PRO TALK (API): API Security and Compliance – Onboarding Developers into Organization 2.0.

Over the past decade, we have witnessed a growing effort to build security into the SDLC and to promote the "virtuous cycle." The same is true of API development. However, risk assessment campaigns still come too late in the development cycle, and IT Security teams struggle to identify risk earlier in cooperation with Dev teams. The OpenAPI Specification provides a set of rules and best practices that preserve interoperability across the ecosystem, and OWASP's API Security Top 10 gives an overview of the risks at play. In this talk, we'll present several use cases of public APIs and their level of compliance with OAS standards, and we will suggest ways to remediate faster through a simple workflow between GRC, Security Operations, and Development teams.
Rémi Le Mer is an experienced network and security specialist whose professional career began in 1999. Prior to joining Qualys in 2015, Rémi worked for ten years as a network and security engineer in the French industry and finance markets, implementing numerous appsec-oriented projects using a mix of vendor and open-source-based solutions. In 2009, Rémi dove into building WAF policies, and in 2013, he participated in authoring WAF operational programs.