APIsecure 2023 - Learning from a decade of API breaches and why application-centric security is the right path, Jeremy Snyder (FireTail.io)

LEARNING FROM A DECADE OF API BREACHES
JEREMY SNYDER, FOUNDER
JEREMY@FIRETAIL.IO

JEREMY SNYDER
MY STORY
▸ UNC BA ’97, GMU MBA ‘04
▸ 1998-2004 TRADOS (lang tech)
▸ 2005-2006 Rivermine (telecom)
▸ 2006-2010 Twinity (metaverse)
▸ 2010-2011 AWS (30x MRR)
▸ 2014 REAN Cloud ($1M in 6 mos)
▸ 2016-2020 DivvyCloud (20x ARR+)
▸ 2020-2021 Rapid7 M&A (3 deals)

APIS ARE EVERYWHERE
EVERY MOBILE APP
EVERY IOT DEVICE
MODERN WEB APPS
REFACTORED ENTERPRISE
APPS
CLOUD-NATIVE APPS
are all just frontend UIs
talking to a backend API.
This is the backbone of the
modern web.

Source: https://iot-analytics.com/2021-global-iot-spending-grow-24-percent/, https://nordicapis.com/tracking-the-growth-of-the-api-economy/, https://www.goodbarber.com/blog/the-growth-of-mobile-apps-what-do-statistics-say-
a1095, https://www.forbes.com/sites/tomtaulli/2020/01/18/api-economy--is-it-the-next-big-thing/?sh=711ec09842ff, https://cisomag.eccouncil.org/api-security/, https://www.globenewswire.com/news-release/
2020/10/22/2112642/0/en/API-Management-Market-to-reach-US-21-68-billion-By-2028-Global-Insights-on-Trends-Expansion-Plans-New-Product-Launch-Growth-Opportunities-Key-Players-Value-Chain-Analysis-and-Futur.html,
Tyler Jewell, MD Dell Technologies Capital
THE RISE AND RISE OF APIS
▸ Private API volumes are predicted to overtake public APIs
▸ F5 estimates 200M APIs exist already, growing to 1.7B active APIs by 2030
▸ API economy (Twilio, Plaid, data-as-a-service): Currently > 50,000 public APIs
in the world, with 40 more public API services per week
“THE WORLD IS ON COURSE TO HAVING A TRILLION
PROGRAMMABLE ENDPOINTS. THE MOMENTUM BEHIND
CONTAINERS, SERVERLESS, MULTI-CLOUD AND APIS IS INCREASING
INTO THIS YEAR, SO THE WORLD WILL PROBABLY DOUBLE THE
NUMBER OF ENDPOINTS THAT ARE GENERATED. THIS IS GOING TO
CREATE ALL SORTS OF NEW PROBLEMS THAT NEED TO BE SOLVED.”

Source: Akamai State of the Internet Report 2021

CRAWL -> WALK -> RUN
EVOLUTION TO OUR CURRENT STATE
90s 2000s Today
App EDI SOAP & XML REST / GraphQL &
JSON
Model Web 1.0 Client / server Distributed, API-
centric
Infrastructure Data center / co-lo Virtual machines Serverless
functions /
containers
©2022 FireTail Inc, All rights reserved.

LEARNING FROM
A DECADE OF API
DATA BREACHES

AND SO… APIS ARE ALSO A PROBLEM
▸ API sprawl is a looming threat to our economy - APIs are becoming
the low-hanging fruit for attackers
▸ API Attacks grew 348% in Q3/Q4 2021
▸ Close to 1 billion (with a B) records have been breached
▸ “Vulnerabilities in apps handling API data are the direct cause of
these breaches. Nothing else is to blame.”
https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/, https://web.archive.org/web/20210127101627/https://www.cloudvector.com/api-data-breaches-in-2020/, https://devops.com/api-
sprawl-a-looming-threat-to-digital-economy, https://devops.com/api-sprawl-a-looming-threat-to-digital-economy, Gartner
BY 2022, API ABUSES WILL MOVE
FROM AN INFREQUENT TO THE
MOST FREQUENT ATTACK VECTOR

SURVEY RESULTS
TOP 6 PROBLEMS WITH APIS, REPORTED BY CISOS
1. Lack of API inventory
2. Enforcing perimeter security (gateway+logic, not
fi
rewall)
3. End-to-end tracing of code to API
4. Number of required security con
fi
gs per API
5. API change management, security implications
6. Gap between developers and security teams

BREACH DATA ANALYSIS
HIGH LEVEL STATISTICS
577M+ records breached
13M records per breach event
43 unique, documented breach/research events
Top attack vectors can be broken down into a few categories

ATTACK VECTORS FOR APIS

BUT THERE’S MORE…

ALMOST ALL
BREACH EVENTS
ARE MULTI-VECTOR

BREACH VECTORS

A LITTLE BIT MORE…
Not industry-speci
fi
c - APIs are everywhere
But some industries have had a huge breach impact recently
Manufactoring (automotive)
Technology (software)
Hospitality (airlines, hotels, rental cars)

PROJECTIONS FOR 2023
Year
% breach
accelera
ti
on
# breach events
# average
records
2021 117% 7 11,167,142.86
2022 172% 12 1,347,045.67
2023 227% 17 2,901,174.71

TRACK OUR RESEARCH
DATA AND ANALYSIS SHARED ONLINE
FireTail’s API Data Breach Tracker:
https://
fi
retail.io/api-data-breach-tracker

