Ever faster agile development and a wide gap between development and security teams are two of the main reasons to automate every aspect of API security: code scans, infrastructure scans, security testing, automatic policy deployment, and deployment of lightweight, secure policy enforcement points (PEPs). Let's shift left!
Presentation given at APIDays Paris in Jan 2018.
11. “Security experts are going to have to figure out how to deliver ‘security as code’. Essentially, they have to translate every security requirement, every coding guideline, every ‘best practice,’ every threat model, and every security architecture into code that can run during the development, build, test, and deployment process. Even in operations, it’s critical that attack detection and response is fully automated.”
Jeff Williams, OWASP Top 10 project creator, about the (ex) A10 entry in OWASP Top 10.
https://sdtimes.com/owasp-adds-unprotected-apis-insufficient-attack-protection-top-ten-2017-release/
13. LET’S SHIFT SECURITY LEFT!
[Timeline: Design → Development → Testing → Deployment]
Security vulnerabilities are bugs. The later you find them, the more costly it is to fix them.
16. IMPLEMENT ‘POLICY AS CODE’ (step 2)
1. Use threat modelling to evaluate the API's risk
2. Define security profiles by risk level
3. Apply security profiles automatically based on risk
4. Avoid policies in code and API-specific
17. USE A CONTAINERIZED PEP (step 3)
1. Easy to deploy, even on developers' laptops
2. Can be deployed hundreds of times
3. Immutable
VERIFY IMAGE INTEGRITY!
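One way to act on the "verify image integrity" point before a PEP container is deployed, as an added example that is not part of the deck or of any PEP product: the deployment reference must carry a digest, and the digest is recomputed from the manifest the registry serves and compared with the pinned value. The registry contents, image name and digests are constructed for this example; the reference form `repo:tag@sha256:<hex>` follows the OCI convention, and the parser deliberately ignores registry hosts with a port.

```python
"""Added example (not from the APIDays deck): verify a containerized PEP image
reference against a pinned manifest digest before deploying it.
Registry contents and image names below are constructed for illustration."""
import hashlib
import hmac
import re

# Reference grammar: <name>[:<tag>][@sha256:<64 hex>]. Simplification: the name
# part allows no ':' so registry hosts with a port are not handled here.
REF_RE = re.compile(
    r"^(?P<name>[^@:]+)(?::(?P<tag>[^@]+))?(?:@sha256:(?P<digest>[0-9a-f]{64}))?$"
)

# Constructed stand-in for a registry: image name -> manifest bytes it serves.
FAKE_REGISTRY = {
    "example.internal/pep": b'{"schemaVersion":2,"layers":["pep-layer-1"]}',
}


def parse_ref(ref):
    """Split an image reference into (name, tag, digest-or-None)."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.group("name"), m.group("tag") or "latest", m.group("digest")


def manifest_digest(manifest_bytes):
    """Digest of the manifest as registries compute it: sha256 over the raw bytes."""
    return hashlib.sha256(manifest_bytes).hexdigest()


def verify_image(ref, registry=FAKE_REGISTRY):
    """True only when the reference is pinned by digest and the manifest the
    registry serves hashes to exactly that digest.
    Tag-only references are rejected: a tag can be re-pointed at another image,
    so it says nothing about which bytes will actually run."""
    name, _tag, pinned = parse_ref(ref)
    if pinned is None:
        return False
    manifest = registry.get(name)
    if manifest is None:
        return False
    actual = manifest_digest(manifest)
    # Constant-time comparison; cheap here, and the right habit for digests.
    return hmac.compare_digest(actual, pinned)


if __name__ == "__main__":
    good = manifest_digest(FAKE_REGISTRY["example.internal/pep"])
    print("pinned ref verified:", verify_image(f"example.internal/pep:1.0@sha256:{good}"))
    print("tag-only ref accepted:", verify_image("example.internal/pep:1.0"))
```

The pinned digest belongs in the same versioned deployment description as the security policy, so that a changed image is a visible change in review rather than a silent tag update.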
18. MONITOR AND ANALYZE (step 4)
1. Constant monitoring at all stages
2. Automated response when possible
3. Leverage machine learning (but be careful of false positives!)
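The monitoring and automated-response step, as an added example that is not part of the deck: a small detector over API access logs that summarizes each client's traffic, picks a response action, and applies two false-positive guards (a minimum sample size before any action, and an allowlist for the team's own security scanner, which the deck's "security testing" stage will produce noisy 4xx traffic from). The log lines, thresholds, addresses and allowlist are constructed for this example, and the simple error-rate heuristic stands in for the machine-learning model the slide mentions; the same caveat about false positives applies to both.

```python
"""Added example (not from the APIDays deck): flag abusive API clients from
access logs and choose an automated response, with false-positive guards.
All log lines, addresses and thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed access-log lines: "<epoch> <client_ip> <method> <path> <status>"
SAMPLE_LOG_LINES = [
    "1700000000 10.0.0.5 GET /orders 200",
    "1700000001 10.0.0.5 GET /orders/1 200",
    "1700000002 10.0.0.5 POST /orders 201",
    "1700000001 198.51.100.7 GET /admin/users 401",
    "1700000002 198.51.100.7 GET /admin/config 401",
    "1700000002 198.51.100.7 GET /orders/abc 404",
    "1700000003 198.51.100.7 DELETE /admin/users 403",
    "1700000003 198.51.100.7 GET /orders/xyz 404",
    "1700000004 198.51.100.7 GET /admin 404",
    "1700000005 203.0.113.9 GET /orders/999 404",
    "1700000006 203.0.113.9 GET /orders/998 404",
] + [f"{1700000010 + i} 192.0.2.44 GET /orders 200" for i in range(20)] \
  + [f"{1700000020 + i} 10.0.0.200 GET /admin/users 401" for i in range(6)]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

MIN_SAMPLES = 5          # never judge a client on a handful of requests
ERROR_RATE_BLOCK = 0.5   # share of 4xx responses that justifies blocking
BURST_ALERT = 20         # request count that only warrants a human alert
ALLOWLIST = {"10.0.0.200"}  # constructed: the team's own CI security scanner


def parse_log(text):
    """Turn the line format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, path, status = line.split()
        events.append({"ts": int(ts), "client": client, "method": method,
                       "path": path, "status": int(status)})
    return events


def summarize(events):
    """Per-client request count, 4xx count and distinct paths in the window."""
    stats = defaultdict(lambda: {"requests": 0, "client_errors": 0, "paths": set()})
    for e in events:
        s = stats[e["client"]]
        s["requests"] += 1
        if 400 <= e["status"] < 500:
            s["client_errors"] += 1
        s["paths"].add(e["path"])
    return dict(stats)


def decide(stats, allowlist=ALLOWLIST):
    """Map each client to 'block', 'alert' or 'none'.
    Blocking is the only fully automated action and needs both enough samples
    and a sustained 4xx rate; volume alone goes to a person."""
    actions = {}
    for client, s in stats.items():
        if client in allowlist:
            actions[client] = "none"   # known scanner: noisy by design, never auto-block
        elif s["requests"] < MIN_SAMPLES:
            actions[client] = "none"   # too little evidence; acting here is a false positive risk
        elif s["client_errors"] / s["requests"] >= ERROR_RATE_BLOCK:
            actions[client] = "block"  # sustained auth failures / not-found responses
        elif s["requests"] >= BURST_ALERT:
            actions[client] = "alert"  # high volume, mostly valid: review, don't block
        else:
            actions[client] = "none"
    return actions


if __name__ == "__main__":
    for client, action in sorted(decide(summarize(parse_log(SAMPLE_LOG))).items()):
        print(f"{client:15} -> {action}")
```

Running it blocks only the client with six consecutive 4xx responses, raises an alert for the high-volume but well-behaved client, and leaves the two-request client and the allowlisted scanner alone, which is the distinction an automated responder has to make before it is allowed to act on its own.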
19. FULL DEV-SEC-OPS CYCLE FOR APIS
Develop: API is developed on platform of choice
Document: Document and annotate API with OpenAPI/Swagger
Assess: Assess API description and evaluate risk level
Secure: Configure and apply security policy from assessed risk
Test: Continuous API testing, including security testing
Deploy: Deploy to containerized PEP
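The Document, Assess and Secure stages of the cycle above, and the "policy as code" steps of slide 16 (define security profiles by risk level, apply them automatically, keep policy out of the API code), as one added example that is not part of the deck: the API's OpenAPI description is read, each operation is scored, a risk level is derived, and the matching security profile is emitted as plain data for the PEP to enforce. The sample OpenAPI document, the scoring rules, the profile contents and the `/health` public-endpoint exception are all constructed for this example; in practice the rules would encode the outcome of the threat-modelling step rather than the three heuristics shown here.

```python
"""Added example (not from the APIDays deck): derive a risk level per API
operation from its OpenAPI description and attach a security profile as data
('policy as code'), so the API implementation itself carries no policy.
The OpenAPI document, scoring rules and profiles are constructed."""
import json

# Constructed sample OpenAPI document (not a real API).
SAMPLE_OPENAPI = {
    "openapi": "3.0.0",
    "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": []}},                     # intentionally public
        "/orders": {
            "get": {"security": [{"bearer": []}], "tags": ["user"]},
            "post": {"security": [{"bearer": []}], "tags": ["payment"]},
        },
        "/admin/users": {"delete": {}},   # no security declared, destructive, admin path
    },
}

MUTATING = {"post", "put", "patch", "delete"}
SENSITIVE_HINTS = ("payment", "user", "admin", "account")
PUBLIC_PATHS = {"/health"}   # constructed exception: expected to be unauthenticated

# Security profiles keyed by risk level (constructed). A real deployment keeps
# these versioned next to the PEP configuration, not inside the API code.
PROFILES = {
    "low":    {"require_auth": False, "rate_limit_rpm": 600, "schema_validation": False, "audit_log": "errors"},
    "medium": {"require_auth": True,  "rate_limit_rpm": 120, "schema_validation": True,  "audit_log": "all"},
    "high":   {"require_auth": True,  "rate_limit_rpm": 30,  "schema_validation": True,  "audit_log": "all", "mtls": True},
}


def operation_risk(path, method, op, spec):
    """Score one operation: 0 = low, 1 = medium, 2 or more = high.
    The three rules are illustrative stand-ins for a threat-modelling outcome."""
    score = 0
    # Security requirement declared on the operation, else the document default.
    security = op.get("security", spec.get("security", []))
    if not security and path not in PUBLIC_PATHS:
        score += 2   # unauthenticated where nobody intended it to be
    if method in MUTATING:
        score += 1   # changes state
    text = (path + " " + " ".join(op.get("tags", []))).lower()
    if any(hint in text for hint in SENSITIVE_HINTS):
        score += 1   # touches sensitive data or administrative functions
    return score


def risk_level(score):
    return "low" if score == 0 else "medium" if score == 1 else "high"


def assess(spec):
    """Return {'METHOD path': risk_level} for every operation in the description."""
    result = {}
    for path, methods in spec["paths"].items():
        for method, op in methods.items():
            result[f"{method.upper()} {path}"] = risk_level(operation_risk(path, method, op, spec))
    return result


def build_policy(spec):
    """Attach the profile for each operation's risk level. The output is plain
    data for the PEP, which is what keeps policy out of the API code."""
    return {op: {"risk": level, **PROFILES[level]} for op, level in assess(spec).items()}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_OPENAPI), indent=2))
```

Because the input is the OpenAPI document, the same script runs in CI on every change to the API description, which is what makes the Assess and Secure stages automatic rather than a review meeting; an operation that loses its security requirement shows up as a jump to the high profile in the generated policy diff.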
20. PROPER SECURITY RELIES ON STRONG COLLABORATION ACROSS OPERATIONS, DEVELOPMENT, SECURITY AND BUSINESS TEAMS