APIs seem simple. It's just one program talking to another program over a network. However, behind that seeming simplicity lies a
complex landscape full of landmines, foot guns and sharp edges.
How do you navigate the API terrain without exposing yourself to
attack? This talk will cover the API landscape and point out where
'there be dragons'. If you don't have a large number of APIs, you will soon enough so do yourself a favor and follow the map provided in this talk.
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
From LASCON 2022:
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using kubernetes has APIs. There's a good foundation of AppSec knowledge out there - thanks in part to OWASP but API Security isn't exactly the same as AppSec. Additional complexity is part of the landscape with multiple competing API technologies like REST, gRPC and GraphQL plus stakeholders spread across multiple parts of the business. How to do you make sense of API Security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API Security landscape and reach a state of solid API Security.
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays
apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023
API First Paradigms That Help Secure Your APIs
Raj Umadas, Sr Platform Security Manager at ActBlue
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
apidays LIVE Australia 2021 - Accelerating Digital
September 15 & 16, 2021
Levelling up database security by thinking in APIs
Lindsay Holmwood, Chief Product Officer at Cipherstash
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
From LASCON 2022:
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using kubernetes has APIs. There's a good foundation of AppSec knowledge out there - thanks in part to OWASP but API Security isn't exactly the same as AppSec. Additional complexity is part of the landscape with multiple competing API technologies like REST, gRPC and GraphQL plus stakeholders spread across multiple parts of the business. How to do you make sense of API Security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API Security landscape and reach a state of solid API Security.
apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj U...apidays
apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023
API First Paradigms That Help Secure Your APIs
Raj Umadas, Sr Platform Security Manager at ActBlue
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
apidays LIVE Australia 2021 - Accelerating Digital
September 15 & 16, 2021
Levelling up database security by thinking in APIs
Lindsay Holmwood, Chief Product Officer at Cipherstash
[CB19] API-induced SSRF: How Apple Pay Scattered Vulnerabilities Across the W...CODE BLUE
The 2016 WWDC saw the dawn of Apple Pay Web, an API that lets websites embed an Apple Pay button within their web-facing stores. Supporting it required a complex request flow, complete with client certificates and a custom session server. This proved detrimental, since Apple failed to caution against important side effects of taking in untrusted URLs. As a result, many new SSRF vulnerabilities entered the world. Worse yet, while they were exploitable and discoverable in similar ways, they were spread across distinct codebases in several programming languages, so could not be patched in any generic way.
Apple is not alone - in the process of gluing the web together, Twilio, Salesforce, and others have all created similarly broad attack surfaces. When companies fail to take an honest, empathetic look at how clients will use a product, they shove along hidden security burdens. Those who integrate with an API have less context than those who create it, so are in a worse position to recognize these risks.
Engineers have been talking about defensive programming for decades, but top companies still have trouble practicing it. In this talk we explore these mistakes with demos of affected software, and introduce a powerful model for finding broad classes of bugs.
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tool outputs for all your different apps let alone shrink the pile of work already on your plate? In this talk, we’ll discuss the key decision points and requirements to set up a program that moves as fast as it needs to without your team burning out. Learn how to keep moving forward while keeping your sanity.
After learning to be nimble from dealing with teams that are doing 75 production deployments per week, the surviving ideas have been distilled into a collection of tenants. We’ll cover: How to handle CI/CD tests versus traditional security assessments? How to best manage SLAs? How to keep data for auditors and regulatory requirements while also doing continuous testing? Understanding health checks versus continuous testing versus manual testing. How to deal with false positives, risk acceptances and the lifecycle of a security issue? By using these tenants, security assessments at one company grew from 44 to 414 in 2 years or 9.4 times all while losing some headcount. Time to turn chaos into calm and distress into success.
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
From ONUG Fall 2022:
"Shift Left'' and automation have turned from ideals to meaningless buzzwords. Instead of riding the hype train, let's get real and cover practical and real-world examples taken from actual product security successes. Not every business is the same, neither will their DevSecOps program.
