3.
Contents
WHAT ARE APIS?
ARE THEY WORTH THE RISK?
THE THREE ATTACK VECTORS TO WATCH OUT FOR
FIVE SIMPLE MITIGATION STRATEGIES YOU MIGHT HAVE OVERLOOKED
CONCLUSION
4. WHAT ARE APIS?
APIs are like windows into an application
5.
APIs are the building blocks of digital transformation
Diagram: IoT Devices, Cloud, Mobile, Partners/External Divisions, External Developers and Data, all connected to Your Digital Business
7.
Digital transformation as a maturity model
Maturity axis (low to high): Offline/In-Person, Web, Mobile, Omnichannel, Ecosystem
How Do APIs Increase an Organization’s Risk?
8.
Digital Transformation in Retail
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: RETAIL STORE, CATALOG & CALL CENTER, WEB STOREFRONT, AFFILIATE CHANNELS, MOBILE STOREFRONT, SHOPPER PROFILE APIs, PRODUCT CATALOG APIs, PERSISTENT CART APIs, IN-STORE/PROXIMITY APIs, INVENTORY/LOGISTICS APIs, PERSONALIZED PROFILE APIs, ADVANCED PAYMENT APIs, LOYALTY PARTNER APIs, MARKETPLACE APIs, SMART PRODUCT APIs
9.
Digital Transformation in Automotive
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: DEALER, SERVICE CENTER/MECHANIC, BRAND CONTENT, ONLINE PRODUCT DATA, RATINGS & REVIEWS, DEALER APIs, PRODUCT DATA APIs, DRIVER PROFILE APIs, DIAGNOSTIC APIs, VEHICLE FEATURE APIs, HISTORY/MAINTENANCE APIs, OTA UPDATE APIs, UBI APIs, LOCATION & CONTEXT APIs, INSURANCE APIs, VEHICLE SHARE APIs
10.
Digital Transformation in Transportation & Logistics
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: DROPOFF / PICKUP CENTER, COURIER, WEB RESEARCH, WEB SCHEDULING, WEB TRACKING, RATE AND SLA APIs, SERVICE APIs, TRACKING APIs, FLEET TRACKING APIs, SUPPLY CHAIN APIs, TRAFFIC MANAGEMENT APIs, ENROUTE REDIRECT APIs, PROOF OF DELIVERY APIs, TRAFFIC DATA APIs, 3PL SERVICES APIs, 3P PICKUP/DROPOFF APIs
11.
Digital Transformation in Healthcare
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: PRACTITIONER OFFICE, OFFLINE HEALTH RECORDS, CALL CENTER, ONLINE RESEARCH, CLAIMS & HISTORY, APPOINTMENT APIs, PLAN SELECTION APIs, INSURER INTEGRATION APIs, TELEHEALTH APIs, BIOTELEMETRY APIs, EHR APIs, MONITORING DEVICE APIs, CARE ANALYTICS APIs, PARTNER SERVICES APIs
12.
Digital Transformation in Financial Services
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: RETAIL BANKING, ONLINE BANKING, LOCATION & SERVICE APIs, ACCOUNT APIs, ALERT/MONITORING APIs, MOBILE PAYMENT APIs, DIRECT DEPOSIT APIs, INVESTMENT APIs, P2P MOBILE PAYMENT APIs, LOYALTY PARTNER APIs, P2P LENDING APIs, WEALTH MANAGEMENT APIs
13.
Digital Transformation in Media & Entertainment
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: BROADCAST MEDIA, PROPRIETARY STB, ONLINE PURCHASE, GUIDE & METADATA, STREAMING MEDIA APIs, METADATA APIs, ENTITLEMENT APIs, VIEWER PROFILE APIs, QUAD-PLAY APIs, SERVICE DASHBOARD APIs, WALLET/PAYMENT APIs, PARTNER ENTITLEMENT APIs, CONTENT-KEYED APIs, AD NETWORK APIs, EVENT APIs
14.
Digital Transformation in Sports & Fitness
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: BROADCAST SPORTS, DISCONNECTED DEVICES, SCORES & STATS, ONLINE CONTENT, SCORES & STATS APIs, TRACK & MONITOR APIs, FITNESS PROFILE APIs, REAL-TIME 2ND SCREEN APIs, MULTI-DEVICE PROFILE APIs, FITNESS PLATFORM APIs, HEALTH CONNECTIVITY APIs, DATA SUBSCRIPTION APIs
15.
Digital Transformation in Travel & Hospitality
Maturity axis (low to high): Offline / In-Person, Web, Mobile, Omnichannel, Ecosystem
Touchpoints and APIs plotted on the chart: PROPRIETARY RESERVATIONS, TRAVEL AGENT, FARES & SCHEDULES, ONLINE BOOKING, ONLINE CHANNELS, FARE & SCHEDULE APIs, STATUS & ALERT APIs, TRAVELER PROFILE APIs, IDENTITY & ACCESS APIs, LOCATION-AWARE APIs, ENROUTE SERVICES APIs, LOYALTY PARTNER APIs, MULTI-MODE TRAVEL APIs
18.
Niantic's API for Pokemon Go Cracked
• API functions as the access point for accessing DB and algorithm
• 3rd parties found the API and created apps that aid in the capture
• Server side issues (including downtime) increased as a result
Examples shown: Pokevision, FastPokeMap
20.
Outside the Enterprise: Internet of Things; Mobile; SaaS/Cloud Solutions (AWS, Google, SFDC …); Partner Ecosystems; External Developers
Within the Enterprise: Secure Data; Application Portfolio; ID/Authentication; Reporting & Analytics; Internal Teams
The Three Attack Vectors to Watch Out For
Many API developers come directly from a web design background, and may bring some bad habits with them.
Identity
Identity attacks exploit flaws in authentication, authorization, and session tracking. In particular, many of these are the result of migrating bad practices from the web world into API development.
Parameters
Parameter attacks exploit the data sent into an API, including the URL, query parameters, HTTP headers, and/or POST content.
Man-in-the-middle
These attacks intercept legitimate transactions and exploit unsigned and/or unencrypted data being sent between the client and the server. They can reveal confidential information (such as personal data), alter a transaction in flight, or even replay legitimate transactions.
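Transport encryption (Strategy 3 below) hides the traffic, but the deck also names two integrity failures: alteration in flight and replay of a legitimate request. The following added example, not from the deck, shows one defensive pattern for both: the client signs a canonical form of each request with HMAC-SHA256 over a shared secret, a timestamp and a nonce, and the server rejects stale, tampered, or repeated requests. The header names, secret and skew window are assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed shared secret for this example; real deployments issue a secret per client.
CLIENT_SECRET = b"example-shared-secret"
MAX_SKEW_SECONDS = 300   # requests whose timestamp is further off than this are rejected


def canonical_string(method, path, body, timestamp, nonce):
    """The exact bytes both sides sign: method, path, body digest, timestamp and nonce."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{body_digest}\n{timestamp}\n{nonce}".encode()


def sign_request(secret, method, path, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string, sent as X-Signature."""
    return hmac.new(secret, canonical_string(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()


class ReplayCache:
    """Remembers nonces for MAX_SKEW_SECONDS so a captured request cannot be resent."""

    def __init__(self):
        self.seen = {}

    def first_use(self, nonce, now):
        # Drop nonces older than the skew window; anything older is rejected as stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW_SECONDS}
        if nonce in self.seen:
            return False
        self.seen[nonce] = now
        return True


def verify_request(secret, cache, method, path, body, headers, now=None):
    """Server side: returns (accepted, reason). Checks freshness, then signature, then replay."""
    now = time.time() if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    nonce = headers.get("X-Nonce", "")
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(secret, method, path, body, timestamp, nonce)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"      # body, path or metadata altered in flight
    if not cache.first_use(nonce, now):
        return False, "replayed nonce"     # a legitimate request sent a second time
    return True, "ok"
```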
21.
Attack Vector: Parameters
API functions as the access point for accessing DB and algorithm
– In the traditional web world, parameterization was limited and indirect
– Subject to the capabilities of URLs and forms
APIs, in contrast, offer much more explicit parameterization
– The full power of RESTful design: GET, POST, PUT, DELETE
(And don’t stop there… what about the effects of HEAD, etc.?)
This creates a greater potential attack surface
– Injection, bounds, correlation, and so on
22.
Attack Vector: Identity
We had it surprisingly good in the Web world
– Browser session usually tied to a human
– Dealing with one identity is not so tough
Security tokens abound, but solutions are mature
– Username/password, multi-factor, SAML, etc.
APIs are rapidly becoming more difficult
– Non-human entities
– Multiple layers of relevant identities: me, my attributes, my phone, my developer, my provider…
23.
API keys
“An application programming interface key (API key) is a code generated by websites that allow users to access their application programming interface. API keys are used to track how the API is being used in order to prevent malicious use or abuse of the terms of service.”
Many applications publishing APIs require clients to use an API key to access their functionality.
(Source: Wikipedia, http://en.wikipedia.org/wiki/Application_programming_interface_key)
27.
Strategy 1: Validate Parameters
The five strategies:
Strategy 1: Validate Parameters
Strategy 2: Apply Explicit Threat Detection
Strategy 3: Turn on SSL Everywhere
Strategy 4: Apply Rigorous Authentication and Authorization
Strategy 5: Use Proven Solutions
• Rigorous validation of consumer-supplied inputs – and API output
• Use schema validation
28.
Strategy 2: Apply Explicit Threat Detection
• Blacklist dangerous tags like <SCRIPT>
• Virus scanning of attachments
• Very large messages can be effective denial-of-service attacks
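Strategies 1 and 2 fit naturally into one request filter: a size limit enforced before parsing (the oversized-message denial of service), a schema that allowlists fields, types, bounds and formats, and a blocklist check for script tags in any string that survives. The following added example is not from the deck; the order endpoint, its fields and the limits are assumptions constructed for illustration, and the validator is hand-written so it runs without third-party schema libraries.

```python
import json
import re

MAX_BODY_BYTES = 4096   # reject oversized messages before spending CPU on parsing them

# Constructed schema for a hypothetical order-creation endpoint (not from the deck).
ORDER_SCHEMA = {
    "sku":      {"type": str, "pattern": re.compile(r"^[A-Z0-9-]{3,20}$")},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note":     {"type": str, "max_len": 200, "required": False},
}

# Secondary blocklist check, applied only to strings that already passed the allowlist rules.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def validate_order(raw_body):
    """Return a list of rejection reasons; an empty list means the request is accepted."""
    if len(raw_body) > MAX_BODY_BYTES:
        return ["body exceeds %d bytes" % MAX_BODY_BYTES]
    try:
        data = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(data, dict):
        return ["body must be a JSON object"]

    errors = []
    for key in data:                           # unknown fields are rejected, not ignored
        if key not in ORDER_SCHEMA:
            errors.append(f"unexpected field {key!r}")
    for name, rule in ORDER_SCHEMA.items():
        if name not in data:
            if rule.get("required", True):
                errors.append(f"missing field {name!r}")
            continue
        value = data[name]
        if type(value) is not rule["type"]:    # exact type: bool must not pass as int
            errors.append(f"{name!r} has wrong type")
            continue
        if ("min" in rule and value < rule["min"]) or ("max" in rule and value > rule["max"]):
            errors.append(f"{name!r} out of bounds")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name!r} too long")
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{name!r} has invalid format")
        if isinstance(value, str) and SCRIPT_TAG.search(value):
            errors.append(f"{name!r} contains a script tag")
    return errors
```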
29.
Strategy 3: Turn on SSL Everywhere
30.
Strategy 4: Apply Rigorous Authentication and Authorization
• Multiple identity profile (Roles, Geo location, IP, User agent, Time of day...)
• OAuth for people
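The "multiple identity profile" bullet means a decision should rest on more than one signal. The following added example, not from the deck, combines role, source network, client user agent and time of day into a single default-deny policy check and reports every failing signal so the denial can be audited. The endpoint, networks, client prefix and hours are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed policy for a hypothetical admin endpoint (example data, not from the deck).
POLICY = {
    "/admin/export": {
        "roles": {"admin", "auditor"},
        "networks": [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("203.0.113.0/24")],
        "user_agent_prefixes": ("corp-client/",),
        "hours_utc": range(7, 20),        # 07:00 to 19:59 UTC
    },
}


def make_context(roles, ip, user_agent, hour_utc):
    """Bundle the identity signals available for one request (constructed sample data)."""
    return {"roles": set(roles), "ip": ip, "user_agent": user_agent,
            "time": datetime(2024, 5, 1, hour_utc, 0, tzinfo=timezone.utc)}


def evaluate_access(path, ctx):
    """Return (allowed, reasons). Every failing signal is recorded, not just the first."""
    rule = POLICY.get(path)
    if rule is None:
        return False, ["no policy for path"]          # default deny for unknown paths
    reasons = []
    if not (ctx["roles"] & rule["roles"]):
        reasons.append("role not permitted")
    try:
        addr = ipaddress.ip_address(ctx["ip"])
    except ValueError:
        addr = None                                    # unparseable address fails closed
    if addr is None or not any(addr in net for net in rule["networks"]):
        reasons.append("source network not permitted")
    if not ctx["user_agent"].startswith(rule["user_agent_prefixes"]):
        reasons.append("unrecognised client")
    if ctx["time"].astimezone(timezone.utc).hour not in rule["hours_utc"]:
        reasons.append("outside permitted hours")
    return not reasons, reasons
```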
31.
Strategy 5: Use Proven Solutions
• Separate out API implementation and API security into distinct tiers
• API Gateway (Access control, Threat detection, Confidentiality and integrity, Audit management)
32. Conclusion
APIs represent a great opportunity for the enterprise to integrate applications quickly and easily. But APIs can be a double-edged sword: they promise agility while at the same time increasing risk. If an organization can address API security as an architectural challenge long before any development takes place, it can reap the rewards of this technological breakthrough safely and securely.