
I started by accident, right? I was just like, I left a consulting firm, I went to work at a new company. My old company, I said to them, "How much notice do you need?" and they're like, "Whoa, [ __ ], if you can do..." Excuse me, this talk is going to be about PG-13; I'll let you know if it gets to R. But, uh, so they said, "You know, if you can do stuff on the side, you can leave in two weeks. We'll finish some projects, you'll do some stuff, that'll be great." So I went to my new boss and I said, "Hey man, you know, is it possible for me to do some stuff on the side?" and he's like, "I don't know," and he went and he negotiated with HR to get me an exception, right, which is crazy because I was working for Bank of America. So the Monday I started at Bank of America, that night I started as Secure Ideas. And the plan was just to have a really great Christmas for my family, like make a little bit of money, stop, not do it anymore, like help the company transition. That was 12 years ago and 26 staff members, so I'm not exactly sure how that plan worked.

But sometime in like December I had a guy call me and he's like, "Hey Kevin, do you know anybody who would be interested in sponsoring this conference?" and I'm like, "Me. How much is it?" And he told me it was a conference out in DC. I'm like, "Oh yeah, cool." So I paid him the money, signed the contract, all that kind of stuff. About two weeks later the dude calls me up and he's like, "Hey Kevin, do you have a logo? We need a logo for the website, like, that you're sponsoring," and I'm like, "A logo? [ __ ], you're right, I need a logo. Like, if I want to be a real business, right? Like I'm gonna be a big boy when I'm older, right, whatever, right? I need a logo." So I created our logo and I was so proud of this. Like, let me be very clear, I am not artistic, okay? I go to museums and go, "Huh, that's a snow shovel," and they're like, "No, it's art." That's real art in New York: it's a snow shovel hanging from the ceiling. I don't understand it. I think it came from Ace Hardware. But so I build the logo, then I go out
to the conference and I'm really proud of myself, right? Like, I got a real business card, I'm real. And I go and I see a friend of mine; he and I are going to speak together, Tom Eston. That guy is so smart. And so we're going to do this presentation, and I said, "Man, hey, here's my card," and I handed him my business card, right, like I'm all excited, and he looks at it and he says to me, "Hey Kevin, why do you have the KeyBank logo on your business card?" And I went, "I don't have the KeyBank logo on my business card." He's like, "Yeah, you do," and he pulls out an ATM card and I'm like, "[ __ ], I have the KeyBank logo on my business card." So we hired somebody at Logo Design Guru to create the lock with the light bulb. So that's... this is why me making fun of logos is really not important.

So in case you guys aren't worried, or wondering, um, I'm going to speak on API security for the next hour. Now, if you've ever seen me speak before, or if you've ever met me, you will know what that means is I'm going to tell random things that pop into my head for about an hour and I'm going to hope to keep them all related to API security. But I've already failed at that, because we had an entire conversation about logos, right? But I'm going to do my best.

I'm Kevin, and for the people who don't know, I am the founder of Secure Ideas, right? We are a... I found out recently we are referred to as a "lifestyle business," right? It was just the weirdest name. Like, what do you mean, a lifestyle business? Does that mean I'm a workaholic? And, uh, we are a small boutique pen test company. That's what we do. We don't do IR, we don't do forensics. What we do is we break in, we tell you your baby is ugly, and we go home. And let me be very clear, all babies are ugly. We lie to parents up until the point the kid is like three months old, right? "Oh, your baby's beautiful." No, it's not. It's a barely formed adult, like a person. Their skull has holes in it, they don't have kneecaps, they bend in weird ways and they fall over. They're
ugly. I got two kids. I'll tell you right now, when they were born they handed me, I went, "Oh my God, she's beautiful," and I was wrong. It's just the way it is, right? But about three months they start to become real people and you're like, "Okay, that one's cute, that one not so good, don't ask," right? It happens.

