apidays New York 2023 APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media May 16 & 17, 2023 A decade of API breaches, courtesy of application flaws Jeremy Snyder, Founder at FireTail ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. A DECADE OF API BREACHES,
COURTESY OF APPLICATION FLAWS
JEREMY SNYDER, FOUNDER & CEO
JEREMY@FIRETAIL.IO

2. LEARNING FROM
A DECADE OF API
DATA BREACHES

3. BREACH DATA COLLECTION
METHODOLOGY
Google + alerts, notifications around data breaches
Breach events are reviewed – API as the breach vector?
Primary and secondary breach vectors, if applicable
Including responsible disclosure, but zero record count
Alignment to OWASP API Top 10 (2019) assessed as best fit
as possible

4. BREACH DATA COLLECTION
CAVEATS
Based on publicly reported data, with few exceptions
Examine as many sources as possible, but sometimes only
one source is available
In most cases, we do not try to replicate the results
Not yet recategorized based on OWASP Top 10 2023 RC
We did not (yet) finish analysis by API type (REST, graphQL,
gRPC, SOAP), cloud provider or code language
List is almost certainly incomplete

5. Source: Akamai State of the Internet Report 2021

6. APIS ARE GROWING; APIS ARE A PROBLEM
▸API sprawl is a looming threat to our economy - APIs are becoming
the low-hanging fruit for attackers
▸API Attacks grew 348% in Q3/Q4 2021
▸Close to 1 billion (with a B) records at exposure risk since 2013
▸“Vulnerabilities in apps handling API data are the direct cause of
these breaches. Nothing else is to blame.”
https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/, https://web.archive.org/web/20210127101627/https://www.cloudvector.com/api-data-breaches-in-2020/, https://devops.com/api-sprawl-a-looming-threat-to-digital-economy, Gartner
By 2022, API abuses will move
from an infrequent to the most
frequent attack vector

7. BREACH DATA ANALYSIS
HIGH LEVEL STATISTICS
577M+ records breached
13M records per breach event
43 unique, documented breach/research events
Top attack vectors can be broken down into a few categories

8. BREACH DATA ANALYSIS
ATTACK VECTORS FOR APIS

9. ALMOST ALL
BREACH EVENTS
ARE LOGIC FLAWS

10. BREACH DATA ANALYSIS
EXAMPLES OF BREACH LOGIC AROUND AUTHORIZATION
Authenticates once, but then doesn’t require subsequent authorization
to access additional functions
Authenticates, but doesn’t enforce server-side authorization; client is
responsible for (B)FLA
Conclusions:
Authentication ≠ authorization
Must be done server-side
Must be with EVERY call
Principal + resource + action; either all map to YES, or it’s NO

11. “VULNERABILITIES IN APPS
HANDLING API DATA ARE THE
DIRECT CAUSE OF THESE
BREACHES. NOTHING ELSE IS
TO BLAME.” – ARCHIVE.ORG PAGE

12. ALMOST ALL BREACH
EVENTS ARE MULTI-
VECTOR

13. BREACH DATA ANALYSIS
BUT THERE’S MORE…

14. BREACH DATA ANALYSIS
DISCUSSION AROUND MULTI-VECTOR CONCLUSIONS
Almost all cases, more than one thing went wrong
Sequential numbering + no server-side authZ
No authZ + full data records returned (trimmed by client)
3rd party API access keys discovered + lack of encryption
Using common IDs (like VIN or SSN) as authN tokens +
second factor

15. BREACH DATA ANALYSIS
OTHER NOTES AROUND ATTACK VECTORS TRACKED
Enumeration – lab environment with hits within 5 min, return
callers, 90%+ traffic is probing (git.config, /.env, etc)
Data Exposure – returning too much data; leaving it to the
client to trim or remove
Injection – not super common, roughly ~10% of cases
Governance - general term, can refer to configuration in a
cloud environment, private -> public API, etc

16. API FLAWS HAVE
BROAD IMPACT

17. BREACH DATA ANALYSIS
SYSTEMIC FLAWS CAN BE ATTACKED SYSTEMATICALLY
These flaws tend to affect the entire API / app logic
In responsible disclosures, researchers have often performed
very large POCs
Average number of records per breach is in the millions, but
has actually come down (more breach events)

18. BREACH DATA ANALYSIS
SOME OTHER OBSERVATIONS
Not industry-specific - APIs are everywhere
Not geography-specific – APIs are everywhere
But some industries have had a huge breach impact recently
Manufactoring (automotive)
Technology (software)
Hospitality (airlines, hotels, rental cars)

19. SO WHAT ARE
API SECURITY
RECOMMENDATIONS?

20. SURVEY RESULTS
TOP 6 PROBLEMS WITH APIS, REPORTED BY CISOS
1. Lack of API inventory
2. Enforcing perimeter security (gateway+logic, not firewall)
3. End-to-end tracing of code to API
4. Number of required security configs per API
5. API change management, security implications
6. Gap between developers and security teams

21. “ORGANIZATIONS THAT DEFEND
THEIR APIS WITH TRADITIONAL
NETWORK SECURITY SOLUTIONS
ARE HAVING MODERATE SUCCESS
AT BEST, IF THEY HAVE ANY
SUCCESS AT ALL.” - AKAMAI

22. TRACK OUR RESEARCH
DATA AND ANALYSIS SHARED ONLINE
FireTail’s API Data Breach Tracker:
https://firetail.io/api-data-breach-tracker

23. HOW TO PROTECT
YOUR ORG FROM
API BREACHES

24. CORE PRINCIPLES OF API SECURITY
FIRETAIL
VISIBILITY OBSERVABILITY
POLICY AUDIT
DISCOVERY
ENFORCEMENT
Authentication,
authorization, validation,
sanitization in code
Commercial version
sends configuration and
success / failure events
to cloud backend
Full view of API
landscape across IT fleet
Finding APIs not running
FireTail library via
network traffic, code
repos & cloud APIs
APIs can be analyzed for
configuration settings
and security policy. API
security posture
management
Full and centralized audit
trail of all APIs with
FireTail library
implemented. Search
and set alerts.

25. THE SOLUTION - ADOPTION PATH
EMBRACING NEW TECH
DISCOVERY &
INVENTORY
POLICY AUDIT
ATTACK PREVENTION
1 2
3
A
3
4

26. t
Pre-production (dev / test / staging) Production
Code & design phase:
1. Secure source code
2. Vulnerability elimination
Pre-launch testing
1. Fuzzing test
2. Logic test
Runtime protection
1. Cover top 4 attack vectors
2. D&R on central logs
Contextual awareness
1. Feed into CNAPP / AppSec
2. Integrate with SecOps
©2022 FireTail Inc, All rights reserved.

27. FOCUS ON API
SECURITY AT THE
APPLICATION LAYER

29. BREACH DATA ANALYSIS
REMINDER FOR WHY THE APP LAYER (APP LOGIC) IS CRUCIAL

30. THANK YOU!
JEREMY@FIRETAIL.IO
https://firetail.io
START A FREE TRIAL WITH US SOON TO GET FULL API VISIBILITY & SECURITY