APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 Time to Take the "F*^!" out of ShiFt Left Christine Bevilacqua, API Security Evangelist at APIsec University ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. 1
Take the "F*^!"
Out of ShiFt Left
Christine Bevilacqua, API Security Evangelist
APIsec University

2. 2
Shift Left API Security
• Why Shift Left?
• 3 Pillars of API Security
• Dev + Sec, Educate & Empower
• Real World Successes
• Best Practices

3. 3
Why Shift Left?

4. 4
API Security Requires Shifting Left
83% of all
internet traffic
is from APIs
Regulations mandate
privacy, vulnerability
detection, testing
Regulatory
Compliance
2022: APIs
“most frequent
attack vector”
Major Attack
Target
High-profile
API breaches
announced weekly
High Profile
Breaches
Explosive
Growth

5. 5
Your API Security Problem isn’t Shrinking
93% of professional developers use APIs
(that’s 21.9M developers using APIs in enterprise projects)
76% or 95% have experienced an API security incident in the past 12 months
34% lack any kind of API security strategy
Of 117,000 cybersecurity incidents, API insecurity was responsible for annual losses
of between $41- 75 billion globally and $12-23 billion in the US.

6. 6
Why Attackers Target APIs
Mobile
App
API
Web
App
Application
Public
API
Micro
Services
Internal
APIs:
• Direct access to sensitive data
• Often “over-permissioned”
• Vulnerable to logic flaws

7. 7
When do you want to find API
vulnerabilities?

8. 8
What’s Being Stolen?

9. 9

10. 10
3 Pillars of API Security

11. 11
The 3 Pillars of API Security
Developing
secure APIs
Ensuring APIs are
free of flaws
Detecting threats in
production
Governance Testing Monitoring

12. 12
Governance
• Goals:
• Consistency
• Setting expectations
Awareness
• Know your APIs
• Know your data
• Know your risks
Policy
• Engineering process
• API documentation
• Style guides
• Enforcing security
• Establishing standard processes

13. 13
Know Your APIs
• Get full inventory APIs
• Purpose, owner, documentation
• Standardize and enforce API deployment process
• Existence of “shadow/rogue” APIs sign of weak governance
• APIs only deployed in approved ways, with proper validation
• Enforce governance at Gateway, Marketplace
• Mandate API Documentation
• Make sure APIs are consistent and reusable
• Define documentation requirements
• Create API Development standards
• Style guides, authentication requirements, versioning, PII tracking

14. 14
Know Your Risks (Threat Modeling)
• Identify: APIs, data, access paths -> potential threats
• Assess: vulnerabilities, logic flaws, access controls, 3rd party risk
• Probability: examine the likelihood of an attack
• Impact: understand the damage, loss, consequences of an attack
• Mitigation: develop a plan to address the risk

15. 15
Style Guides: Promote Governance, Consistency
• Design Style and Specification – API type: REST, GraphQL
• Authentication and Authorization – how to implement (OAuth 2.0)
• Endpoint Naming – URIs as nouns, Methods as verbs, pluralization,
hierarchy, lowercase, language, naming (no jargon), no abbreviations
• Error Codes – status codes, reference ID, human readable messages
• Versioning – when to increment, when not, types of versions
• Units, Formats, Standards – date/times

16. 16
Style Guide
Example

17. 17
Style Guide
Example

18. 18
OpenAPI Specification (Swagger)
• De facto standard for API
documentation
• Aids development and 3rd party
integration
• Manually or auto-generated
• Used with REST APIs
• Machine-readable (YAML, JSON)
• Defines API capability (contract)
• Title, description, version
• Base-URL
• Endpoints, paths
• Parameters
• Methods
• Data types
• Request, response payloads
• Authentication requirements

19. 19

20. 20
Testing
• Where do you want to find API vulnerabilities?
• Pre-production
• Production
• “Standard playbook” test categories offer limited value
• Cross-site scripting, injection, buffer overflow
• Important to run these tests to avoid bot-based attacks
• API breaches rarely exploit these
• Major breaches typically business logic flaws

21. 21
The Need for
API-First Testing
21
Backend
API
Web
App
Mobile
App
Pen Test,
Web Scan
Attacker

22. 22
Testing Categories
API Security
• Unsecured Endpoints
• Authentication exploits
• Enumeration
• App DOS, rate limiting
• Missing TLS, SSL issues
• Injection, fuzzing
• Fuzzing, input validation
• Server-side resource forgery
• Server properties leaks
Business Logic
• Cross-account access
• API function abuse
• Role-based access control
• Pen-testing
Data Security
• Access control
• Excessive data exposure
• Sensitive data exposure
• Personal, health, bank data
• File, directory exposure
• Encryption at rest
• Data exfiltration

