API 101: How to secure your web applications
Simon Roe and Dan Barahona
26th May 2021
Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Complete Application security for DevSecOps
CREST certified penetration testing.
What is an API?
• Application programming interface
• Essentially governs the communication between services
• Used in almost all web applications today
• Heavily used in mobile app development
• You use them every day
• By 2019, 83% of web traffic passed through one or more APIs
How APIs work
However, these interactions with services can lead to security weaknesses and breaches.
Interactions lead to security risk
Source: APISec
How APIsec are tackling the API security challenge
APIs are everywhere
APIs, microservices, CI/CD have transformed how apps are built and run
• 83% of all internet traffic is from APIs
• 90% of web app attack surface area are APIs
• 90% of breaches targeted web applications
• 2022: APIs will become the “most frequent attack vector”
Why attackers target the API layer
APIs:
• Direct access to sensitive data
• Often “over-permissioned”
• Vulnerable to logic flaws
API Breaches in the News
• API returned full transaction details. 200M transactions harvested.
• Allowed API access with no authentication.
• API allowed User A to access User B data. 60M accounts accessed.
• API required 6-digit code for account reset but did not prevent brute force.
• API allowed user to enable unrestricted premium features.
API breaches exploiting logic flaws in the application
OWASP API Security
#1 Broken Object Level Authorization: can User A access User B's data?
#2 Broken User Authentication: lack of authentication; weak password policies
#3 Excessive Data Exposure: does the API return more data than necessary?
#4 Lack of Resources & Rate Limiting: is the API subject to DoS? Does the API limit requests?
#5 Broken Function Level Authorization: does the API allow unauthorized operations?
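Items #1, #3 and the brute-force breach above, as an added example that is not from the slides, APIsec or Outpost24: a minimal account-lookup handler in the form that lets User A read User B's whole record, beside a hardened one, and an attempt cap for a 6-digit reset code. The data store, users, account ids and reset code are constructed.

```python
# Added example, not code from the webinar, APIsec or Outpost24: one account
# lookup written twice (defective: OWASP API #1 BOLA and #3 excessive data
# exposure; then hardened), plus an attempt cap for a 6-digit reset code (#2/#4).
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample store: two users, each owning one account record.
ACCOUNTS = {
    "acct-1001": {"owner": "userA", "balance": 250.0, "ssn": "000-00-0001"},
    "acct-1002": {"owner": "userB", "balance": 9100.0, "ssn": "000-00-0002"},
}
PUBLIC_FIELDS = ("balance",)  # explicit allow-list of fields the client needs

@dataclass
class Request:
    user: str        # authenticated caller (authentication assumed done upstream)
    account_id: str  # object the caller asks for, taken from the URL

def get_account_vulnerable(req):
    """#1 BOLA: any authenticated user can fetch any account id.
    #3 Excessive data exposure: the whole record, SSN included, is returned."""
    record = ACCOUNTS.get(req.account_id)
    if record is None:
        return 404, None
    return 200, dict(record)

def get_account_hardened(req):
    """Object-level check: the caller must own the record, and the response is
    built from an allow-list rather than the raw object."""
    record = ACCOUNTS.get(req.account_id)
    # Same 404 for missing and foreign ids, so ids cannot be enumerated by status.
    if record is None or record["owner"] != req.user:
        return 404, None
    return 200, {k: record[k] for k in PUBLIC_FIELDS}

# Constructed reset code: 6 digits is only 10**6 guesses, so attempts must be capped.
RESET_CODES = {"userB": "483921"}
MAX_ATTEMPTS = 5
_attempts = defaultdict(int)

def verify_reset_code(user, code):
    """Returns 'ok', 'denied' or 'locked'; the lock persists after MAX_ATTEMPTS failures."""
    if _attempts[user] >= MAX_ATTEMPTS:
        return "locked"
    if hmac.compare_digest(RESET_CODES.get(user, ""), code):
        _attempts[user] = 0
        return "ok"
    _attempts[user] += 1
    return "denied"
```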
Securing the API Lifecycle
The slide lays out Design Time, Test Time and Run Time against two rows, Security Vulnerabilities and Business Logic Flaws:
• Design Time: Static Application Testing (code vulnerabilities)
• Test Time: Dynamic Application Testing (common attacks: SQL Injection, XSS, DDoS); Manual Testing (Pen-Testing, Red Teams; Burp Suite, ZAP; speed and coverage limitations)
• Run Time: Gateways & Firewalls (anomaly-based detection; bots, DDoS)
Securing the API Lifecycle
The same Design Time / Test Time / Run Time grid against Security Vulnerabilities and Business Logic Flaws, covered by an Automated API Test Platform:
• Security & Logic flaws
• Continuous visibility
• Complete test coverage
• Speed of DevOps
• Zero touch deployment
APIsec — How it works
• No source code access
• No agents
• Nothing inline, no latency
Zero Touch Deployment
Inputs:
• API Gateway: AWS, Apigee, Mulesoft
• API Definition: OpenAPI, Swagger, RAML, Postman
• User Credentials
Steps:
• Register the API
• Create API attack playbooks
• Run attacks, find vulnerabilities
• Integrate with CI/CD
[Diagram: API Endpoints]
APIs: Privacy & Compliance
[Diagram: Privacy | Compliance]
Case Study
Streamlined API pen testing. ROI of 3 months.
About Seismic
Seismic is a leader in sales and marketing enablement. They hold confidential data from their customers.
Challenges
● Engineers adding extensive API support
● API could expose customer private data hosted on the Seismic application
● Wanted to respond to customer data privacy queries
“Our customers ask us what we are doing to protect their sensitive data on Seismic, and once they see what we have done with APIsec, their confidence in us grows.”
Tim Dzierzek, VP of Information Security
Solution
● APIsec deployed into staging
● APIsec builds and executes new attack playbooks
● APIsec automatically identifies new vulnerabilities
● Now being integrated into the development toolchain
Demo
Thank you!
Simon Roe, sro@outpost24.com
Dan Barahona, dan@apisec.ai
Free API Pen-Test
• Live test against your API
• Full OWASP Top 10 coverage
• Includes Pen-Test report
apisec.ai/outpost24
Simon Roe, sro@outpost24.com
Questions?