API Lifecycle: API Security / Compliance

Tuesday, October 25, 2022

- PDT
PRO Workshop (API): API Fuzz Testing Fundamentals
Alex Brewer
Alex Brewer
=ForAllSecure, Technical Solutions Engineer=

The goal of this 50 technical workshop is to explain what fuzz testing Is, then use a fuzz testing on a simple API server, understand and explain the benefits of API testing, and review fuzzing results to evaluate the API fuzzing targets for security and performance. 

- PDT
PRO Workshop (API): Automagic API Security Testing: Pre-prod Agent-Generated Tests FTW
Steve Chappell
Steve Chappell
Synopsys, SW Manager & API Security Evangelist

Most API Security tools/platforms are built for the Security teams that are told “here’s an API service already running – go secure it”. Thus, they take an outside-in approach of building a fence around a service and/or poking the service with a stick to see what outward reactions they can get. But even an ML-powered fence can’t stop everything. Shouldn’t we be improving the security inherent in our RESTful or GraphQL API service/microservices? Let's actually find and fix the flaws before the API is deployed. And before the developers reading this run screaming thinking this is another “shift [the extra work] left” talk, what we will advocate is a simply and scalably deployed agent that will do this work for us. It will automagically discover and ingest the API documentation (if it exists), create and run tests based on these docs, turn any other functional tests we already have into security tests, and output replayable exploits when they are found. “Agent-less” solutions don't have the visibility and controllability needed to realize the automagic of building a more secure API from the inside out. 

Wednesday, October 26, 2022

- PDT
PRO TALK (API): GraphQL: Great Flexibility, New Attack Vectors
Erez Yalon
Erez Yalon
Checkmarx, VP of Security Research
Paulo Silva
Paulo Silva
Checkmarx, Ethical Hacker / Senior Security Researcher

In recent years, GraphQL adoption has increased significantly. Developed by Facebook and introduced in 2012, GraphQL came with a proposal different than REST: native flexibility to those building and calling APIs.
As we know, with great flexibility come... new attack vectors!

In this session, we'll cover GraphQL-specific security risks and attack vectors. Beyond the commonly discussed topic of enabled introspection in production, we'll present and discuss how field suggestions can be abused, how common GraphQL Cross-Site
Request Forgery (CSRF) issues look like, and how attackers are using batching attacks, alias and directory overloading, and query depth issues for their advantage.

We want to shed some light on GraphQL-specific issues that
may hurt not only the system but also the business, leading to massive data leakages or Denial-of-Service (DoS). 

- PDT
OPEN TALK (API): Effective API Security: API Discovery, Runtime Protection, Security Analytics, Active Testing
Dan Gordon
Dan Gordon
Traceable, Technical Evangelist

APIs are the glue that connects all of our software systems. But our knowledge and ability to track and secure APIs has not kept up with our rapid adoption of them. This API sprawl introduces significant operational and security risks, yet securing your APIs is different than everything we've been doing to secure our applications to date. WAFs don't help. API gateways aren't enough. DAST testing isn't enough. So what do we need to do differently?


In this session we will discuss why and how the approach to securing APIs needs to be different. We'll look at what you should consider through the software development lifecycle. And we'll share some real-world examples of organizations that have built and maintained robust API security strategies, with impressive outcomes related to reduced risk, lowered costs, and more secure API development practices.

- PDT
PRO TALK (API): Securing Large API Ecosystems
Jonas Iggbom
Jonas Iggbom
Curity, Director of Sales Engineering

Security is never a simple task, the same applies to APIs. Properly securing APIs gets even more challenging when the API ecosystem grows substantially. It’s naturally easier for a company to protect a few endpoints than hundreds. As the API ecosystem grows, merely starting to use OAuth may not be enough. Proper handling of OAuth tokens and utilizing different features that OAuth offers is required. 

- PDT
PRO TALK (API): API Monitoring For better Management
Aravind Babu Ramadugu
Aravind Babu Ramadugu
Accenture, Mulesoft Mentor and Architect

API Monitoring is a very critical part of the entire API Ecosystem.
In this session, I will be covering How APIs can be monitored and how we can plan for predicting the issues through Monitoring and heal the APIs automatically. 

