APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Time to Take the "F*^!" out of ShiFt Left
Christine Bevilacqua, API Security Evangelist at APIsec University
Slide 4
API Security Requires Shifting Left
• Explosive Growth – 83% of all internet traffic is from APIs
• Regulatory Compliance – regulations mandate privacy, vulnerability detection, testing
• Major Attack Target – 2022: APIs “most frequent attack vector”
• High Profile Breaches – high-profile API breaches announced weekly
Slide 5
Your API Security Problem isn’t Shrinking
• 93% of professional developers use APIs (that’s 21.9M developers using APIs in enterprise projects)
• 76% or 95% have experienced an API security incident in the past 12 months
• 34% lack any kind of API security strategy
• Of 117,000 cybersecurity incidents, API insecurity was responsible for annual losses of between $41-75 billion globally and $12-23 billion in the US.
Slide 6
Why Attackers Target APIs
Diagram: mobile app, web app and application clients calling the public API, microservices and internal APIs.
APIs:
• Direct access to sensitive data
• Often “over-permissioned”
• Vulnerable to logic flaws
Slide 11
The 3 Pillars of API Security
• Governance – developing secure APIs
• Testing – ensuring APIs are free of flaws
• Monitoring – detecting threats in production
Slide 12
Governance
• Goals:
  • Consistency
  • Setting expectations
• Awareness
  • Know your APIs
  • Know your data
  • Know your risks
• Policy
  • Engineering process
  • API documentation
  • Style guides
  • Enforcing security
  • Establishing standard processes
Slide 13
Know Your APIs
• Get a full inventory of APIs
  • Purpose, owner, documentation
• Standardize and enforce the API deployment process
  • Existence of “shadow/rogue” APIs is a sign of weak governance
  • APIs only deployed in approved ways, with proper validation
  • Enforce governance at the Gateway, Marketplace
• Mandate API Documentation
  • Make sure APIs are consistent and reusable
  • Define documentation requirements
• Create API Development standards
  • Style guides, authentication requirements, versioning, PII tracking
Slide 14
Know Your Risks (Threat Modeling)
• Identify: APIs, data, access paths -> potential threats
• Assess: vulnerabilities, logic flaws, access controls, 3rd party risk
• Probability: examine the likelihood of an attack
• Impact: understand the damage, loss, consequences of an attack
• Mitigation: develop a plan to address the risk
Slide 15
Style Guides: Promote Governance, Consistency
• Design Style and Specification – API type: REST, GraphQL
• Authentication and Authorization – how to implement (OAuth 2.0)
• Endpoint Naming – URIs as nouns, Methods as verbs, pluralization, hierarchy, lowercase, language, naming (no jargon), no abbreviations
• Error Codes – status codes, reference ID, human readable messages
• Versioning – when to increment, when not, types of versions
• Units, Formats, Standards – date/times
Slide 18
OpenAPI Specification (Swagger)
• De facto standard for API documentation
• Aids development and 3rd party integration
• Manually or auto-generated
• Used with REST APIs
• Machine-readable (YAML, JSON)
• Defines API capability (contract)
  • Title, description, version
  • Base-URL
  • Endpoints, paths
  • Parameters
  • Methods
  • Data types
  • Request, response payloads
  • Authentication requirements
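A governance gate of the kind slides 13 and 18 describe, as an added Python example (not code from the talk or from APIsec University): it lints an OpenAPI 3 document before release and fails any operation that lacks an authentication requirement, documentation, defined responses or typed parameters. The sample spec and the gate rules are constructed for illustration.

```python
from typing import Any

# Constructed sample OpenAPI 3 document (not from the talk): one documented,
# authenticated operation and one "rogue" operation that should fail the gate.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.2.0"},
    "components": {"securitySchemes": {"oauth": {"type": "oauth2", "flows": {}}}},
    "security": [{"oauth": []}],  # default: every operation requires OAuth 2.0
    "paths": {
        "/orders/{orderId}": {"get": {
            "summary": "Fetch one order",
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "responses": {"200": {"description": "OK"}, "404": {"description": "Not found"}},
        }},
        # Opts out of the global security requirement and is undocumented.
        "/admin/export": {"post": {"security": [], "responses": {}}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

def lint_openapi(spec: dict[str, Any]) -> list[str]:
    """Return governance findings; an empty list means the API may pass the gate."""
    findings: list[str] = []
    info = spec.get("info", {})
    for key in ("title", "version"):
        if not info.get(key):
            findings.append(f"info.{key} missing")
    if not spec.get("components", {}).get("securitySchemes"):
        findings.append("no securitySchemes defined")
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # An operation-level "security" overrides the global one; [] disables auth.
            security = op.get("security", global_security)
            if not security:
                findings.append(f"{where}: no authentication requirement")
            if not (op.get("summary") or op.get("description")):
                findings.append(f"{where}: undocumented (no summary/description)")
            if not op.get("responses"):
                findings.append(f"{where}: no responses defined")
            for p in op.get("parameters", []):
                if "schema" not in p:
                    findings.append(f"{where}: parameter {p.get('name')} has no schema")
    return findings
```

Run it as a CI step on every spec change and block the deploy when the list is non-empty.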
Slide 20
Testing
• Where do you want to find API vulnerabilities?
  • Pre-production
  • Production
• “Standard playbook” test categories offer limited value
  • Cross-site scripting, injection, buffer overflow
  • Important to run these tests to avoid bot-based attacks
  • API breaches rarely exploit these
• Major breaches typically business logic flaws
Slide 25
Monitoring
• Critical to monitor API traffic
  • Uncover anomalies and active attacks
  • Identify resource abuse – harvesting, scraping
  • Detect fraudulent transactions
  • Alert on brute force attacks
  • Identify distributed attacks
    • e.g., rotating IPs to make thousands of disparate requests look legitimate
• Monitoring is reactive
  • Tools typically used in non-blocking mode
  • Best practice is to test wherever possible
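An added example (not from the talk) of the distributed-attack case on this slide: aggregating access-log lines by client identity rather than by source IP exposes an object-ID harvesting run and a login brute force that each rotate through many addresses, which a per-IP threshold never sees. The log format, client IDs, IP ranges and thresholds are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the talk), one per request, in the format
# "<ip> <client_id> <method> <path> <status>". client-A walks /users/{id} from 30
# different IPs with one request each, so a per-IP rate threshold stays quiet.
LOG_LINES = [f"203.0.113.{i} client-A GET /users/{1000 + i} 200" for i in range(30)]
LOG_LINES += [
    "198.51.100.7 client-B GET /users/42 200",
    "198.51.100.7 client-B GET /users/42/orders 200",
] + [f"198.51.100.{20 + i} client-C POST /login 401" for i in range(8)]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")  # numeric path segment = object ID

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed lines are skipped by the detectors
    ip, client, method, path, status = m.groups()
    return {"ip": ip, "client": client, "method": method, "path": path, "status": int(status)}

def detect_enumeration(lines, min_ids=20, min_ips=5):
    """Flag a client that fetches many distinct object IDs on one route, whatever the IPs."""
    ids, ips, per_ip = defaultdict(set), defaultdict(set), defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec["ip"]] += 1
        route = ID_SEGMENT.sub("/{id}", rec["path"])  # /users/1001 -> /users/{id}
        key = (rec["client"], rec["method"], route)
        ids[key].add(rec["path"])
        ips[key].add(rec["ip"])
    alerts = []
    for key, seen in ids.items():
        if len(seen) < min_ids:
            continue
        client, method, route = key
        alerts.append({"client": client, "route": f"{method} {route}",
                       "distinct_ids": len(seen), "source_ips": len(ips[key]),
                       "distributed": len(ips[key]) >= min_ips,
                       "max_requests_per_ip": max(per_ip[ip] for ip in ips[key])})
    return alerts

def detect_brute_force(lines, min_failures=5):
    """Flag a client accumulating login failures, however many IPs it rotates through."""
    failures, ips = defaultdict(int), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["path"] == "/login" and rec["status"] == 401:
            failures[rec["client"]] += 1
            ips[rec["client"]].add(rec["ip"])
    return [{"client": c, "failures": n, "source_ips": len(ips[c])}
            for c, n in failures.items() if n >= min_failures]
```

In a real deployment the identity key would be the API key, OAuth client or account rather than a log field, and the thresholds would be tuned per route.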
Slide 26
API Discovery
• API Discovery is not a point-in-time activity
• Monitoring can help
• However, organizations should discover APIs from multiple sources:
  • Gateway
  • Code repository
  • Traffic analysis
  • Web Application Firewall
  • Application testing, crawling
  • Monitoring
• Reliance on traffic-based discovery misses:
  • Unexercised endpoints
  • East-West APIs – internal API traffic not seen by the traffic analysis tool
Slide 30
2023 OWASP API Security Top 10
API1 Broken Object Level Authorization
API2 Broken Authentication
API3 Broken Object Property Level Authorization
API4 Unrestricted Resource Consumption
API5 Broken Function Level Authorization
API6 Server-Side Request Forgery
API7 Security Misconfiguration
API8 Lack of Protection from Automated Threats
API9 Improper Assets Management
API10 Unsafe Consumption of APIs
31. 31
Network Endpoint Application Data
Web/Messaging Identity Detection Cloud
Firewall
NAC
Threat Protection
Deception
EDR
Anti Malware/Virus
Vulnerability
Management
SAST, DAST
SCA, Container Security
WAF
API Security
Encryption
DLP
Access Control
Email Gateway
Web Gateway
Authentication
PIM
Identity Governance
SIEM
SOAR
Incident Response
CASB
Infrastructure Security
Cybersecurity Landscape
Slide 32
Application Security
• How apps are tested typically:
• Code scanning – looking for poor coding practices, hygiene
• Library analysis – looking for vulnerable 3rd party code
• Dynamic testing (DAST) – looks for common vulnerabilities
• 2 key issues with these solutions:
1. Don’t look at what’s actually exploitable
2. Don’t evaluate the most exploited aspect – business logic
Slide 33
Develop – Deploy – Operate
Pre-Production:
• Static Code Analysis – coding weaknesses, injection flaws, weak authentication, configuration issues
• Software Composition Analysis – 3rd party vulnerabilities, licensing issues, outdated components
• API Security Testing – OWASP testing, business logic, authentication testing, authorization testing, attack simulation
Production:
• API Gateway – authentication, authorization (limited), rate limiting, traffic filtering, logging
• API Monitor/Firewall – attack detection, API discovery, anomaly detection, traffic blocking
Recommendations:
• Shift Left: find issues as early as possible
• Validate security controls in production
• Automate as much as possible
Slide 39
Best Practices
1. Enforce API governance and establish central API control
• Gateway, marketplace platform
• No API goes live without passing gates (docs, testing, security)
2. Create comprehensive testing program
• Test every endpoint across all OWASP attack types and more
• Evaluate every data object, user type and function for logic flaws
• Leverage automation for comprehensive test coverage
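A logic-flaw test of the kind slides 20, 32 and 39 call for, written here as an added Python example rather than code from the talk: an in-process stand-in for an orders endpoint, once without and once with the object-level ownership check, and a test that requests every data object from every other user type and reports what was wrongly served. The handlers, tokens and order data are constructed; against a real API the handler would be an HTTP call.

```python
from itertools import permutations

# Constructed in-process stand-in for GET /orders/{id} (not the talk's code). The test
# drives it exactly as it would drive a deployed endpoint over HTTP.
ORDERS = {101: {"owner": "alice", "total": 40}, 202: {"owner": "bob", "total": 99}}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

def get_order_vulnerable(token, order_id):
    """Authenticates the caller but never checks ownership: API1, Broken Object Level
    Authorization. A scanner looking for injection or XSS reports nothing here."""
    if token not in TOKENS:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)

def get_order_fixed(token, order_id):
    """Same endpoint with the object-level check; a foreign ID looks like a missing one."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order

def bola_findings(handler, owned):
    """owned maps each token to the object IDs it legitimately owns. Every token tries
    every other token's objects; return the (token, order_id) pairs the handler served."""
    leaks = []
    for attacker, victim in permutations(owned, 2):
        for order_id in owned[victim]:
            status, _ = handler(attacker, order_id)
            if status == 200:
                leaks.append((attacker, order_id))
    # Functional sanity check: the control must not lock users out of their own objects.
    for token, ids in owned.items():
        for order_id in ids:
            assert handler(token, order_id)[0] == 200, f"{token} lost access to {order_id}"
    return leaks

OWNED = {"tok-alice": [101], "tok-bob": [202]}
```

Generating the (token, object) matrix from the API inventory and running it on every release is what "test every endpoint, every data object, every user type" means in practice.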
Slide 40
Best Practices
3. Implement automated, continuous testing
• Although APIs rarely change, code & infrastructure do
• Every release needs functional AND security testing
• Integrate testing into CI/CD pipeline
4. Develop API security metrics and assess progress
• Total APIs managed – new, existing, retired
• Vulnerabilities identified, outstanding, fixed
Slide 41
Thank you!
Contact me: christine@apisecuniversity.com
API Pen-Test course: www.apisecuniversity.com
API Fundamentals course: COMING SOON