So I'm the founder of Secure Ideas. I'm also an is faculty member. I am an open source fanatic; I run a whole bunch of open source projects. I'm the vice chair of the projects committee for OWASP, which is really not an accomplishment; I don't think anybody else wanted the job. I speak all over the place, which is nuts because I suck at it. Um, and I do some Star Wars stuff. That's me in the costumes. I build screen-accurate Star Wars costumes and then visit kids in the hospital and raise money for charity, right? So my favorite picture up there is the Darth Vader. That's me in the Darth Vader. They brought 300 blind kids in and they had them watch the movie, which I thought was interesting, that they still referred to it... I'm not, I'm not trying to make a joke, like, that was interesting, right? Like how language works, like, "Oh, they watched the movie," and in my head I'm thinking, "No, but... but," right? And then we stood there for three hours and the kids felt what the characters look like. I will acknowledge that I am crying in that helmet. That's why I don't do face characters, right? When you walk into a child's hospital room and they got tubes everywhere and they just light up because Chewbacca showed up, it's worth the fake hair in my eyes, the tap it in right there, right? Like, it is nuts. I recommend it highly. Everybody should join, should, should go out and help, even if you don't want to wear the costumes, right? We need help getting dressed. That sounds wrong a little bit, like, "Hi, could you help me dress?" I'm a little bit of a diva. But, um, right, so, like, and I'm on stilts. Do you know what sucks about those stilts? I'm not coordinated. I am amazed I haven't fallen off of this stage, and it's a flat floor, right? Like I
just suck at things. Like, "Were you in sports?" No, I'm an avid indoorsman.

So what we're going to talk about today is APIs. We're going to talk about some of the different things, the benefits and the risks of how APIs work and how we integrate with them. And I want to be very clear: I named this talk Happy Happy Joy Joy, uh, one, because I thought it was funny; uh, two... uh, okay, let's be clear, one and two were because I thought it was funny. Three was because I want to be very clear that when we finish this talk, when I'm finished telling you my dumb stories, when I tell you about how we broke into that bank, we stole that data, we did this... oh, by the way, please add "with permission" to the end of every one of my stories, right? Because you're like, like, you stand up and you say, "Well, you know what, I was stealing money from this bank." By the way, getting into the vault of a bank: Scrooge McDuck lied to us. Vaults are not that interesting. I was very, very disappointed the first time I went into one, right, or broke into one, I guess, is the right way to say that. Um, one of the things I want you to do is, when you leave here, I do not want you walking out saying, "Oh my God, Kevin scared the [ __ ] out of me, I never want to use APIs," because that is not my message. My message here is APIs are the way of the future, right? They are the way we are moving. Most of our applications, at some level, are using APIs today, and that is not changing. The problem is most of the people that are rolling out APIs don't understand the risks of what they're doing. They don't understand the problems that can happen because of the way they roll out the API. And let's be very clear, we're humans, we suck at risk assessments.

There's a real easy way to tell you this. I was out in Oklahoma, right? I was at a BSides... decent. One of the guys who runs BSides OK is over there, and I keep saying it's BSides OK, like, really? Not BSides Great, BSides Best? I'm just saying, right? BSides Decent, Mediocre. But I'm out there and I say to the audience,
right, I'm like, "Hey, how many of you are actively afraid of sharks?" Like half the hands went up in the room. I'm like, "No, I want to be very clear here. Like, you are actively like, 'Oh my God, I could be attacked by a shark.'" And like half the hands in the room stayed up. And I said, "You all understand you are in a landlocked state. The only way a shark is attacking you is if they are transporting it from one aquarium to another aquarium and you run into that truck." You guys know tornadoes? You know... yeah, yeah, sharks spinning around the earth, right? No. What you should be afraid of is cows and soda machines. Why? Because cows and soda machines kill more people a year than sharks do. Cows will [ __ ] you up. They're big, they're mean, and people think they're... "Oh, it's Betsy, I'll pat it, I'll tip it." No, that cow will knock you over. And the soda machines: nobody has any sympathy for people dying from a soda machine, right? Why did you die from a... like, you get to the Pearly Gates, or whatever the image is you've got in your head, whatever, okay, I'm not judging, right, and the people in the afterlife say to you, "How'd you die?" and they're like, "I was trying to steal change from a soda machine. I pulled it on top of myself." That's what happens. People, like, "I really need a Mountain Dew," and they die. But Discovery Channel doesn't have soda machine week. Why? Because we suck at risk assessments. And as we go through all of the different things with APIs, it's obvious that we look at the benefits, right?

