protect your apis from cyber threats

Posted on 15-Apr-2017

Category: Technology

TRANSCRIPT

Droid Wars: Protect your APIs from cyber threats

©2015 Apigee. All Rights Reserved.

youtube.com/apigee

slideshare.net/apigee

Subra Kumaraswamy (@Subrak)

David Andrzejek (@Davidandrz)

https://en.wikipedia.org/wiki/C-3PO

• Search engine indexing

• Health monitoring

• Performance testing

http://ideas.wikia.com/ http://starwars.wikia.com/

• Scrapers: content, price data, inventory data

• Reconnaissance: probe for API security weaknesses

• Brute-force bots: DDoS attacks, etc.

http://ideas.wikia.com/ http://starwars.wikia.com/

• Theft of data and business

• Promotion abuse

• Bot traffic skews analytics and KPIs

• Creates performance overhead for Web Operations

There is also reputational risk!


What’s different about APIs?


http://starwars..com/


API Security is Unique

• Your APIs are vulnerable to the typical OWASP Top 10 attacks

• IN ADDITION, you have to worry about:

– Hackers reverse engineering apps to access private APIs

– API key theft—looks like legit usage!

– Traffic spike protection by way of bots or DoS attacks

– Identity tracking across API sessions

– XML/JSON injection-type attacks

– Token harvesting due to insecure communication or storage

Secure Your APIs

Diagram: Users → Apps → APIs → Backend, with the following controls shown along the flow:

• Mutual TLS, IP access control

• Spike arrest, rate limits

• Threat protection, intrusion detection

• DDoS

• API key, OAuth2

• TLS, IP access control

• OAuth2, MFA

• Federated login


Am I Secure Now?

Security Policies Configured


Need to rethink the “known known” security approach

Diagram labels: Backend Service, Legitimate Traffic, API Bots, IP Blacklist, Apps


Data-driven approach to security

Diagram labels: Vol, URI, +many other kinds… VS. Vol, URI; bot profiles: Password guessers, Screen scrapers

Data-driven approach to security

API Security: Data-Driven Approach

Closed Loop Protection: Analyze, Detect, Protect

Diagram labels: API clients → API → Target Services; Dashboard; Machine learning models and rules; Action (Block/Throttle/Alert); Blacklist (your traffic, system-wide, purchased)
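The closed loop on this slide, as an added example that is not part of the Apigee deck: per-API-key features (Vol, distinct URIs, login failures) are extracted from constructed log lines, simple rules stand in for the machine learning models and map each key to Block/Throttle/Alert, and blocked keys feed the blacklist that is consulted on the next pass. The log format, thresholds and client names are assumptions.

```python
from collections import defaultdict

# Constructed API access log (not from the slides): "<client_key> <method> <uri> <status>"
SAMPLE_LOG = """\
app-a GET /v1/products/1 200
bot-1 POST /v1/login 401
bot-1 POST /v1/login 401
bot-1 POST /v1/login 401
bot-1 POST /v1/login 401
bot-2 GET /v1/products/1 200
bot-2 GET /v1/products/2 200
bot-2 GET /v1/products/3 200
bot-2 GET /v1/products/4 200
"""

def extract_features(log_text):
    """Analyze: per client, request volume (Vol), distinct URIs, login attempts and failures."""
    feats = defaultdict(lambda: {"vol": 0, "uris": set(), "login": 0, "fail": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        client, method, uri, status = parts
        f = feats[client]
        f["vol"] += 1
        f["uris"].add(uri)
        if method == "POST" and uri.endswith("/login"):
            f["login"] += 1
            f["fail"] += status == "401"  # bool adds as 0/1
    return feats

def classify(f, threshold=4):
    """Detect: rules over the Vol/URI features; a trained model could replace these thresholds."""
    if f["login"] >= threshold and f["fail"] / f["login"] >= 0.8:
        return "password_guesser", "block"   # many failed logins against one URI
    if f["vol"] >= threshold and len(f["uris"]) >= threshold:
        return "screen_scraper", "throttle"  # high volume spread over many URIs
    if f["vol"] >= threshold:
        return "suspicious", "alert"
    return "legitimate", "allow"

def closed_loop(log_text, blacklist=frozenset()):
    """Protect: blacklisted keys are blocked outright; newly blocked keys join the blacklist."""
    blacklist, decisions = set(blacklist), {}
    for client, f in extract_features(log_text).items():
        label, action = ("blacklisted", "block") if client in blacklist else classify(f)
        decisions[client] = (label, action)
        if action == "block":
            blacklist.add(client)
    return decisions, blacklist
```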

Key Takeaways


• If you have valuable data, you will be targeted.

• APIs bring unique challenges. Old approaches don’t work.

• Sophisticated rules and machine learning algorithms are the only way to discern bots from real traffic.

• An automated system is needed, to capture, analyze, report, and act.

Securing APIs: End-to-End


Thank you
