Digital Transformation and API Threats and Controls, presented by Jean-Michel Kaoukabani

Post on 25-Dec-2021


Page 1: Digital Transformation and API Threats and Controls

Digital Transformation and API Threats and Controls

Presented by Jean-Michel Kaoukabani

Page 2

JEAN-MICHEL KAOUKABANI

Head of Information Security Department

Previous positions: Head of IT Audit, Head of MIS

Lecturer (Master in Systems and Network Security)

Lecturer, Information Security course

Email: Jm@jmkawkabani,com

Security Blog: https://securerika.org

Page 3

OUTLINE

API and digital transformation

API concerns

API major breaches

The API pain

API top ten vulnerabilities

API controls

Page 4

API & DIGITAL TRANSFORMATION

The API concept goes back to the 1940s.

The first use cases appeared in the late 1990s and between 2000 and 2008.

Drivers

Digital transformation initiatives

Cloud migrations

Internet of Things

Platform and systems integration

Developer access enables innovative ideas and new services

Efficiency in meeting evolving customer needs

Reusability and sharing of resources (e.g. PSD2)

Collaboration

Integration with vendor services

API traffic represents around 80% of all Internet traffic.

Page 5

API CONCERNS

(Chart; sources: Security Magazine, Salt Security Q3 2021)

Page 6

API CONCERNS

(Chart; source: Salt Security Q3 2021)

Security remains the biggest concern for companies.

Customers are slowing the rollout of new applications into production because of API security concerns.

Page 7

API CONCERNS

(Chart; source: Salt Security Q3 2021)

Page 8

API MAJOR BREACHES

Sample of big companies exposed to API data breaches in 2020:

Microsoft Teams

Twitter

Uber

VMware

YouTube

Tesla

Amazon AWS

GitLab

Mercedes

MGM

Cisco

Google Analytics and Firebase

Starbucks

Apple

SoundCloud

... and the list is much longer!

Turning points

2018

1. GDPR and the Cambridge Analytica scandal

2. British Airways: PII of 380K customers, plus a fine of over 183 million pounds

2021

Facebook leak of 533 million accounts

Clubhouse

Office 365 JWT tokens

iPhone automatic recorder S3 storage

Nox Player (Android emulator) update

https://apisecurity.io/

https://www.cloudvector.com/api-data-breaches-in-2020/

Page 9

WHAT'S THE API PAIN?

Lack of strategy, resources and budget

Zombie APIs

Lack of visibility (which APIs expose PII)

Security inhibition

The assumption that authentication and authorization controls are enough to secure APIs is an illusion.

Most WAFs and API gateway solutions lack the ability to build context or correlate activity, so they cannot detect API attacks. Business logic flaws require additional controls.

Page 10

API TOP TEN VULNERABILITIES (OWASP)

1. Broken Object Level Authorization

2. Broken User Authentication

3. Excessive Data Exposure

4. Lack of Resources & Rate Limiting

5. Broken Function Level Authorization

6. Mass Assignment

7. Security Misconfiguration

8. Injection

9. Improper Assets Management

10. Insufficient Logging & Monitoring

Page 11

API TOP TEN VULNERABILITIES (OWASP)

Let's dissect the Facebook data leak and link it to OWASP:

1. API to find "friends" by contacts' phone numbers

2. Attackers submitted generated number ranges

3. Entries were accepted per call

4. Leaked data included names, Facebook IDs, phone numbers and emails

Vulnerabilities exploited:

1. Broken Object Level Authorization

2. Excessive Data Exposure

3. Lack of Resources & Rate Limiting

Recommended controls:

Enforce authorization, limits on payloads, rate limiting and monitoring.

Page 12

API CONTROLS

• Secure coding and awareness (OWASP framework)

• Thorough testing (security and business logic) throughout the whole lifecycle

• Runtime protection

• Adopt a strategy with trained resources and a budget

• Lifecycle management (inventory, eliminate zombies, identify APIs that expose PII)

• Combat low-and-slow attacks with active monitoring

OPPORTUNITIES FOR IMPROVEMENT

• Increase the efficiency of WAFs and API gateways

• Use AI and ML to augment runtime security

OWASP METHODOLOGY

Page 13

API CONTROLS (OWASP)

FOR DEVELOPERS

Education

Security requirements

Security architecture

Standard security controls

Secure Software Development Life Cycle

Page 14

API CONTROLS (OWASP)

FOR DEVSECOPS

Understand the threat model

Understand the SDLC

Testing strategies

Work closely with developers and operations

Focus on functionality but also on orchestration

Communication of findings and follow-up

Page 15

API CONTROLS (TECHNICAL)

Control the authorization process

Enforce strong passwords

Detect bots and brute force attempts and prevent them

Never rely on the client to filter sensitive data

Where possible, use MFA

Use IAM

API keys should be used for client application authentication, not for user authentication

Use Docker containers (limit memory, CPU, ...)

Put limits on API calls

Define a maximum size for data and control the data type

Enforce a "Deny All" access policy

Whitelist/blacklist properties

Security hardening (server, applications)

Secure protocols and certificate pinning where possible

Limit the number of returned records

Apply strict patterns to all string parameters

Inventory, documentation and risk analysis on a regular basis

Log all failed authentication attempts

Log all input validation errors and analyse them

Regular vulnerability scanning

Pentest
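A minimal contact-lookup handler, added here as an example that is not part of the original deck, showing the controls recommended on Page 11 for the Facebook-style "find friends by phone number" lookup together with several of the technical controls on Page 15: per-client rate limiting, a payload limit, a strict pattern for the string parameter, a minimal response that never returns profile fields, and logging of rejected calls for monitoring. The user store, client identifiers and limit values are constructed placeholders.

```python
import re
import time
from collections import defaultdict, deque

# Constructed sample user store (placeholder data, not real accounts).
USERS = {
    "+15550000001": {"id": 1001, "name": "Alice", "email": "alice@example.invalid"},
    "+15550000002": {"id": 1002, "name": "Bob", "email": "bob@example.invalid"},
}

PHONE_RE = re.compile(r"\+[1-9]\d{7,14}")  # strict pattern for the string parameter
MAX_NUMBERS_PER_CALL = 20                   # payload limit per request (assumed value)
RATE_LIMIT = 5                              # calls per client per window (assumed value)
WINDOW_SECONDS = 60
_calls = defaultdict(deque)                 # client_id -> timestamps of recent calls
audit_log = []                              # rejected-call events to feed monitoring


def _allowed(client_id, now):
    """Sliding-window rate limiter keyed by the authenticated client."""
    q = _calls[client_id]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def find_contacts(client_id, numbers, now=None):
    """Contact lookup with rate limiting, a payload limit, strict input
    validation, minimal response fields and logging of rejected calls."""
    now = time.time() if now is None else now
    if not _allowed(client_id, now):
        audit_log.append(("rate_limited", client_id))
        return {"status": 429, "matches": []}
    if not isinstance(numbers, list) or len(numbers) > MAX_NUMBERS_PER_CALL:
        audit_log.append(("payload_too_large", client_id))
        return {"status": 413, "matches": []}
    bad = [n for n in numbers if not isinstance(n, str) or not PHONE_RE.fullmatch(n)]
    if bad:
        audit_log.append(("invalid_input", client_id, len(bad)))
        return {"status": 400, "matches": []}
    # Return only what the feature needs (which submitted contacts are users),
    # never profile fields such as id, name or email.
    return {"status": 200, "matches": [n for n in numbers if n in USERS]}
```

Entries in audit_log are the kind of signal the deck's "log all input validation errors and analyse them" and "combat low-and-slow attacks with active monitoring" controls depend on.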

Page 16

THANK YOU