apidays New York 2023 - A decade of API breaches, courtesy of application flaws, Jeremy Snyder, FireTail

apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023

A decade of API breaches, courtesy of application flaws
Jeremy Snyder, Founder at FireTail

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

June 29, 2023

Transcript

  1. BREACH DATA COLLECTION METHODOLOGY

     - Google + alerts, notifications around data breaches
     - Breach events are reviewed – API as the breach vector?
     - Primary and secondary breach vectors, if applicable
     - Including responsible disclosure, but zero record count
     - Alignment to OWASP API Top 10 (2019) assessed as best fit as possible

  2. BREACH DATA COLLECTION CAVEATS

     - Based on publicly reported data, with few exceptions
     - Examine as many sources as possible, but sometimes only one source is available
     - In most cases, we do not try to replicate the results
     - Not yet recategorized based on OWASP Top 10 2023 RC
     - We did not (yet) finish analysis by API type (REST, GraphQL, gRPC, SOAP), cloud provider or code language
     - List is almost certainly incomplete

  3. APIS ARE GROWING; APIS ARE A PROBLEM

     - API sprawl is a looming threat to our economy – APIs are becoming the low-hanging fruit for attackers
     - API attacks grew 348% in Q3/Q4 2021
     - Close to 1 billion (with a B) records at exposure risk since 2013
     - “Vulnerabilities in apps handling API data are the direct cause of these breaches. Nothing else is to blame.”
     - Gartner: By 2022, API abuses will move from an infrequent to the most frequent attack vector

     Sources: https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/, https://web.archive.org/web/20210127101627/https://www.cloudvector.com/api-data-breaches-in-2020/, https://devops.com/api-sprawl-a-looming-threat-to-digital-economy

  4. BREACH DATA ANALYSIS: HIGH LEVEL STATISTICS

     - 577M+ records breached
     - 13M records per breach event
     - 43 unique, documented breach/research events
     - Top attack vectors can be broken down into a few categories

  5. BREACH DATA ANALYSIS: EXAMPLES OF BREACH LOGIC AROUND AUTHORIZATION

     - Authenticates once, but then doesn’t require subsequent authorization to access additional functions
     - Authenticates, but doesn’t enforce server-side authorization; client is responsible for (B)FLA

     Conclusions:
     - Authentication ≠ authorization
     - Must be done server-side
     - Must be with EVERY call
     - Principal + resource + action; either all map to YES, or it’s NO

  6. “VULNERABILITIES IN APPS HANDLING API DATA ARE THE DIRECT CAUSE OF THESE BREACHES. NOTHING ELSE IS TO BLAME.” – ARCHIVE.ORG PAGE

  7. BREACH DATA ANALYSIS: DISCUSSION AROUND MULTI-VECTOR CONCLUSIONS

     In almost all cases, more than one thing went wrong:
     - Sequential numbering + no server-side authZ
     - No authZ + full data records returned (trimmed by client)
     - 3rd party API access keys discovered + lack of encryption
     - Using common IDs (like VIN or SSN) as authN tokens + second factor

  8. BREACH DATA ANALYSIS: OTHER NOTES AROUND ATTACK VECTORS TRACKED

     - Enumeration – lab environment with hits within 5 min, return callers, 90%+ traffic is probing (git.config, /.env, etc)
     - Data exposure – returning too much data; leaving it to the client to trim or remove
     - Injection – not super common, roughly ~10% of cases
     - Governance – general term, can refer to configuration in a cloud environment, private -> public API, etc

  9. BREACH DATA ANALYSIS: SYSTEMIC FLAWS CAN BE ATTACKED SYSTEMATICALLY

     - These flaws tend to affect the entire API / app logic
     - In responsible disclosures, researchers have often performed very large POCs
     - Average number of records per breach is in the millions, but has actually come down (more breach events)

  10. BREACH DATA ANALYSIS: SOME OTHER OBSERVATIONS

     - Not industry-specific – APIs are everywhere
     - Not geography-specific – APIs are everywhere
     - But some industries have had a huge breach impact recently:
       - Manufacturing (automotive)
       - Technology (software)
       - Hospitality (airlines, hotels, rental cars)

  11. SURVEY RESULTS: TOP 6 PROBLEMS WITH APIS, REPORTED BY CISOS

     1. Lack of API inventory
     2. Enforcing perimeter security (gateway+logic, not firewall)
     3. End-to-end tracing of code to API
     4. Number of required security configs per API
     5. API change management, security implications
     6. Gap between developers and security teams

  12. “ORGANIZATIONS THAT DEFEND THEIR APIS WITH TRADITIONAL NETWORK SECURITY SOLUTIONS ARE HAVING MODERATE SUCCESS AT BEST, IF THEY HAVE ANY SUCCESS AT ALL.” – AKAMAI

  13. TRACK OUR RESEARCH: DATA AND ANALYSIS SHARED ONLINE

     FireTail’s API Data Breach Tracker: https://firetail.io/api-data-breach-tracker

  14. CORE PRINCIPLES OF API SECURITY (FIRETAIL)

     - Visibility – Full view of API landscape across IT fleet
     - Observability – Commercial version sends configuration and success / failure events to cloud backend
     - Policy – APIs can be analyzed for configuration settings and security policy. API security posture management
     - Audit – Full and centralized audit trail of all APIs with FireTail library implemented. Search and set alerts.
     - Discovery – Finding APIs not running FireTail library via network traffic, code repos & cloud APIs
     - Enforcement – Authentication, authorization, validation, sanitization in code

  15. THE SOLUTION – ADOPTION PATH: EMBRACING NEW TECH

     [Diagram: stages Discovery & inventory, Policy, Audit, Attack prevention, numbered 1, 2, 3A, 3, 4]

  16. [Timeline: Pre-production (dev / test / staging) → Production]

     Code & design phase:
       1. Secure source code
       2. Vulnerability elimination
     Pre-launch testing:
       1. Fuzzing test
       2. Logic test
     Runtime protection:
       1. Cover top 4 attack vectors
       2. D&R on central logs
     Contextual awareness:
       1. Feed into CNAPP / AppSec
       2. Integrate with SecOps

     ©2022 FireTail Inc, All rights reserved.

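Slides 5, 7 and 8 describe the authorization pattern behind most of the tracked breaches: the caller authenticates once, later calls are not authorized on the server, object IDs are sequential, and the full record is returned for the client to trim. The Python below is an added example, not code from the talk or from FireTail: it places that handler next to one that decides principal + resource + action on every call and trims the response server-side. The record store, principals, role names and field lists are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample store (not from the talk): sequential IDs, two owners.
RECORDS = {
    1001: {"owner": "alice", "email": "alice@example.com", "ssn": "***-**-1111", "balance": 42.0},
    1002: {"owner": "bob", "email": "bob@example.com", "ssn": "***-**-2222", "balance": 17.5},
}

# Fields the server returns per role. Trimming is done here, never by the client.
VISIBLE_FIELDS = {
    "owner": {"owner", "email", "balance"},
    "support": {"owner", "email"},
}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset = frozenset()


def is_authorized(principal: Principal, action: str, record_id: int) -> bool:
    """Principal + resource + action: every branch must reach True, anything else is NO."""
    record = RECORDS.get(record_id)
    if record is None:
        return False                      # unknown resource: deny without revealing existence
    if action == "read":
        return record["owner"] == principal.user or "support" in principal.roles
    if action == "delete":
        return record["owner"] == principal.user
    return False                          # unlisted action: default deny


def get_record_insecure(record_id: int):
    """Pattern from the breach data: the caller authenticated earlier, so the handler
    just looks up the sequential ID and returns the full record for the client to trim."""
    return RECORDS.get(record_id)


def get_record(principal: Principal, record_id: int):
    """Hardened handler: authorization decided on this call, response trimmed server-side."""
    if not is_authorized(principal, "read", record_id):
        return None                       # same answer for 'not yours' and 'does not exist'
    record = RECORDS[record_id]
    role = "owner" if record["owner"] == principal.user else "support"
    return {k: v for k, v in record.items() if k in VISIBLE_FIELDS[role]}


if __name__ == "__main__":
    alice = Principal("alice")
    print(get_record_insecure(1002))      # whole record, ssn included, for any ID the caller supplies
    print(get_record(alice, 1002))        # None: not alice's record
    print(get_record(alice, 1001))        # alice's own record, without ssn
```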
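Slide 8 reports that 90%+ of the traffic seen in the lab environment was probing for paths like /.env, and slide 7 pairs sequential numbering with missing server-side authorization. As an added example that is not from the talk, this Python scans access-log lines and flags, per client, requests for well-known secret paths and gap-free walks through consecutive numeric IDs; the log lines, the probe-path list and the enumeration threshold are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed access-log sample (common log format); none of these lines is real traffic.
LOG = """\
203.0.113.5 - - [16/May/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.5 - - [16/May/2023:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.5 - - [16/May/2023:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.7 - - [16/May/2023:10:01:00 +0000] "GET /api/v1/users/1001 HTTP/1.1" 200 512
198.51.100.7 - - [16/May/2023:10:01:01 +0000] "GET /api/v1/users/1002 HTTP/1.1" 200 498
198.51.100.7 - - [16/May/2023:10:01:02 +0000] "GET /api/v1/users/1003 HTTP/1.1" 200 507
198.51.100.7 - - [16/May/2023:10:01:03 +0000] "GET /api/v1/users/1004 HTTP/1.1" 200 501
192.0.2.9 - - [16/May/2023:10:02:00 +0000] "GET /api/v1/users/1001 HTTP/1.1" 200 512
192.0.2.9 - - [16/May/2023:10:02:30 +0000] "GET /api/v1/orders HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \d+')
# Paths no legitimate API client requests; each hit is a probe for leaked config or secrets.
PROBE_PATHS = {"/.env", "/.git/config", "/wp-login.php"}
# Path ending in a numeric ID: "/api/v1/users/1001" -> prefix "/api/v1/users/", id 1001.
ID_RE = re.compile(r"^(?P<prefix>.*/)(?P<id>\d+)$")
# Distinct consecutive IDs one client must walk under one prefix to count as enumeration.
ENUM_THRESHOLD = 4


def parse(log: str) -> list:
    """Return one dict per parseable line; malformed lines are skipped, not raised."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def classify(log: str) -> dict:
    """Map client IP -> set of findings ('probe', 'enumeration:<prefix>'); quiet clients are absent."""
    probes, ids = defaultdict(int), defaultdict(list)
    for r in parse(log):
        if r["path"] in PROBE_PATHS:
            probes[r["ip"]] += 1
        m = ID_RE.match(r["path"])
        if m:
            ids[(r["ip"], m["prefix"])].append(int(m["id"]))
    findings = defaultdict(set)
    for ip in probes:
        findings[ip].add("probe")
    for (ip, prefix), seen in ids.items():
        seq = sorted(set(seen))
        # A gap-free run of integers is the signature of walking sequential identifiers.
        if len(seq) >= ENUM_THRESHOLD and seq[-1] - seq[0] == len(seq) - 1:
            findings[ip].add("enumeration:" + prefix)
    return dict(findings)
```

Running `classify(LOG)` flags 203.0.113.5 as probing and 198.51.100.7 as enumerating /api/v1/users/, while 192.0.2.9, which fetched a single record and a collection, is not reported.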