Apidays Helsinki & North 2024 - There’s no AI without API, but what does this mean for Security? by Timo Rüppell, FireTail.io
APIdays_official
29 slides
Jun 01, 2024
About This Presentation
There’s no AI without API, but what does this mean for Security?
Timo Rüppell, VP of Product - FireTail.io
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Slide Content
There’s no AI without API, but what does this mean for security?
Apidays Helsinki | Timo Rüppell
About Me.
VP of Product at FireTail. A former researcher in theoretical high energy physics. Now focused on API security.
Earlier
● CTO @ Mapita
● Founder @ Sideric
● Lead Dev @ PiggyBaggy
timo@firetail.io
Overview.
What we’ll cover today.
- The Rise of AI & API Proliferation: Why there is no AI without APIs.
- Understanding the Security Risks: How the emergence of AI is changing the game when it comes to API security.
- Best Practices for Securing APIs in an Age of AI: The core principles of an effective API security strategy given the emergence of AI.
- The Bottom Line: A quick recap of today’s key takeaways.
- Q&A: Time to answer any burning questions you may have.
Effective API security is a must for organizations who want to harness the power of AI.
The Rise of AI & API Proliferation.
In November 2023, OpenAI announced a massive expansion of API calling capabilities available via ChatGPT
What Changed?
AIs have been around for decades?
The “assistant” has been around even longer (just ask Jeeves)?
Inflection point in available computation resources, mathematical advances, and a direct-to-platform business model.
Not Just LLMs.
Most news is about LLMs. And most (valid) criticism regarding capabilities is aimed at LLMs.
But LLMs are “just” one niche.
Specific types of models can be far more adept at interacting with APIs.
- LAM: Translating human intentions into actions. Example: Rabbit AI and service integrations. Integrates AI with API communications.
- LCBM: Optimizing LLM output to achieve a desired behaviour. Example: Lirio LBMs aim to make people healthier.
OpenAI’s expansion on API calling capabilities announced in November.
Long term optimism.
Commoditization of Large Models can be relatively fast.
- Compute: Moore’s law is (still) in effect.
- Maths: More efficient training methods. Example: Mamba, a linear RNN, is n log(n) compared to Transformers’ n^2.
Traits of commodities are interchangeability and availability.
Emerging LLM Tech Stack.
There’s no AI without APIs
Source: a16z Enterprise
Now (or very soon) everyone, everywhere, regardless of expertise will have the ability to prod and probe APIs across the globe, at pace and at scale. This will be a game changer for those charged with protecting APIs.
Understanding the Security Risks.
AI & API Security.
AI risks impacting APIs.
- Unsafe AIs: Intentionally or accidentally unsafe AIs finding vulnerabilities in application or business logic, authentication, authorization.
- Bots and data spoofing: APIs processing human-generated content need to make provisions for both large-scale abuse and individual vetting.
AI & API Security.
API risks impacting AIs.
- Injection attacks: You need to carefully sanitize user-provided content that is going to be handed off to an AI integration.
- Resource consumption: You need to protect expensive endpoints from overuse and have robust usage metering.
- Access control: You need to ensure that any data returned by an AI model is correctly authorized.
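The three controls on this slide applied in one request handler, as an added example that is not from the talk or from FireTail's library. It assumes the caller identity was already authenticated upstream; the names (`handle`, `Meter`, `fake_model`), the limits and the sample records are constructed for illustration.

```python
import html
import re
import time
MAX_PROMPT_CHARS = 2000   # assumed input limit
BUDGET_PER_WINDOW = 1000  # assumed per-caller token budget
WINDOW_SECONDS = 60
# Constructed sample records, each tagged with the only caller allowed to read it.
DOCS = [
    {"owner": "alice", "text": "Alice invoice: 120 EUR"},
    {"owner": "bob", "text": "Bob invoice: 480 EUR"},
]

class Meter:
    """Resource consumption: fixed-window usage meter keyed by caller."""
    def __init__(self):
        self.used = {}

    def charge(self, caller, cost, now=None):
        window = int((time.time() if now is None else now) // WINDOW_SECONDS)
        spent = self.used.get((caller, window), 0)
        if spent + cost > BUDGET_PER_WINDOW:
            return False
        self.used[(caller, window)] = spent + cost
        return True

def sanitize(user_text):
    """Injection: bound the size, drop control characters, and escape markup so
    the input cannot close the delimiter that marks it as untrusted data."""
    if len(user_text) > MAX_PROMPT_CHARS:
        raise ValueError("prompt too long")
    cleaned = re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", user_text)
    return "<user_input>" + html.escape(cleaned, quote=False) + "</user_input>"

def authorized_context(caller):
    """Access control: filter before the model sees the data, not after."""
    return [d["text"] for d in DOCS if d["owner"] == caller]

def fake_model(prompt, context):
    """Hypothetical stand-in for the AI integration; returns what it was given."""
    return {"prompt": prompt, "context": context}

def handle(caller, user_text, meter, now=None):
    try:
        prompt = sanitize(user_text)
    except ValueError:
        return {"status": 400}
    if not meter.charge(caller, len(prompt) // 4 + 1, now):  # rough token estimate
        return {"status": 429}
    return {"status": 200, "result": fake_model(prompt, authorized_context(caller))}
```

Delimiting and escaping reduce the room for injected instructions but do not make model output trustworthy, which is why the authorization filter runs on the data before the model is called.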
Best Practices for Securing APIs in an Age of AI.
6 Pillars of API Security.
Enforcement. Authentication, authorization, validation and sanitization directly in your code.
Visibility. Get a complete view of your entire API landscape across your IT fleet.
Assessment. APIs analyzed for configuration settings & security policy. API security posture management.
Discovery. Finding APIs not running FireTail library via network traffic, code repos & cloud APIs.
Observability. Commercial version sends configuration and success / failure events to cloud backend.
Audit. Full & centralized audit trail of all APIs with FireTail library. Search & alert capabilities.
Existing approaches just don’t cut it.
API Call Log Visibility
Where to spend your time.
[Diagram, shown in successive builds: Request and Response between a Consumer and a Server across the Internet, with GW/Proxy, WAF, Rate limiting, AuthN, Sanitize, Validate and AuthZ stages ahead of Fetch Data / Modify Data / Execute Function, plus a Third party API. Numbered markers (1, 2, 3, 4, 5, 6, 7 and 10) appear on the diagram build by build.]
1. BOLA.
2. Broken AuthN.
3. BOPLA.
4. Unrestricted Resource Consumption.
5. BFLA.
6. Unrestricted Process Access.
7. SSRF.
8. Misconfiguration.
9. Improper Inventory Management.
10. Unsafe consumption of APIs.
The Bottom Line.
The scale of the risk and the frequency of attacks are growing due to AI. The nature of the threat is evolving but the same core risks persist.
Questions.
FireTail is headquartered in Northern Virginia, USA, with additional offices in Dublin, Ireland and Helsinki, Finland. FireTail is backed by leading cybersecurity investors Paladin Capital, Secure Octane, General Advance and Zscaler. For more information, please visit www.firetail.io.