Shielding Your APIs: Practical Tips and AI-Powered Solutions
Keiron Shepherd, Regional Solution Architect, F5
Brandon Dunlap, Moderator
Trends driving architectural complexity and API sprawl
• Digital transformation
• The rise of modern apps
• IoT and edge computing
• The rise of generative AI
©2024 F5
APIs are the connective tissue...
(diagram: APIs linking the Edge, CDN, Public Cloud and Data Center, in front of modern, legacy and cloud-native apps)
... for modern apps and digital experiences
(diagram: UI → API → business logic, with APIs calling a 3rd-party service → data access layer → microservices)
Architectural complexity | Larger attack surface | Data exposure
Modern apps and APIs drive complexity
• More complex architectures and expanded attack surface
• Microservices and their APIs change more rapidly and independently
• More attacks are logic-based, bypassing rule-based defences
• Patchwork of point-solutions leads to blind spots and inconsistent security posture
(diagram: APIs spread across AWS, Azure, Google Cloud, SaaS, colocation, traditional and private cloud data centers, and the edge)
API threats
APIs are risky by definition
• Open by design – APIs are created to share access to data and applications
• Expose extra data – Developers build flexible APIs that can provide more data than is required
• Larger attack surface – Every API and endpoint expands the potential attack surface
• Predictable structure – APIs adhere to logical architectures (REST), making them easy to probe
• Difficult to observe – API attacks can evolve slowly, with small requests over weeks or months
• Lack protections – APIs are often deployed without basic protections like access control
OWASP Top 10 API Security Risks – 2023
• API1 – Broken Object Level Authorization
• API2 – Broken Authentication
• API3 – Broken Object Property Level Authorization
• API4 – Unrestricted Resource Consumption
• API5 – Broken Function Level Authorization
• API6 – Unrestricted Access to Sensitive Business Flows
• API7 – Server Side Request Forgery
• API8 – Security Misconfiguration
• API9 – Improper Inventory Management
• API10 – Unsafe Consumption of APIs
API security risks of greatest concern
(chart: survey results, multiple choices allowed; source: 2023 State of the API Report, Postman)
Recent API breaches: Scraping at scale
Facebook 2021
• API used to link phone numbers
• Leaked over 500M accounts
Twitter 2021
• API used to link phone numbers and email addresses
• Millions of accounts leaked
Trello 2021
• API flaw
• Lost over 15M accounts
Dell 2024
• Partner API
• Queried 5,000
• For three weeks
Attack example
• Attempt to access “objects” / get data without authentication
• Find and re-use successful logins (access token)
• Static token without expiration
• Weak JWT configuration
• No PKCE on client side (OAuth)
(diagram: user1 GET /login → 401 Unauthorized; user2 GET /login → 401 Unauthorized; user3 GET /login → 200 OK; the token obtained by user3 is then reused for GET, POST, PUT and DEL requests against /profil, each answered 200 OK)
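The slide lists static tokens without expiration and weak JWT configuration among the causes of broken authentication. The following is an added example, not code from the slides or from F5, showing what a server-side token check that closes those gaps looks like: an explicit algorithm allowlist, a constant-time signature comparison, a mandatory exp claim and a maximum lifetime. The HS256 issuer, the secret and the 15-minute lifetime policy are constructed for the example; a real deployment would use a vetted JWT library rather than the hand-rolled encoder here.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}          # explicit allowlist: 'none' and unexpected algorithms are refused
MAX_LIFETIME_SECONDS = 15 * 60    # constructed policy: access tokens live at most 15 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT (issuer side). Hand-rolled only so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signature = hmac.new(secret, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(signature)])


def verify_token(token: str, secret: bytes, now=None):
    """Return (claims, 'ok') or (None, reason). Checks algorithm, signature,
    presence of exp, expiry, and maximum lifetime (exp - iat)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError:          # wrong part count, bad base64, bad JSON or non-ASCII
        return None, "malformed token"
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:
        # Refuses 'none' and any algorithm the verifier was not configured for.
        return None, f"algorithm not allowed: {alg}"
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None, "malformed claims"
    if not isinstance(claims, dict) or "exp" not in claims:
        return None, "static token: no expiration"      # the slide's static-token case
    exp, iat = claims["exp"], claims.get("iat")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "token expired"
    if iat is not None and exp - iat > MAX_LIFETIME_SECONDS:
        return None, "lifetime exceeds policy"
    return claims, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = issue_token(secret, {"sub": "user3", "iat": 1000, "exp": 1600})
    print(verify_token(token, secret, now=1200))
    print(verify_token(token, secret, now=1700))
```

The order of checks matters: the algorithm is validated before the signature so a header claiming a different algorithm can never steer which verification routine runs, and the signature is validated before any claim is trusted.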
Attack example
• Modify object data which shouldn’t be accessible without authorisation
• Change object properties to escalate privileges
• Add “roles” or permission
(diagram: user1 GET /customer/profile → 200 OK; user1 PUT /customer/profile → 200 OK, with the request body below)
    {
      "id": "019898-886878-878787-578588",
      "first_name": "alexis",
      "last_name": "da costa",
      "address": "16 bis rue Champ Lagarde",
      "is_admin": true,
      "is_sso": true,
      "permission_type": "admin"
    }
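The PUT above succeeds because the server merges whatever properties the client sends. As an added example, not code from the slides or from F5, the handler below is written twice: once with that defect (the object id is trusted and every property is merged, API1 and API3 in the OWASP list) and once hardened with an ownership check and an allowlist of writable fields. The in-memory profile table, the second customer id and the field names are constructed; the first customer id and body are taken from the slide.

```python
import json
from copy import deepcopy

CUSTOMER_ID = "019898-886878-878787-578588"        # id from the slide's JSON body
OTHER_CUSTOMER_ID = "ffffff-000000-111111-222222"  # constructed second customer

_SEED_STORE = {
    CUSTOMER_ID: {
        "id": CUSTOMER_ID, "first_name": "alexis", "last_name": "da costa",
        "address": "16 bis rue Champ Lagarde",
        "is_admin": False, "is_sso": False, "permission_type": "user",
    },
    OTHER_CUSTOMER_ID: {
        "id": OTHER_CUSTOMER_ID, "first_name": "sam", "last_name": "lee",
        "address": "1 Example Street",
        "is_admin": False, "is_sso": False, "permission_type": "user",
    },
}

# Properties a customer may change on their own profile. Anything not listed
# (id, is_admin, is_sso, permission_type, ...) is server-controlled.
WRITABLE_FIELDS = frozenset({"first_name", "last_name", "address"})


def make_store() -> dict:
    """Fresh copy of the constructed profile table, so each call starts clean."""
    return deepcopy(_SEED_STORE)


def update_profile_vulnerable(store: dict, caller_id: str, profile_id: str, body: str):
    """The pattern on the slide: the object id is trusted without an ownership
    check, and every JSON property is merged into the stored record."""
    profile = store.get(profile_id)
    if profile is None:
        return 404, {"error": "not found"}
    profile.update(json.loads(body))   # "is_admin": true lands in the record
    return 200, profile


def update_profile_hardened(store: dict, caller_id: str, profile_id: str, body: str):
    """Authorize the object first, then accept only allowlisted, well-typed
    properties. Privileged properties are rejected rather than silently dropped,
    so the attempt shows up in logs."""
    profile = store.get(profile_id)
    if profile is None or profile_id != caller_id:
        # Identical response for missing and foreign objects: no existence oracle.
        return 404, {"error": "not found"}
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "body must be a JSON object"}
    rejected = sorted(set(payload) - WRITABLE_FIELDS)
    if rejected:
        return 400, {"error": "property not writable", "fields": rejected}
    for field, value in payload.items():
        if not isinstance(value, str) or not 0 < len(value) <= 200:
            return 400, {"error": f"invalid value for {field}"}
    profile.update(payload)
    return 200, profile


# The PUT body from the slide, privilege-escalation properties included.
ESCALATION_BODY = json.dumps({
    "id": CUSTOMER_ID, "first_name": "alexis", "last_name": "da costa",
    "address": "16 bis rue Champ Lagarde",
    "is_admin": True, "is_sso": True, "permission_type": "admin",
})

if __name__ == "__main__":
    print(update_profile_vulnerable(make_store(), CUSTOMER_ID, CUSTOMER_ID, ESCALATION_BODY))
    print(update_profile_hardened(make_store(), CUSTOMER_ID, CUSTOMER_ID, ESCALATION_BODY))
```

Rejecting the request outright (400 with the offending field names) rather than ignoring the extra properties is deliberate: a client that sends is_admin is either broken or probing, and either way the event should be visible to the monitoring described later in the deck.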
API security challenges
Existing tactics for securing APIs are insufficient
Many organisations have a patchwork of security controls in place
Can a WAF protect APIs?
• Mitigates threats and bad actors
• Interprets API-specific protocols
• Only protects what is in line (traffic it inspects)
• Does not extend to code development
• Does not help find and monitor all APIs
What is the function of an API Gateway?
• Aggregates, manages, and directs incoming API requests
• Provides basic security and access control
• Fails to protect against advanced threats
• Unable to quantify API risks
API Security – Key capabilities
• Discover – Dynamically learn and document API endpoints
• Monitor – Continuously inspect and identify anomalies with API endpoints
• Secure – Enforce API behaviour and block/limit undesirable or malicious traffic
(diagram: clients → API security layer → API gateways)
It is critical to integrate API security into the API dev pipeline
Plan / Code → Build → Test → Release / Deploy → Operate → Monitor
SHIFT LEFT: API scanning; API code analysis and testing
SHIELD RIGHT: API discovery and traffic analysis; runtime protection and enforcement
A shift left approach is critical to reduce risks and API exposure
Solving for the built-in 90-day exposure window
• Day 0-n (Development): Developer introduces a new PII vulnerability
• Day 0: Vulnerable API deployed to Prod
• 90 days between Pen-Tests
• Day 90 (Detection, SecOps): Pen-Tester discovered the vulnerability exposing customer data
• n weeks of exposure
• Day 90+n (Response): Without early detection and remediation, the “negotiations” between security and dev start here
Eliminate >90 days of exposure: introducing continuous and automated API security
API discovery
API discovery in code (shift left)
API discovery in runtime
Inventory and shadow
Inventory
• Defined by Swagger
• Enforceable (validation)
Shadow
• Discovered, not inventoried
• Enforceable (fall through validation)
Challenge – Detect and adapt drifts in API definitions
Reduce time to protect
• Current version: AppDev runs V1.0, SecOps protects V1.0, API Discovery enabled
• New version: AppDev deploys V2.0 while SecOps still protects V1.0 (drift)
• Detect / Inform: drift discovered
• Adjust / Protect: V2.0 applied by SecOps
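The four stages above (current version, new version with drift, detect/inform, adjust/protect) can be made concrete by diffing the API definition SecOps enforces against the one AppDev just shipped. The following is an added example, not code from the slides or from F5; the two OpenAPI fragments (V1.0 and V2.0 of a customer-profile API), the policy modes "enforce" and "shadow", and the function names are all constructed for illustration. The "shadow" mode corresponds to the deck's discovered-but-not-inventoried endpoints that still get fall-through validation.

```python
from dataclasses import dataclass, field

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed V1.0 definition: the one SecOps currently enforces.
SPEC_V1 = {"openapi": "3.0.3", "info": {"version": "1.0"}, "paths": {
    "/customer/profile": {
        "get": {},
        "put": {"requestBody": {"content": {"application/json": {"schema": {
            "type": "object",
            "properties": {"first_name": {"type": "string"}, "last_name": {"type": "string"},
                           "address": {"type": "string"}}}}}}},
        "delete": {},
    },
}}

# Constructed V2.0 definition: AppDev added an export operation, dropped DELETE,
# and added an is_sso property to the PUT body.
SPEC_V2 = {"openapi": "3.0.3", "info": {"version": "2.0"}, "paths": {
    "/customer/profile": {
        "get": {},
        "put": {"requestBody": {"content": {"application/json": {"schema": {
            "type": "object",
            "properties": {"first_name": {"type": "string"}, "last_name": {"type": "string"},
                           "address": {"type": "string"}, "is_sso": {"type": "boolean"}}}}}}},
    },
    "/customer/profile/export": {"post": {}},
}}


def operations(spec):
    """Map each documented (METHOD, path) to the set of request-body property names."""
    ops = {}
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            schema = (op.get("requestBody", {}).get("content", {})
                        .get("application/json", {}).get("schema", {}))
            ops[(method.upper(), path)] = frozenset(schema.get("properties", {}))
    return ops


@dataclass
class DriftReport:
    added: list = field(default_factory=list)    # operations V2 has and V1 lacks
    removed: list = field(default_factory=list)  # operations V1 has and V2 lacks
    changed: list = field(default_factory=list)  # (op, new properties, dropped properties)

    def is_empty(self):
        return not (self.added or self.removed or self.changed)


def detect_drift(current, new):
    """Detect / Inform: compare the enforced definition with the deployed one."""
    cur, nxt = operations(current), operations(new)
    report = DriftReport(added=sorted(set(nxt) - set(cur)), removed=sorted(set(cur) - set(nxt)))
    for op in sorted(set(cur) & set(nxt)):
        if cur[op] != nxt[op]:
            report.changed.append((op, sorted(nxt[op] - cur[op]), sorted(cur[op] - nxt[op])))
    return report


def adjust_policy(policy, report):
    """Adjust / Protect. `policy` maps (METHOD, path) to 'enforce' (inventoried) or
    'shadow' (discovered, awaiting SecOps review, fall-through validation only)."""
    updated = dict(policy)
    for op in report.removed:
        updated.pop(op, None)          # the app no longer exposes it: drop it from the inventory
    for op in report.added:
        updated.setdefault(op, "shadow")
    for op, _new, _dropped in report.changed:
        updated[op] = "shadow"         # body shape changed: re-review before enforcing strictly
    return updated


if __name__ == "__main__":
    report = detect_drift(SPEC_V1, SPEC_V2)
    print(report)
    print(adjust_policy({op: "enforce" for op in operations(SPEC_V1)}, report))
```

Running this in the CI/CD pipeline on every spec change turns the "DRIFT discovered" step into an automated notification, and the returned policy is what SecOps reviews before the new operations move from shadow to enforce.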
API discovery from external scanning
• Discovering and mapping public-facing services is critical to avoid cyber attacks and data breaches
• Recon in web app scanning to automatically create accurate, complete inventories of apps and API services across domains
• Reducing attack surface and protecting sensitive data in apps
API enforcement
Behavioural analysis of API endpoints
• Monitor and baseline API behaviour continuously with a machine learning (ML) engine
• Identify anomalies (e.g., spikes in request rates, latency, response size, etc.)
• Identify any PII in API communications
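As an added example, not code from the slides or from F5, the following shows the baseline-then-detect idea behind the first two bullets in its simplest statistical form: learn mean and standard deviation of requests per minute and of response size per endpoint, then flag minutes or responses that sit more than z standard deviations above that baseline, and flag endpoints that were never baselined at all (the deck's shadow endpoints). The access-log format, the sample lines and the three-sigma threshold are constructed; an ML engine would model far more features (latency, status mix, per-client behaviour), and the PII inspection from the third bullet is not covered here.

```python
import statistics
from collections import defaultdict


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <method> <path> <status> <bytes>'.
    Returns (minute bucket 'YYYY-MM-DDTHH:MM', endpoint, status, response bytes)."""
    ts, method, path, status, size = line.split()
    return ts[:16], f"{method} {path}", int(status), int(size)


def _bucket(lines):
    """Per endpoint: requests per minute, and the list of response sizes."""
    rates = defaultdict(lambda: defaultdict(int))
    sizes = defaultdict(list)
    for line in lines:
        minute, endpoint, _status, size = parse_line(line)
        rates[endpoint][minute] += 1
        sizes[endpoint].append(size)
    return rates, sizes


def build_baseline(lines):
    """Learn mean/stddev of request rate and response size for each endpoint."""
    rates, sizes = _bucket(lines)
    baseline = {}
    for endpoint in rates:
        per_min = list(rates[endpoint].values())
        baseline[endpoint] = {
            "rate_mean": statistics.mean(per_min), "rate_std": statistics.pstdev(per_min),
            "size_mean": statistics.mean(sizes[endpoint]), "size_std": statistics.pstdev(sizes[endpoint]),
        }
    return baseline


def detect_anomalies(baseline, lines, z=3.0):
    """Return (kind, endpoint, minute, value) tuples for rate spikes, oversized
    responses and endpoints absent from the baseline. A floor of 1.0 on the
    standard deviation stops a perfectly flat baseline from flagging everything."""
    findings = []
    rates, _sizes = _bucket(lines)
    for endpoint, per_min in rates.items():
        if endpoint not in baseline:
            findings.append(("unknown endpoint", endpoint, None, sum(per_min.values())))
            continue
        b = baseline[endpoint]
        limit = b["rate_mean"] + z * max(b["rate_std"], 1.0)
        for minute, count in sorted(per_min.items()):
            if count > limit:
                findings.append(("request-rate spike", endpoint, minute, count))
    for line in lines:
        minute, endpoint, _status, size = parse_line(line)
        b = baseline.get(endpoint)
        if b and size > b["size_mean"] + z * max(b["size_std"], 1.0):
            findings.append(("oversized response", endpoint, minute, size))
    return findings


# --- constructed sample data: 30 quiet minutes, then a window with a burst -----
def _lines(minute, n, endpoint="GET /customer/profile", size=600):
    return [f"2024-05-01T10:{minute:02d}:{(i * 7) % 60:02d}Z {endpoint} 200 {size + (i * 37) % 200}"
            for i in range(n)]

BASELINE_LOG = [line for m in range(30) for line in _lines(m, 4 + m % 3)]   # 4-6 req/min
WINDOW_LOG = (
    _lines(30, 5)                                       # normal minute
    + _lines(31, 80)                                    # enumeration-style burst
    + _lines(32, 1, size=90000)                         # one bulk response
    + _lines(32, 2, endpoint="GET /internal/export")    # endpoint never baselined
)

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for finding in detect_anomalies(baseline, WINDOW_LOG):
        print(finding)
```

The burst and the oversized response are the signatures of the scraping incidents listed earlier in the deck: many small requests to one object endpoint, or a single response carrying far more data than the endpoint normally returns.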
OpenAPI spec enforcement
Automatically enforce API schema and a positive security model
• Upload existing API schema for enforcement of appropriate API behaviour
• Avoid wasting time on configuring and deploying APIs
• Allow valid requests and block any method that the schema doesn’t support
• Import via UI or the API and integrate into a CI/CD pipeline
Source: https://swagger.io/
OpenAPI spec enforcement
(diagram: “Enforce known endpoints” – GET /animals, POST /locations, POST /colors; “API Validation” – GET /animals with request and response body validation, GET /locations)
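The two slides above describe a positive security model: only documented paths and methods are allowed, and bodies are validated against the schema. As an added example, not code from the slides or from F5, the following enforcer reads a small OpenAPI 3 document and answers 404 for paths not in the inventory (shadow endpoints), 405 for undocumented methods and 400 for bodies that miss required properties, carry undocumented ones or have the wrong JSON type. The document itself (/animals, /locations, /colors with constructed schemas), the class name and the status codes are assumptions; only request bodies are checked, not responses, and only the subset of JSON Schema shown.

```python
import json
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed schemas; additionalProperties: false is what turns the schema into an allowlist.
ANIMAL_SCHEMA = {"type": "object", "required": ["name", "legs"], "additionalProperties": False,
                 "properties": {"name": {"type": "string"}, "legs": {"type": "integer"}}}
LOCATION_SCHEMA = {"type": "object", "required": ["city"], "additionalProperties": False,
                   "properties": {"city": {"type": "string"}, "lat": {"type": "number"}}}
COLOR_SCHEMA = {"type": "object", "required": ["name"], "additionalProperties": False,
                "properties": {"name": {"type": "string"}}}


def _json_body(schema):
    return {"requestBody": {"content": {"application/json": {"schema": schema}}}}


# Constructed OpenAPI 3 fragment using the endpoints named on the slide.
SPEC = {"openapi": "3.0.3", "paths": {
    "/animals": {"get": {}, "post": _json_body(ANIMAL_SCHEMA)},
    "/animals/{id}": {"get": {}},
    "/locations": {"post": _json_body(LOCATION_SCHEMA)},
    "/colors": {"post": _json_body(COLOR_SCHEMA)},
}}


def _type_ok(json_type, value):
    if json_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)   # bool is an int in Python
    if json_type == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if json_type == "string":
        return isinstance(value, str)
    if json_type == "boolean":
        return isinstance(value, bool)
    return True   # object/array/unspecified: not checked by this minimal validator


def validate_body(schema, body):
    """Return None if `body` satisfies the supported JSON Schema subset, else a reason."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    for name in schema.get("required", []):
        if name not in body:
            return f"missing required property '{name}'"
    props = schema.get("properties", {})
    if schema.get("additionalProperties", True) is False:
        extra = sorted(set(body) - set(props))
        if extra:
            return "undocumented properties: " + ", ".join(extra)
    for name, value in body.items():
        if name in props and not _type_ok(props[name].get("type"), value):
            return f"property '{name}' must be {props[name]['type']}"
    return None


class SchemaEnforcer:
    def __init__(self, spec):
        self.spec = spec
        self.routes = []
        for template, item in spec["paths"].items():
            # '/animals/{id}' -> ^/animals/[^/]+$ ; literal segments are regex-escaped
            pattern = "".join("[^/]+" if part.startswith("{") else re.escape(part)
                              for part in re.split(r"(\{[^}]+\})", template))
            methods = {m.upper() for m in item if m in HTTP_METHODS}
            self.routes.append((re.compile(f"^{pattern}$"), template, methods))

    def check(self, method, path, raw_body=b""):
        """(200, 'allowed') | (404, shadow endpoint) | (405, undocumented method) | (400, bad body)."""
        for pattern, template, methods in self.routes:
            if not pattern.match(path):
                continue
            if method.upper() not in methods:
                return 405, f"{method.upper()} not documented for {template}"
            op = self.spec["paths"][template][method.lower()]
            schema = (op.get("requestBody", {}).get("content", {})
                        .get("application/json", {}).get("schema"))
            if schema is not None:
                try:
                    body = json.loads(raw_body)
                except ValueError:
                    return 400, "malformed JSON body"
                reason = validate_body(schema, body)
                if reason:
                    return 400, reason
            return 200, "allowed"
        return 404, f"{path} is not in the inventory (shadow endpoint)"


if __name__ == "__main__":
    enforcer = SchemaEnforcer(SPEC)
    print(enforcer.check("POST", "/animals", b'{"name": "cat", "legs": 4}'))
    print(enforcer.check("POST", "/animals", b'{"name": "cat", "legs": 4, "is_admin": true}'))
    print(enforcer.check("DELETE", "/animals"))
```

The "undocumented properties" branch is the schema-level counterpart of the profile-update allowlist earlier in the deck: once the spec is the source of truth, a property the developers never documented cannot reach the application at all.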
Security across distributed environments
(diagram: SaaS console for centralised management and analytics; integrated web app and API protection in the public cloud and in the private data center, in front of APIs and internal apps; users reach both over the Internet)
API and AI workloads
Future of enterprise computing and application security: Multicloud | API-first | Powered by AI
AI brings a whole new set of distributed apps and APIs
... which amplifies multicloud complexity and security risk
AI is a powerful accelerant for each of these secular trends:
• Growing number of applications
• Growing number of APIs in front of applications
• Increasing distribution of apps across hybrid and multicloud environments
• Increasing cyber risk with more business value accessible via apps and APIs
Enterprise adoption of AI technologies
... will unleash a flood of new AI-driven apps and an even greater number of APIs
(diagram: APIs across AWS, Azure, Google Cloud, SaaS, colocation, traditional and private cloud data centers, and the edge)
Summary
Key takeaways
• API security is an integral part of an application security solution
• API protection applies along all the API development lifecycle
• AI and ML technologies can improve efficacy of API security
• API security must be deployable and consumable in any environment
Questions?
Thank you for attending this webinar! Please visit the “Attachments” tab. There you’ll find supporting assets and speaker’s LinkedIn information.
Stay Connected!
Update your email preferences to receive
news about upcoming ISC2 webinars, research & more!
Certified Members, Associates and ISC2 Candidates:
https://my.isc2.org/s/Dashboard/Preferences
New to ISC2? Join free as an ISC2 Candidate!
https://www.isc2.org/candidate