apidays LIVE New York 2021 - Top 10 API security threats every API team should know by Derric Gilling, Moesif
1. Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved
Top API Security Threats Teams Should Know
And Ways to Mitigate Them
Who am I?
● Co-founder and CEO of Moesif, the
API analytics platform
● Focus on API strategy, security, and
observability
● I love IPAs!
derric@moesif.com
APIs are super powerful!
A developer using your API gets:
● Programmatic Access
● Direct Access to Data
● Large Resource Limits
1. Insecure Pagination and Resource Limits
API pagination is a common attack vector for scraping data from an API.
Data can leak even if the API exposes no direct PII, because the scraped data can be combined with other attack vectors like rainbow tables and dictionary attacks.
First Call: GET /items?skip=0&take=10
Second Call: GET /items?skip=10&take=10
Artificial limits on pagination, like capping a page at 100 or 1,000 items, provide very little protection.
They only make your API “chatty”: a scraper simply makes more, smaller requests.
● Adding delays between requests can circumvent rate limits
● Adding randomness to request timing bypasses some detectors
Monitor for anomalous behaviors such as “large number of items touched within a time period” at the user level.
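One way to implement that check, as an added example that is not part of the deck: the script below parses constructed access-log lines (the line format, the key names and the 50-item/2-minute thresholds are all assumptions) and flags any API key that touches 50 or more distinct item positions within a sliding two-minute window, no matter how small each page is.

```python
"""Flag API keys that page through an unusually large number of items in a time window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log: "<ISO timestamp> <api_key> <method> <target>".
# key_abc scrapes in small pages with irregular delays; key_xyz reads two pages.
SAMPLE_LOG = """\
2021-07-28T10:00:00 key_abc GET /items?skip=0&take=10
2021-07-28T10:00:07 key_abc GET /items?skip=10&take=10
2021-07-28T10:00:19 key_abc GET /items?skip=20&take=10
2021-07-28T10:00:31 key_xyz GET /items?skip=0&take=10
2021-07-28T10:00:42 key_abc GET /items?skip=30&take=10
2021-07-28T10:00:58 key_abc GET /items?skip=40&take=10
2021-07-28T10:01:11 key_xyz GET /items?skip=10&take=10
2021-07-28T10:01:20 key_abc GET /items?skip=50&take=10
"""

def parse_line(line):
    """Return (timestamp, api_key, skip, take) for one log line."""
    ts, key, _method, target = line.split()
    q = parse_qs(urlsplit(target).query)
    skip = int(q.get("skip", ["0"])[0])
    take = int(q.get("take", ["10"])[0])
    return datetime.fromisoformat(ts), key, skip, take

def items_touched(log_text, window=timedelta(minutes=2), threshold=50):
    """Per key, the peak number of distinct item positions requested inside any
    sliding window; keys at or above `threshold` are flagged for review."""
    recent = defaultdict(deque)   # api_key -> deque of (timestamp, range of positions)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        ts, key, skip, take = parse_line(line)
        q = recent[key]
        q.append((ts, range(skip, skip + take)))
        while ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        distinct = set()
        for _, positions in q:
            distinct.update(positions)
        peak[key] = max(peak[key], len(distinct))
    flagged = sorted(k for k, n in peak.items() if n >= threshold)
    return dict(peak), flagged

if __name__ == "__main__":
    peak, flagged = items_touched(SAMPLE_LOG)
    print(peak, flagged)   # key_abc touched 60 positions with take=10 and is flagged
```

The per-page cap of 10 items did nothing to stop key_abc; counting positions per user over time is what surfaces it.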
2. Insecure API Key Generation
● Many API anomaly detection systems leverage some form of request fingerprinting from IP address, User Agent, etc.
● Hackers leverage large pools of API keys and connected devices to circumvent some of these protections, appearing to come from different devices and looking like different users.
2. Fix Insecure API Key Generation
Prevent users from generating unlimited API keys programmatically.
Sign-up and key creation should be limited, for example by gating them behind:
● SAML/SSO
● OAuth 1/2
● Captcha/2FA
3. Increased Risk of Key Exposure
● APIs are expected to be accessed over indefinite time periods
● Users of APIs handle keys directly, for example pasting them into Postman
● API keys are bearer tokens: possession alone grants access, with no other evidence required
3. Reduce Risk of Key Exposure
● Short-lived API keys that can be “refreshed”
● Leverage environment variables or a secure keystore
4. Exposure to DDoS/Availability Issues
● APIs are by definition consumed programmatically, such that all traffic looks like bot traffic
● This limits traditional DDoS prevention mechanisms like Captchas
● A real customer could inadvertently bring down your API
4. Reduce Exposure to DDoS/Availability
Rate limits are the API equivalent of Captchas:
● Resource-specific limits
● User-specific limits
● Deactivate an abuser
● Easy to inspect
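Added example, not Moesif's code: a token-bucket limiter keyed by (API key, resource), so an expensive endpoint gets a tighter budget than a cheap one, a key that keeps hitting a limit is deactivated outright, and an audit method exposes the state for inspection. The endpoint names, limits and strike count are constructed.

```python
"""Per-user, per-resource rate limits with automatic deactivation of abusers."""
from dataclasses import dataclass, field

# Resource-specific limits: (bucket capacity, tokens refilled per second). Constructed values:
# /export is expensive, so it gets a much smaller budget than /items.
RESOURCE_LIMITS = {"/items": (20, 2.0), "/export": (2, 0.05)}
DEFAULT_LIMIT = (10, 1.0)
STRIKES_TO_DEACTIVATE = 5      # consecutive rejections before the key is turned off

@dataclass
class Bucket:
    tokens: float
    last: float                # timestamp of the last refill

@dataclass
class RateLimiter:
    buckets: dict = field(default_factory=dict)   # (api_key, resource) -> Bucket
    strikes: dict = field(default_factory=dict)   # api_key -> consecutive rejections
    deactivated: set = field(default_factory=set)

    def allow(self, api_key, resource, now):
        """Return (allowed, reason). `now` is a monotonic timestamp in seconds."""
        if api_key in self.deactivated:
            return False, "key deactivated"
        capacity, rate = RESOURCE_LIMITS.get(resource, DEFAULT_LIMIT)
        b = self.buckets.setdefault((api_key, resource), Bucket(capacity, now))
        b.tokens = min(capacity, b.tokens + (now - b.last) * rate)   # refill since last call
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            self.strikes[api_key] = 0          # well-behaved again, clear the strike count
            return True, "ok"
        self.strikes[api_key] = self.strikes.get(api_key, 0) + 1
        if self.strikes[api_key] >= STRIKES_TO_DEACTIVATE:
            self.deactivated.add(api_key)      # every later request from this key is rejected
            return False, "key deactivated"
        return False, "rate limited"

    def audit(self):
        """Operator snapshot: remaining tokens per (key, resource) and the deactivated keys."""
        return {k: round(b.tokens, 2) for k, b in self.buckets.items()}, sorted(self.deactivated)

if __name__ == "__main__":
    rl = RateLimiter()
    for _ in range(8):
        print(rl.allow("key_abc", "/export", 0.0))   # ok, ok, then 4x rate limited, then deactivated
    print(rl.audit())
```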
5. Fix Incorrect Server Security
● Leverage good server hygiene
● Keep SSL certificates updated and secure
● Block non-HTTPS traffic (close port 80 and unused ports)
● Audit security headers (e.g. Cross-Origin Resource Sharing) and error messages
6. Incorrect Cache Headers
● Caching servers do not understand nonstandard credential headers used by many APIs like X-API-Key, X-Custom-Key, etc., so a cache keyed only on the URL cannot tell one user’s response from another’s
● Even if you don’t cache, your customers may cache in order to:
○ Stay under rate limits
○ Work around connection limits or bandwidth cost
○ Reduce round-trip latency
6. Fix Incorrect Cache Headers
● Ensure Cache-Control headers are properly configured
● Unless your API requires caching, disable it by overriding the Cache-Control header in your gateway, or set the Vary header
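As an added example (not from the deck), the check below inspects a response's Cache-Control and Vary headers together with the name of the credential header, reports whether a shared cache could serve one user's response to another, and applies the two fixes from the slide: overriding Cache-Control at the gateway, or adding the custom key header to Vary. Header values and the function names are constructed.

```python
"""Detect API responses that a shared cache (CDN, proxy) could serve to the wrong user, and fix them."""

def _directives(cache_control):
    """Set of lower-cased Cache-Control directive names, ignoring their values."""
    return {d.strip().split("=")[0].lower() for d in cache_control.split(",") if d.strip()}

def shared_cache_risk(auth_header, response_headers):
    """Return (risky, reason) for a response to a request authenticated with `auth_header`."""
    h = {k.lower(): v for k, v in response_headers.items()}
    cc = _directives(h.get("cache-control", ""))
    if cc & {"no-store", "private"}:
        return False, "Cache-Control forbids shared caching"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    if "*" in vary or auth_header.lower() in vary:
        return False, "Vary includes the credential header, so the cache key is per user"
    if auth_header.lower() == "authorization" and "public" not in cc:
        # Shared caches must not store responses to requests carrying Authorization
        # unless directives such as public explicitly allow it (RFC 7234 section 3.2).
        return False, "Authorization header makes the response non-shareable by default"
    return True, f"{auth_header} is not a standard credential header and nothing prevents shared caching"

def harden_headers(auth_header, response_headers, allow_caching=False):
    """Gateway-side override: disable caching outright, or key the cache on the custom header."""
    fixed = dict(response_headers)
    if allow_caching:
        existing = [v.strip() for v in fixed.get("Vary", "").split(",") if v.strip()]
        if auth_header not in existing:
            existing.append(auth_header)
        fixed["Vary"] = ", ".join(existing)
    else:
        fixed["Cache-Control"] = "private, no-store"
    return fixed

# Constructed weak response: cacheable for 5 minutes, nothing ties it to the caller.
WEAK = {"Content-Type": "application/json", "Cache-Control": "max-age=300"}

if __name__ == "__main__":
    print(shared_cache_risk("X-API-Key", WEAK))
    print(shared_cache_risk("X-API-Key", harden_headers("X-API-Key", WEAK)))
    print(shared_cache_risk("X-API-Key", harden_headers("X-API-Key", WEAK, allow_caching=True)))
```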
7. Insufficient Logging & Monitoring
● Insufficient monitoring is on the new OWASP Top 10 API list
● Logging only internal execution logs can hide authorization errors, caching errors, etc.
● On average it takes over 200 days to detect a breach!
7. Fix Insufficient Logging & Monitoring
● Leverage a modern API management and API observability stack to automatically track access logs at the edge, capturing:
○ What was accessed
○ Who accessed it
8. Insecure Dependencies and 3rd Party Vendors
● API-driven applications are becoming inherently complex and depend on many other APIs such as internal logging systems, external APM, etc.
● Features like encryption-at-rest don’t protect against insecure cloud applications. Very few attacks involve physical access to storage media.
● Third-party vendors may have unreported vulnerabilities, while internal applications may have insecure or noncompliant access control.
8. Secure Dependencies and 3rd Party Vendors
● Leverage zero-knowledge security using features like client-side encryption and Bring Your Own Key (BYOK).
● This means not even the vendor can access your data.
● Modern SaaS vendors can handle encryption on the fly with a stateless design, reducing in-house maintenance vs. typical on-premises deployments.
9. Not securing internal endpoints
● Many APIs have endpoints used both by external users and by internal services (i.e. service users)
● If inadvertently left open, these provide a large attack surface
● Internal endpoints often bypass the usual checks
9. Secure internal endpoints
● Just like you wouldn’t share the same root password with every employee, internal services require secure access as if they were an external customer:
○ Audit friendly
○ Individual RBAC
○ Ability to deactivate
○ Short-lived tokens
Editor's Notes
It’s easy to assume adding a limit of 100 items or 1000 items will fix this.
The magical part about APIs is almost every access requires an API Key. If a request doesn’t have an API key, you can automatically reject it, which is lightweight on your server.