apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023
A decade of API breaches, courtesy of application flaws
Jeremy Snyder, Founder at FireTail
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
3. BREACH DATA COLLECTION
METHODOLOGY
Google Alerts and other notifications around data breaches
Breach events are reviewed – was an API the breach vector?
Primary and secondary breach vectors recorded, if applicable
Responsible disclosures are included, but with a zero record count
Alignment to the OWASP API Security Top 10 (2019) assessed on a best-fit basis
4. BREACH DATA COLLECTION
CAVEATS
Based on publicly reported data, with few exceptions
Examine as many sources as possible, but sometimes only one source is available
In most cases, we do not try to replicate the results
Not yet recategorized based on the OWASP API Security Top 10 2023 RC
We did not (yet) finish analysis by API type (REST, GraphQL, gRPC, SOAP), cloud provider or code language
List is almost certainly incomplete
6. APIS ARE GROWING; APIS ARE A PROBLEM
▸API sprawl is a looming threat to our economy - APIs are becoming the low-hanging fruit for attackers
▸API attacks grew 348% in Q3/Q4 2021
▸Close to 1 billion (with a B) records at exposure risk since 2013
▸“Vulnerabilities in apps handling API data are the direct cause of these breaches. Nothing else is to blame.”
https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/, https://web.archive.org/web/20210127101627/https://www.cloudvector.com/api-data-breaches-in-2020/, https://devops.com/api-sprawl-a-looming-threat-to-digital-economy, Gartner
By 2022, API abuses will move from an infrequent to the most frequent attack vector
7. BREACH DATA ANALYSIS
HIGH LEVEL STATISTICS
577M+ records breached
~13M records per breach event (average)
43 unique, documented breach/research events
Top attack vectors can be broken down into a few categories
10. BREACH DATA ANALYSIS
EXAMPLES OF BREACH LOGIC AROUND AUTHORIZATION
Authenticates once, but then doesn’t require subsequent authorization to access additional functions
Authenticates, but doesn’t enforce server-side authorization; the client is left responsible for function-level authorization, i.e. (B)FLA
Conclusions:
Authentication ≠ authorization
Must be done server-side
Must be with EVERY call
Principal + resource + action; either all map to YES, or it’s NO
14. BREACH DATA ANALYSIS
DISCUSSION AROUND MULTI-VECTOR CONCLUSIONS
In almost all cases, more than one thing went wrong:
Sequential numbering + no server-side authZ
No authZ + full data records returned (trimmed by client)
3rd party API access keys discovered + lack of encryption
Using common IDs (like VIN or SSN) as authN tokens + second factor
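The failure modes on slides 10 and 14 side by side with the fix the conclusions call for, as an added example that is not code from the deck or from FireTail: the "vulnerable" handler authenticates and then trusts the client (sequential IDs, no server-side authZ, full record returned for the client to trim); the "hardened" handler decides principal + resource + action on every call and shapes the response server-side. Record data, session tokens, the admin set and the field list are constructed for illustration.

```python
# Added example (not from the FireTail deck): authenticate-then-trust-the-client
# versus server-side principal + resource + action on every call.
# All records, tokens and names below are constructed sample data.

# Sequential IDs, as in the breaches on slide 14.
RECORDS = {
    1001: {"id": 1001, "owner": "alice", "email": "alice@example.com",
           "ssn": "123-45-6789", "plan": "gold"},
    1002: {"id": 1002, "owner": "bob", "email": "bob@example.com",
           "ssn": "987-65-4321", "plan": "free"},
    1003: {"id": 1003, "owner": "dana", "email": "dana@example.com",
           "ssn": "555-12-3456", "plan": "gold"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}  # token -> principal
ADMINS = {"carol"}
PUBLIC_FIELDS = ("id", "owner", "plan")   # the most a normal caller may ever see


def authenticate(token):
    """Who is calling? Authentication only; says nothing about what they may do."""
    if token not in SESSIONS:
        raise PermissionError("401 unauthenticated")
    return SESSIONS[token]


# --- Vulnerable pattern: authenticate once, then trust the client for the rest ---
def vulnerable_get_record(token, record_id):
    authenticate(token)                 # any valid session passes
    return dict(RECORDS[record_id])     # full record; the client "trims" fields.
                                        # KeyError on a gap also tells the caller
                                        # exactly which IDs exist.


# --- Hardened pattern: principal + resource + action, server-side, every call ---
def authorize(principal, resource, action):
    """All three must map to YES; anything else is NO."""
    if resource is None:
        return False
    if principal in ADMINS:
        return True
    if action == "read" and resource["owner"] == principal:
        return True
    return False                        # covers "change_plan" for non-admins


def hardened_get_record(token, record_id):
    principal = authenticate(token)
    record = RECORDS.get(record_id)
    if not authorize(principal, record, "read"):
        # One answer for "missing" and "not yours": no enumeration oracle.
        raise PermissionError("404 not found")
    return {k: record[k] for k in PUBLIC_FIELDS}   # response shaped server-side


def hardened_set_plan(token, record_id, plan):
    """A second function on the same resource gets its own authZ decision."""
    principal = authenticate(token)
    record = RECORDS.get(record_id)
    if not authorize(principal, record, "change_plan"):
        raise PermissionError("403 forbidden")
    record["plan"] = plan
    return True


def walk_ids(handler, token, id_range):
    """The attacker's loop from slide 14: try every sequential ID, keep what comes back."""
    leaked = {}
    for rid in id_range:
        try:
            leaked[rid] = handler(token, rid)
        except (PermissionError, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable:", walk_ids(vulnerable_get_record, "tok-bob", range(1000, 1005)))
    print("hardened:  ", walk_ids(hardened_get_record, "tok-bob", range(1000, 1005)))
```

Run as-is, the vulnerable handler hands bob every record including other users' SSNs; the hardened one returns only his own record, with only the public fields, and gives the same 404 for IDs that do not exist and IDs that are not his.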
15. BREACH DATA ANALYSIS
OTHER NOTES AROUND ATTACK VECTORS TRACKED
Enumeration – in a lab environment, hits within 5 min, return callers; 90%+ of traffic is probing (/.git/config, /.env, etc.)
Data Exposure – returning too much data; leaving it to the client to trim or remove it
Injection – not super common, roughly 10% of cases
Governance – a general term; can refer to configuration in a cloud environment, private -> public API exposure, etc.
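A small detector for the two traffic patterns described above, probing for well-known files and walking sequential object IDs, run over constructed access-log lines; this is an added example and not code from the deck or from FireTail. The log lines, client addresses, probe path list and the `/api/v1/users/<id>` route are all made up for the sample.

```python
# Added example (not from the FireTail deck): flag probing traffic and
# sequential-ID walks in combined-format access logs. Sample data is constructed.
import re
from collections import defaultdict

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [16/May/2023:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [16/May/2023:10:00:03 +0000] "GET /api/v1/users/1001 HTTP/1.1" 200 512
198.51.100.4 - - [16/May/2023:10:00:05 +0000] "GET /api/v1/users/1002 HTTP/1.1" 200 498
203.0.113.7 - - [16/May/2023:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [16/May/2023:10:00:07 +0000] "GET /api/v1/users/1003 HTTP/1.1" 200 501
203.0.113.7 - - [16/May/2023:10:00:08 +0000] "GET /api/v1/users/1004 HTTP/1.1" 200 505
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Paths no legitimate API client asks for; one hit is enough to call it probing.
# (Assumed list for this example; extend from your own traffic.)
PROBE_PREFIXES = ("/.env", "/.git/", "/.aws/", "/.ssh/", "/wp-login.php", "/phpinfo.php")
# Object route with a numeric ID (assumed for the sample) to watch for walks.
ID_ROUTE_RE = re.compile(r"^/api/v\d+/users/(\d+)$")


def parse_line(line):
    """One combined-log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    return path.startswith(PROBE_PREFIXES)


def analyze(log_text, walk_threshold=3):
    """Per-client findings: probe hits/paths and whether the client walked object IDs."""
    per_ip = defaultdict(lambda: {"requests": 0, "probe_hits": 0,
                                  "probe_paths": [], "ids_seen": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                      # unparsable: count separately in production
        e = per_ip[rec["ip"]]
        e["requests"] += 1
        if is_probe(rec["path"]):
            e["probe_hits"] += 1
            e["probe_paths"].append(rec["path"])
        m = ID_ROUTE_RE.match(rec["path"])
        if m:
            e["ids_seen"].append(int(m.group(1)))
    findings = {}
    for ip, e in per_ip.items():
        ids = e["ids_seen"]
        # A walk: at least `walk_threshold` distinct IDs, requested in increasing order.
        walk = len(set(ids)) >= walk_threshold and all(a < b for a, b in zip(ids, ids[1:]))
        findings[ip] = {"requests": e["requests"], "probe_hits": e["probe_hits"],
                        "probe_paths": e["probe_paths"], "id_walk": walk}
    return findings


def probe_share(log_text):
    """Fraction of parsed requests that were probes (the deck's '90%+' figure in a lab)."""
    total = probes = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        total += 1
        probes += is_probe(rec["path"])
    return probes / total if total else 0.0


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
    print("probe share:", round(probe_share(SAMPLE_LOG), 3))
```

The walk check deliberately keys on order rather than on status codes: the hardened handler from the authorization example answers 404 for both missing and foreign IDs, so a sequence of 404s is not on its own a signal, while a client stepping through IDs in order is, whatever the responses.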
17. BREACH DATA ANALYSIS
SYSTEMIC FLAWS CAN BE ATTACKED SYSTEMATICALLY
These flaws tend to affect the entire API / app logic
In responsible disclosures, researchers have often performed very large PoCs
Average number of records per breach is in the millions, but has actually come down (the total is spread over more breach events)
18. BREACH DATA ANALYSIS
SOME OTHER OBSERVATIONS
Not industry-specific - APIs are everywhere
Not geography-specific – APIs are everywhere
But some industries have had a huge breach impact recently
Manufacturing (automotive)
Technology (software)
Hospitality (airlines, hotels, rental cars)
20. SURVEY RESULTS
TOP 6 PROBLEMS WITH APIS, REPORTED BY CISOS
1. Lack of API inventory
2. Enforcing perimeter security (gateway+logic, not firewall)
3. End-to-end tracing of code to API
4. Number of required security configs per API
5. API change management, security implications
6. Gap between developers and security teams
21. “ORGANIZATIONS THAT DEFEND THEIR APIS WITH TRADITIONAL NETWORK SECURITY SOLUTIONS ARE HAVING MODERATE SUCCESS AT BEST, IF THEY HAVE ANY SUCCESS AT ALL.” - AKAMAI
22. TRACK OUR RESEARCH
DATA AND ANALYSIS SHARED ONLINE
FireTail’s API Data Breach Tracker:
https://firetail.io/api-data-breach-tracker
24. CORE PRINCIPLES OF API SECURITY
FIRETAIL
VISIBILITY – Full view of API landscape across IT fleet
OBSERVABILITY – Commercial version sends configuration and success / failure events to cloud backend
POLICY – APIs can be analyzed for configuration settings and security policy. API security posture management
AUDIT – Full and centralized audit trail of all APIs with FireTail library implemented. Search and set alerts.
DISCOVERY – Finding APIs not running FireTail library via network traffic, code repos & cloud APIs
ENFORCEMENT – Authentication, authorization, validation, sanitization in code
25. THE SOLUTION - ADOPTION PATH
EMBRACING NEW TECH
DISCOVERY & INVENTORY
POLICY AUDIT
ATTACK PREVENTION