In this talk, I'll cover the fundamentals of common to successful DevSecOps programs as well as a grab bag of useful techniques to consider. These are lessons learned doing AppSec at a wide variety of companies including Rackspace, Pearson, a fortune 500 financial, Duo Security and Cognizant Healthcare. Bruce Lee said "Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own". The goal of this talk is to provide you with enough examples to build your own pragmatic and practical DevSecOps program or maybe absorb a new technique or two into your existing program.
[CB19] API-induced SSRF: How Apple Pay Scattered Vulnerabilities Across the W...CODE BLUE
The 2016 WWDC saw the dawn of Apple Pay Web, an API that lets websites embed an Apple Pay button within their web-facing stores. Supporting it required a complex request flow, complete with client certificates and a custom session server. This proved detrimental, since Apple failed to caution against important side effects of taking in untrusted URLs. As a result, many new SSRF vulnerabilities entered the world. Worse yet, while they were exploitable and discoverable in similar ways, they were spread across distinct codebases in several programming languages, so could not be patched in any generic way.
Apple is not alone - in the process of gluing the web together, Twilio, Salesforce, and others have all created similarly broad attack surfaces. When companies fail to take an honest, empathetic look at how clients will use a product, they shove along hidden security burdens. Those who integrate with an API have less context than those who create it, so are in a worse position to recognize these risks.
Engineers have been talking about defensive programming for decades, but top companies still have trouble practicing it. In this talk we explore these mistakes with demos of affected software, and introduce a powerful model for finding broad classes of bugs.
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tool outputs for all your different apps let alone shrink the pile of work already on your plate? In this talk, we’ll discuss the key decision points and requirements to set up a program that moves as fast as it needs to without your team burning out. Learn how to keep moving forward while keeping your sanity.
After learning to be nimble from dealing with teams that are doing 75 production deployments per week, the surviving ideas have been distilled into a collection of tenants. We’ll cover: How to handle CI/CD tests versus traditional security assessments? How to best manage SLAs? How to keep data for auditors and regulatory requirements while also doing continuous testing? Understanding health checks versus continuous testing versus manual testing. How to deal with false positives, risk acceptances and the lifecycle of a security issue? By using these tenants, security assessments at one company grew from 44 to 414 in 2 years or 9.4 times all while losing some headcount. Time to turn chaos into calm and distress into success.
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
From ONUG Fall 2022:
"Shift Left'' and automation have turned from ideals to meaningless buzzwords. Instead of riding the hype train, let's get real and cover practical and real-world examples taken from actual product security successes. Not every business is the same, neither will their DevSecOps program.
In this talk, I'll cover the fundamentals of common to successful DevSecOps programs as well as a grab bag of useful techniques to consider. These are lessons learned doing AppSec at a wide variety of companies including Rackspace, Pearson, a fortune 500 financial, Duo Security and Cognizant Healthcare. Bruce Lee said "Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own". The goal of this talk is to provide you with enough examples to build your own pragmatic and practical DevSecOps program or maybe absorb a new technique or two into your existing program.
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
This is not your normal DevSecOps presentation. We’re going to take on the most difficult aspect of security automation, the dreaded and pitfall prone, dynamic testing. You want to shift left and automate all the things, but DAST specifically has many thorns. How do you ensure what you’re testing matches production? Do devs own the environment? On metal, docker, kubernetes, or docker-compose? Test coverage? Balancing all these elements and more is not easy. Especially if you want to create a single, scalable, standard for your entire org. In this talk, we’ll cover what is needed to start automating your dynamic security testing, how to navigate the trade-offs you’ll have to consider, and finally how best to fit automated DAST testing into your software delivery pipelines. We’ll discuss simple and easy steps to gain efficiency and how to scale to mature pipelines that require little to no human intervention.
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
You’re tasked with ‘doing AppSec’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools outputs for all your different apps? DefectDojo can be your one source of truth and become the heart of your AppSec automation program.
