APIs, the Universe, and Everything

Presented by

Peter Bosch, Distinguished Engineer, Cisco

About this talk

Cloud-native application security involves balancing contradictory requirements: the benefits of cloud services in accelerating development, while at the same time handling security in an adverse environment where there are more attack surfaces and opportunities for data breaches. Today, tools exist that focus specifically on the security and vulnerability posture of cloud workloads. Container and configuration vulnerabilities are identified, and enforcement policies are enacted to protect the workloads if these are operating with such vulnerabilities. Unfortunately, many security tools do not address the vulnerabilities of APIs. Cloud-native applications expose many internal API services and developers are increasingly using external API services for their applications. Both internal and external API use expose the workload to new vulnerabilities; more strongly, workload security and API security are really two sides to the same coin. This talk specifically focusses on the security problems and vulnerabilities exposed through APIs. Questions we address include: • What does a developer know about a service before using it? • Does a poorly defined interface expose API service vulnerabilities? • Does the service perform well to begin with? • How does the developer get/maintain an access token? • Do API specs show critical use cases and dependencies? • Can the security impact of an external API service be estimated and managed? • Do the APIs violate the OWASP API top 10? • How can we test against the OWASP API top 10? • Can PII be shared with such services? We show how SecureCN addresses both sides of the security coin: container workload and API security in one tool, and we present actual issues with a live demonstration of SecureCN.

Related topics:

More from this channel

Upcoming talks (12)
On-demand talks (3457)
Subscribers (177640)
This channel features presentations by leading experts in the field of information security. From application, computer, network and Internet security to access control management, data privacy and other hot topics, you will walk away with practical advice for your strategic and tactical information security initiatives.