Securing an API World
TOP 5 OF POCS ISSUES
ISABELLE MAUNY
ISABELLE@42CRUNCH.COM
WHAT’S IN A PLATFORM?
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
Design: the developer initiates security work at design time. Best practices and recommendations are documented.
Develop: the developer documents the API contract with OpenAPI/Swagger. API contract security is audited from your IDE using the 42Crunch plugin.
Integrate & Test: API contract quality is enforced via the CI/CD pipeline. Builds are blocked when the minimal security requirements defined by security teams are not met. The API implementation is tested via Conformance Scan.
Deploy & Protect: the API Firewall is automatically configured from the OAS file and deployed in line of traffic. The firewall can protect APIs deployed in containers (such as Docker or Kubernetes) or as a reverse proxy in front of API Gateways.
OPENAPI SECURITY AUDITING
DEVELOPERS INITIATE SECURITY AT DESIGN TIME
• Developers describe the API contract in a language they know
• Audit is available from IDEs and CI/CD pipelines
• Actionable report with zero false positives
Key Benefits
• Instant visibility into API security status
• Governance of corporate security standards
• Required security is declared instead of developed/maintained manually across multiple tools/environments
The 42C Audit service performs 200+ security checks.
SAMPLE REPORT
SOME STATISTICS!
More than 3000 OpenAPI/Swagger files tested in POCs!
20% of OAS files are invalid
✓ Structural and semantic issues
✓ Not spec compliant
Average score is 25
✓ Lowest score was 1
✓ Highest score was 70
SECURITY SECTION DEFINITION
Lack of security definition
✓ There is security but it is not defined in the OAS file
✓ Security is defined but not applied at API or operation level
Access control mainly via API key or similar
✓ JWT used as access token (no OAuth)
✓ Long-lived API keys
HMAC-based signatures on the rise!
✓ Each request is signed with a symmetric/asymmetric key.
✓ Not possible to describe with OAS today, but we are working on it. Vote/comment at https://github.com/OAI/OpenAPI-Specification/issues/1953 if you’re interested!
WHY THIS MATTERS…
API key vs. OAuth: make an informed decision
✓ How sensitive is your API?
✓ What would be the damage if the API key is lost, found in an app or log, or stolen via a MITM attack?
✓ How much does the API key give access to?
✓ Would a short-lived access token be better suited to the risk?
If you’re adopting OAuth now, remember that authorization_code with PKCE is the grant type you want to use in 95% of cases!
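To make the PKCE recommendation concrete, here is an added example (not 42Crunch code, not from the deck) of what PKCE adds to the authorization_code grant per RFC 7636 with the S256 method: the client derives a verifier/challenge pair, only the challenge travels in the front-channel request, and the token endpoint recomputes the challenge when the code is redeemed. The endpoint URL, client id and redirect URI are hypothetical values.

```python
# Added example, not 42Crunch code: PKCE (RFC 7636, S256) for the authorization_code grant.
# Client side derives the pair; the token endpoint verifies it when the code is redeemed.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars, the RFC minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                      scope: str, state: str, challenge: str) -> str:
    """Front-channel request: only the challenge travels; the verifier stays with the client."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: an intercepted authorization code alone cannot pass it."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    # Hypothetical endpoint and client values, for illustration only.
    print(authorization_url("https://as.example/authorize", "my-spa", "https://app.example/cb",
                            "read:users", secrets.token_urlsafe(16), challenge))
    print(verify_pkce(challenge, verifier), verify_pkce(challenge, verifier[:-1] + "x"))
```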
DATA CONSTRAINTS
Data is poorly constrained
✓ Unbounded array sizes
✓ Undefined strings
✓ Unbounded numbers
Why this matters
✓ Data leakage (API3)
✓ Overflow protection (API4)
✓ Injection protection (API8)
Base for input/output validation!
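The three gaps above are mechanical to find. The following added example (not 42Crunch code, and not the audit service's own logic) walks the schemas of an OpenAPI 3 document and reports every unbounded array, unconstrained string and unbounded number; both OAS fragments are constructed samples, the second being the first with every value bounded.

```python
# Added example, not 42Crunch code: audit an OpenAPI 3 document for the three
# constraint gaps listed above. Both OAS fragments are constructed samples.

# Loosely specified model, as commonly seen in audited OAS files.
WEAK_OAS = {
    "openapi": "3.0.0",
    "components": {"schemas": {
        "User": {
            "type": "object",
            "properties": {
                "name": {"type": "string"},                              # no maxLength/pattern
                "age": {"type": "integer"},                              # no minimum/maximum
                "tags": {"type": "array", "items": {"type": "string"}},  # no maxItems
            },
        },
    }},
}

# The same model with every value bounded: the base for input/output validation.
STRICT_OAS = {
    "openapi": "3.0.0",
    "components": {"schemas": {
        "User": {
            "type": "object",
            "additionalProperties": False,
            "properties": {
                "name": {"type": "string", "maxLength": 64, "pattern": "^[A-Za-z .'-]+$"},
                "age": {"type": "integer", "minimum": 0, "maximum": 150},
                "tags": {"type": "array", "maxItems": 10,
                         "items": {"type": "string", "maxLength": 32, "pattern": "^[a-z0-9-]+$"}},
            },
        },
    }},
}


def _walk(schema: dict, path: str, findings: list) -> None:
    """Inspect one schema node (and its children), recording unbounded definitions."""
    t = schema.get("type")
    if t == "string" and "enum" not in schema:
        missing = [k for k in ("maxLength", "pattern") if k not in schema]
        if missing:
            findings.append((path, "undefined string: missing " + "/".join(missing)))
    if t in ("integer", "number"):
        missing = [k for k in ("minimum", "maximum") if k not in schema]
        if missing:
            findings.append((path, "unbounded number: missing " + "/".join(missing)))
    if t == "array":
        if "maxItems" not in schema:
            findings.append((path, "unbounded array: missing maxItems"))
        _walk(schema.get("items", {}), path + "/items", findings)
    for name, prop in schema.get("properties", {}).items():
        _walk(prop, f"{path}/properties/{name}", findings)


def audit_constraints(oas: dict) -> list:
    """Return (schema path, issue) pairs for every unbounded definition in the document."""
    findings: list = []
    for name, schema in oas.get("components", {}).get("schemas", {}).items():
        _walk(schema, f"#/components/schemas/{name}", findings)
    return findings


if __name__ == "__main__":
    for path, issue in audit_constraints(WEAK_OAS):
        print(f"{path}: {issue}")
    print("findings in STRICT_OAS:", len(audit_constraints(STRICT_OAS)))
```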
BUT YOU KNOW THE DATA!
WHAT ABOUT THIS INSTEAD?
OUR APIS NEVER FAIL!! (AND THEY DON’T RETURN DATA…)
OTHER COMMON ISSUES FOUND BY AUDIT
RESPONSES MATTER!
Which responses are you going to return?
✓ API3: Data leakage and exception leakage
Which error codes are valid? Do you control them?
✓ Do you have tests that can trigger any of those codes?
Take ownership of your schemas!
✓ Are they strict enough?
✓ Where do you validate against them?
✓ Are you sure you are doing that systematically?
DEMO: SCHEMA VALIDATOR
Demo at: https://www.jsonschemavalidator.net
BUT SO DO REQUESTS!
Schemas on requests need to be strict as well
Prevents Mass Assignment issues (API6)
Recommendation: one size does not fit all. Create different APIs per client type/consuming pattern.
✓ Security (do not expose unwanted data)
✓ Performance (reduce network traffic)
SECURITY TEAMS DETECT POTENTIAL ISSUES EARLY
42Crunch conformance scan detects misconfigurations and API vulnerabilities.
• API implementation is scanned from the API contract
• Ensures conformance to the API contract
• Detects misconfigurations and misbehaviors
Key Benefits
• Early detection of data or exception leakage
• Continuous scans for API vulnerabilities
SAMPLE REPORT
COMMON CONFORMANCE SCAN ISSUES
Unknown error message types
✓ Bad data triggers unknown response types (text/html, for example)
Unknown response codes
✓ Bad data triggers undocumented responses
Responses do not conform to schemas
✓ Schemas are not aligned to responses
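The strict request schemas of the "But so do requests" slide and the three conformance-scan findings above share one mechanism: validating a message against the contract. This added example (not 42Crunch code, and not how the conformance scan is implemented) uses a small JSON-Schema-subset validator both ways: a request carrying an undeclared field such as "role" is rejected (the mass-assignment case), and a response is checked for an undocumented status code, an undocumented media type, or a body that does not match its schema. The CREATE_USER contract and the sample messages are constructed.

```python
# Added example, not 42Crunch code: one validator for strict request schemas and
# response conformance. Contract and messages below are constructed samples.
import re

CREATE_USER = {
    "requestBody": {
        "type": "object", "additionalProperties": False, "required": ["name"],
        "properties": {"name": {"type": "string", "maxLength": 64, "pattern": "^[A-Za-z .'-]+$"}},
    },
    "responses": {  # only these code/media-type pairs are documented
        "201": {"application/json": {
            "type": "object", "additionalProperties": False, "required": ["id", "name"],
            "properties": {"id": {"type": "integer", "minimum": 1},
                           "name": {"type": "string", "maxLength": 64}}}},
        "400": {"application/json": {
            "type": "object", "additionalProperties": False, "required": ["message"],
            "properties": {"message": {"type": "string", "maxLength": 200}}}},
    },
}


def validate(instance, schema: dict, path: str = "$") -> list:
    """Check instance against a JSON-Schema subset; return violations (empty = conforms)."""
    errors: list = []
    t = schema.get("type")
    if t == "object":
        if not isinstance(instance, dict):
            return [f"{path}: expected object"]
        props = schema.get("properties", {})
        for req in schema.get("required", []):
            if req not in instance:
                errors.append(f"{path}: missing required property '{req}'")
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: undeclared property '{key}'")  # mass-assignment guard
    elif t == "array":
        if not isinstance(instance, list):
            return [f"{path}: expected array"]
        if "maxItems" in schema and len(instance) > schema["maxItems"]:
            errors.append(f"{path}: more than {schema['maxItems']} items")
        for i, item in enumerate(instance):
            errors += validate(item, schema.get("items", {}), f"{path}[{i}]")
    elif t == "string":
        if not isinstance(instance, str):
            return [f"{path}: expected string"]
        if "maxLength" in schema and len(instance) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
        if "pattern" in schema and not re.search(schema["pattern"], instance):
            errors.append(f"{path}: does not match pattern")
    elif t == "integer":
        if isinstance(instance, bool) or not isinstance(instance, int):
            return [f"{path}: expected integer"]
        if "minimum" in schema and instance < schema["minimum"]:
            errors.append(f"{path}: below minimum")
        if "maximum" in schema and instance > schema["maximum"]:
            errors.append(f"{path}: above maximum")
    return errors


def check_request(body) -> list:
    """Reject anything the request schema does not declare."""
    return validate(body, CREATE_USER["requestBody"])


def check_response(status: int, content_type: str, body) -> list:
    """The three scan findings: unknown code, unknown media type, schema mismatch."""
    documented = CREATE_USER["responses"].get(str(status))
    if documented is None:
        return [f"undocumented response code {status}"]
    schema = documented.get(content_type.split(";")[0].strip().lower())
    if schema is None:
        return [f"undocumented media type '{content_type}' for {status}"]
    return validate(body, schema)


if __name__ == "__main__":
    print(check_request({"name": "Ada", "role": "admin"}))          # mass assignment attempt
    print(check_response(500, "text/html", "<pre>Traceback</pre>"))  # leaked exception page
    print(check_response(201, "application/json", {"id": 7, "name": "Ada", "password_hash": "x"}))
```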
BUT THE GOOD NEWS IS…
OPENAPI INITIATIVE
OpenAPI Specification (formerly Swagger Specification) is an API description format for REST APIs. An OpenAPI file allows you to describe your entire API, including: available endpoints (/users) and operations on each endpoint (GET /users, POST /users).
• Web application security is painful because security is not handled from the beginning
• Developers cannot define how the web application is built and designed
• After 20 years of R&D, detection and protection tools have to use AI to understand how the web application works...
=> Now we have a worldwide accepted and used API standard: OpenAPI Specification
=> We build a whitelist based on OAS
OPEN API = POSITIVE SECURITY MODEL
SECURITY REQUIRES GOVERNANCE!
• OpenAPI is the perfect format to represent the interface of your APIs
• Make sure it truly represents what the API does
• Use our unique Audit functionality to evaluate the completeness of your API contracts
Start evaluating today from apisecurity.io or using our VSCode IDE extension.
STRENGTHEN YOUR API CONTRACTS!
CONTACT US: INFO@42CRUNCH.COM
Securing an API World
Start testing your APIs today on apisecurity.io!
42CRUNCH RESOURCES
• 42Crunch Website
• Free OAS Security Audit
• OpenAPI VS Code Extension
• OpenAPI Spec Encyclopedia
• OWASP API Security Top 10
• APIsecurity.io

Top API Security Issues Found During POCs