DefectDojo grew out of a Product Security program 8 years ago and was created by AppSec people for AppSec people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers including its REST-based API. DefectDojo can be your one source of truth for discovered security vulnerabilities, report generation, aggregation of over 80 different security tools, inventory of applications, tracking testing efforts and metrics on the AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls.
My talk from Secure Coding Virtual Summit (2021-03-24)
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered including increasing team throughput, engaging and supporting external teams, The idea is to give the audience a leg up on starting a DevSecOps program and allowing them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of DevSecOps quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a DevSecOps journey.
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
Any optimization outside the critical constraint is an illusion. In DevSecOps , the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and provide real world experiences of creating DevSecOps Pipeline’s augmented with automation in multiple enterprises. Getting started can feel overwhelming but this talk provides coverage of the fundamental building blocks of adding automation to an DevSecOps program including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example, customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
Serverless is here so why not use it to make your life better. This talk discussing ways to use serverless to add automation to your application and cybersecurity work.
Originally presented at Global AppSec DC 2019
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
You’ve probably heard many talks about DevSecOps and continuous security testing but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool which has been used in real world companies to do real security work. Beyond a stand alone tool, the OWASP AppSec Pipeline provides numerous docker containers ready to automate, a specification to customize with the ability to create your own implementation and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team’s arsenal and provide example templates of how best to run the automated tools provided. Finally, we’ll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather then hear about it, this talk is for you.
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
What an AppSec Pipeline is, why it's going to change AppSec, how to take good ideas from DevOps and Agile into AppSec Programs and various stages of maturity for AppSec Pipelines. All done with the hope that others will start on their AppSec Pipeline journey.
AppSec Pipelines and Event based SecurityMatt Tesauro
Presented at AppSec California 2017, this is a continuation of earlier talks about AppSec Pipelines and demonstrates 1st and 2nd Gen Pipelines, how OWASP is creating a pipeline for its projects and how several companies have benefited from combining DevOps, Agile, CI/CD and Security into an AppSec Pipeline to move beyond traditional AppSec testing.
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
Presented at AppSec USA 2016 - Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several business. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro
Curious how DevOps, Agile and CI/CD ideas can speed up your AppSec program? Here's how it can be done and an example where it lead to a 5x speed/flow improvement.
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
Slide deck from AppSec California 2016 + some additional slides.
Abstract:
How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. Its not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.
The talk covers real world experiences running AppSec groups at two different companies. Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers that AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security dept which feels inevitable with more traditional AppSec program thinking.
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
Building an Open Source AppSec PipelineMatt Tesauro
Take the concepts of DevOps and apply them to AppSec and you have an AppSec Pipeline. Allow automation, orchestration and some ChatOps to expand the flow of your AppSec team since its not likely to get any bigger.
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“.
AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“.
AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
2. TABLE OF CONTENTS
01 Intro
Quick background
and such
03 Finding Landmines
How to attack and what
those attacks look like
02
Why Attack APIs?
What makes APIs
interesting to attackers
04
Conclusion
Key takeaways and
your questions
3. Who is this guy?
● Reformed programmer & AppSec Engineer
● Noname Security -
Distinguished Engineer, Noname Labs
● 14 years in the OWASP community
○ OWASP DefectDojo (core maintainer)
○ OWASP AppSec Pipeline (co-leader)
○ OWASP WTE (leader)
● 22+ years using FLOSS and Linux
● Currently a Go language fanboy
● Ee Dan in Tang Soo Do Mi Guk Kwan
(2nd degree black belt)
● Founder 10Security
7. Even if you have a solid AppSec program
App Sec Tooling API Sec Tooling
SAST
SCA
DAST
API Gateway
API Inventory
SDLC
API Management
API Specs
WAF
Threat Modeling
Rate Limiting
Anti-Bot Protection
Developer Training
App
Inventory
Service to Service Auth-n
Anomaly Detection
JWTs
OpenID Connect
OAuth2
8.
