(MIS)USING &
ABUSING APIS
D. Keith Casey Jr
[email protected]
@CaseySoftware
WHO AM I?
IT’S UGLY OUT THERE
CAMBRIDGE ANALYTICA
• Not a data breach, not even misuse
• They used it exactly as Facebook planned, designed, and implemented
• Just as thousands of others have
EQUIFAX
• Actually, wait... let’s come back to this one.
PANERA
• Completely unprotected API
• Reported in August 2017, not addressed until April 2018
• Gave access to name, address, email, username, phone, birthday, food preferences, and last 4 credit card digits
WHAT CAN I DO WITH THIS?
• Change your food preferences?
• Verify your email address/phone number?
• Use your home address?
• Hijack your Google & Twitter accounts and get control of your Mac?
ATTACK PATTERN
• Use Panera data to get name, email, address and last 4 cc digits
• Contact Tech Support to update email address, reset accounts, take over everything
• Contact [cell carrier] to port number to compromise 2FA-protected systems & data
EQUIFAX
• Identity Proofing
  • When you sign up for something and have to verify who you are
• Realistically, this no longer exists. With this data, anyone can “prove” they are anyone they want
HOW DID WE GET HERE?
API JOURNEY: A MATURITY MODEL
Phase 0: Integrate internal systems by introducing Private APIs
Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
Phase 2: Limited API access to partners, resellers and suppliers
Phase 3: Grow these APIs as full fledged products with external developer access, either monetized directly or to reach new customers and enter new markets.
Callout at Phase 3: Security Team evaluates use cases, interfaces, authentication, access management, etc, etc
Credit: okta.com
API JOURNEY: A MATURITY MODEL
Phase 0: Integrate internal systems by introducing Private APIs
Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
Phase 2: Limited API access to partners, resellers and suppliers
Phase 3: Grow these APIs as full fledged products with external developer access, either monetized directly or to reach new customers and enter new markets.
Callout across all phases: The security issue was always there
Credit: okta.com
THREE GROUPS: ALWAYS AT WAR ODDS
• Buyers: Integration Architects (NEW)
• Influencers: Developers
• Influencers: Security Architects
Credit: okta.com
SO WHAT DO WE DO?
AuthN vs AuthZ
• Authentication is “who you are”
• Authorization is “what are you allowed to do”
• Understand who needs to do what when
• is_admin is NOT enough
KEY & TOKEN MGMT
• Scope your API keys
• Expire/rotate your keys
• Provide multiple keys?
• Understand the use cases you’re addressing
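The AuthN vs AuthZ and key & token management points above in working code, as an added example that is not part of the talk: each key carries fine-grained scopes and an expiry, authorization checks scope and resource ownership instead of a single is_admin flag, and rotation issues a successor while the old key dies after a short overlap. All names (ApiKey, acct_42, orders:read, key_alpha) are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ApiKey:
    key_id: str           # constructed identifier, not a real credential
    owner: str            # account the key was issued to
    scopes: frozenset     # fine-grained grants such as "orders:read"; no blanket is_admin
    expires_at: datetime  # every key expires, so a leaked key has a bounded lifetime

class AuthzError(Exception):
    pass

def authorize(key, now, needed_scope, resource_owner):
    """Allow the call only if the key is unexpired, carries the scope this
    endpoint needs, and belongs to the account that owns the resource."""
    if now >= key.expires_at:
        raise AuthzError(f"{key.key_id}: expired")
    if needed_scope not in key.scopes:
        raise AuthzError(f"{key.key_id}: missing scope {needed_scope}")
    if key.owner != resource_owner:
        raise AuthzError(f"{key.key_id}: not owner of resource")
    return True

def rotate(key, new_key_id, now, ttl, overlap):
    """Issue a successor with the same owner and scopes, and cut the old key's
    lifetime to the overlap window so clients must migrate before it dies."""
    successor = ApiKey(new_key_id, key.owner, key.scopes, now + ttl)
    retiring = ApiKey(key.key_id, key.owner, key.scopes,
                      min(key.expires_at, now + overlap))
    return retiring, successor

def demo():
    now = datetime(2018, 5, 1, tzinfo=timezone.utc)  # constructed clock
    key = ApiKey("key_alpha", "acct_42", frozenset({"orders:read"}), now + timedelta(days=30))
    results = {"own_read": authorize(key, now, "orders:read", "acct_42")}
    attempts = {
        "write_not_in_scope": (key, now, "orders:write", "acct_42"),
        "other_account": (key, now, "orders:read", "acct_7"),
        "expired": (key, now + timedelta(days=31), "orders:read", "acct_42"),
    }
    for name, args in attempts.items():
        try:
            results[name] = "allowed" if authorize(*args) else "denied"
        except AuthzError as err:
            results[name] = str(err)  # the reason is what you log, not what you return to the caller
    old, _new = rotate(key, "key_beta", now, timedelta(days=30), timedelta(hours=24))
    results["old_key_hours_left"] = (old.expires_at - now) // timedelta(hours=1)
    return results
```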
WRITE GOOD EXAMPLES
• What does sample code demonstrate?
  • What the API does
  • How to use the API
  • The Right Way to use the API
WHAT DO WE AVOID?
Don’t: Roll your own Encryption
• Use an existing library that implements an open standard, audit if you prefer
• Don’t create your own encryption
• No, don’t. You’re not special.
• No, not even then. Are you even listening?
Don’t: Leak your own Data
• What can I tell from using your API?
• Do the URLs tell a story?
• Does that put customers at risk?
• Does it share internal company data?
Don’t: Collect or Share Extra Data
• Cambridge Analytica
• Why should people share this information?
• How might Keith, or any bad actor, use this information?
• You can’t leak what you don’t have
SO WHAT IF I DON’T?
WHY?