Droid Wars: Protect your APIs from cyber threats
©2015 Apigee. All Rights Reserved.
youtube.com/apigee
slideshare.net/apigee
Subra Kumaraswamy (@Subrak)
David Andrzejek (@Davidandrz)
https://en.wikipedia.org/wiki/C-3PO
• Search engine indexing
• Health monitoring
• Performance testing
http://ideas.wikia.com/ http://starwars.wikia.com/
• Scrapers: content, price data, inventory data
• Reconnaissance: probing for API security weaknesses
• Brute-force bots: DDoS attacks, etc.
http://ideas.wikia.com/ http://starwars.wikia.com/
• Theft of data and business
• Promotion abuse
• Bot traffic skews analytics and KPIs
• Performance overhead on Web Operations
There is also reputational risk!
What’s different about APIs?
API Security is Unique
• Your APIs are vulnerable to the typical OWASP Top 10 attacks
• IN ADDITION, you have to worry about:
  – Hackers reverse engineering apps to access private APIs
  – API key theft: looks like legit usage!
  – Traffic spike protection by way of bots or DoS attacks
  – Identity tracking across API sessions
  – XML/JSON injection-type attacks
  – Token harvesting due to insecure communication or storage
Secure Your APIs
Diagram: Users → Apps → APIs → Backend, with controls placed along the path:
• Mutual TLS, IP access control
• Spike arrest, rate limits
• Threat protection, intrusion detection
• DDoS
• API key, OAuth2
• TLS, IP access control
• OAuth2, MFA
• Federated login
Am I Secure Now?
Security Policies Configured
Need to rethink the “known known” security approach
Diagram: Apps and API bots send traffic, legitimate or not, through an IP blacklist to the backend service.
Data-driven approach to security
Charts: traffic plotted by volume (Vol) against URI, “+many other kinds…” of clients, vs. the same chart with password guessers and screen scrapers called out.
API Security: Data-Driven Approach
Closed Loop Protection: Analyze, Detect, Protect
Diagram: API clients, API, target services; dashboard; machine learning models and rules; action (block/throttle/alert); blacklist (your traffic, system-wide, purchased).
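The closed loop above, reduced to a rule-based pass in Python as an added example (not Apigee's code): it summarises constructed access-log lines per API key by request volume and URI spread, the two axes from the charts, and maps each key to block, throttle or alert. The log format, key names and thresholds are assumptions.

```python
# Added example, not Apigee's code: a minimal "analyze, detect, protect" loop.
# Each API key's traffic is reduced to volume (Vol), distinct-URI spread (URI)
# and auth-failure count, then mapped to an action. Thresholds are assumed.
import re
from collections import defaultdict

# Constructed sample log, one request per line: "<api-key> <method> <uri> <status>".
SAMPLE_LOG = "\n".join(
    [f"key-A POST /login {'401' if i else '200'}" for i in range(8)]  # 7 failed logins
    + [f"key-B GET /products/{i} 200" for i in range(8)]              # 8 distinct URIs
    + ["key-C GET /products/1 200", "key-C GET /cart 200"]            # low volume
    + [f"key-D GET /{'cart' if i % 2 else 'orders'} 200" for i in range(6)]
)

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")


def summarise(log_text):
    """Analyze: per-client volume, distinct URIs and 401/403 count."""
    stats = defaultdict(lambda: {"vol": 0, "uris": set(), "fail": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines rather than crashing on them
            continue
        s = stats[m["client"]]
        s["vol"] += 1
        s["uris"].add(m["uri"])
        if m["status"] in ("401", "403"):
            s["fail"] += 1
    return stats


def classify(s, vol_threshold=5):
    """Detect: label a client from its Vol/URI profile (assumed thresholds)."""
    if s["vol"] < vol_threshold:
        return "legitimate"
    if len(s["uris"]) == 1 and s["fail"] / s["vol"] >= 0.8:
        return "password guesser"  # high volume, one URI, mostly auth failures
    if len(s["uris"]) / s["vol"] >= 0.75:
        return "screen scraper"    # high volume spread across many distinct URIs
    return "suspicious"            # high volume that fits neither pattern


ACTIONS = {"password guesser": "block", "screen scraper": "throttle",
           "suspicious": "alert", "legitimate": "allow"}


def decide(log_text):
    """Protect: return {client: (label, action)} for every client in the log."""
    return {c: (classify(s), ACTIONS[classify(s)]) for c, s in summarise(log_text).items()}
```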
Key Takeaways
• If you have valuable data, you will be targeted.
• APIs bring unique challenges. Old approaches don’t work.
• Sophisticated rules and machine learning algorithms are the only way to discern bots from real traffic.
• An automated system is needed to capture, analyze, report, and act.
Securing APIs: End-to-End
Thank you