9. It’s All About the Data
“Data is the new oil”
Clive Humby
British Mathematician
“APIs are data pipelines”
Matt Tesauro
Your presenter
10. As browsers and web apps get hardened…
B
r
o
w
s
e
r
I
m
p
r
o
v
e
m
e
n
t
s
M
F
A
,
C
A
P
T
C
H
A
APIs
11. Types of API attacks Testing
Blackbox
Simulate an attacker
with zero knowledge
Whitebox
Test with full knowledge,
some controls turned off
Greybox
Like blackbox but with
limited info on the target
Crystalbox
Full knowledge including
source code, only the
APIs controls in place
13. Defining the 3 Pillars of API Security
1. API Security Posture
a. Full inventory of all APIs
b. Who is calling the API? What data is sent/received? Where did the call originate?
2. API Runtime Security
a. Watching API traffic and understanding what is normal
b. Anomaly detection and alerting
3. API Security Testing
a. Assess the security state of APIs
b. DAST, not SAST ideally tested early and often
c. Feed results into the issue trackers used by dev teams
14. A better (security) definition of an API
An API consists of 3 parts:
(1) Hostname
e.g. example.com, uat.bigcorp.com
(2) Path
e.g. /api/v2/users/all , /v1/cart/addItem
(3) Method
e.g. POST, PUT, GET, PATCH, DELETE, …
GET to example.com/v2/users/all!= DELETE to example.com/v2/users/all
POST to uat.example.com/v2/user/admin!= POST to example.com/v2/user/admin
17. Passive Recon
Attacker
○ No interaction with the target
○ OSINT / Public information sources
○ Google Dorks
○ intitle: inurl: ext: site: filetype:
○ DNS / OWASP Amass
○ Shodan
○ Search engine of connected
devices
○ Search for APIs
○ www.programmableweb.com
○ apis.guru
○ Github issues/PRs (if FLOS)
○ Stack Overflow posts
Defender
○ Not much to do here - it’s public info
○ You may want to advertise your API
○ “Getting started” pages
○ curl examples, Postman collections
○ API docs behind a customer login
○ Support docs can help attackers too
○ Username format
○ Password complexity
○ Auth method (bearer token, …)
○ Posture & Runtime & Testing aren’t in
play since no traffic hits your infra
Gather all the public information you can on potential targets
18. Active Recon
Attacker
○ Interaction with the target is desired
○ Initially traffic looks harmless or clumsy
○ Start with basic nmap scans of target(s)
○ Listening ports esp http/https
○ Other clues to APIs
○ robots.txt - disallowed URLs
○ DevTools - network tab / XHR /
Memory / Performance
○ Local proxy (Burp/Zap) for API backed
websites / mobile apps
○ Bruteforce URLs (dirbuster, dirb,
Gobuster)
○ Kiterunner - API focused bruteforce
Defender
○ Pretty hard to filter from Internet
background radiation (noise)
○ For SPAs, DevTools are just a fact of life
○ Review items pointing to your API like
robots.txt
○ Nmap scans are detectable but VERY
common
○ Bruteforce activity stands out if real time
monitoring is sufficient
○ Kiterunner should trip API monitoring if
in place
○ Posture - focus efforts
Runtime - discover active recon
Testing - proactive, not much for Recon
Gather all the public information you can from a targets (play nice)
20. Discovery
Attacker
○ Learn how to make legitimate requests
○ Especially how to authenticate
○ Look for
○ API documentation
○ “Getting Started” guides
○ What the API does / why created
○ Spec files (Swagger, OpenAPI, RAML,
Postman collections, WADL, WSDL, …)
○ Clients (upstream proxy them)
○ Manually creating a list / Postman
collection based on:
○ Bruteforced URLs
○ SPA proxied traffic
○ Kiterunner
Defender
○ Traffic mostly looks like someone learning
your API
○ For SPAs & Mobile
○ Discovery may stand out
○ Your clients already know how to
make API calls
