Forum Discussion
How's your API security strategy since last year?
We have seen an uptick in customers asking about API protections, primarily in the energy and rental areas of business. In many instances, there are resources in the field collecting data which has to be transmitted over LTE or WIFI to the corporate offices for billing determination. Clearly, there is a financial component here that can be impacted due to any man in the middle or even abuse of an exposed API. The source IP changes, and many times these field devices don't support strong authentication or authorization. However, when it comes to IoT devices... everything that runs in the house and has an IP address is laughable, and updates are non-existent. Wallgarden those devices on a dedicated ESSID / VLAN with isolation enabled, and firewall the living hell out of it on outbound access, lol. That is the only way there. So yeah, there is both a business and personal use case 😉
Yes - frightening to know that my TV can be compromised!
- whisperer, Jun 05, 2023 (MVP)
A while back, we hosted a user group meeting in Manchester, NH for the local maker space. In the presentation, we used some cheap electronics from eBay and showed how easy it was to grab electrical use values on a simple drive-by. Absolutely no security. Do this at night, and you can see statistically who is either mining bitcoin or growing herb under grow lights. All of those APIs and communications are not protected. Same thing with home IoT like temp sensors, airthings radon, etc., which use a type of Bluetooth communication that can be read on the fly as it is transmitting to a user's gateway or hub. Those are things that are a bit more scary than remote TV control. (That is also possible btw... I figured out how to remotely control the smart TVs at my parents' house remotely over multicast which runs over an IPSEC VPN.) How about car APIs? Those bus communications are also not secured and you can bust out a headlamp, and inject messages into the CPU and open locks/start the car. Truly surprised enterprises are not investing in these technologies to better secure them. This is where F5 can help! 🙂