Designing for API Doomsday
2 likes222 views
The Akamai Security Summit highlights the increasing threats to APIs, emphasizing their vulnerability to attacks such as credential stuffing and DDoS. It outlines the importance of effective security measures including API gateways, WAFs, and bot management to mitigate risks in interconnected business ecosystems. Organizations are encouraged to develop a comprehensive API protection plan that includes assessing their API ecosystem and implementing robust security measures.
![Akamai Security Summit World Tour | Stockholm
Coffee Anyone?
“Only my mobile app will call my API”
curl https://api.orderinput.com/v1/sku
-u sku_4bC39lelyjwGarjt:
-d currency=usd
-d inventory [type]=finite
-d inventory[quantity]=500-d price=3
-d product=prod_BgrChzDbl
-d attributes[size]=medium]
http 200 OK
https ://success.api.orderinput.com/v1/sku
-idAPI response includes some interesting data
Simple order request
to order entry APIs
order_number=14586](https://image.slidesharecdn.com/c1uyeauqxohkcbmqrkxg-signature-587515aed30083c870d01db1e2585ac6b98269badcad99f42aa7e5d1b4021898-poli-190524113620/85/Designing-for-API-Doomsday-21-320.jpg)
Designing for API Doomsday
- 1. Akamai Security Summit World Tour | Stockholm1 Designing for Doomsday: Effective API Security Approaches from the Edge Gerd Giese, Manager Cloud Security Architects, EMEA
- 2. Akamai Security Summit World Tour | Stockholm Why Are We Here? API Because APIs Are Everywhere.
- 3. Akamai Security Summit World Tour | Stockholm Rise of API Traffic
- 4. Akamai Security Summit World Tour | Stockholm Rise of API Traffic By Content Type
- 5. Akamai Security Summit World Tour | Stockholm Rise of API Traffic By Content Type
- 6. Akamai Security Summit World Tour | Stockholm Things On The Internet Make The Majority Of API Calls 66% Source: Akamai SOTI Q1 2019
- 7. Akamai Security Summit World Tour | Stockholm World’s Biggest Data Breaches & HacksWhy Are We Here? Because Data Theft Is Still Rampant. Source: https://informationisbeautiful.net
- 8. Akamai Security Summit World Tour | Stockholm Web APIs Are A Primary Target Web sites & Web APIs share the same (old) attack vectors – but APIs are often unprotected APIs are more performant and less expensive to attack compared with traditional web forms 4Xmore Credential Stuffing attacks on APIs
- 9. Akamai Security Summit World Tour | Stockholm 67% of login attempts
- 10. Akamai Security Summit World Tour | Stockholm API Credential Stuffing Looks Like DDoS Source: Akamai SOTI 1Q19 28 billion credential stuffing attempts in 8 month (Observed on Akamai Intelligent Edge Platform, 2018)
- 11. Akamai Security Summit World Tour | Stockholm Let’s Examine Some Real World Incidents
- 12. Akamai Security Summit World Tour | Stockholm How to Identify Corporate APIs? IP Addresses xxx.xxx.xxx.xxxxxx.x xx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx Step 2 Reverse lookup +/- 10 IP Addresses This Photo by Unknown Author is licensed under CC BY-SA List of Hostnames to attack Step 1 Trying ZT / Scanning for typical hostnames Hostnames auth. api. developer. download.
