2. API Security Risk
APIs are proliferating, and so are the risks associated with them.
API Breaches: users and hackers exploit APIs to gain from companies' assets
Compliance: companies have to demonstrate proper effort in securing their APIs
Lack of Talent: 291 000 cybersecurity jobs are unfilled - ISC2 research (2019)
Cyberlands B.V.
3. Risk Case - API Data Breach - 2020
400 000 user records were stolen
£20 000 000 fine from ICO
4. Risk Case - API Vulnerability - 2020
• Public method allows unauthenticated enumeration of all user IDs:
  gitlab.company.local/api/v4/users/{id}
• https://gitlab.com/webpwn.keys method shows avatar_url
• Part of avatar_url is an MD5 hash of the email address
Headhunting Your Developers
Phishing Your DevOps
5. Risk Case - API Abuse Fraud - 2016
if (datacash.response.reason == 'ACCEPTED' && datacash.response.status == 1)
    placeOrder();
A tech-savvy user managed to get free pizza because the payment status was checked on the client side.
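The fix for the slide 5 case is to make the server the only party that decides whether a payment succeeded. The following is an added example, not code from the deck or from the company: "datacash", the gateway lookup, the transaction ids and the amounts are constructed stand-ins, not a real payment gateway API. It keeps the slide's check beside a hardened version that re-queries the gateway, verifies the amount and refuses to reuse a transaction id.

```javascript
// Added example, not code from the deck. The fraud on slide 5 worked because the
// browser decided whether the payment had succeeded. The fix is to let only the
// server decide, by re-checking the transaction with the payment gateway instead
// of trusting a status value the client sends. "datacash", the gateway lookup and
// the transaction ids below are constructed stand-ins, not a real gateway API.

// Constructed stand-in for the gateway's server-to-server transaction lookup:
// transaction id -> the status the gateway itself reports.
const gatewayRecords = new Map([
  ['txn-1001', { reason: 'ACCEPTED', status: 1, amountPence: 1299 }],
  ['txn-1002', { reason: 'DECLINED', status: 7, amountPence: 1299 }],
]);

function gatewayLookup(txnId) {
  return gatewayRecords.get(txnId) || null;
}

// Vulnerable pattern: the check from the slide. It trusts the reason/status
// fields that arrived with the request, so a user who edits the gateway
// response in the browser gets the order placed without paying.
function placeOrderInsecure(clientPayload) {
  const datacash = clientPayload;
  if (datacash.response.reason == 'ACCEPTED' && datacash.response.status == 1) {
    return { placed: true };
  }
  return { placed: false, error: 'payment not accepted' };
}

// Hardened pattern: ignore any status the client reports. Look the transaction
// up at the gateway, verify status and amount, and refuse to reuse a
// transaction id so one accepted payment cannot pay for several orders.
const consumedTransactions = new Set();

function placeOrderSecure(clientPayload, expectedAmountPence) {
  const record = gatewayLookup(clientPayload.txnId);
  if (!record) {
    return { placed: false, error: 'unknown transaction' };
  }
  if (record.reason !== 'ACCEPTED' || record.status !== 1) {
    return { placed: false, error: 'payment not accepted' };
  }
  if (record.amountPence !== expectedAmountPence) {
    return { placed: false, error: 'amount mismatch' };
  }
  if (consumedTransactions.has(clientPayload.txnId)) {
    return { placed: false, error: 'transaction already used' };
  }
  consumedTransactions.add(clientPayload.txnId);
  return { placed: true, txnId: clientPayload.txnId };
}
```

With a payload claiming ACCEPTED for the declined transaction txn-1002, placeOrderInsecure places the order and placeOrderSecure rejects it; the secure path also rejects a wrong amount and a second order against an already-consumed transaction id.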
6. Pentest as a Service
Focus on risks that matter to your application and API
Fixed Price Pentest: get required security expertise and off-load scope risks
Hourly Rate: pay per use at maximum transparency
Dedicated Pentest Resource: a seasoned expert is reserved to solve your problems daily - dedicated, semi- or quarter-dedicated
7. Fair and Flexible Value
Our customers enjoy an average 338% Return on Investment employing us: a penetration testing provider with deep and proven expertise
8. How it Works
Scoping (1 week) - Delivery (2 - 4 weeks) - Remediation (up to 3 months)
• Typeform
• Google Meet
• eSigning
• Dedicated Chat
• Hacking Tools
• Executive Briefing
• Customer Portal with findings
• Customer Portal with findings
• Dedicated Chat
13. Selected Projects
We helped customers from Fintech, SaaS, Cybersecurity, Finance and many other spaces to identify and close their security gaps
14. API Case Study: FCA-regulated British FinTech
Objective: Support PCI DSS compliance
Security goals
• audit Managed Kubernetes (Google Cloud)
• audit external API
• bypass SSL Pinning (Android)
https://clutch.co/profile/cyberlands-bv#reviews
15. IoT Case Study: Korean Smart camera producer
Objective: Find IoT vulnerabilities
Security findings
• a backdoor discovered (third-party library)
• breached traffic encryption between cameras and cloud back-end
• took control over camera and cloud back-end
Recommendations
• introduce third-party libraries risk management process
• change design of encryption controls
• implement cloud back-end controls
Tools used: Hardware
16. Front-End Case Study: WebApp API Assessment
Objective: Find front-end and API vulnerabilities
Security findings
• unrestricted file upload
• API missing input validation
• WebForm missing input validation
• weak communication encryption
Recommendations
• restrict uploading file types
• validate and sanitise input data
• implement input validation in webforms
• implement modern communication encryption
17. Mobile Case Study: Mobile Banking Application
Objective: Find MobileApp vulnerabilities - iOS/Android
Security findings
• insecure hashing algorithms
• weak authentication
• information exposure (debug log, cache)
• no jailbreak/root detection
Recommendations
• change hashing algorithms
• add MFA
• suppress sensitive information in debug log and cache
• implement jailbreak/root detection
18. Cloud Case Study: AWS Infrastructure Assessment
Objective: Find out cloud infrastructure weaknesses
Security findings
• EBS volumes were not encrypted and CloudTrail was off
• insecure rules were set for default security groups
• all ports were allowed to accept connections
• no MFA for critical functions
Recommendations
• implement encryption process for volumes
• enable logging on API and enable MFA for critical functions
• set up zero trust for default security groups
• restrict access to ports based on business needs
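The four findings on slide 18 are configuration facts, so a defender can check for them automatically and re-check after remediation. The following is an added example, not code from the deck or from the company: it audits a constructed account snapshot offline, and the field names are a simplified shape a collector script might assemble from the cloud APIs, not the exact AWS SDK response shapes.

```javascript
// Added example, not code from the deck. The four findings on slide 18 are all
// configuration facts, so they can be checked by a script before an assessor
// ever looks. This audit runs offline over a constructed account snapshot; the
// field names are a simplified shape a collector script might assemble, not the
// exact AWS SDK response shapes.

// Constructed sample snapshot of one account.
const sampleSnapshot = {
  cloudTrailEnabled: false,
  volumes: [
    { id: 'vol-0a', encrypted: true },
    { id: 'vol-0b', encrypted: false },
  ],
  securityGroups: [
    { id: 'sg-default', name: 'default',
      ingress: [{ protocol: '-1', fromPort: 0, toPort: 65535, cidr: '0.0.0.0/0' }] },
    { id: 'sg-web', name: 'web',
      ingress: [{ protocol: 'tcp', fromPort: 443, toPort: 443, cidr: '0.0.0.0/0' }] },
  ],
  iamUsers: [
    { name: 'root', privileged: true, mfaEnabled: false },
    { name: 'ci-deployer', privileged: false, mfaEnabled: false },
  ],
};

// A rule is world-reachable if its source is the IPv4 or IPv6 "anywhere" block.
function isWorldOpen(rule) {
  return rule.cidr === '0.0.0.0/0' || rule.cidr === '::/0';
}

// A rule covers every port if it is "all protocols" (-1) or spans 0-65535.
function isAllPorts(rule) {
  return rule.protocol === '-1' || (rule.fromPort === 0 && rule.toPort === 65535);
}

// Returns a list of findings; each maps to one recommendation on slide 18.
function auditSnapshot(snapshot) {
  const findings = [];

  if (!snapshot.cloudTrailEnabled) {
    findings.push({ severity: 'high', resource: 'CloudTrail', issue: 'API activity logging is off' });
  }

  for (const vol of snapshot.volumes) {
    if (!vol.encrypted) {
      findings.push({ severity: 'medium', resource: vol.id, issue: 'EBS volume is not encrypted' });
    }
  }

  for (const sg of snapshot.securityGroups) {
    // Zero trust for the default group: it should carry no ingress rules at all,
    // so nothing is reachable unless a purpose-built group allows it.
    if (sg.name === 'default' && sg.ingress.length > 0) {
      findings.push({ severity: 'medium', resource: sg.id, issue: 'default security group has ingress rules' });
    }
    for (const rule of sg.ingress) {
      if (isWorldOpen(rule) && isAllPorts(rule)) {
        findings.push({ severity: 'high', resource: sg.id, issue: 'all ports open to the internet' });
      }
    }
  }

  for (const user of snapshot.iamUsers) {
    if (user.privileged && !user.mfaEnabled) {
      findings.push({ severity: 'high', resource: user.name, issue: 'privileged identity without MFA' });
    }
  }

  return findings;
}
```

On the sample snapshot the audit returns five findings: CloudTrail off, the unencrypted volume, two for the default group (it has rules at all, and those rules open every port to the world) and the privileged user without MFA. The web group exposing only 443 is not flagged, since a single business-justified port is exactly what "restrict access to ports based on business needs" allows.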
19. What's Happening Next
We're developing an API monitoring service to ensure continuous security of customers' apps - start date is July 1, 2021
20. The Team
Alex Bodryk, CISA, ITIL Expert - Director & Founder
10Y+ exp designing and implementing infosec programmes in GRC and SOC. Former Threat Intel analyst. Industry focus - oil&gas, fintech, MSSP/SOC
Sergey Khariuk - CTO & Founder
10Y+ exp delivering penetration testing and red team engagements. Former Reverse Engineer. Industry focus - airlines, fintech, gambling
Eduard Babych, eCPPT Gold - Head of API Testing
7+ years in vulnerability research for software and hardware products. Found major vulnerabilities in some of the most well-known devices in the world
21. Flexible Pricing for clients in UK and EU
• 10k GBP for PCI DSS external API pentest (example)
• 40 GBP/hour for small projects - up to 80 hours
• Dedicated penetration testing experts on request
We offer a money-back guarantee for each customer
Start scoping today!