- PDT
OPEN TALK (API): API Security 101: Top API Vulnerabilities and how to Fix from Code
Isabelle Mauny
Isabelle Mauny
42Crunch, CTO

Recently, APIs have become the main attack vector for applications. APIs are so interesting to attackers because they expose valuable data and business logic to clients. Traditional security approaches fail to address these issues. In this workshop, we reveal the most common vulnerabilities found in APIs, uncover how to detect and subsequently remediate them, and how to put in place secure foundations that start at the design phase.
By the end of this workshop, participants will:
Know all about the OWASP API Top10
Understand the unique nature of API vulnerabilities
Learn what they look like in code examples
How to automate detection of API vulnerabilities
Develop strategies for API vulnerability remediation 

- PDT
PRO TALK (API): API Visibility: Securing Your Blind Spot without Losing Speed
Lebin Cheng
Lebin Cheng
Netskope and CloudVector, Cofounder

The growing prevalence of APIs, presents security teams with an all-too-familiar problem - deployment can outpace security processes and protections, creating a vulnerability they are left to address. With APIs emerging as the next big attack vector, this has become a critical shift left priority. Understanding the tradeoffs between securing APIs versus the cost of not taking action is the first step in gaining buy in across the organization From there, you can build a phased plan to introduce visibility into your APIs, determine which APIs expose sensitive data and finally to build processes around how APIs are managed. This session will offer tips and tricks for securing APIs without slowing down the speed of development. 

- PDT
OPEN TALK (API): Identity Is Key to Secure APIs and Microservices
Jonas Iggbom
Jonas Iggbom
Curity, Director of Sales Engineering

“Never Trust, Always Verify” is the short phrase minted by NIST in defining Zero Trust. With that in mind, understanding the user identity is an absolute requirement and should be applied when securing all APIs, for internal use cases, in the same way as external ones. Leveraging OAuth and OpenID Connect (OIDC) in a token-based architecture aligns perfectly with achieving Zero Trust, regardless of the level of security needed.

In this talk participants will learn:
- How to leverage mTLS and certificate-bound tokens to level up API security
- Architectural patterns that prevent Personal Identifiable Information (PII) in public applications
- How Scopes and Claims are used to authorize API access 

- PDT
PRO TALK (API): Solving the Never Ending Requirements of Authorization
Alex Olivier
Alex Olivier
Cerbos, Product Lead

Implementing access controls in your application can be a never ending task as business requirements change. What begins as a simple check to see if the user’s email is from your own domain name turns into a complex web of if/else statements to determine who can do what. Coming up with a scalable, manageable and maintainable authorization process is key to meet evolving requirements as your business scales.

This talk will cover the different areas of consideration when implementing permissions, common stages in the evolution of a company where authorization needs to fundamentally change and an example of how to take a gitops based approach to scaling policy. 

- PDT
PRO TALK (API): Anomaly Detection Is No Longer a Security Strategy
Matt Anderson
Matt Anderson
Resurface Labs, Chief Revenue Officer

Much of security is focused on finding the outliers, the anomalies to provide a reliable signal for security teams. Once identified, these anomalies are considered instructive and actionable. But, with the proliferation of APIs and the volume of attack traffic every second, relying on outliers leads to exceptionally noisy and unproductive searches. Your anomalies are actually valid traffic vs. majority of attacker traffic. We'll cover how to identify API risk and threats where threat traffic outweighs valid user traffic. 

- PDT
WORKSHOP (API): Designing Secure API and Microservices-Based Applicationsapis
Farshad Abasi
Farshad Abasi
Forward Security, Founder and CEO

Many applications are being modernized by leveraging APIs and being decomposed into smaller units typically living in containers. These involve many new tools and technologies that are not always well understood, leading to a poor application security posture. Many application architects and developers who take advantage of these architectures lack the knowledge to apply the required security controls. The ideas, principles and concepts such as API gateways, end-to-end trust, authentication and authorization discussed in this presentation have existed for some time. But this presentation brings it all together to provide a blueprint for modern API and microservices-based application security. 

