API Security / Compliance
Tuesday, October 26, 2021
API security is hard. API breaches now account for the majority of application/data breaches. Most web and mobile apps lack basic API-centric firewalls and gateways to protect the app and its data. This session will cover what developers need to know about the top API vulnerabilities and how to build an automated and continuous API security strategy.
Wednesday, October 27, 2021
More and more companies are faced today with the unique challenges of how to authenticate and authorize their APIs. This is so common that Broken Access Control is now the #1 vulnerability on the OWASP Top 10.
In this session, we will go over the best practices on how to authenticate and authorize your APIs, from the design phase to the real-time implementation phase. We will handle the authentication, authorization, access control and multi-tenancy aspects of API management, including real-life examples from RESTful and GraphQL based APIs.
APIs are everywhere, leading the digital transformation age. With 90% of all web traffic being via API calls, the attack surface and threat model has changed exponentially.
Agile development and rapid release cycles with iterative changes leave APIs vulnerable to attack; however, security testing of APIs has not kept up with this pace.
Security testing automation is key, integrated as part of your pipelines to put developers into the security testing driving seat, to rely less on manual testing and produce secure APIs by design.
Traditional security scanners are a blocker to this automation. They are hard to use, impossible to integrate, not developer friendly and produce too many false positives. This results in crippling human bottlenecks that stifle CI/CD, whether it's the need for security to constantly tweak scanners or the drain of manually validating vulnerabilities.
Either way, technical and security debt is compounded, resulting in insecure product hitting production. Change is needed, and fast.
In this session Oliver will cover:
1. Key features that your dev-first security tools need to enable developers to take ownership of security
2. How you can detect, prioritise and remediate security issues early, automated in the pipeline, for your REST, SOAP and GraphQL APIs
3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left
4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs
Over the past decade, we have witnessed a growing attempt to put security in the SDLC and to promote the "virtuous cycle." It is also true with API development. However, risk assessment campaigns still come too late in the dev cycle, and IT Security teams struggle to identify the risk earlier in cooperation with Dev teams. The OpenAPI Specification provides a set of rules and best practices to keep the interoperability in the ecosystem, and OWASP's API Security Top 10 gives an overview of the risks at play. In this talk, we'll present several use-cases of public APIs and their level of compliance with OAS standards, and we will suggest ways to remediate faster through a simple workflow between GRC, Security Operations, and Development Teams.
PRO TALK (API): Who in Your Organization Is Responsible for Protecting APIs in a Modern Application Architecture?
Modern applications and systems today are built by multiple teams, in multiple environments, and with more dependencies than ever. In this increasingly complex landscape, who is responsible for making sure that every API is protected, and which team should be accountable for ensuring the entire system is protected? In this session we will explore different patterns and best practices seen across thousands of customer applications and determine how developers can best work with devops and security teams to better protect APIs and larger applications in an increasingly complex and unsafe landscape.
Ping Identity is part of the Decentralized Identity Foundation, which aims to develop an open ecosystem for decentralized management of digital identities and ensure interoperability between all participants. Richard can discuss how the foundation is helping people gain control of their online identities and why an open-standards based approach to identity management is the key to better privacy, lower fraud, and a more ethical user experience.
APIs help drive efficiency and faster innovation, so organizations use more of them than ever, and they drive more functionality than ever. They’re also more attractive to hackers than ever, creating a potential nightmare for organizations with API-driven business applications.
In this session, we review first hand API threat research gleaned from a large financial institution. Its SaaS platform provides API services to thousands of partner banks and financial advisors, and security researchers found many alarming API vulnerabilities. Researchers were able to demonstrate exploits of these vulnerabilities, showing that anyone could:
- Read any financial records of any customer, despite lacking the proper authorization
- Delete any customer’s user accounts across the financial platform
- Tamper with authentication parameters and take over any account
- Launch an application-level denial of service attack that would render entire applications unavailable
Unfortunately, this financial institution isn’t unique. Attend this session to gain insights into API security best practices to prevent this nightmare from being yours.
API specifications are extremely useful for security teams to monitor API security/compliance conformance and make suggestions to keep your APIs secure. Many organizations, however, are generating specs that security teams are unaware of and that are often found by would-be attackers. In this session I will show some of the frameworks and tools utilized by attackers to find your API endpoints and enumerate endpoints that are missing standard security measures and are open for attack.
Coding is like gardening; it requires a good plan and good supplies, but most importantly continuous nurture and maintenance. In this talk, we will concentrate on refactorings and program transformations that help nurture good code by removing code smells and vulnerabilities. Refactoring code is second nature, primarily for modern language developers. But why limit refactoring to making code maintainable and understandable? What if there were refactorings that go beyond behavior preservation and make code more secure, more reliable, and faster? That would require tools that rewrite code with surgical precision, such that the undesirable behavior of the code is fixed while the good-path behavior of the code remains intact. Being integrated with source code and the development process, refactorings and program transformations not only help maintain good code, but also teach developers how to write and appreciate good code.
