Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays Helsinki 2024 - From Chaos to Calm- Nav...

Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai

From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush, Principal Solutions Engineer, API Security at Akamai

Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

June 07, 2024
Tweet

Video

More Decks by apidays

Other Decks in Technology

Transcript

  1. From Chaos to Calm: Navigating Emerging API Security Challenges Eli

    Arkush | Principal Solutions Engineer, API Security
  2. Traditional vs Modern Apps GET /dashboard.aspx Fetch messages/notifications/news Returns HTML

    view GET /api/v2/messages GET /api/v2/notifications GET /api/v2/news Returns RAW data Fetch messages/notifications/news User Service
  3. See the full report, which sheds more light on API

    attack trends and remedies. akamai.com/lp/soti/lurking-in-the-shadows
  4. We’re making all the same mistakes with API security that

    we made with web security 20 years ago. Chris Eng - Chief Research Officer - Veracode Akamai State of the Internet (SOTI) API - The Attack Surface that Connect Us All. 7
  5. Loyalty Program Fraud Travel | Airlines | Ecommerce Device Loyalty

    Account 1 Loyalty Account 2 Loyalty Account 3 Loyalty Account 4 Loyalty Account 5 Loyalty Account 6 2 1 See this behaviour in your APIs Investigate these accounts for fraud
  6. Loyalty Program Fraud Travel | Airlines | Ecommerce Device Loyalty

    Account 1 Loyalty Account 2 Loyalty Account 3 Loyalty Account 4 Loyalty Account 5 Loyalty Account 6 See this behaviour in your APIs Investigate these accounts for fraud 2 1
  7. Case Study - Ride Sharing Company 14 (1) POST /addDriver

    (1) Error message with UUID (2) POST /getConsentScreenDetails (2) PII and access token Ride Sharing Company
  8. Ride Sharing Company: Excessive Data Exposure API3:2023 — Broken Object

    Property Level Authorization The APIs exposed much more data than required to operate
  9. Ride Sharing Company: BOLA API1:2023 — Broken Object Level Authorization

    Users can access resources that are not owned by them
  10. BOLA Detection - Relationship Violation A violation of those relationships

    => BOLA UserID: 1337 UserID: 430 Account: 7331 Account: 835 Account: 908 UserID: 777
  11. Goal Is Quality Code In Production Write Code Commit Code

    Build Deploy Maintain Detect ALL APIs: Zombie / Shadow Classify ALL Exposed Data Triage Critical Issues Feedback into Mitigation Tooling Test Code Detect Common Security & Posture Issue
  12. DDoS attacks OWASP attacks CVE exploits Known API attacks Bot

    attacks 1 DDoS protection Rate Limiting Cloud -based Solutions Web Application Firewall Virtual patching of vulnerabilities Blocks known attack patterns Bot Protections Block known bots Built-in App protection Shadow API Auth. partner ! compromised Logic attacks Mitigation Behavioural Analysis Detect: Business Logic abuse Zombies Shadow API Corp Cloud On-prem
  13. API Security Maturity Levels Coverage across the entire enterprise API

    estate Discover shadow APIs and ensure each one is documented or decommissioned Organize your API inventory Look at common alert types and identify strategies and priorities to reduce risk Create response plans to address possible attacks from adversaries Establish a formal API threat hunting discipline 1 Shining a light on the shadows 2 Getting organized 3 Hardening the API posture 4 Sharpening threat detection and response 5 Developing a proactive approach
  14. Takeaways 1. APIs are a primary target 1. Ensure sufficient

    protections are in place for DDoS, Injection attacks and Business Logic abuse 1. Ensure you know where ALL your APIs are located 1. Ensure you know what ALL your APIs are exposing
  15. Come and meet the team! Marc Sandell Bergqvist Major Account

    Executive Akamai Technologies Anders Persson Regional Sales Leader EMEA North Akamai Technologies Sebastian Moradi Senior Major Account Executive Akamai Technologies Eli Arkush Principal Solutions Engineer, API Security Akamai Technologies