SlideShare a Scribd company logo

Better API Security with Automation

42Crunch
42Crunch

API security needs to be thought with agility and collaboration in mind. In this presentation, we explain why API security must be automated: explosion of endpoints, continuous change, human errors and early involvement of security teams in API dev process.

1 of 33
Downloaded 34 times
1
The API Security Platform for the Enterprise ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER ISABELLE@42CRUNCH.COM BETTER SECURITY WITH AN AUTOMATED APPROACH
2
OWASP : FROM 2010 THROUGH 2017 2 TOP 10 2010 A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Top 10 2017 A1: Injection* A2: Broken Authentication A3: Sensitive Data Exposure* A4: XML External Entities (XXE)* A5: Broken Access Control* A6: Security Misconfiguration* A7: Cross-Site Scripting (XSS)* A8: Insecure Deserialization* A9: Using Components with Known Vulnerabilities* A10: Insufficient Logging&Monitoring *= API related
3
3By 2022 APIs will become the most common attack vector - Gartner
4
HOW DID WE GET THERE? 4
5
WE ARE HUMANS! 5
6
6
7
COVERING THE BASICS 7
8
8
9
KNOW YOUR APIS 9 1 See: https://www.owasp.org/index.php/Application_Threat_Modeling
10
VALIDATE AND SANITIZE INPUT 10 URL validation Verb validation ✓ Reject if not valid Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPENAPI SPECIFICATION to the RESCUE !
11
VALIDATE JWT TOKENS 11 Don’t trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended) Reject None! Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims and your own claims See details Learn the best practices for keeping your JWTs secure. 3 OPENAPI SPECIFICATION (AGAIN) to the RESCUE !
12
FINE-GRAIN AUTHORIZATION 12 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution (XACML!) 4
13
FINDING VULNERABILITIES 13
14
START EARLY: SHIFT LEFT ! 14 DeploymentTestingDevelopmentDesign
15
15 Development Security Operations Business
16
COVER THE BASICS 16 Automated Analysis Static code analysis 3rd party libraries validation (CVEs), e.g. NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
17
HACK YOURSELVES! 17 API Scanning/Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (coming soon!) Transport analysis ✓ SSL Labs ✓ Hardenize Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
18
18 PROTECT YOUR APIS 3 Protect all APIs ( public, private, SaaS) AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls ✓ Enforce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Data Validation / JWT Validation / Auth / Azn ✓ Serves as Virtual Patching (as a WAF does for applications) ✓ Deploy at the edge and/or close to APIs (microservices architecture)
19
Use Development ticketing system for tracking issues Analyse runtime behaviour and raise issues automatically 19 MONITOR AND ANALYZE 4
20
JOIN THE MAILING LIST ! APISECURITY.IO NEWS AND TOOLS FOR BETTER API SECURITY
21
ADDITIONAL INFORMATION 21
22
PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS 22 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
23
CONTENT INJECTION: WORDPRESS API 23https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
24
TITLE TEXT Remote Command Execution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 24
25
25 https://www.talosintelligence.com/reports/TALOS-2018-0539/
26
26 Information Leakage (A3) Broken Access Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
27
N26 CONTINUED… 27
28
28 Failed to properly validate that you can’t input any other number than yours!
29
UNPROTECTED API ! (A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 29
30
AND OF COURSE …. EQUIFAX FOR A9 30
31
JWT TOKEN VALIDATION 31 Failed to properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
32
RESOURCES OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 32
33
RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 33
The API Security Platform for the Enterprise ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER ISABELLE@42CRUNCH.COM BETTER SECURITY WITH AN AUTOMATED APPROACH
OWASP : FROM 2010 THROUGH 2017 2 TOP 10 2010 A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Top 10 2017 A1: Injection* A2: Broken Authentication A3: Sensitive Data Exposure* A4: XML External Entities (XXE)* A5: Broken Access Control* A6: Security Misconfiguration* A7: Cross-Site Scripting (XSS)* A8: Insecure Deserialization* A9: Using Components with Known Vulnerabilities* A10: Insufficient Logging&Monitoring *= API related
3By 2022 APIs will become the most common attack vector - Gartner
HOW DID WE GET THERE? 4
WE ARE HUMANS! 5
6
COVERING THE BASICS 7
8
KNOW YOUR APIS 9 1 See: https://www.owasp.org/index.php/Application_Threat_Modeling
VALIDATE AND SANITIZE INPUT 10 URL validation Verb validation ✓ Reject if not valid Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPENAPI SPECIFICATION to the RESCUE !
VALIDATE JWT TOKENS 11 Don’t trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended) Reject None! Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims and your own claims See details Learn the best practices for keeping your JWTs secure. 3 OPENAPI SPECIFICATION (AGAIN) to the RESCUE !
FINE-GRAIN AUTHORIZATION 12 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution (XACML!) 4
FINDING VULNERABILITIES 13
START EARLY: SHIFT LEFT ! 14 DeploymentTestingDevelopmentDesign
15 Development Security Operations Business
COVER THE BASICS 16 Automated Analysis Static code analysis 3rd party libraries validation (CVEs), e.g. NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
HACK YOURSELVES! 17 API Scanning/Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (coming soon!) Transport analysis ✓ SSL Labs ✓ Hardenize Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
18 PROTECT YOUR APIS 3 Protect all APIs ( public, private, SaaS) AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls ✓ Enforce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Data Validation / JWT Validation / Auth / Azn ✓ Serves as Virtual Patching (as a WAF does for applications) ✓ Deploy at the edge and/or close to APIs (microservices architecture)
Use Development ticketing system for tracking issues Analyse runtime behaviour and raise issues automatically 19 MONITOR AND ANALYZE 4
JOIN THE MAILING LIST ! APISECURITY.IO NEWS AND TOOLS FOR BETTER API SECURITY
ADDITIONAL INFORMATION 21
PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS 22 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
CONTENT INJECTION: WORDPRESS API 23https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
TITLE TEXT Remote Command Execution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 24
25 https://www.talosintelligence.com/reports/TALOS-2018-0539/
26 Information Leakage (A3) Broken Access Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
N26 CONTINUED… 27
28 Failed to properly validate that you can’t input any other number than yours!
UNPROTECTED API ! (A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 29
AND OF COURSE …. EQUIFAX FOR A9 30
JWT TOKEN VALIDATION 31 Failed to properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
RESOURCES OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 32
RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 33
Ad

