API Security / Compliance

Tuesday, October 26, 2021

- PDT
PRO WORKSHOP (API): API Security Automation
Intesar Mohammed
Apisec, CTO & Co-Founder

API security is hard. API breaches now account for the majority of application and data breaches, and most web and mobile apps lack basic API-centric firewalls and gateways to protect the app and its data. This session will cover what developers need to know about the top API vulnerabilities and how to build an automated and continuous API security strategy.

Wednesday, October 27, 2021

- PDT
OPEN TALK (API): API Access Is Broken: This Is How You Fix It
Aviad Mizrachi
Frontegg, CTO & Co-Founder

More and more companies are faced today with the unique challenges of how to authenticate and authorize their APIs. The problem is so common that Broken Access Control has taken the number one spot on the OWASP Top 10.

In this session, we will go over best practices for authenticating and authorizing your APIs, from the design phase through to real-time implementation. We will cover authentication, authorization, access control and multi-tenancy aspects of API management, including real-life examples from RESTful and GraphQL based APIs.

- PDT
OPEN TALK (API): Rest Assured...API Security Testing Automation for CICD
Oliver Moradov
NeuraLegion, VP

APIs are everywhere, leading the digital transformation age. With 90% of all web traffic being via API calls, the attack surface and threat model have changed dramatically.

Agile development and rapid release cycles with iterative changes leave APIs vulnerable to attack; however, security testing of APIs has not kept up with this pace.

Security testing automation is key, integrated as part of your pipelines to put developers into the security testing driving seat, to rely less on manual testing and produce secure APIs by design.

Traditional security scanners are a blocker to this automation. They are hard to use, impossible to integrate, not developer friendly and produce too many false positives. This results in crippling human bottlenecks that stifle CI/CD, whether it's the need for security to constantly tweak scanners or the drain of manually validating vulnerabilities.

Either way, technical and security debt is compounded, resulting in insecure product hitting production. Change is needed, and fast.

In this session Oliver will cover:

1. Key features that your dev-first security tools need to enable developers to take ownership of security

2. How you can detect, prioritise and remediate security issues early, automated in the pipeline, for your REST, SOAP and GraphQL APIs

3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left

4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs

- PDT
PRO TALK (API): API Security and Compliance – Onboarding Developers into Organization 2.0.
Rémi Le Mer
Qualys, Security Solution Architect

Over the past decade, we have witnessed a growing attempt to put security into the SDLC and to promote the "virtuous cycle." The same is true of API development. However, risk assessment campaigns still come too late in the dev cycle, and IT Security teams struggle to identify risk earlier in cooperation with Dev teams. The OpenAPI Specification provides a set of rules and best practices to keep interoperability in the ecosystem, and OWASP's API Security Top 10 gives an overview of the risks at play. In this talk, we'll present several use cases of public APIs and their level of compliance with OAS standards, and we will suggest ways to remediate faster through a simple workflow between GRC, Security Operations, and Development teams.

- PDT
PRO TALK (API): Who in Your Organization Is Responsible for Protecting APIs in a Modern Application Architecture?
Brian Joe
Fastly, Head of Security Product Management

Modern applications and systems today are built by multiple teams, in multiple environments, and with more dependencies than ever. In this increasingly complex landscape, who is responsible for making sure that every API is protected, and which team should be accountable for ensuring the entire system is protected? In this session we will explore different patterns and best practices seen across thousands of customer applications and determine how developers can best work with devops and security teams to better protect APIs and larger applications in an increasingly complex and unsafe landscape.

- PDT
KEYNOTE (API): Ping Identity -- Ensuring Access to Digital Identities
Richard Bird
Ping Identity, Chief Customer Information Officer

Ping Identity is part of the Decentralized Identity Foundation, which aims to develop an open ecosystem for decentralized management of digital identities and ensure interoperability between all participants. Richard can discuss how the foundation is helping people gain control of their online identities and why an open-standards based approach to identity management is the key to better privacy, lower fraud, and a more ethical user experience.

