When it comes to the surge in API hosting and usage, I can’t say it better than OWASP:
A foundational element of innovation in today’s app-driven world is the API. From banks, retail and transportation to IoT, autonomous vehicles and smart cities, APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.
When you start digging into it, it’s amazing how many APIs are out there, how many different APIs a given business process may involve, and the speed at which they are updated.
This subject is important even if you aren’t aware of any APIs your organization hosts – because we all use APIs.
In this real training for free session, I will start with explaining and providing some examples of simple REST APIs. REST is an architectural style – not a tightly specified protocol – that uses http requests to accomplish stateless function calls.
In the old days, API were usually accomplished by linking to a partner-supplied DLL and making c-style function calls into the library. Today, APIs typically don’t run on the local system but somewhere out there in the cloud at a DNS endpoint. And instead of a clang function call we make an HTTP GET, POST, PUT, or DELETE to the API endpoint. The function is usually identified in the URL and the parameters may be sub components of the URL path or in query parameters that appear after the ? in the URL. I’ll demonstrate some simple examples in the webinar.
Next comes security. And API security has many facets. Using a combination of recent API breaches and elements from the OWASP API Security Top 10, I will introduce you to issues including
- API authentication
- API authorization at the function, object and property level
- Input validation – just like with a web application – you can’t trust anything coming into your application
- Output filtering – there are more and more tools out there to automatically generate API code for you but I’ll show you the disastrous consequences of unsupervised use of such tools
- Call limits – it’s not just about resource utilization
- Differentiation between admin and user APIs
This will be a technical webinar where you’ll see the actual HTTP back and forth between AI client and server. A10 Networks is our sponsor and Carlo Alpuerto, Systems Engineering Manager at A10, will briefly discuss different approaches to API security and do a high-level demo of the A10 TX Protect WAAP solution. The topic of API security is often looked at from two angles:
- A protective stance: Where we will apply our focus today
- Addressing vulnerabilities in the APIs themselves
The ultimate goal is to keep the applications running. Maintain the bottom line.
We will also discuss how API protection differs from general web application protection, covering topics such as:
- Users vs. integrations
- Behavior tracking and a risk-based approach
- Continuous discovery of APIs
- Keeping up with it all: DDoS, bots, and WAF functionality
- Defense in Depth
- How and where to get help
Please join us for this real training for free session.