Wednesday, October 28, 2020
The immense growth of API enabled business offerings and services, has placed API traffic as over 80% of the total web traffic. According to Gartner, around 90% of web apps will possess exposed APIs as attack surface than the frontends. This portrays an increased amount of potential API vulnerabilities over the month and year. Though the release of the OWASP Top 10 - API Security will provide a great enablement vehicle to the secure API development professionals but due to the immense growth and market opportunities, it will not be a too difficult ask to any security professionals to predict an increased amount of API vulnerabilities over the next couple of years.
Which key API vulnerabilities dominated over the last year [October'2019 to October'2020 i.e., since Platform Summit 2019 to 2020]? What are the common lessons we could derive from those API vulnerabilities?
This talk will provide an overview of five most noteworthy vulnerabilities (with CVEs) of last year and will bring key lessons to the API professionals in the development of secure API.
The things you've done to secure your previous web apps might not be enough for your APIs. We'll review the OWASP API Security Top 10, reviewing the biggest risks and ways to mitigate them.
According to Gartner, APIs now account for over 40% of web/mobile application attack surface. Most API vulnerabilities come from business-logic, role-configuration, and other non-conventional flaws.
This session will go over the top vulnerabilities in APIs and build an automated & continuous API security testing strategy. The Shift-Left/DevSecOps strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.
When building cloud applications, we should always bear in mind that our services are exposed on the Internet and can be accessed by anyone and may have untrusted users.
Because of this, we need to be proactive and aware of these possible security threats so that we can design our cloud applications to be able to handle them properly. Apart from preventing malicious attacks, cloud applications must also be designed to protect sensitive data and grant access for certain resources to only authorized users.
In this session, I will be talking about 3 security patterns that can be used to prevent malicious or accidental actions outside of the applications designed usage, and to prevent disclosure or loss of information when building for the cloud.
PRO SESSION (API): Fighting Fraud and Friction in Mobile Apps with Location-Based Behavioral Biometrics SDK and APIsJoin on Hopin
Mobile fraud is increasing at alarming rates. Traditional web-centric security defenses based on static credentials and cumbersome two-factor authentication are no longer sufficient for protecting against mobile fraud. To ensure that neither user experience or security are compromised, mobile applications require identification and authentication techniques, specifically designed for the mobile experience, that not only protect against fraud but that are completely frictionless for the user. Location-based behavioral biometrics offers the opportunity for frictionless fraud prevention for mobile users, and the best part is, all the user has to do is be themselves.
This session will explore the use of network signals from GPS, Cell, Wi-Fi and on-device sensors to track location behavior and use for mobile fraud detection without the capture or storage of a user’s Personally Identifiable Information (PII). Developers will learn how their companies can make use of a location-based behavioral biometrics SDK and unique location fingerprints, device integrity and address verification APIs for advanced mobile fraud detection.
"Losing my religion" is an expression from the southern region of the United States that means “at my wit's end". While the internet is full of best practices, guidelines, and security tooling, getting software engineers to adopt, understand and remediate threats can be challenging, and can often make one believe that they are “losing my religion”. This talk will outline successful and unsuccessful approaches to API security in a global enterprise, and how companies can actually realize value from their API security efforts, as well as methods to get software engineers to become security advocates.
APIs. They’ve been around for years in one form or another, bringing the benefits of ease of use, efficiency and flexibility to the development community.
The beauty of using APIs for mobile and web apps is that you can build and deploy functionality and data integrations quickly. But that's the huge downside, too. Undermining the power of an API driven development methodology are shadow, deprecated and non-conforming APIs that when exposed to the public, introduce the risk of data loss, compromise or automated fraud.
The stateless nature of APIs and their ubiquity makes protecting them increasingly difficult. A challenge that is amplified by the wide range of API security alternatives. This session will delve into the different approaches to protecting APIs from a range of security risks and how should security and development teams approach a consistent protection philosophy.
How to secure micro service communication via JWT. How to overcome challenges in adopting to the new lightweight security into your Rest, RPC, GraphQL endpoints. Discuss potential issues around onboarding secure communication. Touch upon alternative approaches like SAML, Oauth and others.
Planning on introducing a mobile app into your product mix? Expect fresh attacks on your API infrastructure. User credentials try to identify who is calling your API, but they are a frequent target for hackers. Often overlooked is the importance of identifying, not just who, but what is calling your API - is it your authentic, untampered app running in a clean and secure environment, or is it a fake app or malicious bot? Can a hacker get between app and API backend in an insecure channel? These techniques complement user authentication and AI and traditional backend protections to ensure your APIs are not being abused. We'll use the context of a ride-sharing app to show how layering just a few additional techniques bolster both the strength and the determinism of your overall API security.