Future-Proofing API Security
Chuck Herrin
CTO, Wib API Security
Today’s Session - What We’ll Cover Today:
What
● API Security Is Different - How and Why
So What
● Traditional Approaches Fall Short
○ History doesn’t repeat, but it rhymes
Now What
● How to Address API Security
○ Visibility
○ Traffic
○ Code
○ Dev, Test, and Production
Key Takeaways
Why API Security Differs From Traditional Web Application Security
Why is API security different?
1) The architecture and attack surface are different. APIs, by design, directly expose application logic, and often change rapidly.
2) The attacks are different. Attacking APIs is mostly about making unexpected requests and exploiting failures to scope authorization to resources.
3) The defenses are different. Traditional rule-based defenses like WAFs can neither detect nor defend against logic-based attacks.
These factors combined made APIs the #1 attack vector in 2021.
2022 Series of Events
● Helsinki & North - March (virtual)
● Singapore - April (virtual)
● April (virtual)
● India - May (virtual)
● Dubai & Middle East - June (virtual)
● June (virtual)
● New York - July (hybrid)
● Hong Kong - August (virtual)
● Australia - September (hybrid)
● London - October (hybrid)
● Paris - December (hybrid)
Check out our API Conferences here
Want to talk at one of our conferences? Apply to speak here
What the Analysts and Industry are Saying:
NEW API BEST PRACTICES
50% of mature API organizations plan to focus on increased API security and governance during 2022 and beyond. Dedicated API Security solutions are gaining widespread adoption.
“Discover your APIs before attackers, add specialist API Security products, and design API Security into the full cycle from development to delivery.”
API SECURITY A FOCAL POINT
“APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers.”
APIs EXPOSE LOGIC DIRECTLY
What We’re Seeing in the Wild:
This is happening in real time: Gartner just modified their reference architecture [1] to include API security as a dedicated layer.
https://securityboulevard.com/2022/02/api-security-tipping-point-gartner-just-created-the-category/
Why Do Current Defensive Approaches Fall Short?
The Main Reason is That Collectively, We’re Fighting the Last War
As Defenders, We’re Almost ALWAYS Fighting the Last War
(Images: 1914, 1930, 1940 - the Maginot Line, see references 2 and 3)
Key Principle - API Security is just the latest example of a ‘rhyme’ throughout human history:
1) Technologies continuously advance
2) Companies and governments succeed or fail based on adoption of new tech
● The world didn’t mechanize just to create machine guns, but armies without them could no longer compete on the battlefield
1) Attackers take advantage of new capabilities, attack surfaces, or weaknesses
2) Defenders must scramble to urgently catch up.
Key Takeaway - Your Defense Must be Constantly Informed By The Offense in Order to Quickly Adapt
Some More Modern Examples: Microservices Dramatically Change the Attack Surface. We Must Adapt.
● 1970s - 1980s: Mainframe Computing (Centralized)
● 1980s - 1990s: Client / Server (Distributed)
● 1990s - 2000s: Internet (Global)
● 2000s - 2010s: Cloud (SaaS, PaaS, IaaS)
● ~2012 - 2015: >50% of Companies Agile (Fast, Iterative Cycles)
● ~2015 - 2020s: Microservices (Granular, Reusable)
The slide brackets these eras with “Security Model Lagged” (twice, for the earlier shifts) and “Security Model Lagging” (for the current one).
Specific Changes for APIs - OWASP Top 10 (2003+) vs API Top 10 (2019+)
API Top 10 - Published in 2019 (Mostly Logic based):
● API01:2021 Broken Object Level Authorization
● API02:2021 Broken Authentication
● API03:2021 Excessive Data Exposure
● API04:2021 Lack of Resources & Rate Limiting
● API05:2021 Broken Function Level Authorization
● API06:2021 Mass Assignment
● API07:2021 Security Misconfiguration
● API08:2021 Injection
● API09:2021 Improper Assets Management
● API10:2021 Insufficient Logging & Monitoring
Web Top 10 - Published in 2003 (Mostly Rule based):
● A01:2021 Broken Access Control
● A02:2021 Cryptographic Failures
● A03:2021 Injection
● A04:2021 Insecure Design
● A05:2021 Security Misconfiguration
● A06:2021 Vulnerable and Outdated Components
● A07:2021 Identification and Authentication Failures
● A08:2021 Software and Data Integrity Failures
● A09:2021 Security Logging and Monitoring Failures
● A10:2021 Server-Side Request Forgery
2019 OWASP API Security Top 10 Threats - coverage by WAFs, API Gateways, and a Dedicated API Solution (the slide’s per-cell coverage marks did not survive extraction; rows are grouped on the slide as Logic based and Rule based):
● Broken Object Level Authorization
● Broken Authentication
● Excessive Data Exposure
● Lack of Resources & Rate-Limiting
● Broken Function Level Authorization
● Mass Assignment
● Security Misconfiguration
● Injection
● Improper Assets Management
● Insufficient Logging & Monitoring
Key Takeaway - Traditional Tools Lack the Context Needed to Defend Against Modern Logic Based Attacks
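The two points above (API attacks are mostly unexpected requests and failures to scope authorization; rule-based tools lack the context to see them) are easier to grasp in code. The following is an added example, not code from the slides or from Wib: a minimal in-memory "orders" API in Python that shows API01 (Broken Object Level Authorization) and API06 (Mass Assignment) beside their fixes, and a three-signature payload filter standing in for a WAF rule set. The order data, the `Request` shape, the function names and the signatures are all constructed assumptions.

```python
"""
Added example (not from the slides): a minimal in-memory "orders" API
showing two OWASP API Top 10 logic flaws (API01 BOLA, API06 Mass
Assignment) next to their fixes, and why a payload-pattern rule cannot
tell the malicious request from a legitimate one.  All data is constructed.
"""
import copy
import re
from dataclasses import dataclass, field

# Constructed sample data: two orders owned by two different users.
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 40.0, "status": "unpaid", "note": ""},
    102: {"id": 102, "owner": "bob", "total": 15.0, "status": "shipped", "note": ""},
}


def fresh_store() -> dict:
    """Deep copy of the sample data so each scenario starts from a clean store."""
    return copy.deepcopy(ORDERS)


@dataclass
class Request:
    user: str                       # principal from already-validated authentication
    path: str                       # e.g. "/orders/101"
    body: dict = field(default_factory=dict)


def _order_id(path: str) -> int:
    return int(path.rstrip("/").rsplit("/", 1)[1])


# --- API01: Broken Object Level Authorization ---------------------------------
def get_order_vulnerable(store: dict, req: Request):
    """Authenticated, but never checks that the caller owns the object."""
    order = store.get(_order_id(req.path))
    return (200, order) if order else (404, {"error": "not found"})


def get_order_fixed(store: dict, req: Request):
    """Scopes the lookup to the caller; a foreign id looks like a missing one,
    so object ids cannot be enumerated through differing responses."""
    order = store.get(_order_id(req.path))
    if order is None or order["owner"] != req.user:
        return 404, {"error": "not found"}
    return 200, order


# --- API06: Mass Assignment -----------------------------------------------------
CLIENT_WRITABLE = {"note"}          # the only field a customer may change


def update_order_vulnerable(store: dict, req: Request):
    status, order = get_order_fixed(store, req)
    if status != 200:
        return status, order
    order.update(req.body)          # whole JSON body bound onto the model
    return 200, order


def update_order_fixed(store: dict, req: Request):
    status, order = get_order_fixed(store, req)
    if status != 200:
        return status, order
    rejected = set(req.body) - CLIENT_WRITABLE
    if rejected:                    # allow-list, never deny-list, the writable fields
        return 400, {"error": "field not writable", "fields": sorted(rejected)}
    order.update(req.body)
    return 200, order


# --- Why a pattern rule has no opinion on either request ----------------------
# Three illustrative signatures of the kind a rule-based filter carries.
WAF_RULES = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]


def waf_blocks(req: Request) -> bool:
    """True if any signature matches the request line or body text.
    The request has no 'owner' context, so a BOLA request is indistinguishable
    from the same user fetching their own order."""
    text = req.path + " " + repr(req.body)
    return any(rule.search(text) for rule in WAF_RULES)


if __name__ == "__main__":
    store = fresh_store()
    cross_tenant = Request(user="bob", path="/orders/101")
    print("WAF blocks:", waf_blocks(cross_tenant))                      # False
    print("vulnerable:", get_order_vulnerable(store, cross_tenant))     # alice's order
    print("fixed:     ", get_order_fixed(store, cross_tenant))          # 404
    tamper = Request(user="alice", path="/orders/101", body={"status": "paid", "total": 0})
    print("mass-assign fixed:", update_order_fixed(store, tamper))      # 400
```

The cross-tenant request is byte-for-byte a normal request; only the comparison between the authenticated principal and the object's owner, which lives in the application and not in the filter, can decide it. The same holds for the mass-assignment body: `{"status": "paid"}` is a well-formed JSON document that no signature should match, and the defence is the allow-list inside the handler.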
How to Address API Security?
API threats emerge in development, testing, and production. Covering the full API lifecycle is critical!
Key Principle - Your API Security Program Must Cover the Full API Lifecycle
The API Lifecycle: Development - Testing - Production
First Principle - You Can’t Defend An Asset You Can’t See
Identify - Protect - Detect - Respond - Recover
True Visibility Requires Multiple Lenses - Defend Right While Shifting Left
● Shift left (Development, Testing) by giving devs tools to detect and resolve issues in their normal workflow
● Defend right (Production) by simulating attacks on production APIs to understand exposure to real-world attacks and detect hidden dependencies
● Uncover blind spots by continually monitoring inbound and outbound traffic AND code repositories for direct references to APIs and Endpoints you can’t see elsewhere
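The "multiple lenses" idea above can be made concrete as an inventory diff: what the published spec says exists, what production traffic actually answers, and what the code base declares. The following is an added example, not code from the slides or from Wib, that builds all three sets and reports the gaps between them. The spec paths, the access-log lines, the Flask-style route declarations and the path-normalisation rules are constructed assumptions for this example.

```python
"""
Added example (not from the slides): build an API inventory from three
lenses (spec, production traffic, source code) and report what each lens
sees that the others do not.  All inputs are constructed.
"""
import re

# Lens 1: what the team believes it has (constructed OpenAPI-style path list).
SPEC_PATHS = {
    ("GET", "/v2/orders/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/users/{id}"),
}

# Lens 2: constructed access-log lines in a combined-log-like format.
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /v2/orders/101 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2022:10:00:02 +0000] "GET /v2/orders/102 HTTP/1.1" 200 498
10.0.0.9 - - [01/Mar/2022:10:00:03 +0000] "GET /v1/orders/101 HTTP/1.1" 200 640
10.0.0.9 - - [01/Mar/2022:10:00:04 +0000] "POST /v2/orders HTTP/1.1" 201 88
10.0.0.7 - - [01/Mar/2022:10:00:05 +0000] "GET /internal/debug/users/7 HTTP/1.1" 200 2048
"""

# Lens 3: constructed route declarations as they might appear in a repository.
SOURCE = """\
@app.route("/v2/orders/<int:id>", methods=["GET"])
@app.route("/v2/orders", methods=["POST"])
@app.route("/v2/users/<int:id>", methods=["GET"])
@app.route("/v2/users/<int:id>/export", methods=["GET"])
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
ROUTE_RE = re.compile(r'@app\.route\("(?P<path>[^"]+)", methods=\[(?P<methods>[^\]]+)\]')


def normalize(path: str) -> str:
    """Collapse framework placeholders and concrete ids to '{id}' so the
    three lenses describe endpoints in one vocabulary."""
    path = re.sub(r"<[^>]*>", "{id}", path)        # Flask-style <int:id>
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)   # numeric path segments
    return path


def endpoints_from_log(text: str) -> set:
    """(method, normalized path) pairs that production actually answered."""
    return {(m.group("method"), normalize(m.group("path")))
            for m in LOG_RE.finditer(text)}


def endpoints_from_source(text: str) -> set:
    """(method, normalized path) pairs declared in the code base."""
    seen = set()
    for m in ROUTE_RE.finditer(text):
        for method in re.findall(r'"([A-Z]+)"', m.group("methods")):
            seen.add((method, normalize(m.group("path"))))
    return seen


def inventory_gaps(spec: set, traffic: set, code: set) -> dict:
    """Three findings a visibility program wants surfaced:
    - shadow_in_traffic: live endpoints no spec or current code accounts for
      (old versions still deployed, debug routes, hidden dependencies)
    - undocumented_in_code: routes that will ship without a spec entry
    - documented_but_silent: spec entries nobody calls (candidates to retire)"""
    return {
        "shadow_in_traffic": traffic - spec - code,
        "undocumented_in_code": code - spec,
        "documented_but_silent": spec - traffic,
    }


if __name__ == "__main__":
    gaps = inventory_gaps(SPEC_PATHS, endpoints_from_log(ACCESS_LOG),
                          endpoints_from_source(SOURCE))
    for finding, endpoints in gaps.items():
        print(finding)
        for method, path in sorted(endpoints):
            print(f"  {method} {path}")
```

On the constructed inputs the traffic lens is the only one that reveals the still-answering `/v1/orders/{id}` and the `/internal/debug/users/{id}` route, and the code lens is the only one that catches `/v2/users/{id}/export` before it reaches production. Each lens alone would miss something.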
In Conclusion: Key Takeaways
● APIs expose application and business logic directly, creating a novel and complex attack surface
● Microservices offer multiple advantages for businesses and governments, and regulators are mandating increased API usage and data sharing (FHIR, Open Banking, PSD2).
○ Adoption is inevitable. Safe adoption is not.
● Traditional web security approaches were designed for monolithic web apps and the 2003+ OWASP Top 10
● Many teams update APIs multiple times per week (or day)
● API security requires a holistic solution to provide broad visibility from code to prod, as well as production monitoring to find hidden attack paths and discovery of slow and low attacks.
Resources & Links attribution
1. https://securityboulevard.com/2022/02/api-security-tipping-point-gartner-just-created-the-category/
2. 1930 Maginot Line - Philippe Truttmann, La Muraille de France, Gérard Klopp, Thionville, 1985. (https://commons.wikimedia.org/wiki/File:Carte_Ligne_Maginot.png), „Carte Ligne Maginot“, https://creativecommons.org/licenses/by-sa/2.0/fr/deed.en
3. 1940 Maginot Line - Cardenas, Jorge & Jr, Jorge & Cardenas, Cristian. (2021). Cybersecurity; War & Chess r1.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
 

Recently uploaded (20)

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 

2022 apidays LIVE Helsinki & North_Future proofing API Security

  • 1. Chuck Herrin, CTO, Wib API Security. Future-Proofing API Security
  • 2. Today's Session. What We'll Cover Today: What ● API Security Is Different - How and Why. So What ● Traditional Approaches Fall Short ○ History doesn't repeat, but it rhymes. Now What ● How to Address API Security ○ Visibility ○ Traffic ○ Code ○ Dev, Test, and Production. Key Takeaways
  • 3. Why is API security different?
  • 4. Why API Security Differs From Traditional Web Application Security. 1. The architecture and attack surface is different. APIs, by design, directly expose application logic, and often change rapidly. 2. The attacks are different. Attacking APIs is mostly about making unexpected requests and failures to scope authorization to resources. 3. The defenses are different. Traditional rule-based defenses like WAFs can neither detect nor defend against logic-based attacks. These factors combined made APIs the #1 attack vector in 2021.
  • 5. 2022 SERIES OF EVENTS: New York, JULY (HYBRID); Australia, SEPTEMBER (HYBRID); Singapore, APRIL (VIRTUAL); Helsinki & North, MARCH (VIRTUAL); Paris, DECEMBER (HYBRID); London, OCTOBER (HYBRID); Hong Kong, AUGUST (VIRTUAL); JUNE (VIRTUAL); India, MAY (VIRTUAL); APRIL (VIRTUAL); Dubai & Middle East, JUNE (VIRTUAL). Check out our API Conferences here. Want to talk at one of our conferences? Apply to speak here.
  • 6. What the Analysts and Industry are Saying: NEW API BEST PRACTICES - 50% of mature API organizations plan to focus on increased API security and governance during 2022 and beyond. API SECURITY A FOCAL POINT - Dedicated API Security solutions are gaining widespread adoption. "Discover your APIs before attackers, add specialist API Security products, and design API Security into the full cycle from development to delivery." APIs EXPOSE LOGIC DIRECTLY - "APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers."
  • 7. This is happening in real time: Gartner just modified their reference architecture (1) to include API security as a dedicated layer. https://securityboulevard.com/2022/02/api-security-tipping-point-gartner-just-created-the-category/
  • 8. What We’re Seeing in the Wild:
  • 9. Why Do Current Defensive Approaches Fall Short?
  • 10. The Main Reason is That Collectively, We're Fighting the Last War. As Defenders, We're Almost ALWAYS Fighting the Last War. (Images: 1914, 1930, 1940)
  • 11. Key Principle - API Security is just the latest example of a 'rhyme' throughout human history: 1) Technologies continuously advance. 2) Companies and governments succeed or fail based on adoption of new tech. ● The world didn't mechanize just to create machine guns, but armies without them could no longer compete on the battlefield. 1) Attackers take advantage of new capabilities, attack surfaces, or weaknesses. 2) Defenders must scramble to urgently catch up. Key Takeaway - Your Defense Must be Constantly Informed By The Offense in Order to Quickly Adapt.
  • 12. Some More Modern Examples: Microservices Dramatically Change the Attack Surface. We Must Adapt. 1970s - 1980s: Mainframe Computing (Centralized). 1980s - 1990s: Client / Server (Distributed). 1990s - 2000s: Internet (Global). 2000s - 2010s: Cloud (SaaS, PaaS, IaaS). ~2012 - 2015: >50% of Companies Agile (Fast, Iterative Cycles). ~2015 - 2020s: Microservices (Granular, Reusable). Timeline annotations: Security Model Lagged; Security Model Lagged; Security Model Lagging.
  • 13. Specific Changes for APIs - OWASP Top 10 (2003+) vs API Top 10 (2019+). API Top 10 - Published in 2019 (Mostly Logic based): API01:2021 Broken Object Level Authorization; API02:2021 Broken Authentication; API03:2021 Excessive Data Exposure; API04:2021 Lack of Resources & Rate Limiting; API05:2021 Broken Function Level Authorization; API06:2021 Mass Assignment; API07:2021 Security Misconfiguration; API08:2021 Injection; API09:2021 Improper Assets Management; API10:2021 Insufficient Logging & Monitoring. Web Top 10 - Published in 2003 (Mostly Rule based): A01:2021 Broken Access Control; A02:2021 Cryptographic Failures; A03:2021 Injection; A04:2021 Insecure Design; A05:2021 Security Misconfiguration; A06:2021 Vulnerable and Outdated Components; A07:2021 Identification and Authentication Failures; A08:2021 Software and Data Integrity Failures; A09:2021 Security Logging and Monitoring Failures; A10:2021 Server-Side Request Forgery.
  • 14. 2019 OWASP API Security Top 10 Threats, compared across WAFs, API Gateways and a Dedicated API Solution, with each threat marked as Logic based or Rule based: Broken Object Level Authorization; Broken Authentication; Excessive Data Exposure; Lack of Resources & Rate-Limiting; Broken Function Level Authorization; Mass Assignment; Security Misconfiguration; Injection; Improper Assets Management; Insufficient Logging & Monitoring. Key Takeaway - Traditional Tools Lack the Context Needed to Defend Against Modern Logic Based Attacks.
  • 15. How to Address API Security?
  • 16. API threats emerge in development, testing, and production. Covering the full API lifecycle is critical! Key Principle - Your API Security Program Must Cover the Full API Lifecycle.
  • 17. The API Lifecycle. First Principle - You Can't Defend An Asset You Can't See. Stages: Development, Testing, Production. Functions: Identify, Protect, Detect, Respond, Recover.
  • 18. True Visibility Requires Multiple Lenses - Defend Right While Shifting Left (Development, Testing, Production). Defend right by simulating attacks on production APIs to understand exposure to real-world attacks and detect hidden dependencies. Shift left by giving devs tools to detect and resolve issues in their normal workflow. Uncover blind spots by continually monitoring inbound and outbound traffic AND code repositories for direct references to APIs and Endpoints you can't see elsewhere.
  • 19. In Conclusion: Key Takeaways ● APIs expose application and business logic directly, creating a novel and complex attack surface. ● Microservices offer multiple advantages for businesses and governments, and regulators are mandating increased API usage and data sharing (FHIR, Open Banking, PSD2). ○ Adoption is inevitable. Safe adoption is not. ● Traditional web security approaches were designed for monolithic web apps and the 2003+ OWASP Top 10. ● Many teams update APIs multiple times per week (or day). ● API security requires a holistic solution to provide broad visibility from code to prod, as well as production monitoring to find hidden attack paths and discovery of slow and low attacks.
  • 20. Resources & Links attribution. 1. https://securityboulevard.com/2022/02/api-security-tipping-point-gartner-just-created-the-category/ 2. 1930 Maginot Line - Philippe Truttmann, La Muraille de France, Gérard Klopp, Thionville, 1985. (https://commons.wikimedia.org/wiki/File:Carte Ligne Maginot.png), "Carte Ligne Maginot", https://creativecommons.org/licenses/by-sa/2.0/fr/deed.en 3. 1940 Maginot Line - Cardenas, Jorge & Jr, Jorge & Cardenas, Cristian. (2021). Cybersecurity; War & Chess r1.
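Slides 4, 13 and 14 argue that a rule-based WAF cannot see a logic-based attack such as Broken Object Level Authorization. The following is an added illustration, not code from the talk or from Wib: a caricature signature filter passes a cross-tenant read because its bytes look benign, while an object-level authorization check in the handler rejects it. The invoice data, the signature list and the handler names are all constructed for the example.

```python
# Added example: a rule-based filter versus an object-level authorization check.
# All data and names here are constructed for illustration.
import re
from dataclasses import dataclass

# Constructed sample data: invoices owned by different accounts.
INVOICES = {
    "inv-1001": {"owner": "alice", "total": 120.0},
    "inv-1002": {"owner": "bob", "total": 980.0},
}

# Caricature of a WAF rule set: block paths carrying injection-looking input.
WAF_SIGNATURES = [re.compile(r"('|--|;|<script)", re.IGNORECASE)]


@dataclass
class Request:
    user: str  # authenticated principal, e.g. taken from the session or token
    path: str  # e.g. /invoices/inv-1002


def waf_allows(req: Request) -> bool:
    """Rule-based check: inspects bytes only, knows nothing about ownership."""
    return not any(sig.search(req.path) for sig in WAF_SIGNATURES)


def get_invoice_vulnerable(req: Request):
    """Looks up by id alone: any authenticated user can read any invoice (BOLA)."""
    invoice_id = req.path.rsplit("/", 1)[-1]
    return INVOICES.get(invoice_id)


def get_invoice_hardened(req: Request):
    """Scopes authorization to the resource: the caller must own the object."""
    invoice_id = req.path.rsplit("/", 1)[-1]
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != req.user:
        return None  # deny; a real service would answer 403 or 404 here
    return inv


def cross_tenant_read(handler, user="alice", path="/invoices/inv-1002") -> bool:
    """True if `user` can read the invoice at `path` through the WAF and handler."""
    req = Request(user=user, path=path)
    if not waf_allows(req):
        return False
    return handler(req) is not None


if __name__ == "__main__":
    print("WAF blocks the BOLA request:", not waf_allows(Request("alice", "/invoices/inv-1002")))
    print("vulnerable handler leaks bob's invoice:", cross_tenant_read(get_invoice_vulnerable))
    print("hardened handler leaks bob's invoice:", cross_tenant_read(get_invoice_hardened))
```

The same request passes the signature filter in both cases; only the handler that binds the object to the caller's identity distinguishes a legitimate read from a cross-tenant one.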
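Slides 17 and 18 make visibility the first principle: you cannot defend an endpoint you cannot see, and code repositories often reference APIs that no inventory lists. The following is an added example, not code from the talk or from Wib, of that repository lens: it pulls endpoint literals out of source text, normalizes framework-specific parameter syntax to OpenAPI's {param} form, and reports anything missing from a documented inventory. The inventory, the source snippets and the two regexes are constructed assumptions covering Flask-style decorators and JavaScript fetch() literals; real repositories need patterns for their own frameworks.

```python
# Added example: shadow-endpoint discovery from source code against an inventory.
# Inventory, snippets and patterns are constructed assumptions for illustration.
import re

# Constructed inventory, e.g. the keys of an OpenAPI document's "paths" section.
DOCUMENTED = {"/api/v1/users/{id}", "/api/v1/invoices/{id}"}

# Constructed source snippets standing in for files pulled from a repository.
SOURCES = {
    "users.py": '@app.route("/api/v1/users/<int:id>", methods=["GET"])\n',
    "legacy.py": '@app.route("/api/v0/users/<id>/export")\n',
    "app.js": 'fetch(`/api/v1/invoices/${invoiceId}`)\nfetch("/internal/debug/dump")\n',
}

ROUTE_PATTERNS = [
    re.compile(r'@\w+\.route\(\s*["\']([^"\']+)["\']'),  # Flask/Quart decorators
    re.compile(r'fetch\(\s*[`"\'](/[^`"\'\s?]*)'),        # JS fetch() with a path literal
]


def normalize(path: str) -> str:
    """Map framework-specific parameter syntax onto a single {id} placeholder."""
    path = re.sub(r"<(?:\w+:)?(\w+)>", r"{\1}", path)  # <int:id> or <id> -> {id}
    path = re.sub(r"\$\{(\w+)\}", r"{\1}", path)       # ${invoiceId}     -> {invoiceId}
    path = re.sub(r"\{\w+\}", "{id}", path)            # any {param}      -> {id}
    return path.rstrip("/") or "/"


def referenced_endpoints(sources: dict) -> dict:
    """Return {normalized_path: [file, ...]} for every endpoint literal found in code."""
    found = {}
    for name, text in sources.items():
        for pattern in ROUTE_PATTERNS:
            for raw in pattern.findall(text):
                found.setdefault(normalize(raw), []).append(name)
    return found


def shadow_endpoints(sources: dict, documented: set) -> dict:
    """Endpoints referenced in code but absent from the documented inventory."""
    return {p: f for p, f in referenced_endpoints(sources).items() if p not in documented}


if __name__ == "__main__":
    for path, files in sorted(shadow_endpoints(SOURCES, DOCUMENTED).items()):
        print(f"undocumented endpoint: {path}  (referenced in {', '.join(files)})")
```

Run continually against each repository and diffed over time, the output is the list of endpoints that exist in code but not in the inventory the gateway, WAF and testing team are working from.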