- PDT
PRO TALK (API): Zero Trust Strategies to Protect the APIs That Drive Your CICDPipelines
AJ
Andrew Jones
Corsha, Director of Solutions Engineering

Many organizations are jumping to DevSecOps from DevOps by adding security scanning and validation in their CI/CD pipelines. This shift-left approach is fantastic because it builds security into applications early on.  Now the question is -  How do we protect API-driven communication in our CI/CD pipelines themselves?  These automated pipelines are a rich treasure trove for hackers of proprietary code and configuration, release artifacts,  deployment environments, and of course the critical keys and secrets to control it all.  And all of the automation driving these pipelines is via APIs and communication between different chained third-party services. In this talk, we’ll go over strategies for best practices around CI/CD security and show you how to pin access and control to only trusted stages of your pipeline. 

- PDT
PRO TALK (API): API Security Doesn’t Stop at Inventory
Steve Wilson
Steve Wilson
Contrast Security, Chief Product Officer

The modern web “application” is really a conglomeration of interconnected APIs, microservices, web apps, frameworks, libraries, and serverless functions spread across multiple cloud and on-premise environments. Simply inventorying your APIs is not nearly enough to make them secure. In this talk, I'll review the five major components of an API security program. We’ll talk about detection, security testing, securing libraries, runtime protection, and access management. We will focus on automation and review the pros and cons of traditional scanning and perimeter tools as well as modern instrumentation-based security tools. You’ll leave with practical guidance on next steps for your API security program. 

- PDT
WORKSHOP (API): Protecting GraphQL with Effective Governance & Security
Shiu-Fun Poon
Shiu-Fun Poon
IBM, Principal Architect, API Security
Morris Matsa
Morris Matsa
IBM, Principal Architect, API Connect & Gateways

GraphQL is a new approach to expose your services to application developers. There are many advantages which come with new challenges to security and governance. In this session you can learn how to protect and enforce governance for your GraphQL server endpoints from these unique GraphQL threats with a low-code approach. You'll see demoes of numerous approaches such as cost analysis, graph filtering, and much more. 

- PDT
PRO TALK (API): API Protection Best Practices
Varun Kohli
Varun Kohli
Cequence Security, Chief Marketing Officer (CMO)

It’s no secret that APIs are the developers tool of choice and an attackers #1 target. The question on every CISOs mind is this: if APIs are the number one target for attackers, and everyone claims to secure APIs, how do we choose the solution that best fits our API protection needs for an entire API lifecycle? To address that question, do you start with a focus on secure API development? Do you try and stay on top of constantly discovering unknown or shadow APIs? Or do you merely bolster existing defenses in an effort to stop future attacks? Using customer examples as the backdrop, this session will walk attendees through best practices for protecting your APIs regardless of where you are in your API protection lifecycle. 

- PDT
PRO TALK (API): From Reactive to Proactive, Changing the Culture on API Security
Bryant Schuck
Bryant Schuck
Checkmarx, Senior Product Manager

If software is eating the world then APIs are the teeth. Good application security approaches and best practices start at the API code level. But the bigger question is, “do you know what those practices are?” Security and threat intelligence must play a role within each part of the API lifecycle to stay ahead of the curve.

In this talk, you’ll hear from Bryant Schuck, Senior Product Manager at Checkmarx, where he will dive deep into the following topics:

· How to shift API security as far left as possible to create secure APIs on every pull request
· How to focus your efforts and attention on where the vulnerable API lives
· New ways to prioritize vulnerability remediation based on APIs handling of sensitive data
· Live demo of an API Attack 

- PDT
PRO TALK (API): The Target of Multi-Mode Attacks, Is APIs
Bret Settle
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are a two-edged sword: They expose business functionality and allow easy and powerful integration between back-end systems, but they also provide attackers with more attack surface, and through that, grant visibility into the back-end functions of an application.

As API use increases, so do security risks. Securing APIs against sophisticated, multi-mode attacks requires organizations to automatically detect attacker behavior and block in real-time. During this session ThreatX’s co-founder and Chief Strategy Officer, Bret Settle will walk step by step through the attack behavior being seen in multi-mode attacks and how those strategies are targeting APIs more than ever. 

Thursday, October 27, 2022

- PDT
OPEN TALK (API):The Target of Multi-Mode Attacks, Is APIs
Bret Settle
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are a two-edged sword: They expose business functionality and allow easy and powerful integration between back-end systems, but they also provide attackers with more attack surface, and through that, grant visibility into the back-end functions of an application.

