Positive Security for APIs: What it is and why you need it!
Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or output validation. Here are a few illustrative real-life examples of this:
(1) Drupal suffered a major issue in February 2019: a remote code execution flaw due to a parameter not properly validated.
(2) Tchap, the brand new messaging app of the French government was hacked in an hour due to the lack of validation of the registration email.
(3) CVE-2017-5638, better known as the “Equifax attack”. This vulnerability in Apache Struts could be exploited by crafting a custom Content-Type header and embedding OGNL expressions in the header value.
(4) Cisco got fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product, which included API vulnerabilities, to US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication.
To protect APIs from such issues, an API-native, positive security approach is required: we create an allowlist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, min or max length, permitted characters, or valid value ranges. But how do we fill the gap between security and development mentioned above?
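The allowlist idea described above, as an added example that is not part of the original webinar description or 42Crunch's own code: a minimal positive-security validator in Python. The contract for a hypothetical POST /users endpoint and the sample request are constructed for illustration; the constraint keywords mirror OpenAPI/JSON Schema, but the checker is hand-written and rejects any field the contract does not declare.

```python
import re

# Constructed allowlist for a hypothetical POST /users endpoint: only the fields
# declared here, with exactly these shapes, are ever accepted (OpenAPI-style keywords).
USER_CONTRACT = {
    "username": {"type": str, "minLength": 3, "maxLength": 32,
                 "pattern": r"^[A-Za-z0-9_]+$"},
    "email":    {"type": str, "maxLength": 254,
                 "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
    "age":      {"type": int, "minimum": 0, "maximum": 150},
}
REQUIRED = {"username", "email"}


def validate(payload, contract=USER_CONTRACT, required=REQUIRED):
    """Return a list of violations; an empty list means the request is allowed."""
    errors = []
    # Positive model: anything not declared in the contract is rejected outright.
    for field in payload:
        if field not in contract:
            errors.append(f"{field}: not in allowlist")
    for field in sorted(required - set(payload)):
        errors.append(f"{field}: required field missing")
    for field, rule in contract.items():
        if field not in payload:
            continue
        value = payload[field]
        # bool is a subclass of int in Python, so reject it explicitly for ints.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if isinstance(value, str):
            if len(value) < rule.get("minLength", 0):
                errors.append(f"{field}: shorter than minLength")
            if len(value) > rule.get("maxLength", float("inf")):
                errors.append(f"{field}: longer than maxLength")
            if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors.append(f"{field}: does not match pattern")
        else:
            if value < rule.get("minimum", float("-inf")):
                errors.append(f"{field}: below minimum")
            if value > rule.get("maximum", float("inf")):
                errors.append(f"{field}: above maximum")
    return errors


if __name__ == "__main__":
    # Constructed request carrying an undeclared field and an out-of-range value.
    print(validate({"username": "alice", "email": "a@b.io", "age": 200, "role": "admin"}))
```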
What you’ll learn:
• Why WAFs fail in protecting APIs
• How an allowlist protects against A3, A6 and A8 of the OWASP API Security Top 10 (with real-life examples)
• How to build a proper allowlist for API security
🔴 Subscribe for more webinars on API security: https://www.youtube.com/c/42Crunch?sub_confirmation=1
✅ Webinar Follow-up and Free API Security Tools:
Webinar Follow-up Materials: https://42crunch.com/webinar-positive-api-security-model/
API Security News: https://apisecurity.io/
Free API Security tools: https://42crunch.com/free-tools/
✅ OWASP API Security Top 10 Tools:
42Crunch OWASP Solutions Matrix: https://42crunch.com/wp-content/uploads/2022/04/42Crunch-OWASP-Datasheet.pdf
OWASP API Security Top 10 Cheat Sheet: https://42crunch.com/wp-content/uploads/2022/04/owasp-api-security-top-10-Cheat-Sheet-A4.pdf
✅ Keep up with 42Crunch:
LINKEDIN: https://www.linkedin.com/company/42crunch
TWITTER: https://twitter.com/42crunch
FACEBOOK: https://www.facebook.com/42crunch
Video "Positive Security for APIs: What it is and why you need it!" from the 42Crunch channel
Video information
13 December 2019, 4:46:50
00:51:03