A presentation given by Axel Grosse, Global Head of PreSales, 42Crunch, at our 2024 Austin API Summit, March 12-13. Session Description: What are the best practice approaches to address both the immediate impact of an API attack and to implement a longer term remediation strategy. This is a real-world example of a leading on-line retailer who was the victim of a recent API-targeted attack. Learn how an immediate plan of action was implemented to ensure business continuity and how in parallel, a longer-term strategy was adopted designed to prevent a recurrence of the damage and to protect the company’s overall API estate. Based on his real-world experience, the presenter will walk us through the step-by-step measures that needed to be immediately undertaken to stem the damage impacting the business, but he also expands on how the company adopted a longer-term approach to protecting their assets. Attendees will walk away with a step-by-step guide to implementing an API Protection action plan for today and tomorrow.

1. 1 │ 42Crunch.com
A real world example
You’ve had an API breach
NOW WHAT?

2. 2 │ 42Crunch.com
Axel Grosse
42Crunch
•Passionate about API Security since 2009
•Head of presales @ 42Crunch
•Scuba diver & Crossfitter

3. 3 │ 42Crunch.com
Attacker used valid tokens
to gain access to user data
Login via PhoneNo and OTP
bypassing SPA
Data exfiltration
Situation

4. 4 │ 42Crunch.com
Immediate counter measures
STOP ACCESS TO APP -> No luck
DISABLE ACCESS ON WAF … breach stopped
result:
Lost of sensitive data
Lost revenue due to disabled loyalty app
Situation

5. 5 │ 42Crunch.com
• SPA developed by full stack developers
• Low awareness of APIs involved in the application flow
• SPA allows attacker to understand business flow
• Login via Phone Nr and OTP seam to be compromised
• Full Account takeover possible
• Finding: Business Object Level Authorization (OWASP API1:2023 BOLA)
https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/
TRIAGE

6. 6 │ 42Crunch.com
A. OpenAPI Specification standard
B. Validate the security of the OAS
and remediate
C. normal transaction/sec volume
D. API specific real-time protection
E. TEST
Ready to activate
Plan to secure & activate the app again

7. 7 │ 42Crunch.com
THU
TEAMS & TIMELINE
MON
SUN
TUE WED
NETWORK | WAF | DEVELOPER
API SECURITY SME

8. 8 │ 42Crunch.com
Identify APIs in Applications
OAS standard for security governance
Long term strategy
Stage1 - Awareness
Automate security evaluation of each OAS on every push
Automate specific API security tests on every pull request
(conformance with the OAS and OWASP API TOP 1 - 5)

9. 9 │ 42Crunch.com
Long term strategy
Stage2 - evolution to more security
Implement Security Quality Gates,
stop the pipeline on failure
Communicate findings to developer for remediation
incl. hints
Implement real-time API protection for each API

10. 10 │ 42Crunch.com
Long term strategy
Stage3 - fully automated API Security
Application delivery needs to
pass all Security Quality Gates
Delivery pipeline includes
OAS and Implementation SQGs
Real-time API protection update

11. 42Crunch.com
QUESTIONS ?
Thank You
and maybe answers