- 13. Akamai Security Summit World Tour | Stockholm Origin Response User Request SaaS Partners API requests are within limits, all apps and SaaS partners perform API Risk Exposure in Business Ecosystems
- 14. Akamai Security Summit World Tour | Stockholm API Risk Exposure in Business Ecosystems DDoS attack on SaaS partner Origin not protected if only relying on partners’ security measures OriginDDoS Attack SaaS Partners
- 15. Akamai Security Summit World Tour | Stockholm Online Media Distribution Partner Ecosystem Media Company (Content Owner) authentication Content User DB SaaS Partner 1 Content Owner leverage SaaS Media Distributors 2 SaaS Partner provides content adaptation and distribution 3 Content Owner keeps User DB for authentication and authorization authentication
- 16. Akamai Security Summit World Tour | Stockholm Online Media Distribution Partner Ecosystem SaaS Partner SaaS Partner SaaS Partner Content Media Company (Content Owner) User DB AuthN / AuthZ SaaS Partners 1 A botnet is used to request videos from content distributors 2 AuthN and AuthZ requests and retries overwhelm the origin 3 All end user access to content is blocked, regardless of distributor
- 17. Akamai Security Summit World Tour | Stockholm Bot Attack Data on SAAS Partner several day period Normal user traffic ~100 req/sec Peak user traffic ~500 req/sec Botnet attack! Additional ~1200 req/sec
- 18. Akamai Security Summit World Tour | Stockholm SaaS Partner SaaS Partner SaaS Partner Content Media Company (Content Owner) Gateway WAF WAF WAF Key Take-aways: o A central DB may support many partners, an attack on one may affect everyone o Risk exposure is growing in large business ecosystems Effective Security Tools: ✓ WAF ✓ Bot Management ✓ API Gateway Lessons Learned
- 19. Akamai Security Summit World Tour | Stockholm What Is In Your API Response?
- 20. Akamai Security Summit World Tour | Stockholm Oh Snap! Two problems: 1. Attacker could check with only phone numbers 2. Attacker could send up to 75,000 phone numbers per request
- 21. Akamai Security Summit World Tour | Stockholm Coffee Anyone? “Only my mobile app will call my API” curl https://api.orderinput.com/v1/sku -u sku_4bC39lelyjwGarjt: -d currency=usd -d inventory [type]=finite -d inventory[quantity]=500-d price=3 -d product=prod_BgrChzDbl -d attributes[size]=medium] http 200 OK https ://success.api.orderinput.com/v1/sku -idAPI response includes some interesting data Simple order request to order entry APIs order_number=14586
- 22. Akamai Security Summit World Tour | Stockholm Coffee Anyone? “Sequential order numbers makes sense” http 200 OK https ://success.api.orderinput.com/v1/sku -id order_number=23697
- 23. Akamai Security Summit World Tour | Stockholm But Why?
- 24. Akamai Security Summit World Tour | Stockholm Lessons Learned • API responses contain valuable information • Restrict access to authorized apps only
- 25. Akamai Security Summit World Tour | Stockholm What Is In Your Code?
- 26. Akamai Security Summit World Tour | Stockholm Attack on Microservices • DevOps utilizes automation via API functions in the cloud • Developers sharing code via GitHub Code Sharing GitHub IT Dev Ops MicroserviceMicroservice API MicroserviceMicroservice API
- 27. Akamai Security Summit World Tour | Stockholm Gitrob Tool: Find & Remove Sensitive Data On GitHub • Search by organization • Flagging interesting files, like: o Private Keys o Usernames o Emails o Internal System Info Full service tool to identify the inside of corporate networks exposed to API attacks, phishing campaigns, and social engineering attacks! Source: https://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/
- 28. Akamai Security Summit World Tour | Stockholm Lessons Learned • Careful code sharing • API inspection & validation • Mitigation applied: • API Gateway: Dynamically assign and easily revoke API Keys Code Sharing GitHub IT Dev Ops MicroserviceMicroservice API MicroserviceMicroservice API
- 29. Akamai Security Summit World Tour | Stockholm Design Considerations for APIs Usage Model • What are the use cases? • Who are the intended users? • Who are the actual/current users? • Are some users more important? Data Points • Get your users to register • Issue API Keys • Traffic segregation Operational control • Susceptible to the same threats as websites • Cache-ability? • Are all API end points of equal importance? • Inadvertent data leakage
- 30. Akamai Security Summit World Tour | Stockholm What To Do…
- 31. Akamai Security Summit World Tour | Stockholm Develop An API Protection Plan Today Next Week : Within 3 months : Within 6 months : • Assess your API ecosystem • Identify potential security risks • Understand who accesses your APIs • Define appropriate security measures • Select a security solution • Drive a project to protect all APIs (public AND private)
- 32. Akamai Security Summit World Tour | Stockholm Thank you !