○ For undocumented APIs, there should be
many failed requests
○ Posture - focus efforts, define
internal-only APIs
Runtime - discover Discovery in
certain circumstances
Testing - proactive, not much for Discovery
You have target(s), now how to use them legitimately
26. Broken Object Level Authorization
Attacker
○ Look at how API resources are
structured
○ Change IDs within API calls
○ Can be names (non-numeric)
○ Make calls to other IDs/resources with
your Auth-N method / token
○ Create something as user 1
○ Try to access it as user 2
○ Response differences
○ HTTP Response code (404 vs 405)
○ Time to respond
○ Length of response (rare)
Defender
○ Detection requires fairly deep inspection
of the API calls
○ WAFs will generally fail
○ Shaped like legit request with IDs
swapped
○ Looking for BOLA can cause increased
Auth-Z errors
○ 2 similar requests from the same client
with different IDs can be found by ML
○ Posture - focus on most risky APIs
Runtime - detect BOLA attacks
Testing - Find BOLA early / pre-prod
One user can access another user’s data or take actions for them
27. Broken User Authentication
Attacker
○ Bruteforce credentials
○ No anti-automation on password resets
or MFA/CAPTCHA
○ Password Spraying
○ Base-64 “protections”
○ Low entropy tokens
○ JWT weaknesses
○ Captured JWTs
○ None algorithm, no signature
○ Key mismatch, blank password, …
○ Cracking JWT secrets
○ jwt_tool
Defender
○ Bruteforce attacks are noisy
○ Password spraying is very noisy
○ Ensure crypto is used correctly and
carefully
○ JWT Best Practices RFC
○ Consider removing Auth-N from the API
○ Only get tokens through web app
○ Posture - identify Auth-N APIs
Runtime -detect brute force, spraying,
JWT manipulation
Testing - identify poor practices early
Using poor practices in authentication to attack APIs
28. Excessive Data Exposure
Attacker
○ Look for API responses that provide
‘extra’ information
○ Mobile app APIs tend to trust
client to filter data
○ Look for ‘interesting’ responses
○ Profile pages
○ Linked users
○ Internal meta-data
○ Is the data expected part of a larger data
object or DB row?
○ Can be time consuming to check all
possible responses for excessive data
Defender
○ Single requests can’t be distinguished
from normal traffic
○ SAST can help here to avoid “to_json” or
similar
○ Don’t rely on clients filtering data
○ Separate data objects for app and API
○ Posture - Shows sensitive data, large
responses
Runtime - Detect multi-request data
scraping
Testing - Find verbose responses early
Sometimes developer productivity helps attackers too!
29. Lack of Resource & Rate Limiting
Attacker
○ Add thousands of items, ask for a list
○ Lack of pagination
○ Denial of API use (client)
○ Fuzzing and bruteforce attacks can
discover these
○ Modify requests, different client,
different IP to bypass limits
○ CPU / Memory intensive requests
○ robots.txt or documentation
○ Other games to play
○ Switch cAsE
○ Null and other terminators
○ Encoding data
○ Too high to make a difference
Defender
○ Some requests will look normal but with
large responses
○ Unusual requests
○ Headers, encoding, terminators, …
○ Observability can show usage spikes
○ Many bypass methods stand out from
normal traffic
○ Posture - Determine APIs needing limits
Runtime - Detect anomalous traffic and
respond
Testing - Fuzzing request data can find
some issues early
Failure to provide limits is a recipe for DOS or worse
30. Broken Function Level Authorization
Attacker
○ Focus on APIs with multiple roles/groups
○ Potential for expose backplane
○ Most things have an ‘admin’
○ Try undocumented HTTP methods
○ PATCH, PUT, POST, DELETE (!)
