How Secure Are Your APIs?


APIs have revolutionized how companies build new marketing channels, access new customers, and create ecosystems. Enabling all this requires the exposure of APIs to a broad range of partners and developers—and potential threats.

Learn more about the latest API security issues.

Published in: Technology

  1. How Secure Are Your APIs? Kevin Ford, Apigee | Google Cloud
  2. Today's Presenter
  3. APIs Are Under Attack
     • Standard Interface
     • Consistent Resource model
     • Easy Programmability
     • Published Documentation
     • Mobile App Proliferation
  4. API Attacks That Made the News
     • "An Instagram Hack Hit Millions of Accounts, and Victims' Phone Numbers are Now for Sale."
     • "No Butts About It, Some Pinterest Users Have Been Hacked."
     • "Three Million Moonpig Accounts Exposed by Flaw."
     • "Nissan Leaf Hackable Through Insecure APIs."
     • "Thieves Stole Taxpayer Data from IRS 'Get Transcript' Service."
  5. Layered Security and Governance (diagram; labels in extraction order): Backend; RBAC management; IDM Integration; Global Policies; User Provisioning; AD / LDAP Groups; Quota/Spike Arrest; SQL threat protection; JSON bomb protection; IP based restrictions; Bot Detection (public today); Data Security; Two-way TLS; API key; OAuth2; Threat Protection; Identity Mgmt & Governance; Management Server; Portal; Analytics; API Management; Data Security; Two-way TLS; IP Access Control; Logging & Auditing; Data Security; Org Boundaries; Encryption; SOC 2, PCI-DSS, HIPAA; Access Control; OAuth2; API Key Verification; IP Access Control; Logging & Auditing; Partners/Apps
  6. Signs of Attack on APIs
     • Persistent attempts from same IP
     • Unusual error rates
     • Suspicious client requests
     • Data crawling
     • Key harvesting
     • Activity bursts
     • Geographical patterns
     • Brute force attacks
     • Bots probing for API security weakness
     • Competitors scraping price data
     • Credential stuffing
     • Abuse of guest accounts
     • Bot traffic skewing analytics and KPIs
     • Using compromised API keys to access private APIs
     • Dictionary-type attacks
     • Man-in-the-Middle attacks
  7. Why Traditional Approaches Fail (diagram; labels in extraction order): Backend Systems; Apigee; WAF; API Key; Access Token; User Agent; Contextual; Volume; Other Attributes; Data Warehouse; CRM, ERP, etc.; SOA; Microservices
  8. Solution: Dedicated API Security Infrastructure. APIs need a dedicated security infrastructure to protect against the increasing threat of malicious behavior. "Once is happenstance. Twice is coincidence. The third time it's enemy action." (Ian Fleming)
  9. Apigee Sense: Intelligent behavior detection to protect APIs from attack.
  10. How does Apigee Sense Protect your APIs?
     • Purpose built for APIs
     • Uses behavior-based rules and algorithms
     • Detects anomalous behavior patterns at the API layer
     • Complete closed-loop system: takes actions based on rules specified by administrators
  11. Intelligent (Apigee Sense)
     • Studies call patterns from API metadata
     • Algorithms detect anomalies
     • Analyzes customer traffic over time
  12. Behavior Detection (Apigee Sense)
     • Detects behavior
     • Finds anomalies
     • Proactively identifies threats
     • Examines metadata
     • Characterizes requests
     • Flags suspicious requests
     • Administrators apply desired action for a given behavior
     (diagram labels: Hackers; Brute Force Attacks)
  13. Protect APIs (Apigee Sense)
     • Alerts teams
     • Tags or blocks
     • Takes action based on admin policies
     • Closed-loop system
  14. Closed Loop Protection (diagram)
  15. Flexible Protection
     • Handle Flagged Requests via Configuration
     • Handle Flagged Requests via Code: Honeypot, Conditional Routing, Callouts, Logging
  16. A Secure Solution
  17. A Secure Solution… With Extreme Visibility
  18. The Best Defense Is A Good Offense
  19. Questions?
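Several of the attack signs on slide 6 (persistent attempts from the same IP, unusual error rates, key harvesting, activity bursts) and the Quota/Spike Arrest layer on slide 5 can be checked mechanically over API gateway access logs. The following is an added example, not code from the deck or from Apigee Sense; it assumes a constructed log of (timestamp, client_ip, api_key, status) records and hypothetical thresholds an administrator would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log, not real traffic: (timestamp, client_ip, api_key, status)
SAMPLE_LOG = [
    ("2023-01-01T10:00:00", "203.0.113.7", "key-a1", 401),
    ("2023-01-01T10:00:01", "203.0.113.7", "key-a2", 401),
    ("2023-01-01T10:00:02", "203.0.113.7", "key-a3", 401),
    ("2023-01-01T10:00:03", "203.0.113.7", "key-a4", 401),
    ("2023-01-01T10:00:04", "203.0.113.7", "key-a5", 401),
    ("2023-01-01T10:00:05", "203.0.113.7", "key-a1", 200),
    ("2023-01-01T10:00:00", "198.51.100.2", "key-b1", 200),
    ("2023-01-01T10:01:00", "198.51.100.2", "key-b1", 200),
    ("2023-01-01T10:00:00", "192.0.2.9", "key-c1", 403),
    ("2023-01-01T10:01:00", "192.0.2.9", "key-c1", 403),
    ("2023-01-01T10:02:00", "192.0.2.9", "key-c1", 403),
    ("2023-01-01T10:03:00", "192.0.2.9", "key-c1", 200),
]

# Hypothetical thresholds (assumed for this example, tune per API)
BURST_WINDOW, BURST_LIMIT = timedelta(seconds=10), 5   # spike-arrest style window
MIN_CALLS, ERROR_RATE_LIMIT, KEY_LIMIT = 4, 0.5, 3    # auth-failure ratio, distinct keys

def find_suspicious(records=SAMPLE_LOG):
    by_ip = defaultdict(list)
    for ts, ip, key, status in records:
        by_ip[ip].append((datetime.fromisoformat(ts), key, status))
    findings = {}
    for ip, calls in by_ip.items():
        calls.sort()
        reasons = []
        # Unusual error rate: mostly 401/403 from one client looks like credential stuffing
        auth_fail = sum(1 for _, _, s in calls if s in (401, 403))
        if len(calls) >= MIN_CALLS and auth_fail / len(calls) > ERROR_RATE_LIMIT:
            reasons.append("high_auth_error_rate")
        # Key harvesting: one IP cycling through many different API keys
        if len({k for _, k, _ in calls}) >= KEY_LIMIT:
            reasons.append("key_harvesting")
        # Activity burst: sliding-window request count exceeds the spike limit
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_LIMIT:
                reasons.append("activity_burst")
                break
        if reasons:
            findings[ip] = reasons
    return findings
```

The result maps each flagged client IP to the rules it tripped, which is the kind of per-client verdict a gateway policy could then tag, throttle or block.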