API Security with Postman and Qualys
1. API Security with Postman and Qualys
Security Solution Architect, Application Security
Qualys, Inc.
2. APIs Are Everywhere
Internet-facing APIs
- Highly exposed
- Greater likelihood of attack
- Constantly being probed
Internal APIs
- Custom / domain-specific
- For employees or contractors
- Often built without security considered
Vendor APIs
- Unknown risk posture
- No access to source code
- Often process critical data
APIs in public clouds
- Cloud provider not responsible for security of your apps and APIs
3. OWASP API Security Top 10
https://owasp.org/www-project-api-security/
API1 Broken Object Level Authorization
API2 Broken User Authentication
API3 Excessive Data Exposure
API4 Lack of Resources & Rate Limiting
API5 Broken Function Level Authorization
API6 Mass Assignment
API7 Security Misconfiguration
API8 Injection
API9 Improper Assets Management
API10 Insufficient Logging & Monitoring
4. OWASP API Security Top 10 - Highlights
API1 Broken Object Level Authorization
API2 Broken User Authentication
API5 Broken Function Level Authorization
6. API5 Broken Function Level Authorization
7. API2 Broken User Authentication
SolarWinds CVE-2020-10148
- Administration bypass
- Lack of authentication
- Request processed before authentication is verified
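As an added illustration of the defect class this slide names (a request processed before authentication is verified), not SolarWinds code and not part of the deck: a small in-memory request pipeline in JavaScript, shown in the vulnerable ordering beside the corrected one. The routes, tokens, users and the handleVulnerable, handleFixed and probe function names are all constructed for the example.

```javascript
// Added example, not from the slide deck and not SolarWinds code: a minimal
// request pipeline showing why "request processed before authentication is
// verified" is a real bypass even when the client finally sees a 401.
// All routes, tokens and users below are constructed for the illustration.

// Constructed credential store: bearer token -> principal.
const VALID_TOKENS = new Map([
  ['tok-alice-admin', { user: 'alice', role: 'admin' }],
]);

// Constructed application state that the admin route mutates.
const state = { users: ['alice'] };

function resetState() {
  state.users = ['alice'];
}

// Constructed routes keyed by "METHOD /path".
const routes = {
  'POST /admin/users': (req) => {
    state.users.push(req.body.name); // the side effect happens here
    return { status: 201, body: { created: req.body.name } };
  },
  'GET /admin/users': () => ({ status: 200, body: { users: [...state.users] } }),
};

// Returns the principal for a valid bearer token, or null.
function authenticate(req) {
  const header = req.headers['authorization'] || '';
  const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : '';
  return VALID_TOKENS.get(token) || null;
}

function dispatch(req) {
  const handler = routes[`${req.method} ${req.path}`];
  return handler ? handler(req) : { status: 404, body: { error: 'not found' } };
}

// Vulnerable ordering: the handler runs first and the auth check only decides
// what the client is told afterwards. A state-changing request has already
// taken effect by the time the 401 is produced.
function handleVulnerable(req) {
  const result = dispatch(req);
  if (!authenticate(req)) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  return result;
}

// Corrected ordering: authentication is a gate in front of all route work.
function handleFixed(req) {
  if (!authenticate(req)) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  return dispatch(req);
}

// What a Postman test or scanner check should assert: not only the status code
// of an unauthenticated write, but whether the write actually happened.
function probeUnauthenticatedWrite(handler) {
  resetState();
  const res = handler({
    method: 'POST',
    path: '/admin/users',
    headers: {},               // no Authorization header at all
    body: { name: 'mallory' }, // constructed
  });
  return { status: res.status, userCreated: state.users.includes('mallory') };
}

// Sanity check that the fixed pipeline still serves an authenticated caller.
function probeAuthenticatedWrite(handler) {
  resetState();
  const res = handler({
    method: 'POST',
    path: '/admin/users',
    headers: { authorization: 'Bearer tok-alice-admin' },
    body: { name: 'bob' },
  });
  return { status: res.status, userCreated: state.users.includes('bob') };
}
```

The point for anyone scripting Postman tests against such an endpoint: both pipelines return 401 to the unauthenticated caller, so a check that stops at the status code passes in both cases. Only a follow-up read of the affected resource (here, the user list) distinguishes the vulnerable ordering from the fixed one.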
10. Note on API8 Injection
- Frequently, practitioners feel that XSS attacks are not valid for APIs because the responses are JSON.
- If that JSON is written into an application with a UI, the attack may execute there.
- Microservices: be aware of every place the responses are consumed.
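An added example for the point above, not part of the deck: the same JSON API field rendered two ways by a hypothetical profile page, plus the second common sink, JSON embedded into an inline script tag for client bootstrap. The API response, field names and function names are constructed for the illustration; the encoding rules are standard HTML output encoding.

```javascript
// Added example, not from the slide deck: a JSON response is inert as JSON but
// becomes an XSS sink once a UI interpolates its fields into markup.
// The response below is constructed for the illustration (hypothetical
// GET /users/42 endpoint).
const apiResponse = JSON.stringify({
  id: 42,
  displayName: '<img src=x onerror="alert(1)">',
  bio: 'Hello</script><script>alert(2)</script>',
});

// Output encoding for the HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe rendering: API fields interpolated straight into markup, which is what
// innerHTML or a naive string template does. displayName becomes live HTML.
function renderProfileUnsafe(json) {
  const user = JSON.parse(json);
  return `<h1>${user.displayName}</h1><p>${user.bio}</p>`;
}

// Safe rendering: every API-supplied value is encoded for the HTML context.
function renderProfileSafe(json) {
  const user = JSON.parse(json);
  return `<h1>${escapeHtml(user.displayName)}</h1><p>${escapeHtml(user.bio)}</p>`;
}

// Second sink: embedding the JSON in an inline <script> block. JSON.stringify
// does not escape "</script>", so the bio field would terminate the script
// element early. Escaping the HTML-significant characters as \uXXXX keeps the
// result valid JSON (JSON.parse restores the original text) and inert in HTML.
function jsonForInlineScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Review helper: does any untrusted value survive verbatim as a tag in the output?
function rawTagSurvives(html, untrustedValues) {
  return untrustedValues.some((v) => /<[a-z]/i.test(v) && html.includes(v));
}
```

Where the API and the UI are owned by different teams (the microservices case on the slide), the encoding belongs in the consumer, since the producer cannot know which context its fields will land in. On the producer side, serving responses with Content-Type: application/json and X-Content-Type-Options: nosniff keeps a browser from interpreting the raw response body itself as HTML.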
16. Wrap-up
- Qualys can utilize existing Postman collections
- Quickly scan APIs for vulnerabilities
- API Security is important
- The OWASP API Security Top 10 is an excellent resource