Transcript
Hello, everyone.
Good day.
This is Pavan Vovveti.
Welcome to Conf42 Incident Management 2024.
Today, I'm going to talk about the role of API security in
modern enterprise platforms.
Let us explore the security challenges, best practices, and future trends in securing APIs.
Before I even go there, I have a disclaimer: the views and opinions expressed in this presentation are my own and do not represent the views or official position of my current and previous employers.
The content is based on general industry knowledge and
publicly available information.
No proprietary or confidential information will be shared during this talk.
Thank you.
A little bit of background about me. I'm a seasoned technology professional with over 15 years of experience in application development across diverse industries. Academically, I hold a master's degree in computer science from Staffordshire University, England, UK. My expertise lies in blending robust security measures with cutting-edge development practices, ensuring the seamless integration of security into the development life cycle. I have over 10 years of focused experience in security, particularly in application security, platform architecture, and API security.
What I'm going to talk about today: an introduction to API security challenges, the best practices and industry guidelines for API security, implementing security across the API lifecycle, and the various tools and technologies available in the industry to enhance the security posture within the organization. I have two case studies to talk about. One is a large financial organization and how it successfully implemented security by following the security guidelines; the other is the lessons learned from a security breach. Then the future trends in API security, and then the conclusion.
Let's deep dive into the introduction to API security. APIs have become the backbone of modern enterprise platforms, playing a pivotal role in enabling seamless integration and communication, component to component or system to system. They allow businesses to connect applications, services and platforms efficiently, supporting a range of operations from cloud computing to mobile app integrations. However, this very interconnectedness exposes organizations to significant security risk. APIs often handle sensitive data like personal user information or business intelligence, and can become prime targets for cyber attacks if not adequately secured. Saying that, as APIs become more integral to business processes, ensuring their security is not just a technical concern but a critical business priority. The consequences can be severe, ranging from data breaches to huge financial losses. Sometimes it even damages the reputation of the company or organization, and there can be regulatory penalties.
What are the challenges we have in the industry? These are the main challenges I put here to discuss, within the timeframe available. Authentication and authorization: ensuring only authorized users can access resources. What does it mean? Any user interacting with any of our systems to get data: does the user have access to the data which we are going to provide from the company APIs, or from any service we provide to retrieve data from our data servers or data storage? Is the user allowed? Does that person have the permissions, related to the groups they belong to or to the policies? How do we make sure this user is the right user to receive the data we are providing? And also, of course, the authentication methods can expose APIs to unauthorized access. Before we even authorize the user, we need to authenticate the user: is that person the same person who registered with us? The second one is data encryption.
Data in transit must be encrypted to prevent interception.
Weak encryption protocols can leave data vulnerable to man in the middle attacks.
For any API-to-API communication, data encryption at rest will prevent the man-in-the-middle attack. Say, for example, API 1 is calling API 2, and a bad actor in the middle intercepts the HTTP request or response over the network to get the data. If we encrypt the data, it will be more difficult for the bad actor to get the data and process it.
And there is one more: rate limiting, preventing abuse and denial-of-service attacks by controlling the number of API requests made within a time frame. Misconfigured rate limits can either throttle legitimate traffic or expose APIs to overload. What is the rate limit? For any API I have, I can configure how many requests per second or per minute it can have, as per my business requirements or business needs, for the interaction with my lowest possible data storage or any other system I retrieve data from. I can configure the rate limit: my API is going to have only 50 requests, or a hundred requests, per second. So that when the number increases all of a sudden, I know that is abuse, maybe a distributed denial-of-service attack, so that I can shut off my API and prevent the security loss. And then API versioning.
Managing multiple API versions securely, especially when older versions are deprecated, ensures that outdated versions don't become security vulnerabilities. What does it mean? Over the period, my business might be growing, my customer base is increasing, so I may need to provide more features and more functionality to the user to give the best user experience. In that journey, I might create more APIs. When I create more APIs, my attack surface will be bigger; my risk is going to increase. So how do I make sure my APIs are not vulnerable when I have so many API implementations in that journey? API versioning is crucial in that manner. Say I have feature one implemented in V1 of API one, and I have feature two and feature three implemented in API version two. Instead of keeping V1 and V2 when there is a need for V3 again in the future, I deprecate my V1, I club feature one, feature two, feature three, and feature four into API version three, and I keep N minus one for support to the customers, basically giving our clients and consumers some time frame to migrate from V2 to V3, so that I always have N and N minus one as the live API versions available for the consumers.
So let's talk about the best practices for API security: implementing OAuth2, TLS and encryption, an API gateway, and regular audits. What does it mean? OAuth2 is a token-based authentication protocol; it enables secure access by allowing users to authenticate without exposing passwords. What does it mean? Before I even hit any API, I hit a token server; the token server, the token management system, gives a token with a minimum expiry time, say one minute or 30 seconds. We can configure that according to the organizational policy or organizational situations. The token management system basically provides two things: one is generation of the tokens, and the other is destroying the tokens once the operation is completed by the user.
And TLS encryption: transport layer security should be enforced for all API traffic to protect data in transit from interception or manipulation. TLS communication, component to component or system to system: if there is no API, or even if an API is involved, we can have mutual TLS. TLS 1.3 is the latest, but the most widely used TLS encryption version is 1.2. 1.3 is the most secure nowadays, and everyone is moving to 1.3; it is a more enhanced version of security. And then the API gateway: the API gateway provides a centralized way to provide the policies, or to enforce the policies, across whatever APIs or services are available under the API gateway.
So what does it do? Basically, I have my API deployed on some platform. I don't need to expose the endpoint URL, where, by looking at the API endpoint URL or backend service URL, I can tell: is this deployed in AWS? Is this deployed in Azure? Is it deployed on any other cloud platform, or on Pivotal Cloud platform? Without exposing the API endpoint details, I can mask that endpoint URL with the API gateway URL so that it will be generic for them. Internally, I configure my backend service into the API gateway URL so that any public user, or anything exposed to the internet, may not know where I deployed my service in the backend.
And then logging, rate limits, logging: what kind of data am I logging into any logging servers, enterprise-wide? Am I logging any sensitive data? Am I masking the data? How are we maintaining the logging levels: info, warn, debug, error? How am I logging my data based on my environments, based on my log levels? Regular audits are nothing but continuous monitoring; regular security audits help identify and resolve vulnerabilities before they are exploited by attackers. Regular audits help us to even go further in the design. Sometimes in the audits we can even think of redesigning a system, or any component within the ecosystem.
Let's talk about implementing security across the API lifecycle: security by design. Security by design means: in previous days, 10 years ago or five years ago, security was a part of the NFRs, the non-functional requirements. But nowadays, shifting left even further, at the design level we think of the security posture and we integrate security from the earliest stages of development, so that it ensures any API we build is secure and stable. Basically, we do not want to have that afterthought where, after the development, we go and review; proactively, we wanted to shift left to the design level so that we do not miss anything or expose our APIs after the development. Code reviews and penetration testing: regular code reviews help us to identify vulnerabilities even before, by having penetration testing or scanning like static scans or dynamic scans, or even manual audits or manual scans by security experts, before we deploy or move to the higher environments within the ecosystem. Static code analysis and dynamic testing in development and pre-production environments help us to reduce the security vulnerabilities.
DevSecOps collaboration.
Adopting a DevSecOps approach integrates security into the
entire API development lifecycle.
By fostering collaboration between development, security and operations teams, organizations can ensure continuous security improvements throughout the lifecycle.
Thank you.
So how do we achieve that? Through the CI/CD pipelines. In the CI/CD pipelines, while building the source code itself, I can integrate so many things into the pipeline. Say, for example: do I have any hard-coded values, static codes, secrets or passwords in the source code, in my code? I can check that with the many tools available in the market. I can even ask: does my .class or Java class, or whatever technology you're using, do any of these classes have constants or secrets or passwords exposed in the source code? At that one level we can even stop the deployment to the development environment or QA environment before we make it. We build and package it, make a jar available as an API, or for further products or third-party vendors or third-party products. We can integrate the automation test suites, or security automation test suites, to check the API endpoints and the implementation of the tokens: how are the token configurations done at the API properties level? The configuration reading and the integration testing or any other test suites we can run, and then move to the further, higher environment. Then finally into production deployment, so that we can reduce any vulnerabilities or any threats happening at the core level; by CI/CD automation integration or scans, we can avoid those.
Post-deployment monitoring is very important: even after deployment, API security requires constant vigilance, like putting alerts or notifications or warnings on what threshold or what throughput we have at the API level. Implement real-time monitoring tools to detect suspicious activity. Anomaly detection: we have so many tools available to see anomalies or do bot detection, to catch any potential threats before they cause significant damage.
Let's talk about the tools and technologies: API security testing tools. OWASP ZAP can identify vulnerabilities, while fuzzers test the robustness of API endpoints. How are we going to test? I can even integrate any of the test scanners, like GitLab provides GitLab Duo, or we can actually put them into our source code itself. We have the security management report, security tools, or how are we maintaining the dependency management: what versions are we on, what patches or versions are available? We can have those by integrating these security testing tools so that we will not be vulnerable; our code is not vulnerable to the bad actors. Web application firewalls: tools like AWS or Azure also provide them. The WAF protects APIs from SQL injection, cross-site scripting, and many other attacks. API management platforms: solutions like API gateway products, Google has many API gateways, or AWS has them, or MuleSoft or Kong. These kinds of API management platforms provide centralized security controls, and we can enforce the common policies in a consistent manner within the ecosystem in the organization. We can enforce policies like rate limiting or streaming. How are we streaming any bigger data, like in any order management where I have more than 20 MB going through the API gateway? I can stream that by having a few security policies enforced. Threat intelligence platforms: real-time threat intelligence platforms help detect and block threats specific to API vulnerabilities.
Let us touch upon case study one, the successful implementation: how a large financial services company implemented OAuth2 authentication, an API gateway, these security controls, TLS, and also continuous monitoring, whatever we discussed earlier. Over two years, the measures resulted in a 70 percent reduction in API-related security incidents, significantly improving the company's overall security posture. Case study two: what are the lessons we learned from a breach? There was an API breach in a social media platform recently, on an unsecured API endpoint. This is where it is very important to have API security from defining the API endpoint: where is it configured in the API gateway, how is my API retrieving the data from the data store, and to whom am I giving it? Are they authorized, are they authenticated before we give the data? Does this data belong to the same user who requested it? We need to verify that before we even pass it, before we even share it over the network. Lessons learned: the breach highlighted several key issues. The importance of strong authentication and authorization mechanisms, such as OAuth2, to prevent unauthorized access. The need for regular security audits and API endpoint reviews to identify exposed or weakened points. Implementing rate limiting and IP filtering could have reduced the scale of the breach by limiting the number of requests from malicious actors.
The future trends in API security. We can make use of AI and ML. Artificial intelligence and machine learning can be used to detect anomalies in real time and predict potential vulnerabilities. And even further, there are so many elements available in the market. Any cloud platform exposes an AI. We can basically send our source code in a string format and prompt the LLMs: give me the security analysis of this API. Does this API have any potential vulnerabilities? Give us the risk analysis of authentication and authorization: are my tokens properly implemented in this class? So I can even get a security analysis report by prompting the LLMs: is there any code vulnerable to the bad actors? I can even ask that.
Zero trust architecture and quantum computing. Zero trust architecture: what is zero trust architecture? Say I have a three-tier architecture in my company. I have a front line, I have an API gateway, I have a backend service, and then a data store or data centers. Any request comes from the front line: a user logs into the company's website, is authenticated and authorized through the API gateway, and hits the API. Behind it are the backend services: API 1 is calling API 2 and API 3, and maybe my API 3 is calling multiple third-party services to get the data, pull the data, or manipulate and massage the data to give the response back to API 1, which serves the front-line web page. In this case, layer-to-layer security is very important. How am I protecting each layer by implementing tokens, or by having a public/private key pair? How am I doing the tokens: am I signing the tokens with my private key so that the other system can validate my tokens, can verify my signature with the public key, and then allow the request to serve me, to serve my API request, API 1 to API 2 to API 3? If I protect that, I'm narrowing down my risk by implementing zero trust architecture within this ecosystem. So how do I do that? Any bad actor comes into the network; even if the bad actor comes into the network, we are minimizing the risk by having layer-to-layer security, layer-to-layer implementation of the tokens.
The API composition security.
As APIs are chained together in complex systems, securing these
composite APIs will be crucial.
The conclusion. In conclusion, API security is more than just a technical requirement. It is a critical business imperative that ensures the integrity, confidentiality, and availability of the data and systems powering modern enterprises. These case studies, whatever we discussed so far, must be prioritized within the organization to achieve the highest level of security at every stage of the API lifecycle. Looking to the future, staying ahead of emerging threats like quantum computing, using AI technologies or the several API security testing tools, and bringing AI into security strategies will be essential for maintaining secure and scalable API infrastructures. The balance between innovation and security is key to driving long-term business growth.
With this, I hope you enjoyed my talk, that you listened to some of my guidelines, and that you make use of them in your organization. Thank you so much for joining me, and enjoy the rest of the talks at Conf42 this season. Thank you so much.
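The layer-to-layer token scheme the talk describes (API 1 signs a short-lived token with its private key; API 2 validates the signature with API 1's public key and only then serves the request), worked through as an added example appended after the transcript. It is not part of the talk or the speaker's material. The claim names, the service names api-1/api-2/api-3, the 30-second lifetime and the choice of Ed25519 are assumptions for illustration, and a compact payload.signature format stands in for a full JWT.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a hypothetical minimal claim set for a service-to-service token:
// issuer, intended audience, subject, issued-at and expiry as Unix seconds.
type Claims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Subject  string `json:"sub"`
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// NewKeyPair generates the Ed25519 key pair a service owns; it keeps the
// private half and registers the public half with the services it calls.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueToken is the caller's side (API 1): serialise the claims, sign them
// with the private key, and return "<payload>.<signature>".
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	body := enc.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(body))
	return body + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is the callee's side (API 2): check the signature with the
// issuer's public key before trusting anything in the payload, then check
// issuer, audience and expiry against this service's own expectations.
func VerifyToken(pub ed25519.PublicKey, token, wantIssuer, wantAudience string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, []byte(parts[0]), sig) {
		return Claims{}, errors.New("signature verification failed")
	}
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if c.Issuer != wantIssuer {
		return Claims{}, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	if c.Audience != wantAudience {
		return Claims{}, fmt.Errorf("token not intended for %q", wantAudience)
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Short-lived token (30 seconds, as the talk suggests), scoped to API 2 only.
	tok, _ := IssueToken(priv, Claims{Issuer: "api-1", Audience: "api-2", Subject: "user-42",
		IssuedAt: now.Unix(), Expires: now.Add(30 * time.Second).Unix()})
	_, err = VerifyToken(pub, tok, "api-1", "api-2", now)
	fmt.Println("fresh token accepted by API 2:", err == nil)
	_, err = VerifyToken(pub, tok, "api-1", "api-2", now.Add(time.Minute))
	fmt.Println("same token after expiry rejected:", err != nil)
	_, err = VerifyToken(pub, tok, "api-1", "api-3", now)
	fmt.Println("same token replayed to API 3 rejected:", err != nil)
}
```

The order inside VerifyToken matters: the signature is checked before the payload is even decoded, so a bad actor on the network who tampers with the claims, or who mints a token with a key API 2 has never been given, is rejected without any claim being trusted. The audience check is what stops a token issued for API 2 from being replayed against API 3, and the expiry check is what limits the window in which a stolen token is useful.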
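The rate-limiting point from the talk (a configured budget such as 50 requests per second per API, and a sudden spike far above it treated as abuse and shut off), worked through as an added example appended after the transcript, not the speaker's code. It uses a token bucket per client and blocks a client after a run of consecutive rejections; the parameters, the client names and the traffic it replays are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// bucket is per-client token-bucket state plus an abuse counter.
type bucket struct {
	tokens   float64
	last     time.Time
	rejected int
	blocked  bool
}

// Limiter admits at most rate requests per second per client (burst of burst
// tokens) and cuts a client off after blockAfter consecutive rejections.
type Limiter struct {
	rate, burst float64
	blockAfter  int
	buckets     map[string]*bucket
}

func NewLimiter(rate, burst float64, blockAfter int) *Limiter {
	return &Limiter{rate: rate, burst: burst, blockAfter: blockAfter, buckets: map[string]*bucket{}}
}

// Allow reports whether a request from client arriving at now is admitted;
// the clock is a parameter so logged traffic can be replayed deterministically.
func (l *Limiter) Allow(client string, now time.Time) bool {
	b, ok := l.buckets[client]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[client] = b
	}
	if b.blocked {
		return false
	}
	// Refill in proportion to elapsed time, capped at the burst size.
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		if b.tokens += elapsed * l.rate; b.tokens > l.burst {
			b.tokens = l.burst
		}
		b.last = now
	}
	if b.tokens >= 1 {
		b.tokens--
		b.rejected = 0
		return true
	}
	b.rejected++
	if b.rejected >= l.blockAfter {
		b.blocked = true
	}
	return false
}

// Request is one entry of a constructed access log: who called, and when.
type Request struct {
	Client string
	At     time.Time
}

// Replay feeds logged requests through the limiter in order and returns
// admitted and rejected counts per client.
func Replay(l *Limiter, reqs []Request) (allowed, denied map[string]int) {
	allowed, denied = map[string]int{}, map[string]int{}
	for _, r := range reqs {
		if l.Allow(r.Client, r.At) {
			allowed[r.Client]++
		} else {
			denied[r.Client]++
		}
	}
	return allowed, denied
}

// SampleTraffic is constructed input: client-a sends 5 requests per second
// for 3 seconds; client-b fires 300 requests inside a single second.
func SampleTraffic() []Request {
	t0 := time.Unix(1700000000, 0)
	var reqs []Request
	for i := 0; i < 15; i++ {
		reqs = append(reqs, Request{"client-a", t0.Add(time.Duration(i/5) * time.Second)})
	}
	for i := 0; i < 300; i++ {
		reqs = append(reqs, Request{"client-b", t0})
	}
	return reqs
}

func main() {
	l := NewLimiter(50, 50, 100) // 50 req/s, burst 50, cut off after 100 rejections in a row
	allowed, denied := Replay(l, SampleTraffic())
	fmt.Println("client-a allowed/denied:", allowed["client-a"], denied["client-a"])
	fmt.Println("client-b allowed/denied:", allowed["client-b"], denied["client-b"])
	fmt.Println("client-b admitted 10s later:", l.Allow("client-b", time.Unix(1700000010, 0)))
}
```

With these parameters the steady client is never throttled, while the flooding client gets its first 50 requests through, is rejected for the remaining 250, and stays cut off even once its bucket would have refilled. The blockAfter threshold is the lever the talk describes for separating a legitimate burst (throttled, then readmitted) from abuse (shut off), and the same replay function can be run over a real access log to tune the two numbers before they go into a gateway policy.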