The Inconvenient Truth About API Security

© Information Security Media Group · www.ismgcorp.com

Transcript of The Inconvenient Truth About API Security

Page 1: The Inconvenient Truth About API Security


The Inconvenient Truth About API Security

Presented by

Page 2

About Information Security Media Group

• Focused on providing information security content, specifically for unique vertical industries

• Publish articles, interviews, blogs, regulation & guidance alerts, and whitepapers

• Educational webinars offered daily

Global network of 25 sites

Subscribers from over 175 countries

Page 3

Technical Support

(609) 356-1499 x115

Copyrighted Material

Used for individual study purposes only. If your institution is interested in using this, or any of Information Security Media Group’s presentations, as part of an overall information security program, please contact us at (800) 944-0401.

Page 4

About Our Sponsor

Distil Networks is the first easy and accurate way to defend your web applications against bad bots, API abuse and fraud.

To learn more, visit us at www.distilnetworks.com

Page 5

Rami Essaid, CEO and Co-Founder, Distil Networks

Distil Networks is the first easy and accurate way to identify and police malicious website traffic, blocking 99.9% of bad bots without impacting legitimate users. With over 12 years in telecommunications, network security, and cloud infrastructure management experience, Essaid continues to advise enterprise companies around the world, helping them embrace the cloud to improve their scalability and reliability while maintaining a high level of security.

Page 6

Rik Turner, IT Security Analyst, Ovum Research

Rik is a senior analyst on the Infrastructure Solutions team, focusing primarily on IT security. Rik joined Ovum in January 2005 as European Bureau Chief of its ComputerWire daily IT news service. He covered fixed, wireless, and mobile networking and security. In February 2007 he moved across to become an analyst on the Financial Services Technology team, initially covering retail banking and writing reports on online and branch banking. He subsequently developed a specialization in capital markets infrastructure. In mid-2008 his team was grouped under the Ovum brand as part of its IT analyst arm. At the beginning of 2014 Rik moved across to the Infrastructure Solutions team, focusing on IT security.

Page 7

Shane Ward, Senior Director of Technology, GuideStar

As a nonprofit, GuideStar is committed to advancing transparency and driving innovation in the social sector. Ward leads a team that is responsible for data acquisition and distribution as well as architecture and technology strategy.

Page 8

The Inconvenient Truth About API Security

Presented by

Page 9

Agenda

API Security Primer

Ovum Survey Results and Analysis

GuideStar’s Field Guide to API Security

Q & A

Page 10

API Security Primer

Page 11

APIs are fundamentally hard to protect

APIs are built to give developers a uniform interface to applications

This allows for easy access to data

Returned in a standardized format

Generally self-documenting

Built to run at scale

Page 12

This provides multiple vectors for abuse

API Malicious Usage: Third parties aggressively using the API to pull data beyond their contracted limits

API Developer Errors: API endpoints get hammered by runaway scripts or poorly designed interfaces

Web & Mobile API Hijacking: Hackers dissect how web and mobile apps interact with their APIs

Automated API Scraping: Malicious bots pull down online content and data within minutes directly from the API

Page 13

Attackers distribute their attacks across multiple IP addresses

Bots that dynamically rotate IP addresses, or that distribute their attacks across many sources, are significantly harder to detect and mitigate

Page 14

Unfortunately, most API security solutions track usage by IP

This makes them blind to several key use cases

Server-sourced API clients are hosted by cloud providers that can cycle IPs at will

Mobile-application-sourced clients sit behind wireless provider proxy networks (many devices share one IP)

Web-browser-sourced clients can sit behind a consumer ISP NAT (one shared IP for many browsers)

Page 15

Modern API governance should include...

Country and organization fencing

Token spamming prevention

Token distribution prevention

Dynamic access control lists

Advanced rate limiting

Page 16

Ovum Survey Results and Analysis

Page 17

API Security: A Disjointed Affair

Ovum surveyed 100 midsize to large companies across NA, EMEA and APAC, and in a wide range of verticals, about their use of APIs.

Page 18

API usage is widespread

Page 19

The majority were running public APIs

51% said they were running APIs to enable an external developer community or ecosystem

67% said their APIs were designed to enable partner connectivity

Page 20

The majority are using an API management system

...and almost two-thirds of those with an API management platform developed it in-house

Are you running an API management system?

Yes: 87%

No: 13%

Page 21

Rate limiting was by no means universally available

Page 22

Those with rate limiting were spending a lot of time on it

Page 23

We then asked which other API security features they had in place, namely protection from...

API malicious usage

API developer error

Automated API scraping

Web and mobile API hijacking

Page 24

The results were not encouraging

Page 25

Who is responsible for API security?

Page 26

...and the stage at which IT security gets involved is frequently too late

Page 27

So the final, troubling statistic is...

21% of APIs go live without any input from security professionals regarding the potential risks to the organization that is publishing them

Page 28

Key takeaway...

Page 29

GuideStar’s Field Guide to API Security

Page 30

About GuideStar’s APIs

GuideStar is the world’s largest source of information on nonprofit organizations

We collect, aggregate, and distribute data about nonprofit results, financials, operations, and more

Our data is made available through APIs that power: workplace giving, donation disbursement, grants management, and charity validation applications

Page 31

Why do we care so much about API security?

Integrated into payment processing systems

Misuse can have serious consequences

Validation and verification services

Investment in curation and dissemination of data

Ensure our data is being used in a manner that is consistent with our values

Page 32

GuideStar technology stack

APIs hosted in GuideStar’s private cloud

Traditional data warehouse and datamart

NoSQL data repositories

APIs built on REST principles

Built our own middleware using open source

XML and JSON returns

Load balancers

WAF

Distil Networks for Bot Mitigation and API Security

Page 33

API security challenges

Only as secure as your least secure customer

“Node hopping” off load balancers

Round-robin vs. sticky session load balancing

Developer errors and runaway scripts

Data protection and security

API key mismanagement

Page 34

Lessons learned

Understand the technical capabilities of your API consumers

“Lightweight” approach vs. “heavy” API management suites

Map your business strategy to your API controls and segmentation strategy

Leverage machine learning and automation

Token-based over IP-based rate limiting
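The slides on IP-tracking blind spots (page 14) and the lesson "token-based over IP-based rate limiting" (above) describe the same mechanism from two sides: an IP-keyed limiter punishes many legitimate clients sharing one carrier or ISP NAT address while missing one abuser spread across rotating cloud IPs. The following is an added example, not code from the webinar, Distil Networks or GuideStar. It implements a simple sliding-window limiter whose identity key is pluggable, runs it over constructed traffic (the IP addresses, API keys, limits and timings are all invented for illustration), and counts how many abuser requests and how many legitimate requests each keying strategy blocks.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: float    # seconds since start of the observation (constructed)
    ip: str      # source address seen by the API front end
    token: str   # API key presented by the client


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key.

    `key_fn` decides what identity the limiter counts against (IP or token).
    All state lives in one dictionary, i.e. a single shared counter store;
    per-node counters behind a round-robin load balancer would each see
    only a fraction of a client's traffic and undercount it.
    """

    def __init__(self, limit: int, window: float, key_fn):
        self.limit = limit
        self.window = window
        self.key_fn = key_fn
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, req: Request) -> bool:
        q = self.hits[self.key_fn(req)]
        # Evict timestamps that have fallen out of the trailing window.
        while q and req.ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(req.ts)
        return True


def by_ip(req: Request) -> str:
    return req.ip


def by_token(req: Request) -> str:
    return req.token


def build_traffic() -> list:
    """Constructed traffic for one minute (hypothetical addresses and keys)."""
    reqs = []
    # Abuser: one API key, 100 requests in a minute, rotated across ten
    # cloud-hosted addresses so that each address sends only ten.
    for i in range(100):
        reqs.append(Request(ts=i * 0.6, ip=f"203.0.113.{i % 10}", token="key-abuser"))
    # Legitimate: 40 mobile users behind one carrier NAT address, two
    # requests each, thirty seconds apart.
    for u in range(40):
        for j in range(2):
            reqs.append(Request(ts=float(u + 30 * j), ip="198.51.100.7",
                                token=f"key-user-{u:02d}"))
    reqs.sort(key=lambda r: r.ts)
    return reqs


def evaluate(key_fn, limit: int = 20, window: float = 60.0):
    """Return (abuser requests blocked, legitimate requests blocked)."""
    limiter = SlidingWindowLimiter(limit, window, key_fn)
    blocked = defaultdict(int)  # token -> number of rejected requests
    for req in build_traffic():
        if not limiter.allow(req):
            blocked[req.token] += 1
    abuser_blocked = blocked.pop("key-abuser", 0)
    legit_blocked = sum(blocked.values())
    return abuser_blocked, legit_blocked


if __name__ == "__main__":
    for name, fn in (("IP-keyed", by_ip), ("token-keyed", by_token)):
        abuser, legit = evaluate(fn)
        print(f"{name:12s} blocked abuser={abuser:3d} legitimate={legit:3d}")
```

With a limit of 20 requests per 60 seconds, the IP-keyed run blocks none of the abuser's requests (each rotated address stays under the limit) but rejects 50 of the 80 legitimate requests arriving from the shared NAT address, whereas the token-keyed run blocks 80 of the abuser's 100 requests and none of the legitimate ones. The same contrast is why the governance list on page 15 pairs advanced rate limiting with token controls rather than relying on source addresses.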

Page 35

Questions

Please use the following form for any questions or comments:

http://www.bankinfosecurity.com/webinar-feedback.php

Or contact us at: (800) 944-0401

Page 36

Thank You for Participating!