APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
I KNOW WHAT YOU(r APIs) DID LAST SUMMER - Understanding and Identifying Threats Against APIs
Shannon Wilkinson, Cybersecurity Founder | Women in Technology & STEM Advocate | Keynote Speaker | Board Member & Advisor
4. OWASP API Security Top 10 - 2023 RC
• Broken Object Level Authorization
• Broken Authentication
• Broken Object Property Level Authorization
• Unrestricted Resource Consumption
• Broken Function Level Authorization
• Server Side Request Forgery
• Security Misconfiguration
• Lack of Protection from Automated Threats
• Improper Asset Management
• Unsafe Consumption of APIs
OWASP API Security Top 10 - 2019
• Broken Object Level Authorization
• Broken User Authentication
• Excessive Data Exposure
• Lack of Resource & Rate Limiting
• Broken Function Level Authorization
• Mass Assignment
• Security Misconfiguration
• Injection
• Improper Asset Management
• Insufficient Logging & Monitoring
5. Where Do API Threats Come From?
• Bad Coding - QA, we don't need no stinking QA!
• Poor Validation - Do you validate your SSL certs to protect traffic/data?
• Poor Authentication - Do you require authentication?
• Automated Threats
  • BOTSSSSSSSSSSSSSSSSSS!
• API Utilization - How much data should be going out?
6. Where Are Your APIs?
• How can you protect what you don't know?
• You need to perform, or have someone perform, a thorough analysis of what APIs you have in your environment.
• It's not a One-And-Done assessment; you need continuous validation/testing.
7.
• Data Flow
  • What is the normal flow of data?
• User Behavior
  • Who/where/when/how?
• Expected Level of Errors
• KYAPIs - Know Your APIs
  • What data is exposed?
  • Are the endpoints secured?
  • Do we have SSL and no HTTP redirects?
8. That's Not Normal - Anomaly Detection
• Unusual Traffic
  • Increased Traffic
  • Unexpected API Calls
  • Vulnerability Scanning
  • 404/500 Errors
• Unusual User Behavior
  • Extraordinary Traveler
  • Repeated Failed Attempts
9. API Specific Rules
• Excessive API Calls
  • Exceed Rate Limits
  • You Do Rate Limit, Right? Right?
• Unusual User/Data Behavior
  • Schema Validation
  • Add to Cart & Buy in Less than X Timeframe (Bots!)
• Configuration Changes
• Suspicious Payloads/File Transfer
  • Scan with AV/EDR
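The anomaly and API-specific rules from slides 8 and 9, written out as detection logic; this is an added example, not material from the talk. It runs three rules over constructed API access-log lines: rate-limit exceedance per user per minute, repeated failed logins per source IP, and add-to-cart followed by checkout faster than a human would. The log format, the `/api/...` paths and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real traffic): "timestamp user source_ip method path status"
SAMPLE_LOG = """\
2023-03-14T10:00:01 bob 10.0.0.7 GET /api/items 200
2023-03-14T10:00:05 bob 10.0.0.7 GET /api/items 200
2023-03-14T10:00:09 bob 10.0.0.7 GET /api/items 200
2023-03-14T10:00:12 bob 10.0.0.7 GET /api/items 200
2023-03-14T10:01:00 - 10.0.0.9 POST /api/login 401
2023-03-14T10:01:02 - 10.0.0.9 POST /api/login 401
2023-03-14T10:01:04 - 10.0.0.9 POST /api/login 401
2023-03-14T10:05:00 alice 10.0.0.5 POST /api/cart 200
2023-03-14T10:05:03 alice 10.0.0.5 POST /api/checkout 200
2023-03-14T10:06:00 carol 10.0.0.6 POST /api/cart 200
2023-03-14T10:07:30 carol 10.0.0.6 POST /api/checkout 200
"""

# Illustrative thresholds (assumed); in practice they come from each API's observed baseline.
RATE_LIMIT_PER_MINUTE = 3      # "Exceed Rate Limits"
FAILED_AUTH_THRESHOLD = 3      # "Repeated Failed Attempts"
MIN_CART_TO_BUY_SECONDS = 10   # "Add to Cart & Buy in Less than X Timeframe"

def parse_log(text):
    """Split each space-separated log line into a record dict."""
    records = []
    for line in text.splitlines():
        ts, user, ip, method, path, status = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                        "method": method, "path": path, "status": int(status)})
    return records

def detect(records):
    """Run the three rules over records in time order; return (rule, subject) alerts."""
    alerts, counts, cart_added_at = [], defaultdict(int), {}
    def bump(rule, key, threshold, subject):
        counts[(rule, key)] += 1
        if counts[(rule, key)] == threshold:  # fire once, on the request that crosses
            alerts.append((rule, subject))
    for r in records:
        minute = r["ts"].replace(second=0)
        bump("rate_limit_exceeded", (r["user"], minute), RATE_LIMIT_PER_MINUTE + 1, r["user"])
        if r["path"] == "/api/login" and r["status"] == 401:
            bump("repeated_failed_auth", r["ip"], FAILED_AUTH_THRESHOLD, r["ip"])
        if r["method"] == "POST" and r["path"] == "/api/cart":
            cart_added_at[r["user"]] = r["ts"]
        elif r["method"] == "POST" and r["path"] == "/api/checkout" and r["user"] in cart_added_at:
            if (r["ts"] - cart_added_at[r["user"]]).total_seconds() < MIN_CART_TO_BUY_SECONDS:
                alerts.append(("cart_to_buy_too_fast", r["user"]))
    return alerts
```

Carol's 90-second cart-to-checkout path produces no alert, which is the point: the rule keys on timing that no human shopper hits, not on the endpoint itself.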
10.
• Developers
  • Code Reviews
  • Code Repository Reviews
  • Code Vulnerability Scanning
  • Documentation of API Endpoints
  • SBOM (Software Bill of Materials)
• Unmanaged APIs
  • Vulnerable APIs (Log4j anyone?)
  • What do 3rd Party APIs have access to?
• Protecting Credentials/Authentication
  • Public vs Private APIs
11.
• Security Team / Audit & Compliance
  • Policies & Procedures
  • Assessments
  • Attack Surface Management Tools
  • AV/EDR on Endpoints/Servers
  • WAFs
• Security Operations Center (SOC)
  • Ingestion of API Security Logs
  • Monitoring of API Activity through SIEM/Data Lake
12. Nope, Not On My Watch!
• Monitoring
  • OWASP API Top 10 - Insufficient Logging & Monitoring
  • 200+ Days to Detect
  • Detection by 3rd Party (Ouch, Embarrassing!)
• SIEM/Data Lake Platforms
  • Comprehensive View - Attack Surface, WAFs, Endpoints
  • Threat Intelligence / Correlation Tools