DevSecCon24 is bringing together the best, the brightest, and the most curious minds of DevSecOps to share their expertise, real-world learnings, and advice for building out a DevSecOps practice to integrate security, ops, and development.
It’s time for API security as code!
Presenter: Isabelle Mauny, Field CTO, 42Crunch
Infrastructure as code has given us a way to automate and reliably deploy our applications. But defining API security is still very much a manual process: security policies are defined by hand in multiple places, such as WAFs, API management platforms, or even the application code itself. How do we reliably secure and deploy our APIs several times per day? How can we track how our security posture is evolving and enforce corporate security policies?
In this session, I want to propose an approach to describing security requirements and policies so that APIs can be reliably protected and tested each time they are deployed.
By relying on standard API descriptions like OpenAPI or AsyncAPI, we can already leverage many different tools, many of them open source, to profile the API contract, automatically test for vulnerabilities, and even automatically inject security policies.
This session will introduce the API security as code concept, describe what can be achieved with current tooling, and present current and future OpenAPI extensions that can be used to express security requirements.
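To make the "profile the API contract" idea concrete, here is an added example (not code from the talk, from 42Crunch, or from any named tool) of a minimal OpenAPI 3 contract linter that a CI pipeline could run on every deploy. It checks that each operation declares a security requirement (either at operation level or inherited globally), that referenced security schemes actually exist, that protected operations document a 401/403 response, that API keys are not carried in the query string, and that string parameters are constrained. The contract, the check names and the severity levels are all constructed for the example; the `passes_gate` policy (fail the build on any ERROR) is one assumed policy, not a standard.

```python
"""Minimal 'API security as code' linter for an OpenAPI 3 document (illustrative example)."""
import json

# Constructed sample contract (not from the talk). Deliberate problems:
# GET /users/{id} declares no security at all, DELETE /users/{id} references an
# undefined scheme and omits 401/403, and 'legacyKey' puts an API key in the query.
SAMPLE_CONTRACT = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Demo API", "version": "1.0"},
  "components": {
    "securitySchemes": {
      "bearerAuth": {"type": "http", "scheme": "bearer"},
      "legacyKey": {"type": "apiKey", "in": "query", "name": "api_key"}
    }
  },
  "paths": {
    "/health": {
      "get": {"security": [], "responses": {"200": {"description": "ok"}}}
    },
    "/users/{id}": {
      "get": {
        "parameters": [{"name": "id", "in": "path", "required": true,
                        "schema": {"type": "string"}}],
        "responses": {"200": {"description": "ok"}, "401": {"description": "unauthenticated"}}
      },
      "delete": {
        "security": [{"legacyKey": []}, {"ghost": []}],
        "parameters": [{"name": "id", "in": "path", "required": true,
                        "schema": {"type": "string", "pattern": "^[0-9]{1,8}$"}}],
        "responses": {"204": {"description": "deleted"}}
      }
    }
  }
}
""")

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")
STRING_CONSTRAINTS = ("pattern", "maxLength", "enum", "format")


def lint_contract(spec):
    """Return a list of (severity, location, message) findings for an OpenAPI dict."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_security = spec.get("security")  # None when the document has no global requirement

    # Scheme-level checks: weak transport choices for credentials.
    for name, scheme in schemes.items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(("WARN", f"securitySchemes.{name}",
                             "API key carried in the query string (logged by proxies); use a header"))
        if scheme.get("type") == "http" and scheme.get("scheme") == "basic":
            findings.append(("WARN", f"securitySchemes.{name}", "HTTP Basic authentication"))

    # Operation-level checks.
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            loc = f"{method.upper()} {path}"
            # Operation-level 'security' overrides the global one; [] means explicitly public.
            security = op.get("security", global_security)
            if security is None:
                findings.append(("ERROR", loc, "no security requirement declared (operation or global)"))
            elif security == []:
                findings.append(("INFO", loc, "explicitly public operation (security: [])"))
            else:
                for requirement in security:
                    for scheme_name in requirement:
                        if scheme_name not in schemes:
                            findings.append(("ERROR", loc,
                                             f"references undefined security scheme '{scheme_name}'"))
                responses = op.get("responses", {})
                if not any(code in responses for code in ("401", "403")):
                    findings.append(("WARN", loc, "protected operation declares no 401/403 response"))
            # Unconstrained strings are where injection and oversized payloads usually enter.
            for param in op.get("parameters", []):
                schema = param.get("schema", {})
                if schema.get("type") == "string" and not any(k in schema for k in STRING_CONSTRAINTS):
                    findings.append(("WARN", f"{loc} param '{param.get('name')}'",
                                     "unconstrained string parameter"))
    return findings


def passes_gate(findings):
    """Assumed CI policy: any ERROR finding blocks the deployment."""
    return not any(severity == "ERROR" for severity, _, _ in findings)


if __name__ == "__main__":
    results = lint_contract(SAMPLE_CONTRACT)
    for severity, location, message in results:
        print(f"[{severity}] {location}: {message}")
    print("gate:", "PASS" if passes_gate(results) else "FAIL")
```

The value of running this from the contract rather than from the deployed gateway is the point of the talk: the check is versioned with the API description, runs before anything is deployed, and the same findings can feed a WAF or API management policy generator later.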