The use of GraphQL tends to expand quickly as its capabilities manifest into compelling digital experiences, and users across the organization envision how to tap into its potential. It’s important, therefore, to think proactively about reducing the attack surface area to protect both the performance of your graph and the data behind it. This session will provide prescriptive recommendations for reducing the GraphQL API attack surface area, including best practices and lessons learned based on the experiences of developers integrating GraphQL at companies of all industries and sizes.
We deal with HTTP based APIs for many of our common interactions between services and system components. Not all services we want to communicate with use HTTP, and when confronted with a service that doesn’t use it, getting started can be intimidating. In this talk, we’ll use RabbitMQ Streams as our example service and cover all of the design and implementation considerations needed to work with a non-HTTP API.
Jonas Iggbom, Director of Sales Engineering at Curity will provide an overview of what a Hypermedia API is and how it can be used for browser-less authentication on iOS and Android. This coupled with the WebAuthn standard for passwordless authentication provides a great user experience especially on mobile devices where the browser context does not have to be invoked and for example FaceID can be used to authenticate the user. Jonas will demo an approach where both technologies work in synergy to provide the most seamless user authentication possible on mobile devices today.
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Enables Continuous API Security
Security teams are struggling to keep up with the increasing volume and scale of APIs as traditional security and API management solutions simply cannot address all API security challenges. The time is now right for a continuous approach to API Security that combines a shift-left and shield-right approach to ensure full protection for APIs. Isabelle explores how a continuous approach to API security can be achieved, that combines proactive application security measures with continuous activity monitoring, API-specific threat analysis, and runtime policy enforcement. She discusses how the security and compliance risks that APIs are exposed to are shaping how DevSecOps teams address the challenges with a developer-first API security approach.
Application security is shifting into the development pipeline - that’s no longer up for debate.
But as we shift where we test for vulnerabilities in the SDLC, we also need to rethink how we test. Protecting our most sensitive data requires evolving from testing that focuses on client-side web apps to automated security testing of our backing APIs.
Join StackHawk Chief Security Officer Scott Gerlach as he dives into why API security is a critical component of modernizing any AppSec program, and provides practical suggestions for attendees to start implementing API-first security testing.
APIs are central to digital transformation. Public cloud adoption and cloud-native designs capitalize on APIs as a foundational building block. Meanwhile, Gartner predicts that APIs will become the most frequently targeted attack vector by 2022.
This discussion will highlight strategies for security and risk management of the modern API ecosystem — API discovery and inventory, API cyber attack prevention, API misconfiguration detection, and continuous API vulnerability identification and testing.
We’ll share best practices for orchestration across business, technology, and security teams to empower API-centric business and technology strategies with a shared, complete picture of API risks from code to production.
Thursday, October 28, 2021
OPEN TALK (API): The Real World, API Security Edition: When Best Practices Stop Being Polite and Start Being Real
API security has emerged as a top priority for protecting vital data and services. Unfortunately, many organizations are just one vulnerable API away from a privacy incident or data breach, and it’s an area where many companies lack expertise.
This “real world” episode shares six essential techniques, drawn straight from the trenches of customer deployments, to help guide your API security best practices.
Join us for a discussion of these key areas:
- API documentation, discovery, and cataloging to improve awareness of your API attack surface
- Runtime protection to prevent sensitive data exposure and protect your APIs from abuse
- API-centric security operations so you're prepared in the event of an API incident or breach
This session will also share ways to make it easier and more automatic to address the many elements of API security.
Come find out what happens…when APIs stop being vulnerable. And start getting secure.
In this talk, Travis Spencer, CEO at Curity, will explain what a hypermedia API is and how it can be applied to the problem of login. He will explain how hypermedia is an architectural pattern that lends itself to exposing the state machine that a user transitions through when authenticating. Travis will also show how such an API allows seamless, browser-less integration of authentication into mobile and single-page applications. The demonstration that he performs will show these concepts in a real-world scenario. He will discuss the security challenges involved in creating such an API, and leave the audience with resources, websites, and open-source examples where they can go to learn more.
The “API First” mantra is great for business innovation, but the end result can often be a wild jungle of APIs that leaves your security team scrambling to ensure adequate API controls are in place to safeguard the business. In this session, we’ll cover a practical strategy to help implement API security across the organization from development through run-time and threat remediation. You’ll see a demonstration of the tools and techniques that, when used with the right methodology, can help your team tame the API jungle.
According to Gartner, APIs account for the majority of the public/web/mobile application attack surface. The most exploited vulnerabilities no longer come from web server misconfiguration, SQL injection or browser hacks; instead, the majority of widely exploited vulnerabilities now come from application logic, access controls, and other non-conventional flaws. This session will go over the top vulnerabilities in APIs and build an automated and continuous API security testing strategy. The shift-left strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.