Recommended

42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop
42Crunch
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
42Crunch
 
Advanced API Security Patterns
Advanced API Security PatternsAdvanced API Security Patterns
Advanced API Security Patterns
42Crunch
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
42Crunch
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
42Crunch
 
Guidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsGuidelines to protect your APIs from threats
Guidelines to protect your APIs from threats
Isabelle Mauny
 
Why you need API Security Automation
Why you need API Security AutomationWhy you need API Security Automation
Why you need API Security Automation
42Crunch
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
42Crunch
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
Isabelle Mauny
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
42Crunch
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
42Crunch
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 

More Related Content

What's hot (20)

OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
Isabelle Mauny
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
42Crunch
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
42Crunch
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
Isabelle Mauny
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
42Crunch
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
42Crunch
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 

Similar to Better API Security with Automation (20)

Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays
 
Azure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration TestsAzure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration Tests
Roy Kim
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
alessiomarziali
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
Outpost24
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
John Staveley
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays
 
Azure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration TestsAzure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration Tests
Roy Kim
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
alessiomarziali
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
Outpost24
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
John Staveley
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Ad

Recently uploaded (20)

COBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM CertificateCOBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM Certificate
VICTOR MAESTRE RAMIREZ
 
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Prachi Desai
 
Rebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core FoundationRebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core Foundation
Cadabra Studio
 
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The SequelMarketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
BradBedford3
 
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps CyclesFrom Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
Marjukka Niinioja
 
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
SheenBrisals
 
Essentials of Resource Planning in a Downturn
Essentials of Resource Planning in a DownturnEssentials of Resource Planning in a Downturn
Essentials of Resource Planning in a Downturn
OnePlan Solutions
 
Design by Contract - Building Robust Software with Contract-First Development
Design by Contract - Building Robust Software with Contract-First DevelopmentDesign by Contract - Building Robust Software with Contract-First Development
Design by Contract - Building Robust Software with Contract-First Development
Par-Tec S.p.A.
 
The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...
Prachi Desai
 
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptxHow AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
kalichargn70th171
 
Bonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdfBonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdf
Herond Labs
 
Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!
PhilMeredith3
 
Topic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptxTopic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptx
marutnand8
 
14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework
Angelo Theodorou
 
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI SearchAgentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Maxim Salnikov
 
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentricIntegration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Natan Silnitsky
 
Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3
Gaurav Sharma
 
Boost Student Engagement with Smart Attendance Software for Schools
Boost Student Engagement with Smart Attendance Software for SchoolsBoost Student Engagement with Smart Attendance Software for Schools
Boost Student Engagement with Smart Attendance Software for Schools
Visitu
 
Best Inbound Call Tracking Software for Small Businesses
Best Inbound Call Tracking Software for Small BusinessesBest Inbound Call Tracking Software for Small Businesses
Best Inbound Call Tracking Software for Small Businesses
TheTelephony
 
