APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
I KNOW WHAT YOU(r APIs) DID LAST SUMMER – Understanding and Identifying Threats Against APIs
Shannon Wilkinson, Cybersecurity Founder | Women in Technology & STEM Advocate | Keynote Speaker | Board Member & Advisor
4. Top 10 – 2023 RC
• Broken Object Level Authorization
• Broken Authentication
• Broken Object Property Level Authorization
• Unrestricted Resource Consumption
• Broken Function Level Authorization
• Server Side Request Forgery
• Security Misconfiguration
• Lack of Protection from Automated Threats
• Improper Asset Management
• Unsafe Consumption of APIs
Top 10 – 2019
• Broken Object Level Authorization
• Broken User Authentication
• Excessive Data Exposure
• Lack of Resource & Rate Limiting
• Broken Function Level Authorization
• Mass Assignment
• Security Misconfiguration
• Injection
• Improper Asset Management
• Insufficient Logging & Monitoring
5. Where Do API Threats Come From?
• Bad Coding – QA, we don’t need no stinking QA!
• Poor Validation – Do you validate your SSL certs to protect traffic/data?
• Poor Authentication – Do you require authentication?
• Automated Threats
  • BOTSSSSSSSSSSSSSSSSSS!
• API Utilization – How much data should be going out?
6. Where Are Your APIs?
• How can you protect what you don’t know?
• You need to, or you need someone to, perform a thorough analysis of what APIs you have in your environment.
• It’s not a One-And-Done assessment; you need continuous validation/testing.
7. • Data Flow
  • What is the normal flow of data?
• User Behavior
  • Who/where/when/how?
• Expected Level of Errors
• KYAPIs – Know Your APIs
  • What data is exposed?
  • Are the endpoints secured?
  • Do we have SSL and no HTTP redirects?
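The "Know Your APIs" questions above ("What data is exposed?") and the Schema Validation rule later in the deck come down to the same control: a documented per-endpoint schema enforced on the way in and on the way out. The following is an added example, not code from the talk, showing the 'before' handler that copies whatever the client sends (the Mass Assignment / Broken Object Property Level Authorization categories in slide 4) next to the schema-checked version, plus a response filter for the Excessive Data Exposure case. The endpoint (PUT /api/v1/users/{id}), the USER_SCHEMA, the STORED_USER record and the function names are all assumptions constructed for the illustration.

```python
# Added example (not from the talk): enforce a documented property schema per
# endpoint on the way in and on the way out. The endpoint, schema and records
# are assumptions constructed for this illustration.

# Assumed documentation for PUT /api/v1/users/{id}: properties a client may
# write (with their types) and properties the API may return.
USER_SCHEMA = {
    "writable": {"display_name": str, "email": str},
    "readable": {"id", "display_name", "email"},
}


class SchemaViolation(ValueError):
    """Raised when a request body does not match the documented schema."""


def validate_request(body: dict, schema: dict = USER_SCHEMA) -> dict:
    """Reject undocumented properties (mass assignment / broken object property
    level authorization) and documented properties of the wrong type."""
    unknown = set(body) - set(schema["writable"])
    if unknown:
        raise SchemaViolation(f"undocumented properties: {sorted(unknown)}")
    for name, expected in schema["writable"].items():
        if name in body and not isinstance(body[name], expected):
            raise SchemaViolation(f"{name}: expected {expected.__name__}")
    return dict(body)


def filter_response(record: dict, schema: dict = USER_SCHEMA) -> dict:
    """Return only documented readable properties, so internal fields never
    leave the API (excessive data exposure)."""
    return {k: v for k, v in record.items() if k in schema["readable"]}


# Constructed stored record; the hash is a placeholder, not a real credential.
STORED_USER = {
    "id": 42,
    "display_name": "sam",
    "email": "sam@example.test",
    "is_admin": False,
    "password_hash": "<placeholder-hash>",
    "balance_cents": 1200,
}


def update_user_unsafe(record: dict, body: dict) -> dict:
    """'Before': copies whatever the client sent into the record, so a body
    containing {"is_admin": true} silently escalates the account."""
    updated = dict(record)
    updated.update(body)
    return updated


def update_user_safe(record: dict, body: dict) -> dict:
    """'After': only schema-validated, documented properties are applied."""
    updated = dict(record)
    updated.update(validate_request(body))
    return updated


if __name__ == "__main__":
    body = {"display_name": "sam2", "is_admin": True}
    print("unsafe is_admin:", update_user_unsafe(STORED_USER, body)["is_admin"])
    try:
        update_user_safe(STORED_USER, body)
    except SchemaViolation as exc:
        print("safe rejected:", exc)
    print("response:", filter_response(STORED_USER))
```

The point of keeping the schema as data rather than inline `if` checks is that the same object doubles as the endpoint documentation the Developers slide asks for: if a property is not in it, the API neither accepts nor returns it, and a rejected body is itself a log event worth shipping to the SIEM.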
8. That’s Not Normal – Anomaly Detection
• Unusual Traffic
  • Increased Traffic
  • Unexpected API Calls
  • Vulnerability Scanning
  • 404/500 Errors
• Unusual User Behavior
  • Extraordinary Traveler
  • Repeated Failed Attempts
9. API Specific Rules
• Excessive API Calls
  • Exceed Rate Limits
  • You Do Rate Limit, Right? Right?
• Unusual User/Data Behavior
  • Schema Validation
  • Add to Cart & Buy in Less than X Timeframe (Bots!)
• Configuration Changes
• Suspicious Payloads/File Transfer
  • Scan with AV/EDR
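The anomaly-detection slide and the API-specific rules above are a rule set in outline; here is an added example, not code from the talk, that implements several of them over constructed access-log lines: rate-limit exceedance, calls to endpoints outside the API inventory (how vulnerability scanning usually first shows up), repeated failed authentication, a high share of 404/500 responses, and the add-to-cart-then-buy-in-under-X-seconds bot rule. The log format, the thresholds, the `KNOWN_ENDPOINTS` inventory and the sample clients are all assumptions; a real deployment would baseline its own traffic before picking numbers.

```python
# Added example (not from the talk): a handful of the anomaly-detection and
# API-specific rules from the slides, run over constructed access-log lines.
# The log format, thresholds and endpoint inventory are assumptions.
from collections import defaultdict
from datetime import datetime

# Assumed thresholds; a real deployment tunes them against its own baseline.
RATE_LIMIT_PER_MINUTE = 5      # requests per client per one-minute window
FAILED_AUTH_THRESHOLD = 3      # 401s on the login endpoint per client
ERROR_SHARE_THRESHOLD = 0.5    # share of 404/500 responses per client
MIN_REQUESTS_FOR_SHARE = 5     # do not judge error share on a handful of calls
BOT_CHECKOUT_SECONDS = 2.0     # add-to-cart to checkout faster than a human

# Assumed "Know Your APIs" inventory: the endpoints we document and expect.
KNOWN_ENDPOINTS = {"/api/v1/login", "/api/v1/items", "/api/v1/cart", "/api/v1/checkout"}

# Constructed sample log, one request per line: timestamp client method path status
SAMPLE_LOG = """\
2023-03-14T10:00:00 10.0.0.5 POST /api/v1/login 401
2023-03-14T10:00:02 10.0.0.5 POST /api/v1/login 401
2023-03-14T10:00:04 10.0.0.5 POST /api/v1/login 401
2023-03-14T10:00:06 10.0.0.5 POST /api/v1/login 200
2023-03-14T10:01:00 10.0.0.9 GET /api/v1/items 200
2023-03-14T10:01:00 10.0.0.9 GET /.env 404
2023-03-14T10:01:01 10.0.0.9 GET /admin 404
2023-03-14T10:01:01 10.0.0.9 GET /wp-login.php 404
2023-03-14T10:01:02 10.0.0.9 GET /phpmyadmin 404
2023-03-14T10:01:02 10.0.0.9 GET /api/v1/items 500
2023-03-14T10:02:00 10.0.0.7 POST /api/v1/cart 200
2023-03-14T10:02:01 10.0.0.7 POST /api/v1/checkout 200
2023-03-14T10:03:00 10.0.0.8 POST /api/v1/cart 200
2023-03-14T10:03:45 10.0.0.8 POST /api/v1/checkout 200
"""


def parse_line(line: str) -> dict:
    ts, client, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "path": path, "status": int(status)}


def evaluate(log_text: str) -> list:
    """Return (client, alert) tuples for every rule that fires."""
    alerts = []
    per_minute = defaultdict(int)            # (client, minute) -> request count
    failed_auth = defaultdict(int)           # client -> 401s on login
    err_total = defaultdict(lambda: [0, 0])  # client -> [error count, total]
    last_cart = {}                           # client -> time of last add-to-cart
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        c = e["client"]
        # Rule: excessive API calls / rate limit exceeded (fixed one-minute window)
        bucket = (c, e["ts"].replace(second=0, microsecond=0))
        per_minute[bucket] += 1
        if per_minute[bucket] == RATE_LIMIT_PER_MINUTE + 1:
            alerts.append((c, "rate_limit_exceeded"))
        # Rule: unexpected API call, i.e. a path not in the inventory
        # (vulnerability scanners show up here first)
        if e["path"] not in KNOWN_ENDPOINTS:
            alerts.append((c, "unexpected_endpoint:" + e["path"]))
        # Rule: repeated failed authentication attempts
        if e["path"] == "/api/v1/login" and e["status"] == 401:
            failed_auth[c] += 1
            if failed_auth[c] == FAILED_AUTH_THRESHOLD:
                alerts.append((c, "repeated_failed_auth"))
        # Bookkeeping for the 404/500 error-share rule
        err_total[c][1] += 1
        if e["status"] in (404, 500):
            err_total[c][0] += 1
        # Rule: add to cart and buy in less than X seconds (bots)
        if e["method"] == "POST" and e["path"] == "/api/v1/cart":
            last_cart[c] = e["ts"]
        elif e["method"] == "POST" and e["path"] == "/api/v1/checkout" and c in last_cart:
            delta = (e["ts"] - last_cart[c]).total_seconds()
            if delta < BOT_CHECKOUT_SECONDS:
                alerts.append((c, f"bot_checkout:{delta:.0f}s"))
    for c, (errors, total) in err_total.items():
        if total >= MIN_REQUESTS_FOR_SHARE and errors / total > ERROR_SHARE_THRESHOLD:
            alerts.append((c, "error_share_high"))
    return alerts


if __name__ == "__main__":
    for client, alert in evaluate(SAMPLE_LOG):
        print(client, alert)
```

Each rule is deliberately cheap and stateful per client, which is the shape that ports directly to a SIEM correlation rule: the fixed one-minute bucket is a coarse stand-in for the sliding window a real rate limiter uses, and the minimum-request guard on the error-share rule is what keeps one user's single mistyped URL from paging anyone.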
10. • Developers
  • Code Reviews
  • Code Repository Reviews
  • Code Vulnerability Scanning
  • Documentation of API Endpoints
  • SBOM (Software Bill of Materials)
  • Unmanaged APIs
  • Vulnerable APIs (Log4j anyone?)
  • What do 3rd Party APIs have access to?
  • Protecting Credentials/Authentication
  • Public vs Private APIs
11. • Security Team / Audit & Compliance
  • Policies & Procedures
  • Assessments
  • Attack Surface Management Tools
  • AV/EDR on Endpoints/Servers
  • WAFs
• Security Operations Center (SOC)
  • Ingestion of API Security Logs
  • Monitoring of API Activity through SIEM/Data Lake
12. Nope, Not On My Watch!
• Monitoring
  • OWASP API Top 10 – Insufficient Logging & Monitoring
  • 200+ Days to Detect
  • Detection by 3rd Party (Ouch, Embarrassing!)
• SIEM/Data Lake Platforms
  • Comprehensive View – Attack Surface, WAFs, Endpoints
  • Threat Intelligence / Correlation Tools