APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon Wilkinson

•

0 likes•36 views

APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 I KNOW WHAT YOU(r APIs) DID LAST SUMMER – Understanding and Identifying Threats Against APIs Shannon Wilkinson, Cybersecurity Founder | Women in Technology & STEM Advocate | Keynote Speaker | Board Member & Advisor

Internet

I Know What
You(r APIs) Did
Last Summer
Shannon Wilkinson
CEO, Tego Cyber Inc

• DDoS
• Injection Attacks
• Authentication Attacks
• Cross-Site Scripting (XSS)
• Parameter Tampering
• Man in the Middle (MiTM)
• Credential Stuffing
• Application Abuse
• Server-Side Request Forgery (SSRF)

Top 10 2023RC
• Broken Level Authorization
• Broken Authentication
• Broken Object Property Level Authorization
• Unrestricted Resource Consumption
• Broken Function Level Authorization
• Server Side Request Forgery
• Security Misconfiguration
• Lack of Protection from Automated Threats
• Improper Asset Management
• Unsafe Consumption of APIs
Top 10 2019
• Broken Level Authorization
• Broken User Authentication
• Excessive Data Exposure
• Lack of Resource & Rate Limiting
• Broken Function Level Authorization
• Mass Assignment
• Security Misconfiguration
• Injection
• Improper Asset Management
• Insufficient Logging & Monitoring

Where Do API
Threats Come
From?
• Bad Coding – QA, we don’t need
no stinking QA!
• Poor Validation – Do you validate
your SSL certs to protect
traffic/data?
• Poor Authentication – Do you
require authentication?
• Automated Threats
• BOTSSSSSSSSSSSSSSSSSS!
• API Utilization – How much data
should be going out?

Where Are Your
APIs?
• How can you protect what you
don’t know?
• You need to or you need
someone to perform a thorough
analysis of what APIs you have in
your environment.
• It’s not a One-And-Done
assessment, you need
continuous validation/testing

• Data Flow
• What is the normal flow of data?
• User Behavior
• Who/where/when/how?
• Expected Level of Errors
• KYAPIs – Know Your APIs
• What data is exposed?
• Are the endpoints secured?
• Do we have SSL and no HTTP redirects?

That’s Not Normal -
Anomaly Detection
• Unusual Traffic
• Increased Traffic
• Unexpected API Calls
• Vulnerability Scanning
• 404/500 Errors
• Unusual User Behavior
• Extraordinary Traveler
• Repeated Failed Attempts

API Specific Rules
• Excessive API Calls
• Exceed Rate Limits
• You Do Rate Limit, Right?
Right?
• Unusual User/Data Behavior
• Schema Validation
• Add to Cart & Buy in Less
than X Timeframe (Bots!)
• Configuration Changes
• Suspicious Payloads/File
Transfer
• Scan with AV/EDR

• Developers
• Code Reviews
• Code Repository Reviews
• Code Vulnerability Scanning
• Documentation of API Endpoints
• SBOM (Software Bill of
Materials)
• Unmanaged APIs
• Vulnerable APIs (Log4j anyone?)
• What do 3rd Party APIs have access to?
• Protecting
Credentials/Authentication
• Public vs Private APIs

• Security Team / Audit & Compliance
• Policies & Procedures
• Assessments
• Attack Surface Management Tools
• AV/EDR on Endpoints/Servers
• WAFs
• Security Operations Center (SOC)
• Ingestion of API Security Logs
• Monitoring of API Activity through
SIEM/Data Lake

Nope, Not On My Watch!
• Monitoring
• OWASP Top API 10 – Insufficient Logging & Monitoring
• 200+ Days to Detect
• Detection by 3rd Party (Ouch, Embarrassing!)
• SIEM/Data Lake Platforms
• Comprehensive View – Attack Surface, WAFs, Endpoints
• Threat Intelligence / Correlation Tools

…If You
Enjoyed the
Presentation
Shannon Wilkinson – CEO – Tego Cyber Inc
https://tegocyber.com
shannon.wilkinson@tegocyber.com

Similar to APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon Wilkinson

Speech of Dmytro Shapovalov, Infrastructure Engineer at Cossack Labs, at Ruby Meditation #25 Kyiv 08.12.2018 Next conference - http://www.rubymeditation.com/ Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. We will talk about typical data security problems in web apps and how to implement encryption properly. We will review cryptographic approaches and exact tools that ensure that no sensitive data leaks from the application or database. Announcements and conference materials https://www.fb.me/RubyMeditation News https://twitter.com/RubyMeditation Photos https://www.instagram.com/RubyMeditation The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation

Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...

