The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect. Downside: The more APIs, the higher the security risk! API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs. Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language. In this presentation you will learn: Security risks at each stage of the API lifecycle, and how to mitigate them. How to implement an end-to-end automated API security model that development, security and operations teams will love. How to think positive! Why a positive security model works.

1. SECURING AN API WORLD
THE DEV, SEC AND OPS
OF APIS
ISABELLE MAUNY
CHIEF EVANGELIST & CO-FOUNDER
ISABELLE@42CRUNCH.COM

2. 2
➔ Chief Evangelist and co-founder @42Crunch
➔ 42Crunch is the company behind apisecurity.io
➔ Working with APIs since 2005!
➔ Most career at IBM
➔ French native, in Spain since 2003
isabelle@42crunch.com
@isamauny

3. 3
400+
AVERAGE NUMBER OF APIS IN THE ENTERPRISE

4. MANY APIS, MANY DEPLOYMENTS
4
APPLICATION
DEVELOPMENT
APPLICATION
SECURITY

5. API SECURITY CHALLENGES
API Security is considered
too late
✓ Security teams can’t do their job
properly
API Security is hard
✓ Complex standards, limited skills
Applying API Security at
scale
✓ How do we cope with dozens of
deployment per week, with hundreds
of APIs to deploy ?
Detecting vulnerabilities
early
Measuring the efficiency of
our security measures
5

6. MEET
DEV SEC OPS
6
“DevSecOps is the philosophy of integrating security
practices within the DevOps process.
DevSecOps involves creating a 'Security as Code'
culture with ongoing, flexible collaboration between
release engineers and security teams.”

7. INJECTING SECURITY AS EARLY
AS POSSIBLE IN THE API LIFECYCLE
7
DeploymentTestingDevelopmentDesign
SHIFTING SECURITY LEFT

8. 8
Development
Security
Operations
Business
A CHANGE IN CULTURE: PEOPLE COLLABORATING…

9. 9
…FOLLOWING ESTABLISHED PROCESSES…

10. 10
…AND USING THE RIGHT TOOLS.

11. KEY BENEFITS
Everyone is responsible for security, everyone has a role to play
✓ No more “throwing over the fence” approach
Vulnerabilities found early take up to 30x less effort to solve
Secure by design principles
✓ Automated reviews
✓ Automated security testing
Security becomes transparent, thanks to security as code
Developers iteratively learn about best practices
Security is continuously improved 11

12. A DEV-SEC-OPS CYCLE FOR APIS
12From: https://jaxenter.com/exploration-devsecops-144849.html

13. 13
1 ANALYZE
What do we need to secure ?

14. KNOW YOUR APIS AND
THE RISK THEY BRING
14See: https://www.owasp.org/index.php/Application_Threat_Modeling

15. 15
SECURE
2
Establish the rules

16. CORE API SECURITY RULES
All APIs request/response data must
be validated
All access tokens must be validated
Proper authentication in place,
adapted to risk
Rate Limiting for all operations
Fine-grained authorization for data
access
Authenticate Apps
Managed secrets: no hardcoded/
readable APIKeys, passwords, tokens
in code or deployment scripts
Security headers must be used
No libraries with known vulnerabilities
All transactions are logged
All APIs are known and governed
16
Can we extended from “How to Prevent” section from OWASP Top 10 for APIs

17. 17
VERIFY
3
Ensure we comply with the rules!

18. 18
Dev QA/Testing Production/Ops
Code Analysis (SAST)
Code reviews (manual)
API contract analysis (SAST)
Software Component Analysis
API Implementation Testing (DAST)
API Contract Testing (DAST)
Negative Testing: Hack yourselves!
Container Images Analysis
Deployment Scripts Analysis
SSL/TLS Configuration
Kubernetes Configuration
Perf testing
Pen Testing (manual)

19. RULE OF THUMB FOR TOOLS
Fit in “developer flow”
✓ IDEs Integration
Can be automated
✓ Plugins for CI/CD pipelines
✓ API driven
Can integrate with
ecosystem
✓ Logging
✓ Monitoring
✓ SIEM
19

20. 20
DEFEND4
Enforce the rules!

21. 21
App icon made by https://www.flaticon.com/authors/pixel-buddha
Front Process Data
North
South North
South
East
West
Firewall/GW
Service Mesh
Service Mesh
PROTECT ALL APIS
•Automatic Deployment
•Protections as code
•Deployed early

22. 22
MONITOR AND ANALYZE
Dev/QA
✓ Immediate feedback loop in developer’s IDE
✓ Treat vulnerabilities as bugs:
✓ Track issues found with your favorite ticketing system
Production
✓ Analyze automatically all system logs
✓ Profile runtime behaviour and raise potential issues automatically

23. KEY RECOMMENDATIONS
Start small and iterate
✓ Don’t try to address all issues at once!
Educate and help developers
✓ Add security people to development teams
✓ Don’t throw security at them as a new responsibility
✓ Help them by including feedback in their existing development flow
Don’t throw too many tools in the pipeline
✓ Evaluate and choose depending on your needs
23

24. CONTACT US:
INFO@42CRUNCH.COM
Securing an API World