Peeling the Onion
Making Sense of the Layers of API Security
Table of contents
Overview
Quick overview of APIs in general
01
API Security
Overview of API Security
02
API Security Landscape
All the parts that make up the API ecosystem
03
API Security Concerns
Items to consider when securing your API
04
Conclusion
Key Takeaways
05
Overview
01 Quick overview of APIs in general
API Security
I believe that API Security is
different enough from ‘traditional’
AppSec that it needs special
attention. I also believe that API use
is only going to grow over time.
Who’s this guy?
● Reformed programmer & AppSec Engineer
● Noname Security - Distinguished Engineer, Noname Labs
● 14 years in the OWASP community
○ OWASP DefectDojo (core maintainer)
○ OWASP AppSec Pipeline (co-leader)
○ OWASP WTE (leader)
● 22+ years using FLOSS and Linux
● Currently a Go language fanboy
● Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt)
● Founder 10Security
APIs are Simple…
Wikipedia:
An application programming interface (API) is a connection between computers or
between computer programs.
APIs are simply not Simple
● Type: XML-RPC, SOAP, REST, gRPC, GraphQL
● Data Encoding: XML, JSON, binary (protobuf, thrift, …)
● Transport: HTTP(S), HTTP/2, HTTP/3, QUIC
● Infra: Load balancer, API Gateway, Control plane
● Stakeholders
○ Product Teams
○ Developers
○ Network Admins
○ InfoSec / AppSec
○ API Gateway Admins
○ Security Operations (SOC/IR)
○ Mobile Teams
API Landscape: https://apilandscape.apiscene.io/
API Breadth and depth
Over time your APIs will grow:
● Breadth growth
More and more API endpoints get added
● Depth growth
API calls create calls to other APIs;
rinse & repeat, especially for microservices
Cardinal Directions & APIs
North/South traffic
● Traffic from the client to an API, usually
through an API gateway
● Originates outside the ‘data center’ or
VPC, i.e. external
East/West traffic
● Traffic between internal APIs, frequently
bypassing an API gateway
● Originates inside the ‘data center’ or
VPC, i.e. internal
A Better Definition of an API
From a security controls point of view, an API is really a combination of:
● Method
○ GET, POST, PUT, …
● Hostname
○ example.com
● Path
○ /v2/users/all
GET to example.com/v2/users/all != DELETE to example.com/v2/users/all
POST to uat.example.com/v2/user/admin != POST to example.com/v2/user/admin
API Security
02 Overview of API Security
These are not the APIs you’re looking for
API Security Defined
For the purposes of this talk:
API Security includes determining the state of security from
the perspectives of:
● API Security Posture
● API Runtime Security
● API Security Testing (hopefully continuous)
API Security Posture
Getting a broad, holistic view of your API landscape including:
● An inventory of every API (the security control definition)
○ Those going through an API gateway
○ Those not going through an API gateway / legacy
○ Internal APIs (east/west)
● Mapping of data going to and from the APIs
○ Classify data traversing the APIs
● Who, What, from Where
○ Who is calling the API?
○ What data are they sending/receiving?
○ Where did the call originate?
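An added example (not code from the talk) that turns the "method + hostname + path" definition above and this slide's inventory questions into working code: it builds an inventory from constructed gateway access-log lines, keys each API by its security-control identity, records who called it and classifies each call as north/south or east/west. The log format, the `INTERNAL_NETS` VPC ranges and the id-collapsing rules are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed gateway access-log sample (not from the talk):
# <client_ip> <host> <method> <path> <status>
SAMPLE_LOG = """\
203.0.113.5 example.com GET /v2/users/all 200
203.0.113.5 example.com GET /v2/users/1842 200
198.51.100.9 example.com DELETE /v2/users/all 403
10.0.0.7 uat.example.com POST /v2/user/admin 200
198.51.100.9 example.com POST /v2/user/admin 401
203.0.113.5 EXAMPLE.com get /v2/users/77?verbose=1 200
10.0.0.12 billing.internal GET /v1/invoices/9f1c2b3a-0000-4000-8000-000000000001 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Assumed address space of 'our' VPC; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

_NUMERIC = re.compile(r"^\d+$")
_UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def normalize_path(path: str) -> str:
    """Drop the query string and collapse id-like segments so that
    /v2/users/1842 and /v2/users/77 count as one endpoint."""
    path = path.split("?", 1)[0]
    segs = [("{id}" if _NUMERIC.match(s) or _UUID.match(s) else s)
            for s in path.split("/")]
    return "/".join(segs)


def api_identity(method: str, host: str, path: str) -> tuple:
    """The security-control identity of an API from the talk:
    method + hostname + path, case-normalised."""
    return (method.upper(), host.lower(), normalize_path(path))


def traffic_direction(client_ip: str) -> str:
    """Where did the call originate? Inside the VPC -> east/west, else north/south."""
    addr = ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "east/west"
    return "north/south"


def build_inventory(log_text: str) -> dict:
    """Return {identity: {'calls': n, 'callers': set, 'directions': set}}."""
    inventory = defaultdict(lambda: {"calls": 0, "callers": set(), "directions": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped here; a real tool should count these
        ip, host, method, path, _status = m.groups()
        entry = inventory[api_identity(method, host, path)]
        entry["calls"] += 1
        entry["callers"].add(ip)
        entry["directions"].add(traffic_direction(ip))
    return dict(inventory)


if __name__ == "__main__":
    for ident, info in sorted(build_inventory(SAMPLE_LOG).items()):
        print(ident, info["calls"], sorted(info["callers"]), sorted(info["directions"]))
```

Note that the GET and DELETE to `/v2/users/all`, and the POSTs to `uat.example.com` and `example.com`, land in separate inventory entries, exactly as the definition slide requires.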
API Runtime Security
Understanding the ‘normal’ operations of running APIs including:
● Watching / inspecting traffic to and from the API
○ Inline or out of band
○ Understand all types (REST, gRPC, GraphQL, …)
● Creating behavior based models of traffic for anomaly detection
○ Heuristic, ML, ‘AI’ modeling
○ Continual learning methods
● Thresholds for abnormal traffic, triggering alerts
○ Policies on sensitive or large volumes of data
○ Respond to alerts, manual, semi-auto or automatically
○ Blocking, geo-fencing, deny external traffic
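An added example (not code from the talk) of the runtime-security loop on this slide: an out-of-band monitor learns a per-endpoint baseline from constructed traffic, then raises alerts on per-client rate spikes, responses far above the learned volume, and endpoints never seen during learning, with an automatic block as the response. The event fields, thresholds and the multiplier-based baseline are assumptions; a production system would use richer models than a mean.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Event:
    ts: float         # seconds (constructed values below)
    client: str       # caller identity: source IP, API key id, subject, ...
    method: str
    path: str         # already normalised to a template such as /v2/users/{id}
    resp_bytes: int   # size of the response the API returned


class RuntimeMonitor:
    """Out-of-band monitor: learn a per-endpoint baseline from observed traffic,
    then alert on per-client rate spikes, unusually large responses and
    endpoints that were never seen during learning."""

    def __init__(self, window_s=10.0, max_req_per_window=5, volume_factor=3.0):
        self.window_s = window_s
        self.max_req = max_req_per_window
        self.volume_factor = volume_factor
        self.baseline = {}                  # (method, path) -> mean response bytes
        self.recent = defaultdict(deque)    # client -> request timestamps in window
        self.blocked = set()                # clients the automatic response cut off

    def learn(self, events):
        """Continual-learning step: (re)compute the baseline from known-good traffic."""
        sizes = defaultdict(list)
        for ev in events:
            sizes[(ev.method, ev.path)].append(ev.resp_bytes)
        for key, values in sizes.items():
            self.baseline[key] = mean(values)

    def evaluate(self, ev):
        """Return the list of alert names raised by one live event."""
        if ev.client in self.blocked:
            return ["blocked"]
        alerts = []
        window = self.recent[ev.client]
        window.append(ev.ts)
        while window and ev.ts - window[0] > self.window_s:
            window.popleft()
        if len(window) > self.max_req:
            alerts.append("rate")           # HTTP-flood style over-consumption
            self.blocked.add(ev.client)     # automatic response; could be manual/semi-auto
        key = (ev.method, ev.path)
        if key not in self.baseline:
            alerts.append("unknown-endpoint")   # drift from the inventory
        elif ev.resp_bytes > self.volume_factor * self.baseline[key]:
            alerts.append("volume")             # large-volume data policy
        return alerts


# Constructed traffic. Learning phase: normal-looking reads of one endpoint.
LEARNING = [Event(t, "203.0.113.5", "GET", "/v2/users/{id}", b)
            for t, b in zip(range(5), (400, 420, 380, 410, 390))]

# Live phase: one oversized response, one never-seen endpoint, then a burst.
LIVE = [
    Event(100.0, "203.0.113.5", "GET", "/v2/users/{id}", 5000),
    Event(101.0, "203.0.113.5", "GET", "/v2/users/{id}", 410),
    Event(101.5, "203.0.113.5", "POST", "/v2/user/admin", 120),
] + [Event(200.0 + i, "198.51.100.9", "GET", "/v2/users/{id}", 400) for i in range(7)]


def detect(learning=LEARNING, live=LIVE):
    """Learn from `learning`, then return the alert list for each event in `live`."""
    mon = RuntimeMonitor()
    mon.learn(learning)
    return [mon.evaluate(ev) for ev in live]


if __name__ == "__main__":
    for ev, alerts in zip(LIVE, detect()):
        if alerts:
            print(f"{ev.ts:7.1f} {ev.client:14} {ev.method} {ev.path}: {', '.join(alerts)}")
```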
API Testing
Assess the security state of a running API
● DAST not SAST
○ SAST isn’t API specific so out of scope
○ Bonus points for continuous or CI/CD friendly
● Understand the API’s available methods
○ Swagger/OpenAPI spec files
○ Recorded traffic (http or other)
○ Automatic understanding based on traffic +1
● Forwarding results to the right people
○ Issue tracker integrations e.g. Jira
○ Ability to see vulnerable requests/responses
○ Ability to re-test a specific issue
API Security Landscape
03 All the parts that make up the API ecosystem
All the world’s a stage, and all the men and women merely players
API stakeholders: Wait, what?
Setting the stage
Breaking down the landscape
WAF Stakeholders: Network Ops, AppSec, Product Teams, …
Web App Stakeholders: Product Teams, AppSec, Marketing, …
Mobile App Stakeholders: Mobile & Product Teams, AppSec, …
Breaking down the landscape
IdP Stakeholders: Identity and Access, AppSec, InfoSec, …
API Gateway Stakeholders: Gateway Admins, Product, AppSec, …
APIs Stakeholders: Product Teams, AppSec, Marketing, …
Breaking down the landscape
Cloud Stakeholders: Cloud Team, Product, AppSec, Finance, …
SOC Stakeholders: IR Team, Product Team, InfoSec / AppSec, …
API Security Concerns
04 Items to consider when securing your API
API Security is like an onion,
Lots of layers
Attack Classes
DDOS - Distributed Denial Of Service
● Network DDOS
○ Traditional flood of traffic
○ Controls are fairly standardized
● HTTP Flood
○ Uses HTTP methods (GET, POST, …)
○ Mirrors legit traffic
○ Single client/customer ‘over consuming’
● Application DOS
○ Consumption attacks (CPU, RAM, …)
○ Can be single or few requests
○ Lack of pagination
Perspectives: Posture, Runtime, Testing
Attack Classes
Data breach / leak attacks
● Internal services made public
○ Misconfiguration / Lack of API Gateway
○ Lack of Policy enforcement
● Excessive data exposure
○ Verbose API responses
○ Return full data objects, clients ‘filter’
○ Injection attacks
● Auth-n and Auth-Z weakness
○ Allows account/token takeover
○ BOLA - Client can request others’ data
Perspectives: Posture, Runtime, Testing
Attack Classes
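An added example (not code from the talk) showing, as plain Python handlers returning `(status, body)`, the anti-patterns from the last two slides beside their hardened forms: unbounded listing (the "lack of pagination" consumption attack), full data objects that clients are expected to filter (excessive data exposure), and a per-id read with no object-level check (BOLA). The user store, field allow-lists and `MAX_PAGE` are constructed assumptions.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    id: int
    name: str
    email: str
    password_hash: str
    ssn: str


# Constructed user store; the secrets are placeholders, not real values.
USERS = {
    1: User(1, "Ann", "ann@example.com", "<hash-1>", "000-00-0001"),
    2: User(2, "Bob", "bob@example.com", "<hash-2>", "000-00-0002"),
    3: User(3, "Cid", "cid@example.com", "<hash-3>", "000-00-0003"),
}

MAX_PAGE = 50                          # hard cap regardless of what the client asks for
PUBLIC_FIELDS = ("id", "name")         # what anyone may see about a user
OWN_FIELDS = ("id", "name", "email")   # what a user may see about themselves


def project(user, fields):
    """Response-schema allow-list: only the named fields leave the service."""
    return {f: getattr(user, f) for f in fields}


# --- the anti-patterns from the slides -----------------------------------
def list_users_vulnerable():
    """Every record, every field, no paging: clients are expected to 'filter'.
    One request costs CPU/RAM proportional to the whole table (application DoS)
    and ships password hashes and SSNs to every caller (excessive exposure)."""
    return 200, [asdict(u) for u in USERS.values()]


def get_user_vulnerable(user_id):
    """Any caller can read any user by id: Broken Object Level Authorization."""
    user = USERS.get(user_id)
    return (200, asdict(user)) if user else (404, {"error": "not found"})


# --- hardened handlers ----------------------------------------------------
def list_users(limit=20, offset=0):
    """Paged listing with a server-side cap and a public-field projection."""
    if not (1 <= limit <= MAX_PAGE) or offset < 0:
        return 400, {"error": f"limit must be 1..{MAX_PAGE}, offset >= 0"}
    ids = sorted(USERS)[offset:offset + limit]
    nxt = offset + limit if offset + limit < len(USERS) else None
    return 200, {"items": [project(USERS[i], PUBLIC_FIELDS) for i in ids],
                 "next_offset": nxt}


def get_user(caller_id, user_id):
    """Object-level authorization: a caller may only read their own record."""
    user = USERS.get(user_id)
    # A missing record and someone else's record get the same answer, so the
    # endpoint does not confirm which ids exist.
    if user is None or user.id != caller_id:
        return 404, {"error": "not found"}
    return 200, project(user, OWN_FIELDS)


if __name__ == "__main__":
    print("vulnerable list leaks:", sorted(list_users_vulnerable()[1][0]))
    print("hardened page 1:", list_users(limit=2))
    print("caller 1 reading user 2:", get_user(1, 2))
```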
Abuse of Functionality
● Business Logic Flaws
○ Normal use-case, unintended use
○ Attackers use your API for their purpose
○ Automatic testing won’t find these
● Examples
○ Spamming using your API
○ Denial of Inventory - products in a cart
○ Carding - validate stolen card data
○ Ad Fraud / Evil SEO
● See “OWASP Automated Threat Handbook”
Perspectives: Posture, Runtime, Testing
OWASP API Top 10
Risk (with Posture / Runtime / Testing columns; the per-risk marks were in the slide graphic)
01: Broken Object Level Authorization
02: Broken User Authentication
03: Excessive Data Exposure
04: Lack of Resource & Rate Limiting
05: Broken Function Level Authorization
06: Mass Assignment
07: Security Misconfiguration
08: Injection
09: Improper Assets Management
10: Insufficient Logging & Monitoring
Conclusion
05 Key Takeaways
API stakeholder Soup (around the onion)
● Product Team
● AppSec
● Network Ops
● Mobile Team
● InfoSec
● IAM Team
Key Takeaways
Complexity
APIs seem simple on the surface but quickly become
complex collections of systems with many moving parts
Perspectives
API security has many perspectives which need to be taken
into account when evaluating an API security program
Coordination
Beyond the multiple IT systems, secure APIs require tight
coordination between many different teams
Multifaceted
Protecting APIs includes evaluation from the perspective of
security posture, runtime security and testing
CREDITS: This presentation template
was created by Slidesgo, including
icons by Flaticon and infographics &
images by Freepik
THANKS!
Do you have any questions?
matt.tesauro@owasp.org
https://www.linkedin.com/in/matttesauro/
@matt_tesauro
