THREATS PROTECTION IN A DISTRIBUTED WORLD

Using 42Crunch API Firewall on Kubernetes
ISABELLE MAUNY - Field CTO (isabelle@42crunch.com)
LOOSELY COUPLED ARCHITECTURE
[Diagram: Microservice A and Microservice B, each split into Front, Process/Controller and Data tiers, every tier exposing an API; traffic flows north-south and east-west. App icon made by https://www.flaticon.com/authors/pixel-buddha]
HOW DO WE SECURE APIS?
LAYERED APPROACH TO SECURITY
✓ Hypervisor, images (VM/Docker)
✓ Intra-services communication (auth, azn, TLS)
✓ App level security (libs, code, data)
✓ OS / Network / Physical Access
COMMUNICATION LAYER SECURITY
[Diagram: the same Microservice A / Microservice B layout with its APIs, used here to show where communication-layer security applies]
WHAT DO WE ENFORCE AT COMMUNICATION LEVEL?
Can service A talk to service B?
✓ Authentication (is this really Service A?)
✓ Authorization (is it authorized to invoke Service B?)
Where is service B?
✓ Service registry
Is the communication secure?
✓ Use TLS across the board
Can service B be abused via a large number of calls from Service A?
✓ Traffic management
Protection from cascading failures
✓ If Service B is stalled, how does the rest of the system react?
If somebody can inject a rogue service into our infrastructure, will this service be able to invoke other services?
COMMUNICATION LAYER SECURITY
[Diagram: an API Gateway in front of Microservice A and Microservice B; a Service Mesh Proxy sits beside each tier (Front, Process/Controller, Data) and carries the API calls between them]
CRITICAL THINGS TO REMEMBER
Respect separation of concerns
✓ A Service Mesh is only concerned with infrastructure security!
✓ A mesh does not know about the data flowing through it
✓ A service does not know about the infrastructure setup
Think of an API Gateway as a pattern, not a product!
An API Gateway is defined as a layer which can:
✓ Expose APIs to consumers (business APIs)
✓ Compose microservices into one or multiple macro-services
✓ Enforce communication level security as described before
SO NOW…
Where do we validate that the data we are receiving is what we expect?
How do we ensure that we don't leak data or exceptions?
Where do we validate that our app tokens are the ones we expect?
Where do we authenticate/authorize access to our business services?
✓ Can Isabelle view a resource with ID 123456?
WE NEED APP LEVEL SECURITY
APPLICATION LEVEL SECURITY
API Threat Protection (API Firewall):
➡ Content validation
➡ Token validation
➡ Traffic management
➡ Payload security (encrypt/sign)
➡ Threat detection
API Access Control (API/Identity management):
➡ Access tokens management
➡ Authentication
➡ Authorization
➡ Identity management
COMMUNICATION LAYER + APP LAYER SECURITY
[Diagram: the previous layout (API Gateway, Service Mesh Proxy beside each tier of Microservice A and Microservice B) with application-layer security added at each API]
APPLICATION LEVEL SECURITY PRINCIPLES
GUIDING PRINCIPLE 1: ZERO TRUST ARCHITECTURE
GUIDING PRINCIPLE 2: ALL APIS ARE OPEN APIS
“Dance like no one is watching, encrypt like everyone is!”
Werner Vogels, Amazon CTO
GUIDING PRINCIPLE 3: SECURITY IS ADAPTED FROM RISK
WHAT IS SPECIAL ABOUT API THREAT PROTECTION?
API-BASED APPLICATIONS HAVE DIFFERENT VULNERABILITIES
API1: Broken Object Level Access Control
API2: Broken Authentication
API3: Excessive Data Exposure
API4: Lack of Resources & Rate Limiting
API5: Missing Function/Resource Level Access Control
API6: Mass Assignment
API7: Security Misconfiguration
API8: Injection
API9: Improper Assets Management
API10: Insufficient Logging & Monitoring
DEMO DEPLOYMENT SETUP
[Diagram: Kubernetes demo deployment with pixiapp and pixisecured (pixiapp and pixidb components), the apifirewall, its configuration objects (firewall-props, protection-token, guardian-certs, docker-credentials) and the 42Crunch Platform]
EQUIFAX AND MANY MORE (2017)
The Attack
✓ Remote command injection attack: the server executes commands written in OGNL (Object-Graph Navigation Language) when a Content-Type validation error is raised.
✓ Example: [payload screenshot not preserved in the extracted text]
The Breach
✓ One of the most important in history: 147 million people worldwide, very sensitive data
✓ Equifax was fined $700 million in Sept 2019
Core Issue
✓ Unpatched Apache Struts library with a remote command injection vulnerability, widely exploited for months.
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
UBER (SEPT 2019)
The Attack
✓ Account takeover of any Uber account starting from a phone number
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ First data leakage: the driver's internal UUID was exposed through an error message!
✓ Second data leakage via the getConsentScreenDetails operation: the full account information is returned, when only a few fields are used by the UI. This includes the mobile token used to log in to the account.
https://appsecure.security/blog/how-i-could-have-hacked-your-uber-account
HARBOR REGISTRY (SEPT 2019)
The Attack
✓ Privilege escalation: become registry administrator
The Breach
✓ Potentially 1300+ registries with default security settings
Core Issue
✓ Mass Assignment vulnerability allows any normal user to become an admin
POST /api/users
{"username":"test","email":"test123@gmail.com","realname":"noname","password":"Password1\u0021","comment":null,"has_admin_role":true}
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
FACEBOOK (FEB 2018)
The Attack
✓ Account takeover via password reset at https://www.facebook.com/login/identify?ctx=recover&lwv=110
✓ facebook.com has rate limiting, beta.facebook.com does not!
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ Rate limiting missing on beta APIs, which allows brute force guessing of the password reset code
✓ Misconfigured security on beta endpoints
https://appsecure.security/blog/we-figured-out-a-way-to-hack-any-of-facebook-s-2-billion-accounts-and-they-paid-us-a-15-000-bounty-for-it
PROTECTING APIS AGAINST THREATS REQUIRES A NEW APPROACH!
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
POSITIVE SECURITY MODEL FOR APIS
OPENAPI INITIATIVE
OpenAPI Specification (formerly Swagger Specification) is an API description format for REST APIs. An OpenAPI file allows you to describe your entire API, including: available endpoints (/users) and operations on each endpoint (GET /users, POST /users).
• Web Application Security is painful because security is not handled from the beginning
• Developers have had no standard way to define how the web application is built and designed
• After 20 years of R&D, detection and protection tools have to use AI to understand how the Web Application works...
=> Now we have a worldwide accepted and used API standard: the OpenAPI Specification
=> We build a whitelist based on OAS
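Added example (my own code, not 42Crunch's firewall or the Pixi demo) of the whitelist idea above: a constructed OpenAPI contract for a hypothetical POST /api/users is the allow-list, so an undeclared request property is rejected (the Harbor mass-assignment pattern) and undeclared response fields are stripped (the Uber data-exposure pattern). Only the schema keywords type, properties, required and additionalProperties are handled; all paths, field names and values are constructed.

```python
import json

# Constructed, minimal OpenAPI 3 document for a hypothetical POST /api/users.
# Only the parts the checks below need are present.
OPENAPI = {"paths": {"/api/users": {"post": {
    "requestBody": {"content": {"application/json": {"schema": {
        "type": "object",
        "additionalProperties": False,  # the allow-list switch
        "required": ["username", "email", "password"],
        "properties": {
            "username": {"type": "string"},
            "email": {"type": "string"},
            "realname": {"type": "string"},
            "password": {"type": "string"},
            "comment": {"type": ["string", "null"]},
        }}}}},
    "responses": {"201": {"content": {"application/json": {"schema": {
        "type": "object",
        "additionalProperties": False,
        "properties": {
            "user_id": {"type": "integer"},
            "username": {"type": "string"},
        }}}}}},
}}}}

# JSON Schema type names mapped to the Python types json.loads produces.
_TYPES = {"string": str, "integer": int, "number": (int, float),
          "boolean": bool, "object": dict, "array": list, "null": type(None)}


def _type_ok(value, expected):
    """True when value matches one of the JSON Schema type(s) in expected."""
    for t in expected if isinstance(expected, list) else [expected]:
        # bool is a subclass of int in Python; keep integer/number strict.
        if t in ("integer", "number") and isinstance(value, bool):
            continue
        if isinstance(value, _TYPES[t]):
            return True
    return False


def validate(instance, schema, path="$"):
    """Return a list of violations; an empty list means instance conforms."""
    if "type" in schema and not _type_ok(instance, schema["type"]):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}.{name}: required property missing")
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                # Undeclared property: this is what blocks mass assignment.
                errors.append(f"{path}.{name}: property not in contract")
    return errors


def _schema(path, method, kind, status=None):
    op = OPENAPI["paths"][path][method]
    node = op["requestBody"] if kind == "request" else op["responses"][status]
    return node["content"]["application/json"]["schema"]


def check_request(path, method, body):
    """Inbound check: (allowed, reasons). Anything outside the contract is denied."""
    errors = validate(json.loads(body), _schema(path, method, "request"))
    return (not errors, errors)


def filter_response(path, method, status, body):
    """Outbound check: (allowed, filtered_body, dropped_fields).
    Undeclared fields are dropped before the response leaves; a declared
    field of the wrong type blocks the whole response."""
    schema = _schema(path, method, "response", status)
    data = json.loads(body)
    declared = schema.get("properties", {})
    kept = {k: v for k, v in data.items() if k in declared}
    dropped = [k for k in data if k not in declared]
    errors = validate(kept, schema)
    return (not errors, kept if not errors else None, dropped)


if __name__ == "__main__":
    # Constructed request modelled on the Harbor case: an undeclared
    # has_admin_role property riding along with an ordinary registration.
    ok, why = check_request("/api/users", "post", json.dumps({
        "username": "test", "email": "test@example.com", "realname": "noname",
        "password": "Password1!", "comment": None, "has_admin_role": True}))
    print("request allowed:", ok, why)
    # Constructed response modelled on the Uber case: the backend returns
    # more than the UI needs, including a login token.
    ok, kept, dropped = filter_response("/api/users", "post", "201", json.dumps({
        "user_id": 42, "username": "test", "mobile_token": "CONSTRUCTED-TOKEN"}))
    print("response allowed:", ok, "kept:", kept, "dropped:", dropped)
```

The dropped-field list is what you would log: a backend that keeps handing the firewall fields the contract never declared is the Uber-style leak waiting to happen.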
API DEVSECOPS: SHIFT-LEFT AND AUTOMATE
API security becomes fully part of the API lifecycle

Key Benefits
• Security can now be applied automatically and at scale
• Vulnerable APIs are detected early
• APIs are automatically protected as soon as the contract is defined
ZERO-TRUST ARCHITECTURE FOR MICROSERVICES
Low footprint, ultra-low latency runtime that can be deployed in Kubernetes

The API micro-firewall can be deployed as:
• Sidecar proxy for defense in depth
• Reverse proxy (Gateway) for edge protection
Key Benefits
• Enables zero trust architecture: microservices must not trust the environment
• Platform agnostic: any cloud, hybrid or on-premises
• Deployment agnostic: monolithic, microservices, and service-mesh
• Supports multi-cloud, multi-geo zone deployments
RESOURCES
• 42Crunch Website
• Free OAS Security Audit
• OpenAPI VS Code Extension
• OpenAPI Spec Encyclopedia
• OWASP API Security Top 10
• APIsecurity.io
• Security Strategies for Microservices Apps
• API Security Pentesting
Agentic AI: Beyond the Buzz- LangGraph Studio V2
Shashikant Jagtap
 
Ad

Protecting Microservices APIs with 42Crunch API Firewall

  • 9. SO NOW…
    Where do we validate that the data we receive is what we expect?
    How do we ensure that we do not leak data or exceptions?
    Where do we validate that our application tokens are the ones we expect?
    Where do we authenticate and authorize access to our business services?
    ✓ Can Isabelle view the resource with ID 123456?
    WE NEED APP LEVEL SECURITY
  • 10. APPLICATION LEVEL SECURITY
    API Threat Protection (API Firewall): ➡ Content validation ➡ Token validation ➡ Traffic management ➡ Payload security (encrypt/sign) ➡ Threat detection
    API Access Control (API/Identity management): ➡ Access token management ➡ Authentication ➡ Authorization ➡ Identity management
  • 11. COMMUNICATION LAYER + APP LAYER SECURITY
    (diagram: API GW and service mesh proxies in front of Microservice A and Microservice B, each with Front, Process/Controller and Data components and their APIs)
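The questions on slide 9 (who may see object 123456, and how do we avoid leaking data or exceptions) are application-level checks that no mesh or gateway can answer for us. The following is an added example, not code from the deck or from 42Crunch: a `GET /users/{id}` handler in its vulnerable and hardened forms. The user store, the `Principal` model, the field names and the 404-instead-of-403 choice are assumptions made for this example.

```python
"""Added example, not code from the deck or from 42Crunch: object-level
authorization plus leak-free responses for a 'GET /users/{id}' operation.
The user store, principal model and field names are assumptions made for
this example."""
from dataclasses import dataclass
import logging
import uuid

log = logging.getLogger("api")

# Constructed sample records. internal_uuid and mobile_token must never
# reach a client.
USERS = {
    "123456": {"id": "123456", "name": "Isabelle", "email": "isabelle@example.com",
               "internal_uuid": "2c7e0e0a-3b5c-4d19-9f0e-7a1b2c3d4e5f",
               "mobile_token": "mt-secret-123456"},
    "654321": {"id": "654321", "name": "Bob", "email": "bob@example.com",
               "internal_uuid": "9a1f4c2b-7d3e-4a6f-8b0c-1d2e3f4a5b6c",
               "mobile_token": "mt-secret-654321"},
}

# The fields the API contract declares in the 200 response schema.
PUBLIC_FIELDS = ("id", "name", "email")


@dataclass(frozen=True)
class Principal:
    subject: str          # user id carried by the validated access token
    roles: frozenset


@dataclass
class Response:
    status: int
    body: dict


def get_user_vulnerable(principal, user_id):
    """Anti-pattern: the caller is authenticated but never checked against the
    object it asks for, the raw record (with mobile_token) is returned, and the
    exception text is echoed to the client."""
    try:
        return Response(200, USERS[user_id])
    except Exception as exc:          # KeyError('000') ends up in the response
        return Response(500, {"error": repr(exc)})


def get_user(principal, user_id):
    """Hardened handler: object-level authorization first, then a response
    restricted to the declared fields."""
    # Can this principal view *this* object? Owner or admin only.
    if principal.subject != user_id and "admin" not in principal.roles:
        # Same answer as a missing record, so IDs cannot be enumerated.
        return Response(404, {"error": "not found"})
    record = USERS.get(user_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, {k: record[k] for k in PUBLIC_FIELDS})


def handle(handler, principal, user_id):
    """Outermost layer: unexpected exceptions become an opaque error with a
    correlation id; the stack trace goes to the server log only."""
    try:
        return handler(principal, user_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s user_id=%s", ref, user_id)
        return Response(500, {"error": "internal error", "ref": ref})
```

The ownership check runs before the lookup, and the response is built from an allowlist of declared fields rather than by deleting sensitive ones, so a new column added to the store later does not leak by default. The correlation id in the opaque error lets support find the server-side trace without exposing it.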
  • 14. GUIDING PRINCIPLE 2: ALL APIS ARE OPEN APIS
    "Dance like no one is watching, encrypt like everyone is!" Werner Vogels, Amazon CTO
  • 15. GUIDING PRINCIPLE 3: SECURITY IS ADAPTED TO RISK
  • 16. WHAT IS SPECIAL ABOUT API THREAT PROTECTION?
  • 17. API-BASED APPLICATIONS HAVE DIFFERENT VULNERABILITIES (OWASP API Security Top 10)
    API1: Broken Object Level Access Control
    API2: Broken Authentication
    API3: Excessive Data Exposure
    API4: Lack of Resources & Rate Limiting
    API5: Missing Function/Resource Level Access Control
    API6: Mass Assignment
    API7: Security Misconfiguration
    API8: Injection
    API9: Improper Assets Management
    API10: Insufficient Logging & Monitoring
  • 18. DEMO DEPLOYMENT SETUP
    (diagram: components shown are pixisecured, pixiapp, pixidb, apifirewall and the 42Crunch Platform, with the 42Crunch configuration objects firewall-props, protection-token, guardian-certs and docker-credentials)
  • 19. EQUIFAX AND MANY MORE (2017)
    The Attack
    ✓ Remote code execution: the server evaluates OGNL expressions supplied in the Content-Type header when the multipart parser raises a validation error for that header (Apache Struts, CVE-2017-5638).
    ✓ Example: (payload shown on slide)
    The Breach
    ✓ One of the largest in history: 147 million people, very sensitive data
    ✓ Equifax agreed in July 2019 to a settlement of up to $700 million with US regulators
    Core Issue
    ✓ Unpatched Apache Struts library with a remote code execution vulnerability that was widely exploited for months
    https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
  • 20. UBER (SEPT 2019)
    The Attack
    ✓ Account takeover of any Uber account, starting from a phone number
    The Breach
    ✓ None. This was a bug bounty.
    Core Issues
    ✓ First data leakage: the driver's internal UUID was exposed through an error message!
    ✓ Second data leakage via the getConsentScreenDetails operation: the full account record is returned when the UI uses only a few fields. This includes the mobile token used to log in to the account.
    https://appsecure.security/blog/how-i-could-have-hacked-your-uber-account
  • 21. HARBOR REGISTRY (SEPT 2019)
    The Attack
    ✓ Privilege escalation: become registry administrator
    The Breach
    ✓ Potentially 1300+ registries exposed with default security settings
    Core Issue
    ✓ Mass assignment: any normal user can make themselves an admin by adding a field the registration form never sends
    POST /api/users
    {"username":"test","email":"[email protected]","realname":"noname","password":"Password1\u0021","comment":null,"has_admin_role":true}
    https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
  • 22. FACEBOOK (FEB 2018)
    The Attack
    ✓ Account takeover via password reset at https://www.facebook.com/login/identify?ctx=recover&lwv=110
    ✓ facebook.com has rate limiting, beta.facebook.com does not!
    The Breach
    ✓ None. This was a bug bounty.
    Core Issues
    ✓ Rate limiting missing on the beta APIs, which allows brute-force guessing of the password reset code
    ✓ Misconfigured security on beta endpoints
    https://appsecure.security/blog/we-figured-out-a-way-to-hack-any-of-facebook-s-2-billion-accounts-and-they-paid-us-a-15-000-bounty-for-it
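The Facebook case is a pure API4 problem: a six-digit reset code is only as strong as the number of guesses the server accepts. The following is an added example, not Facebook's or 42Crunch's code, of the two controls that were missing on the beta endpoint: a per-code attempt cap and a sliding-window limit per client address. The limits (5 attempts per code, 10 requests per minute per address), the account names and the codes are assumptions made for this example; `UnlimitedVerifier` reproduces the unprotected beta behaviour for comparison.

```python
"""Added example, not Facebook's or 42Crunch's code: rate limiting and an
attempt cap on a password-reset code check. Limits, accounts and codes are
assumptions made for this example."""
import hmac
import time
from collections import defaultdict, deque


class ResetCodeVerifier:
    max_attempts = 5        # guesses one reset code survives before it is void
    ip_limit = 10           # requests per window from one client address
    ip_window = 60.0        # seconds

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.codes = {}                    # account -> {"code": str, "failures": int}
        self.ip_hits = defaultdict(deque)  # client address -> recent request times

    def issue(self, account, code):
        self.codes[account] = {"code": code, "failures": 0}

    def _ip_allowed(self, ip):
        """Sliding window over the last ip_window seconds for this address."""
        now = self.clock()
        hits = self.ip_hits[ip]
        while hits and now - hits[0] > self.ip_window:
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return False
        hits.append(now)
        return True

    def verify(self, account, ip, guess):
        """Returns 'ok', 'invalid', 'throttled' or 'locked'."""
        if not self._ip_allowed(ip):
            return "throttled"              # counted before any account lookup
        entry = self.codes.get(account)
        if entry is None:
            return "invalid"                # same answer as a wrong code: no enumeration
        if entry["failures"] >= self.max_attempts:
            return "locked"                 # even the right code no longer works
        if hmac.compare_digest(entry["code"], guess):
            del self.codes[account]         # single use
            return "ok"
        entry["failures"] += 1
        return "locked" if entry["failures"] >= self.max_attempts else "invalid"


class UnlimitedVerifier(ResetCodeVerifier):
    """The beta-endpoint situation: same code check, no limits at all."""
    max_attempts = float("inf")
    ip_limit = float("inf")


def brute_force(verifier, account, attacker_ips, digits=6, max_requests=100_000):
    """Attacker cycles through every code, spreading requests over several
    addresses. Returns (guesses the server actually evaluated, cracked?)."""
    evaluated = 0
    for n in range(min(10 ** digits, max_requests)):
        ip = attacker_ips[n % len(attacker_ips)]
        result = verifier.verify(account, ip, f"{n:0{digits}d}")
        if result == "throttled":
            continue                        # rejected before the code was checked
        evaluated += 1
        if result == "ok":
            return evaluated, True
        if result == "locked":
            return evaluated, False
    return evaluated, False
```

The per-code cap is the control that actually defeats the attack: with a million possible codes and five guesses per code, spreading requests over many addresses (which defeats the per-address window alone) buys the attacker nothing. The per-address window still matters, because it also covers attempts spread across many accounts from one source.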
  • 24. © COPYRIGHT 42CRUNCH | CONFIDENTIAL
    POSITIVE SECURITY MODEL FOR APIS
    OpenAPI Initiative: the OpenAPI Specification (formerly Swagger Specification) is an API description format for REST APIs. An OpenAPI file allows you to describe your entire API, including: available endpoints (/users) and operations on each endpoint (GET /users, POST /users)
    • Web application security is painful because security is not handled from the beginning
    • Developers have no standard way to declare how the web application is built and designed
    • After 20 years of R&D, detection and protection tools still have to use AI to guess how the web application works...
    => Now we have a worldwide accepted and used API standard: the OpenAPI Specification
    => We build a whitelist based on the OAS
  • 25. API DEVSECOPS: SHIFT LEFT AND AUTOMATE
    API security becomes fully part of the API lifecycle
    Key Benefits
    • Security can now be applied automatically and at scale
    • Vulnerable APIs are detected early
    • APIs are automatically protected as soon as the contract is defined
  • 26. ZERO-TRUST ARCHITECTURE FOR MICROSERVICES
    Low-footprint, ultra-low-latency runtime that can be deployed in Kubernetes
    The API micro-firewall can be deployed as:
    • Sidecar proxy for defense in depth
    • Reverse proxy (gateway) for edge protection
    Key Benefits
    • Enables a zero-trust architecture: microservices must not trust their environment
    • Platform agnostic: any cloud, hybrid or on-premises
    • Deployment agnostic: monolithic, microservices and service mesh
    • Supports multi-cloud, multi-geo-zone deployments
  • 27. RESOURCES
    • 42Crunch Website
    • Free OAS Security Audit
    • OpenAPI VS Code Extension
    • OpenAPI Spec Encyclopedia
    • OWASP API Security Top 10
    • APIsecurity.io
    • Security Strategies for Microservices Apps
    • API Security Pentesting