apidays Australia 2023 - Platforms, Products, and People: The Power of APIs October 11 & 12, 2023 https://www.apidays.global/australia/ API Security Breach Analysis & Empowering Devs to Make Secure APIs Jeremy Snyder, Founder and CEO of FireTail ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. API Security.
Analysing Breaches &
Empowering Devs to Build
Secure APIs
Apidays Australia | Oct 2023 | Jeremy Snyder

3. Overview.
What we’ll cover in the next 25 minutes
- Introduction
- A Decade of Breach Data
- Real Examples of High Profile Incidents
- Effective API Security Strategies
- Bridging the Gap: From Devs to DevSecOps
- Questions
- Bonus

4. About Me.
Career cybersecurity professional and
CEO of FireTail.
- 1998-2004 TRADOS (lang tech)
- 2005-2006 Rivermine (telecom)
- 2006-2010 Twinity (metaverse)
- 2010-2011 AWS (30x MRR)
- 2014-2014 REAN Cloud ($1M in 6 mos)
- 2016-2020 DivvyCloud (20x ARR+)
- 2020-2021 Rapid7 (M&A 3 deals)

5. A Decade of Data

6. Low Hanging Fruit.
APIs are now an increasingly attractive
target for attackers
- API sprawl is a looming threat to our
economy - APIs are becoming the
low-hanging fruit for attackers
- API Attacks grew 348% in Q3/Q4 2021
- APIs will become the #1 attack vector
- APIs represent 90% of the attack
surface of modern apps
https://www.firetail.io/api-data-breach-tracker

7. Top 6 Problems.
As reported by CISOs in response to CSO Magazine survey:
1. Lack of API inventory
2. Enforcing perimeter security
3. End-to-end tracing of code to API
4. Number of required security configs per API
5. API change management, security implications
6. Gap between developers and security teams

8. Examining Breaches.
Here are the top-level stats from our analysis of
API breaches:
- 577M+ 1.4B+ records breached / exposed /
risk of breach
- 13 22M records per breach event
- 43 62 unique, documented breach/research
events
- Huge acceleration in 2023
- Top attack vectors can be broken down into a
few categories
Numbers updated since May 2023 report; https://firetail.io/api-security-report-2023

9. Breach Events by Primary Attack Vector.

10. Almost all
breach events
are multi-vector.

11. API Breaches by Secondary Root Cause.

12. Real Examples

13. Even the biggest
brands are at risk
of API breaches.

15. Examples of breach logic
around authorization.
Authenticates once, but then doesn’t
require subsequent authorization to access
additional functions. Sequential numbering
made scraping very easy.
- Authentication ≠ authorization
- Must be done server-side
- Must be with EVERY call
- Principal + resource + action; either all
map to YES, or it’s NO

16. “Vulnerabilities in apps
handling API data are the
direct cause of these
breaches. Nothing else
is to blame.”
archive.org

18. Examples of breach logic
around auth n/z +.
Another multi-vector breach. A number of
things went wrong.
- API URL landed in Google SERP
- API did not require authentication token
- API did not check for authorization
- API allowed CRUD functions
- Conclusions:
- Combo network configuration + more
- Poor API design on auth-N/Z

19. Almost all
breach events
are multi-vector.

21. Example of breach with
server & data handling.
The starting point of this breach was a server
that gave overly verbose errors. Other stuff
went wrong too.
- Enumeration exposed routes
- Found undisclosed graphQL endpoint
- GraphQL endpoint allowed “select *”
- Conclusions:
- Poor server config
- Non-declarative API model
- Excessive exposure

22. “The internal API had an
exposed Microsoft Graph
instance which would’ve
allowed an attacker to exfiltrate
nearly 100 million user records
including names, emails, phone
numbers, and addresses”
Sam Curry

24. Example of breach via
network / data / auth.
Yet another multi-vector breach. A number of
things went wrong.
- API made public with DNS / network
configuration change
- API had poor authN
- Incremental account IDs
- Conclusions:
- Poor network change mgmt
- Bad data handling
- Easy API access

25. "No authenticate
needed…All open
to internet for any
one to use."
The Attacker

26. Industry Analysis.
Where do breaches happen?
- Not industry-specific or
geography-specific
- APIs are everywhere
- But some industries have had a huge
breach impact recently
- Manufacturing (automotive)
- Technology (software)
- Hospitality (airlines, hotels, rental
cars)

27. 2B+ at risk in 2023
Recent
disclosures

28. Effective API Security

29. Traditional
security
doesn’t work.

30. Consumer Server
Internet
GW/Proxy
WAF
Rate
limiting
AuthN
Sanitize
Validate
AuthZ
Fetch Data / Modify
Data / Execute
Function
Request
Response
Third party API
6. Unrestricted Process Access.
7. SSRF.
8. Misconfiguration.
9. Improper Inventory Management.
10. Unsafe consumption of APIs.
1. BOLA.
2. Broken AuthN.
3. BOPLA.
4. Unrestricted Resource Consumption.
5. BFLA.
1
2
3
5
7
6
6
6
4
4
4
Breaches look like normal requests.
10
10
8 9

31. Components of Effective API Security.
Visibility.
Get a complete view of your entire
API landscape across your IT
fleet.
Policy.
APIs analyzed for configuration
settings & security policy. API
security posture management.
Discovery.
Finding APIs not running FireTail
library via network traffic, code
repos & cloud APIs
Enforcement.
Authentication, authorization,
validation and sanitization directly
in your code.
Observability.
Commercial version sends
configuration and success /
failure events to cloud backend.
Audit.
Full & centralized audit trail of all
APIs with FireTail library. Search &
alert capabilities.

32. Focus on API
security at the
application layer.

33. Existing approaches just don’t cut it.
API Call Log Visibility

34. Bridging the Gap

35. Pave a clear path
for developers.

36. Embracing New Tech.

37. DevSecOps & APIs. Define standards and
enforce policy to ensure
consistent security. Use API
Security posture
management to keep
everyone aligned.
- API Specifications.
- Security Configurations.
- Governance &
Enforcement.

38. DevSecOps & APIs. Empower developers.
Provide clear guidance:
- Where is the
problem?
- What is the
problem?
- What is the risk?
- How do I fix it?

39. DevSecOps & APIs. Empower developers.
Provide clear guidance:
- Where is the
problem?
- What is the
problem?
- What is the risk?
- How do I fix it?

40. DevSecOps & APIs. Empower developers.
Provide clear guidance:
- Where is the
problem?
- What is the
problem?
- What is the risk?
- How do I fix it?

41. Bridging the Gap.
Code & design phase:
1. Secure source code
2. Vulnerability elimination
Pre-launch testing:
1. Fuzzing test
2. Logic test
Runtime protection:
1. Cover top 4 attack vectors
2. D&R on central logs
Contextual Awareness
1. Feed into CNAPP / AppSec
2. Integrate with SecOps
Pre-production (dev / test / staging) Production
APP
SEC

42. Questions

43. Get this Deck.
If you would like your
own copy of the slides
from this presentation,
just scan the code.

44. Discount. Competition.
Win a free API Security
Assessment.
60% Off FireTail
Enterprise Plan.

45. Thanks