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
Nacho Cougil
 
COBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM CertificateCOBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM Certificate
VICTOR MAESTRE RAMIREZ
 
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Prachi Desai
 
Rebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core FoundationRebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core Foundation
Cadabra Studio
 
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The SequelMarketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
BradBedford3
 
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps CyclesFrom Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
Marjukka Niinioja
 
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
SheenBrisals
 
Essentials of Resource Planning in a Downturn
Essentials of Resource Planning in a DownturnEssentials of Resource Planning in a Downturn
Essentials of Resource Planning in a Downturn
OnePlan Solutions
 
Design by Contract - Building Robust Software with Contract-First Development
Design by Contract - Building Robust Software with Contract-First DevelopmentDesign by Contract - Building Robust Software with Contract-First Development
Design by Contract - Building Robust Software with Contract-First Development
Par-Tec S.p.A.
 
The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...
Prachi Desai
 
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptxHow AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
kalichargn70th171
 
Bonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdfBonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdf
Herond Labs
 
Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!
PhilMeredith3
 
Topic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptxTopic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptx
marutnand8
 
14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework
Angelo Theodorou
 
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI SearchAgentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Maxim Salnikov
 
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentricIntegration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Natan Silnitsky
 
Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3
Gaurav Sharma
 
Boost Student Engagement with Smart Attendance Software for Schools
Boost Student Engagement with Smart Attendance Software for SchoolsBoost Student Engagement with Smart Attendance Software for Schools
Boost Student Engagement with Smart Attendance Software for Schools
Visitu
 
Best Inbound Call Tracking Software for Small Businesses
Best Inbound Call Tracking Software for Small BusinessesBest Inbound Call Tracking Software for Small Businesses
Best Inbound Call Tracking Software for Small Businesses
TheTelephony
 
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
Nacho Cougil
 
Ad

Better API Security with Automation

  • 1. The API Security Platform for the Enterprise ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER [email protected] BETTER SECURITY WITH AN AUTOMATED APPROACH
  • 2. OWASP : FROM 2010 THROUGH 2017 2 TOP 10 2010 A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Top 10 2017 A1: Injection* A2: Broken Authentication A3: Sensitive Data Exposure* A4: XML External Entities (XXE)* A5: Broken Access Control* A6: Security Misconfiguration* A7: Cross-Site Scripting (XSS)* A8: Insecure Deserialization* A9: Using Components with Known Vulnerabilities* A10: Insufficient Logging&Monitoring *= API related
  • 3. 3By 2022 APIs will become the most common attack vector - Gartner
  • 4. HOW DID WE GET THERE? 4
  • 6. 6
  • 8. 8
  • 10. VALIDATE AND SANITIZE INPUT 10 URL validation Verb validation ✓ Reject if not valid Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPENAPI SPECIFICATION to the RESCUE !
  • 11. VALIDATE JWT TOKENS 11 Don’t trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended) Reject None! Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims and your own claims See details Learn the best practices for keeping your JWTs secure. 3 OPENAPI SPECIFICATION (AGAIN) to the RESCUE !
  • 12. FINE-GRAIN AUTHORIZATION 12 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution (XACML!) 4
  • 14. START EARLY: SHIFT LEFT ! 14 DeploymentTestingDevelopmentDesign
  • 16. COVER THE BASICS 16 Automated Analysis Static code analysis 3rd party libraries validation (CVEs), e.g. NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
  • 17. HACK YOURSELVES! 17 API Scanning/Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (coming soon!) Transport analysis ✓ SSL Labs ✓ Hardenize Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
  • 18. 18 PROTECT YOUR APIS 3 Protect all APIs ( public, private, SaaS) AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls ✓ Enforce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Data Validation / JWT Validation / Auth / Azn ✓ Serves as Virtual Patching (as a WAF does for applications) ✓ Deploy at the edge and/or close to APIs (microservices architecture)
  • 19. Use Development ticketing system for tracking issues Analyse runtime behaviour and raise issues automatically 19 MONITOR AND ANALYZE 4
  • 20. JOIN THE MAILING LIST ! APISECURITY.IO NEWS AND TOOLS FOR BETTER API SECURITY
  • 22. PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS 22 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
  • 23. CONTENT INJECTION: WORDPRESS API 23https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  • 24. TITLE TEXT Remote Command Execution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 24
  • 26. 26 Information Leakage (A3) Broken Access Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
  • 28. 28 Failed to properly validate that you can’t input any other number than yours!
  • 29. UNPROTECTED API ! (A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 29
  • 30. AND OF COURSE …. EQUIFAX FOR A9 30
  • 31. JWT TOKEN VALIDATION 31 Failed to properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
  • 32. RESOURCES OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 32
  • 33. RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 33