

September 21, 2023

apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan Mardak, Akamai Technologies

apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023

APIs: The Attack Surface That Connects Us All
Stefan Mardak
Enterprise Security Architect, Principal at Akamai Technologies


Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?

Learn more on APIscene, the global media made by the community for the community:

Explore the API ecosystem with the API Landscape:




  1. Slide 2, Introduction:
     How many APIs do you have? How convenient do you find it to manage your APIs? Do you think your APIs are well secured?
  2. Slide 3:
     APIs: The Attack Surface That Connects Us All. Stefan Mardak, Enterprise Security Architect, Principal.
  3. Slide 4:
     1061: average number of applications per enterprise, including mission-critical applications.
     Source: 2023 Connectivity Benchmark Report by MuleSoft, in collaboration with Deloitte Digital.
  4. Slide 5, The API Security Environment:
     By 2024, API abuses and related data breaches will nearly double.[1]
     Existing application security solutions were not built for APIs.
     31% of web traffic is APIs.[2]
     More APIs deployed every day; more API traffic; more API attacks.
     [1] Gartner: Top 10 Things Software Engineering Leaders Need to Know About APIs.
     [2] Akamai threat researchers have identified that 31% of all traffic protected by Akamai is API traffic.
  5. Slide 6, What is your API landscape?
     East-West APIs, inside your organization: Business Unit A, Business Unit B; App A, App B, App C.
     North-South APIs, which you open to the outside: authenticated web app and mobile APIs (B2C: mobile app, website); partner APIs (B2B).
  6. Slide 7, APIs Have a Large Attack Surface:
     Existing controls: known threat protection (bot mitigation, WAF); authentication & authorization (API gateway); DDoS protection (DNS, infrastructure, Layer 7); cloud security (CWPP, CSPM, SWSEG).
     Remaining risks: account takeover, unauthorized data access, data harvesting.
     Authenticated users and partners are the riskiest: B2B / partner integration; user access fraud / business logic abuse.
  7. Slide 8, OWASP Top 10 API Security Risks – 2023:
     https://owasp.org/API-Security/editions/2023/en/0x11-t10/
     Only #1 can be addressed by authentication & authorization at an API gateway.
  8. Slide 9, API Security Problems (today's focus vs. tomorrow's focus):
     Discover Shadow APIs: discover your complete API footprint, including rogue, legacy, admin, zombie, etc.
     Determine Vulnerable APIs: prevent OWASP Top 10 vulnerabilities and misconfigurations from hitting production.
     Detect API Abuse: stop business logic abuse such as data scraping or data exfiltration using behavioral analytics.
  9. Slide 10, Reinventing API Security:
     AI-driven | 100% SaaS platform | Data rich | API Detection and Response.
     Continuous API discovery (Shadow APIs); risk audit & posture alerts (Vulnerable APIs); behavioral alerts, detection & response (API abuse); visibility, investigations & threat hunting.
  10. Slide 11, Why you need API Security?
     • Discovery of APIs in any environment
     • Determine risk posture (OWASP API Top 10)
     • Understanding API user behavior
     • Detect API abuse
     • Perform investigations and threat hunting
     API Security Problems, by control:
     WAAP: focused on external threats; B2C only. Detection: signatures & ML.
     API Gateway: focused on gateway functions (AuthN | AuthZ | rate limiting). Detection: none.
     API Security: focused on all API traffic; B2C & B2B | North-South | East-West. Detection: behavioral analytics.
     Diagram labels: API activity data lake; DDoS, Bot, WAF, API firewall; bad / good; partner traffic on authentication APIs; any API traffic that bypasses the API gateway (whitelisted); Shadow API; East-West.
  11. Slide 12