API Security Risk Management with Bug Bounties
Lea Viljanen, ladybug@hackr.fi
5.6.2019
https://www.linkedin.com/company/hackrfi
@hackrfi
APIS, BUSINESS AND RISKS
© Hackrfi Oy 2018 - Public 5.6.2019
Getting the business value
• To get the business benefits, you need to expose your APIs
  o …to internal parties
  o …to external partners
  o …to the general public
• Exposure brings risks!
Some key API risks
• Fraudulent transactions
  o Loss of resources/reputation
• Leaks of personally identifiable information (PII)
  o Can lead to monetary sanctions under the EU GDPR
• Denial of Service attacks
  o May have a direct impact on revenue
Risks vs benefits
• Modern security is all about saying YES and managing the risk.
• What tools do we have to get API risks to an acceptable level?
SOLUTIONS
The traditional M&M method: perimeter protection
• Firewalls
• DMZs
• VPNs
But what if we need co-operation with a changing number of API consumers in the ecosystem?
Defence in depth
• Perimeter protection
• Endpoint protection
• Software & API controls
• Processes
  o Not just to prevent, but also to detect!
Multiple layers of security (people/processes, software, hardware, data).
The perimeter can be more open because of the other controls; this allows for co-operation and ecosystem memberships.
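The slides list "Software & API controls" and "not just prevent, but detect" as layers, and earlier name Denial of Service and credential abuse as API risks. The following is an added example (not code from the slides or from Hackrfi) of what one such layer looks like in practice: an API front that authenticates clients by API key, rate-limits each client with a token bucket, and records every decision as a detection event so that repeated authentication failures from one source can be flagged. The client names, API keys, IP addresses and request shapes are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Per-client token bucket: up to `capacity` requests in a burst,
    refilled continuously at `refill_per_sec` tokens per second."""
    capacity: int
    refill_per_sec: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    """Prevention (auth + rate limit) and detection (event log) in one control layer."""

    def __init__(self, api_keys: dict, capacity: int = 5, refill_per_sec: float = 1.0):
        self.api_keys = dict(api_keys)      # constructed mapping: API key -> client id
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict = {}
        self.events: list = []              # detection log, one dict per decision

    def _log(self, kind: str, request: dict, now: float, client) -> None:
        self.events.append({"t": now, "kind": kind, "client": client,
                            "src_ip": request.get("src_ip"), "path": request.get("path")})

    def handle(self, request: dict, now: float):
        """Return (HTTP status, body). `now` is injected so the example is deterministic."""
        client = self.api_keys.get(request.get("headers", {}).get("X-API-Key"))
        if client is None:
            self._log("auth_failure", request, now, None)
            return 401, {"error": "unauthorized"}
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(
                self.capacity, self.refill_per_sec, float(self.capacity), now)
        if not bucket.allow(now):
            self._log("rate_limited", request, now, client)   # DoS pressure is visible, not silent
            return 429, {"error": "too many requests"}
        self._log("ok", request, now, client)
        return 200, {"client": client, "path": request["path"]}

    def suspicious_sources(self, window_sec: float, threshold: int) -> list:
        """Detection rule: source IPs with >= `threshold` auth failures in any sliding window."""
        failures = defaultdict(list)
        for e in self.events:
            if e["kind"] == "auth_failure":
                failures[e["src_ip"]].append(e["t"])
        flagged = set()
        for ip, times in failures.items():
            times.sort()
            start = 0
            for end in range(len(times)):
                while times[end] - times[start] > window_sec:
                    start += 1
                if end - start + 1 >= threshold:
                    flagged.add(ip)
                    break
        return sorted(flagged)


def demo():
    """Constructed traffic: one legitimate partner bursting past its limit,
    and one unknown source guessing API keys."""
    gw = ApiGateway({"key-partner-a": "partner-a"}, capacity=3, refill_per_sec=1.0)
    good = {"src_ip": "198.51.100.10", "path": "/v1/orders",
            "headers": {"X-API-Key": "key-partner-a"}}
    bad = {"src_ip": "203.0.113.7", "path": "/v1/orders",
           "headers": {"X-API-Key": "guess-1"}}
    statuses = [gw.handle(good, now=100.0)[0] for _ in range(4)]   # burst of 4 at t=100
    statuses.append(gw.handle(good, now=101.0)[0])                  # one token refilled
    for i in range(5):
        gw.handle(bad, now=100.0 + i * 0.1)                         # key guessing
    return statuses, gw.suspicious_sources(window_sec=5.0, threshold=5)


if __name__ == "__main__":
    print(demo())
```

The point of the example is the pairing: the 429 and 401 responses are the preventive control, and the event log plus `suspicious_sources` is the detective one that lets the intrusion-detection and incident-management processes on the next slide actually see what the control blocked.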
Key processes for API security
• Secure coding
• Vulnerability management
• Audit management
• Intrusion detection
• Incident management
(Image: unknown author, licensed CC BY-SA)
AGILE VULNERABILITY DISCOVERY
How to discover vulnerabilities?
• Incidents … oops!
• Error reports from staff, users, API consumers, third parties
• Security audits and reviews
• … and bug bounties!
Bug bounty program – what?
• An organisation pays security researchers (i.e. hackers) if they report a vulnerability in a responsible manner.
• The target can be anything from the whole infrastructure to a platform to a single app and its API.
• The payment sum can vary, typically from hundreds to thousands.
Key benefits
• A bug bounty encourages hackers to report issues before criminals take advantage of them
• Cost effective: only real vulnerabilities get bounties
• Public programs increase third-party trust in your services
• Much more agile than traditional audits
Audits vs bug bounties

Traditional audits:
• Limited by time (work days)
• Limited by money (pre-approved budget)
• Limited by the expertise of the couple of people doing the testing
• Give results at one point in time

Bug bounty:
• Hackers don't count hours
• Hackers are paid only if they find results
• Community hackers have variable expertise
• Can be run continuously
Bug bounty cons
• Your processes need to be mature to handle incoming reports
  o Bad reputation for being a black hole or for not paying
• Setting up the program and communicating with hackers takes resources
• Works best with public targets
Different types of programs
• Private, open: not disclosed in public, need-to-know only
• Private, closed: not disclosed in public; invited participants only
• Public, open: publicly visible; anyone can join and submit reports
• Public, closed: publicly visible; participants are selected, by invitation only or by application
How to go about it?
1. Decide: target, rules, payment structure, type of program
2. Publish it
3. Receive reports: contact point, triage, evaluate, acceptance
4. Decide the bounty amount, communicate, pay
5. Remediate: prioritize, assess risk vs time & cost to fix, communicate

THANK YOU!
https://www.linkedin.com/company/hackrfi
ladybug@hackr.fi
@leaviljanen

APIdays Helsinki 2019 - API Security Risk Management with Bug Bounties with Lea Viljanen, Hackrfi