@Axway @SmartBear #APISecurity
Test & Protect Your API
Practical Tips to Achieve API Security Nirvana with Axway & Ready! API
The API Lifecycle – SmartBear approach
• Open source based and driven
• Integrated tools for Dev/Test across API lifecycle
• Extendable and easily integrated into API lifecycle workflow
• Data driven and automated
• Protocol and runtime independent
• Leverage and reuse assets across lifecycle
• Democratize advanced dev/test capabilities
About Axway
• Axway technology manages interactions between applications, people and communities.
• Security and integration across B2B (EDI, MFT, and APIs)
• Positioned as a leader in Gartner Magic Quadrants for “On-Premises Application Integration Suites” and for “Application Services Governance”
Webinar Attendee Statistics
Chart 1: How important is API Security to your organization?
Not important at all: 3%; Growing importance: 41%; Very important: 56%
Chart 2: How much API Security testing do you do today?
None: 23%; Some: 65%; Extensive: 12%
56% of attendees for this webinar responded that API security is “very important,” and yet only 12% are doing extensive security testing.
APIs – A soft underbelly for security?
• Security vulnerabilities related to APIs
• Enabling account information exposure (Snapchat)
IRS Data Breach – Insecure API Access
And more security vulnerabilities…
Mobile App vulnerabilities are often API vulnerabilities in disguise…
• Insecure APIs are often the source of mobile app security issues
• Sniffers can detect insecure API calls
Source: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html
Beware Weak API Key Authentication
• Problem:
  – API Keys are often simply passed in URLs, e.g. &APIKey=123456
  – Vulnerable to sniffing and replay attacks
• Amazon uses two keys:
  – Secret Key ID to perform HMAC signing, with detection of replay attacks
  – Access Key ID to identify the client
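As an added illustration of the two-key scheme the slide describes (example code, not from the webinar or from Axway/SmartBear): the Access Key ID travels with the request to identify the client, the Secret Key only ever feeds an HMAC, and the verifier rejects stale timestamps and reused nonces so a sniffed request cannot simply be replayed. The key values, header names and canonical string format are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed credentials (example values only): the Access Key ID identifies
# the client and may travel in the clear; the Secret Key never goes on the wire.
ACCESS_KEY_ID = "AKIDEXAMPLE"
SECRET_KEY = b"constructed-secret-key-for-this-example"

def sign_request(method, path, params, timestamp, nonce, secret=SECRET_KEY):
    """HMAC-SHA256 over an assumed canonical form of the request."""
    query = urlencode(sorted(params.items()))
    msg = f"{method}\n{path}\n{query}\n{timestamp}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def signed_headers(method, path, params, now, nonce):
    """Client side: attach identity (public) plus proof of key possession."""
    return {
        "X-Access-Key-Id": ACCESS_KEY_ID,
        "X-Timestamp": str(now),
        "X-Nonce": nonce,
        "X-Signature": sign_request(method, path, params, now, nonce),
    }

class Verifier:
    """Server side: checks signature, timestamp window and nonce reuse."""
    def __init__(self, keys, window=300):
        self.keys = keys        # access key id -> secret key
        self.window = window    # seconds of clock skew tolerated
        self.seen = set()       # (access key id, nonce) pairs already accepted

    def verify(self, method, path, params, headers, now):
        key_id = headers.get("X-Access-Key-Id")
        secret = self.keys.get(key_id)
        if secret is None:
            return "unknown key"
        ts = int(headers.get("X-Timestamp", "0"))
        nonce = headers.get("X-Nonce", "")
        if abs(now - ts) > self.window:
            return "stale timestamp"    # outside the accepted replay window
        if (key_id, nonce) in self.seen:
            return "replay"             # identical request already accepted
        expected = sign_request(method, path, params, ts, nonce, secret)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "bad signature"      # tampered request or wrong secret
        self.seen.add((key_id, nonce))
        return "ok"
```

In production the seen-nonce set needs an expiry matching the timestamp window, otherwise it grows without bound.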
The solution – API Management
Configure API Keys
Configure OAuth
Quota Management for APIs
• Managing usage quotas for APIs to prevent misuse or DoS
Configure Quotas
The Role of the API Gateway
API Gateway – Security and more
• Protective Security
  – Content-Level Threats (XDoS, XXE, etc.)
  – WAF functionality (OWASP Top Ten, etc.)
  – Throttling
• Policy Decision and Enforcement Point
  – STS – Security Token Creation, Consumption, Mediation
  – Dynamic Authorization
  – Data Flow Introspection and Governance
• Integration (lightweight ESB)
  – Heterogeneous, Vendor Agnostic
  – Multiple Protocol and Standard Support
• Enterprise Architecture Intelligence and Protection
  – SSO Enablement
  – Architecture-wide auditing and risk analysis
Security provided by API Gateways
API Gateway protects against threats to Web Services / APIs including:
• Unauthorised Access
• Parameter Manipulation and Data Harvesting
• Network eavesdropping
• Disclosure of sensitive customer data
• Message replay
Diagram: threats on the path from the Consumer through the network Firewall to the API: Unauthorised Access, Parameter Manipulation, Virus Insertion, Network Eavesdropping, Message Replay, Disclosure of customer data. Standard network firewalls offer no protection against these threats.
API Gateways in API Management
Diagram: Client Applications call REST APIs (SOAP/XML/REST/JSON) through the API Gateway, which performs Policy Enforcement in front of back-end Services, Applications and Data, including SOAP Web Services and POX, JMS, FTP endpoints (integration with non-REST API services).
• API Portal (Application Developers): self-service API consumption; build developer community; new channel to market brand; self-register to resources; browse and learn APIs; manage application credentials
• API Manager (API Developers, API Administrators): API Registration & Lifecycle; API Catalog; Partner & Policy Administration; register and manage API lifecycle; perform partner, policy and process admin; monitor and report API use
• API Gateway (Policy Developers): Policy Enforcement; create and extend policies; integrate with applications and infrastructure
API Security testing: Why is it so important?
• API breaches can result in:
  – Stolen data
  – Server attacks
  – Spoofing
  – IoT device tampering
Thinking like a hacker
• We want to know as much as possible about an API’s endpoints, messages, parameters, behavior
• The more we know about the API’s surface – the better we can target our attack!
Looking for vulnerabilities in your API
• OWASP.ORG
• Identify the most likely “soft spots”
• Run all the scans but automate & repeat the most important ones
• Don’t neglect payload analysis
• Pay attention and respond quickly
Show Me How to Protect My API
Demo – Scenario
Bank Account API with
– One method for users to get the balance of one of their accounts
– Vulnerable to SQL Injection
User authentication out of scope
– Focus on the SQL Injection attack
Demo – Detecting API Threats
The API under test is vulnerable to SQL injections; its definition was imported prior to the demo.
1. Normal request
   GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
   – SELECT balance FROM accountinfo WHERE account=123456789;
   – Returns the balance from account 123456789
2. Scanning
   GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
   – SELECT balance FROM accountinfo WHERE account=1 OR 1=1;
   – Returns the balance from all accounts!
Demo – Protecting Against API Threats
Diagram: API Manager and the API Gateway (Threat Protection) sit in front of the API vulnerable to SQL injections, exposing it as a Protected API.
1. Normal request
   GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
   – SELECT balance FROM accountinfo WHERE account=123456789;
   – Returns the balance from account 123456789
2. Scanning
   GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
   – Detected and Blocked by Axway API Gateway!
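An added example (not the demo's own code) that reproduces the two demo requests from the detection and protection slides against a constructed in-memory accountinfo table: the string-spliced query returns every balance for the 1 OR 1=1 input, while a parameterized query does not, and a gateway-style input check in front of the handler blocks the request before it reaches the API, as the gateway does in the demo. The table contents, the digits-only account rule and the handle_request wiring are assumptions made for this example.

```python
import re
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the demo's accountinfo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accountinfo (account INTEGER PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accountinfo VALUES (?, ?)",
                     [(123456789, 1500.0), (555555555, 9.99), (987654321, 42.5)])
    return conn

def balance_vulnerable(conn, accnt):
    """The demo's flawed handler: the accnt query parameter is spliced into SQL."""
    sql = f"SELECT balance FROM accountinfo WHERE account={accnt};"
    return [row[0] for row in conn.execute(sql)]

def balance_parameterized(conn, accnt):
    """Hardened handler: the value is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT balance FROM accountinfo WHERE account=?", (accnt,))
    return [row[0] for row in rows]

# Assumed gateway rule for this API: an account number is 1 to 12 digits, nothing else.
ACCOUNT_RE = re.compile(r"\d{1,12}")

def gateway_check(query_params):
    """Input validation the gateway applies before the request reaches the API."""
    accnt = query_params.get("accnt", "")
    if not ACCOUNT_RE.fullmatch(accnt):
        return False, "blocked: accnt must be 1-12 digits"
    return True, accnt

def handle_request(conn, query_params):
    """Gateway check first, then the parameterized handler (assumed wiring)."""
    ok, result = gateway_check(query_params)
    if not ok:
        return {"status": 400, "error": result}
    return {"status": 200, "balances": balance_parameterized(conn, int(result))}
```

The gateway check and the parameterized query are complementary: the first blocks and can log the attempt, the second makes sure nothing that slips past is ever interpreted as SQL.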
Key Takeaways
Create APIs with Confidence
API Protection
• Put protection in place for your APIs
• Apply throttling, input validation, threat detection
• Block the full spectrum of attacks
API Testing
• OWASP.org is your friend
• Focus on most likely vulnerabilities first
• Build security testing into your dev plans
Try For Free

Editor's Notes

• #16
  – Self-service API consumption: developers can browse APIs and register applications
  – Build a partner and developer community around the APIs
  – New channel to promote brand
  – API catalog: browseable registry of APIs
  – API lifecycle management: register, publish, version, deprecate
  – API administration: client administration & policy management; monitor & manage API usage
  – API policy enforcement: API proxy for enforcing common policies