Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific

ABOUT ME • Slovakia • Software Engineer • ~10 years
of experience in Software Engineering • Mostly in chemical analysis area, some side projects • Currently in Thermo Fisher Scientific • What am I interested in? • Distributed systems, DDD, Security, AI • Skiing, tennis, hiking, travelling

Security vulnerabilities in your APIs ApiDays Helsinki & North 2024

“ ” SECURITY IS LIKE SPINACH. ONE KNOWS IT IS
VERY BENEFICIAL BUT DOESN’T REALLY EAT IT THAT MUCH. It is the same with SW engineers and security. They mostly understand that their APIs should be secure, however active pursuit of that is not really their priority and they tend to neglect it.

SECURITY NEGLIGENCE • „86 % of developers do not see
security as a top priority“ • What might be the reason? • Deadlines - Knowledge - Management support • Misconceptions • It’s not my problem – DevSecOps department solves it • 3rd party stuff is secure • We are not target for hackers • Security slows down development • Why they should change their perception? • Save the product/company from a PR nightmare • Contribution to the product success • Do not be the hackers’ best friend • Proactive approach more efficient (time & money) than reactive • Security skills make you more valuable in the job market

SECURITY NEGLIGENCE • What might go wrong? • Data breaches
• Sensitive data • Unauthorized access • Resources, functionalities • Denial-of-service attack • Business logic abuse • Having one discount-code and using it multiple times • Removing good reviews of the competitor's restaurant • They’re usually hard to catch by some code-scanning tools

REAL WORLD EXAMPLE • One famous application • Free account
– limit of operations per day • Paid account – unlimited • Business logic abuse → No check when offline

WHAT IS NECESSARY TO PREVENT SUCH THINGS TO HAPPEN IN
YOUR APIS? • Knowledge • Regular checking of APIs for vulnerabilities • Tools • Code-reviews • Testing done by external company

KNOWLEDGE. WHERE TO START? • „33% don’t know what makes
their code vulnerable“ • OWASP - Open Web Application Security Project • Online community • Free resources, methodologies regarding SW security • Top 10 security vulnerabilities list • OWASP Cheat Sheet • CWE - Common Weaknesses Enumeration • Complement to OWASP

OWASP VULNERABILITY EXAMPLE #1 • API6:2019 - Mass Assignment •
https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/

OWASP VULNERABILITY EXAMPLE #2 • API1:2023 Broken Object Level Authorization
• https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level- authorization/

KNOWLEDGE. VULNERABLE PLACES Where does the security “happen”? • Web
browsers / other types of API clients • Network • API hosting machine • Application code – boundaries (middleware) • Application code – 3rd party libraries • Application code – “business code”

TOOLS • Web browsers – Developer tools functionality • Static
code analysis • CI pipeline – CodeQL • AI tools – explanation of piece of code by e.g., GitHub Copilot • Runtime (penetration) testing - FuzzAPI

“ ” THE ONLY TRULY SECURE SYSTEM IS ONE THAT
IS POWERED OFF, CAST IN A BLOCK OF CONCRETE AND SEALED IN A LEAD-LINED ROOM WITH ARMED GUARDS - AND EVEN THEN I HAVE MY DOUBTS. GENE SPAFFORD, SECURITY EXPERT • It is not black, nor it is white • Usability vs. security • X-factor authentication vs. fast login • Constant evolution • Code changes • Code - context changes • Library updates • New ways to attack

A FEW “MUSTS”… • Authentication & authorization • Input validation
& sanitization • Do not put secrets directly into the code • Regularly check for vulnerabilities in 3rd party libraries • Make use of API security testing tools

HOW TO PROCEED? • Resources: • https://owasp.org/API-Security/ • https://cheatsheetseries.owasp.org/index.html •
https://cwe.mitre.org/top25/ • Online courses • UDEMY: Hacking REST APIs - A beginner's guide • UDEMY: Website Hacking / Penetration Testing

THANK YOU! Resources: - https://owasp.org/ - https://cwe.mitre.org/top25/ - https://www.securecodewarrior.com/press-releases/secure-code-warrior-survey-finds-86-of-developers-do-not-view-application-security-as-a-top-priority [email protected]
https://www.linkedin.com/in/ldurovsky/

Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific

Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific

apidays
PRO

More Decks by apidays

Other Decks in Technology

Featured

Transcript

ABOUT ME • Slovakia • Software Engineer • ~10 years

Security vulnerabilities in your APIs ApiDays Helsinki & North 2024

“ ” SECURITY IS LIKE SPINACH. ONE KNOWS IT IS

SECURITY NEGLIGENCE • „86 % of developers do not see

SECURITY NEGLIGENCE • What might go wrong? • Data breaches

REAL WORLD EXAMPLE • One famous application • Free account

WHAT IS NECESSARY TO PREVENT SUCH THINGS TO HAPPEN IN

KNOWLEDGE. WHERE TO START? • „33% don’t know what makes

OWASP VULNERABILITY EXAMPLE #1 • API6:2019 - Mass Assignment •

OWASP VULNERABILITY EXAMPLE #2 • API1:2023 Broken Object Level Authorization

KNOWLEDGE. VULNERABLE PLACES Where does the security “happen”? • Web

TOOLS • Web browsers – Developer tools functionality • Static

“ ” THE ONLY TRULY SECURE SYSTEM IS ONE THAT

A FEW “MUSTS”… • Authentication & authorization • Input validation

HOW TO PROCEED? • Resources: • https://owasp.org/API-Security/ • https://cheatsheetseries.owasp.org/index.html •

THANK YOU! Resources: - https://owasp.org/ - https://cwe.mitre.org/top25/ - https://www.securecodewarrior.com/press-releases/secure-code-warrior-survey-finds-86-of-developers-do-not-view-application-security-as-a-top-priority [email protected]