apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/
API Security Breach Analysis & Empowering Devs to Make Secure APIs
Jeremy Snyder, Founder and CEO of FireTail
3. Overview.
What we’ll cover in the next 25 minutes
- Introduction
- A Decade of Breach Data
- Real Examples of High Profile Incidents
- Effective API Security Strategies
- Bridging the Gap: From Devs to DevSecOps
- Questions
- Bonus
4. About Me.
Career cybersecurity professional and CEO of FireTail.
- 1998-2004 TRADOS (lang tech)
- 2005-2006 Rivermine (telecom)
- 2006-2010 Twinity (metaverse)
- 2010-2011 AWS (30x MRR)
- 2014-2014 REAN Cloud ($1M in 6 mos)
- 2016-2020 DivvyCloud (20x ARR+)
- 2020-2021 Rapid7 (M&A 3 deals)
6. Low Hanging Fruit.
APIs are now an increasingly attractive target for attackers
- API sprawl is a looming threat to our economy - APIs are becoming the low-hanging fruit for attackers
- API attacks grew 348% in Q3/Q4 2021
- APIs will become the #1 attack vector
- APIs represent 90% of the attack surface of modern apps
https://www.firetail.io/api-data-breach-tracker
7. Top 6 Problems.
As reported by CISOs in response to CSO Magazine survey:
1. Lack of API inventory
2. Enforcing perimeter security
3. End-to-end tracing of code to API
4. Number of required security configs per API
5. API change management, security implications
6. Gap between developers and security teams
8. Examining Breaches.
Here are the top-level stats from our analysis of API breaches (May 2023 report figure first, updated figure in parentheses):
- 577M+ (1.4B+) records breached / exposed / at risk of breach
- 13M (22M) records per breach event
- 43 (62) unique, documented breach/research events
- Huge acceleration in 2023
- Top attack vectors can be broken down into a few categories
Numbers updated since May 2023 report; https://firetail.io/api-security-report-2023
15. Examples of breach logic around authorization.
Authenticates once, but then doesn’t require subsequent authorization to access additional functions. Sequential numbering made scraping very easy.
- Authentication ≠ authorization
- Must be done server-side
- Must be with EVERY call
- Principal + resource + action; either all map to YES, or it’s NO
18. Examples of breach logic around auth n/z +.
Another multi-vector breach. A number of things went wrong.
- API URL landed in Google SERP
- API did not require authentication token
- API did not check for authorization
- API allowed CRUD functions
- Conclusions:
  - Combo network configuration + more
  - Poor API design on auth-N/Z
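As an added example (not code from the talk or from FireTail), here is the server-side check that slides 15 and 18 call for, in Python: every call is authenticated, and the principal, the resource and the requested action must all map to YES before the handler touches data, for reads as well as updates and deletes. The session table, roles, policy and account records are constructed for the example; the sequential account IDs mirror the scraped API.

```python
"""Added example: authentication and authorization evaluated on EVERY call.

Constructed data throughout; nothing here is a real session, user or policy.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed session store: bearer token -> principal.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}

# Constructed resource store with sequential IDs, as in the breached API.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com"},
    1002: {"owner": "bob", "email": "bob@example.com"},
}

# Constructed policy: (role, action) -> scope. Anything absent is a NO.
POLICY = {
    ("customer", "read"): "owner",    # customers read/update only their own account
    ("customer", "update"): "owner",
    ("support", "read"): "any",       # support reads any account, may delete any
    ("support", "delete"): "any",
}

@dataclass
class Request:
    token: Optional[str]
    action: str            # "read", "update" or "delete"
    account_id: int
    body: dict = field(default_factory=dict)

def authenticate(token):
    """Authentication: who is calling? Returns the principal or None."""
    return SESSIONS.get(token) if token else None

def authorize(principal, resource, action):
    """Authorization: principal + resource + action must ALL map to YES."""
    scope = POLICY.get((ROLES.get(principal), action))
    if scope is None:
        return False
    return scope == "any" or resource["owner"] == principal

def handle(req, store=ACCOUNTS):
    """Hardened handler: both checks run server-side on every single call."""
    principal = authenticate(req.token)
    if principal is None:
        return 401, {"error": "authentication required"}
    if req.action not in ("read", "update", "delete"):
        return 400, {"error": "unsupported action"}
    resource = store.get(req.account_id)
    # One answer for "missing" and "forbidden": a caller walking sequential
    # IDs learns nothing about which accounts exist.
    if resource is None or not authorize(principal, resource, req.action):
        return 404, {"error": "not found"}
    if req.action == "read":
        return 200, dict(resource)
    if req.action == "update":
        resource["email"] = req.body.get("email", resource["email"])
        return 200, dict(resource)
    del store[req.account_id]
    return 204, {}
```

Note that the authenticated-but-not-authorized case (alice reading account 1002) is answered exactly like a nonexistent account, which is what closes the scraping path the slide describes.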
21. Example of breach with server & data handling.
The starting point of this breach was a server that gave overly verbose errors. Other stuff went wrong too.
- Enumeration exposed routes
- Found undisclosed GraphQL endpoint
- GraphQL endpoint allowed “select *”
- Conclusions:
  - Poor server config
  - Non-declarative API model
  - Excessive exposure
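Two of the conclusions above (verbose errors, non-declarative model) have direct code-level fixes. This added Python example (not from the talk or FireTail) shows both: errors are logged in full on the server but the client only ever receives a generic message plus a correlation id, and the fields a response may carry are declared up front, so a "select *" style request for undeclared columns is refused. The record, field list and log format are constructed.

```python
"""Added example: generic client errors + a declarative field allow-list.

The backing row and the exposed-field table are constructed for the example.
"""
import logging
import uuid

log = logging.getLogger("api")

# Constructed backing record: far more columns than the API should expose.
USER_ROW = {
    "id": 42,
    "display_name": "Jane Doe",
    "email": "jane@example.com",
    "password_hash": "$2b$12$constructed-placeholder-hash",
    "home_address": "1 Example St",
    "internal_notes": "VIP account",
}

# Declarative API model: the only fields a client may ever receive, per resource.
EXPOSED_FIELDS = {"user": ("id", "display_name")}

def project(resource, row, requested=None):
    """Return only declared fields. A request for an undeclared field is an
    error (not silently dropped) so the attempt shows up in the server log."""
    allowed = EXPOSED_FIELDS[resource]
    wanted = tuple(requested) if requested else allowed
    undeclared = [f for f in wanted if f not in allowed]
    if undeclared:
        raise PermissionError(f"undeclared fields requested: {undeclared}")
    return {f: row[f] for f in wanted}

def safe_response(fn, *args):
    """Run a handler and convert every exception into a generic response.
    Detail (message, stack trace) goes to the server log under a correlation
    id; the client gets the id and nothing else."""
    try:
        return 200, fn(*args)
    except PermissionError as exc:
        cid = uuid.uuid4().hex[:12]
        log.warning("cid=%s rejected request: %s", cid, exc)
        return 403, {"error": "forbidden", "correlation_id": cid}
    except Exception:  # noqa: BLE001 - deliberately catch-all at the API edge
        cid = uuid.uuid4().hex[:12]
        log.exception("cid=%s unhandled error", cid)  # trace stays server-side
        return 500, {"error": "internal error", "correlation_id": cid}
```

The correlation id is what lets a support engineer find the full trace later without the trace ever having left the server.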
22. “The internal API had an exposed Microsoft Graph instance which would’ve allowed an attacker to exfiltrate nearly 100 million user records including names, emails, phone numbers, and addresses”
Sam Curry
24. Example of breach via network / data / auth.
Yet another multi-vector breach. A number of things went wrong.
- API made public with DNS / network configuration change
- API had poor authN
- Incremental account IDs
- Conclusions:
  - Poor network change mgmt
  - Bad data handling
  - Easy API access
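The "incremental account IDs" finding is both a design problem and a detection opportunity. This added Python example (not from the talk or FireTail) does two things: it scans access-log lines for a single client walking consecutive account IDs, the pattern that scraping leaves even when every response is a 200, and it shows the replacement for incremental public identifiers. The log lines and their format (client ip, status, method, path) are constructed for the example, not any product's format.

```python
"""Added example: detect sequential-ID walking in access logs; issue
non-guessable public IDs. Log lines below are constructed."""
import re
import secrets
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 200 GET /v1/accounts/1001
10.0.0.5 200 GET /v1/accounts/1002
10.0.0.5 200 GET /v1/accounts/1003
10.0.0.5 200 GET /v1/accounts/1004
10.0.0.5 200 GET /v1/accounts/1005
10.0.0.5 200 GET /v1/accounts/1006
10.0.0.9 200 GET /v1/accounts/7710
10.0.0.9 200 GET /v1/accounts/7710/orders
10.0.0.9 200 GET /v1/accounts/7710
"""

# Constructed log format: "<ip> <status> <method> <path>".
LINE = re.compile(
    r"^(?P<ip>\S+) (?P<status>\d{3}) (?P<method>\S+) /v1/accounts/(?P<id>\d+)"
)

def enumeration_suspects(log_text, min_run=5):
    """Return {ip: longest run of consecutive account IDs} for every client
    whose longest run reaches min_run. Every line in the sample is a 200:
    breaches look like normal requests, so the signal is the ID sequence."""
    ids = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ids[m["ip"]].append(int(m["id"]))
    suspects = {}
    for ip, seq in ids.items():
        run = best = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            suspects[ip] = best
    return suspects

def new_public_id():
    """Non-incremental public identifier: 128 bits from the OS CSPRNG.
    Keep an incremental key internal to the database if storage needs it;
    it must never be the value a client puts in a URL."""
    return secrets.token_urlsafe(16)
```

The detector is deliberately simple: a run threshold over one client. In production the same logic would be keyed on the authenticated principal as well as the source address, since a scraper behind a proxy pool still uses the same credential.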
26. Industry Analysis.
Where do breaches happen?
- Not industry-specific or geography-specific
- APIs are everywhere
- But some industries have had a huge breach impact recently
  - Manufacturing (automotive)
  - Technology (software)
  - Hospitality (airlines, hotels, rental cars)
30. [Diagram: request path from API consumer to server and on to third-party APIs, with the OWASP API Security Top 10 item numbers placed along the stages where they apply.]
Request flow (response returns along the same path): Consumer -> Internet -> GW/Proxy -> WAF -> Rate limiting -> AuthN -> Sanitize -> Validate -> AuthZ -> Fetch Data / Modify Data / Execute Function -> Third party API
OWASP API Security Top 10 items shown on the diagram:
1. BOLA.
2. Broken AuthN.
3. BOPLA.
4. Unrestricted Resource Consumption.
5. BFLA.
6. Unrestricted Process Access.
7. SSRF.
8. Misconfiguration.
9. Improper Inventory Management.
10. Unsafe consumption of APIs.
Breaches look like normal requests.
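The diagram's stage order is the part worth reproducing in code, so here is an added Python example (not from the talk or FireTail) of the request path as an ordered chain: rate limiting and authentication run before any input is parsed, sanitize and validate run before authorization so the access decision is made on clean, schema-checked input, and only then does the handler touch data. Each stage returns either nothing (pass it on) or a final response. Clients, tokens, the document store and the field schema are constructed.

```python
"""Added example: the request path as an ordered stage chain.

Rate limiting -> AuthN -> Sanitize -> Validate -> AuthZ -> Execute.
All sessions, documents and the schema are constructed for the example.
"""
import time
from dataclasses import dataclass

@dataclass
class Req:
    client_ip: str
    token: str
    resource_id: str
    body: dict
    principal: str = ""   # filled in by the AuthN stage

class TokenBucket:
    """Per-client limiter: `rate` requests per second, bursts up to `burst`.
    This is the "Unrestricted Resource Consumption" control from the list."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}   # ip -> (tokens, last_timestamp)

    def allow(self, ip, now):
        tokens, last = self.state.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.state[ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

SESSIONS = {"tok-a": "alice", "tok-b": "bob"}             # constructed
DOCS = {"d1": {"owner": "alice", "title": "q3 plan"}}     # constructed
SCHEMA = {"title": str}   # the only writable field and its type (BOPLA control)
limiter = TokenBucket(rate=1.0, burst=3)

def rate_limit(req, now):
    # Cheapest check first: runs before the token is even looked at.
    return None if limiter.allow(req.client_ip, now) else (429, "rate limited")

def authn(req, now):
    req.principal = SESSIONS.get(req.token, "")
    return None if req.principal else (401, "authentication required")

def sanitize(req, now):
    # Strip non-printable characters from string values before validation.
    req.body = {
        k: "".join(ch for ch in v if ch.isprintable()) if isinstance(v, str) else v
        for k, v in req.body.items()
    }
    return None

def validate(req, now):
    # Declared schema: unknown fields and wrong types are rejected.
    for k, v in req.body.items():
        if k not in SCHEMA or not isinstance(v, SCHEMA[k]):
            return 400, f"invalid field: {k}"
    return None

def authz(req, now):
    # BOLA control: ownership checked on this call, on clean input.
    doc = DOCS.get(req.resource_id)
    if doc is None or doc["owner"] != req.principal:
        return 404, "not found"   # same answer for missing and forbidden
    return None

def execute(req, now):
    DOCS[req.resource_id].update(req.body)
    return 200, dict(DOCS[req.resource_id])

STAGES = [rate_limit, authn, sanitize, validate, authz]

def handle(req, now=None):
    """Run the stages in order; the first one that answers ends the request."""
    now = time.monotonic() if now is None else now
    for stage in STAGES:
        verdict = stage(req, now)
        if verdict is not None:
            return verdict
    return execute(req, now)
```

Passing `now` explicitly keeps the limiter testable; in a real service it would be the request arrival time. The fourth request from the same address in the test below is refused with 429 before its (invalid) token is examined, which is exactly the ordering the diagram draws.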
31. Components of Effective API Security.
- Visibility. Get a complete view of your entire API landscape across your IT fleet.
- Policy. APIs analyzed for configuration settings & security policy. API security posture management.
- Discovery. Finding APIs not running FireTail library via network traffic, code repos & cloud APIs.
- Enforcement. Authentication, authorization, validation and sanitization directly in your code.
- Observability. Commercial version sends configuration and success / failure events to cloud backend.
- Audit. Full & centralized audit trail of all APIs with FireTail library. Search & alert capabilities.