apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to Make Secure APIs, Jeremy Snyder, FireTail

apidays
October 24, 2023

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/

API Security Breach Analysis & Empowering Devs to Make Secure APIs
Jeremy Snyder, Founder and CEO of FireTail

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Transcript

  1. API Security. Analysing Breaches & Empowering Devs to Build Secure APIs. Apidays Australia | Oct 2023 | Jeremy Snyder
  2. Overview. What we'll cover in the next 25 minutes:
     - Introduction
     - A Decade of Breach Data
     - Real Examples of High Profile Incidents
     - Effective API Security Strategies
     - Bridging the Gap: From Devs to DevSecOps
     - Questions
     - Bonus
  3. About Me. Career cybersecurity professional and CEO of FireTail.
     - 1998-2004 TRADOS (lang tech)
     - 2005-2006 Rivermine (telecom)
     - 2006-2010 Twinity (metaverse)
     - 2010-2011 AWS (30x MRR)
     - 2014-2014 REAN Cloud ($1M in 6 mos)
     - 2016-2020 DivvyCloud (20x ARR+)
     - 2020-2021 Rapid7 (M&A 3 deals)
  4. Low Hanging Fruit. APIs are now an increasingly attractive target for attackers.
     - API sprawl is a looming threat to our economy
     - APIs are becoming the low-hanging fruit for attackers
     - API attacks grew 348% in Q3/Q4 2021
     - APIs will become the #1 attack vector
     - APIs represent 90% of the attack surface of modern apps
     Source: https://www.firetail.io/api-data-breach-tracker
  5. Top 6 Problems. As reported by CISOs in response to a CSO Magazine survey:
     1. Lack of API inventory
     2. Enforcing perimeter security
     3. End-to-end tracing of code to API
     4. Number of required security configs per API
     5. API change management, security implications
     6. Gap between developers and security teams
  6. Examining Breaches. Here are the top-level stats from our analysis of API breaches:
     - 577M+ → 1.4B+ records breached / exposed / at risk of breach
     - 13 → 22M records per breach event
     - 43 → 62 unique, documented breach/research events
     - Huge acceleration in 2023
     - Top attack vectors can be broken down into a few categories
     Numbers updated since the May 2023 report: https://firetail.io/api-security-report-2023
  7. Examples of breach logic around authorization. Authenticates once, but then doesn't require subsequent authorization to access additional functions. Sequential numbering made scraping very easy.
     - Authentication ≠ authorization
     - Must be done server-side
     - Must be done with EVERY call
     - Principal + resource + action; either all map to YES, or it's NO
  8. "Vulnerabilities in apps handling API data are the direct cause of these breaches. Nothing else is to blame." (archive.org)
  9. Examples of breach logic around auth n/z +. Another multi-vector breach. A number of things went wrong.
     - API URL landed in Google SERP
     - API did not require authentication token
     - API did not check for authorization
     - API allowed CRUD functions
     - Conclusions:
       - Combo network configuration + more
       - Poor API design on auth-N/Z
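Slides 7 and 9 both come down to the same rule: authenticate the caller, then on every single call ask whether this principal may perform this action on this resource, server-side, with deny as the default. The following is an added example written for this transcript (not FireTail code and not taken from any of the breached APIs); the account store, the session table, the role names and the `/accounts/<id>` URL shape are all constructed for the illustration. It puts the hardened handler next to the "authenticate once, then trust the ID in the URL" pattern the slide describes.

```python
"""Per-call authorization check: principal + resource + action -> YES, otherwise NO.

Added example for this write-up, not FireTail code and not taken from any of
the breached APIs discussed. The account store, the session table and the
URL shape are all constructed for the illustration.
"""
from dataclasses import dataclass, field

# Constructed data store. Account IDs are opaque, not sequential integers,
# so a valid ID cannot be guessed from another one.
ACCOUNTS = {
    "acc_7f3a": {"owner": "alice", "balance": 120},
    "acc_c91e": {"owner": "bob", "balance": 75},
}

# Constructed session table (token -> principal). Populated by a login step
# that is not shown; the point here is what happens on every call afterwards.
SESSIONS = {
    "tok-alice": {"user": "alice", "roles": {"customer"}},
    "tok-bob": {"user": "bob", "roles": {"customer"}},
    "tok-ops": {"user": "carol", "roles": {"support"}},
}

# HTTP method -> the action the caller is asking for.
ACTIONS = {"GET": "read", "PUT": "update", "DELETE": "delete"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(token):
    """Who is calling? Returns the principal, or None for a missing/unknown token."""
    return SESSIONS.get(token) if token else None


def authorize(principal, resource, action):
    """Is THIS principal allowed to do THIS action on THIS resource?

    Only explicitly matched (principal, resource, action) triples are allowed;
    anything else falls through to the final `return False`.
    """
    is_owner = resource["owner"] == principal["user"]
    if action == "read" and (is_owner or "support" in principal["roles"]):
        return True
    if action in ("update", "delete") and is_owner:
        return True
    return False


def handle(method, path, token):
    """Server-side handler: authenticate, then authorize, on every single request."""
    principal = authenticate(token)
    if principal is None:
        return Response(401, {"error": "authentication required"})

    action = ACTIONS.get(method)
    if action is None:
        return Response(405, {"error": "method not allowed"})

    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "accounts":
        return Response(404, {"error": "not found"})

    account = ACCOUNTS.get(parts[1])
    # Unknown ID and not-authorized get the same answer, so a caller probing
    # IDs learns nothing about which ones exist.
    if account is None or not authorize(principal, account, action):
        return Response(404, {"error": "not found"})

    if action == "read":
        return Response(200, {"id": parts[1], "balance": account["balance"]})
    return Response(204)


def handle_authn_only(method, path, token):
    """The breach pattern from the slide: authenticate once, then trust the ID
    in the URL. Any logged-in user can read any account."""
    if authenticate(token) is None:
        return Response(401, {"error": "authentication required"})
    account = ACCOUNTS.get(path.strip("/").split("/")[-1])
    if account is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"balance": account["balance"]})
```

Two design choices matter here. `authorize` has no "allow everything for role X" branch and ends in `return False`, so a new action or a new role is denied until someone writes the rule for it. And `handle` answers "not found" for both a nonexistent account and a forbidden one, so the response itself does not confirm which IDs exist.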
  10. Example of breach with server & data handling. The starting point of this breach was a server that gave overly verbose errors. Other stuff went wrong too.
     - Enumeration exposed routes
     - Found undisclosed GraphQL endpoint
     - GraphQL endpoint allowed "select *"
     - Conclusions:
       - Poor server config
       - Non-declarative API model
       - Excessive exposure
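Two of the conclusions on slide 10 are fixable in application code: a response model that declares up front which fields may leave the server (so a client selection can never widen into "select *"), and error handling that keeps exception detail on the server side. This is an added example written for this transcript, not FireTail code and not from the breached system on the slide; the stored record, the field lists, the logger name and the exception are constructed for the illustration.

```python
"""Declared response fields and non-verbose errors.

Added example for this write-up, not FireTail code and not from the breached
system on the slide. The stored record, the field lists, the logger name and
the exception are constructed for the illustration.
"""
import logging
import traceback
import uuid

log = logging.getLogger("api")

# Constructed record as it sits in the data store: far more than any client
# should receive. A "select *" style response would hand all of it over.
USER_RECORD = {
    "id": "u_4b2d",
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "password_hash": "$2b$12$constructed.hash.value",
    "internal_notes": "flagged for manual review",
}

# Declarative models: the server decides up front which fields exist in each
# response shape. Nothing outside the tuple is ever serialized.
PUBLIC_USER = ("id", "name")
SELF_USER = ("id", "name", "email")


def project(record, declared, requested=None):
    """Serialize a record through a declared model.

    `requested` lets a client ask for a subset (as a GraphQL selection would);
    it is intersected with `declared`, so asking for undeclared fields
    silently yields nothing for them instead of exposing them.
    """
    wanted = declared if requested is None else [f for f in declared if f in requested]
    return {f: record[f] for f in wanted if f in record}


def verbose_error(exc):
    """What the breached server did: exception text and stack trace go to the
    client, which reveals internal paths, module names and field names."""
    return 500, {"error": str(exc), "trace": traceback.format_exc()}


def safe_error(exc, status=500):
    """Generic body plus a correlation id; detail goes only to server-side logs,
    where the operator can look it up by `ref`."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return status, {"error": "request failed", "ref": ref}


def get_user(requester_id, record=USER_RECORD):
    """Handler: the account owner sees SELF_USER, everyone else PUBLIC_USER."""
    try:
        model = SELF_USER if requester_id == record["id"] else PUBLIC_USER
        return 200, project(record, model)
    except Exception as exc:  # constructed catch-all; real code maps known errors
        return safe_error(exc)
```

The correlation id is what makes the generic error acceptable operationally: support can still find the full exception in the server log by `ref`, while the client learns nothing about internal structure.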
  11. "The internal API had an exposed Microsoft Graph instance which would've allowed an attacker to exfiltrate nearly 100 million user records including names, emails, phone numbers, and addresses" (Sam Curry)
  12. Example of breach via network / data / auth. Yet another multi-vector breach. A number of things went wrong.
     - API made public with DNS / network configuration change
     - API had poor authN
     - Incremental account IDs
     - Conclusions:
       - Poor network change mgmt
       - Bad data handling
       - Easy API access
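Incremental account IDs (slide 12) and the sequential scraping on slide 7 leave a recognisable trace in access logs: one client walking IDs in order. The following is an added example written for this transcript, not FireTail code and not from the breached system; the log format, the client addresses (taken from documentation address ranges), every log line and the detection thresholds are constructed. It shows the detection side (a "D&R on central logs" style check over sample lines) and, at the end, the issuing-side mitigation of opaque IDs.

```python
"""Spotting sequential account-ID enumeration in API access logs.

Added example for this write-up, not FireTail code and not from the breached
system on the slide. The log format, the client addresses (documentation
ranges) and every log line are constructed; the thresholds are assumptions.
"""
import re
import secrets
from collections import defaultdict

# Constructed log format: timestamp, client address, status, method, path.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) /accounts/(?P<id>\d+)$"
)

# Constructed sample: 203.0.113.7 walks IDs in order (the scraping the slide
# describes); 198.51.100.5 looks like an ordinary client.
SAMPLE_LOG = """\
2023-10-11T09:00:01Z 203.0.113.7 200 GET /accounts/100231
2023-10-11T09:00:01Z 203.0.113.7 200 GET /accounts/100232
2023-10-11T09:00:02Z 203.0.113.7 404 GET /accounts/100233
2023-10-11T09:00:02Z 203.0.113.7 200 GET /accounts/100234
2023-10-11T09:00:03Z 198.51.100.5 200 GET /accounts/100231
2023-10-11T09:00:03Z 203.0.113.7 200 GET /accounts/100235
2023-10-11T09:00:04Z 203.0.113.7 200 GET /accounts/100236
2023-10-11T09:00:04Z 198.51.100.5 200 GET /accounts/100231
2023-10-11T09:00:05Z 203.0.113.7 200 GET /accounts/100237
2023-10-11T09:00:05Z 198.51.100.5 200 PUT /accounts/100500
2023-10-11T09:00:06Z 203.0.113.7 200 GET /accounts/100238
"""


def ids_by_client(lines):
    """Map each client to the set of distinct account IDs it requested.
    Status is deliberately ignored: 404s during a walk are still a signal."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            seen[m["client"]].add(int(m["id"]))
    return seen


def run_score(ids):
    """Fraction of requested IDs whose immediate successor was also requested.
    1.0 means a perfectly sequential walk; an ordinary client scores near 0."""
    if len(ids) < 2:
        return 0.0
    return sum(1 for i in ids if i + 1 in ids) / (len(ids) - 1)


def find_enumerators(lines, min_ids=5, min_score=0.8):
    """Clients that touched at least `min_ids` distinct IDs, mostly in sequence."""
    return sorted(
        client
        for client, ids in ids_by_client(lines).items()
        if len(ids) >= min_ids and run_score(ids) >= min_score
    )


def new_account_id():
    """Mitigation on the issuing side: an opaque, random ID. Knowing one
    account's ID tells a caller nothing about the next one."""
    return "acc_" + secrets.token_urlsafe(12)
```

The score is intentionally simple so it can run in a log pipeline: it only needs the set of IDs per client, not ordering or timing. Real deployments would key on an authenticated principal rather than a source address where one is available, and tune `min_ids` to the service's normal per-client fan-out.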
  13. Industry Analysis. Where do breaches happen?
     - Not industry-specific or geography-specific
     - APIs are everywhere
     - But some industries have had a huge breach impact recently
       - Manufacturing (automotive)
       - Technology (software)
       - Hospitality (airlines, hotels, rental cars)
  14. [Diagram: request path Consumer → Internet → GW/Proxy → WAF → Rate limiting → AuthN → Sanitize → Validate → AuthZ → Fetch Data / Modify Data / Execute Function → Server, with the Response path and a Third party API call. The OWASP API Top 10 items are mapped onto the stages where they occur: 1. BOLA, 2. Broken AuthN, 3. BOPLA, 4. Unrestricted Resource Consumption, 5. BFLA, 6. Unrestricted Process Access, 7. SSRF, 8. Misconfiguration, 9. Improper Inventory Management, 10. Unsafe consumption of APIs.] Breaches look like normal requests.
  15. Components of Effective API Security.
     - Visibility. Get a complete view of your entire API landscape across your IT fleet.
     - Policy. APIs analyzed for configuration settings & security policy. API security posture management.
     - Discovery. Finding APIs not running the FireTail library via network traffic, code repos & cloud APIs.
     - Enforcement. Authentication, authorization, validation and sanitization directly in your code.
     - Observability. Commercial version sends configuration and success / failure events to cloud backend.
     - Audit. Full & centralized audit trail of all APIs with the FireTail library. Search & alert capabilities.
  16. DevSecOps & APIs. Define standards and enforce policy to ensure consistent security. Use API security posture management to keep everyone aligned.
     - API Specifications.
     - Security Configurations.
     - Governance & Enforcement.
  17. DevSecOps & APIs. Empower developers. Provide clear guidance:
     - Where is the problem?
     - What is the problem?
     - What is the risk?
     - How do I fix it?
  20. Bridging the Gap.
     - Code & design phase: 1. Secure source code 2. Vulnerability elimination
     - Pre-launch testing: 1. Fuzzing test 2. Logic test
     - Runtime protection: 1. Cover top 4 attack vectors 2. D&R on central logs
     - Contextual Awareness: 1. Feed into CNAPP / AppSec 2. Integrate with SecOps
     (Timeline labels on the slide: Pre-production (dev / test / staging), Production, APP SEC)
  21. Get this Deck. If you would like your own copy of the slides from this presentation, just scan the code.