APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies, Sudhir Chepeni

© 2023 Sudhir Chepeni
1
Exploring Advanced
API Security
Techniques and
Technologies
Sudhir Chepeni
Director Application Security
@ Akamai Technologies

2
Global Trends Raising The Risks Of Online
Interactions
● Digitalization
● COVID 19
● More interconnectivity of
supply chains
● Cost savings
● Skills

3
App Modernization is Fuelling API Growth
Impact on Development Team
Developer efficiency + deployment speed
Better connectivity with 3rd party apps and partners
Better User Experiences and Personalization
Rapid Innovation
75% believe microservices will drive the biggest growth in APIs
80% of organizations are developing public facing APIs
APIs are everywhere as key enablers of digital transformation
strategies and modern applications.

4
Pervasive API Traffic & Attack Trends
35%
API Traffic YoY
Growth CAGR
2020-2025
+200T
API Hits by 2024
+4,500
Customers
delivering APIs
91%
Of all ESSL
requests are APIs December 2021, API calls represented 54% of
total requests, up from 52% during the first week
of February 2021.
Explosive growth in API requests only being outpaced by the growth in malicious API calls (>600% YoY)

5
Web Application Attacks
Continue to Rise
+23% Q/Q | +196% Y/Y
6.31 Billion
NEW RECORD
In Q1’22, we experienced
We analyze ~350 TB of new attack data every day
web app attacks in a single
quarter for the first time
(that’s over 1 billion more
than the prior quarter!)
6 Billion

6
API Attacks are getting global and across verticals
Case Study : Log4j

7
API Attacks are continuous and Mitigation needs be
continuous: Case Study Spring Core

8
APIs complexity leads to Risk
● Modern applications have more moving parts or pieces to manage
● The nature of collaboration is evolving - from local to global
● Development trends are changing
● Teams are often in different tooling ecosystems
More
Functionalities More Features More Users More Data

9
Source: Forrester Analytics Business Technographics Security Survey, 2021
Base: 530 Security decision-makers with network, data center, app security, or security ops responsibilities who experienced an
external attack when their company was breached
1.94
The average number
of times firms
suffered breaches
from external attacks
WHAT’S AT RISK?

10
API security flaws can result in data breaches

11
Today securing an application means…
Protecting the..
q Custom Developed Source Code
q Software that forms the supply chain
q The CI/CD pipeline itself
q Infrastructure hosting the application - a majority of which is spinning up in public cloud
q APIs powering the comms between user and inter app components

12
API Overview

13
What is an API
An application programming Interface (API) is a connection between computer programs
Your Program
(In any language say X)
My Program
(In any language say Y)
getSomething
Something

14
APIs have
TYPE
XML-RPC, SOAP, REST,
gRPC, GraphQL
TRANSPORT
HTTP(S), HTTP/2/3 ..
DATA ENCODING
XML, JSON, binary, protobuf..
INFRA
API Gateway, Service mesh, Load
balancer, Control plane
STAKEHOLDERS
• Customers, users
• Dev Teams
• Product Teams
• Admins, network, API Gateway
• Security Operations
• Mobile/IoT
API

15
15
API Types, Protocols and deployments
Public APIs allow to
expose information and
functionalities to third
parties
Private APIs are used
internally to facilitate
integration of different
applications
Partner APIs used to
facilitate
communication and
integration between
partners
Different API Types Different API Protocols
Understanding the API
Types, Protocols and
Deployments is key to
providing an API
Security Solution
Deployment of APIs
Virtualization
Services
Containers
API

16
APIs Grow
APIs will Grow
Breadth – More and more APIs
Depth – API calls create calls to other APIs
Directions
North/South Traffic – External APIs
East/West- Internal APIs

17
Server
Database
Media
Web
Mobile
Partner
Internet
Sensors
Request
Response
Interaction
Layer
Micro
Orientation
Mediation
Transformation
Traffic
Management
Network
Integration
Layer
Service
Mediation
Messaging
Connectivity
Application Layer
Business Rules
Business Process
Orchestration
Sense and Response
Service Orchestration
Infrastructure Configs
API Architecture
• API Management
• Service Management
• Platform Management
• Developer Portal
• Internal external
• Partner
• Authentication
• Authorization
• Threat Protection
• Data Privacy
• PCI DSS
• Federation
• Single Sign on
• Access Control
• API Analytics
• Operation
• Customer
• Business Customer BI
• Req reply signatures
• Token channel binding
• Context risk assessment
• App integrity checking
• Environment Risk
Assessment
• Minimize client-side API keys
API Security Thinking
• API Interface Layer
• API Trust and usage Policy
• Layer 7 Attack Protection
• Compliance checks
• Rogue API Detection
• API Implementation Layer
• Micro segmentation
• Identify propagation and
brokering
• Multilevel Authorization
• Integrate standard
infrastructure and
application platform security
• Continues API monitoring
• Configuration
API Developers
Are thinking
API Security
Needs thinking
Management Services Analytics Services
Client Services
Security Services

18
API Security Building Blocks

19
Traditional Attacks Current/Future Attacks
Recent Attacks
Bad actors targeting APIs would
attacks such as SQLi and XSS and
exploit vulnerabilities
Attackers take days, weeks, or even
months to probe and learn about
APIs, and they use “low-and-slow”
techniques that stay under the radar
of traditional security tools.
“One-and-Done” “Low-and-Slow”
Attackers focus now is on finding
vulnerabilities in the business logic of APIs.
APIs are unique, so the attacks have to be
as well. The attackers launch low and slow
attacks with reconnaissance to understand
context and start business logic abuse
“Context-Based”
Evolution of API Attacks