API SECURITY BY DESIGN
INTRODUCING FIRETAIL
▸ FireTail delivers hybrid API security - agentless and agent-based
▸ FireTail delivers API security libraries that can drop into application code
▸ The library enforces strong security posture and con
fi
g
▸ Authentication (public vs non-public)
▸ Authorization (who can access what)
▸ Validation (what routes, methods and queries are allowed)
▸ Sanitization (Allowed data/types in and out)
▸ Enterprise use cases for info sec teams are discovery and central audit, plus API
security policy analysis (API security posture management) and integration with
standard systems (ticketing, alerting, etc)

CORE PRINCIPLES
FIRETAIL
VISIBILITY OBSERVABILITY
POLICY AUDIT
DISCOVERY
ENFORCEMENT
Authentication,
authorization, validation,
sanitization in code
Commercial version
sends con
fi
guration and
success / failure events
to cloud backend
Full view of API
landscape across IT
fl
eet
Finding APIs not running
FireTail library via
network traf
fi
c, code
repos & cloud APIs
APIs can be analyzed for
con
fi
guration settings
and security policy. API
security posture
management
Full and centralized audit
trail of all APIs with
FireTail library
implemented. Search
and set alerts.

THE SOLUTION - ADOPTION PATH
FIRETAIL
DISCOVERY &
INVENTORY
POLICY AUDIT
ATTACK PREVENTION
1 2
3
A
3
4

t
Pre-production (dev / test / staging) Production
Code & design phase:
1. Secure source code
2. Vulnerability elimination
Pre-launch testing
1. Fuzzing test
2. Logic test
Runtime protection
1. Cover top 4 attack vectors
2. D&R on central logs
Contextual awareness
1. Feed into CNAPP / AppSec
2. Integrate with SecOps
©2022 FireTail Inc, All rights reserved.

WHY EMBED API
SECURITY IN THE
APPLICATION LAYER?

FIRETAIL LIBRARY LOGIC FLOW
▸ API calls are incoming
▸ Valid route/method evaluation
▸ Authentication check
▸ Payload inspection pass/fail
▸ Authorization (coming soon)
▸ Timestamps captured
▸ Entire event logged to SaaS backend

FIRETAIL API EVENT LOG
▸ Full logging of
API call
▸ HTTP response
code, error or
success case
▸ Request payload
logged (option)
▸ Timestamp
telemetry
{
"_index" : "ps-epr-66046bc8-1531-4f75-b758-86d9d968b454771c5f92-2d0a-423a-a4b7-3ce61eb0b95444edcdd8-d30e-4fd7-a461-5423e9f2f72d",
"_type" : "apirequest",
"_id" : "X0LvQoABjrgaKFimMDRn",
"_score" : 1.0,
"_source" : {
"request" : {
"url" : "http://127.0.0.1:8080/yyy",
"headers" : {
"Host" : "127.0.0.1:8080",
"Connection" : "keep-alive",
"Sec-Ch-Ua" : "" Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"",
"Cache-Control" : "no-cache",
"Sec-Ch-Ua-Mobile" : "?0",
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari
"Sec-Ch-Ua-Platform" : ""Windows"",
"Postman-Token" : "74c2d7fc-9e46-6220-07b6-257bf3f8c698",
"Accept" : "*/*",
"Sec-Fetch-Site" : "none",
"Sec-Fetch-Mode" : "cors",
"Sec-Fetch-Dest" : "empty",
"Accept-Encoding" : "gzip, deflate, br",
"Accept-Language" : "en-US,en;q=0.9,ar;q=0.8"
},
"path" : "/yyy",
"method" : "GET",
"oPath" : "/<post_title>",
"arguments" : { },
"ip" : "127.0.0.1"
},
"response" : {
"status_code" : 200,
"content_length" : 3,
"content_encoding" : null,
"body" : "{}",
"headers" : {
"Content-Type" : "application/json",
"Content-Length" : "3",
"test" : "test"
},
"content_type" : "application/json"
},
"orgUUID" : "66046bc8-1531-4f75-b758-86d9d968b454",
"apiUUID" : "44edcdd8-d30e-4fd7-a461-5423e9f2f72d",
"appUUID" : "771c5f92-2d0a-423a-a4b7-3ce61eb0b954",
"tokenUUID" : "e23fc787-52e0-427b-abc7-4ed318e84b88",
"associated_user" : “riley@firetail.io”
}
}

FIRETAIL - FULLY HYBRID ARCHITECTURE
FIRETAIL LIBRARY + SAAS

FIRETAIL OPEN-
SOURCE &
COMMERCIAL OFFERS

GET TO KNOW FIRE TAIL
COMMERCIAL (FIRETAIL.APP) OR OPEN SOURCE (GITHUB)

THANK YOU!
JEREMY@FIRETAIL.IO
https://firetail.io - Coming soon!
START A FREE TRIAL WITH US SOON TO GET FULL API VISIBILITY & SECURITY

APIsecure 2023 - Learning from a decade of API breaches and why application-centric security is the right path, Jeremy Snyder (FireTail.io)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to APIsecure 2023 - Learning from a decade of API breaches and why application-centric security is the right path, Jeremy Snyder (FireTail.io)

Similar to APIsecure 2023 - Learning from a decade of API breaches and why application-centric security is the right path, Jeremy Snyder (FireTail.io) (20)

More from apidays

More from apidays (20)

Recently uploaded

Recently uploaded (20)

APIsecure 2023 - Learning from a decade of API breaches and why application-centric security is the right path, Jeremy Snyder (FireTail.io)