○ Create items with one group/role
○ Interact with those items as a
different role
○ Bruteforce / guess potential backplane
operations
○ Experiment with headers, request data
to access admin functions
Defender
○ Affects APIs with 2+ roles, groups,
privilege levels
○ Calls to unsupported methods that fail
○ Same client, different roles within a
short period of time
○ Failures for backplane/admin paths
○ Unusual requests - headers, body
○ Posture - Determine APIs with groups,
roles, privilege levels
Runtime - Detect unusual, failing
requests or changes in role
from a client
Testing - Conduct Auth-Z testing early
Failure to restrict access by group or role leading to compromise
31. Mass Assignment
Attacker
○ Look for requests that appear to be
partial data
○ Make guesses at unsent items
○ Look at request/response difference
between roles/groups/privilege levels
○ Guess / bruteforce multiple values at
once (hail mary)
○ Error messages or required field
messages can provide clues
○ Fuzzing can also find issues
○ Combine with Broken Function Level
Auth-Z to change data for other users
○ Change email/contact details
Defender
○ Requests stand out from normal
requests with deep inspection
○ Large number of failed/invalid requests
○ Increased request size
○ Increased severity for APIs with different
roles/groups/privileges
○ Posture - Focus on APIs with multi-roles
or sensitive data
Runtime - Requests with extra data,
multiple failed/invalid requests
Testing - Add additional, valid fields to
discover early
Why not accept more data, what could go wrong?
32. Security Misconfiguration
Attacker
○ Check the basics
○ TLS config
○ Info leaks via headers, etc
○ Default credentials, EICAR
○ Use Recon and Discovery
○ Verbose errors
○ Purposefully make bad requests
○ Misconfigured framework settings
○ Debug mode
○ Intermediate devices
○ Determine if WAF, API Gateway,
etc is in line
○ Call ‘internal’ functions with origin
headers e.g. X-Remote-Addr
Defender
○ Basic network vuln scanners can find the
basics
○ Passive traffic monitoring can show
header issues, API gateway bypass,
many others
○ Client with many erroring or malformed
requests
○ Posture - Show weak configuration e.g.
API gateway bypass
Runtime - Unexpected client traffic,
multiple errors, malformed
or anomalous requests
Testing - Good for the basics, better if
fuzzing is included in tests
A little misconfiguration can go a long way
33. Injection
Attacker
○ Place injection strings into
○ Tokens / API keys
○ Headers (esp API specific ones)
○ Query data
○ Data in request body
○ Recon/Discovery can help focus what
types of injection to try
○ Error messages can also help
○ Many good online resources for
injections
○ Fuzzing lists
○ OWASP Testing Guide
○ 2nd order injections
Defender
○ Input validation AND output encoding
○ Many failed or malformed requests
○ Large number of errors or validation
failures at API
○ Overly trusting of East/West API calls
○ Posture - Focus on APIs with sensitive
data, East/West APIs
Runtime - Surge in errors, failed, invalid
or malformed requests,
control characters in requests
Testing - Attempt injections early in dev
cycle
Treat data like code and bad things happen
34. Improper Assets Management
Attacker
○ You find many misconfiguration issues
○ Internal APIs are publicly accessible
○ API documentation is inaccurate
○ “Hidden”/undocumented APIs
○ Dev/New APIs in production
○ Legacy APIs are not decommissioned
○ API v minus 1 or more available
Basically,
your pen test was productive and easy
Defender
○ Need to know all APIs (host, path,
method)
○ Classify all data received and sent by
APIs
○ API Gateway enforced, East/West traffic
○ Public vs internal APIs
○ Posture - Solved with solid posture
management
Runtime - Updates posture as
environment changes
Testing - Not particularly useful here
Know what you have if you want to protect it adequately
35. Insufficient Logging & Monitoring
Attacker
○ Fuzzing does not cause a reaction /
blocking
○ Assumes control is in scope for
testing
○ Attacks, especially blatant injections go
unnoticed
○ Phone numbers never look like:
<script>alert(XSS)</script>
