feedback loop
  • It becomes a competition
• Enable value-stream mapping
  • The ‘why’ behind it
• Targeted continuous improvement
  • Who needs what and when
• Move into action
  • Team effectiveness integration (EngHealth)
  • Pipeline control
“Culture eats strategy for breakfast”
Peter Drucker
THANK YOU.