Ruby Meditation

Injecting simplicity not SQL RSA Europe 2010

Security Ninja

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Alexandre Morgaut

Checkmarx meetup API Security - Solving security at scale - Ante Gulam

Adar Weidman

API's are everywhere now. SOA, IoT, Mobile, and Thick clients all heavily rely on web services and API's. This talk will present a primer on how to assess these services/interfaces for developers and testers alike. The introduction will include topics such as API identification, common implementations and frameworks. The bulk of the talk will focus on a assessment checklist that anyone can use to test these technologies for security flaws covering topics such as: Authentication Verbose-ness Hidden Functions Lack of Access Control Transport Security Tampering/Trust Injection

The API Primer (OWASP AppSec Europe, May 2015)

Greg Patton

The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack. This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security. How to Test for the OWASP Top Ten webcast focuses on tell tale markers of the OWASP Top Ten and techniques to hunt them down: • Vulnerability anatomy – how they present themselves • Analysis of vulnerability root cause and protection schemas • Test procedures to validate susceptibility (or not) for each threat

How to Test for The OWASP Top Ten

Security Innovation

What keeps IT managers awake at night? Worrying whether their website is protected against security vulnerabilities and exploits. In this presentation, Ash Prasad, Director of Engineering at DNN, gives IT managers suggestions on how to secure their .NET websites. Ash shares the tools and techniques he employs to harden the security of websites. If you’re managing .NET websites, this presentation will arm you with tips you can apply right away.

How to Harden the Security of Your .NET Website

DNN

Security audit

Nicholas Davis

Security Audit

Nicholas Davis

The OWASP Zed Attack Proxy

Aditya Gupta

Octogence Profile

Octogence

Web security and OWASP

Isuru Samaraweera

Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends. It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation. It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to . It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.

Spa Secure Coding Guide

Geoffrey Vandiest

Enhancing your Security APIs

Apigee | Google Cloud

Security testing presentation

Confiz

You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/PsuV50A5bSh You have SQL Server sprawl throughout your organization. There are SQL Servers installed on servers in all of your environments, some of which you may not even be aware of. IT personnel and developers also have SQL Servers installed; even if they are approved, there’s no guarantee of a minimal configuration. How do you get your arms around this situation? Join IDERA and K. Brian Kelley on Wednesday, July 26 at 11 AM CT as he looks at the various ways to detect SQL Server in your environment. He will take the next step to document what he finds, noting what’s approved and what’s not. Brian will also explore the various means to disable and uninstall unapproved SQL Servers. Finally, he will look at how you can configure existing, approved SQL Servers to a minimum standard. At each step of the way Brian will explain how to automate these tasks to reduce the amount of manual work required. This is a Geek Sync you will not want to miss!

Geek Sync | Taking Control of Your Organization’s SQL Server Sprawl

IDERA Software

API security issues keep surfacing at big-name organizations. Data leaks, reputation is damaged, service is disrupted. APIs are innovation enablers but also have a downside: the sensitive data that flows through them make them prime target for hackers. Why is API security so hard? Francois ‘s presentation will explain how traditional API security is not bullet-proof, review recent API vulnerability examples, and discuss the role of AI and implicit security in detecting and stopping exploits of these specific vulnerabilities.

Hacker vs AI

Nordic APIs

API IN(SECURITY)

OWASP Khartoum

Web application security & Testing

Deepu S Nath

Make your Azure PaaS Deployment More Safe

Thuan Ng

Similar to APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon Wilkinson (20)

Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...

Injecting simplicity not SQL RSA Europe 2010

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Checkmarx meetup API Security - Solving security at scale - Ante Gulam

The API Primer (OWASP AppSec Europe, May 2015)

How to Test for The OWASP Top Ten

How to Harden the Security of Your .NET Website

Security audit

Security Audit

The OWASP Zed Attack Proxy

Octogence Profile

Web security and OWASP

Spa Secure Coding Guide

Enhancing your Security APIs

Security testing presentation

Geek Sync | Taking Control of Your Organization’s SQL Server Sprawl

Hacker vs AI

API IN(SECURITY)

Web application security & Testing

Make your Azure PaaS Deployment More Safe

More from apidays

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

The secrets to Graph success, from inception to general availability Leah Hurwich Adler, Associate Director | Technical Strategist | Team Leader | Culture Builder | Skilled Communicator Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...

apidays

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

API Discovery - From Crawl to Run Rob Dickinson, VP of Engineering - Graylog Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...

apidays

Building with the Planet in Mind: Accelerating Green Software Delivery using SustainAgility Sandeep Joshi, Managing Director - Massivue Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...

apidays

Connecting Cross Border Commerce with Payments Gundeep Singh Malik, Product Head for Treasury Services & Payments, Singapore & ASEAN - JPMorgan Chase & Co. Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...

apidays

Privacy Enhancing Technologies for AI Mark Choo, Head, Federated Learning - AI Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...

apidays

Blending AI and IoT for Smarter Health Matthew Chua, Assistant Professor, Biomedical Informatives - National University of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...

apidays

OpenTelemetry for API Monitoring Danielle Kayumbi, Software Engineer - Capgemini Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...

apidays

Connecting Product and Engineering Teams with Testing API Tatiana Shepeleva, Staff QA Engineer - StashAway Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...

apidays

The Growing Carbon Footprint of Digitalization and How to Control it Faiz Mulla, Sustainability Software Technical Product Leader - IBM Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...

apidays

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

API Monitoring x SRE (Site Reliability Engineering) Ryan Ashneil, Software Engineer - Government Technology Agency of Singapore Eugene Wong, Senior DevOps Engineer - Government Technology Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...

apidays

A nuanced approach on AI costs and benefits for the environment Joanna Reijgersberg-Siew, Senior Director, Data & AI - Avanade Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...

apidays

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

How APIs drive business at BNP Paribas Quy-Doan Do, APAC Head of Data Services (Client Lines) and APAC Head of Digital Transformation and Innovation - BNP Paribas' Securities Services Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...

apidays

More from apidays (20)