INTERFACE by apidays 2023 - Security Exposure Management in API First World, Sandeep Nain, Carta

INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023

Security Exposure Management in API First World
Sandeep Nain, VP Security and Trust at Carta

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

July 11, 2023

Transcript

  1. Who am I

    Sandeep Nain
    • VP of Security, Carta
    • Head of Security Partners, Meta / Facebook
    • Managing Principal, HPE Fortify
    • Advisor: Riscosity, Araali Networks
    • Two decades in information security
    • Built security organizations and comprehensive security programs
  2. Security needs to reduce risk at low operational cost

    Diagram: the asset classes Devices, Infrastructure, Software Supply Chain and Apps pass through the exposure-management steps Identify Assets, Detect Vulnerabilities, Triage Vulnerabilities, Identify Remediator and Remediate Exposures, spanning Technologies, Processes and People.
  3. Managing security exposures is an expensive manual process that fails 7/10 times

    • Inefficient use of security engineers on the monotonous operational work of triaging vulnerabilities, a.k.a. identifying exposures
    • Fixing non-logic security exposures is a distraction for engineers, thus leaving exposures unmitigated
    • Expensive security engineers are tasked to find the best person to fix the exposure
    • ESG Security Posture Management Survey 2021: organizations have experienced a cyber attack that started from an unknown, unmanaged or poorly managed asset
  4. Eliminating manual operational overhead from security exposure management using “actuator” software

    • Automatically triages security exposures and identifies the root cause
    • Automatically identifies the most appropriate person for mitigation, a.k.a. the remediator
    • Offers exposure remediation within engineering processes
  5. Current tech landscape is ripe for such innovation

    • Adoption of APIs by security technology vendors
    • Mass adoption of API-enabled cloud infrastructure
    • DevOps standardization of release management technologies with API support
  6. Step 1: Gather disparate data from existing tech stack

    Gather detailed information in graph format. Diagram: the sources CI/CD, Security Products, Git and Infra feed one graph with a time series; monitor for assets and configuration changes across the organization; a delta discovered becomes a security exposure identified.
  7. Step 1: Gather disparate data from existing tech stack (continued)

    Same diagram as slide 6, with an SBOM* panel:

    SBOM: “accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;”**

    • Entry Points: APIs; Serverless
    • Third Party Code: Open Source Dependencies; Commercial Libraries; Licenses
    • Data Management: Data Types; Data Classification; Data format
    • Code Structure: Repositories; Code Modules
    • Orchestration: Services; Deployments
    • Infrastructure: Terraform; Dockerfiles
    • Security Risks*: OSS security risk assessment and SCA findings; SAST findings; weaknesses in entry points; exposed secrets in code; license compliance issues; SCA and CI/CD access control weaknesses; infrastructure misconfigurations; weak branch protection rules; risky material changes; missing security tool coverage

    * https://apiiro.com/blog/extended-software-bill-of-materials-xbom-sbom/
    ** https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
  8. Step 2: Convert data into actionable intelligence

    Gather detailed information in a graph format. The diagram from slide 6 (CI/CD, Security Products, Git and Infra sources; monitor for assets and configuration changes across the organization; delta discovered; security exposure identified; time series) gains an “Auto-prioritize” stage fed by:
    • EPSS Score*
    • Reachability Analysis**
    • Exploitability Context
    • Infrastructure
    • Time Series: Retrospective and Predictive

    * EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/)
    ** https://www.phylum.io/automated-vulnerability-reachability
  9. Step 2: Convert data into actionable intelligence (continued)

    Same diagram as slide 8; the stage is now “Auto-triage & prioritize security exposure”, and its first output is “Exposure root-cause discovered” (Technical Context): an SBOM in graphical format enables you to identify the source of vulnerable assets automatically.
  10. Step 2: Convert data into actionable intelligence (continued)

    Same diagram as slide 9, adding “Identify the remediator for the exposure”: Resource tagging; Git blame.
  11. Step 2: Convert data into actionable intelligence (continued)

    Same diagram as slide 10, adding “Code fix generated” by Generative AI (LLM).
  12. Step 2: Convert data into actionable intelligence (continued)

    Same diagram as slide 11, adding “One-click remediation sent to the remediator via Slack”.
  13. Step 2: Convert data into actionable intelligence (continued)

    Same diagram as slide 12, adding “PR created to update asset”.
  14. APIs enable security to reduce risk at low operational cost

    Diagram as on slide 2 (Devices, Infrastructure, Software Supply Chain, Apps; Identify Assets, Detect Vulnerabilities, Triage Exposures, Identify Remediator, Remediate Exposures; Technologies), now highlighting:
    • Facilitates distributed security decision making
    • Removes pain & provides immediate value to security teams & engineers
  15. In future, more organizations will opt for “distributed security decision making”. This will require:

    • Elimination of operational work. Enrich information sourced from point solutions in SBOM format, convert it into security actions and deliver them to the right stakeholders quickly.
    • Minimum friction for engineering. Usage of most security technologies drops drastically within the first few weeks due to the learning curve and friction. Such automation will meet the users where they are, and hence provide maximum ROI.

    Leveraging APIs to automate security exposure management will enable ‘distributed security decision making’.
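The Step 1 and Step 2 sequence on slides 6 through 13 (a graph of services, repositories and components; EPSS and reachability enrichment; root-cause lookup through the graph; remediator chosen via resource tagging and git blame) can be modelled end to end in a few dozen lines. The Python below is an added example written for this page, not code from the talk, from Carta or from any vendor named on the slides. The graph, the services, the component names, the owner tags and the FINDING-n identifiers are constructed placeholders, and the priority bands are an illustrative policy rather than a standard.

```python
"""Toy model of the Step 1 / Step 2 pipeline sketched on the slides.

Everything here is constructed for illustration: services, repositories,
component names, owners and the FINDING-n ids are placeholders, not real
packages, teams or CVEs. Not code from the talk or from any product.
"""

# Step 1 output: disparate data already gathered into one xBOM-like graph.
# Node kinds: service -> repository -> component. Services carry resource
# tags; repositories carry git-blame style "last committer per manifest".
NODES = {
    "svc:payments-api":   {"kind": "service", "tags": {"owner": "team-payments", "internet_facing": "true"}},
    "svc:batch-reporter": {"kind": "service", "tags": {"owner": "team-data", "internet_facing": "false"}},
    "repo:payments": {"kind": "repository", "blame": {"requirements.txt": "alice@example.test"}},
    "repo:reporter": {"kind": "repository", "blame": {}},  # no blame data: exercises the owner-tag fallback
    "pkg:pypi/jsonparse@1.2.0": {"kind": "component"},
    "pkg:golang/imgconv@0.9.1": {"kind": "component"},
    "pkg:pypi/leftpad@0.1.0":   {"kind": "component"},
}
EDGES = [
    {"src": "svc:payments-api",   "rel": "deploys", "dst": "repo:payments"},
    {"src": "svc:batch-reporter", "rel": "deploys", "dst": "repo:reporter"},
    {"src": "repo:payments", "rel": "depends_on", "dst": "pkg:pypi/jsonparse@1.2.0", "manifest": "requirements.txt"},
    {"src": "repo:payments", "rel": "depends_on", "dst": "pkg:pypi/leftpad@0.1.0",   "manifest": "requirements.txt"},
    {"src": "repo:reporter", "rel": "depends_on", "dst": "pkg:golang/imgconv@0.9.1", "manifest": "go.mod"},
]

# Constructed SCA findings, already enriched with the two signals the slides
# name: an EPSS probability and a reachability verdict for the vulnerable code.
FINDINGS = [
    {"id": "FINDING-1", "component": "pkg:pypi/jsonparse@1.2.0", "cvss": 9.8, "epss": 0.62, "reachable": True},
    {"id": "FINDING-2", "component": "pkg:golang/imgconv@0.9.1", "cvss": 9.1, "epss": 0.04, "reachable": False},
    {"id": "FINDING-3", "component": "pkg:pypi/leftpad@0.1.0",   "cvss": 5.3, "epss": 0.01, "reachable": True},
]


def incoming(dst, rel):
    """Edges of relation `rel` that point at `dst` (walk the graph upstream)."""
    return [e for e in EDGES if e["dst"] == dst and e["rel"] == rel]


def root_causes(component):
    """Trace a vulnerable component back to the manifest, repository and
    service that introduce it: the slides' "exposure root-cause discovered"."""
    causes = []
    for dep in incoming(component, "depends_on"):
        for deploy in incoming(dep["src"], "deploys"):
            causes.append({"service": deploy["src"], "repo": dep["src"], "manifest": dep["manifest"]})
    return causes


def priority(finding, service):
    """Exploitability context: start from the EPSS probability, scale it down
    when the vulnerable code is unreachable and up when the service is
    internet facing. Bands are an illustrative policy, not a standard."""
    score = finding["epss"]
    if not finding["reachable"]:
        score *= 0.1
    if NODES[service]["tags"].get("internet_facing") == "true":
        score *= 1.5
    score = round(min(score, 1.0), 3)
    band = "P1" if score >= 0.5 else "P2" if score >= 0.05 else "P3"
    return score, band


def remediator(cause):
    """Resource tagging plus git blame: the last committer of the manifest
    wins; the owning team from the service's tags is the fallback."""
    blame = NODES[cause["repo"]].get("blame", {})
    return blame.get(cause["manifest"]) or NODES[cause["service"]]["tags"]["owner"]


def triage(findings=FINDINGS):
    """Step 2: one actionable exposure per (finding, root cause), highest priority first."""
    exposures = []
    for f in findings:
        for cause in root_causes(f["component"]):
            score, band = priority(f, cause["service"])
            exposures.append({
                "finding": f["id"], "component": f["component"], "score": score, "band": band,
                "service": cause["service"], "repo": cause["repo"], "manifest": cause["manifest"],
                "remediator": remediator(cause),
                "action": f"update {f['component']} in {cause['repo']}:{cause['manifest']}",
            })
    exposures.sort(key=lambda e: e["score"], reverse=True)
    return exposures


if __name__ == "__main__":
    for e in triage():
        print(f"{e['band']} {e['score']:.3f} {e['finding']} -> {e['remediator']}: {e['action']}")
```

Run as a script, it prints one line per exposure, ready to become the Slack message and pull request of slides 12 and 13; the high-CVSS but unreachable finding on the internal batch service drops to the lowest band while the reachable finding on the internet-facing API is the only P1. The fix generation and PR creation steps are deliberately left out: the `action` field is the hand-off point where a real pipeline would call the code host's API.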