As heard on the DevOps Speakeasy Podcast.
Read below for the full transcript.
Interviewer: With me is Giora Engel. Welcome, Giora.
Giora: Thank you.
Interviewer: And thank you for joining. And I understand you're a speaker at Kong Summit, so let me start with the question: what was your talk about?
Giora: So, my talk was about API security. It's a topic where everybody's implementing APIs, everybody's creating all sorts of capabilities on APIs, everybody has some security capabilities during the development life cycle. But typically, monitoring the actual product after it's implemented is missing. So, that was the main topic of the discussion, how to monitor it.
Interviewer: And we heard just today in the opening keynote, Reza (VP Product Management at Kong) mentioned that some of the worst security breaches were done through unsecured APIs. So, I guess this is something that is on your mind as well. If I take an existing solution, not trying to reinvent the wheel, just go with the best, go with Kong Gateway, isn't that enough for assuming that my security is airtight and I'm all set?
Giora: So, it's not enough, but not because Kong is good or not good. I mean, it's a matter of layers that you need to build. On one hand, you need to implement the basics. You need to implement authentication, authorization, SSL termination and all these policies. And for that, you need an API gateway. But even your authenticated APIs can be compromised and can be abused. And for that, you need to be able to see how these APIs are being used and what's going to happen as a result. So, even if your API is authenticated, it means that your Kong or the whole stack basically will pass it through, but it doesn't mean that it's good. It can still abuse your platform.
Interviewer: You mean by social engineering, by getting access to their privileges, and then using them to attack?
Giora: So, let me give you an example. One common example is account takeover where somebody's stealing your token or your credentials. And it can be an end user or it can be a business partner, like a B2B API type of thing. But even if it's the legitimate user, there could be all sorts of scraping attacks and just using the APIs in a way that they're not intended for, which are still attacks. So, even perfectly written APIs can be abused.
Interviewer: Oh, that makes sense. If you just use it for malicious intent instead of using them for good or for the business.
Giora: That's, of course, on top of all these vulnerabilities and other ways of exploiting the APIs that can be solved. I mean, there are ways that can be solved by improving the APIs, and there are some aspects of it that can never be solved, like, before it happens. Before it...
Interviewer: Because it's human behavior and not something the machine does.
Giora: Because API is...I mean, the concept of developing and creating more APIs is really in order to create more and more services that people can consume. So, we deliver all these services, we expose them to the outside. It's all by design. But we need to remember that it exposes our core business. I mean, patient data, financial transactions, all these critical things.
Interviewer: Which can be used for good or for bad.
Giora: For good or for bad.
Interviewer: Okay. So, what can we do? It sounds like I did what I could. I took the best and more secure gateway, API Kong, and I used the correct providers for authentication, authorization. I secured everything as needed, and it's just being abused. It's not something that we can prevent, can we?
Giora: So, it's possible to actually prevent the abuse, and it all starts with the right visibility. Or some people call it observability, but the term doesn't really matter. At the end of the day, you need to be able to see all these API calls, and not just see logs that don't mean anything, you need to see the right user context and be able to go back and see what happened. When you have that level of visibility, you can build additional controls on top of it.
So, the first one is API discovery. Discovering your API basically means creating your inventory of APIs. So, it's very common to see that you have many different APIs. But they're not static. They change every day. So, creating the full inventory and understanding where new APIs are being introduced is critical to securing the APIs. So, API discovery is one aspect. Then the second aspect is about finding your posture issues, like sorts of vulnerabilities, misconfigurations, and so on. And that you can do by, again, observing the traffic and finding places where you can improve the API so that you can reduce the attack surface. And then the third component is behavioral analytics, understanding the user behavior.
Interviewer: Great. Great. So, you need to look at what they're doing and understand in the context if that's legit behavior or there is something going on.
Interviewer: I guess, for example, rate limiting is one of those behavioral analyses, when you need to decide that 5 requests per period of time is fine, but 500, something fishy is going on.
Giora: Yes. So, what's really interesting about rate limiting is that just setting a threshold by itself is typically not enough. It's important for protecting your infrastructure of the application. You don't want to overwhelm, you know, a certain service behind it. That's fine. You still need rate limiting. But if an attacker has the credentials, even if they do it a little bit slower, if they still siphon out the sensitive data, it's not good.
So, learning the profile of the normal behavior of each user can help you there because, for example, the typical use of an application might be accessing only, I don't know, maybe 10 different records every hour. Because maybe it's a doctor's application that, you know, needs to retrieve medical records or something like that. But if it's all of a sudden accessing a hundred records, like, in a few minutes, it doesn't make sense. Even though a hundred doesn't sound like a big number for rate limiting for a minute, for example, it's still completely above and beyond the normal use case. And, you know, that's how behavioral analytics can be much more accurate than just rate limiting.
Interviewer: And behavioral analytics rings the bell, machine learning, right? So, you can see how all of the doctors don't do it, and then from there kind of understand what is acceptable behavior and what is outside of the realm of reasonable behavior.
Giora: Yeah. So, that's exactly the combination of what we call a peer profile versus individual user profile. So, you can profile each user and their behavior, and you can also profile the peer group, all the different users of the same kind, and what is a normal, you know, average or normal user or bounds of usage of, you know, this API. And if you take into account both the specific user, individual user, and the peer group, you can have a very, very robust detection that can only yield the right detections and completely disregard the noise.
Interviewer: This is fascinating. Well, yep, I mean, this is a very, very interesting topic. You got me excited. But where do people go if they wanna learn more?
Giora: So, they can go on our website, neosec.com. You know, we have a lot of good content and even some educational content about how to build APIs, how to secure APIs, you know, different flavors of APIs, and so on and so forth. So, you know, definitely go there and learn more.
Interviewer: Excellent. Excellent. Giora, thank you very much for taking the time and enlightening us on this fascinating topic. And we'll see you in the next episode of "DevOps Speakeasy." Thank you.
Giora: Thank you.