Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Australia 2023 - API Security Breach An...

apidays
October 24, 2023

apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to Make Secure APIs, Jeremy Snyder, FireTail

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/

API Security Breach Analysis & Empowering Devs to Make Secure APIs
Jeremy Snyder, Founder and CEO of FireTail

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

October 24, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. API Security. Analysing Breaches & Empowering Devs to Build Secure

    APIs Apidays Australia | Oct 2023 | Jeremy Snyder
  2. Overview. What we’ll cover in the next 25 minutes -

    Introduction - A Decade of Breach Data - Real Examples of High Profile Incidents - Effective API Security Strategies - Bridging the Gap: From Devs to DevSecOps - Questions - Bonus
  3. About Me. Career cybersecurity professional and CEO of FireTail. -

    1998-2004 TRADOS (lang tech) - 2005-2006 Rivermine (telecom) - 2006-2010 Twinity (metaverse) - 2010-2011 AWS (30x MRR) - 2014-2014 REAN Cloud ($1M in 6 mos) - 2016-2020 DivvyCloud (20x ARR+) - 2020-2021 Rapid7 (M&A 3 deals)
  4. Low Hanging Fruit. APIs are now an increasingly attractive target

    for attackers - API sprawl is a looming threat to our economy - APIs are becoming the low-hanging fruit for attackers - API Attacks grew 348% in Q3/Q4 2021 - APIs will become the #1 attack vector - APIs represent 90% of the attack surface of modern apps https://www.firetail.io/api-data-breach-tracker
  5. Top 6 Problems. As reported by CISOs in response to

    CSO Magazine survey: 1. Lack of API inventory 2. Enforcing perimeter security 3. End-to-end tracing of code to API 4. Number of required security configs per API 5. API change management, security implications 6. Gap between developers and security teams
  6. Examining Breaches. Here are the top-level stats from our analysis

    of API breaches: - 577M+ 1.4B+ records breached / exposed / risk of breach - 13 22M records per breach event - 43 62 unique, documented breach/research events - Huge acceleration in 2023 - Top attack vectors can be broken down into a few categories Numbers updated since May 2023 report; https://firetail.io/api-security-report-2023
  7. Examples of breach logic around authorization. Authenticates once, but then

    doesn’t require subsequent authorization to access additional functions. Sequential numbering made scraping very easy. - Authentication ≠ authorization - Must be done server-side - Must be with EVERY call - Principal + resource + action; either all map to YES, or it’s NO
  8. “Vulnerabilities in apps handling API data are the direct cause

    of these breaches. Nothing else is to blame.” archive.org
  9. Examples of breach logic around auth n/z +. Another multi-vector

    breach. A number of things went wrong. - API URL landed in Google SERP - API did not require authentication token - API did not check for authorization - API allowed CRUD functions - Conclusions: - Combo network configuration + more - Poor API design on auth-N/Z
  10. Example of breach with server & data handling. The starting

    point of this breach was a server that gave overly verbose errors. Other stuff went wrong too. - Enumeration exposed routes - Found undisclosed graphQL endpoint - GraphQL endpoint allowed “select *” - Conclusions: - Poor server config - Non-declarative API model - Excessive exposure
  11. “The internal API had an exposed Microsoft Graph instance which

    would’ve allowed an attacker to exfiltrate nearly 100 million user records including names, emails, phone numbers, and addresses” Sam Curry
  12. Example of breach via network / data / auth. Yet

    another multi-vector breach. A number of things went wrong. - API made public with DNS / network configuration change - API had poor authN - Incremental account IDs - Conclusions: - Poor network change mgmt - Bad data handling - Easy API access
  13. Industry Analysis. Where do breaches happen? - Not industry-specific or

    geography-specific - APIs are everywhere - But some industries have had a huge breach impact recently - Manufacturing (automotive) - Technology (software) - Hospitality (airlines, hotels, rental cars)
  14. Consumer Server Internet GW/Proxy WAF Rate limiting AuthN Sanitize Validate

    AuthZ Fetch Data / Modify Data / Execute Function Request Response Third party API 6. Unrestricted Process Access. 7. SSRF. 8. Misconfiguration. 9. Improper Inventory Management. 10. Unsafe consumption of APIs. 1. BOLA. 2. Broken AuthN. 3. BOPLA. 4. Unrestricted Resource Consumption. 5. BFLA. 1 2 3 5 7 6 6 6 4 4 4 Breaches look like normal requests. 10 10 8 9
  15. Components of Effective API Security. Visibility. Get a complete view

    of your entire API landscape across your IT fleet. Policy. APIs analyzed for configuration settings & security policy. API security posture management. Discovery. Finding APIs not running FireTail library via network traffic, code repos & cloud APIs Enforcement. Authentication, authorization, validation and sanitization directly in your code. Observability. Commercial version sends configuration and success / failure events to cloud backend. Audit. Full & centralized audit trail of all APIs with FireTail library. Search & alert capabilities.
  16. DevSecOps & APIs. Define standards and enforce policy to ensure

    consistent security. Use API Security posture management to keep everyone aligned. - API Specifications. - Security Configurations. - Governance & Enforcement.
  17. DevSecOps & APIs. Empower developers. Provide clear guidance: - Where

    is the problem? - What is the problem? - What is the risk? - How do I fix it?
  18. DevSecOps & APIs. Empower developers. Provide clear guidance: - Where

    is the problem? - What is the problem? - What is the risk? - How do I fix it?
  19. DevSecOps & APIs. Empower developers. Provide clear guidance: - Where

    is the problem? - What is the problem? - What is the risk? - How do I fix it?
  20. Bridging the Gap. Code & design phase: 1. Secure source

    code 2. Vulnerability elimination Pre-launch testing: 1. Fuzzing test 2. Logic test Runtime protection: 1. Cover top 4 attack vectors 2. D&R on central logs Contextual Awareness 1. Feed into CNAPP / AppSec 2. Integrate with SecOps Pre-production (dev / test / staging) Production APP SEC
  21. Get this Deck. If you would like your own copy

    of the slides from this presentation, just scan the code.