API Management Security Webinar Tackles Thorny Issues

Share Article

Intel, Barracuda Networks and Blackhat collaborate to discuss API management related security vulnerabilities and mitigation strategies.

Intel Expressway API Manager

Intel Expressway API Manager

Enterprises are increasingly using API management platforms to send and receive data across multiple digital channels, including mobile applications, partner B2B services, internal applications servers, packaged applications, and desktop applications. As channels become more public, catering to zero-trust third party developers, Enterprises have to raise their security acumen around authentication, authorization, attack protection, perimeter security and API data leak protection.

"Abusing Web APIs: The Mobile and Server Side Dilemma for the Enterprise," will be held on Thursday, December 5th, at 9:00a PST / 12:00p EST. It is being presented jointly by Blake Dournaee, Senior Product Manager in Intel’s Datacenter Software Division, and Daniel Peck, research scientist at Barracuda Networks.

For more information on the one-hour webinar please visit register here.

Webinar Details:

APIs are quickly becoming the unifying language of data communication for mobile apps, carrying sensitive Enterprise information in each API call. One key area of concern is the use of embedded API keys, which can create a "DRM problem" for apps distributed to mobile devices, as access keys often come along for the ride. As Enterprise API adoption increases, applying consistent security policies and general corporate visibility into API security vulnerabilities from client to the server takes center stage.

To illustrate the issues, we dive into an example of abusing web application APIs through the use of associated Android apps. We'll demonstrate using the JVM based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a frictionless mobile experience, such as removing the need for captchas, email validation, and other usage restrictions. We'll conclude with examples server side API Gateway design patterns that can simplify management of API security through the use of step-up authentication such as one-time passwords, mutual SSL, 2-way OAuth, and confidential client credentials. The combination of evolving API access mechanisms with proven Enterprise security protocols and practices can mitigate API security risks.

Webinar Presenters

Daniel Peck is a research scientist and data junkie at Barracuda Networks, he is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content and non content based systems to identify malicious accounts on Twitter/Facebook, exploiting programmable logic controllers, and identifying/classifying malicious javascript. Peck has a Bachelor's of Science in Computer Science from the Georgia Institute of Technology.

Blake Dournaee is currently the Sr. Product Manager responsible for Intel Expressway line of API Gateway and Data Protection software products. Blake was a specialist in applied cryptography applications at RSA Security and is frequent speaker at API and PCI-DSS conferences. Blake co-authored the first book on XML security "SOA Demystified" from Intel press. Blake blogs at Intel's Application Security site

About Intel’s Secure Enterprise API Gateway

Intel’s comprehensive API management platform includes the market-leading Expressway API Gateway and Tokenization Broker technology that provides proven strength in enterprise grade security, mobile-middleware, performance, service integration and data compliance. The security gateway functions provide robust API perimeter security, distributed denial of service protection, API attack protection, resource protection, high-assurance step-up authentication for API calls, authorization, and FIPS compliant cryptographic module support. The tokenization broker also offers data protection at the field level for personally identifiable information (PII) and payment card information (PCI ) as it flows between applications through the use of APIs. The gateway forms the basis of a robust governance layer that can help mitigate API related security threats at the Enterprise perimeter, private cloud, hybrid cloud, or as data is sent and received from public cloud API services.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Todd Cramer
Visit website