From YouTube: #DevOpsSpeakeasy at #kongsummit22 with Giora Engel
Description: Restream helps you multistream & reach your audience, wherever they are.
B: My talk was about API security. It's a topic where, if everybody's implementing APIs, everybody is creating all sorts of capabilities on APIs. Everybody has some security capabilities during the development life cycle, but typically the monitoring of the actual product after it's implemented is missing. So that was the main topic of the discussion: how to monitor it.
B: It's not enough, but not because Kong is good or not good. I mean, it's a matter of layers that you need to build. On one hand, you need to implement the basics: you need to implement authentication, authorization, SSL termination, all these policies, and for that you need an API gateway. But even your authenticated APIs can be compromised, can be abused, and for that you need to be able to see how these APIs are being used and what's going to happen as a result.
B: So, even if your API is authenticated, it means that Kong, or the whole stack, basically will pass it through, but it doesn't mean that it's good. It can still abuse your platform.
B: Let me give you an example. One common example is account takeover, where somebody's stealing your token or your credentials, and it can be an end user or it can be a business partner, like a B2B API type of thing. But even if it's the legitimate user, there could be all sorts of scraping attacks, just using the APIs in a way that they're not intended for, which are still attacks. So even perfectly written APIs can be abused.
B: The business... and that's, of course, on top of all these vulnerabilities and other ways of exploiting the APIs that can be solved. I mean, there are the ones that can be solved by improving the APIs, and there are some aspects of it that can never be solved.
B: APIs... I mean, the concept of developing and creating more APIs is really in order to create more and more services that people can consume. So we deliver all these services, we expose them to the outside, it's all by design, but we need to remember that it exposes our core business, I mean patient data, financial transactions, all these critical things, which can be
A: Used for good or bad. Okay, so what can we do? It sounds like, you know: I did what I could, I took the best and most secure API gateway, Kong, and I used the correct providers for authentication and authorization, I secured everything as needed, and it's just being abused. It's not something that we can prevent. Can we?
B: So it's possible to actually prevent the abuse, and it all starts with the right visibility, or, I mean, some people call it observability, but the term doesn't really matter at the end of the day. You need to be able to see all these API calls, and not just see logs that don't mean anything. You need to see the right user context and be able to go back and see what happened. When you have that level of visibility, you can build additional controls on top of it. So the first one is API discovery. Discovering your APIs basically means creating your inventory of APIs. It's very common to see that you have many different APIs, but they're not static. They change every day, so creating the full inventory and understanding where new APIs are being introduced is critical to securing the APIs. So API discovery is one aspect.
B: Then the second aspect is about finding your posture issues, like all sorts of vulnerabilities, misconfigurations and so on, and that you can do by observing, again, observing the traffic and finding places where you can improve the API so that you can reduce the attack surface. And then the third component is behavioral analytics: understanding the user behavior. Great.
B: You still need it, but if an attacker has the credentials, even if they do it a little bit slower, if they still siphon out the sensitive data, it's not good. So learning the profile, the normal behavior of each user, can help you there because, for example, the typical use of an application might be accessing only, I don't know, maybe 10 different records every hour, because maybe it's a doctor's application that needs to retrieve medical records or something like that.
B: If it's all of a sudden accessing a hundred records in a few minutes, it doesn't make sense. Even though 100 doesn't sound like a big number for rate limiting for a minute, for example, it's still completely above and beyond the normal use case, and that's how behavioral analytics can be much more accurate than just rate limiting.
B: So that's exactly the combination of what we call a peer profile versus an individual user profile. So you can profile each user and their behavior, and you can also profile the peer group, all the different users of the same kind, and what is a normal, average user, or the bounds of usage of this API. And if you take into account both the specific, individual user and the peer group, you can have a very, very robust detection that can only yield...
B: So they can go on our website, music.com. We have a lot of good content and even some educational content about how to build APIs, how to secure APIs, different flavors of APIs, and so on and so forth. So definitely go there and learn more. Excellent.