
apidays
December 22, 2024

apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Siemens Energy

Do not live in the Shadow (APIs)
Teresa Pereira, Threat Hunter at Siemens Energy

apidays Paris 2024 - The Future API Stack for Mass Innovation
December 3 - 5, 2024

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Transcript

  1. GET /api/v2/users/me
     • Into APIs since 2017
     • Into Cybersecurity since 2021
     • Into API Hacking since 2022
     • Threat Hunter @ Siemens Energy
     • APISec University Ambassador
     • Speaker @ apidays Paris 2023, apidays London 2024
     • Speaker @ Geek Girls Portugal Conference 2024
     • Previous Experience: Senior IT Advisor/Pentester @ KPMG Portugal

  2. Shadow vs Zombie vs Orphan
     • Shadow: API that exists and operates outside the official, monitored channels within an organization. It arises from rushed development, legacy systems, third-party integrations, or lack of centralized API management.
     • Zombie: Old, forgotten API that is still working in the background. It may have been replaced by new versions or sometimes even a brand-new API.
     • Orphan: Documented API that does not receive traffic. This happens for a variety of reasons, such as being superseded with a new version but not unpublished.

  3. What are the risks of Shadow APIs?
     Top Threat #1: Shadow APIs Hit with 5 Billion Malicious Requests (October 2022)
     Ref: https://www.cequence.ai/news/more-than-30-of-all-malicious-attacks-target-shadow-apis/

  4. What are the risks of Shadow APIs?
     • Often lack the security measures that are applied to documented APIs
     • Might not comply with organizational data privacy policies and regulations or guidelines with respect to security and compliance
     • Might not adhere to the organization's operational standards and best practices, which can cause operational inefficiencies such as duplication of efforts and hidden system dependencies

  5. Optus Data Breach
     • Optus is the second largest telecommunications company in Australia
     • Root cause: a REST API used for testing that was unknowingly exposed to the Internet
     • The data breach resulted in the exposure of approximately 10 million customer records, including PII
     Ref: https://twitter.com/onejvo/status/1573929672748208128
     Ref: https://twitter.com/Jeremy_Kirk/status/1573407117566152704/photo/1

  6. Optus Data Breach (API Security Top 10 categories involved)
     • Unrestricted Resource Consumption (API 04:2023)
     • Broken Object Level Authorization (API 01:2023)
     • Insufficient Logging and Monitoring (API 10:2019)
     • Broken Authentication (API 02:2023)
     • Excessive Data Exposure (API 03:2019)
     • Improper Inventory Management (API 09:2023)

  7. #1 API Discovery
     Automated:
     • Using specialized tools, scripts, and services to scan websites and applications for API endpoints
     Manual:
     • Review documentation and user interfaces
     • Check for API-related URL patterns and network traffic
     • Analyse source code, if available
     • Explore API directories and ask developers

  8. Manual API Discovery
     Advantages:
     • Suitable for short or limited requirements
     • Precision
     Disadvantages:
     • Time-Consuming
     • Human Error
     • Limited Scalability
     • Dependent on expertise
     • Inefficient for Dynamic Environments

  9. Automated API Discovery
     Advantages:
     • Efficiency
     • Scalability
     • Consistency
     • Time-Saving
     Disadvantages:
     • Potential for False Positives
     • Legal and Ethical Concerns
     • Lack of Context
     • Dependency on Updates
     • Limited Depth

  10. #2 Build an API Inventory
      An API Inventory is an up-to-date, structured and centralized catalogue of all the external and internal APIs used within an organization:
      • Information about each API, such as name, description, purpose and owner
      • Version details, including changes, updates and deprecations
      • Any integration with 3rd party APIs
      • API endpoint details: purpose of each endpoint, parameters, requests and responses
      • Other API details, such as authentication and authorization, errors, redirects, dependencies, data formats, usage statistics, lifecycle status, among others

  11. Why is it important to have an API inventory?
      • Have a handle on your attack surface and exposure
      • Track all the APIs that are used by your applications
      • Have clear visibility of who owns the APIs
      • Track older versions of the APIs
      • Identify Zombie, Shadow and Orphan APIs

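The three categories from slide 2 fall out mechanically once an inventory like the one described in slide 10 is compared against real traffic. The following Python script is an added example, not part of the original deck: it reconciles constructed access-log lines with a constructed inventory and labels every endpoint as documented, shadow (traffic but not listed), zombie (traffic to a deprecated entry) or orphan (listed but no traffic). The inventory shape, the `status` field, the `/api/` prefix and the log lines are all assumptions made for the example.

```python
"""Reconcile observed API traffic against an API inventory.

Every endpoint that is listed in the inventory or seen in traffic ends up in
exactly one bucket: documented (listed, receives traffic), shadow (receives
traffic, not listed), zombie (receives traffic, listed as deprecated) or
orphan (listed, receives no traffic).
"""
import re
from collections import Counter

# Constructed inventory: (method, path template) -> lifecycle status.
# Assumption: the inventory records a status of "active" or "deprecated".
INVENTORY = {
    ("GET", "/api/v2/users/{id}"): "active",
    ("POST", "/api/v2/orders"): "active",
    ("GET", "/api/v2/reports"): "active",
    ("GET", "/api/v1/users/{id}"): "deprecated",
}

# Constructed access-log lines (combined-log style) standing in for real
# gateway or web-server logs; the last line is deliberately unparseable.
LOG_LINES = [
    '10.0.0.5 - - [03/Dec/2024:09:00:01 +0100] "GET /api/v2/users/1042 HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Dec/2024:09:00:03 +0100] "GET /api/v2/users/1043 HTTP/1.1" 200 511',
    '10.0.0.9 - - [03/Dec/2024:09:00:04 +0100] "POST /api/v2/orders HTTP/1.1" 201 88',
    '10.0.0.7 - - [03/Dec/2024:09:00:06 +0100] "GET /api/v1/users/77 HTTP/1.1" 200 490',
    '10.0.0.7 - - [03/Dec/2024:09:00:08 +0100] "GET /api/test/export?all=1 HTTP/1.1" 200 90210',
    '10.0.0.7 - - [03/Dec/2024:09:00:09 +0100] "GET /static/app.js HTTP/1.1" 200 3000',
    "garbage line that does not parse",
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Path segments that are per-object identifiers rather than resource names.
NUMERIC_ID = re.compile(r"/\d+(?=/|$)")
UUID_ID = re.compile(
    r"/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?=/|$)", re.I
)


def normalize_path(path: str) -> str:
    """Strip the query string and collapse identifiers to {id} so that
    /users/1042 and /users/1043 map to the same inventory template."""
    path = path.split("?", 1)[0]
    path = NUMERIC_ID.sub("/{id}", path)
    path = UUID_ID.sub("/{id}", path)
    return path


def observed_endpoints(lines, api_prefix="/api/") -> Counter:
    """Count requests per (method, path template) for paths under api_prefix."""
    seen = Counter()
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line; skip rather than fail
        template = normalize_path(m.group("path"))
        if template.startswith(api_prefix):
            seen[(m.group("method"), template)] += 1
    return seen


def classify(inventory, observed):
    """Bucket endpoints into documented / shadow / zombie / orphan."""
    buckets = {"documented": [], "shadow": [], "zombie": [], "orphan": []}
    for endpoint, status in inventory.items():
        if endpoint in observed:
            buckets["zombie" if status == "deprecated" else "documented"].append(endpoint)
        else:
            buckets["orphan"].append(endpoint)
    for endpoint in observed:
        if endpoint not in inventory:
            buckets["shadow"].append(endpoint)
    return {name: sorted(items) for name, items in buckets.items()}


if __name__ == "__main__":
    observed = observed_endpoints(LOG_LINES)
    for bucket, endpoints in classify(INVENTORY, observed).items():
        for method, template in endpoints:
            hits = observed.get((method, template), 0)
            print(f"{bucket:10s} {method:5s} {template}  ({hits} requests)")
```

Path normalization is the part that needs care in practice: without collapsing identifiers, every object ID shows up as its own "undocumented" endpoint and the shadow list becomes noise. Anything the log shows under the API prefix but outside the inventory (here the test/export path) is the shadow API the inventory owner needs to chase down.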
  12. #3 Continuous Monitoring
      Understand and establish a baseline for normal traffic activity (baseline traffic patterns):
      • Identify an increase in the number of calls to a particular API endpoint
      • Identify any other abnormal activity

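The baselining step above is simple to implement once per-endpoint call counts are available per time window. This Python script is an added example (not from the deck): it derives a mean and a standard-deviation threshold per endpoint from constructed historical counts and flags, for the current window, a volume spike, an endpoint with no baseline at all (a candidate shadow or zombie API) and a baselined endpoint that suddenly receives no traffic. The endpoint names, the counts and the `k = 3` multiplier are assumptions chosen for the example.

```python
"""Baseline per-endpoint call volume and flag deviations in the current window.

The baseline is built from request counts in a series of past windows
(constructed here). An endpoint is flagged when the current window's count
exceeds mean + k * standard deviation, when it has no baseline at all, or
when a baselined endpoint receives no traffic.
"""
import statistics

# Constructed: requests per one-minute window over twelve "normal" minutes.
BASELINE_SERIES = {
    "GET /api/v2/users/{id}": [40, 42, 39, 45, 41, 38, 44, 40, 43, 42, 39, 41],
    "POST /api/v2/orders": [5, 6, 4, 5, 7, 5, 6, 4, 5, 6, 5, 5],
    "GET /api/v2/reports": [2, 1, 2, 3, 2, 1, 2, 2, 3, 1, 2, 2],
}

# Constructed: request counts for the window under evaluation.
CURRENT_WINDOW = {
    "GET /api/v2/users/{id}": 180,  # sudden jump on a user-lookup endpoint
    "POST /api/v2/orders": 6,       # within the normal range
    "GET /api/v1/users/{id}": 9,    # endpoint that has never been baselined
    # "GET /api/v2/reports" is absent: no calls at all in this window
}

SPIKE = "spike"
NO_BASELINE = "no_baseline"
NO_TRAFFIC = "no_traffic"


def build_baseline(series, k=3.0, min_margin=5):
    """Return {endpoint: (mean, threshold)}.

    threshold = mean + k * population stdev, but never closer than min_margin
    above the mean, so very flat series do not alert on a change of one call.
    """
    baseline = {}
    for endpoint, counts in series.items():
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts)
        baseline[endpoint] = (mean, max(mean + k * stdev, mean + min_margin))
    return baseline


def detect(baseline, current):
    """Return sorted (endpoint, reason, count) findings for one window."""
    findings = []
    for endpoint, count in current.items():
        if endpoint not in baseline:
            findings.append((endpoint, NO_BASELINE, count))
        elif count > baseline[endpoint][1]:
            findings.append((endpoint, SPIKE, count))
    for endpoint in baseline:
        if endpoint not in current:
            findings.append((endpoint, NO_TRAFFIC, 0))
    return sorted(findings)


def analyze(series=BASELINE_SERIES, current=CURRENT_WINDOW):
    """Build the baseline from history and evaluate the current window."""
    return detect(build_baseline(series), current)


if __name__ == "__main__":
    for endpoint, reason, count in analyze():
        print(f"{reason:12s} {endpoint:26s} count={count}")
```

The "no baseline" finding is the one that ties monitoring back to inventory: an endpoint that starts receiving traffic without any history is either newly released (and should appear in the inventory) or something that was never supposed to be reachable.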
  13. #4 API-First Mentality
      • Organize regular API best practices training workshops with the team
      Ensure that everyone is on the same page about maintaining solid API hygiene; they will then be more likely to adhere to compliance and to be vigilant in identifying such APIs.

  14. #5 Shift-Left Approach
      • Start testing your APIs in the early stages of development
      When a secure design is the default, you're not just stopping vulnerabilities — you're establishing a culture in your organization that produces APIs protected by security as a standard.
      Ref: https://www.lambdatest.com/learning-hub/shift-right-testing

  15. "APIs can be open windows, even when the doors are locked."
      Ref: https://www.cequence.ai/blog/api-security/api-breach-duolingo/

  16. Do you have any questions? Thank you!
      /in/maria-teresa-pereira • @starmtp • @starmtp_
      Not registered to APISec University yet? Register today!