So let's talk about APIs. What is an API? It's a programmatic interface. Isn't that fancy, right? Application programmatic interface. I like polysyllabic words, I do. My favorite word is defenestration. Do you guys know what it means to defenestrate something? Right, throw it out the window. Here's what I want to know: what happened to the English language that it decided it needed a word specifically for throwing something out a window? French Revolution? Is that really what it was? You make it... it sounds good, we'll go with it,
right? Like, hey, what do you call somebody getting thrown off a cliff? Being thrown off a cliff. What do you call somebody being thrown through a window? They were defenestrated, right? It just doesn't make sense to me. My other favorite word is onomatopoeia. What? I know, exactly. It doesn't matter what it means. Canonicalization is another good one. What does it mean? Simplify to its most unique form. But it's not, right?

So application programmatic interfaces: these are interfaces that you can interact with from your application, from your client, from your system, from your device. They are not necessarily designed for a person to interact with them, right? And that's important to understand. And I say it's important to understand because many times when we test APIs, because that's what we do, right? Our job is to break things, and so we regularly test APIs. We have been told by many companies that we are one of the few pen test companies that actually test APIs, right? I don't know that's true. I'd have talked to other pen testers, like, "How did you test that API?" "I ran Nessus against it." Man, you suck. But when we... sorry, man, didn't mean... right, exactly, that's the way it should be, right? That should be a shirt, right? But here's the problem: when people develop them, when they build them, they assume that the other side is another program and so it can be trusted not to be malicious, because those people have obviously never run malware, right? Like, "Oh, people won't interact with this." I did, right? So we have to think about this. And this has become a major portion of what we do on the internet today, and mainly because of integrations, right? These APIs, they are either data sources or functionality. I can send a request to the API and it will do magic and then give me a response of what the results of that magic was. Like, for example, I want to do payment processing. What do I do? I take the cardholder data, I shove it across to an API, the API processes it, talks to the bank, determines whether
they can pay for that, does all that kind of cool stuff, and then I get a "Yep, you can accept the payment," or "You can't," right? That's an API. That's functionality that I don't want to build my... I shouldn't tap the microphone, sorry to whoever was just listening to that, I am so sorry. Um, uh, but I don't want to build my own payment processor, right? My name is Kevin, not MasterCard, thank you. And they don't even really do... whatever, you know what I mean, okay. But so I use the functionality. Or there's data sources, right? I want to build a system that interacts with bank customers. I'm not part of the bank, right, and I want to give them this other functionality, and so I'm going to call the bank's API to get access to customer record data, things like that. We just saw it, what, last week? Optus, the second biggest cell phone provider in Australia, had an API of every customer's sign-up data, including pictures of their ID, right, on an API that did not require authentication, exposed to the internet. An attacker stole a ton of data. So you get data from these things. And then of course you have the third parties, right? We have a client portal. Our client portal is where we deliver reports, we get the data from our customer for the pen test, things like that. And then when we generate the report, we will actually interact with the customer's ticketing system's API to deliver findings to them. They'll get our normal report, but we'll also issue tickets into their Jira system via API. So we have this third-party integration, right? That is kind of nice.

So this is good. So what are the benefits here? Well, they're like bees. I like bees. As a matter of fact, my daughter and I are going to be buying a hive next March when they start selling again, putting bees in our yard, which is way more information than you need. But bees and APIs in my mind are very similar, right? One, nobody believes a bee should be able to fly. Most API code I've looked at shouldn't be able to run. If you've ever written code, you know I'm right, right?
And they go everywhere and they spread pollen, right? It's true. What do APIs do? They go everywhere and they spread data and everything, and that can be good and can be bad, just like bees. If you've ever been stung by a bee, are you allergic to it? That sucks, right? It doesn't make the bee bad. Data being stolen from an API doesn't necessarily make the API bad, right? It's just part of the systems, it's part of the platform. Okay, so that's great and all, but let's start talking about some of the problems, because let's be blunt, the problems are what I break. This is my focus.

