DeveloperWeek New York 2020 DeveloperWeek New York 2020
Get your ticket or log in to build your agenda.

API Security in a Kubernetes World

- EST
Session Stage
Join on Hopin

Dmitry Sotnikov
42Crunch, Vice President, Cloud Platform

Dmitry Sotnikov serves as Vice President of Cloud Platform at 42Crunch – an enterprise API security company – and also maintains APISecurity.io, a popular community site with daily API Security news and weekly newsletter on API vulnerabilities, breaches, standards, best practices, regulations, and tools. Dmitry has more than two decades of experience in enterprise IT software and cloud computing – holding executive positions with companies such as WSO2, Jelastic and Quest Software. Microsoft MVP: https://bit.ly/2KAFtAB


Securing APIs deployed in Kubernetes implies securing the infrastructure but also the APIs themselves. Having a perfectly setup cluster, with all possible protections in place unfortunately is only one aspect of the recent OWASP Top10 for API Security. Other issues such as data leakage, mass assignment or broken authentication must be handled at the application level.

Learning from other’s mistakes:
The publication of the OWASP API Security Top 10 marks a corner stone in the API Security history. Finally, there is a global recognition that applications based on APIs require different protection. In the past year or so, more than 200 breaches have been published on apisecurity.io. Some very well known names are on that list: T-Mobile, Facebook, and Uber to name a few. What did they do wrong? How can we learn from their mistakes and take an approach that prevents most common API security issues.

The Kubernetes specifics:
API security is not specific to Kubernetes. But Kubernetes deployments, usually created to run microservices-based, decoupled applications, make some API security worse. To start with, the sheer number of APIs to manage and protect. In Kubernetes deployments, everything is an API. Enterprises end up having to protect 1000's of endpoints, and to make it worse, those endpoints get re-deployed very frequently. DevSecOps anyone?

Pragmatism is key:
Our goal in this talk is to share pragmatic, direct actionable best practices. We present a methodology to “pick your battles” and focus on the most critical issues first. You will leave this with either the great satisfaction that you’ve already done a good job to protect your APIs or an actionable TO-DO list to address immediate issues.