As API use increases, so do security risks. Securing APIs against sophisticated, multi-mode attacks requires organizations to automatically detect attacker behavior and block in real-time. During this session ThreatX’s co-founder and Chief Strategy Officer, Bret Settle will walk step by step through the attack behavior being seen in multi-mode attacks and how those strategies are targeting APIs more than ever.

- PDT
OPEN TALK (API): PDF Signatures vs Web-Based Signatures: Building Workflows to Enhance your Security and Efficiency
Mahender Bist
Mahender Bist
Foxit, SVP of Foxit eSign

The focus of this talk with be PDF document signatures and how they differ from web-based signatures. This talk will cover:
• What are the different types of eSignatures?
• Advantage of document-based vs web-based eSignatures.
• Digital signature security.
• Validations including LTV.
• Building workflows with document-based signatures.
• Using a PDF SDK to enhance the eSignature process. 

- PDT
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Delivers End-To-End API Security
Isabelle Mauny
Isabelle Mauny
42Crunch, CTO

API and security teams want the best for their APIs, yet companies are still debating the pros and cons of adopting a developer-first approach to protecting their APIs versus a more traditional shield-right security model. In this presentation, Colin Domoney examines the pros and cons of each approach, and shows through demonstrations how development and security teams can achieve the best of both approaches to achieve continuous API Security. Colin will show how developers can embed security as code in their APIs but also how security teams can maintain visibility and control via API micro-firewalls and existing SIEM services. 

- PDT
OPEN TALK (API): API Tools for the Stages, Not the Ages
Andrew Stiefel
Andrew Stiefel
NGINX, Product Marketing Manager

There is no one-size-fits-all approach to building API infrastructure, and what you need will change with the scale of your operations. So instead of buying a tool for the ages, learn how to select technologies based on where you are today in your API journey. Explore the stages of API modernization, implications for your API strategy, and considerations to ensure your technology will scale with you as you grow.

- PDT
OPEN TALK (API): Cautionary Tales - Real World Case Studies of API Blind Spots and Security Issues, and How to Avoid Them
Chuck Herrin
Chuck Herrin
WIB, CTO

While experience is the best teacher, tuition is high. In this session WIB’s CTO Chuck Herrin builds on our Filed Report session to take a deep dive into real world examples of API security issues in live environments, and how your team can take the lessons to benefit your organization. 

- PDT
PRO TALK (API): GraphQL - Security Implications and Best Practices
Amir Shaked
Amir Shaked
PerimeterX, SVP R&D

GraphQL Is one of the fastest-growing approaches in API specifications. But it comes with security risks that can and should be addressed as you design your AAA - authentication, authorization and auditing. 

- PDT
PRO TALK (API): The 12 facets of the OpenAPI Specification
NP
Neelesh Pateriya
Cisco, Principal Engineer

We'll introduce how Cisco Engineering leverages OAS to drive API quality and state-of-the-art developer experience. We'll then describe OpenAPI best practices, tools and processes built internally and opensourced, as well as the benefits for Cisco partners and customers. Join this session to hear from the best practices and lessons learnt when standardizing on OAS for organizations with a massive internal and external facing APIs porfolio. 

Tuesday, November 1, 2022

- PDT
[#VIRTUAL] PRO Workshop (API): Automagic API Security Testing: Pre-prod agent-generated tests FTW
Steve Chappell
Steve Chappell
Synopsys, SW Manager & API Security Evangelist

Most API Security tools/platforms are built for the Security teams that are told “here’s an API service already running – go secure it”. Thus, they take an outside-in approach of building a fence around a service and/or poking the service with a stick to see what outward reactions they can get. But even an ML-powered fence can’t stop everything. Shouldn’t we be improving the security inherent in our RESTful or GraphQL API service/microservices? Let's actually find and fix the flaws before the API is deployed. And before the developers reading this run screaming thinking this is another “shift [the extra work] left” talk, what we will advocate is a simply and scalably deployed agent that will do this work for us. It will automagically discover and ingest the API documentation (if it exists), create and run tests based on these docs, turn any other functional tests we already have into security tests, and output replayable exploits when they are found. “Agent-less” solutions don't have the visibility and controllability needed to realize the automagic of building a more secure API from the inside out. 

