APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon Wilkinson

  1. I Know What You(r APIs) Did Last Summer – Shannon Wilkinson, CEO, Tego Cyber Inc
  2. Common threats against APIs:
     • DDoS
     • Injection Attacks
     • Authentication Attacks
     • Cross-Site Scripting (XSS)
     • Parameter Tampering
     • Man in the Middle (MiTM)
     • Credential Stuffing
     • Application Abuse
     • Server-Side Request Forgery (SSRF)
  3. Top 10 2023 RC:
     • Broken Level Authorization
     • Broken Authentication
     • Broken Object Property Level Authorization
     • Unrestricted Resource Consumption
     • Broken Function Level Authorization
     • Server Side Request Forgery
     • Security Misconfiguration
     • Lack of Protection from Automated Threats
     • Improper Asset Management
     • Unsafe Consumption of APIs
     Top 10 2019:
     • Broken Level Authorization
     • Broken User Authentication
     • Excessive Data Exposure
     • Lack of Resource & Rate Limiting
     • Broken Function Level Authorization
     • Mass Assignment
     • Security Misconfiguration
     • Injection
     • Improper Asset Management
     • Insufficient Logging & Monitoring
  4. Where Do API Threats Come From?
     • Bad Coding – QA, we don’t need no stinking QA!
     • Poor Validation – Do you validate your SSL certs to protect traffic/data?
     • Poor Authentication – Do you require authentication?
     • Automated Threats – BOTSSSSSSSSSSSSSSSSSS!
     • API Utilization – How much data should be going out?
  5. Where Are Your APIs?
     • How can you protect what you don’t know?
     • You, or someone on your behalf, need to perform a thorough analysis of which APIs exist in your environment.
     • It’s not a one-and-done assessment; you need continuous validation/testing.
  6. Establish a baseline:
     • Data Flow – What is the normal flow of data?
     • User Behavior – Who/where/when/how?
     • Expected Level of Errors
     • KYAPIs – Know Your APIs
       • What data is exposed?
       • Are the endpoints secured?
       • Do we have SSL and no HTTP redirects?
  7. That’s Not Normal – Anomaly Detection
     • Unusual Traffic – Increased Traffic, Unexpected API Calls
     • Vulnerability Scanning – 404/500 Errors
     • Unusual User Behavior – Extraordinary Traveler, Repeated Failed Attempts
  8. API Specific Rules
     • Excessive API Calls – Exceed Rate Limits (You Do Rate Limit, Right? Right?)
     • Unusual User/Data Behavior – Schema Validation
     • Add to Cart & Buy in Less than X Timeframe (Bots!)
     • Configuration Changes
     • Suspicious Payloads/File Transfer – Scan with AV/EDR
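As an added illustration of the detection ideas on slides 7 and 8 (not part of the presentation), the following Python sketch runs three rules over constructed API access-log lines: rate-limit exceedance per client, repeated failed logins, and the add-to-cart-then-checkout-in-under-X-seconds bot pattern. The log format, endpoint paths and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample log lines: "<epoch seconds> <client> <method> <path> <status>"
SAMPLE_LOGS = """\
1000 10.0.0.5 POST /api/login 401
1001 10.0.0.5 POST /api/login 401
1002 10.0.0.5 POST /api/login 401
1010 10.0.0.9 POST /api/cart 200
1011 10.0.0.9 POST /api/checkout 200
1020 10.0.0.7 POST /api/cart 200
1095 10.0.0.7 POST /api/checkout 200
""" + "\n".join(f"{1200 + i} 10.0.0.3 GET /api/items 200" for i in range(12))

def parse(text):
    """Turn the constructed log text into (ts, client, method, path, status) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, method, path, status = line.split()
            events.append((int(ts), client, method, path, int(status)))
    return events

def rate_limit_offenders(events, limit=10, window=60):
    """Clients sending more than `limit` requests inside one fixed `window`-second bucket."""
    counts = defaultdict(int)
    for ts, client, *_ in events:
        counts[(client, ts // window)] += 1
    return {client for (client, _), n in counts.items() if n > limit}

def repeated_auth_failures(events, threshold=3):
    """Clients with at least `threshold` 401s on the login endpoint (credential stuffing signal)."""
    failures = defaultdict(int)
    for _, client, _, path, status in events:
        if path == "/api/login" and status == 401:
            failures[client] += 1
    return {client for client, n in failures.items() if n >= threshold}

def fast_checkouts(events, max_seconds=5):
    """Clients that add to cart and check out in under `max_seconds` (bot-like speed)."""
    last_cart = {}
    flagged = set()
    for ts, client, _, path, status in sorted(events):
        if path == "/api/cart" and status == 200:
            last_cart[client] = ts
        elif path == "/api/checkout" and client in last_cart:
            if ts - last_cart[client] < max_seconds:
                flagged.add(client)
    return flagged

if __name__ == "__main__":
    ev = parse(SAMPLE_LOGS)
    print(rate_limit_offenders(ev), repeated_auth_failures(ev), fast_checkouts(ev))
```

Real deployments would read from the SIEM or data lake and tune the thresholds against the baseline from slide 6; the fixed-bucket rate check is deliberately simple and can miss bursts that straddle a bucket boundary.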
  9. Developers
     • Code Reviews
     • Code Repository Reviews
     • Code Vulnerability Scanning
     • Documentation of API Endpoints
     • SBOM (Software Bill of Materials)
     • Unmanaged APIs
     • Vulnerable APIs (Log4j anyone?)
     • What do 3rd Party APIs have access to?
     • Protecting Credentials/Authentication
     • Public vs Private APIs
  10. Security Team / Audit & Compliance
     • Policies & Procedures
     • Assessments
     • Attack Surface Management Tools
     • AV/EDR on Endpoints/Servers
     • WAFs
     • Security Operations Center (SOC)
       • Ingestion of API Security Logs
       • Monitoring of API Activity through SIEM/Data Lake
  11. Nope, Not On My Watch! – Monitoring
     • OWASP API Top 10 – Insufficient Logging & Monitoring
     • 200+ Days to Detect
     • Detection by 3rd Party (Ouch, Embarrassing!)
     • SIEM/Data Lake Platforms
     • Comprehensive View – Attack Surface, WAFs, Endpoints
     • Threat Intelligence / Correlation Tools
  12. …If You Enjoyed the Presentation: Shannon Wilkinson – CEO – Tego Cyber Inc – https://tegocyber.com – shannon.wilkinson@tegocyber.com