From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush | Principal Solutions Engineer, API Security
Traditional vs Modern Apps
Traditional: GET /dashboard.aspx -> the server fetches messages/notifications/news and returns an HTML view
Modern: GET /api/v2/messages, GET /api/v2/notifications, GET /api/v2/news -> the User Service fetches messages/notifications/news and returns RAW data
APIs are Oversharing
(image credit: NYTimes)
See the full report, which sheds more light on API attack trends and remedies: akamai.com/lp/soti/lurking-in-the-shadows
API Attacks By Vertical - 2023 [chart]
API Focussed Attacks By Region - 2023 [chart]
"We’re making all the same mistakes with API security that we made with web security 20 years ago."
Chris Eng - Chief Research Officer - Veracode
Source: Akamai State of the Internet (SOTI) API - The Attack Surface that Connects Us All.
API Common Attack Vectors: DDoS, Injection, Logic Abuse
DDoS Attacks - Global [chart]
Availability helps create Trust
https://xkcd.com/932
Daily Web Application Attacks (millions) [chart]
Loyalty Program Fraud (Travel | Airlines | Ecommerce)
One Device -> Loyalty Account 1, Loyalty Account 2, Loyalty Account 3, Loyalty Account 4, Loyalty Account 5, Loyalty Account 6
(1) See this behaviour in your APIs
(2) Investigate these accounts for fraud
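The loyalty-fraud slide describes a single device operating many loyalty accounts. The script below is an added example (not part of the deck or any Akamai product) of the detection logic behind step (1): group API requests by calling device, and flag any device that touches more than a small number of distinct loyalty accounts inside a sliding time window. The JSON log lines, device and account identifiers, paths and thresholds are all constructed for the example.

```python
"""Loyalty-fraud signal: one device driving many loyalty accounts (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of API access records (not real traffic). Each line is
# one request to a hypothetical loyalty API, keyed by the calling device and
# the loyalty account it operated on.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","device":"dev-A","account":"LA-1","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T10:00:45Z","device":"dev-A","account":"LA-2","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T10:01:30Z","device":"dev-A","account":"LA-3","path":"/api/v2/loyalty/redeem"}
{"ts":"2024-05-01T10:02:10Z","device":"dev-A","account":"LA-4","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T10:03:02Z","device":"dev-A","account":"LA-5","path":"/api/v2/loyalty/redeem"}
{"ts":"2024-05-01T10:03:50Z","device":"dev-A","account":"LA-6","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T10:05:00Z","device":"dev-B","account":"LA-7","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T11:20:00Z","device":"dev-B","account":"LA-7","path":"/api/v2/loyalty/redeem"}
{"ts":"2024-05-01T10:06:00Z","device":"dev-C","account":"LA-8","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T10:06:30Z","device":"dev-C","account":"LA-9","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T08:00:00Z","device":"dev-D","account":"LA-10","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T12:00:00Z","device":"dev-D","account":"LA-11","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T16:00:00Z","device":"dev-D","account":"LA-12","path":"/api/v2/loyalty/balance"}
{"ts":"2024-05-01T20:00:00Z","device":"dev-D","account":"LA-13","path":"/api/v2/loyalty/balance"}
"""


def parse(log_text):
    """Yield one dict per JSON line, with ts converted to a datetime."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def device_fanout(records, window_hours=1.0, max_accounts=3):
    """Flag devices that touch more than max_accounts distinct loyalty
    accounts inside any sliding window of window_hours.

    Returns {device_id: sorted list of every account that device touched},
    i.e. the accounts to hand to the fraud team for investigation.
    """
    window = timedelta(hours=window_hours)
    by_device = defaultdict(list)
    for rec in records:
        by_device[rec["device"]].append((rec["ts"], rec["account"]))

    flagged = {}
    for device, events in by_device.items():
        events.sort()                       # oldest first
        lo = 0
        for hi in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            in_window = {acct for _, acct in events[lo:hi + 1]}
            if len(in_window) > max_accounts:
                flagged[device] = sorted({acct for _, acct in events})
                break
    return flagged


if __name__ == "__main__":
    for device, accounts in device_fanout(parse(SAMPLE_LOG)).items():
        print(f"{device}: investigate {len(accounts)} accounts -> {', '.join(accounts)}")
```

With the defaults only dev-A is flagged (six accounts in under four minutes); dev-D spreads four accounts over a day and only trips the rule when the window is widened to 24 hours. Shared household devices and travel agents legitimately touch several accounts, so the output is a list to investigate, as the slide says, not a list to block.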
Case Study - Ride Sharing Company
(1) POST /addDriver -> error message containing a UUID
(2) POST /getConsentScreenDetails -> response containing PII and an access token
Ride Sharing Company: Account Takeover, by chaining (1) and (2)
Ride Sharing Company: Excessive Data Exposure (API3:2023 — Broken Object Property Level Authorization): the APIs exposed much more data than required to operate.
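The two case-study slides above give only the endpoint names and what leaked. The code below is an added example (not the ride-sharing company's code, nor Akamai's) that models the two steps and sets the oversharing handlers beside hardened ones: an `/addDriver` duplicate-registration error that echoes an internal UUID versus one that returns an opaque reference, and a `/getConsentScreenDetails` handler that serialises the whole driver record versus one built from an allowlist of properties. The `DriverRecord` schema, the stored driver, and the idea that the error was a duplicate-registration conflict are assumptions made for the example.

```python
"""Oversharing responses vs allowlisted responses (added example)."""
from dataclasses import dataclass, asdict
import secrets


@dataclass
class DriverRecord:
    """Everything the service stores about a driver (assumed schema)."""
    driver_id: str          # internal UUID
    display_name: str
    email: str
    phone: str
    licence_number: str
    access_token: str       # bearer token for the driver's session
    consent_version: int


# Hypothetical store keyed by e-mail, standing in for the real database.
DRIVERS = {
    "ann@example.com": DriverRecord(
        driver_id="5b1d0e3a-7f9a-4c2e-9a1b-2d5f6e7c8a90",
        display_name="Ann", email="ann@example.com", phone="+358401234567",
        licence_number="FI-123456", access_token="eyJ.example.token",
        consent_version=3),
}


# --- step (1): /addDriver ---------------------------------------------------

def add_driver_leaky(email):
    """Anti-pattern: a duplicate registration echoes the existing record's
    internal UUID in the error body, handing the caller an identifier it
    should never have learnt."""
    if email in DRIVERS:
        return 409, {"error": f"driver already exists: {DRIVERS[email].driver_id}"}
    return 201, {"status": "created"}


def add_driver_hardened(email, log):
    """Generic client-facing error; the detail goes to the server log under
    an opaque correlation id that is useless to an attacker."""
    if email in DRIVERS:
        corr = secrets.token_hex(8)
        log.append(f"{corr} duplicate addDriver for driver_id={DRIVERS[email].driver_id}")
        return 409, {"error": "registration could not be completed", "ref": corr}
    return 201, {"status": "created"}


# --- step (2): /getConsentScreenDetails -------------------------------------

def _find(driver_id):
    return next((r for r in DRIVERS.values() if r.driver_id == driver_id), None)


def consent_screen_oversharing(driver_id):
    """Anti-pattern (API3:2023): serialise the whole internal record, so a
    caller who only needs to render a consent screen also receives PII and
    a live access token."""
    rec = _find(driver_id)
    return asdict(rec) if rec else None


CONSENT_FIELDS = ("display_name", "consent_version")   # what the screen needs


def consent_screen_allowlisted(driver_id):
    """Build the response from an explicit allowlist of properties; fields
    added to DriverRecord later stay private by default."""
    rec = _find(driver_id)
    return {k: getattr(rec, k) for k in CONSENT_FIELDS} if rec else None


def leaked_properties(response, record):
    """Review helper: which stored properties does a response expose that
    the allowlist does not permit?"""
    return sorted(k for k in asdict(record) if k in response and k not in CONSENT_FIELDS)


if __name__ == "__main__":
    status, body = add_driver_leaky("ann@example.com")
    leaked_id = body["error"].rsplit(": ", 1)[1]
    print("step 1 leaked:", leaked_id)
    print("step 2 exposes:", leaked_properties(consent_screen_oversharing(leaked_id),
                                               DRIVERS["ann@example.com"]))
    print("allowlisted response:", consent_screen_allowlisted(leaked_id))
```

The allowlist fixes the property-level problem only; step (2) in the case study also lacks a check that the caller is entitled to that driver's record at all, which is the object-level (BOLA) issue the next slides cover and needs its own authorization check in the handler.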
Ride Sharing Company: BOLA (API1:2023 — Broken Object Level Authorization): users can access resources that are not owned by them.
BOLA Detection - Relationship Violation
Learn which users legitimately operate on which accounts (diagram nodes: UserID 1337, UserID 430, UserID 777; Account 7331, Account 835, Account 908); a violation of those relationships => BOLA
© 2022 Akamai
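The slide states the detection idea (learn user-to-account relationships, alert on a request that violates them) without showing the mechanics. The code below is an added example, not Akamai's detection logic, that learns the relationships from a baseline of request logs and scores live traffic against them. The user and account numbers are the ones on the slide; which user owns which account, the `/api/v2/accounts/<id>` path layout and the log lines themselves are constructed for the example.

```python
"""BOLA detection by relationship violation (added example)."""
import json
import re
from collections import defaultdict

# Account identifiers appear as a path segment: /api/v2/accounts/<id>/...
ACCOUNT_RE = re.compile(r"^/api/v2/accounts/(?P<account>\d+)(?:/|$)")

# Constructed baseline traffic: each authenticated user operating only on its
# own account. Which user owns which account is an assumption for the example.
BASELINE_LOG = """\
{"user":"1337","method":"GET","path":"/api/v2/accounts/7331","status":200}
{"user":"1337","method":"GET","path":"/api/v2/accounts/7331/trips","status":200}
{"user":"430","method":"GET","path":"/api/v2/accounts/835","status":200}
{"user":"430","method":"PATCH","path":"/api/v2/accounts/835","status":200}
{"user":"777","method":"GET","path":"/api/v2/accounts/908","status":200}
{"user":"777","method":"GET","path":"/api/v2/news","status":200}
"""

# Constructed live traffic to score against the learnt relationships.
LIVE_LOG = """\
{"user":"1337","method":"GET","path":"/api/v2/accounts/7331","status":200}
{"user":"1337","method":"GET","path":"/api/v2/accounts/835/trips","status":200}
{"user":"430","method":"GET","path":"/api/v2/accounts/908","status":403}
{"user":"777","method":"GET","path":"/api/v2/accounts/908?page=2","status":200}
{"user":"777","method":"GET","path":"/api/v2/news","status":200}
"""


def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def account_in(path):
    """Account id named by the path, or None for paths without one."""
    m = ACCOUNT_RE.match(path.split("?", 1)[0])
    return m.group("account") if m else None


def learn_relationships(records):
    """user -> set of accounts that user successfully operated on during a
    period believed clean. Only 2xx responses count: a 403 says the API
    refused the pairing, so it is not evidence of ownership."""
    rel = defaultdict(set)
    for r in records:
        acct = account_in(r["path"])
        if acct and 200 <= r["status"] < 300:
            rel[r["user"]].add(acct)
    return dict(rel)


def detect_violations(relationships, records):
    """Every request whose (user, account) pair is outside the learnt
    relationships. A 2xx violation is a confirmed BOLA (data went out);
    a 4xx violation is an attempt the API blocked, still worth an alert."""
    hits = []
    for r in records:
        acct = account_in(r["path"])
        if acct is None:
            continue
        if acct not in relationships.get(r["user"], set()):
            hits.append({
                "user": r["user"], "account": acct, "path": r["path"],
                "outcome": "confirmed" if 200 <= r["status"] < 300 else "blocked",
            })
    return hits


if __name__ == "__main__":
    rel = learn_relationships(parse(BASELINE_LOG))
    for hit in detect_violations(rel, parse(LIVE_LOG)):
        print(f"[{hit['outcome']}] user {hit['user']} -> account {hit['account']} via {hit['path']}")
```

Two caveats a practitioner would add: learning from traffic bakes in whatever happened during the baseline window, so seed the relationships from the authoritative ownership table where one exists and treat learnt pairs as supplementary; and roles that legitimately span accounts (support staff, fleet managers) need to be modelled explicitly or they will dominate the alert queue.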
OWASP API Top 10
Goal Is Quality Code In Production
Pipeline: Write Code -> Commit Code -> Build -> Test Code -> Deploy -> Maintain
Along the pipeline: Detect ALL APIs (Zombie / Shadow); Classify ALL Exposed Data; Detect Common Security & Posture Issues; Triage Critical Issues; Feedback into Mitigation Tooling
Threats: DDoS attacks, OWASP attacks, CVE exploits, Known API attacks, Bot attacks, Logic attacks (via a Shadow API or a compromised Auth. partner)
Mitigation layers:
1. DDoS protection: Rate Limiting, Cloud-based Solutions
2. Web Application Firewall: virtual patching of vulnerabilities, blocks known attack patterns
3. Bot Protections: block known bots
4. Built-in App protection
5. Behavioural Analysis: detect Business Logic abuse, Zombies, Shadow API
Deployed across Corp, Cloud and On-prem
API Security Maturity Levels (coverage across the entire enterprise API estate)
1. Shining a light on the shadows: discover shadow APIs and ensure each one is documented or decommissioned
2. Getting organized: organize your API inventory
3. Hardening the API posture: look at common alert types and identify strategies and priorities to reduce risk
4. Sharpening threat detection and response: create response plans to address possible attacks from adversaries
5. Developing a proactive approach: establish a formal API threat hunting discipline
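Both the pipeline slide ("Detect ALL APIs: Zombie / Shadow") and maturity level 1 ("discover shadow APIs and ensure each one is documented or decommissioned") come down to one comparison: what the documented inventory says exists versus what the gateway actually sees. The code below is an added example of that comparison, not Akamai's discovery logic. It matches observed method/path pairs against OpenAPI-style path templates and buckets them as documented, shadow (undocumented path or method), zombie (documented but deprecated, still answering) or unused (documented, no traffic). The `/api/v2/messages`, `/notifications` and `/news` paths come from the "Traditional vs Modern Apps" slide; the other paths, the deprecated `/api/v1` endpoint and the traffic sample are constructed.

```python
"""Shadow and zombie API discovery: spec versus observed traffic (added example)."""
import re
from collections import Counter

# Constructed OpenAPI-style inventory: path template -> documented methods
# and whether the operation is marked deprecated.
SPEC = {
    "/api/v2/messages":       {"methods": {"GET"},          "deprecated": False},
    "/api/v2/notifications":  {"methods": {"GET"},          "deprecated": False},
    "/api/v2/news":           {"methods": {"GET"},          "deprecated": False},
    "/api/v2/users/{userId}": {"methods": {"GET", "PATCH"}, "deprecated": False},
    "/api/v1/messages":       {"methods": {"GET"},          "deprecated": True},
}

# Constructed sample of (method, path) pairs as seen at the edge or gateway.
OBSERVED = [
    ("GET", "/api/v2/messages?page=1"),
    ("GET", "/api/v2/messages"),
    ("GET", "/api/v2/notifications"),
    ("GET", "/api/v2/news"),
    ("GET", "/api/v2/users/1337"),
    ("POST", "/api/v2/users/1337"),          # documented path, undocumented method
    ("GET", "/api/v2/users/1337/export"),    # never documented
    ("GET", "/internal/debug/config"),       # never documented
    ("GET", "/api/v1/messages"),             # deprecated but still answering
]


def template_to_regex(template):
    """'/api/v2/users/{userId}' -> regex matching exactly one concrete path."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def classify(spec, observed):
    """Bucket traffic into documented, shadow, zombie and unused operations.

    shadow   : observed path matches no template, or matches a template
               with a method the spec does not list
    zombie   : observed operation is documented but marked deprecated
    unused   : documented operation with no observed traffic at all
    """
    compiled = [(tmpl, meta, template_to_regex(tmpl)) for tmpl, meta in spec.items()]
    documented, shadow, zombie = Counter(), Counter(), Counter()
    for method, raw_path in observed:
        path = raw_path.split("?", 1)[0]          # drop the query string
        for tmpl, meta, rx in compiled:
            if rx.match(path):
                if method not in meta["methods"]:
                    shadow[(method, tmpl)] += 1
                elif meta["deprecated"]:
                    zombie[(method, tmpl)] += 1
                else:
                    documented[(method, tmpl)] += 1
                break
        else:
            shadow[(method, path)] += 1
    seen = set(documented) | set(zombie)
    unused = sorted((m, t) for t, meta in spec.items()
                    for m in meta["methods"] if (m, t) not in seen)
    return {"documented": documented, "shadow": shadow, "zombie": zombie, "unused": unused}


if __name__ == "__main__":
    result = classify(SPEC, OBSERVED)
    for bucket in ("shadow", "zombie"):
        for (method, path), n in sorted(result[bucket].items()):
            print(f"{bucket:<6} {method:<5} {path}  ({n} calls)")
    for method, path in result["unused"]:
        print(f"unused {method:<5} {path}")
```

Each shadow entry is something to document or switch off; each zombie is a decommissioning job that has been postponed; each unused operation is only a decommissioning candidate once traffic from every ingress point on the mitigation slide (Corp, Cloud, On-prem) has been fed in, since an endpoint that is quiet at one edge may be busy at another.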
Takeaways
1. APIs are a primary target
2. Ensure sufficient protections are in place for DDoS, Injection attacks and Business Logic abuse
3. Ensure you know where ALL your APIs are located
4. Ensure you know what ALL your APIs are exposing
Come and meet the team!
Marc Sandell Bergqvist
Major Account Executive
Akamai Technologies
Anders Persson
Regional Sales Leader EMEA North
Akamai Technologies
Sebastian Moradi
Senior Major Account Executive
Akamai Technologies
Eli Arkush
Principal Solutions Engineer, API Security
Akamai Technologies

Apidays Helsinki & North 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai
