Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved
moesif
Top API Security Threats Teams Should Know
And Ways to Mitigate Them
Who am I?
● Co-founder and CEO of Moesif, the API analytics platform
● Focus on API strategy, security, and observability
● I love IPAs!
derric@moesif.com
APIs are super powerful!
A developer using your API gets:
● Programmatic Access
● Direct Access to Data
● Large Resource Limits
1. Insecure Pagination and Resource Limits
API pagination is a common attack vector for scraping data from an API.
A data leak can occur even when no direct PII is returned, because the scraped data feeds other attack vectors like rainbow tables and dictionary attacks.
First Call: GET /items?skip=0&take=10
Second Call: GET /items?skip=10&take=10
1. Insecure Pagination and Resource Limits
Artificial limits on pagination provide very little protection.
They only make your API “chatty”:
● Delays can circumvent rate limits
● Randomness bypasses some detectors
1. Insecure Pagination and Resource Limits
Monitor for anomalous behaviors such as “large number of items touched within a time period” at the user level.
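The user-level check described on this slide, as an added example that is not part of the original deck: it counts distinct items a user has touched inside a sliding window rather than requests per second, so the slow, randomly spaced crawl from the previous slide still trips it. The log format and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed edge access-log lines (format is an assumption): timestamp, user id, method, path.
# u1 walks /items page by page with irregular gaps, u2 reads two pages, u3 re-reads one page.
SAMPLE_LOG = """\
2021-07-01T10:00:00Z user=u1 GET /items?skip=0&take=10
2021-07-01T10:00:03Z user=u2 GET /items?skip=0&take=10
2021-07-01T10:00:05Z user=u3 GET /items?skip=0&take=10
2021-07-01T10:00:41Z user=u1 GET /items?skip=10&take=10
2021-07-01T10:01:10Z user=u3 GET /items?skip=0&take=10
2021-07-01T10:02:05Z user=u1 GET /items?skip=20&take=10
2021-07-01T10:02:40Z user=u3 GET /items?skip=0&take=10
2021-07-01T10:03:58Z user=u1 GET /items?skip=30&take=10
2021-07-01T10:04:30Z user=u2 GET /items?skip=10&take=10
2021-07-01T10:05:12Z user=u1 GET /items?skip=40&take=10
2021-07-01T10:06:00Z user=u3 GET /items?skip=0&take=10
2021-07-01T10:07:33Z user=u3 GET /items?skip=0&take=10
2021-07-01T10:08:47Z user=u1 GET /items?skip=50&take=10
2021-07-01T10:09:02Z user=u1 GET /health
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, user, skip, take) for one log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        params = parse_qs(urlsplit(m.group(4)).query)
        skip = int(params.get("skip", ["0"])[0])
        take = int(params.get("take", ["0"])[0])
    except ValueError:
        return None
    if skip < 0 or take < 0:
        return None
    return ts, m.group(2), skip, take


def detect_scrapers(log_text, window=timedelta(minutes=10), max_items=50):
    """Flag users who touch more than max_items distinct items inside any sliding window.

    Counting distinct items per user (not requests per second) is what keeps the
    slow-and-random crawl visible: spreading requests out does not shrink the set
    of items the user has pulled within the window.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, range of item offsets)
    flagged = {}                  # user -> (first time flagged, distinct items at that point)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, skip, take = parsed
        q = recent[user]
        q.append((ts, range(skip, skip + take)))
        while q and ts - q[0][0] > window:   # drop requests that fell out of the window
            q.popleft()
        touched = set()
        for _, offsets in q:
            touched.update(offsets)          # union of offsets = distinct items touched
        if len(touched) > max_items and user not in flagged:
            flagged[user] = (ts, len(touched))
    return flagged


if __name__ == "__main__":
    for user, (ts, count) in detect_scrapers(SAMPLE_LOG).items():
        print(f"{user}: {count} distinct items in window, first flagged at {ts.isoformat()}Z")
```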
2. Insecure API Key Generation
● Many API anomaly detection systems leverage some form of request fingerprinting from IP address, User Agent, etc.
● Hackers leverage large pools of API keys and connected devices to circumvent some of these protections, appearing to come from different devices and looking like different users.
2. Fix Insecure API Key Generation
Prevent users from generating unlimited API keys programmatically.
Sign-up and key creation should be limited:
● SAML/SSO
● OAuth1/2
● Captcha/2FA
3. Increased Risk of Key Exposure
● APIs are expected to be accessed over indefinite time periods
● Users of APIs directly touch keys, such as pasting them into Postman
● API keys are bearer tokens that require no other evidence
3. Reduce Risk of Key Exposure
1. Short-lived API keys that can be “refreshed”
2. Leverage environment variables or a secure keystore
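One way to implement item 1, as an added example that is not code from the deck or from Moesif: keys are HMAC-signed claims with an expiry, a refresh exchanges a key that is still valid or only recently expired for a new one and revokes the old one, and a revocation list gives the deactivation that a bearer token otherwise lacks. The key format, grace period and the in-memory revocation set are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing secret. In production it comes from an environment variable or a
# secure keystore (item 2 above), never from source code or a pasted request.
SERVER_SECRET = secrets.token_bytes(32)

# Key ids ("jti") that have been deactivated; a real service would persist this set.
REVOKED_IDS = set()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_key(subject, ttl_seconds, now=None, secret=SERVER_SECRET):
    """Mint a short-lived key: base64(claims) '.' base64(HMAC-SHA256(claims))."""
    now = int(time.time() if now is None else now)
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def _signed_claims(key, secret):
    """Decode a key and return its claims only if the HMAC checks out; otherwise None."""
    try:
        payload_b64, sig_b64 = key.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):   # constant-time compare
            return None
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    return claims if isinstance(claims, dict) else None


def verify_key(key, now=None, secret=SERVER_SECRET):
    """Return the claims if the key is authentic, unexpired and not revoked; else None."""
    claims = _signed_claims(key, secret)
    if claims is None:
        return None
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0) or claims.get("jti") in REVOKED_IDS:
        return None
    return claims


def refresh_key(key, ttl_seconds, now=None, grace_seconds=300, secret=SERVER_SECRET):
    """Exchange a valid key, or one expired less than grace_seconds ago, for a fresh one.

    The old key is revoked so a leaked copy cannot be refreshed a second time.
    """
    now = time.time() if now is None else now
    claims = verify_key(key, now=now - grace_seconds, secret=secret)
    if claims is None:
        return None
    REVOKED_IDS.add(claims["jti"])
    return issue_key(claims["sub"], ttl_seconds, now=now, secret=secret)


def revoke_key(key, secret=SERVER_SECRET):
    """Deactivate an authentic key immediately, whatever its remaining lifetime."""
    claims = _signed_claims(key, secret)
    if claims is None:
        return False
    REVOKED_IDS.add(claims["jti"])
    return True
```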
4. Exposure to DDoS/Availability Issues
● APIs are by definition consumed programmatically, so all traffic looks like bot traffic
● This limits traditional DDoS prevention mechanisms like Captchas
● A real customer could inadvertently bring down your API
4. Reduce Exposure to DDoS/Availability
Rate limits are the API equivalent of Captchas:
● Resource-specific limits
● User-specific limits
● Deactivate an abuser
● Easy to inspect
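The four properties above in one limiter, as an added example that is not code from the deck or from Moesif: budgets are keyed per user and per resource, repeated over-limit requests deactivate the user, and an inspect view shows an operator the current window. A tight per-resource budget on key creation is also the cap that slide 8 asks for. The window, limits and strike policy are assumptions chosen for the example.

```python
from collections import defaultdict, deque


class ApiRateLimiter:
    """Sliding-window limiter keyed by (user, resource), with strike-based deactivation.

    Limits are per user so one noisy customer cannot exhaust capacity for everyone,
    and per resource so sensitive or expensive operations (key creation, bulk export)
    get a tighter budget than cheap reads.
    """

    def __init__(self, default_limit, resource_limits=None, window_seconds=60, max_strikes=3):
        self.default_limit = default_limit
        self.resource_limits = dict(resource_limits or {})   # e.g. {"POST /api_keys": 1}
        self.window = window_seconds
        self.max_strikes = max_strikes
        self.events = defaultdict(deque)     # (user, resource) -> timestamps of admitted requests
        self.strikes = defaultdict(int)      # user -> consecutive over-limit rejections
        self.deactivated = set()

    def limit_for(self, resource):
        return self.resource_limits.get(resource, self.default_limit)

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # forget requests older than the window
            q.popleft()
        return q

    def check(self, user, resource, now):
        """Admit or reject one request. Returns (allowed, reason)."""
        if user in self.deactivated:
            return False, "deactivated"
        q = self._prune((user, resource), now)
        if len(q) >= self.limit_for(resource):
            self.strikes[user] += 1
            if self.strikes[user] >= self.max_strikes:
                self.deactivate(user)
                return False, "deactivated"
            return False, "rate_limited"
        self.strikes[user] = 0          # a request within budget clears the strike counter
        q.append(now)
        return True, "ok"

    def deactivate(self, user):
        """Cut an abuser off entirely; reactivation is a deliberate operator action."""
        self.deactivated.add(user)

    def reactivate(self, user):
        self.deactivated.discard(user)
        self.strikes[user] = 0

    def inspect(self, user, now):
        """Operator view: admitted requests in the current window per resource, plus status."""
        usage = {}
        for (u, resource) in list(self.events):
            if u == user:
                usage[resource] = len(self._prune((u, resource), now))
        return {"user": user, "deactivated": user in self.deactivated,
                "strikes": self.strikes[user], "usage": usage}
```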
5. Fix Incorrect Server Security
● Leverage good server hygiene
● Keep SSL certificates updated and secure
● Block non-HTTPS traffic (close port 80 and unused ports)
● Audit security headers like Cross-Origin Resource Sharing (CORS) and error messages
6. Incorrect Cache Headers
● Caching servers cannot understand nonstandard headers used by many APIs like X-API-Key, X-Custom-Key, etc.
● Even if you don’t cache, your customers may cache due to:
○ Exceeding rate limits
○ Connection limits or bandwidth cost
○ Reducing round-trip latency
6. Fix Incorrect Cache Headers
● Ensure Cache-Control headers are properly configured
● Unless your API requires caching, disable it by overriding the Cache-Control header in your gateway. Or set the Vary header.
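An audit plus both fixes from this slide, as an added example that is not code from the deck or from Moesif: the audit flags a response to a credentialed request that a cache could serve to another caller, the first fix is the gateway override that disables caching, and the second adds the credential header to Vary for APIs that do need caching. Header dictionaries stand in for the gateway's request/response objects; the list of credential headers is an assumption built from the ones the slide names.

```python
# Credential-bearing request headers. Caches special-case Authorization, but they have
# no idea that nonstandard headers such as X-API-Key or X-Custom-Key identify a user.
CREDENTIAL_HEADERS = ("authorization", "x-api-key", "x-custom-key")


def _directives(value):
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def audit_cache_headers(request_headers, response_headers):
    """Return findings for a response to a credentialed request that a cache could reuse."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    creds = [h for h in CREDENTIAL_HEADERS if h in req]
    if not creds:
        return []                                   # anonymous traffic is out of scope here
    cc = _directives(res.get("cache-control", ""))
    vary = _directives(res.get("vary", ""))
    findings = []
    if not cc & {"no-store", "private"}:
        findings.append("Cache-Control lets shared caches store a per-user response")
    if "no-store" not in cc and "*" not in vary:
        missing = [h for h in creds if h not in vary]
        if missing:
            findings.append("Vary does not name the credential header(s): " + ", ".join(missing))
    return findings


def enforce_no_cache(response_headers):
    """Gateway-style override: drop whatever caching headers the backend set and disable caching."""
    fixed = {k: v for k, v in response_headers.items()
             if k.lower() not in ("cache-control", "expires", "pragma")}
    fixed["Cache-Control"] = "no-store, no-cache, must-revalidate, private"
    fixed["Pragma"] = "no-cache"
    fixed["Expires"] = "0"
    return fixed


def vary_on_credentials(response_headers, request_headers):
    """When caching is genuinely needed: make caches key each response on the credential header."""
    fixed = dict(response_headers)
    vary_key = next((k for k in fixed if k.lower() == "vary"), "Vary")
    values = [v.strip() for v in fixed.get(vary_key, "").split(",") if v.strip()]
    present = {v.lower() for v in values}
    for name in request_headers:
        if name.lower() in CREDENTIAL_HEADERS and name.lower() not in present:
            values.append(name)
            present.add(name.lower())
    fixed[vary_key] = ", ".join(values)
    return fixed
```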
7. Insufficient Logging & Monitoring
● Insufficient monitoring is on the new OWASP API Security Top 10 list
● Logging only internal execution logs can hide unauthorized access errors, caching errors, etc.
● The average time to detect a breach is over 200 days!
7. Fix Insufficient Logging & Monitoring
● Leverage a modern API management and API observability stack to automatically track access logs at the edge, recording:
○ What was accessed
○ Who accessed it
8. Insecure Dependencies and 3rd Party Vendors
● API-driven applications are becoming inherently complex and depend on many other APIs such as internal logging systems, external APM, etc.
● Features like encryption-at-rest don’t protect against insecure cloud applications. Very few attacks involve physical access to storage media.
● Third-party vendors may have unreported vulnerabilities, while internal applications may have insecure or noncompliant access control.
8. Secure Dependencies and 3rd Party Vendors
● Leverage zero-knowledge security using features like client-side encryption and Bring Your Own Key (BYOK).
● This means not even the vendor can access your data.
● Modern SaaS vendors can handle encryption on the fly with a stateless design, reducing in-house maintenance vs typical on-premises.
9. Not securing internal endpoints
● Many APIs have endpoints used both by external users and by internal services (i.e. service users)
● If inadvertently left open, these can provide a large attack surface
● Internal endpoints often bypass the usual checks
9. Secure internal endpoints
● Just like you wouldn’t share the same root password with every employee, internal services require secure access as if they were an external customer:
○ Audit-friendly
○ Individual RBAC
○ Ability to deactivate
○ Short-lived tokens
API threats are real but can be prevented with the right mindset
Lastly, some abuse is unintentional. Let them know.
API Analytics
apidays LIVE New York 2021 - Top 10 API security threats every API team should know by Derric Gilling, Moesif

  • 1. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved moesif Top API Security Threats Teams Should Know And Ways to Mitigate Them
  • 2. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved Who am I? ● Co-founder and CEO of Moesif, the API analytics platform ● Focus on API strategy, security, and observability ● I love IPAs! derric@moesif.com
  • 3. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved APIs are super powerful! Developer using your API Programmatic Access Direct Access to Data Large Resource Limits
  • 4. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved 1. Insecure Pagination and Resource Limits API pagination is a common attack vector for scraping data from an API. Data leak can occur even if no direct PII, but due to other attack vectors like rainbow tables and dictionary attacks First Call: GET /items?skip=0&take=10 Second Call: GET /items?skip=10&take=10
  • 5. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved 1. Insecure Pagination and Resource Limits Artificial limits on pagination like provide very little in protection. They only make your API “chatty” ● Delays can circumvent rate limits ● Randomness bypasses some detectors
  • 6. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved 1. Insecure Pagination and Resource Limits Monitor for anomalous behaviors such as “large number of items touched within a time period” at user level.
  • 7. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved 2. Insecure API Key Generation ● Many API anomaly detection systems leverage some form of request fingerprinting from IP address, User Agent, etc. ● Hackers leverage large pools of API keys and connected devices to circumvent some of these protections to appear from different devices and look like different users.
  • 8. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved 2. Fix Insecure API Key Generation Prevent users from generating unlimited API keys programmatically. Sign up and key creation should be limited. SAML/SSO OAuth1/2 Captcha/2FA
  • 9. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved 3. Increased Risk of Key Exposure ● APIs are expected to be accessed over indefinite time periods ● Users of APIs directly touch keys such as to paste into Postman ● API keys are bearer tokens not requiring any other evidence
  • 10. 3. Reduce Risk of Key Exposure
       1. Short-lived API keys that can be “refreshed”
       2. Leverage environment variables or a secure keystore
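Slides 8 and 10 together describe a key lifecycle: a cap on how many keys an account may create, keys that expire unless refreshed, and keys the server never stores in the clear. The following is an added example (not Moesif's code) of such a key store; the cap of five live keys, the 24-hour TTL, the "mk_" prefix and the injected clock are assumptions.

```python
"""API key issuance with a per-account cap, hashed storage, short TTL and refresh (added example)."""
import hashlib
import secrets
import time

MAX_KEYS_PER_ACCOUNT = 5      # assumed policy: cap on live keys per account
KEY_TTL_SECONDS = 24 * 3600   # assumed policy: keys expire unless refreshed


def _fingerprint(key):
    """Only this hash is persisted; the raw key is shown to the user once."""
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}    # sha256(key) -> {"account", "expires_at", "revoked"}

    def _is_live(self, rec):
        return not rec["revoked"] and rec["expires_at"] > self._clock()

    def live_key_count(self, account):
        return sum(1 for r in self._records.values()
                   if r["account"] == account and self._is_live(r))

    def issue(self, account):
        """Mint a key; refuse once the account already holds the maximum."""
        if self.live_key_count(account) >= MAX_KEYS_PER_ACCOUNT:
            raise PermissionError("key cap reached for account %s" % account)
        key = "mk_" + secrets.token_urlsafe(32)      # 'mk_' prefix is an assumed convention
        self._records[_fingerprint(key)] = {
            "account": account,
            "expires_at": self._clock() + KEY_TTL_SECONDS,
            "revoked": False,
        }
        return key

    def authenticate(self, key):
        """Return the owning account for a live key, else None."""
        rec = self._records.get(_fingerprint(key))
        return rec["account"] if rec and self._is_live(rec) else None

    def refresh(self, key):
        """Rotate a still-live key: revoke it and hand back a fresh one."""
        account = self.authenticate(key)
        if account is None:
            raise PermissionError("cannot refresh an expired, revoked or unknown key")
        self._records[_fingerprint(key)]["revoked"] = True   # free the slot before re-issuing
        return self.issue(account)

    def revoke(self, key):
        rec = self._records.get(_fingerprint(key))
        if rec:
            rec["revoked"] = True
```

Refreshing revokes the old key first so the cap counts only live keys, and an expired key cannot be refreshed, which forces a fresh login (SSO, 2FA) rather than letting a leaked key renew itself forever.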
  • 11. 4. Exposure to DDoS/Availability Issues
       ● APIs are by definition consumed programmatically, so all traffic looks like bot traffic
       ● This limits traditional DDoS prevention mechanisms like Captchas
       ● A real customer could inadvertently bring down your API
  • 12. 4. Reduce Exposure to DDoS/Availability
       Rate limits are the API equivalent of Captchas: Resource-Specific Limits, User-Specific Limits, Deactivate an Abuser, Easy to Inspect
  • 13. 4. Reduce Exposure to DDoS/Availability
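The four properties on slide 12, as an added example rather than Moesif's code: token buckets give each user a global budget and a tighter per-user budget on expensive resources, a user who keeps hitting the limit is deactivated automatically, and every decision returns a short reason string so it is easy to inspect in logs. The bucket sizes, the /export route and the strike threshold are assumptions.

```python
"""Token-bucket rate limiting with user- and resource-specific limits and abuser deactivation (added example)."""
from collections import defaultdict

USER_LIMIT = (100, 100 / 60)                   # 100 requests, refilling 100 per minute (assumed)
RESOURCE_LIMITS = {"/export": (5, 5 / 3600)}   # 5 exports, refilling 5 per hour (assumed)
STRIKES_TO_DEACTIVATE = 20                     # consecutive rejections before deactivation (assumed)


class Bucket:
    def __init__(self, capacity, refill_per_s, now):
        self.capacity, self.refill_per_s = capacity, refill_per_s
        self.tokens, self.last = float(capacity), now

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_s)
        self.last = now


class RateLimiter:
    def __init__(self):
        self.buckets = {}
        self.strikes = defaultdict(int)
        self.deactivated = set()

    def _bucket(self, key, limit, now):
        if key not in self.buckets:
            self.buckets[key] = Bucket(limit[0], limit[1], now)
        return self.buckets[key]

    def check(self, user, route, now):
        """Return (allowed, reason); reason is a short string for logs and dashboards."""
        if user in self.deactivated:
            return False, "deactivated"
        scopes = [(("user", user), USER_LIMIT)]
        if route in RESOURCE_LIMITS:
            scopes.append((("resource", user, route), RESOURCE_LIMITS[route]))
        buckets = [(key, self._bucket(key, limit, now)) for key, limit in scopes]
        for _, b in buckets:
            b.refill(now)
        # Check every applicable bucket before consuming from any of them.
        blocked = next((key for key, b in buckets if b.tokens < 1), None)
        if blocked is not None:
            self.strikes[user] += 1
            if self.strikes[user] >= STRIKES_TO_DEACTIVATE:
                self.deactivated.add(user)
                return False, "deactivated"
            return False, "rate_limited:" + blocked[0]
        for _, b in buckets:
            b.tokens -= 1
        self.strikes[user] = 0
        return True, "ok"

    def reactivate(self, user):
        """Operator action after the customer has been told about the abuse."""
        self.deactivated.discard(user)
        self.strikes[user] = 0

    def inspect(self, user):
        """Remaining tokens per bucket for this user."""
        return {key: round(b.tokens, 2) for key, b in self.buckets.items() if key[1] == user}
```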
  • 14. 5. Fix Incorrect Server Security
       ● Leverage good server hygiene
       ● Keep SSL certificates updated and secure
       ● Block non-HTTPS traffic (close port 80 and unused ports)
       ● Audit security headers like Cross-Origin Resource Sharing and error messages
  • 15. 6. Incorrect Cache Headers
       ● Caching servers cannot understand nonstandard headers used by many APIs like X-API-Key, X-Custom-Key, etc.
       ● Even if you don’t cache, your customers may cache due to:
         ○ Exceeding rate limits
         ○ Connection limits or bandwidth cost
         ○ Reducing round-trip latency
  • 16. 6. Fix Incorrect Cache Headers
       ● Ensure Cache-Control headers are properly configured
       ● Unless your API requires caching, disable it by overriding the Cache-Control header in your gateway. Or set the Vary header.
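An added example (not Moesif's code) of the two header fixes from slides 14 and 16 applied at a gateway: responses to requests carrying a key header such as X-API-Key get Cache-Control: no-store unless the route is on a caching allow-list, and Vary is extended with the credential header so any cache that does keep the response keys it on the credential; a second function audits a response for missing HSTS, over-permissive CORS and leaked stack traces in error bodies. The header set, the allow-list and the audit rules are assumptions.

```python
"""Gateway-side cache and security header fixes for API responses (added example)."""

API_KEY_HEADERS = {            # lower-case -> canonical; assumed set, extend per deployment
    "x-api-key": "X-API-Key",
    "x-custom-key": "X-Custom-Key",
    "authorization": "Authorization",
}
CACHEABLE_ROUTES = {"GET /public/status"}   # assumed allow-list of routes that may be cached


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def fix_cache_headers(route, request_headers, response_headers):
    """Return a copy of the response headers with safe caching directives."""
    req = _lower(request_headers)
    resp = dict(response_headers)
    key_headers = [h for h in API_KEY_HEADERS if h in req]
    if not key_headers:
        return resp                       # anonymous request: leave backend caching alone
    if route not in CACHEABLE_ROUTES:
        for name in list(resp):           # drop whatever the backend set, in any case variant
            if name.lower() in ("cache-control", "expires"):
                del resp[name]
        resp["Cache-Control"] = "no-store"
    # Vary makes any cache that does store the response key it on the credential header.
    vary = [v.strip() for v in resp.get("Vary", "").split(",") if v.strip()]
    present = {v.lower() for v in vary}
    for h in key_headers:
        if h not in present:
            vary.append(API_KEY_HEADERS[h])
    resp["Vary"] = ", ".join(vary)
    return resp


def audit_security_headers(response_headers, status=200, body=""):
    """Return a list of findings for one response; an empty list means clean."""
    h = _lower(response_headers)
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security: clients may fall back to plain HTTP")
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS allows any origin together with credentials")
    if "public" in h.get("cache-control", "").lower():
        findings.append("Cache-Control: public on an API response")
    if status >= 500 and ("Traceback" in body or "Exception" in body):
        findings.append("error response body leaks an internal stack trace")
    return findings
```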
  • 17. 7. Insufficient Logging & Monitoring
       ● Insufficient monitoring is on the new OWASP Top 10 API list
       ● Logging only internal execution logs can hide unauthorized errors, caching errors, etc.
       ● Time to detect a breach on average takes over 200 days!
  • 18. 7. Fix Insufficient Logging & Monitoring
       ● Leverage a modern API management and API observability stack to automatically track access logs at the edge: What Was Accessed, Who Accessed It
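What an edge access-log record answering "who accessed what" can look like, as an added example (not Moesif's code): the gateway resolves the API key to an account, records only a fingerprint of the key, normalises the path into a route template, and lists the concrete resource ids touched (from the path and from the JSON body) alongside status, latency and client details. The id shapes, the X-API-Key header and the key-to-account lookup are assumptions.

```python
"""Structured edge access-log record: who accessed what (added example)."""
import hashlib
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Path segments treated as resource identifiers (numeric ids or UUIDs); assumed id shapes.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$")
API_KEY_HEADER = "X-API-Key"


def key_fingerprint(key):
    """Short, stable identifier for a key that does not reveal the key."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def normalize_path(path):
    """'/users/42/items?skip=1' -> ('/users/{id}/items', ['42'])"""
    template, ids = [], []
    for seg in urlsplit(path).path.split("/"):
        if ID_SEGMENT.match(seg):
            template.append("{id}")
            ids.append(seg)
        else:
            template.append(seg)
    return "/".join(template), ids


def ids_from_body(body):
    """Collect 'id' fields from a JSON object or an {'items': [...]} list response."""
    try:
        data = json.loads(body) if body else None
    except ValueError:
        return []
    if isinstance(data, dict) and "items" in data:
        data = data["items"]
    elif isinstance(data, dict):
        data = [data]
    if not isinstance(data, list):
        return []
    return [str(obj["id"]) for obj in data if isinstance(obj, dict) and "id" in obj]


def access_log_record(request, response, lookup_account, now, latency_ms):
    """Build the who/what record for one request as seen at the gateway."""
    headers = request.get("headers", {})
    key = headers.get(API_KEY_HEADER)
    route, path_ids = normalize_path(request["path"])
    return {
        "ts": now,
        "method": request["method"],
        "route": request["method"] + " " + route,
        "query": dict(parse_qsl(urlsplit(request["path"]).query)),
        "resource_ids": path_ids + ids_from_body(response.get("body", "")),   # what
        "status": response["status"],
        "latency_ms": latency_ms,
        "bytes_out": response.get("bytes", 0),
        "account": lookup_account(key) if key else None,    # who
        "key_fp": key_fingerprint(key) if key else None,    # which credential, never the key
        "client_ip": request.get("client_ip"),
        "user_agent": headers.get("User-Agent"),
    }


def access_log_line(request, response, lookup_account, now, latency_ms):
    """One JSON line per request, ready for the log pipeline."""
    return json.dumps(access_log_record(request, response, lookup_account, now, latency_ms),
                      sort_keys=True)
```

Records in this shape are what the per-user scrape detector on slide 6 consumes: the resource_ids field is the list of items touched, and account is the user it is attributed to.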
  • 19. 8. Insecure Dependencies and 3rd Party Vendors
       ● API-driven applications are becoming inherently complex and depend on many other APIs such as internal logging systems, external APM, etc.
       ● Features like encryption-at-rest don’t protect against insecure cloud applications. Very few attacks involve physical access to storage media.
       ● Third-party vendors may have unreported vulnerabilities, while internal applications may have insecure or noncompliant access control.
  • 20. 8. Secure Dependencies and 3rd Party Vendors
       ● Leverage zero-knowledge security using features like client-side encryption and Bring Your Own Key (BYOK).
       ● This means not even the vendor can access your data.
       ● Modern SaaS vendors can handle encryption on the fly with a stateless design, reducing in-house maintenance compared with typical on-premises deployments.
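The zero-knowledge arrangement on slide 20, as an added example that is not Moesif's code: the customer holds the master key, encrypts each record before it is uploaded and binds the ciphertext to its record id, while the vendor side only stores and returns opaque blobs. To stay dependency-free the block builds an encrypt-then-MAC scheme from the Python standard library (an HMAC-SHA256 keystream in counter mode plus a separate HMAC-SHA256 tag, both keys derived from the master key); in a real deployment the same structure is used with AES-GCM or another AEAD from a vetted library. The VendorStore and Customer classes and the record-id binding are assumptions.

```python
"""Client-side encryption with a customer-held key; the vendor stores only ciphertext (added example)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _derive(master, label):
    """Separate encryption and MAC keys from the customer's master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(k_enc, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for a block cipher)."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(master, plaintext, aad=b""):
    """Encrypt-then-MAC; `aad` is authenticated but not encrypted (here: the record id)."""
    k_enc, k_mac = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master, blob, aad=b""):
    """Verify the tag first, only then decrypt. Raises ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    k_enc, k_mac = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong record id or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


class VendorStore:
    """Stand-in for the SaaS side: it persists opaque blobs and never holds a key."""

    def __init__(self):
        self._blobs = {}

    def put(self, record_id, blob):
        self._blobs[record_id] = bytes(blob)

    def get(self, record_id):
        return self._blobs[record_id]

    def contains_plaintext(self, record_id, marker):
        """What the vendor (or anyone who breaches it) could learn by searching its storage."""
        return marker in self._blobs[record_id]


class Customer:
    """Holds the master key (BYOK); encrypts before upload, decrypts after download."""

    def __init__(self):
        self.master = secrets.token_bytes(32)

    def save(self, store, record_id, data):
        store.put(record_id, seal(self.master, data, aad=record_id.encode()))

    def load(self, store, record_id):
        return unseal(self.master, store.get(record_id), aad=record_id.encode())
```

Binding the record id as associated data means a blob copied under another id, or returned by the vendor in place of a different record, fails verification instead of decrypting to something plausible.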
  • 21. 9. Not securing internal endpoints
       ● Many APIs have endpoints used both by external users and by internal services (i.e., service users)
       ● If inadvertently left open, they can provide a large attack surface
       ● Internal endpoints often bypass the usual checks
  • 22. 9. Secure internal endpoints
       ● Just like you wouldn’t share the same root password with every employee, internal services require secure access as if they were an external customer: Audit Friendly, Individual RBAC, Ability to Deactivate, Short-Lived Tokens
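The four properties on slide 22 for service-to-service access, as an added example (not Moesif's code): each internal service gets its own HMAC-signed token naming the service and its role, tokens expire after a short TTL, any single token can be revoked by its id without rotating the signing key, and every authorization decision is appended to an audit list with the reason. The role-to-route mapping, the 15-minute TTL, the signing key and the injected clock are assumptions.

```python
"""Per-service, short-lived, revocable tokens with RBAC for internal endpoints (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed role model: each internal service gets exactly the routes it needs.
ROLE_PERMISSIONS = {
    "billing-worker": {"GET /internal/invoices", "POST /internal/invoices"},
    "report-builder": {"GET /internal/invoices"},
}
TOKEN_TTL_SECONDS = 15 * 60    # assumed: short-lived, services re-issue on a schedule


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class InternalAuth:
    def __init__(self, signing_key, clock=time.time):
        self._key = signing_key
        self._clock = clock
        self._revoked = set()     # token ids (jti) revoked before their expiry
        self.audit = []           # one entry per authorization decision

    def _sign(self, body):
        return _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def issue(self, service, role):
        """Mint a token for one named service; no credential is shared between services."""
        claims = {"jti": secrets.token_hex(8), "sub": service, "role": role,
                  "exp": self._clock() + TOKEN_TTL_SECONDS}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + self._sign(body)

    def revoke(self, token):
        """Deactivate one token (e.g. a compromised service) without rotating the key."""
        self._revoked.add(json.loads(_unb64(token.split(".")[0]))["jti"])

    def authorize(self, token, route):
        """Decide, record the decision for audit, and return the verdict."""
        decision = self._decide(token, route)
        self.audit.append({"ts": self._clock(), "route": route, **decision})
        return decision["allowed"]

    def _decide(self, token, route):
        parts = token.split(".")
        if len(parts) != 2:
            return {"allowed": False, "reason": "malformed", "sub": None}
        body, sig = parts
        if not hmac.compare_digest(sig, self._sign(body)):
            return {"allowed": False, "reason": "bad_signature", "sub": None}
        claims = json.loads(_unb64(body))
        verdict = {"allowed": False, "sub": claims["sub"], "role": claims["role"]}
        if claims["exp"] <= self._clock():
            return {**verdict, "reason": "expired"}
        if claims["jti"] in self._revoked:
            return {**verdict, "reason": "revoked"}
        if route not in ROLE_PERMISSIONS.get(claims["role"], set()):
            return {**verdict, "reason": "forbidden"}
        return {**verdict, "allowed": True, "reason": "ok"}
```

The signature is checked before any claim is read, so an expired or revoked token still has to be a genuine one to reach those branches, and the audit entry names the calling service rather than an anonymous "internal" caller.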
  • 23. API threats are real but can be prevented with the right mindset
  • 24. Lastly, some abuse is unintentional. Let them know.
  • 25. API Analytics

Editor's Notes

  1. It’s easy to assume adding a limit of 100 items or 1000 items will fix this.
  2. The magical part about APIs is that almost every access requires an API key. If a request doesn’t have an API key, you can automatically reject it, which is lightweight on your server.