20
API Attack Classes
DDOS
Network DDOS
HTTP Flood
Application DOS
Data Breach
Internal data made public
Excessive data exposure
Authentication weakness
Abuse of
Functionality
Business logic flaws
API

21
DDoS

22
API DDoS Attack Surface

23
Global WAAP DDoS Attacks

24
BOTS

25
API’s Protection From BOTs

26
Global Bot Activity
Malicious Bots Plague Businesses
January – June
2021
July – December
2021
January –
April
2022
40B
30B
20B
0
Number
of
Bot
Requests
Malicious Benign
10B

27
Malicious bot activity
jumped more than
during India’s Diwali
shopping holidays.
55%

28
Business Logic

29
OWASP Top 10
A01:2021-Broken Access Control
A02:2021-Cryptographic Failures
A03:2021-Injection
A04:2021-Insecure Design
A05:2021-Security Misconfiguration
A06:2021-Vulnerable and Outdated Components
A07:2021-Identification and Authentication
Failures
A08:2021-Software and Data Integrity Failures
A09:2021-Security Logging and Monitoring
Failures
A10:2021-Server-Side Request Forgery

30
Real World Examples
30
API Vulnerability Exploited Impact
Authentication, Authorization, Excessive
Data Exposure
60 million customers data compromised due to broken
access control which allowed logged in users to access
account information of others
Authentication and Authorization 13+ million customer PII, IMEI, IMSI data leaked. Some
instances of SIM Swap scams with MFA bypass
Authentication, Excessive Data Access,
Anti-Automation
200 million user transactions were set to public by
default and available to anyone causing big data breach
Authentication 37+ million Panera bread customer profile data exposed
due to breach in unauthenticated API endpoint
Authorization and Excessive Data Exposure Account Impersonation/Takeover of any Uber user,
driver, partner
Authentication, Configuration Issues Ability to access remote functionality of millions of
cars in China
Authentication and Excessive Data
Exposure
FICO Score and Risk factors for 100+ million
people in the US

31
API Security Solutions

32
API Security Technologies

33
Vestibulum congue tempus
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
Lorem ipsum
●DoS & Automation
●Injection Attacks
●Business Logic Abuse &
●Industry Specific Workflows
Runtime Detections
●API Discovery & Profiling
●API Misconfigurations
●Risk Assessment & Prioritization
Visibility and Posture
Management
●Integration into CI/CD
●API Security Testing
SDLC Integrations
●API centric threat hunting
●API centric analytics
●Integrations with prevention and
response tools
Threat Hunting,
Analytics
API Security Framework

34
API Security Solution for what?
DEV or Runtime
Security Posture
• Inventory of APIs
• Mapping of data
• Who what from where
Runtime Security
• Monitoring watching inspecting traffic
• Behavior based models for anomaly detection
• Heuristic, ML, AI modeling with continuous learning
• Threshold of abnormal traffic alerts and protection
1 2

35
APIs Runtime
Versions
Design, Develop, Build, Test
and Deploy
APIs in running in
Production
API Security and
Build time
API Security and
Runtime
Monitor, Protect , Observe,
Behavior based detections
Security
Posture
Runtime

36
API Security Full Cycle

37
API Security
DISCOVER
ALERT &
PROTECT
DETECT
Full Lifecycle API Attacks
and Abuse security
1. Continuous catalog of APIs
2. Sensitive Data Discovery
3. Discover deprecated, undocumented APIs
4. Identify 3rd party APIs
1. OWASP API Top 10 Attacks Detection
2. Behavior Based detections
3. ML assisted analysis to help reduce
false positive rates
1. Generate Actionable Alerts
2. Protect the APIs Ex at WAF
API Security Solution

38
API Discovery
& Profiling
Automatically
discover and profile
unknown and/or
changing APIs
VISIBILITY
Network
Set API network lists
(allowlists and/or
blocklists) based on
IP/Geography
Rate controls for API
endpoints based on
API key. Protection
from low and slow
attacks (slow POST)
DDOS
PROTECTION
Authentication
& Authorization
Secure
authentication and
authorization via
JSON Web Token
(JWT) validation
+/- API SECURITY &
GOVERNANCE
Threat Assessment
Automated assessment
of API risk
Prioritized API
protection
Behavior based API
Security
Analyze API Behavior,
session behavior to
uncover advanced attacks
AI, ML MODEL
BASED
AUTOMATED THREAT
ASSESMENT
API Security Path

39
PROTECT ALL APPS AND APIS
Design Time and Runtime
Layered Defense To Protect Against Evolving API
Threats
Attack surface reduction & prevent
lateral movement
Cloud misconfigurations
Supply chain attacks, known
vulnerabilities
Edge WAAP
Visibility to all apps & APIs
Devops deployment, rapid config changes,
native to public cloud
DDoS, Bots, Injection-based Attacks
Container breakout, container
misconfigurations, supply chain attacks
Container Runtime
Security
Container Vulnerability
Mgt
Attack Surface Mapping
Cloud Configuration Audits
Microsegmentation
Origin WAF
Edge WAAP
Cloud Workload
Protection
Platform
Cloud Security Posture
Management

40
Recommendations
1. Think about full lifecycle of APIs for API Security Solutions
2. API security is Discovery Detection and Protection
3. API security is a layered, choose fewer tools
4. Use automation to alert right people in time
5. Focus on observability, use tools to automatically detect and protect

41 41
Customers expect their
digital experience to be
consistently fast,
consistently engaging,
completely secure
APIs are at the Center of Modern Experience

APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies, Sudhir Chepeni

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies, Sudhir Chepeni

Similar to APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies, Sudhir Chepeni (20)

More from apidays

More from apidays (20)

Recently uploaded

Recently uploaded (20)

APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies, Sudhir Chepeni