Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays Helsinki 2024 - Security Vulnerabilitie...

Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific

Security Vulnerabilities in your APIs
Lukáš Ďurovský, Staff Software Engineer at Thermo Fisher Scientific

Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

May 31, 2024
Tweet

More Decks by apidays

Other Decks in Technology

Transcript

  1. ABOUT ME • Slovakia • Software Engineer • ~10 years

    of experience in Software Engineering • Mostly in chemical analysis area, some side projects • Currently in Thermo Fisher Scientific • What am I interested in? • Distributed systems, DDD, Security, AI • Skiing, tennis, hiking, travelling
  2. “ ” SECURITY IS LIKE SPINACH. ONE KNOWS IT IS

    VERY BENEFICIAL BUT DOESN’T REALLY EAT IT THAT MUCH. It is the same with SW engineers and security. They mostly understand that their APIs should be secure, however active pursuit of that is not really their priority and they tend to neglect it.
  3. SECURITY NEGLIGENCE • „86 % of developers do not see

    security as a top priority“ • What might be the reason? • Deadlines - Knowledge - Management support • Misconceptions • It’s not my problem – DevSecOps department solves it • 3rd party stuff is secure • We are not target for hackers • Security slows down development • Why they should change their perception? • Save the product/company from a PR nightmare • Contribution to the product success • Do not be the hackers’ best friend • Proactive approach more efficient (time & money) than reactive • Security skills make you more valuable in the job market
  4. SECURITY NEGLIGENCE • What might go wrong? • Data breaches

    • Sensitive data • Unauthorized access • Resources, functionalities • Denial-of-service attack • Business logic abuse • Having one discount-code and using it multiple times • Removing good reviews of the competitor's restaurant • They’re usually hard to catch by some code-scanning tools
  5. REAL WORLD EXAMPLE • One famous application • Free account

    – limit of operations per day • Paid account – unlimited • Business logic abuse → No check when offline
  6. WHAT IS NECESSARY TO PREVENT SUCH THINGS TO HAPPEN IN

    YOUR APIS? • Knowledge • Regular checking of APIs for vulnerabilities • Tools • Code-reviews • Testing done by external company
  7. KNOWLEDGE. WHERE TO START? • „33% don’t know what makes

    their code vulnerable“ • OWASP - Open Web Application Security Project • Online community • Free resources, methodologies regarding SW security • Top 10 security vulnerabilities list • OWASP Cheat Sheet • CWE - Common Weaknesses Enumeration • Complement to OWASP
  8. OWASP VULNERABILITY EXAMPLE #1 • API6:2019 - Mass Assignment •

    https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/
  9. OWASP VULNERABILITY EXAMPLE #2 • API1:2023 Broken Object Level Authorization

    • https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level- authorization/
  10. KNOWLEDGE. VULNERABLE PLACES Where does the security “happen”? • Web

    browsers / other types of API clients • Network • API hosting machine • Application code – boundaries (middleware) • Application code – 3rd party libraries • Application code – “business code”
  11. TOOLS • Web browsers – Developer tools functionality • Static

    code analysis • CI pipeline – CodeQL • AI tools – explanation of piece of code by e.g., GitHub Copilot • Runtime (penetration) testing - FuzzAPI
  12. “ ” THE ONLY TRULY SECURE SYSTEM IS ONE THAT

    IS POWERED OFF, CAST IN A BLOCK OF CONCRETE AND SEALED IN A LEAD-LINED ROOM WITH ARMED GUARDS - AND EVEN THEN I HAVE MY DOUBTS. GENE SPAFFORD, SECURITY EXPERT • It is not black, nor it is white • Usability vs. security • X-factor authentication vs. fast login • Constant evolution • Code changes • Code - context changes • Library updates • New ways to attack
  13. A FEW “MUSTS”… • Authentication & authorization • Input validation

    & sanitization • Do not put secrets directly into the code • Regularly check for vulnerabilities in 3rd party libraries • Make use of API security testing tools
  14. HOW TO PROCEED? • Resources: • https://owasp.org/API-Security/ • https://cheatsheetseries.owasp.org/index.html •

    https://cwe.mitre.org/top25/ • Online courses • UDEMY: Hacking REST APIs - A beginner's guide • UDEMY: Website Hacking / Penetration Testing