Catch up on this great session with Rob Jammes, Director, Professional Services, and John Dougherty, Principal Security Consultant, Professional Services for this in depth look at API security and how Imperva can help you solve the mystery of Hidden APIs. The team looks at the challenges faced by Stan, an intrepid security engineer, discovering an active mystery during a web attack. Watch this session to ensure that you have the the skills and tools required to discover and manage hidden APIs...
The team approaches this session by looking at the challenges faced by an intrepid security engineer discovering an active mystery during a web attack. Watch this session to ensure that you have the the skills and tools required to discover and manage hidden API’s
The topics covered during include:
Why APIs have grown in popularity within web app development
What is meant by ‘visibility’ in terms of APIs
How the ‘positive security’ model for APIs is different than the traditional IT Security approach
Some of the questions answered during the live Q&A include:
- So how do you discover API traffic?
- You can block an API. What can be done to "tune" to eliminate false positives?
- How does your API Security tools integrate with the companies applications? What is the process for setup and testing?
- Can we protect API using WAF?
- What's the minimum amount of traffic Imperva needs to discover an API?
- How can we protect API? I mean how to block API attack? Use on-prem WAF? or CWAF?
- What happens if the API is bespoke? Are you able to monitor traffic, Learn the common API use and then protect it? Can the traffic be exported and then used in a sandbox environment
- How would you protect API's that are hosted on a SaaS Provider? Would WAF protect only inhouse or hosted applications on a SaaS provider
- I want to hear more on API OWASP Top 10 attack side? How our CLOUD WAF api sec helps in that?
- Does API security work on dynamic API's? If yes, can policy enforcement be done on them?
- Will the API protection protect the origin site from API's which were not discovered during the two week discovery phase?
- How do we deal with certificate pinned mobile apps to process incoming API calls in CWAF?
Still got questions? Pop them in the comments below...