- PDT
[#VIRTUAL] PRO Workshop (API): API Fuzz Testing Fundamentals
Alex Brewer
Alex Brewer
=ForAllSecure, Technical Solutions Engineer=

The goal of this 50 technical workshop is to explain what fuzz testing Is, then use a fuzz testing on a simple API server, understand and explain the benefits of API testing, and review fuzzing results to evaluate the API fuzzing targets for security and performance. 

Wednesday, November 2, 2022

- PDT
[#VIRTUAL] PRO TALK (API): GraphQL: Great Flexibility, New Attack Vectors
Erez Yalon
Erez Yalon
Checkmarx, VP of Security Research
Paulo Silva
Paulo Silva
Checkmarx, Ethical Hacker / Senior Security Researcher

In recent years, GraphQL adoption has increased significantly. Developed by Facebook and introduced in 2012, GraphQL came with a proposal different than REST: native flexibility to those building and calling APIs.
As we know, with great flexibility come... new attack vectors!

In this session, we'll cover GraphQL-specific security risks and attack vectors. Beyond the commonly discussed topic of enabled introspection in production, we'll present and discuss how field suggestions can be abused, how common GraphQL Cross-Site
Request Forgery (CSRF) issues look like, and how attackers are using batching attacks, alias and directory overloading, and query depth issues for their advantage.

We want to shed some light on GraphQL-specific issues that
may hurt not only the system but also the business, leading to massive data leakages or Denial-of-Service (DoS). 

- PDT
[#VIRTUAL] OPEN TALK (API): Effective API Security: API Discovery, Runtime Protection, Security Analytics, Active Testing
Dan Gordon
Dan Gordon
Traceable, Technical Evangelist

APIs are the glue that connects all of our software systems. But our knowledge and ability to track and secure APIs has not kept up with our rapid adoption of them. This API sprawl introduces significant operational and security risks, yet securing your APIs is different than everything we've been doing to secure our applications to date. WAFs don't help. API gateways aren't enough. DAST testing isn't enough. So what do we need to do differently?


In this session we will discuss why and how the approach to securing APIs needs to be different. We'll look at what you should consider through the software development lifecycle. And we'll share some real-world examples of organizations that have built and maintained robust API security strategies, with impressive outcomes related to reduced risk, lowered costs, and more secure API development practices.

- PDT
[#VIRTUAL] PRO TALK (API): Securing Large API Ecosystems
Jonas Iggbom
Jonas Iggbom
Curity, Director of Sales Engineering

Security is never a simple task, the same applies to APIs. Properly securing APIs gets even more challenging when the API ecosystem grows substantially. It’s naturally easier for a company to protect a few endpoints than hundreds. As the API ecosystem grows, merely starting to use OAuth may not be enough. Proper handling of OAuth tokens and utilizing different features that OAuth offers is required. 

- PDT
[#VIRTUAL] OPEN TALK (API): Increase Developer Happiness with OpenAPI-driven Quality Engineering
Tom Peelen
Tom Peelen
Sauce Labs, Senior Solution Engineer

Most developers did not grow up dreaming of becoming professional debuggers. Nor did they dream of becoming professional gamblers who sometimes bet the house on when to mark an application ready for production. At the end of the day, most developers really want one big thing: digital confidence.

OpenAPI-driven development has emerged as the most popular way to help boost developer confidence. Instead of distributed teams trying to inefficiently collaborate on distributed systems using API documentation that may have to change often, teams can work with confidence on a single version of API truth by turning all documentation into standardized OpenAPI (OAS) specification files. Engineers can then use the OAS files to write API contract, functional, integration and load/performance tests.

But what happens to digital confidence when engineers are asked to add tens or hundreds of microservices? The OpenAPI-driven approach can still work–but it needs to scale at unprecedented levels.

New solutions such as Python micro-frameworks, Flask and FastAPI, have quickly emerged to give developers an easy and highly scalable way to auto-generate OpenAPI spec files from countless API documentation. But these new solutions tell only half the story of scaling digital confidence for microservices, CI/CD pipelines, TDD/BDD and other use cases.

Tom Peelen, Senior Solution Engineer at Sauce Labs, discusses how developers at gaming companies, large banks and financial services companies, retailers, healthcare, telecom and other organizations are handling being held accountable for releases in production. Tom shows how developers using frameworks like FastAPI to auto-generate OAS spec files are also able to almost simultaneously auto-generate API contract tests of both the consumer and provider (via mock servers) during API development. Attendees will also hear Tom describe how Performance, Reliability and API Monitoring teams are leveraging insights from OpenAPI-driven API tests (contract, functional, integration and load/performance) to optimize digital confidence in production environments. 

