The growing prevalence of APIs, presents security teams with an all-too-familiar problem - deployment can outpace security processes and protections, creating a vulnerability they are left to address. With APIs emerging as the next big attack vector, this has become a critical shift left priority. Understanding the tradeoffs between securing APIs versus the cost of not taking action is the first step in gaining buy in across the organization From there, you can build a phased plan to introduce visibility into your APIs, determine which APIs expose sensitive data and finally to build processes around how APIs are managed. This session will offer tips and tricks for securing APIs without slowing down the speed of development. 

Implementing access controls in your application can be a never ending task as business requirements change. What begins as a simple check to see if the user’s email is from your own domain name turns into a complex web of if/else statements to determine who can do what. Coming up with a scalable, manageable and maintainable authorization process is key to meet evolving requirements as your business scales.

This talk will cover the different areas of consideration when implementing permissions, common stages in the evolution of a company where authorization needs to fundamentally change and an example of how to take a gitops based approach to scaling policy. 

Much of security is focused on finding the outliers, the anomalies to provide a reliable signal for security teams. Once identified, these anomalies are considered instructive and actionable. But, with the proliferation of APIs and the volume of attack traffic every second, relying on outliers leads to exceptionally noisy and unproductive searches. Your anomalies are actually valid traffic vs. majority of attacker traffic. We'll cover how to identify API risk and threats where threat traffic outweighs valid user traffic. 

Many organizations are jumping to DevSecOps from DevOps by adding security scanning and validation in their CI/CD pipelines. This shift-left approach is fantastic because it builds security into applications early on.  Now the question is -  How do we protect API-driven communication in our CI/CD pipelines themselves?  These automated pipelines are a rich treasure trove for hackers of proprietary code and configuration, release artifacts,  deployment environments, and of course the critical keys and secrets to control it all.  And all of the automation driving these pipelines is via APIs and communication between different chained third-party services. In this talk, we’ll go over strategies for best practices around CI/CD security and show you how to pin access and control to only trusted stages of your pipeline. 

It’s no secret that APIs are the developers tool of choice and an attackers #1 target. The question on every CISOs mind is this: if APIs are the number one target for attackers, and everyone claims to secure APIs, how do we choose the solution that best fits our API protection needs for an entire API lifecycle? To address that question, do you start with a focus on secure API development? Do you try and stay on top of constantly discovering unknown or shadow APIs? Or do you merely bolster existing defenses in an effort to stop future attacks? Using customer examples as the backdrop, this session will walk attendees through best practices for protecting your APIs regardless of where you are in your API protection lifecycle. 

We'll introduce how Cisco Engineering leverages OAS to drive API quality and state-of-the-art developer experience. We'll then describe OpenAPI best practices, tools and processes built internally and opensourced, as well as the benefits for Cisco partners and customers. Join this session to hear from the best practices and lessons learnt when standardizing on OAS for organizations with a massive internal and external facing APIs porfolio.