Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, Graylog

APIdays_official 65 views 15 slides May 05, 2024

About This Presentation

API Discovery - From Crawl to Run
Rob Dickinson, VP of Engineering - Graylog

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays...


Slide Content

Slide 1: API Discovery - From Crawl to Run


Slide 3: About me
I am Rob Dickinson, VP of Engineering at Graylog. Based in Boulder, CO 🏔️ 🇺🇸
[email protected]
linkedin.com/in/robfromboulder

Slide 4: Why does API discovery matter?
- API security starts with discovering your attack surface
- Need metrics to quantify risk & alert on changes in risk
- Can't have metrics without agreeing what to count
- "We currently have X APIs, where Y are new, and Z need immediate attention" 🤩

Slide 5: Stages of API discovery
- Create an API inventory
- Track changes to your API inventory
- Track changes in risk metrics for your API inventory

Slide 6: Challenges in counting APIs
- API best practices are not well-understood 🥇
- APIs are dark compared to websites & email integrations 🔦
- APIs often have a fast rate of change 🏎️
- APIs have different development cultures 🤔
- "API" is loosely defined, making them hard to quantify 🤮

Slide 7: API discovery example

POST coinbroker.io/user
{ "first_name": "Rob", "last_name": "Dickinson", "email": "[email protected]" }

GET coinbroker.io/quote
{ "account_token": "4b86cd3f-ccaf-445b-b099", "amount_usd": "6", "coin_type": "BTC" }

POST coinbroker.io/order
{ "account_token": "4b86cd3f-ccaf-445b-b099", "quote_token": "552cd9da-2ff4-4dfe-b2eb" }

How many APIs are present here?
Answer: 1 🤔
Answer: 3 😖

Slide 8: Reasonable ways to count APIs
- Count fully qualified domain names (FQDNs)
- Count FQDN + method + path (unique routes)
- Count API hosts/containers (physical & virtual servers)
- Count vendor/supplier/customer integrations (internal vs external)
- Count specifications (OpenAPI) 💪

Slide 9: OpenAPI to the rescue
(Same three coinbroker.io requests as slide 7: POST /user, GET /quote, POST /order.)

How many APIs are present here?
1 API, 3 paths 😎

Slide 10: Tracking changes in APIs
Now we need to count APIs by lifecycle state:
- "Rogue" or "unmanaged" APIs are new & need review
- "Prohibited" or "banned" APIs are not approved for use
- "Monitored" or "supported" APIs are actively maintained
- "Deprecated" or "zombie" APIs have newer versions
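As an added example (not from the talk and not Graylog's code), the counting and lifecycle ideas of slides 7 to 10 carried out in Python over a constructed log of observed requests and a constructed OpenAPI-style spec: it counts the traffic by FQDN and by unique route (FQDN + method + path), then labels each observed route as monitored, deprecated or rogue by checking it against the spec. The /v1/quote and /admin/users paths, the spec contents and the request log are assumptions built around the slide's coinbroker.io example.

```python
from urllib.parse import urlsplit
# Constructed sample traffic ("METHOD URL" per line) modelled on the slide's
# coinbroker.io examples; not real traffic.
OBSERVED = """
POST https://coinbroker.io/user
GET https://coinbroker.io/quote
POST https://coinbroker.io/order
GET https://coinbroker.io/quote
GET https://coinbroker.io/v1/quote
GET https://coinbroker.io/admin/users
""".strip().splitlines()
# Constructed OpenAPI-style spec: the slide's "1 API, 3 paths", plus a deprecated path.
SPEC = {
    "servers": [{"url": "https://coinbroker.io"}],
    "paths": {
        "/user": {"post": {}},
        "/quote": {"get": {}},
        "/order": {"post": {}},
        "/v1/quote": {"get": {"deprecated": True}},
    },
}

def parse(lines):
    """Turn 'METHOD URL' lines into (method, fqdn, path) route tuples."""
    routes = []
    for method, url in (line.split(None, 1) for line in lines):
        u = urlsplit(url)
        routes.append((method.upper(), u.hostname, u.path))
    return routes

def count_apis(routes):
    """Two of the slide's counting methods: distinct FQDNs versus unique routes."""
    return {"fqdns": len({r[1] for r in routes}), "routes": len(set(routes))}

def classify(routes, spec):
    """Label each distinct observed route with a lifecycle state from the spec."""
    host = urlsplit(spec["servers"][0]["url"]).hostname
    known = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            known[(method.upper(), host, path)] = op.get("deprecated", False)
    states = {}
    for route in set(routes):
        if route not in known:
            states[route] = "rogue"       # seen at runtime but in no spec: needs review
        elif known[route]:
            states[route] = "deprecated"  # still called although a newer version exists
        else:
            states[route] = "monitored"   # in the spec and actively maintained
    return states
```

The six sample requests count as one FQDN but five unique routes, and the route not in the spec (GET /admin/users) is the one that surfaces as rogue and needs review.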

Slide 11: Graylog API Security
For continuous discovery, self-describing APIs are best. Expose an introspection route that provides the API spec!

Slide 12: Quantifying API risks
- How have recent changes affected the API attack surface?
- Runtime behaviors/configuration bring unforeseen risks
- Threats can arise from inside or outside the organization
- There is no standard way to calculate risk scores
- Request and response should be included in risk scores
- Risk scores should be calculated across lifecycle groups

Slide 13: Risk scoring with Graylog


Slide 15: Thank you
For additional information regarding Graylog API Security please visit: graylog.org/products/api-security/