Data Driven API Security Subra Kumaraswamy @subrak Michael Russo

Data-driven API Security


DESCRIPTION

Standard API security approaches and best practices that harden your API security can ensure safe and secure operations. However, these approaches may not be enough to protect your backend from sophisticated data extrusion through API key attacks and low-and-slow data scraping that blends with your legitimate traffic. Enter data-driven security. This session at I Love APIs 2014 covered how your API data can help you gain insights into traffic anomalies and security/privacy abuse, and how you can mitigate risks using data-driven API security controls.


Page 1: Data-driven API Security

Data Driven API Security – Subra Kumaraswamy @subrak, Michael Russo

Page 2: Data-driven API Security


Don’t Let Your APIs get Naked!

Page 3: Data-driven API Security


What’s Keeping You Up at Night?

Key Theft / Man-in-the-Middle

Page 4: Data-driven API Security


Legacy design can also haunt you…

Page 5: Data-driven API Security


How Are APIs Protected?

[Chart: how APIs are protected today. Categories: OAuth, Quota, Rate Limit, Threat Protection; vertical axis 0 to 90]

Page 6: Data-driven API Security

Apigee Edge – Take Care of the Basics


Security & Identity Capabilities

Threat Protection

Traffic Protection

Backend Service

Apps

Security for API Consumption

Authentication & Authorization

TLS

Page 7: Data-driven API Security

Hide the Complexity of API Security


Backend Service

Authentication & Authorization

Identity Services

Logging & Auditing

Security Analytics

Authentication & Authorization

Secure API Exposure

TLS

Apps

Security & Identity Capabilities

Page 8: Data-driven API Security

Take Security away from Developers


Communication Security

Backend Service

Security for App Developers

Single Sign-On

Developers

TLS

Security & Identity Capabilities

Application Key Security

Page 9: Data-driven API Security

Configure and Not Code Security


Authentication & Authorization

Identity & Authentication

Data Masking

Logging & Auditing

Security for API Developers

Developers

API Team

TLS / RBAC

Security & Identity Capabilities

Apps

Page 10: Data-driven API Security

API Data Driven Approach

Page 11: Data-driven API Security


Am I Secure Now?

Security Policies Configured

Page 12: Data-driven API Security


Need to rethink traditional coarse-grained security controls


Backend Service

Legitimate Traffic

API Bots

IP Blacklist

Apps

Page 13: Data-driven API Security


We need a new approach…

Page 14: Data-driven API Security

Continuous Data Driven API Threat Management


Activity Bursts

Anomalous Behavior Patterns

Data Scraping / Geo Location

Bot / Content Scraping

Information Theft

Bots

Analyze API Requests

Tag / Throttle / Block

Detect Anomalies
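The loop this slide sketches (analyze API requests, detect anomalies, then tag, throttle or block the offending key) is easy to show on a few constructed log lines. The script below is an added example for this page, not code from the talk or from Apigee Edge: it profiles each API key for activity bursts, low-and-slow sequential enumeration of resource IDs, and a high error ratio, and maps each finding to one of the three responses. The log format, the thresholds (BURST_LIMIT and friends) and the four keys of sample traffic are all assumptions made for the example.

```python
"""Added example: per-API-key anomaly detection over access logs.
Not Apigee code; log format, thresholds and sample traffic are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BURST_LIMIT = 20                      # requests from one key in any 60 s window
SCRAPE_MIN_REQUESTS = 20              # sample size before we call it scraping
SCRAPE_UNIQUE_RATIO = 0.9             # share of requests hitting a new resource
SCRAPE_SEQ_RATIO = 0.8                # share of consecutive numeric ids that step by 1
SCRAPE_MIN_SPAN = timedelta(minutes=30)  # "slow": spread over at least this long
ERROR_MIN_REQUESTS = 10               # sample size before judging the error ratio
ERROR_RATIO = 0.5                     # share of 4xx/5xx answers that suggests probing

_ID_RE = re.compile(r"/(\d+)$")       # trailing numeric id in a path


def parse_line(line):
    """Assumed log format: '<iso-timestamp> <api_key> <client_ip> <path> <status>'."""
    ts, key, ip, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "key": key, "ip": ip,
            "path": path, "status": int(status)}


def build_sample_log():
    """Constructed traffic for four keys (not real data)."""
    t0 = datetime(2014, 10, 1, 10, 0, 0)
    lines = []
    for i in range(30):   # key-A: 30 requests in 15 s walking product ids (burst)
        lines.append(f"{(t0 + timedelta(seconds=i * 0.5)).isoformat()} key-A 203.0.113.5 /v1/products/{i + 1} 200")
    for i in range(24):   # key-B: one request per 5 min for 2 h walking user ids (low and slow)
        lines.append(f"{(t0 + timedelta(minutes=5 * i)).isoformat()} key-B 198.51.100.7 /v1/users/{i + 1} 200")
    paths = ["/v1/products/7", "/v1/cart", "/v1/products/7", "/v1/orders/42"]
    for i in range(12):   # key-C: a normal app revisiting the same few resources
        lines.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} key-C 192.0.2.9 {paths[i % 4]} 200")
    for i in range(10):   # key-D: ten requests, six of them 404 (guessing ids that don't exist)
        status = 404 if i % 5 < 3 else 200
        lines.append(f"{(t0 + timedelta(seconds=12 * i)).isoformat()} key-D 203.0.113.77 /v1/users/{1000 + i} {status}")
    return sorted(lines)


def max_in_window(times, window=timedelta(seconds=60)):
    """Largest number of events inside any sliding window of the given length."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def sequential_ratio(paths):
    """Share of consecutive numeric resource ids that increase by exactly one."""
    ids = [int(m.group(1)) for m in (_ID_RE.search(p) for p in paths) if m]
    if len(ids) < 2:
        return 0.0
    return sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)


def profile_key(events):
    events = sorted(events, key=lambda e: e["ts"])
    times = [e["ts"] for e in events]
    paths = [e["path"] for e in events]
    n = len(events)
    return {"requests": n, "burst": max_in_window(times), "span": times[-1] - times[0],
            "unique_ratio": len(set(paths)) / n, "seq_ratio": sequential_ratio(paths),
            "error_ratio": sum(e["status"] >= 400 for e in events) / n}


def decide(p):
    """Map a key's profile to (action, reasons); the strongest finding wins."""
    reasons = []
    if p["burst"] > BURST_LIMIT:
        reasons.append("activity burst")
    if (p["requests"] >= SCRAPE_MIN_REQUESTS and p["span"] >= SCRAPE_MIN_SPAN
            and p["unique_ratio"] >= SCRAPE_UNIQUE_RATIO and p["seq_ratio"] >= SCRAPE_SEQ_RATIO):
        reasons.append("low-and-slow enumeration")
    if p["requests"] >= ERROR_MIN_REQUESTS and p["error_ratio"] >= ERROR_RATIO:
        reasons.append("high error ratio")
    if "activity burst" in reasons:
        return "block", reasons
    if "low-and-slow enumeration" in reasons:
        return "throttle", reasons
    return ("tag" if reasons else "allow"), reasons


def analyze(lines):
    """Group parsed log lines by API key and return {key: (action, reasons)}."""
    by_key = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        by_key[e["key"]].append(e)
    return {k: decide(profile_key(v)) for k, v in by_key.items()}


if __name__ == "__main__":
    for key, (action, reasons) in sorted(analyze(build_sample_log()).items()):
        print(f"{key}: {action:8} {', '.join(reasons) or '-'}")
```

Note that the burst rule alone would never see key-B: its requests are one per five minutes, which is why the scraping rule looks at the whole span, the share of never-before-seen resources and the monotonic walk through ids rather than at rate. Thresholds like these should be tuned against your own baseline traffic before any automatic block is wired up; a "tag" decision that only annotates analytics is the safe first step.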

Page 15: Data-driven API Security


Apigee enables:

API security hygiene

Continuous data driven security that scales!

Page 16: Data-driven API Security

Thank you