Digital Transformation and API Threats and Controls
Transcript of Digital Transformation and API Threats and Controls
Digital Transformation and API Threats and Controls
Presented by
Jean-Michel Kaoukabani
JEAN-MICHEL KAOUKABANI
Head of Information Security Department
Previous positions: Head of IT audit, Head of MIS
Lecturer (Master in Systems and Network Security)
Lecturer-Information Security course
Email: Jm@jmkawkabani.com Security Blog: https://securerika.org
OUTLINE
API and digital transformation
API concerns
Major API breaches
The API pain
API Top Ten vulnerabilities
API controls
API & DIGITAL TRANSFORMATION
The API concept goes back to the 1940s.
The first use cases appeared in the late 1990s, and adoption grew from 2000 to 2008.
Drivers
Digital Transformation initiatives
Cloud Migrations
Internet of things
Platform and systems integration
Developer access enables innovative ideas and new services
Efficient response to evolving customer needs
Reusability and sharing of resources (e.g. PSD2)
Collaboration
Integration with vendor services
API traffic represents around 80% of all Internet traffic
Source: Security Magazine
Source: Salt Security Q3 2021
API CONCERNS
Source: Salt Security Q3 2021
Security remains the biggest concern for companies
Customers are slowing rollout of new applications into production because of API security concerns
API CONCERNS
Sample of big companies exposed to API data breaches in 2020.
Microsoft Teams
Uber
VMware
YouTube
Tesla
Amazon AWS
GitLab
Mercedes
MGM
Cisco
Google Analytics and Firebase
Starbucks
Apple
SoundCloud
... and the list is much longer!
API MAJOR BREACHES
Turning points
2018
1. GDPR and Cambridge Analytica scandal
2. British Airways: PII of 380K customers exposed, plus a proposed fine of over 183 million pounds
2021
Facebook leak of 533 million accounts
Clubhouse
Office 365 JWT tokens
Automatic Call Recorder (iPhone app) S3 storage exposure
NoxPlayer (Android emulator) update mechanism
https://apisecurity.io/
https://www.cloudvector.com/api-data-breaches-in-2020/
WHAT’S THE API PAIN?
Lack of strategy, resources and budget
Zombie APIs (old or forgotten endpoints that remain exposed)
Lack of visibility (which APIs expose PII)
Security as an inhibitor (rollouts slowed by API security concerns)
The assumption that authentication and authorization controls alone are enough to secure APIs is an illusion.
Most WAFs and API gateway solutions lack the ability to build context or correlate activity across requests, so they cannot detect API attacks that abuse business logic. Business logic flaws require additional controls.
OWASP API SECURITY TOP TEN VULNERABILITIES (2019)
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
OWASP API TOP TEN: DISSECTING THE FACEBOOK DATA LEAK
Let's dissect the Facebook data leak and link it to the OWASP API Top Ten:
1. API to find “friends” by contacts’ phone numbers
2. Attackers submit generated number ranges
3. Large batches of numbers were accepted per call, with no payload limit or rate limiting
4. Leaked data includes names, Facebook IDs, phone numbers, emails
Vulnerabilities exploited:
1. Broken Object Level Authorization
2. Excessive Data Exposure
3. Lack of Resources & Rate Limiting
Recommended Controls:
Enforce authorization, limits on payloads, rate limiting, monitoring.
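The following Python code is an added example, not part of the slides, modelling the "find friends by phone number" flow behind the Facebook leak. `lookup_vulnerable` reproduces the three weaknesses listed above (no object-level authorization on who may be discovered, every record field returned, no payload or rate limit); `HardenedContactLookup` applies the recommended controls. The user directory, client identifiers and phone numbers are constructed sample data.

```python
import re
import time
from dataclasses import dataclass, field

# Constructed sample directory (hypothetical users, not real data).
USERS = {
    "+15550000101": {"id": 1001, "name": "Alice", "email": "alice@example.com", "discoverable": True},
    "+15550000102": {"id": 1002, "name": "Bob", "email": "bob@example.com", "discoverable": False},
    "+15550000103": {"id": 1003, "name": "Carol", "email": "carol@example.com", "discoverable": True},
}

# Strict pattern for the only string parameter: an E.164 phone number.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def lookup_vulnerable(numbers):
    """Weak endpoint, as in the leak: any batch size, no rate limit, no opt-in
    check, and the full record (internal ID, email) returned for every hit."""
    return [USERS[n] for n in numbers if n in USERS]


class RateLimitError(Exception):
    pass


class PayloadTooLarge(Exception):
    pass


class InvalidInput(Exception):
    pass


@dataclass
class HardenedContactLookup:
    """Same feature with the slide's recommended controls applied."""
    max_batch: int = 100          # limit on payload size (numbers per call)
    max_calls: int = 5            # rate limit: calls per client ...
    window_s: float = 3600.0      # ... per sliding window
    _calls: dict = field(default_factory=dict)

    def _check_rate(self, client_id, now):
        recent = [t for t in self._calls.get(client_id, []) if now - t < self.window_s]
        if len(recent) >= self.max_calls:
            raise RateLimitError(client_id)   # also the event to alert on
        recent.append(now)
        self._calls[client_id] = recent

    def lookup(self, client_id, numbers, now=None):
        now = time.time() if now is None else now
        self._check_rate(client_id, now)            # rate limiting
        if len(numbers) > self.max_batch:           # payload limit
            raise PayloadTooLarge(len(numbers))
        for n in numbers:                           # strict input pattern
            if not isinstance(n, str) or not E164.match(n):
                raise InvalidInput(n)
        # Authorization: only users who opted into phone discovery are matched,
        # and only a minimal public field set is returned (no email, no internal ID).
        return [{"phone": n, "name": u["name"]}
                for n in numbers if (u := USERS.get(n)) and u["discoverable"]]


def enumeration_range(start=100, count=100):
    """Attacker-style generated number range (step 2 of the leak)."""
    return [f"+1555000{i:04d}" for i in range(start, start + count)]


if __name__ == "__main__":
    print(lookup_vulnerable(enumeration_range()))   # every record, Bob's email included
    api = HardenedContactLookup(max_batch=50, max_calls=2)
    try:
        api.lookup("scraper", enumeration_range(count=10_000))
    except PayloadTooLarge as e:
        print("rejected oversized batch of", e)
```

Each control alone is weak: a scraper can stay under the rate limit with many client identities, and a batch limit only slows the enumeration. Together with opt-in discoverability and the minimal field set, they cap what any one abusive client can learn and make the abuse visible in the logs.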
API CONTROLS
• Secure Coding and Awareness (OWASP Framework)
• Thorough testing (security and business logic) during all the lifecycle
• Runtime protection
• Adopt a strategy with trained resources and a budget
• Lifecycle management (inventory, eliminate zombie APIs, identify APIs that expose PII)
• Combat low-and-slow attacks with active monitoring.
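The Python code below is an added example (not from the slides) of the active monitoring the last point calls for, and of the correlation gap described under "the API pain": a scraper that walks sequential object IDs once every 90 seconds never exceeds a per-minute rate limit, but correlating each client's distinct IDs over the whole log exposes it. The log lines are constructed, and the assumed layout is "timestamp client method path status".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log layout: "<ISO timestamp> <client> <method> <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
OBJ_RE = re.compile(r"^/api/v1/users/(\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample: a chatty but legitimate client that re-reads the same
    three objects, and a scraper that walks sequential IDs once every 90 s."""
    base = datetime(2021, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(100):                      # 100 requests in 200 s, 3 distinct IDs
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.strftime(TS_FMT)} 10.0.0.5 GET /api/v1/users/{1001 + i % 3} 200")
    for i in range(300):                      # 300 requests over 7.5 h, 300 distinct IDs
        t = base + timedelta(seconds=90 * i)
        lines.append(f"{t.strftime(TS_FMT)} 203.0.113.7 GET /api/v1/users/{5000 + i} 200")
    return "\n".join(lines)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        epoch = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc).timestamp()
        events.append({"ts": epoch, "client": client, "method": method,
                       "path": path, "status": int(status)})
    return events


def peak_requests_per_minute(events, client):
    """Highest request count for one client in any 60 s window, which is all a
    simple rate limiter or per-request WAF rule gets to see."""
    times = sorted(e["ts"] for e in events if e["client"] == client)
    peak = start = 0
    for end in range(len(times)):
        while times[end] - times[start] >= 60:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def rate_limited_clients(events, limit=60):
    return {c for c in {e["client"] for e in events}
            if peak_requests_per_minute(events, c) > limit}


def detect_enumeration(events, min_distinct=50, min_sequential_ratio=0.8):
    """Correlate across the whole log: many distinct object IDs per client, mostly
    consecutive, flags an enumeration regardless of request rate."""
    ids = defaultdict(set)
    for e in events:
        m = OBJ_RE.match(e["path"])
        if m:
            ids[e["client"]].add(int(m.group(1)))
    flagged = {}
    for client, seen in ids.items():
        if len(seen) < min_distinct:
            continue
        ordered = sorted(seen)
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = consecutive / (len(ordered) - 1)
        if ratio >= min_sequential_ratio:
            flagged[client] = {"distinct_ids": len(seen), "sequential_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("over 60 req/min:", rate_limited_clients(evts))   # nothing fires
    print("enumeration:", detect_enumeration(evts))         # the scraper
```

The thresholds (50 distinct IDs, 80% consecutive) are starting points for tuning against legitimate traffic; the point is the window: hours or days of per-client state rather than the single request a gateway rule evaluates.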
OPPORTUNITIES FOR IMPROVEMENT
• Increase the effectiveness of WAFs and API gateways
• Use AI and ML to augment runtime security
OWASP METHODOLOGY
API CONTROLS FOR DEVELOPERS
Education
Security requirements
Security Architecture
Standard security controls
Secure Software Development Life Cycle
API CONTROLS FOR DEVSECOPS
Understand the threat model
Understand the SDLC
Testing strategies
Work closely with developers and operations
Focus on functionality but also on orchestration
Communication of findings and follow-up
API CONTROLS (TECHNICAL)
Control the authorization process
Enforce strong passwords
Detect bots and brute-force attempts and prevent them
Never rely on the client to filter sensitive data
Where possible use MFA
Use IAM
API keys should not be used for user authentication but for client app authentication
Use Docker containers with limits on memory, CPU, etc.
Put limits on API calls
Define a maximum size for data and control its type
Enforce a "deny all" default access policy
Whitelist/blacklist properties (to prevent mass assignment)
Security hardening (server, applications)
Secure protocols and certificate pinning where possible
Limit the number of returned records
Apply strict patterns for all string parameters
Inventory, documentation and risk analysis on a regular basis
Log all failed authentication attempts
Log all input validation errors and analyse them
Regular Vulnerability scanning
Pentest
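As an added example (Python, not from the slides), the request validator below implements several of the technical controls listed above in one place: a whitelist of client-writable properties with a deny-all default for anything else (mass assignment), a maximum data size with strict type control, strict patterns for all string parameters, a hard cap on the number of returned records, and logging of every input validation error for later analysis. The schema, field names, limits and sample payloads are constructed for the example.

```python
import json
import re

# Whitelist of client-writable properties with type, size and pattern rules.
# Server-controlled fields (role, is_admin, balance) are deliberately absent,
# so any attempt to set them is refused by the deny-all default below.
USER_UPDATE_SCHEMA = {
    "display_name": {"type": str, "max_len": 40,
                     "pattern": re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")},
    "email": {"type": str, "max_len": 254,
              "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")},
    "newsletter": {"type": bool},
}
MAX_BODY_BYTES = 4096      # maximum size for request data
MAX_PAGE_SIZE = 100        # hard cap on returned records

VALIDATION_LOG = []        # every rejected input, kept for analysis


class ValidationError(ValueError):
    pass


def _reject(reason, **context):
    """Log the failure with its context, then refuse the request."""
    VALIDATION_LOG.append({"reason": reason, **context})
    raise ValidationError(reason)


def validate_update(raw_body, schema=USER_UPDATE_SCHEMA):
    """Return the validated JSON object for a profile update, or raise."""
    if len(raw_body) > MAX_BODY_BYTES:
        _reject("body too large", size=len(raw_body))
    try:
        data = json.loads(raw_body)
    except ValueError:
        _reject("malformed json")
    if not isinstance(data, dict):
        _reject("body is not an object")
    unknown = set(data) - set(schema)          # deny all: unlisted properties fail
    if unknown:
        _reject("unknown properties", fields=sorted(unknown))
    for name, value in data.items():
        rule = schema[name]
        if type(value) is not rule["type"]:    # strict: no 1 for true, no "1" for 1
            _reject("wrong type", field=name)
        if rule["type"] is str:
            if len(value) > rule["max_len"]:
                _reject("too long", field=name)
            if not rule["pattern"].match(value):
                _reject("pattern mismatch", field=name)
    return data


def clamp_page_size(requested, default=20, maximum=MAX_PAGE_SIZE):
    """Limit the number of returned records whatever the client asked for."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, maximum))


def failures_by_reason(log=VALIDATION_LOG):
    """Analysis of the validation log: how often each rejection fired."""
    counts = {}
    for entry in log:
        counts[entry["reason"]] = counts.get(entry["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    print(validate_update(b'{"display_name": "alice_1", "newsletter": true}'))
    for bad in (b'{"display_name": "x", "is_admin": true}', b'{"newsletter": 1}'):
        try:
            validate_update(bad)
        except ValidationError as e:
            print("rejected:", e)
    print(failures_by_reason())
```

Rejecting unknown properties rather than silently dropping them is what makes the log useful: a burst of "unknown properties" entries naming `is_admin` or `role` is a probe for mass assignment and belongs in the monitoring pipeline alongside failed authentication attempts.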
THANK YOU