- PDT
[#VIRTUAL] PRO TALK (API): API Monitoring For better Management
Aravind Babu Ramadugu
Aravind Babu Ramadugu
Accenture, Mulesoft Mentor and Architect

API Monitoring is a very critical part of the entire API Ecosystem.
In this session, I will be covering How APIs can be monitored and how we can plan for predicting the issues through Monitoring and heal the APIs automatically. 

- PDT
[#VIRTUAL] OPEN TALK (API): API Security 101: Top API Vulnerabilities and how to Fix from Code
Isabelle Mauny
Isabelle Mauny
42Crunch, CTO

Recently, APIs have become the main attack vector for applications. APIs are so interesting to attackers because they expose valuable data and business logic to clients. Traditional security approaches fail to address these issues. In this workshop, we reveal the most common vulnerabilities found in APIs, uncover how to detect and subsequently remediate them, and how to put in place secure foundations that start at the design phase.
By the end of this workshop, participants will:
Know all about the OWASP API Top10
Understand the unique nature of API vulnerabilities
Learn what they look like in code examples
How to automate detection of API vulnerabilities
Develop strategies for API vulnerability remediation 

- PDT
[#VIRTUAL] OPEN TALK (API): Identity Is Key to Secure APIs and Microservices
Jonas Iggbom
Jonas Iggbom
Curity, Director of Sales Engineering

“Never Trust, Always Verify” is the short phrase minted by NIST in defining Zero Trust. With that in mind, understanding the user identity is an absolute requirement and should be applied when securing all APIs, for internal use cases, in the same way as external ones. Leveraging OAuth and OpenID Connect (OIDC) in a token-based architecture aligns perfectly with achieving Zero Trust, regardless of the level of security needed.

In this talk participants will learn:
- How to leverage mTLS and certificate-bound tokens to level up API security
- Architectural patterns that prevent Personal Identifiable Information (PII) in public applications
- How Scopes and Claims are used to authorize API access 

- PDT
[#VIRTUAL] PRO TALK (API): Solving the Never Ending Requirements of Authorization
Alex Olivier
Alex Olivier
Cerbos, Product Lead

Implementing access controls in your application can be a never ending task as business requirements change. What begins as a simple check to see if the user’s email is from your own domain name turns into a complex web of if/else statements to determine who can do what. Coming up with a scalable, manageable and maintainable authorization process is key to meet evolving requirements as your business scales.

This talk will cover the different areas of consideration when implementing permissions, common stages in the evolution of a company where authorization needs to fundamentally change and an example of how to take a gitops based approach to scaling policy. 

- PDT
[#VIRTUAL] PRO TALK (API): Anomaly Detection Is No Longer a Security Strategy
Matt Anderson
Matt Anderson
Resurface Labs, Chief Revenue Officer

Much of security is focused on finding the outliers, the anomalies to provide a reliable signal for security teams. Once identified, these anomalies are considered instructive and actionable. But, with the proliferation of APIs and the volume of attack traffic every second, relying on outliers leads to exceptionally noisy and unproductive searches. Your anomalies are actually valid traffic vs. majority of attacker traffic. We'll cover how to identify API risk and threats where threat traffic outweighs valid user traffic. 

- PDT
[#VIRTUAL] WORKSHOP (API): Designing secure API and microservices-based applications
Farshad Abasi
Farshad Abasi
Forward Security, Founder and CEO

Many applications are being modernized by leveraging APIs and being decomposed into smaller units typically living in containers. These involve many new tools and technologies that are not always well understood, leading to a poor application security posture. Many application architects and developers who take advantage of these architectures lack the knowledge to apply the required security controls. The ideas, principles and concepts such as API gateways, end-to-end trust, authentication and authorization discussed in this presentation have existed for some time. But this presentation brings it all together to provide a blueprint for modern API and microservices-based application security. 

