
The Security Hitchhiker's Guide to API Security

BSides Augusta · 2023 · 25:13 · 36 views · Published 2023-10
Category: Technical
Style: Talk
About this talk
Timothy De Block explores API security fundamentals, covering the history and rise of APIs, techniques for discovering them in environments, and practical security approaches. The talk reviews the API security tooling landscape, discusses threat modeling and testing strategies, and provides resources for securing APIs at scale.
Original YouTube description
API security is so hot right now! Organizations don’t fully understand APIs, how to find them, and secure them. This can feel scary. Don’t Panic. Grab your towel and join me on a meme adventure to explore the API galaxy. We’ll cover the history of APIs. Why people now suddenly care about them and why they’re such a hot topic. We’ll go over some ways to identify APIs within an environment. We’ll cover how API security is different and how to start securing them. We’ll review the API security tooling landscape. Finally, we’ll review resources to get your towel wrapped around API security and answer the ultimate API questions.
Transcript [en]

But let me go ahead and introduce Tim De Block. Did I say that right? All right, so Tim De Block works for anen security; he focuses on, or they focus on, incident response and cyber insurance. He'll elaborate, I'm sure, but his current title is director of advisory services. Let's welcome Timothy De Block.

All right, so we've only got 30 minutes; this is going to be pretty quick. You guys can hear me okay? Yeah, I can hear myself okay. All right, as mentioned, yeah, the Security Hitchhiker's Guide to API Security. So this is the agenda: who is the antigen, we've already mentioned some of it so I'll skip some of that; why this talk; API basics; how to secure your APIs; resources for API security; and then, if we have time, we'll do questions. Of course you can hit me up, I'll be at the conference. I have been doing hallway con all day. I meant to go to a couple of talks earlier today and ended up talking to somebody else, so feel free to come up and talk to me if you have questions. I don't do many slides; there'll be contact information at the end. Again, as we mentioned, we're a cyber risk management company for businesses: incident response; we can get you a deal on your cyber insurance if you need it; and then we do proactive services as well, like consulting. You want it? Well, yeah, we can do that.

So why this talk? Well, before AI came out, API security was a big topic. I built this at the end of last year, and as you see in the news section there is no more API talk; it's all AI right now. But that doesn't mean APIs are not still out there. They are, and AI is probably actually helping create more APIs, because developers are using it to write code. Whether or not you have AI in your organization, by the way, they will go to their home machines and then just copy it over. It's not hard to get by. This also was meant to demystify APIs, because everyone thinks about this new technology and goes "oh no," right? But it's really putting a lot of the same best practices in place. APIs have actually been around since the early 2000s, late 90s.

So, API in the news. I did try to look for a more recent API story and, again, like I mentioned, there are none. It's all AI; it's all actually social engineering right now. If you have... you're probably not having a great time. And then of course Cisco acquiring Splunk. So not a lot of talk on APIs, but earlier, in January 2023, T-Mobile lost 37 million customers' PII via an API. Right? That's huge, that's massive. And that kind of foreshadows some of the issues with APIs. Sam Curry also came out with some research on 18 different vehicles, so if you own a BMW, Rolls-Royce, Ferrari, or Hyundai, Genesis, Honda, Nissan, Infiniti, or Acura, someone could have your car, essentially, via your API. And in the case of Ferrari, if you want a new Ferrari you just need to go modify the owner information via an API. So this all came out of his research. So that's kind of why the talk.

Here are the API basics. I actually had more slides that went into this until I found this meme, like literally a month ago, and I think this does a really good job of giving people a great analogy for thinking about APIs. Because I've tried to speak to GRC folks about what an API is, and it started with spaceships and ports and lasers, and they were just more confused than when we started. But I think this meme does a really good job of showing a restaurant, right? You've got your back end, which is where your cooks are at; your front end, where you go into the restaurant; and your APIs are your waiters, right? And your menu is your documentation. That's where you go and pick, you know, what am I going to order from here. You give it to the waiter slash API, they go to the back end, grab it, and then deliver it to you. So I think that does a really good job.

We'll still get into the API basics, though. The idea actually started in the 1940s, 1950s; papers were written about it in the 1960s and 1970s; the term started in the 1980s; and in the 1990s it actually expanded to remote procedure call. So this has been brewing for a long time. And if I go to the Oxford Languages dictionary, and this is where I really struggled with understanding and trying to explain APIs: "a set of functions and procedures allowing the creation of applications that access the features or data of an operating system, application, or other service." If you're confused, I was confused when I read that as well, right? So I went to ChatGPT. ChatGPT says, and I don't normally like reading from slides, but I think they do a much better job of explaining APIs: "API stands for application programming interface. It is a set of rules, protocols, and tools for building software applications. An API defines how different software components should interact with each other. In simpler terms, an API is a way for different software systems to communicate with each other. It allows developers to create software applications that can access and use the functionalities of other applications, platforms, and services without having to understand the underlying code." So I think that does a much better job of explaining it in much better terms.

We'll dive into some examples here. Google Drive, right? That was my first thought, because everyone understands Google Drive and what it is. You can download files, upload files, search for files and folders, share folders and drives to collaborate, and you can tap into other APIs. To further explain: on GitHub, a FUSE file system based on Google Drive was our top open source project. The second one was another FUSE wrapper for Google Drive. I don't know what FUSE is, full transparency, I actually had to look it up, but if you know what it is, it is. And then the one that I did understand was the FTP adapter for connecting Google Drive to FTP. Didn't want to stop there: if you're into fantasy football, you can use this open source project to create weekly reports for your fantasy football league. And then of course, being in security, of course there's a red team tool that taps into your Google Drive and can exfil all your data. So if they get credentials to somebody's Google account, they can exfil it, right? So that's a really good example.

Another one that I think a lot of people can identify with is Google Roads, which is just tracking where you're going, right? That's how we get the Google Maps information to avoid this area. Or if you're ordering DoorDash or Grubhub, you can see the person going to the store, picking up your stuff, and then delivering it to your house. Same thing with Uber and Lyft. A lot of package delivery companies track their drivers now to make sure that they are doing an efficient route to go deliver stuff and they're not going off to take a nap somewhere else, right? I see the drivers nowadays, like they come out with the package, they deliver it, and then they run back to the car because they're on some sort of time crunch to get in.

I'm also wearing an API, and probably some other people are. This is a Whoop, if anybody... this is more of a fitness thing. It measures my physiology, tracks my sleep, my training, any sort of behavioral stuff. I can actually tap this into my phone, on Google's, on Apple Health, so now we're doing API on top of API. So this is why APIs are kind of all over the place, and these are just a few examples, but you can see here there are several more just within the Roads, Routes, Maps section of the Google offering.

And the reason why these APIs are out there is because, instead of writing custom code for each one of these things, developers can just create something that people can tap into, with defined parameters on how to actually use it. And so this actually empowers creativity and innovation. If developers had to continually write custom code for stuff over and over again, this would be a nightmare; they would be way behind on stuff. This is actually better for security as well, because with APIs you have a defined way of interacting with it. You no longer have the SQL injection... well, you still have SQL injection and some of these other injection things, but they're less of an issue, and we'll get into some of that in the security section. But essentially, you've almost eliminated cross-site scripting and some of this other stuff. It's actually a more nuanced issue within APIs.

So, the different types of APIs. REST is probably the most popular. SOAP is another one that you've probably heard about; that actually just got passed by GraphQL as of this year. This is from the Postman State of the API report from 2022 and 2023, so last year SOAP was third but GraphQL passed that this year. So you can see there's a bunch of different APIs. If you've been in the development space, I honestly feel like this might be like a JavaScript thing where there's a new framework coming out each week, right? So we might see more APIs and different types of APIs. This is pretty straightforward: you have your private, which is your internal APIs; your partners, so partners would be an example of your CRM, your ServiceNow, your Workday, anything that you're tapping into from a SaaS perspective, software application or software as a service; and then of course public, which we just went into.

So let's talk about documentation now. Swagger and Postman are the way that developers can document APIs. Swagger is open source software used with REST APIs, tied to the OpenAPI specification, and Postman is a commercial API platform for developers to design, build, test, and iterate their APIs. If you want to get into the API security tooling space, your development team has to be doing Swagger and Postman files, because that's what the security tooling needs to be able to actually look at the APIs, and we'll talk about the security tooling space.

So, how to build an API. Well, I went to GitHub again, and it takes only 10 minutes for you to clone this project, npm install, and then npm run start, right? So you can just go to GitHub and find the APIs here. I also decided to use ChatGPT, because why not, the developers are already using it. This is a demo of me going to ChatGPT. You see me: "whatever you think is best." It was like, you can have this API or this API, and I was like, just you choose, I don't really care. I asked for an API for this presentation. So you see here it's going through and creating it. It actually does a really good job of documenting it, but it's creating the actual code itself as well, right? So I don't really have to do anything. This, I think, is going to be a good thing for development. I've read the studies on security code review and it doesn't do a great job, but as far as writing code and developing code and creating APIs, this is all developers have to do now. So, a lot of people, and this is kind of a side AI rant, you're going to go from creators to editors, because this is not necessarily the final draft; this is a first draft, and then people are going to go edit it to use it for whatever their use case is. In fact, developers can take this code, put it in, test it out, and if they get errors they can just put those errors in and then it'll rewrite it for them as well. So this actually, I think, helps security and development as far as keeping developers from the Stack Overflow where they're going to the first answer that says "turn off the security feature and everything works." Well, of course, yeah, and then five comments down it's like, no, you can't do that, you're going to turn off security. I think AI does a pretty good job; it's going to increase the quality of code that we see, but it's also going to increase the amount of code we're going to see. So APIs are going to continue to grow, as well as any sort of development code.

Which leads me to who's using the APIs. Right now it's only half of developers, or half of the respondents using APIs were developers, and this is again from the Postman State of the API report. Security: if you have a keen eye there, security got beat by CTOs and CEOs. So that's a little bit concerning, but this also explains why we have had a massive increase in APIs within the space, right? As a lot more people are using it because it's a lot more accessible. That video I just showed, a minute 20 seconds, that's how long it took for me to spin up an API, or at least create an API.

With that, we'll now dive into how to secure APIs. None of this should be a shocker if you've been in the security space for a long time. Inventory: you've got to know where your APIs are at to actually be able to secure them. There is no silver bullet for finding APIs either. The vendors will tell you, but really they're just using a different technique. What I always recommend is work with the development group, and that doesn't account for all your APIs, by the way, because the developers sometimes don't know where their APIs are at, because developers come in and then they end up leaving. But work with the development team; I think a collaborative effort, and you'll see, I'll show you some of, like, the Postman report, what they consider their top security concerns; they align pretty well. You can look for Postman and Swagger files in the repos to get access to the code. You can still look into the code to find stuff; that's if you have all the code in one repository, you might have to go to five different ones. Pentesters are really good at finding this stuff, right? If you're a pentester, one of your first steps is to recon the environment. So pentesters, you have a better understanding of the environment than the people that actually run the environment. And that's what a lot of security vendors are actually just doing: they are just running a word list using, like, Burp Suite or ZAP against the environment, looking for the names that you would find in API documentation, for those URLs. That's literally all they're doing. You can probably go to GitHub and find a word list; if not, I'll have AI write one for you. Vulnerability management too: if you have a pretty good vulnerability management program, you can go there to look for any sort of servers that might be a web server, which might indicate that there's APIs on there. EDR and your SIEMs, which have a lot of the logging and stuff, you can look in there for, like, traffic, which is another approach that some of the security tooling vendors take: they are just going to tap into your network traffic and look for anybody interacting with the APIs. And then of course, again, like I said, work with your development group. They have a tool called the API management platform that allows them to collect, inventory, and log all their APIs.

Requirements and specifications: those are the two NIST standards there that have some form of API in them, if you're a NIST person. I also like pointing back to development; the OpenAPI specification talks a lot about auth. You'll have the Open Web Application Security Project, OWASP; that's pretty standard. They've got cheat sheets and the top 10. Normally I'd let you read through this, but I'm not going to; I'm just going to blow through it. Authentication and authorization are four of the top five, so that's your actual issue with APIs: it's more about configuration. Do people have actual proper authentication and authorization? If you go back to the bottom there, it's more access issues. Server-side request forgery, which I would also argue is an authorization issue, is kind of your injection there, right? Misconfiguration, and then I also love that they just call out that people don't know where their APIs are or not.

So those top 10 align with development, which they recognize: improper authentication and authorization, insecure data leak, and then business logic flaws, right? Business logic flaws are going to be something like, for example, a retail company has a coupon code that people can use; if that coupon code is not expired properly, people can check out over and over with the same coupon code, thus costing the business a lot of money. So, oh, before we get into that, I love at the bottom too: we don't know where APIs are at. So even the developers don't know where they're at, right?

But go back to the business logic flaw. This is why I like threat modeling. You can use threat modeling at the early stages of a project in development. You can also, I found, I've used threat modeling afterwards too, to help document and really understand what is going on with a system; that can include APIs within development. I've also used it in several IT projects as well, so it's pretty effective. You can look for authentication, authorization, caching strategy, error handling, validation. All you're really doing is drawing a diagram on a whiteboard. Since the pandemic, all the different meeting, video conferencing stuff has whiteboards on it now: Teams, Zoom, whatever. And really you're just drawing squares and arrows. I've messed with all of them; I've used the basic stuff in there, always looking for something better. And then once you draw the diagram, you're just really attacking it: what can go wrong with this? Threat Modeling by Adam Shostack is the book that I recommend if you're looking to get into threat modeling. What's the name? Threat Modeling by Adam Shostack.

Manual testing, again, you want to do prior to release. Business logic, like, that's where pentesters can really try to mess with the business logic flaw stuff. I've had pentest teams; what they've usually looked for is tokens, credentials within the API, which leads to other issues as far as privilege escalation and compromising accounts. And then of course injection; you want to do fuzzing. Look for any sort of non-resource constraints, right? That's another attack: if your API is open and it spins up new resources in the cloud and someone's just hammering it, you might end up getting a really big bill from your cloud provider.

So let's talk about tooling real quick. Let's see, you can't see that. All right, so down here, that's API security; the rest of it is the API landscape for development, right? So it's still pretty massive, but API security is a small thing when we're talking about tooling. You can still do your basic application security program stuff: static application security testing, dynamic application security testing. If you want to know more about that stuff, come talk to me afterwards. Software composition analysis, and then, as I mentioned, having things pushed into the API management console. If your dev team has that, you can really align with them and get them to push APIs into that, right? And then security doesn't have to own another tool; that's under development.

So let's talk about the API security tooling landscape, because I think this is important. It's not a silver bullet; it's still a maturing space. A lot of vendors pivoted from bot detection into the API space. If you have nightmares about running a web application firewall, security tooling is a web application firewall; that's one approach for stuff, right? So now you're not necessarily talking about application security, you're talking about network security, and then your security operations center, because those tools will create alerts based on actual usage within the API. But that's also a way that you can find APIs, like I mentioned before. The other way that I've seen tooling do it is that they will actually test within the development life cycle, so they have testing focused on that. I'll call out the one vendor that I've seen doing that, but some of the other ones are just doing the WAF base and they have, like, a side testing for it. Again, you can come talk to me after the talk if you want to learn more about the vendor space here. I don't endorse any specific vendors. This is from the OWASP page for API vendors. Some of the big names there: Noname, Salt, Synopsys, and pra, Traceable. Apigee is Google's API management platform, so I just wanted to call that out. The interesting tech I've seen: 42Crunch, that's the one that tests within the developers' pipeline; that's their jam. They're not looking to do any sort of WAF stuff. And then I've never heard of vehle security replays; interested to learn more about that stuff.

Resources for APIs. I read the Google API report. We have the Postman State of the API report from 2022 and 23. There are vulnerable APIs out there if you need to have your pentesters or people testing your stuff, or you want to learn more about actually attacking it, and that is just one of the many. There's also one called B... I don't want to bog down the slides with this. I have a site called exploresec.com, API; all the resources, you know, we'll dive into some of that stuff there, but from this conference and other conferences I'll have stuff there as well. So if you need to refer back to that stuff, I have my own website spun up, stood up, for that. And then of course OWASP, which we've already talked about. I of course had to go to AI because I'm just really interested in AI right now. There are two books: API Security in Action, oh, two "in Action." 42Crunch had an apisecurity.io newsletter, which was interesting; it had some pretty good stuff on there. Pluralsight I always recommend as far as just general IT and security training. Google Scholar, arXiv.org.

With that, questions. I think we have, what, a minute? Two minutes per question? Three, four? Three or four. Any questions on API security?

Since they're in that, most of the time I've gone over API stuff, people always talk about your developers. What we've got is a customer, an internal customer, who wants to buy an application that has an API out to the vendor back in somehow. How do I validate that it's secure?

So you're talking about third party risk at that point, right? Yeah. So I mean, that's where your vendor management, you have to ask the right questions, and you're asking about how are they doing development on that stuff, does security get involved in that. You also can potentially have, so I had an internal team where, if you have your own pentesters, you could have them go test the API, if the company's willing to, right? It kind of depends on the scenario; some of the bigger players are going to be like, no, go away, here's your third... You can ask for a pentest report as well. But that's kind of the way you can really have some sort of assurance. Does that answer your question? I mean, it's fairly simple, right? It's just checking to see if they're doing the right things, and then if you can test it. I would recommend, if you have internal pentesters, or just even ask for a third party pentest that shows that they've tested that. Any other question? Yes, sir.

No, actually, just building on that question: if the vendor provides, like, a specification and they don't mention anything about transport layer security, it's already a red flag, because that means you have to roll it yourself, right? So they already failed pentest number one.

Yeah, yeah, good point, yep.

So we do have a couple of prizes that we want to give away. Do you have a question or two for the audience that we might be able to see if anybody can get right? How many? How many? Two. We have two. The first is a USB Wi-Fi adapter. We have a Black Hat GraphQL, look at that, that is a beefy book. And then what is this? I got two questions, do you want one of these? Which one do you want? This one? Okay, you want the book, Black Hat GraphQL. Look, we've solved this very easily. Fine, did you have a question?

Well, so an API basically is a security tool between the user and the program, pretty much, right? I mean, it could be used as such, right?

Well, I mean, I think it goes back to, like I said, I think API security is an advancement; it's better for security because, again, you're eliminating a lot of vulnerabilities, because with an API you're defining how someone should come in and use it. Now, that doesn't mean there's not abuse cases, but it does improve security overall.

Isn't an API basically a mediator between the user and the external code?

Yes, yeah. So I mean, going back to the restaurant example, right, it's like your waiter, so that would be the way you're communicating to the restaurant that I want this.

Yeah, and later we carry all the... All right, we are out of time. Please get with Tim if you have any other questions, but let's give Tim a round of applause.

Contact information, I got... Thank you, sir.
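The coupon business logic flaw and the authorization issues the talk raises, as an added example that is not part of the talk or the speaker's material: a coupon-redemption handler with the flaw the speaker describes (a coupon that is never expired or consumed can be applied at checkout over and over) next to a hardened version that also checks the caller owns the order. The Coupon and Order classes, make_store, the handler names and all sample data are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import threading

@dataclass
class Coupon:
    code: str
    discount: int                # whole currency units off the order total
    expires_at: datetime
    max_uses_per_customer: int = 1
    uses: dict = field(default_factory=dict)   # customer_id -> redemptions

@dataclass
class Order:
    order_id: str
    customer_id: str
    total: int
    coupon_applied: Optional[str] = None

NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)   # constructed clock for the demo

def make_store():
    """Constructed sample data: one live coupon, one expired coupon, three orders."""
    coupons = {
        "SAVE20": Coupon("SAVE20", 20, NOW + timedelta(days=7)),
        "OLD10": Coupon("OLD10", 10, NOW - timedelta(days=1)),
    }
    orders = {
        "o-1": Order("o-1", "alice", 100),
        "o-2": Order("o-2", "bob", 50),
        "o-3": Order("o-3", "alice", 40),
    }
    return coupons, orders

def apply_coupon_vulnerable(store, order_id, code):
    """The flaw the talk describes: the handler only checks that the code exists.
    Nothing ties the request to the order's owner, nothing checks expiry, and
    nothing records the redemption, so the same code can be applied to the
    same order over and over."""
    coupons, orders = store
    order = orders[order_id]
    order.total -= coupons[code].discount
    return order.total

_lock = threading.Lock()

def apply_coupon_hardened(store, caller_id, order_id, code, now=NOW):
    """Hardened handler. Returns (ok, reason, order_total)."""
    coupons, orders = store
    with _lock:  # check-and-consume is atomic, so two racing requests can't both win
        order = orders.get(order_id)
        # Authorization first: the caller must own the order (object-level check).
        # Missing and foreign orders get the same reply so order ids can't be probed.
        if order is None or order.customer_id != caller_id:
            return (False, "order_not_found", None)
        coupon = coupons.get(code)
        if coupon is None or now >= coupon.expires_at:
            return (False, "coupon_invalid", order.total)
        if order.coupon_applied is not None:
            return (False, "coupon_already_applied", order.total)
        if coupon.uses.get(caller_id, 0) >= coupon.max_uses_per_customer:
            return (False, "coupon_exhausted", order.total)
        # Record the redemption before handing out the discount.
        coupon.uses[caller_id] = coupon.uses.get(caller_id, 0) + 1
        order.coupon_applied = code
        order.total = max(0, order.total - coupon.discount)
        return (True, "applied", order.total)

if __name__ == "__main__":
    store = make_store()
    print([apply_coupon_vulnerable(store, "o-1", "SAVE20") for _ in range(3)])
    store = make_store()
    print(apply_coupon_hardened(store, "alice", "o-1", "SAVE20"))
    print(apply_coupon_hardened(store, "alice", "o-1", "SAVE20"))
    print(apply_coupon_hardened(store, "alice", "o-3", "SAVE20"))
    print(apply_coupon_hardened(store, "alice", "o-2", "SAVE20"))
```

The vulnerable handler keeps subtracting the discount on every call, which is the repeated-checkout cost the speaker warns about; the hardened one refuses a second application, a second order by the same customer, an expired or unknown code, and any order the caller does not own.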