apidays LIVE London 2021 - Reaching Maximum Potential in Banking & Insurance with API Mindset
October 27 & 28, 2021
API Security
API Security challenges and solutions
Wadii Tahri, CEO of DIGIXER
3. OWASP API Top 10
1. Broken object level authorization
2. Broken user authentication
3. Excessive data exposure
4. Lack of resources and rate limiting
5. Broken function level authorization
6. Mass assignment
7. Security misconfiguration
8. Injection
9. Improper assets management
10. Insufficient logging and monitoring
4. Threats
Broken Object Level authorization
/! Also known as Insecure Direct Object Reference
/! Attackers substitute the id of their own resource in the API call with the id of another user’s resource
/! Unauthorized access to the API’s resources
5. apidays conferences
New York (JULY)
Australia (SEPTEMBER)
Singapore (APRIL)
Helsinki & North (MARCH)
Paris (DECEMBER)
London (OCTOBER)
Jakarta (FEBRUARY)
Hong Kong (AUGUST)
JUNE
India (MAY)
Check out our API Conferences here
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community
Want to talk at one of our conferences?
Apply to speak here
6. Threats
Broken function level authorization
/! Improper access controls
/! No authorization, or lack of strict authorization
➔ Data disclosure, full account takeover…
7. Threats
Broken User Authentication
/! Insecure or missing protection mechanisms on the API
➔ Stealing sensitive data, account takeover, impersonation of user accounts
8. Threats
Excessive data exposure
/! The API may expose a lot more data than what the client really needs
/! Attack vectors: brute force, credential stuffing
➔ Attackers call the API directly and get the sensitive data
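As an added example that is not part of the talk, the same bank-account endpoint written twice: a vulnerable form that trusts the id from the request and returns the whole object (the object-level authorization and excessive data exposure threats above), beside a hardened form that checks object ownership against the token's subject and returns only the fields the client needs. The account store, the token claims (a `sub` field), the `owns` helper and every account value are constructed for this example.

```python
# Added example, not the talk's code: object-level authorization and
# response filtering for a bank-account API. The store, the token
# claims and every account value below are constructed for this demo.
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""

@dataclass(frozen=True)
class Account:
    account_id: str
    owner_sub: str   # subject claim of the user who owns this account
    iban: str
    balance: float
    ssn: str         # sensitive: must never leave the backend

# Constructed sample data: two users, one account each.
ACCOUNTS = {
    "acc-1001": Account("acc-1001", "alice", "GB00EXMP00000001", 1250.0, "***-**-0001"),
    "acc-1002": Account("acc-1002", "bob", "GB00EXMP00000002", 87.5, "***-**-0002"),
}

# Fields the client actually needs; everything else stays server-side.
PUBLIC_FIELDS = ("account_id", "iban", "balance")

def get_account_vulnerable(claims: dict, account_id: str) -> dict:
    """BOLA/IDOR: trusts the id from the request and returns the whole object."""
    acct = ACCOUNTS[account_id]   # no check that the caller owns this id
    return vars(acct)             # excessive data exposure: ssn, owner_sub

def owns(claims: dict, account_id: str) -> bool:
    """Object-level authorization: does the token subject own this account?"""
    acct = ACCOUNTS.get(account_id)
    return acct is not None and acct.owner_sub == claims.get("sub")

def get_account_secure(claims: dict, account_id: str) -> dict:
    """Hardened: check ownership first, then return only the allowed fields."""
    # One error for both 'missing' and 'not yours', so responses never reveal which ids exist.
    if not owns(claims, account_id):
        raise Forbidden(f"access to {account_id} denied")
    acct = ACCOUNTS[account_id]
    return {field: getattr(acct, field) for field in PUBLIC_FIELDS}

if __name__ == "__main__":
    alice = {"sub": "alice"}   # claims from an already verified token (constructed)
    print(get_account_vulnerable(alice, "acc-1002"))  # leaks Bob's account, ssn included
    print(get_account_secure(alice, "acc-1001"))      # Alice's own account, public fields only
    print(owns(alice, "acc-1002"))                    # False: the secure endpoint would refuse
```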
9. Threats
Lack of resources and rate-limiting
/! Abusing an API so that it consumes all available resources, making the service unavailable
/! If attackers go directly to the API, they have it all.
➔ DoS
10. Threats
Injection
/! Injecting malicious code through the API into the server
/! SQL injection, OS or LDAP injection
➔ Data loss, data breach, denial of service, etc.
➔ Input data validation is required
12. Solutions?
➔ Authorization
/! Clients should be able to access and use the API’s resources only if they are authorized, using tokens!
➔ Identity and Access Management (IAM)
/! End users should authenticate against an authentication system (SSO or IdP) before their client app is issued a token that grants access to the API’s resources!
➔ Traffic management: Quotas, Spike Arrest
/! The API provider should protect its APIs and their backends against inappropriate traffic from clients using throttling and quota mechanisms!
14. OpenID Connect
/! A simple identity layer on top of OAuth 2.0
/! It allows clients to identify end users by delegating the authentication request to an IdP (Identity Provider)
15. SSO (Single Sign On)
/! Single authentication ➔ Simpler and more convenient for users
/! Stronger passwords
/! No repeated passwords
/! Better password policy enforcement
/! Multi-factor authentication
/! Internal credentials storage
16. APIM
/! All API Gateways and API Management solutions provide security policies to secure APIs
/! OAuth2 policies: generating/verifying tokens
/! JWT policies: generating/verifying tokens
/! API Platforms support integration with IdPs or SSO