- PDT
OPEN TALK (API): Nightmare on API Street - How to Avoid one FinTech's Horror
Michael Isbitski
Salt Security, Technical Evangelist

APIs help drive efficiency and faster innovation, so organizations use more of them than ever, and they drive more functionality than ever. They’re also more attractive to hackers than ever, creating a potential nightmare for organizations with API-driven business applications.

In this session, we review first-hand API threat research gleaned from a large financial institution. Its SaaS platform provides API services to thousands of partner banks and financial advisors, and security researchers found many alarming API vulnerabilities. Researchers were able to demonstrate exploits of these vulnerabilities, showing that anyone could:

- Read any financial records of any customer, despite lacking the proper authorization
- Delete any customer’s user accounts across the financial platform
- Tamper with authentication parameters and take over any account
- Launch an application-level denial of service attack that would render entire applications unavailable

Unfortunately, this financial institution isn’t unique. Attend this session to gain insights into API security best practices to prevent this nightmare from being yours.

- PDT
OPEN TALK (API): How Attackers Utilize API Specs to Attack Your APIs
Jason Kent
Cequence Security, Hacker in Residence

API specifications are extremely useful for security teams to monitor API security and compliance conformance and to make suggestions that keep your APIs secure. Many organizations, however, are generating specs that security teams are unaware of and that are often found by would-be attackers. In this session I will show some of the frameworks and tools attackers use to find your API endpoints and to enumerate endpoints that are missing standard security measures and are open to attack.

- PDT
PRO TALK (API): Good Code, Bad Code, and Vulnerable Code
Munawar Hafiz
OpenRefactory, CEO

Coding is like gardening: it requires a good plan and good supplies, but most importantly continuous nurture and maintenance. In this talk, we will concentrate on refactorings and program transformations that help nurture good code by removing code smells and vulnerabilities. Refactoring code is second nature for most modern-language developers. But why limit refactoring to making code maintainable and understandable? What if there were refactorings that go beyond behavior preservation and make code more secure, more reliable, and faster? That would require tools that rewrite code with surgical precision, so that the undesirable behavior of the code is fixed while the good-path behavior remains intact. Integrated with source code and the development process, refactorings and program transformations not only help maintain good code, but also teach developers how to write and appreciate good code.

- PDT
PRO TALK (API): How to Reduce GraphQL Attack Surface Area
Mandi Wise
Apollo GraphQL, Solutions Architect

The use of GraphQL tends to expand quickly as its capabilities manifest in compelling digital experiences, and users across the organization envision how to tap into its potential. It’s important, therefore, to think proactively about reducing the attack surface area to protect both the performance of your graph and the data behind it. This session will provide prescriptive recommendations for reducing the GraphQL API attack surface area, including best practices and lessons learned from the experiences of developers integrating GraphQL at companies of all industries and sizes.

- PDT
OPEN TALK (API): Writing Client Libraries for Non-HTTP APIs
Hunter Madison
Instana, an IBM Company, Senior Software Engineer

We deal with HTTP based APIs for many of our common interactions between services and system components. Not all services we want to communicate with use HTTP, and when confronted with a service that doesn’t use it, getting started can be intimidating. In this talk, we’ll use RabbitMQ Streams as our example service and cover all of the design and implementation considerations needed to work with a non-HTTP API.

- PDT
OPEN TALK (API): Live demo of browser-less login using a Hypermedia Authentication API
Jonas Iggbom
Curity, Director of Sales Engineering

Jonas Iggbom, Director of Sales Engineering at Curity, will provide an overview of what a Hypermedia API is and how it can be used for browser-less authentication on iOS and Android. Coupled with the WebAuthn standard for passwordless authentication, this provides a great user experience, especially on mobile devices, where the browser context does not have to be invoked and, for example, FaceID can be used to authenticate the user. Jonas will demo an approach where both technologies work in synergy to provide the most seamless user authentication possible on mobile devices today.

- PDT
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Enables Continuous API Security
Isabelle Mauny
42Crunch, Field CTO & Co-Founder

Security teams are struggling to keep up with the increasing volume and scale of APIs, as traditional security and API management solutions simply cannot address all API security challenges. The time is now right for a continuous approach to API security that combines shift-left and shield-right measures to ensure full protection for APIs. Isabelle explores how such a continuous approach can be achieved by combining proactive application security measures with continuous activity monitoring, API-specific threat analysis, and runtime policy enforcement. She discusses how the security and compliance risks that APIs are exposed to are shaping how DevSecOps teams address these challenges with a developer-first API security approach.