- PDT
[#VIRTUAL] PRO TALK (API): Zero Trust Strategies to Protect the APIs That Drive Your CICDPipelines
AJ
Andrew Jones
Corsha, Director of Solutions Engineering

Many organizations are jumping to DevSecOps from DevOps by adding security scanning and validation in their CI/CD pipelines. This shift-left approach is fantastic because it builds security into applications early on.  Now the question is -  How do we protect API-driven communication in our CI/CD pipelines themselves?  These automated pipelines are a rich treasure trove for hackers of proprietary code and configuration, release artifacts,  deployment environments, and of course the critical keys and secrets to control it all.  And all of the automation driving these pipelines is via APIs and communication between different chained third-party services. In this talk, we’ll go over strategies for best practices around CI/CD security and show you how to pin access and control to only trusted stages of your pipeline. 

- PDT
[#VIRTUAL] PRO TALK (API): API Security Doesn’t Stop at Inventory
Steve Wilson
Steve Wilson
Contrast Security, Chief Product Officer

The modern web “application” is really a conglomeration of interconnected APIs, microservices, web apps, frameworks, libraries, and serverless functions spread across multiple cloud and on-premise environments. Simply inventorying your APIs is not nearly enough to make them secure. In this talk, I'll review the five major components of an API security program. We’ll talk about detection, security testing, securing libraries, runtime protection, and access management. We will focus on automation and review the pros and cons of traditional scanning and perimeter tools as well as modern instrumentation-based security tools. You’ll leave with practical guidance on next steps for your API security program. 

- PDT
[#VIRTUAL] WORKSHOP (API): Protecting GraphQL with Effective Governance & Security
Shiu-Fun Poon
Shiu-Fun Poon
IBM, Principal Architect, API Security
Morris Matsa
Morris Matsa
IBM, Principal Architect, API Connect & Gateways

GraphQL is a new approach to expose your services to application developers. There are many advantages which come with new challenges to security and governance. In this session you can learn how to protect and enforce governance for your GraphQL server endpoints from these unique GraphQL threats with a low-code approach. You'll see demoes of numerous approaches such as cost analysis, graph filtering, and much more. 

- PDT
[#VIRTUAL] PRO TALK (API): API Protection Best Practices
Varun Kohli
Varun Kohli
Cequence Security, Chief Marketing Officer (CMO)

It’s no secret that APIs are the developers tool of choice and an attackers #1 target. The question on every CISOs mind is this: if APIs are the number one target for attackers, and everyone claims to secure APIs, how do we choose the solution that best fits our API protection needs for an entire API lifecycle? To address that question, do you start with a focus on secure API development? Do you try and stay on top of constantly discovering unknown or shadow APIs? Or do you merely bolster existing defenses in an effort to stop future attacks? Using customer examples as the backdrop, this session will walk attendees through best practices for protecting your APIs regardless of where you are in your API protection lifecycle. 

- PDT
[#VIRTUAL] PRO TALK (API): From Reactive to Proactive, Changing the Culture on API Security
Bryant Schuck
Bryant Schuck
Checkmarx, Senior Product Manager

If software is eating the world then APIs are the teeth. Good application security approaches and best practices start at the API code level. But the bigger question is, “do you know what those practices are?” Security and threat intelligence must play a role within each part of the API lifecycle to stay ahead of the curve.

In this talk, you’ll hear from Bryant Schuck, Senior Product Manager at Checkmarx, where he will dive deep into the following topics:

· How to shift API security as far left as possible to create secure APIs on every pull request
· How to focus your efforts and attention on where the vulnerable API lives
· New ways to prioritize vulnerability remediation based on APIs handling of sensitive data
· Live demo of an API Attack 

- PDT
[#VIRTUAL] PRO TALK (API): The Target of Multi-Mode Attacks, Is APIs
Bret Settle
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are a two-edged sword: They expose business functionality and allow easy and powerful integration between back-end systems, but they also provide attackers with more attack surface, and through that, grant visibility into the back-end functions of an application.

As API use increases, so do security risks. Securing APIs against sophisticated, multi-mode attacks requires organizations to automatically detect attacker behavior and block in real-time. During this session ThreatX’s co-founder and Chief Strategy Officer, Bret Settle will walk step by step through the attack behavior being seen in multi-mode attacks and how those strategies are targeting APIs more than ever. 