I've been involved in IT for way too damn long. I started professionally in 1991. I got my first job right out of high school and I wrote code to help manage the control systems for the power grid, right? This should scare the crap out of you, because that code is still running at some utilities today in 2022. Yes. And let me be very clear, I'm not that good of a programmer now; I sucked in 1991, right? But when I started doing IT, when I started doing, uh, building systems, I built the system. "Hey Kevin, we need a bulletin board system." Some of you are old enough to remember that, right? Okay, you have a BBS, set up a LANtastic network from Artisoft, run coax cables with BNC connectors. I'm old, right? And you managed it. Did I think about security? No, I didn't. When I started writing code for other companies, when I started deploying systems for other companies, I wasn't focused on security. Why? Because, bluntly, I didn't care. And this is sad, because when I was 14 I got involved in freaking red boxes, blue boxes, right? I played around with all that stuff. Of course I never did anything illegal. I think I was doing 95 yesterday as I went past that cop, but that's not true, my car was doing 95.
It drives, I don't. But we look at these systems, and then as we start to roll out, we have to understand the risks. And I said that, right? I talked about sharks, cows, soda machines. If we don't understand the risks that we're dealing with... And I've got a few here, and I want to be very clear, I said some example risks. I want to point that out: this is not a comprehensive list, and all of these risks depend on what your system does. If your API is an API that sends smiley emoji of the day, you probably don't have massive risks. If every single time I call your API it returns a cool Snapple fact from the can cap, right? Do they still do that? Please. You pop it off, there's a little fact on the top of the can or bottle or whatever the hell it's called, right? Yes, I got a yes. So you could build an API that gave Snapple facts, right? Not a lot of risk. But if you're building an API for the open banking infrastructure to help the unbanked in the 12th world countries, I made that number up, right, and your interface is dealing with people's livelihoods, your level of risk is higher.

And we talk about, uh, privacy, availability, yes, availability, it's one of the triad, and for some reason security always forgets it, right? But privacy is the first one. Privacy is dead, but so are mainframes and many companies still have them, right? You know what's dead next? Passwords. Oh yeah, passwords are out. By this time next year nobody's going to have a password. [ __ ], your password's still going to be Winter2023, but with a capital W. Privacy is crazy, and a lot of people don't care about it, right? I actually don't. I'm not a very private person. What do you want to know about me, right? I was diagnosed with OCD. I probably have Tourette's; I'm just not going to go to the doctor to find out, because there's no treatment for it. You want my medical records? I get migraines, I've got bad lungs, this is all being recorded. My Social Security number's on the internet. It is, you can Google it. Luckily, though, when I turned 18 I changed my name to
Kevin Johnson, and that's common, so people can't find me. I'm not as cool as John Strand, who's also named after an underwear model insurrectionist. But by the way, today is John Strand's birthday, so if you could tweet him happy birthday, I'd appreciate it. Um, but privacy is important, and we say that, right? But we share everything we want on Facebook. You know what privacy is, right? It's the cookie pop-up that says "We use cookies, please click here." That is the main effect of GDPR: pop-ups, something we fought for years not to have on websites, GDPR now mandates it. Oh, I feel safer. But even though I'm a very open person, right, I talk about whatever you want to know, ask me a question, I'll tell you, right? I also recognize that privacy is important. I don't care if you know where I bank, VyStar by the way, right? But I do care if you're actively tracking everything I purchase. You don't need to know that I bought that beehive. You don't need to know that I bought bees. It's weird to be able to say that you bought bees. You don't pet them, right? But privacy is important, and here's the issue, and the reason I bring this up when we start talking about APIs, is we start to expose these data points, these functionalities, these transactions. What we end up doing is we end up not understanding what should be private. I mean, it's really easy for some people to go, "Well, I'm under HIPAA," but that person who says "I'm under HIPAA" probably spells it with two P's because they're an idiot, right? Or the other side, right: "We have no HIPAA data." Really? You have no HIPAA data? None. None whatsoever? Nope. Do you offer insurance to your employees? Yes, of course we do. You have HIPAA data, because when I filled out my insurance forms I gave them pre-existing conditions, which meant my company has access to records of my pre-existing conditions. Well, my company is not a HIP... HIPAA, those HIPAA covered entities... well, my company is not a HIPAA covered entity. I have HIPAA data. I may have to worry about the privacy of that data. Plus, what is
private? Let me talk about pen testing. I go break into a company. Four years ago I break into a company, I go wild, I took over all the machines. You actually have to make that face when you're doing it. What you do is, that bypasses Windows Defender and CrowdStrike, and um, it's ju