- PDT
OPEN TALK (API): API Security Testing: The Next Step in Modernizing AppSec
Scott Gerlach
StackHawk, Co-Founder & CSO

Application security is shifting into the development pipeline - that’s no longer up for debate.

But as we shift where we test for vulnerabilities in the SDLC, we also need to rethink how we test. Protecting our most sensitive data requires evolving from testing that focuses on client-side web apps to automated security testing of our backing APIs.

Join StackHawk Chief Security Officer Scott Gerlach as he dives into why API security is a critical component of modernizing any AppSec program, and provides practical suggestions for attendees to start implementing API-first security testing.

- PDT
KEYNOTE (API): Noname Security -- Securing APIs in a Cloud-First World
Mark Campbell
Noname Security, Sr. Dir of Product Marketing

APIs are central to digital transformation. Public cloud adoption and cloud-native designs capitalize on APIs as a foundational building block. Meanwhile, Gartner predicts that APIs will become the most frequently targeted attack vector by 2022.

This discussion will highlight strategies for security and risk management of the modern API ecosystem — API discovery and inventory, API cyber attack prevention, API misconfiguration detection, and continuous API vulnerability identification and testing.

We’ll share best practices for orchestration across business, technology, and security teams to empower API-centric business and technology strategies with a shared, complete picture of API risks from code to production.

Thursday, October 28, 2021

- PDT
OPEN TALK (API): The Real World, API Security Edition: When Best Practices Stop Being Polite and Start Being Real
Michael Isbitski
Salt Security, Technical Evangelist

API security has emerged as a top priority for protecting vital data and services. Unfortunately, many organizations are just one vulnerable API away from a privacy incident or data breach, and it’s an area where many companies lack expertise.

This “real world” episode shares six essential techniques, drawn straight from the trenches of customer deployments, to help guide your API security best practices.

Join us for a discussion of these key areas:

- API documentation, discovery, and cataloging to improve awareness of your API attack surface
- Runtime protection to prevent sensitive data exposure and protect your APIs from abuse
- API-centric security operations so you're prepared in the event of an API incident or breach

This session will also share ways to make it easier and more automatic to address the many elements of API security.

Come find out what happens…when APIs stop being vulnerable. And start getting secure.

- PDT
FEATURED TALK (API): Hypermedia API for Secure, Seamless User Authentication
Travis Spencer
Curity, CEO

In this talk, Travis Spencer, CEO at Curity, will explain what a hypermedia API is and how it can be applied to the problem of login. He will explain how hypermedia is an architectural pattern that lends itself to exposing the state machine that a user transitions through when authenticating. Travis will also show how such an API allows seamless, browser-less integration of authentication into mobile and single-page applications. The demonstration that he performs will show these concepts in a real-world scenario. He will discuss the security challenges involved in creating such an API, and leave the audience with resources, websites, and open-source examples where they can go to learn more.

- PDT
OPEN TALK (API): Adding Security Controls to the API Jungle
Mark Campbell
Noname Security, Sr. Dir of Product Marketing
Andre Kerstens
Noname Security, Senior Solution Architect

The “API First” mantra is great for business innovation, but the end result can often be a wild jungle of APIs that leaves your security team scrambling to ensure adequate API controls are in place to safeguard the business. In this session, we’ll cover a practical strategy to help implement API security across the organization from development through run-time and threat remediation. You’ll see a demonstration of the tools and techniques that, when used with the right methodology, can help your team tame the API jungle.

- PDT
OPEN TALK (API): API Security Testing Best Practices
Intesar Mohammed
Apisec, CTO & Co-Founder

According to Gartner, APIs account for the majority of the public, web and mobile application attack surface. The most exploited vulnerabilities no longer come from web server misconfigurations, SQL injection or browser hacks; instead, the majority of widely exploited vulnerabilities now come from application logic, access control, and other non-conventional flaws. This session will go over the top vulnerabilities in APIs and build an automated and continuous API security testing strategy. The shift-left strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.