23. 23
API-First Testing
• Critical to attack simulate
• Examine business processes and
create attack scenarios
• Exercise all object/user/action
combinations
Unauthorized trading
Account data harvesting
Excess data exposure
Account takeover
Account tampering
SEC reporting
Ransom
3rd party exposure

24. 24
APIsec University
• API Pen-Testing course
• www.apisecuniversity.com

25. 25
Monitoring
• Critical to monitor API traffic
• Uncover anomalies and active attacks
• Identify resource abuse – harvesting, scraping
• Detect fraudulent transactions
• Alert on brute force attacks
• Identify distributed attacks
• e.g., rotating IPs to make thousands of disparate requests look legitimate
• Monitoring is reactive
• Tools typically used in non-blocking mode
• Best practice is to test wherever possible

26. 26
API Discovery
• API Discovery is not a point-in-time activity
• Monitoring can help
• However, organizations should discover APIs from multiple sources:
• Gateway
• Code repository
• Traffic analysis
• Web Application Firewall
• Application testing, crawling
• Monitoring
• Reliance on traffic based-discovery misses:
• Unexercised endpoints
• East-West APIs – internal API traffic not seen by traffic analysis tool

27. 27
Educate and Empower
Developers

28. 28
28
Regulatory Compliance Competing Challenges
Privacy:
• Consumer data protection
• Breach notification requirements
• Massive penalties for violations
(GDPR: 4% of company revenue)
Accessibility:
• Global push to make data accessible
• Ensure interoperability among providers
• “Information Blocking” penalties
• Banking:
FFIEC, OCC, Open Banking, FDX
• Payment Card Industry: PCI
• Healthcare:
HIPAA/HITRUST/Interoperability
• Privacy: GDPR, CCPA, PIPEDA
• Federal: FedRAMP
• Standards, Frameworks:
NIST 800-53, ISO 27001, SOC 2

29. 29
APIsec University
• API Security Fundamentals
• www.apisecuniversity.com

30. 30
2023 OWASP API Security Top 10
API1 Broken Object Level
Authorization
API2 Broken Authentication
API3 Broken Object Property Level
Authorization
API4 Unrestricted Resource
Consumption
API5 Broken Function Level
Authorization
API6 Server-Side Request Forgery
API7 Security Misconfiguration
API8 Lack of Protection from
Automated Threats
API9 Improper Assets
Management
API10 Unsafe Consumption of APIs

31. 31
Network Endpoint Application Data
Web/Messaging Identity Detection Cloud
Firewall
NAC
Threat Protection
Deception
EDR
Anti Malware/Virus
Vulnerability
Management
SAST, DAST
SCA, Container Security
WAF
API Security
Encryption
DLP
Access Control
Email Gateway
Web Gateway
Authentication
PIM
Identity Governance
SIEM
SOAR
Incident Response
CASB
Infrastructure Security
Cybersecurity Landscape

32. 32
Application Security
• How apps are tested typically:
• Code scanning – looking for poor coding practices, hygiene
• Library analysis – looking for vulnerable 3rd party code
• Dynamic testing (DAST) – looks for common vulnerabilities
• 2 key issues with these solutions:
1. Don’t look at what’s actually exploitable
2. Don’t evaluate the most exploited aspect – business logic

33. 33
Develop Deploy Operate
Static Code Analysis
• Coding weaknesses
• Injection flaws
• Weak authentication
• Configuration issues
Software Composition
Analysis
• 3rd party vulnerabilities
• Licensing issues
• Outdated components
API Security Testing
• OWASP testing
• Business logic
• Authentication testing
• Authorization testing
• Attack simulation
API Gateway
• Authentication
• Authorization (limited)
• Rate limiting
• Traffic filtering
• Logging
API Monitor/Firewall
• Attack detection
• API discovery
• Anomaly detection
• Traffic blocking
Production
Pre-Production
Recommendations:
• Shift Left: find issues as early as possible
• Validate security controls in production
• Automate as much as possible

34. 34
Real World Examples

35. 35

36. 36

37. 37

38. 38
Best Practices

39. 39
Best Practices
1. Enforce API governance and establish central API control
• Gateway, marketplace platform
• No API goes live without passing gates (docs, testing, security)
2. Create comprehensive testing program
• Test every endpoint across all OWASP attack types and more
• Evaluate every data object, user type and function for logic flaws
• Leverage automation for comprehensive test coverage

40. 40
Best Practices
3. Implement automated, continuous testing
• Although APIs rarely change, code & infrastructure does
• Every release needs functional AND security testing
• Integrate testing into CI/CD pipeline
4. Develop API security metrics and assess progress
• Total APIs managed – new, existing, retired
• Vulnerabilities identified, outstanding, fixed

41. 41
Thank you!
Contact me: christine@apisecuniversity.com
API Pen-Test course: www.apisecuniversity.com
API Fundamentals course: COMING SOON