Ever faster agile development and a wide gap across development and security teams are 2 of the main reasons you want to entirely automate all aspects of API security: code scans, infra scans, security testing, automatic policies deployment and deployment of lightweight, secure enforcement points (PEPs). Let's shift left! Presentation given at APIDays Paris in Jan 2018.

1. WHYYOU NEED
TO AUTOMATE
API SECURITY
ISABELLE MAUNY - CTO
ISABELLE@42CRUNCH.COM
The API Security Platform for the Enterprise

2. 2
Source: https://blog.appdynamics.com/product/the-importance-of-monitoring-containers-infographic/
MULTIPLICATION OF ENDPOINTS

3. TITLE TEXT
3App icon made by https://www.flaticon.com/authors/pixel-buddha
Internal
Partner Public
RISE OF VIRTUAL APPLICATION NETWORKS

4. TITLE TEXTEVER FASTER PACE OF APP DELIVERY
4
APPLICATION
DEVELOPMENT
APPLICATION
SECURITY

5. API SECURITY NEEDS TO
5
EVOLVE

6. 6
DEFINING “PROPER” SECURITY

7. 7
Authentication
Integrity
(transport &
message)
Audit
Confidentiality
(transport &
message)
Availability
(Rate Limiting)
Access Control
Non
Repudiation
Data Validity
(attacks
protection)

8. 8
YES. You need to
consider all of this…
… AND you need to
configure all aspects
in the right way

9. 9
EASY TO GET
THOSE WRONG!

10. 10
AND you need the
right infrastructure…

11. “Security experts are going to have to figure out how to deliver
‘security as code’.
Essentially, they have to translate every security requirement,
every coding guideline, every ‘best practice,’ every threat model,
and every security architecture into code that can run during the
development, build, test, and deployment process.
Even in operations, it’s critical that attack detection and response
is fully automated.”
Jeff Williams
OWASP Top 10 project creator, about the (ex) A10 entry in OWASP Top 10.
https://sdtimes.com/owasp-adds-unprotected-apis-insufficient-attack-protection-top-ten-2017-release/
11

12. 12
THE SOLUTION ?
DEVOPS, BUT WITH
SECURITY ON!

13. LET’S SHIFT SECURITY LEFT!
13
DeploymentTestingDevelopmentDesign
Security vulnerabilities are bugs. The later you find them, the more costly it is to fix them.

14. HACK
YOURSELF !
Automated Scans
✓ Code Scans
✓ Infrastructure Scans
Automated Hacking
✓ OWASP ZAP, BURP
Chaos Engineering
✓ DDOS Attacks
Test Security
✓ Authentication
✓ Authorization
Complementary Initiatives
✓ Pen-Testing
✓ Bug Bounty
✓ Secure Code Reviews
14
1
Choose scanning platforms/tools where
functionality is exposed as APIs/CLI.

15. IT’S ILLEGAL TO
ATTACK SYSTEMS!
UNLESS
ALLOWED TO…
15

16. 1. Use Threat Modelling to eval the APIs risk
2. Define security profiles by risk level
3. Apply security profiles automatically
based on risk.
4. Avoid policies in code and API-specific
16
IMPLEMENT
‘POLICY AS CODE’
2

17. 1. Easy to deploy even on developer’s laptops
2. Can be deployed hundreds of times
3. Immutable
17
USE A
CONTAINERIZED
PEP
3
VERIFY IMAGE INTEGRITY !

18. 1. Constant monitoring at all stages
2. Automated Response when possible.
3. Leverage Machine Learning (but be
careful of false positives!)
18
MONITOR AND
ANALYZE
4

19. FULL DEV-SEC-OPS CYCLE FOR APIS
19
Develop
Assess
Secure
Test
Document
Deploy
API is developed on
platform of choice
Continuous API testing
including security
testing
Deploy to containerized
PEP
Configure and apply
security policy from
assessed risk
Assess API description
and evaluate risk level
Document and annotate
API with OpenAPI/Swagger

20. 20
RELIES ON STRONG COLLABORATION
ACROSS OPERATIONS, DEVELOPMENT,
SECURITY AND BUSINESS TEAMS
PROPER SECURITY

21. 21
BUILD
SECURITY
CHAMPIONS

22. IT’S NOT ABOUT IF,
IT’S ABOUT WHEN.
BE PREPARED.
22

23. 23
www.42crunch.com/whitepaper

24. CONTACT: INFO@42CRUNCH.COM
WWW.42CRUNCH.COM
The API Security Platform for the Enterprise

25. RESOURCES
Chaos Engineering
✓ http://principlesofchaos.org
✓ https://github.com/dastergon/awesome-chaos-engineering
OWASP ZAP
✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Source Code Analysis
✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Code Security reviews
✓ https://www.owasp.org/index.php/Code_Review_Introduction
Systems Scans
✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
25

26. RESOURCES
SSL Setup Scan
✓ https://hardenize.com
✓ https://securityheaders.io
✓ https://www.ssllabs.com/ssltest/
26