
Principal Security Advisor

The Consumer

6/10 of consumers are willing to share information in lieu of personalization
80% of consumers have a smart phone and high-speed internet
80% of consumers look forward to services from big tech and fintech

Source: TWIMBIT
• Consolidated View of Finances
• Trusted for Impartiality
• Achieve Discrete Financial Goals
Suntrust’s Bank A/C Cash Out Method
This method will take about one week to complete. You will need the following:
1) Hacked SunTrust’s Bank account
2) An email account
Open a mint.com account and add the bank account using the
3) PayPal account
4) AccountNow account (or any internet bank account)
username/password. This will:
First off get yourself a hacked bank account from somewhere. Even though this is a small
1) Check if the account is still live
cash out amount, buy a larger balance account around $5,000. People with plenty of cash in
the bank tend to check up on it less often. You do not need to enter the actual account.
2) Let you seeOpen
thea mint.com
balance ofandthe
account add accounts, andthe username/password. This
the bank account using
will
3) If needed, let you check for deposits from PayPal to connect a new account.
1) Check if the account is still live,
2) Let you see the balance of the accounts, and
3) If needed, let you check for deposits from PayPal, as well as to keep an eye on it.
Research the background of account holder and get their SSN from
ssnvalidator.com
Real names, usernames and shoe-size combinations were sold for USD 300

https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/
• Data Driven Transformation
• Propelling Partnership
• Agile Technology Platform
• Application Market Place
• Monetization
#apinetworks #openbanking
We Live in a World of Breaches!

[Timeline figure, 2011 to 2019, of API-related breaches, classified by attack vector (1. Mobile Apps, 2. Direct APIs) and by basic security fail (1. Authentication, 2. Injection, 3. Permissions). Incidents named on the timeline: Westfield, Tinder, Venmo, Pandora & Viper, SKY Brasil, Wordpress, T-Mobile, Kubernetes, Instagram, Google, Apple, 63red Safe, MDM, Brazil Fed, Indus, LandMark, Shopify, Github, Facebook, Quoine, City of New York, Tchap Messaging App, Urban Massage, Nagios XI, British Airways, Uber, Binance, Portainer Docker Tool, SalesForce, Drupal's RESTful API, Girl Scouts, US Postal Service, RSA Conference, JustDial, Facebook Marketplace, GateHub, Twitter, OnePlus Mobile App. Annotations cover an information leakage vulnerability in a REST API, an access control vulnerability in an API, a credential spoofing flaw, and a payment prank on Tinder users via a public API.]
When someone in the ecosystem falters!

[Figure: a chain of API request/response hops through a Merchant, with an Attacker positioned on one of the API hops.]
OWASP API Top 10 2019 (2019 - 2020)

[Bar chart, number of incidents per category, y-axis 0 to 25:]
• Broken Authentication
• Broken Object Level Authorization
• Broken Function Level Authorization
• Lack of Resource and Rate Limits
• Security Misconfiguration
• Excessive Data Exposure
• Mass Assignment
• Improper Assets Management
• Injection
• Insufficient Logging and Monitoring
• Stolen API keys used to compromise clouds
• Unauthenticated internal APIs led to loss of confidential data
• APIs allowed validation of stolen credentials
• Administrative API endpoint could be guessed and accessed without proper authorization
Secure APIs equally
• Authentication & Authorization
• Validate Payload
• Rate Limit
• Lookout for Confidential Information
• Version Control
• Log and Monitor
• Encryption
• Automate
Actors: Consumer, Data Holder, Data Recipient
• Consumer wants to find a new application to manage funds
• Application needs user data (monthly cash in/out etc.)
• Bank enforces user consent before sharing
• Application can/will expose the intelligence back to the bank
Authentication
- Web/Mobile
- Username/Password
- One Time Passwords
- Phishing/Fraud

Consent Management
- OAuth/OIDC
- JWT
- Edit consent

Transaction Security
- Encryption
- BOTS
- Malicious Payloads
- Transaction Anomaly Detections
- UEBA
Traditional Approach to Enforcing Trust

[Figure: Client talks to a single API Gateway (GW), which fronts APIs A, B and C.]

• API Gateway caters for
  • TLS Termination
  • Client authentication
  • Fine Grained Access Control
  • Request Routing
  • Rate Limiting
  • Request Response Manipulation
Applications Are Getting Decomposed
Microservices are eating the world!

[Figure: three deployment patterns for services A, B and C: Micro Gateway (one GW per service), Sidecar Gateway (a GW co-located with each service instance), and Service Mesh (sidecar gateways coordinated by a control plane, CP).]


• Tier 1 Performs (Security
Gateway)
D • Web Application Firewall
API
A E
• DDoS and Bot Mitigation
Service
GW GW
• Rate Limits
Client F G
• Authentication
API
H
• Tier 2 Performs
API
B C • JWT validation
• Request routing
• Circuit breaking
• Web Application Firewall for
Internal Traffic
Edge Gateway
A • Web Application Firewall
• BOT/DDOS Defense
• Authentication / Consent
Management
B
Two Tier Gateway
GW
• JWT Validation
• Request Routing/ Circuit breaking
C • Rate limits

Side Car Gateway


D • JWT validation
• East West Traffic Enforcement

New Protocol Support


E F G
• GraphQL etc.
API Product Manager: turns his vision into action by managing each stage of the API product lifecycle.

API Architect: plans, designs and reviews the construction of the APIs exposed to internal and external devs.

Security and privacy team: governs APIs; manages the PII life cycle of data exposed via API; enforces consistent security policies.

API Developer: produces intuitive and highly consumable APIs.

API Evangelist: the voice of API consumers (devs); manages the devs portal.

API Champion: connects an org's API program to the business value; translates technical data points into business metrics.
Retain a critical mass of developers

Developers move quicker with
- Self Service (Keys and Tokens)
- Documentation on APIs
- API Versioning
- Sample Code
- Sample Applications
- Meetups and Community Sharing
Measuring Success For #apinetworks
• Value to end-user
• Value to Developer
• Cost
• ROI
• Applications
• Visibility


F5 Vision:

[Figure, layered top to bottom:]
VISIBILITY, INSIGHTS & ORCHESTRATION
TELEMETRY
PLATFORM CONTROL PLANES
Services: App / Web server, Ingress controller, API gateway, Load balancer, App security, DNS, DDoS, CDN, Device fingerprint, User identity & behavior, Future services
ANY INFRASTRUCTURE: Software as a Service, Public cloud, Virtual machines, Commodity hardware, Purpose-built hardware
ANY DEVICE: Containers, Laptop, Mobile, IoT, POS
Products: NGINX, BIG-IP, Silverline, F5 Cloud Services, Shape, Future
Read more about transformation in Banking and Financial Services: https://www.f5.com/solutions/banking-and-financial-services

Stay up-to-date. Sign up for F5 Labs: https://www.f5.com/labs
