apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan Mardak, Akamai Technologies

Transcript

1. 2 How many APIs do you have? How convenient do

   you find it to manage your APIs? Dou you think your APIs are well secured? Introduction

2. 3 APIs: The Attack Surface That Connects Us All Stefan

   Mardak Enterprise Security Architect. Principal

3. 4 1061 Average number of applications per enterprise Including mission-critical

   applications Source: 2023 Connectivity Benchmark Report by MuleSoft In collaboration with Deloitte Digital

4. 5 By 2024, API abuses and related data breaches will

   nearly double.1 Existing application security solutions not built for APIs 31% web traffic is APIs 2 1 Gartner: Top 10 Things Software Engineering Leaders Need to Know About APIs 2 Akamai threat researchers have identified that 31% of all traffic protected by Akamai is API traffic More APIs deployed every day More API traffic More API attacks The API Security Environment

5. 6 What is your API landscape? Business Unit A Business

   Unit B East-West APIs Inside your organization App A App B App C North-South APIs you open to the outside Authenticated Web app, Mobile APIs | B2C Mobile App Website Partner APIs | B2B

6. 7 API’s Have a Large Attack Surface Known Threat Protection

   (Bot Mitigation, WAF) Authentication & Authorization (API Gateway) DDoS Protection (DNS, Infrastructure, Layer 7) Cloud Security (CWPP, CSPM, SWSEG) Account Takeover Unauthorized Data Access Data Harvesting Authenticated Users & Partners are the Riskiest B2B / Partner Integration User Access Fraud / Business Logic Abuse

7. 8 OWASP Top 10 API Security Risks – 2023 https://owasp.org/API-Security/editions/2023/en/0x11-t10/

   8 Only #1 can be addressed by Authentication & Authorization at an API gateway

8. 9 API Security Problems Today’s Focus Tomorrow’s Focus Discover your

   complete API footprint - including rogue, legacy, admin, zombie, etc. Prevent OWASP Top 10 vulnerabilities and misconfigurations from hitting production. Stop business logic abuse such as data scraping or data exfiltration using behavioral analytics. Discover Shadow APIs Determine Vulnerable APIs Detect API Abuse

9. 10 Reinventing API Security AI-Driven | 100% SaaS Platform |

   Data rich | API Detection and Response Continuous API Discovery Risk Audit & Posture Alerts Behavioral Alerts Detection & Response Be Visibility & Investigations & Threat Hunting Shadow APIs Vulnerable APIs API Abuse

10. 11 Why you need API Security? • Discovery of APIs

    in any environment • Determine risk posture (OWASP API Top 10) • Understanding API user behavior • Detect API abuse • Perform Investigations and threat hunting API Security Problems WAAP Focused on External Threats. B2C only. Detection: Signatures & ML API GATEWAY Focused on gateway functions. AuthN l AuthZ l Rate limiting Detection: None API Security Focused on all API traffic. B2C & B2B l North-South l East-West Detection: Behavioral Analytics API ACTIVITY DATA LAKE DDOS BOT WAF API FIREWALL BAD GOOD Partner traffic on authentication APIs Any API traffic that bypasses API gateway - (Whitelisted) Shadow API Shadow API East-West East-West

11. 12