
It's all yours. Excellent, thanks very much. Thanks for coming by, folks. I hope I'm half as interesting as lunch was. API talks are very relevant in the industry and I've been doing these, but I find they're much more interesting when somebody has a beer in their hand, so I really encourage these to happen at a brew pub or something like that. Hopefully I've got you early enough today that you haven't digested your food enough to fall asleep, but we will endeavor to make it interesting and exciting.

So, my very embarrassing bio. I hate the bio. Anybody who does these talks, someone always emails them for a bio, and I hate those descriptions; they make me very self-conscious. But my background is just that I consider myself a programmer. I'm a horrible programmer, and I just stumble through, and half the time use ChatGPT or Stack Exchange or somebody else's code to make it do what I want it to make happen. I recently released some code to the company, to F5, internally, and I had to share my private git repo. Has anybody written their own code and had this baby that you've been working on for six months or a year, and then had to show it to people? Yes? Yeah, sorry, that is the scariest thing you could possibly do. I can stand in front of a thousand people and present and that's fine, but to actually have someone look at my code and go "wow, I thought you were a good programmer" kind of rips my heart out.

So that's kind of the problem the world faces. The keynote this morning, Alissa I think her name was, I thought was phenomenal. She had a great talk, very captivating, but what she said was right, where she hacked those APIs, hacked it once and got 300 for free. That happens all too often. I just described what I did, right? I
use ChatGPT to write a bunch of stuff, I use Stack Exchange to write a bunch of stuff, because, you know why, I have a self-image problem, and I think everybody is better and smarter than I am and probably does a whole bunch of threat modeling and fixing stuff before they release to the world, right? There's chuckles because it's not right. The world has been built on three lines of hello world that was probably written in 1954 in COBOL and has just been ported and ported and ported and advanced since then, and all the problems that we've had continue to keep moving forward.

So I start this presentation with this slide. I will say I've been using PowerPoint since 1991 or '92; I think the first time I did a PowerPoint presentation it was on three floppy discs, and I have no idea how to make this slide automatically restart. It's magic to me, I don't know how, so I constantly replay this; you'll see me every once in a while just come up here and click it so it replays. But this is a very interesting slide. It shows the timeline of the world for the last little while in how APIs are becoming a problem and have been a problem.

So I'm going to start the story with a little bit about myself. In the mid 2000s, so 2008, 2009, I was working for a startup. That means, you know, the company... what business? That's what startup means, right? So I found myself as an independent contractor; my wife politely calls it self-unemployed. So I was hunting and hunting for some work to do, and a friend of mine put me onto a project that looked like a lot of fun, and in the hopes of doing something interesting and fun I took the meeting and I met with the people. They had this idea of a game. So this is 2009: a mobile game that you're going to play in a movie theater. So before the movies play, before the movie starts,
it's called the pre-show, and so they were developing this to sort of get you in: you'd go to your movie and you'd play this and you'd get some coupons and all kinds of stuff. So, I still haven't written one line of mobile code in my life. I've written tons and tons of applications; lots and lots of, you know, dozens of lines of code probably are attributed to me, not just what I've stolen from other people, but I've never written anything as a mobile application. But we were developing it for the three fantastic application technologies of the time, which in 2009 were, number one, BlackBerry, yes, great, hold our heads high as Canadians, right? We needed it for BlackBerry, Android, and this upstart from Apple that was starting to move into the market.

So we needed an interface to have people engage with it, right? I had been writing some Facebook applications at the time, some integration with some consumer-based marketing and stuff, and so they wanted to tie in Facebook, and they wanted to be able to create your account and share this kind of stuff, and then you get a coupon that you can take to the kiosk, to the confectionary, and get a free chocolate bar or whatever it was going to be. So they had to build this and they had to build a mobile application. Well, I said, I don't write mobile applications. They said, no, no, no, it's okay, we've got a company in Ottawa that's going to write the code, completely fine. I said good. But we need somebody to put the whole thing together; we need somebody to architect it, and we want it done with RESTful APIs. And what did I say? I said, yes, fantastic, I know all about RESTful APIs. Why? Because I could Google it when I got out of the meeting. Because it was 2009, I couldn't google it on my phone at the time, right? So I looked up what a RESTful API was, and we ended up writing
this application so that you could have a mobile application, but we also built a web front end so you could sign up and all kinds of stuff. I'll tell you a little story, or a little hint. The first thing I can tell you about developers and hackers is we're lazy. We don't want to do anything more than once; we want to do it as little as possible and make it as ubiquitous as possible, right? So they said with this RESTful API we should be able to create the applications and do all these things without having to write one for the website and one for a mobile application. It's pretty advanced, right? Today this is just a no-brainer; you're like, okay, I'm going to consume this in 14 different things. So that was 2009, 2010.

I joined F5 in 2011, and that's when this slide starts. It's not a coincidence that I ran screaming from the application development market at that time, but I'm very happy I did, because over time APIs have become a real challenge for protecting, or protecting from people, from bad actors, right? And this isn't something that's unique to just me. I will say I really hope no one hacked into my environment and broke into it and stole customer data, but I really don't know, right? It's very hard to tell. But that doesn't just relate to me being a self-unemployed developer working in my basement; it relates to a whole bunch of organizations out there today too.

So if I ask you one question: how do you know someone's a Peloton user? Yes, we will tell you. It's the same as being a pilot and a CrossFitter, and I don't do CrossFit, right? Somehow we'll get into the conversation; we will tell you. What's even easier than that? Then you don't need to talk to a Peloton person, right? Use the API. Exactly, so you can just ask their API. So back in 2020, if anybody
remembers 2020 without shaking and crying, Peloton certainly enjoyed a boon at the time and really took off in the world. They were less than a million users. The mobile app, you know, some people used the mobile app; they had a device, they had a tread at the time, they had a bike at the time, and then everybody got locked into their houses and wanted to work out and do all these crazy things, and Peloton took off. So they were flush with cash. If, like me, you thought that their stock could never go down and you bought them at $100... okay, you can take a lot of security tips from me; do not take a stock tip from me, okay? It's one thing I will warn you I am not good at.

So they really needed to figure out what they were going to do, and so they invested heavily in Dy. They had a lot of stuff on the go; they were building like crazy. They went from less than a million people to well over 5 million, maybe 8 or 10 million people accessing their environment. That's a scale that's impossible to fathom. Think about your busiest application that you have now, and somebody's going to say it's going to increase five times in a month. How do you handle that without sweaty palms and screaming and crying, right? I had that. I was number one on CrackBerry for one of my applications; worst day of my life. I got hacked like you would not believe. I had people all over my SQL Server, I had people banging into my environment. We went from about a thousand downloads a day to, when we went to number one on CrackBerry, 10,000 downloads a minute. How do you scale that? We couldn't. We had a single pipe, spinning stuff up in Rackspace; I didn't even know what Rackspace was at the time. Like, this is crazy, right? This is what these guys went through. So they were trying to figure it out; they're literally building the plane in the
air, like that old video from, I don't know, the consulting company, where they're literally building the plane in the air. This is what these guys are doing. It's a tough job, but they try to make the right decisions, they try to use the good technology, so they used something called GraphQL. GraphQL is a way of providing data without having to do it at the API level; it's much more optimized for mobile devices, it's a much more streamlined communications mechanism. So GraphQL is a great way to share data. It doesn't stop you using REST, because you still need REST to talk back to the application, but sharing the data and getting the data was very different. So this is what they did: they turned this stuff on and they put a bunch of protections in place. They protected that whole network; they were worried about everything on the edge, and they figured out everything they could possibly do. Fantastic, right? Fantastic. Story ends there. Does it end there? No, it doesn't end there.

The problem was, the way APIs are built, sometimes your business logic is exposed. So they used a bunch of Kubernetes pods. Anybody here play with Kubernetes? Right, yeah, I could stumble my way through a container. And when they put it together, they exposed a bunch of stuff that they didn't expect they were exposing. So as a Peloton user, I like to tell people I'm a Peloton user; I think it's a fantastic platform, that's why I tell people about it. But I don't want you to know what bike I have, or when the last time I worked out was; that's only something I share with certain people. I don't want you to know my home address, all that kind of information. So you remember the BOLA stuff that Alissa was talking about this morning? This is that to the nth degree. You can get everything: the whole network, the whole data, everything is available inside of here, right? You can go in here and make a query. The beauty of developing something with
GraphQL is something called introspection, and it'll tell you how to talk to it. It'll say, here are the functions that you can use to pull data out or push data in, right? But you're not supposed to have that on in your environment so everybody can see it, and they didn't on the edge. But unfortunately, when you made a call to internal environments, you saw how those environments were put together, and lo and behold, you were able to pull that data out. And this is the kind of information that they exposed. So is this a breach? Anybody call this a breach? No? A misuse of information, right? Data leakage, maybe, right? Breach, is it? No, it's a breach. Call it a breach, because companies out there are trying to say, no, this isn't a breach, I don't need to report it. It's a breach, right? It's a breach of confidence, it's a breach of the confidence that you've put in those organizations, right? Don't give them any leeway; make sure they're protecting it, right? Excuse me, I've got to look at what my next slide is.

All right, I have another question for you, or maybe this is an axiom, not a question: hackers lie, right? I'm not a hacker. I hack code; I've hacked websites, okay? I don't lie that often. All right, so there's something called... I tried to think, HackerOne, there we go. I was going to say Bugcrowd but I knew it wasn't Bugcrowd. HackerOne. So anybody know what HackerOne is? Right, so HackerOne: if you're bored on a Sunday or a Saturday and you want to make some extra money, you can go to HackerOne and you can go hack somebody's website completely legally, right? If you are somebody who owns a website or manages a website, check out HackerOne or Bugcrowd or any one of these services, because they're phenomenal. It's a way for you to have something called responsible disclosure, and you define how people are allowed to hack you: don't touch this, you're allowed to poke in here, you're allowed to pull this data out over here, you're allowed to do this, but
you're not allowed to do that, right? They're very well-defined characteristics of how these things work. But the thing I like about this HackerOne report, this is 2020, and in 2021 and 2022 they released it too, but honestly, it's not a fancy little graph; it was easy for me to put together, so I just leave this slide in here for a few years. But this is me telling you hackers lie, because hackers say they spend 71% of their time on hacking websites. What did Alissa say this morning? I chuckled when she said this line, when she was talking about how she attacks, right? She watches the website, she goes and uses the website, she starts figuring out what's going on, and then she throws the website away, because the website has all that stupid business logic that they want us to adhere to, right? The fun part is when you start playing with that business logic. Why? Because developers are lazy, but in a good way: we want the systems to be used, right? So to me, when I see 71% of the time people spend on websites and 7% of the time they spend on APIs, that is not me. I might spend 7% of my time looking at your website, and I'm going to show you a couple of things later, if we've got some time, about how easy it is to pull all that stuff together using something like Postman and Chrome, right? Reduce that from 7% down to 3% and grab all that traffic that's going on between your mobile application, your web application, and the backend servers, right? All that stuff is happening, and there's fun things you can do when you start poking at it, and that's what hackers do. That's typically where we start to find those vulnerabilities.

When I was developing that pre-show application, I had a team that I brought in to help me with it, and my QA director, one of my best friends, let's be honest, you know, I had about eight or ten people at some point working in my basement, and so Paul would show
up in the morning and we'd share an office, and we would write the contract of how the applications were going to work, right? So we defined that here's a create user API, here's a create address API, and we would document it. Another thing about developers: we are not good documenters. If I can get somebody to take the things that are mulling around and bouncing around in my brain and get somebody else to write it, fantastic. ChatGPT, I wish I could just have a brain dump; that'd be phenomenal. But Paul and I spent many, many, many hours, weeks, months really defining this stuff before we wrote one line of code, because in order for me to go and create a user and for that to appear on somebody's iPhone (I didn't have an iPhone in 2009, I wasn't a multi-millionaire or anything like that, right), to be able to see that, that had to happen in a way that we had established a contract. So that contract was a bunch of pieces of paper that I wrote: PDFs, PDFs and PDFs. And so when we wrote them it was great, and then I would sit and code. And when does every developer code? Three o'clock in the morning, right? When life gets in the way and all the other things you've got going on, you code at 3:00 in the morning. And then Paul would show up at 8 o'clock the next morning and I'd say, ah, I've got that create user API ready to go, and the create address is good to go for you to test too. And he would look at me, and then before he has a sip of his coffee or tea (he doesn't drink coffee) he'd say, I broke it. And I'd say, what do you mean you broke it? We spent like three weeks writing the spec; how can you break it? He goes, oh, I threw an asterisk in the phone number. Why would you throw an asterisk in the phone number? Because I knew you didn't expect it, right? Because we're so in our own heads when we're defining these things and when we're coding them, we don't necessarily think about
what the problems are and how somebody can misuse it, right? I'm so driven to make this available for somebody to use that the challenge becomes, how do I protect it, right? Those are hard problems; those are hard things to figure out. And so I'm going to skip a couple of slides here; I got the wave in the back that I'm rambling. If I can find my mouse... here we go.

So when we start thinking about what's important, this is from Postman again. Anybody heard of Postman? Anybody use Postman? It's a free download, it's fantastic, great tool. But this is their State of the API report; these are the things that people worry about. It's kind of intangible, isn't it? Like, if I tell you that BOLA or IDOR are problems, broken object level validation and access are broken, you don't necessarily know what that means. Threat modeling isn't easy, right? It's an art form, it's a science, all in one. So to translate these to what you have to worry about is a challenge. That's why we have smart people putting together lists like this. So the Open Web Application Security Project, who I got called out on last week because it's no longer the Open Web Application Security Project; it's either the W or the A that changed in the last month, one of them has changed, so I'm going to call it OWASP because I forget which it was. They put these things together; they tell you the things that people are attacking. But the second week of August now, CISA, which is the US, you know, federal civilian information security agency (so I do a lot of work with CISA, I do a lot of work with DISA, their defense counterpart), they announced, as part of the Five Eyes thing (we're part of Five Eyes as well), with the Australian counterpart, that BOLA, or the ability to access data that you shouldn't be able to access, right, so being able to tweak that... I love that
example that Alissa
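The talk above hits three API-security points without showing code: GraphQL introspection left reachable on internal services (the Peloton story), a create-user contract that nobody enforced against an unexpected asterisk in the phone number (the Paul story), and BOLA, where any caller could read private fields of somebody else's profile. The following is an added illustration of the corresponding defensive checks, written for this page and not code from the talk, from F5, or from Peloton; the contract fields, the profile records, the environment names and every sample value are constructed for the example.

```python
"""Three boundary checks for an API: contract enforcement, introspection gating,
and object-level authorization. Added example; all names and data are constructed."""
import re
from dataclasses import dataclass

# --- 1. Contract enforcement: the 'create user' request an asterisk would break ---
# Constructed contract: field name -> compiled pattern. Fields not listed are rejected,
# so an undocumented field cannot reach the back end either.
CREATE_USER_CONTRACT = {
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
    "phone": re.compile(r"^\+?[0-9]{7,15}$"),     # digits only: '555*1234' fails here
    "display_name": re.compile(r"^[\w .'-]{1,40}$"),
}

def validate_create_user(payload: dict) -> list[str]:
    """Return the list of contract violations; an empty list means the request is acceptable."""
    errors = []
    for field in set(payload) - set(CREATE_USER_CONTRACT):
        errors.append(f"unexpected field: {field}")
    for field, pattern in CREATE_USER_CONTRACT.items():
        value = payload.get(field)
        if not isinstance(value, str):
            errors.append(f"missing or non-string field: {field}")
        elif not pattern.fullmatch(value):
            errors.append(f"invalid value for {field}")
    return errors

# --- 2. Introspection gating: schema discovery only outside production ---
# __schema and __type reveal the whole API surface; __typename is an ordinary,
# legitimate field and must stay allowed, so the pattern needs a word boundary.
_INTROSPECTION = re.compile(r"\b__(schema|type)\b")

def is_introspection_query(query: str) -> bool:
    return _INTROSPECTION.search(query) is not None

def allow_graphql_query(query: str, environment: str) -> bool:
    """Introspection is acceptable only in a development environment (assumed naming)."""
    if is_introspection_query(query):
        return environment == "development"
    return True

# --- 3. Object-level authorization (BOLA): only the owner sees private fields ---
@dataclass(frozen=True)
class Profile:
    user_id: int
    display_name: str     # public: "I'm a Peloton user"
    home_address: str     # private
    last_workout: str     # private

# Constructed sample records
PROFILES = {
    1: Profile(1, "alice", "1 Example St", "2020-04-01 bike"),
    2: Profile(2, "bob", "2 Example Ave", "2020-04-02 tread"),
}

def get_profile_vulnerable(requested_id: int) -> dict:
    """The BOLA pattern: the id from the request is trusted, the caller's identity is never consulted."""
    p = PROFILES[requested_id]
    return {"user_id": p.user_id, "display_name": p.display_name,
            "home_address": p.home_address, "last_workout": p.last_workout}

def get_profile(caller_id: int, requested_id: int) -> dict:
    """Hardened: authorize on the object itself; anyone but the owner gets the public fields only."""
    p = PROFILES.get(requested_id)
    if p is None:
        raise KeyError("no such profile")
    if caller_id == requested_id:
        return {"user_id": p.user_id, "display_name": p.display_name,
                "home_address": p.home_address, "last_workout": p.last_workout}
    return {"user_id": p.user_id, "display_name": p.display_name}

if __name__ == "__main__":
    print(validate_create_user({"email": "a@example.test", "phone": "555*1234", "display_name": "Paul"}))
    print(allow_graphql_query("{ __schema { types { name } } }", "production"))
    print(get_profile(caller_id=2, requested_id=1))
```

The design point in each function is the same one the talk makes: the check lives at the boundary, not in the client. A contract written down as PDFs only protects you if the server rejects what the contract does not describe, an introspection query that is blocked at the edge but answered by a pod behind it is still answered, and a profile lookup that never asks who is calling will hand the home address to whoever supplies the id.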