○ Mostly, external testers / attackers can
only infer the level of logging and
monitoring
Defender
○ No attacks are seen / noticed
○ Diagnosing API issues is difficult
○ Unplanned downtime or resource
consumption
○ Posture - Determine the appropriate
level of logging per API
Runtime - Monitoring is what this
provides, also can retain traffic
for analysis aka quasi-logging
Testing - Validate logging is working
(at best)
Change guesses to decisions with data
37. Fuzzing
Attacker
○ Send requests altering
○ Values to the extreme
(large/small)
○ Negative numbers
○ Decimals for integers
○ Letters for numbers and vice
versa
○ Control characters
○ Unicode / non-native characters
○ Target fuzzing strings if possible
○ Look for changes in
○ Response code
○ Response size
○ Timing
○ Error messages
Defender
○ LOTS OF REQUESTS FROM A SINGLE
CLIENT OVER A SHORT PERIOD OF
TIME
○ Fuzzing is very noise on the network
○ Spikes in CPU, RAM, request traffic,
errors, validation failures
○ Posture - Not much for Fuzzing
Runtime - Easily detect fuzzing traffic
Testing - Fuzzing as a normal part of
testing to find issues early (pre-prod)
When crafted attacks don’t work, throw the kitchen sink at your target
38. Structural vs Data Attacks
Structural Attacks
○ Modifying the structure of a request
○ Repeating data structures
○ Adding non-printing characters
e.g. spaces, tabs, null characters
between data elements
○ Removing portions of the data
structure
○ Messing with the structure of the
request only - data provided is legit
○ QA / HTTP testing tools generally
normalize the structure so won’t work
○ Custom craft HTTP requests (Python
requests library) or use a local proxy like
Zap or Burpsuite
Data Attacks
○ Modifying the data in a request
○ Substituting fuzzing / injection data
for legit data values
○ Providing unexpected or overly large
/ small data values
○ Structure of the request is not modified
○ What most fuzzing and injections attacks
look like - changing data without changing
the structure
○ QA / HTTP testing tools can be leveraged to
automate these attacks
2 fundamental ways to be naughty with APIs
39. Special Notes on GraphQL
Same from GraphQL
○ Recon (Passive / Active)
○ Discovery
○ Bruteforcing API paths
○ Using a local proxy e.g. Burpsuite /
Zap
○ Install GraghQL plugins
○ Documentation / “Getting Started”
Different for GraphQL
○ Introspection to learn the APIs schema
○ Often disabled at the API
○ GraphQL is a query language
○ Clients define the data they want
○ Opposite of defined requests &
responses of REST APIs
○ Gaining popularity as clients aren’t
bound to fixed data structures
○ Client can change without need for
API changes
GraphQL is a special beast but many things are the same
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
40. GraphQL - left as an exercise for the student
Googling
“GraphQL”
42. Key Takeaways for API testers
(1) Knowledge of how to test web apps prepares you for most of API testing
If you need some help, look at the OWASP Testing Guide
(2) Some special knowledge and tools are needed for parts of API testing
More on this later
(3) Gaps in AppSec controls coverage and framework shortfalls lead to security
shortfalls
API testing is likely to be “productive”
43. Key Takeaways for API testers
https://owasp.org/www-community/api_security_tools
44. Key Takeaways for API defenders
The existing AppSec program and controls have API Security gaps to fill
Risk Posture Runtime Testing
Broken Object Level Authorization
Broken User Authentication
Excessive Data Exposure
Lack of Resource & Rate Limiting
Broken Function Level Authorization
weak
weak
weak
45. Key Takeaways for API defenders
The existing AppSec program and controls have API Security gaps to fill
Risk Posture Runtime Testing
Mass Assignment
Security Misconfiguration
Injection
Improper Assets Management
Insufficient Logging & Monitoring
weak
47. CREDITS: This presentation template was created by
Slidesgo, including icons by Flaticon, infographics &
images by Freepik
THANKS!
Do you have any questions?
matt.tesauro@owasp.org
www.defectdojo.org
https://owasp.org/www-community/api_security_tools