Applying DevOps principles to API security

Transcript

1. WHY YOU NEED TO AUTOMATE API SECURITY ISABELLE MAUNY -

   CTO [email protected] The API Security Platform for the Enterprise

2. 2 Source: https:/ /blog.appdynamics.com/product/the-importance-of-monitoring-containers-infographic/ MULTIPLICATION OF ENDPOINTS

3. TITLE TEXT 3 App icon made by https://www.flaticon.com/authors/pixel-buddha Internal Partner

   Public RISE OF VIRTUAL APPLICATION NETWORKS

4. TITLE TEXT EVER FASTER PACE OF APP DELIVERY 4 APPLICATION


   DEVELOPMENT APPLICATION
 SECURITY

5. API SECURITY NEEDS TO 5 EVOLVE

6. 6 DEFINING “PROPER” SECURITY

7. 7 Authentication Integrity (transport & message) Audit Confidentiality (transport &

   message) Availability (Rate Limiting) Access Control Non Repudiation Data Validity (attacks protection)

8. 8 YES. You need to consider all of this… …

   AND you need to configure all aspects in the right way

9. 9 EASY TO GET THOSE WRONG!

10. 10 AND you need the right infrastructure…

11. “Security experts are going to have to figure out how

    to deliver ‘security as code’. Essentially, they have to translate every security requirement, every coding guideline, every ‘best practice,’ every threat model, and every security architecture into code that can run during the development, build, test, and deployment process. Even in operations, it’s critical that attack detection and response is fully automated.” Jeff Williams OWASP Top 10 project creator, about the (ex) A10 entry in OWASP Top 10. https://sdtimes.com/owasp-adds-unprotected-apis-insufficient-attack-protection-top-ten-2017-release/ 11

12. 12 THE SOLUTION ? DEVOPS, BUT WITH SECURITY ON!

13. LET’S SHIFT SECURITY LEFT! 13 Deployment Testing Development Design Security

    vulnerabilities are bugs. The later you find them, the more costly it is to fix them.

14. HACK YOURSELF ! Automated Scans ✓ Code Scans ✓ Infrastructure

    Scans Automated Hacking ✓ OWASP ZAP, BURP Chaos Engineering ✓ DDOS Attacks Test Security ✓ Authentication ✓ Authorization Complementary Initiatives ✓ Pen-Testing ✓ Bug Bounty ✓ Secure Code Reviews 14 1 Choose scanning platforms/tools where 
 functionality is exposed as APIs/CLI.

15. IT’S ILLEGAL TO ATTACK SYSTEMS! UNLESS ALLOWED TO… 15

16. 1. Use Threat Modelling to eval the APIs risk 2.

    Define security profiles by risk level 3. Apply security profiles automatically based on risk. 4. Avoid policies in code and API-specific 16 IMPLEMENT ‘POLICY AS CODE’ 2

17. 1. Easy to deploy even on developer’s laptops 2. Can

    be deployed hundreds of times 3. Immutable 17 USE A CONTAINERIZED PEP 3 VERIFY IMAGE INTEGRITY !

18. 1. Constant monitoring at all stages 2. Automated Response when

    possible. 3. Leverage Machine Learning (but be careful of false positives!) 18 MONITOR AND ANALYZE 4

19. FULL DEV-SEC-OPS CYCLE FOR APIS 19 Develop Assess Secure Test

    Document Deploy API is developed on platform of choice Continuous API testing including security testing Deploy to containerized PEP Configure and apply security policy from assessed risk Assess API description and evaluate risk level Document and annotate API with OpenAPI/Swagger

20. 20 RELIES ON STRONG COLLABORATION ACROSS OPERATIONS, DEVELOPMENT, SECURITY AND

    BUSINESS TEAMS PROPER SECURITY

21. 21 BUILD A SECURITY CHAMPIONS TEAM

22. IT’S NOT ABOUT IF, IT’S ABOUT WHEN. BE PREPARED. 22

23. 23 www.42crunch.com/whitepaper

24. CONTACT: [email protected] WWW.42CRUNCH.COM The API Security Platform for the Enterprise

25. RESOURCES Chaos Engineering ✓ http:/ /principlesofchaos.org ✓ https:/ /github.com/dastergon/awesome-chaos-engineering OWASP

    ZAP ✓ https:/ /www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https:/ /www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https:/ /www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https:/ /www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools 25

26. RESOURCES SSL Setup Scan ✓ https:/ /hardenize.com ✓ https:/ /securityheaders.io

    ✓ https:/ /www.ssllabs.com/ssltest/ 26