API Security & Legal Risk Workshop Series

In collaboration with FRSecure and TeejLab, ISACA San Diego is excited to announce our interactive online workshop series on API Security. Consisting of 4 workshops in total, each workshop is designed to help individuals and organizations understand the importance of Web APIs in today's digital economy and the various business risks they pose to organizations.

Web APIs benefit organizations immensely through accelerated innovation, newer business models and competitive differentiation. Their growing significance can be measured by the fact that APIs contribute 83% of Internet traffic today. This growing API usage also means increased cybersecurity risk for enterprises. Given the importance of APIs in digital transformation and the risk they pose to enterprises, it is imperative for Security, Compliance and Audit professionals to better understand the various API risks.

In this four-workshop series, we'll discuss the various risks that originate from enterprise API ecosystems. In particular, we'll talk about business risks that are tied to underlying API security problems. We'll then provide an overview of an API Governance framework that effectively manages API business risks. This framework is inspired by Software Composition Analysis (SCA) and the Zero Trust model. Throughout these workshops, we'll highlight industry best practices and hands-on examples for API Risk Management.

Dr. Baljeet Malhotra is an award-winning researcher and a global tech leader known for his work in Open Source and API Risk Management. He founded TeejLab in 2019 and steered the team to build API Discovery and Security™, the world's first end-to-end API Risk Management platform. Prior to TeejLab, he established the R&D unit of Black Duck Software in 2016 (acquired by Synopsys for $565 million). He also served as Research Director at SAP and Senior Software Engineer at MahindraTech. He received a PhD in Computing Science from the University of Alberta and won several awards, including NSERC (Canada) scholar and Global Young Scientist (Singapore). He concurrently holds Adjunct Professor positions at the University of British Columbia, the University of Victoria and the University of Northern BC. He has given numerous ISACA, ISSA, IIA, ISC2 and OWASP talks globally, and has published several papers, patents and articles.

Visit Baljeet on LinkedIn: https://www.linkedin.com/in/baljeetmalhotra/


API Security & Legal Risk Workshop #1: API Security & Legal Risk Management for Organizations


WORKSHOP #1 DETAILS

  • 30 mins: Global and Enterprise API Ecosystems

    • Global View of APIs

    • Enterprise View of APIs

  • 30 mins: Classification of API Risks

    • Security and Legal Risks

    • Financial and Operational Risks

  • 10 mins: {Break}

  • 30 mins: Zero Trust Model

    • Zero Trust Resources

    • Zero Trust Tenets

  • 30 mins: Software Composition Analysis (SCA)

    • Why and how SCA?

    • Security and Legal Aspects

  • 10 mins: {Break}

  • 10 mins: Account Setup:

    • https://apidiscovery.teejlab.com/accounts/login/

  • 50 mins: Building the API Risk Management Program

    • Identifying API Security Risks

    • Identifying API Legal Risks

    • Continuous API Monitoring and Assessment

  • 10 mins: {Break}

  • 30 mins: Summary and Conclusions

    • Consolidating API Risk Due Diligence Process

    • Questions and Answers

    • Take Home Exercises


API Security & Legal Risk Workshop #2: The API Security Blueprint - From Basics to Advanced Defense


WORKSHOP #2 DETAILS

Section 1: Setting the Foundation

  • 30 mins: Introductions and Overview

    • Importance of APIs in Digital Ecosystem

    • Motivations for Securing APIs

  • 30 mins: Basics of API Security

    • Examples of API Breaches/Impacts

    • Understanding API Attacks/Patterns

  • 20 mins: Break (account setup assistance)

Section 2: Hands-On Basics

  • 25 mins: Advanced API Security

    • OWASP Top 10: Authentication and Authorization

    • OWASP Top 10: Injections and Rate Limits

  • 25 mins: Hands-on API Security

    • Hands-on: Configuring API Security Tests

    • Hands-on: Executing API Security Tests

  • 10 mins: {Break}

Section 3: API Security Program and Wrap-Up

  • 50 mins: API Security Program

    • Role of API Gateways

    • Preventing API Attacks

    • Continuous API Monitoring

  • 30 mins: Summary and Conclusions

    • Take Home Exercises

    • Questions and Answers


API Security & Legal Risk Workshop #3: API Security & Legal Risk Management for Organizations


WORKSHOP #3 DETAILS

Section 1: The Legal Framework for APIs

20 mins: The Basis of Legal Framework

  • What is an API – Definition and the importance of backend/frontend

  • API compliance for businesses, developers, and legal teams

25 mins: The Legal Landscape of APIs and Data

  • Key API Agreements & Policies: ToS, EULA, SLAs, DPAs, Privacy Policy, Platform Policy

  • Data privacy (GDPR, CCPA, HIPAA) and Security compliance (authentication, encryption)

30 mins: API Types, Ownership and Intellectual Property Rights

  • Open-source APIs vs. proprietary APIs; Licensing models (e.g., open API licenses, restrictive licenses)

  • Who owns the APIs and the data they process? Intellectual property (ownership of API code and data)

15 mins: {Account Setup/Help and Break}

Section 2: Key Considerations for API Producers

50 mins: Key Considerations for API Producers

  • Understanding API Monetization Models

  • Legal Considerations for API Monetization

  • Intellectual Property (IP) & Licensing

10 mins: {Break}

Section 3: Key Considerations for API Consumers

50 mins: Key Considerations for API Consumers

  • Understanding API Restrictions: Rate Limits, Fair Use, and Quotas

  • The Hidden Risks of Third-Party APIs: Legal Liabilities You Need to Know

  • Avoiding API Integration Nightmares: Legal and Compliance Strategies

30 mins: Summary and Conclusions

Section 4: Wrap-Up

  • Take Home Exercises

  • Questions and Answers