Slide 1

Slide 1 text

(MIS)USING & ABUSING APIS D. Keith Casey Jr [email protected] @CaseySoftware

Slide 2

Slide 2 text

WHO AM I?

Slide 3

Slide 3 text

WHO AM I?

Slide 4

Slide 4 text

WHO AM I?

Slide 5

Slide 5 text

IT’S UGLY OUT THERE

Slide 6

Slide 6 text

CAMBRIDGE ANALYTICA • Not a data breach, not even misuse • They used it exactly as Facebook planned, designed, and implemented • Just as thousands of others have

Slide 7

Slide 7 text

EQUIFAX • Actually, wait... let’s come back to this one.

Slide 8

Slide 8 text

PANERA • Completely unprotected API • Reported in August 2017, not addressed until April 2018 • Gave access to name, address, email, username, phone, birthday, food preferences, and last 4 credit card digits

Slide 9

Slide 9 text

WHAT CAN I DO WITH THIS? • Change your food preferences? • Verify your email address/phone number? • Use your home address? • Hijack your Google & Twitter accounts and get control of your Mac?

Slide 10

Slide 10 text

ATTACK PATTERN • Use Panera data to get name, email, address and last 4 cc digits • Contact Tech Support to update email address, reset accounts, take over everything • Contact [cell carrier] to port number to compromise 2FA-protected systems & data

Slide 11

Slide 11 text

Credit: https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815

Slide 12

Slide 12 text

EQUIFAX

Slide 13

Slide 13 text

EQUIFAX • Identity Proofing • When you sign up for something and have to verify who you are • Realistically, this no longer exists. With this data, anyone can “prove” they are anyone they want

Slide 14

Slide 14 text

HOW DID WE GET HERE?

Slide 15

Slide 15 text

API JOURNEY: A MATURITY MODEL • Phase 0: Integrate internal systems by introducing Private APIs • Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance • Phase 2: Limited API access to partners, resellers and suppliers • Phase 3: Grow these APIs as full-fledged products with external developer access, either monetized directly or to reach new customers and enter new markets • Security Team evaluates use cases, interfaces, authentication, access management, etc. Credit: okta.com

Slide 16

Slide 16 text

API JOURNEY: A MATURITY MODEL • Phase 0: Integrate internal systems by introducing Private APIs • Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance • Phase 2: Limited API access to partners, resellers and suppliers • Phase 3: Grow these APIs as full-fledged products with external developer access, either monetized directly or to reach new customers and enter new markets • The security issue was always there Credit: okta.com

Slide 17

Slide 17 text

THREE GROUPS: ALWAYS AT (WAR) ODDS • Buyers: Integration Architects (NEW) • Influencers: Developers, Security Architects Credit: okta.com

Slide 18

Slide 18 text

SO WHAT DO WE DO?

Slide 19

Slide 19 text

AuthN vs AuthZ • Authentication is “who you are” • Authorization is “what are you allowed to do” • Understand who needs to do what when • is_admin is NOT enough
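An added example (not code from the slides) of what “is_admin is NOT enough” looks like in practice. The Principal and Order types, the action names and the scope strings are this example’s own assumptions; the point is that a real authorization decision combines the credential’s scope, the caller’s relationship to the specific record, and the record’s state, none of which a single boolean captures.

```python
"""Authorization beyond a single is_admin flag.

Added example, not code from the slides: models "who may do what, on which
record" as explicit checks. Principal, Order, the action names and the
scope strings are this example's own assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()      # what the person is, e.g. {"support", "billing"}
    scopes: frozenset = frozenset()     # what this credential was issued for, e.g. {"orders:read"}
    is_admin: bool = False


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: str
    status: str                          # "open" or "shipped"


# Scope a credential must carry before an action is even considered. A token
# with narrower scopes than the person's roles would allow stays narrow.
REQUIRED_SCOPE = {
    "read": "orders:read",
    "cancel": "orders:write",
    "refund": "orders:refund",
}


def can(principal: Principal, action: str, order: Order) -> bool:
    """True only if principal may perform `action` on this particular order.

    Three questions an is_admin boolean collapses into one:
      1. Is the credential scoped for this action at all?
      2. What is the caller's relationship to this record (owner? support?)
      3. Is the record in a state where the action makes sense?
    """
    scope = REQUIRED_SCOPE.get(action)
    if scope is None or scope not in principal.scopes:
        return False                      # unknown action, or credential not issued for it

    is_owner = principal.user_id == order.owner_id

    if action == "read":
        return is_owner or "support" in principal.roles or principal.is_admin
    if action == "cancel":
        # Self-service only, and only while the order is still open. Neither
        # support nor admins cancel on a customer's behalf in this model.
        return is_owner and order.status == "open"
    if action == "refund":
        # A billing function, never self-service. Note the admin flag alone
        # did not get past the scope check above.
        return "billing" in principal.roles or principal.is_admin
    return False


if __name__ == "__main__":
    alice = Principal("alice", scopes=frozenset({"orders:read", "orders:write"}))
    order = Order("o-1", "alice", "open")
    print(can(alice, "cancel", order))    # owner of an open order: True
    print(can(alice, "refund", order))    # credential has no refund scope: False
```

The scope check runs first on purpose: a leaked read-only token held by an administrator still cannot refund anything, which is the property an `is_admin` column alone cannot give you.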

Slide 20

Slide 20 text

KEY & TOKEN MGMT • Scope your API keys • Expire/rotate your keys • Provide multiple keys? • Understand the use cases you’re addressing
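An added example (not code from the slides) putting the four bullets together: keys carry scopes, expire, can be rotated with an overlap window, and a client can hold several at once. The KeyStore class, the “key_id.secret” format and the scope names are this example’s own assumptions; only the Python standard library is used.

```python
"""API key lifecycle: scoped, expiring, rotatable keys stored as hashes.

Added example, not code from the slides. KeyStore, the "key_id.secret"
key format and the scope names are this example's own assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class KeyRecord:
    key_id: str
    client_id: str
    secret_hash: bytes          # SHA-256 of the secret; the secret itself is never stored
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


class KeyStore:
    def __init__(self):
        self._records = {}      # key_id -> KeyRecord

    def issue(self, client_id, scopes, ttl=timedelta(days=90), now=None):
        """Mint a key. The plaintext is returned exactly once and never kept.
        A plain SHA-256 is enough here because the secret is 256 random bits,
        not a human-chosen password."""
        now = now or datetime.now(timezone.utc)
        key_id = secrets.token_urlsafe(8)       # base64url: never contains "."
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(
            key_id=key_id,
            client_id=client_id,
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            scopes=frozenset(scopes),
            expires_at=now + ttl,
        )
        return f"{key_id}.{secret}"

    def keys_for(self, client_id):
        """A client may hold several live keys (one per integration or
        environment) so one leaked key can be revoked without an outage."""
        return [r.key_id for r in self._records.values()
                if r.client_id == client_id and not r.revoked]

    def revoke(self, key_id):
        self._records[key_id].revoked = True

    def rotate(self, old_key, scopes=None, overlap=timedelta(days=7), now=None):
        """Issue a replacement and shorten the old key's life to `overlap`,
        giving the client a window to switch. Scopes default to the old key's."""
        now = now or datetime.now(timezone.utc)
        old = self._lookup(old_key)
        if old is None:
            raise ValueError("unknown key")
        old.expires_at = min(old.expires_at, now + overlap)
        return self.issue(old.client_id,
                          old.scopes if scopes is None else scopes, now=now)

    def _lookup(self, presented):
        key_id, _, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None:
            return None
        digest = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(digest, rec.secret_hash):   # constant-time compare
            return None
        return rec

    def authorize(self, presented, required_scope, now=None):
        """Return the client_id if the key is valid, unexpired, unrevoked and
        carries required_scope; otherwise None. Every failure gets the same
        answer so the caller cannot tell which check rejected it."""
        now = now or datetime.now(timezone.utc)
        rec = self._lookup(presented)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        if required_scope not in rec.scopes:
            return None
        return rec.client_id


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("acme", ["orders:read"])
    print(store.authorize(key, "orders:read"))     # acme
    print(store.authorize(key, "orders:write"))    # None: key not scoped for writes
```

Scoping the key at issue time is what limits the blast radius of a leak: a key minted for a read-only dashboard integration cannot be turned into a write key by whoever finds it in a repository.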

Slide 21

Slide 21 text

WRITE GOOD EXAMPLES • What does sample code demonstrate? • What the API does • How to use the API • The Right Way to use the API

Slide 22

Slide 22 text

WHAT DO WE AVOID?

Slide 23

Slide 23 text

Don’t: Roll your own Encryption • Use an existing library that implements an open standard, audit if you prefer • Don’t create your own encryption • No, don’t. You’re not special. • No, not even then. Are you even listening?
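An added example (not code from the slides) of why the slide is so insistent. `homebrew_encrypt` below is a deliberately naive scheme of the kind that shows up in real code bases: SHA-256 of the key, repeated as a keystream and XORed over the plaintext, with no nonce and no integrity check. Everything here, including the two JSON records, is constructed for the demonstration; the attacks need no key.

```python
"""Why "don't roll your own encryption": a home-grown scheme broken without the key.

Added example, not code from the slides. homebrew_encrypt is deliberately
naive: keystream = SHA-256(key) repeated, XORed over the plaintext, with no
nonce and no MAC. The messages and key are constructed for the demo.
"""
import hashlib

BLOCK = 32   # SHA-256 digest length; the keystream repeats with this period


def homebrew_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """VULNERABLE by design: the same key yields the same keystream for every message."""
    block = hashlib.sha256(key).digest()
    keystream = (block * (len(plaintext) // BLOCK + 1))[: len(plaintext)]
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


homebrew_decrypt = homebrew_encrypt              # XOR is its own inverse


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream_block(ct_known: bytes, pt_known: bytes) -> bytes:
    """Keystream reuse: ct ^ pt == keystream. One message whose content the
    attacker knows (their own account record, say) exposes the whole period."""
    if len(pt_known) < BLOCK:
        raise ValueError("need at least one full keystream block of known plaintext")
    return xor(ct_known, pt_known)[:BLOCK]


def decrypt_without_key(ks_block: bytes, ct: bytes) -> bytes:
    """Every other ciphertext under the same key now opens with that block."""
    keystream = (ks_block * (len(ct) // BLOCK + 1))[: len(ct)]
    return xor(ct, keystream)


def tamper(ct: bytes, old: bytes, new: bytes, offset: int) -> bytes:
    """No integrity check: flipping ciphertext bits flips plaintext bits. An
    attacker who knows the bytes at `offset` rewrites them with old ^ new."""
    patch = xor(old, new)
    end = offset + len(patch)
    return ct[:offset] + xor(ct[offset:end], patch) + ct[end:]


# Constructed data: the attacker's own record (known to them) and a victim's.
KEY = b"correct horse battery staple"
ATTACKER_RECORD = b'{"user":"mallory","role":"customer","balance":0}'
VICTIM_RECORD = b'{"user":"alice","role":"admin","balance":9000}'


if __name__ == "__main__":
    ct_attacker = homebrew_encrypt(KEY, ATTACKER_RECORD)
    ct_victim = homebrew_encrypt(KEY, VICTIM_RECORD)
    block = recover_keystream_block(ct_attacker, ATTACKER_RECORD)
    print(decrypt_without_key(block, ct_victim))             # alice's record, no key needed
    off = ATTACKER_RECORD.index(b'"balance":') + len(b'"balance":')
    forged = tamper(ct_attacker, b"0", b"9", off)
    print(homebrew_decrypt(KEY, forged))                     # balance silently becomes 9
```

The fix is not a cleverer homebrew. Use an authenticated encryption mode (AES-GCM or ChaCha20-Poly1305) from a vetted library such as libsodium or Python’s `cryptography` package, with a fresh nonce for every message, and the two attacks above stop working by construction.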

Slide 24

Slide 24 text

Don’t: Leak your own Data • What can I tell from using your API? • Do the URLs tell a story? • Does that put customers at risk? • Does it share internal company data?
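An added example (not code from the slides) of what “Do the URLs tell a story?” means when someone probes `/customers/<id>`. The in-memory CustomerApi and its records are constructed for illustration; it toggles the three decisions that decide what a caller learns: sequential versus opaque identifiers, whether ownership is checked at all, and whether “not yours” is answered differently from “does not exist”.

```python
"""What your URLs give away: sequential vs opaque IDs, and uniform error codes.

Added example, not code from the slides. CustomerApi is an in-memory stand-in
for a REST resource at /customers/<id>; the records are constructed.
"""
import secrets


class CustomerApi:
    def __init__(self, opaque_ids: bool, check_owner: bool, uniform_404: bool):
        self.opaque_ids = opaque_ids      # random 128-bit ids vs 1, 2, 3, ...
        self.check_owner = check_owner    # enforce that the caller owns the record
        self.uniform_404 = uniform_404    # answer "not yours" exactly like "does not exist"
        self._records = {}
        self._next_id = 1

    def create(self, owner: str, email: str) -> str:
        if self.opaque_ids:
            cid = secrets.token_urlsafe(16)   # 2**128 space: cannot be walked, says nothing about count
        else:
            cid = str(self._next_id)          # the id itself reports how many customers exist
            self._next_id += 1
        self._records[cid] = {"id": cid, "owner": owner, "email": email}
        return cid

    def get(self, caller: str, cid: str):
        """Simulates GET /customers/<cid>. Returns (http_status, body)."""
        rec = self._records.get(cid)
        if rec is None:
            return 404, None
        if self.check_owner and rec["owner"] != caller:
            return (404 if self.uniform_404 else 403), None
        return 200, rec


def probe(api: CustomerApi, caller: str, candidate_ids):
    """What an attacker does with a guessable URL space: request every candidate
    and tally the answers. Returns (status counts, other people's emails obtained)."""
    counts = {}
    leaked = []
    for cid in candidate_ids:
        status, body = api.get(caller, cid)
        counts[status] = counts.get(status, 0) + 1
        if status == 200 and body["owner"] != caller:
            leaked.append(body["email"])
    return counts, leaked


def seed(api: CustomerApi, n: int = 5):
    """Constructed data: n customers named user0..user{n-1}."""
    return [api.create(f"user{i}", f"user{i}@example.com") for i in range(n)]


if __name__ == "__main__":
    # No auth, sequential ids: ten requests dump every record and reveal the count.
    api = CustomerApi(opaque_ids=False, check_owner=False, uniform_404=False)
    seed(api)
    print(probe(api, "user0", [str(i) for i in range(1, 11)]))
```

Read the configurations in order. With no ownership check, walking the integers returns everyone’s data. Adding the check but answering 403 for existing records still tells the caller how many customers you have (count the 403s). Answering a uniform 404 closes that, but a sequential id in the caller’s own URL still says “you are customer number 5”. Opaque ids remove the story entirely.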

Slide 25

Slide 25 text

Don’t: Collect or Share Extra Data • Cambridge Analytica • Why should people share this information? • How might Keith (a bad actor) use this information? • You can’t leak what you don’t have

Slide 26

Slide 26 text

SO WHAT IF I DON’T?

Slide 27

Slide 27 text

WHY?

Slide 28

Slide 28 text

(MIS)USING & ABUSING APIS D. Keith Casey Jr [email protected] @CaseySoftware