Thursday, November 3, 2022

- PDT
[#VIRTUAL] OPEN TALK (API): The Target of Multi-Mode Attacks, Is APIs
Bret Settle
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are a two-edged sword: They expose business functionality and allow easy and powerful integration between back-end systems, but they also provide attackers with more attack surface, and through that, grant visibility into the back-end functions of an application.

As API use increases, so do security risks. Securing APIs against sophisticated, multi-mode attacks requires organizations to automatically detect attacker behavior and block in real-time. During this session ThreatX’s co-founder and Chief Strategy Officer, Bret Settle will walk step by step through the attack behavior being seen in multi-mode attacks and how those strategies are targeting APIs more than ever.

- PDT
[#VIRTUAL] OPEN TALK (API): PDF Signatures vs Web-Based Signatures: Building Workflows to Enhance your Security and Efficiency
Mahender Bist
Mahender Bist
Foxit, SVP of Foxit eSign

The focus of this talk with be PDF document signatures and how they differ from web-based signatures. This talk will cover:
• What are the different types of eSignatures?
• Advantage of document-based vs web-based eSignatures.
• Digital signature security.
• Validations including LTV.
• Building workflows with document-based signatures.
• Using a PDF SDK to enhance the eSignature process. 

- PDT
[#VIRTUAL] OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Delivers End-To-End API Security
Isabelle Mauny
Isabelle Mauny
42Crunch, CTO

API and security teams want the best for their APIs, yet companies are still debating the pros and cons of adopting a developer-first approach to protecting their APIs versus a more traditional shield-right security model. In this presentation, Colin Domoney examines the pros and cons of each approach, and shows through demonstrations how development and security teams can achieve the best of both approaches to achieve continuous API Security. Colin will show how developers can embed security as code in their APIs but also how security teams can maintain visibility and control via API micro-firewalls and existing SIEM services. 

- PDT
[#VIRTUAL] OPEN TALK (API): API Tools for the Stages, Not the Ages
Andrew Stiefel
Andrew Stiefel
NGINX, Product Marketing Manager

There is no one-size-fits-all approach to building API infrastructure, and what you need will change with the scale of your operations. So instead of buying a tool for the ages, learn how to select technologies based on where you are today in your API journey. Explore the stages of API modernization, implications for your API strategy, and considerations to ensure your technology will scale with you as you grow.

- PDT
[#VIRTUAL] OPEN TALK (API): Cautionary Tales - Real World Case Studies of API Blind Spots and Security Issues, and How to Avoid Them
Chuck Herrin
Chuck Herrin
WIB, CTO

While experience is the best teacher, tuition is high. In this session Wib’s CTO Chuck Herrin builds on our Filed Report session to take a deep dive into real world examples of API security issues in live environments, and how your team can take the lessons to benefit your organization. 

- PDT
[#VIRTUAL] PRO TALK (API): API Visibility: Securing Your Blind Spot without Losing Speed
Lebin Cheng
Lebin Cheng
Netskope and CloudVector, Cofounder

The growing prevalence of APIs, presents security teams with an all-too-familiar problem - deployment can outpace security processes and protections, creating a vulnerability they are left to address. With APIs emerging as the next big attack vector, this has become a critical shift left priority. Understanding the tradeoffs between securing APIs versus the cost of not taking action is the first step in gaining buy in across the organization From there, you can build a phased plan to introduce visibility into your APIs, determine which APIs expose sensitive data and finally to build processes around how APIs are managed. This session will offer tips and tricks for securing APIs without slowing down the speed of development. 

- PDT
[#VIRTUAL] PRO TALK (API): GraphQL - Security Implications and Best Practices
Amir Shaked
Amir Shaked
PerimeterX, SVP R&D

GraphQL Is one of the fastest-growing approaches in API specifications. But it comes with security risks that can and should be addressed as you design your AAA - authentication, authorization and auditing. 

- PDT
[#VIRTUAL] PRO TALK (API): The 12 facets of the OpenAPI Specification
NP
Neelesh Pateriya
Cisco, Principal Engineer

We'll introduce how Cisco Engineering leverages OAS to drive API quality and state-of-the-art developer experience. We'll then describe OpenAPI best practices, tools and processes built internally and opensourced, as well as the benefits for Cisco partners and customers. Join this session to hear from the best practices and lessons learnt when standardizing on OAS for organizations with a massive internal and external facing APIs porfolio.