INTERFACE by apidays 2023 - Security Exposure Management in API First World, Sandeep Nain, Carta

Transcript

1. Security Exposure Management in API First World Sandeep Nain

2. None

3. Who am I Sandeep Nain VP of Security, Carta Head

   of Security Partners, Meta / Facebook Managing Principal, HPE Fortify Advisor: Riscosity, Araali Networks Two decades in information security Built security organizations and comprehensive security programs

4. Security needs to reduce risk at low operational cost Devices

   Infrastructure Software Supply Chain Detect Vulnerabilities Triage Vulnerabilities Apps Identify Assets Identify Remediator Remediate Exposures Technologies Processes and People

5. Managing security exposures is an expensive manual process that fails

   7/10 times Inefficient use of security engineers on monotonous operational work of triaging vulnerabilities a.k.a. identifying exposures Fixing non-logic security exposures is distraction for engineers thus leaving exposures unmitigated Expensive security engineers tasked to find the best person to fix the exposure ESG Security Posture Management Survey 2021 organizations have experienced cyber attack that started from unknown, unmanaged or poorly managed asset

6. We need to eliminate manual operational overhead from security exposure

   management.

7. Two types of software

8. Eliminating manual operational overhead from security exposure management using “actuator”

   software Automatically triages security exposures and identifies root cause Automatically identifies most appropriate person for mitigation a.k.a. remediator Offers exposure remediation within engineering processes

9. Current tech landscape is ripe for such innovation Adoption of

   APIs by security technology vendors. Mass adoption of API-enabled cloud infrastructure DevOps standardization of release management technologies with API support

10. Step 1: Gather data from the tech stack

11. Step 1: Gather disparate data from existing tech stack Gather

    detailed information in graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Security exposure Identified Time Series Infra

12. Step 1: Gather disparate data from existing tech stack Gather

    detailed information in graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Security exposure Identified Time Series Infra SBOM: accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;”** SBOM* Entry Points: • APIs • Serverless Third Party Code: • Open Source Dependencies • Commercial Libraries • Licenses Data Management • Data Types • Data Classification • Data format Code Structure • Repositories • Code Modules Orchestration • Services • Deployments Infrastructure • Terraform • Dockerfiles Security Risks* OSS security risk assessment and SCA findings •SAST findings •Weaknesses in entry points •Exposed secrets in code •License compliance issues •SCA and CI/CD Access control weaknesses •Infrastructure misconfigurations •Weak branch protection rules •Risky material changes •Missing security tool coverage *https://apiiro.com/blog/extended-software-bill-of-materials-xbom-sbom/ **https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

13. Step 2: Convert data into actionable intelligence

14. Step 2: Convert data into actionable intelligence Gather detailed information

    in a graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Auto-prioritize Security exposure Identified Infrastructure EPSS Score Reachability Analysis Exploitability Context Time Series Retrospective Predictive Infra Infrastructure Reachability Analysis Reachability Analysis* *https://www.phylum.io/automated-vulnerability-reachability *EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/)

15. Step 2: Convert data into actionable intelligence Gather detailed information

    in a graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Auto-triage & prioritize security exposure Infrastructure EPSS Score Reachability Analysis Exploitability Context Time Series Retrospective Predictive Infra Infrastructure Reachability Analysis Reachability Analysis* *https://www.phylum.io/automated-vulnerability-reachability *EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/) Exposure root-cause discovered Technical Context SBOM in graphical format enable you to identify the source of vulnerable assets automatically.

16. Step 2: Convert data into actionable intelligence Gather detailed information

    in a graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Auto-triage & prioritize security exposure Infrastructure EPSS Score Reachability Analysis Exploitability Context Time Series Retrospective Predictive Infra Infrastructure Reachability Analysis Reachability Analysis* *https://www.phylum.io/automated-vulnerability-reachability *EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/) Exposure root-cause discovered Technical Context Identify the remediator for the exposure Resource tagging; Git blame

17. Step 2: Convert data into actionable intelligence Gather detailed information

    in a graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Auto-triage & prioritize security exposure Infrastructure EPSS Score Reachability Analysis Exploitability Context Time Series Retrospective Predictive Infra Infrastructure Reachability Analysis Reachability Analysis* *https://www.phylum.io/automated-vulnerability-reachability *EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/) Exposure root-cause discovered Technical Context Identify the remediator for the exposure Resource tagging; Git blame Infrastructure Generative AI (LLM) Code fix generated

18. Step 2: Convert data into actionable intelligence Gather detailed information

    in a graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Auto-triage & prioritize security exposure Infrastructure EPSS Score Reachability Analysis Exploitability Context Time Series Retrospective Predictive Infra Infrastructure Reachability Analysis Reachability Analysis* *https://www.phylum.io/automated-vulnerability-reachability *EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/) Exposure root-cause discovered Technical Context Identify the remediator for the exposure Resource tagging; Git blame One-click remediation sent to the remediator via Slack Infrastructure Generative AI (LLM) Code fix generated

19. Step 2: Convert data into actionable intelligence Gather detailed information

    in a graph format CI / CD Security Products CI/CD Git Monitor for assets and configuration changes across organization Delta discovered Auto-triage & prioritize security exposure Infrastructure EPSS Score Reachability Analysis Exploitability Context Time Series Retrospective Predictive Infra Infrastructure Reachability Analysis Reachability Analysis* *https://www.phylum.io/automated-vulnerability-reachability *EPSS: Exploit Prediction Scoring System (https://www.first.org/epss/) Exposure root-cause discovered Technical Context Identify the remediator for the exposure Resource tagging; Git blame One-click remediation sent to the remediator via Slack Infrastructure Generative AI (LLM) Code fix generated PR created to update asset

20. APIs enable security to reduce risk at low operational cost

    Devices Infrastructure Software Supply Chain Detect Vulnerabilities Triage Exposures Apps Identify Assets Identify Remediator Remediate Exposures Technologies Facilitate distributed security decision making Removes pain & provides immediate value to security teams & engineers

21. In future, more organizations to opt for “distributed security decision

    making”. This will require: • Elimination of operational work. Enrich information sourced from point solutions in SBOM format, converts them into security actions and delivers it to the right stake holders quickly. • Minimum friction for engineering. Usage of most security technologies drop drastically within first few weeks due to the learning curve and friction. Such automation will meet the users where they are, and hence provide maximum ROI. Leveraging APIs to automate security exposure management will enable ‘distributed security decision making’

22. Thanks