APIdays Helsinki 2019 - API Security Risk Management with Bug Bounties with Lea Viljanen, Hackrfi
API Security Risk Management with Bug Bounties, Lea Viljanen, CEO, Security Consultant at Hackrfi

Published in: Technology

  1. API Security Risk Management with Bug Bounties
     5.6.2019
     Lea Viljanen, ladybug@hackr.fi
     https://www.linkedin.com/company/hackrfi, @hackrfi
  2. APIS, BUSINESS AND RISKS
  3. Getting the business value (© Hackrfi Oy 2018 - Public, 5.6.2019)
     • To get the business benefits, you need to expose your APIs
       o …to internal parties
       o …to external partners
       o …to the general public
     • Exposure brings risks!
  4. Some key API risks
     • Fraudulent transactions
       o Loss of resources/reputation
     • Leaks of personally identifiable information (PII)
       o Can lead to monetary sanctions under the EU GDPR
     • Denial of Service attacks
       o May have a direct impact on revenue
  5. Risks vs benefits
     • Modern security is all about saying YES and managing the risk.
     • What tools do we have to get API risks to an acceptable level?
  6. SOLUTIONS
  7. The traditional M&M method (perimeter protection)
     • Firewalls
     • DMZs
     • VPNs
     But what if we need co-operation with a changing number of API consumers in the ecosystem?
  8. Defence in depth
     • Perimeter protection
     • Endpoint protection
     • Software & API controls
     • Processes
       o Not just to prevent, but also to detect!
     (Diagram: multiple layers of security: People / Processes, SW, HW, DATA)
     The perimeter can be more open because of the other controls; this allows for co-operation and ecosystem memberships.
  9. Key processes for API security
     • Secure coding
     • Vulnerability management
     • Audit management
     • Intrusion detection
     • Incident management
     (Image: unknown author, licensed CC BY-SA)
  10. AGILE VULNERABILITY DISCOVERY
  11. How to discover vulnerabilities?
     • Incidents … oops!
     • Error reports from staff, users, API consumers, third parties
     • Security audits and reviews
     • … and bug bounties!
  12. Bug bounty program – what?
     • An organisation pays security researchers (i.e. hackers) if they report a vulnerability in a responsible manner.
     • The target can be anything from the whole infrastructure to a platform to a single app and its API
     • The payment sum can vary, typically from thousands to hundreds
  13. Key benefits
     • A bug bounty encourages hackers to report issues before the criminals take advantage
     • Cost effective – only real vulnerabilities get bounties
     • Public programs increase third-party trust in your services
     • Much more agile than traditional audits
  14. Audits vs bug bounties
     Traditional audits:
     • Limited by time (work days)
     • Limited by money (pre-approved budget)
     • Limited by the expertise of the couple of people doing the testing
     • Give results at one point in time
     Bug bounty:
     • Hackers don't count hours
     • Hackers are paid only if they find results
     • Community hackers have variable expertise
     • Can be run continuously
  15. Bug bounty cons
     • Your processes need to be mature to handle incoming reports
       o Bad reputation for being a black hole or for not paying
     • Setting up the program and communicating with hackers takes resources
     • Works best with public targets
  16. Different types of programs (Private / Public, Open / Closed)
     • Private (Open / Closed): not disclosed in public, need-to-know only; invited participants only
     • Public Open: publicly visible; anyone can join and submit reports
     • Public Closed: publicly visible; participants are selected, by invitation only or by application
  17. How to go about it?
     Decide: target, rules, payment structure; type of program; publish it
     Receive reports: contact point; triage
     Evaluate: acceptance; decide bounty amount; communicate; pay
     Remediate: prioritize; assess risk vs time & costs to fix; communicate
  18. THANK YOU!
     https://www.linkedin.com/company/hackrfi
     ladybug@hackr.fi
     @leaviljanen
