SlideShare a Scribd company logo

2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: API Vulnerabilities

APIsecure_ Official, profile picture
APIsecure_ Official

The document discusses API vulnerabilities, highlighting common exploitation methods and their evolution over time. It emphasizes that two-thirds of analyzed incidents involve improperly configured APIs and advocates for robust security measures, including documentation, testing, and real-time protective actions. The ultimate goal is to ensure APIs are built and used as intended while maintaining continuous security throughout their lifecycle.

Technology
Related topics:
API Security Insights
1 of 48
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Learn from the Past Secure the Present Plan for the Future API Vulnerabilities
© Noname Security. All rights reserved. 2 It's Great to Meet You Hila Zigman, VP Product Noname Security
Background 01.
© Noname Security. All rights reserved. The Traditional Exploitation - “Implementation” Vulnerabilities Mostly common in C, C++ Exploits Kernels, Web Browsers, Media Players and etc.. Requires deep understanding of the compiler 01 02 03
© Noname Security. All rights reserved. 5 Vulnerability Example
© Noname Security. All rights reserved. 6 Vulnerability Example
© Noname Security. All rights reserved. 7 Real World Examples
© Noname Security. All rights reserved. Code Execution Mitigations - Ever Increasing Complexity 2004 Dep - Windows XP Service Pack 2 2005 2008 ASLR 2012 2015 Sandbox technologies Windows Kernel ASLR Seccomp / SE Linux and other zero trust technologies Stack Canary 2017
© Noname Security. All rights reserved. Design / Logical Flaws There is no dependence on programming languages Requires deep understanding of the application’s logic or environment Usually a very short exploitation time 01 02 03
© Noname Security. All rights reserved. 10 Vulnerability Example
© Noname Security. All rights reserved. 11 Vulnerability Example Empty Password
© Noname Security. All rights reserved. 12 Real World Examples
© Noname Security. All rights reserved. 13 The Attacker’s Fundamental Equation Attack surface Likelihood of a vulnerability
APIs as an Attack Surface 02.
© Noname Security. All rights reserved. 15 APIs as Structured Data HTML JSON
© Noname Security. All rights reserved. 16 APIs Evolution - Direct Proxy to The Data and Controls SOAP REST
© Noname Security. All rights reserved. 17 APIs Evolution - Direct Proxy to The Data and Controls GraphQL
© Noname Security. All rights reserved. 18 APIs Growth Month Total API Count Jan 2006 Jan 2008 Jan 2010 Jan 2012 Jan 2014 Jan 2016 Jan 2018 0 4000 8000 12000 20000 16000
© Noname Security. All rights reserved. 19 APIs Sprawl
© Noname Security. All rights reserved. 20 APIs Configuration Example
© Noname Security. All rights reserved. 21 By 2022, API abuses will become the most-frequent attack vector. Public API policies represented a significant security gap. Two-thirds of the incidents analyzed involved improperly configured APIs APIs Are a Top Attack Vector
Real World Examples 03.
© Noname Security. All rights reserved. 23 Broken Authorization - Facebook (06/05/2021)
© Noname Security. All rights reserved. 24 Broken Authorization - Coinbase (02/22/2022)
© Noname Security. All rights reserved. 25 Broken Authentication - Peloton (05/2/2021)
© Noname Security. All rights reserved. 26 Excessive Data Exposure - 7-Eleven (07/12/2019)
What Can Be Done 04.
© Noname Security. All rights reserved. What Do We Aspire Every API will be built according to the way it was designed Every API will be used the way it was intended 01 02
© Noname Security. All rights reserved. How It Can Be Done 1. Document any API in a swagger document or a spec file and make sure its aligned with the organization policy 2. Built any API according to the spec file and test it for vulnerabilities or undesired behavior 3. Deploy any API according to the organization’s policy. Leverage API Gateways and WAFs to insure authentication, rate limiting, DOS protection and etc.. 4. Protect the APIs in real time, discover and block malicious users, rouge APIs and etc.
© Noname Security. All rights reserved. 30 Look at The Four Components of APIs Traffic Code Documentation Environment API
© Noname Security. All rights reserved. 31 API Security Scope Posture Management Inventory every API and Identify API security vulnerabilities Runtime Security Detection and prevention of attackers and suspicious behavior in real time APIs SDLC Continuously test APIs to identify API security risks before they emerge.
© 2021 Noname Security. All rights reserved. 32 Noname’s 360 Degrees of Security Coverage Assess every API, including legacy and shadow APIs, with data classification. Identify misconfigurations and vulnerabilities in source code, network configuration and policy. Runtime Security Behavioral-based models for runtime API threat detection. Automated and semi-automated blocking and remediation of threats. Secure SDLC Continuously test API endpoints to identify API risks before they emerge. Automated and dynamic test development and incorporation into CI/CD pipelines. Posture Management
© Noname Security. All rights reserved. Thank You
© Noname Security. All rights reserved. Noname Reference Architecture Workflow Integrations 34 Network and Cloud API Gateway Leverage APIs and Native Network Traffic and Gateway Services Development Platforms Flexible Engine Deployment on-premise, hybrid or SaaS (single tenant) Posture Attack Prevention Testing
© Noname Security. All rights reserved. 35 The Traditional Exploitation - “Implementation” Vulnerabilities ● Mostly common in C, C++ ● Exploits Kernels, Web Browsers, Media Players and etc.. ● Requires deep understanding of the compiler
© Noname Security. All rights reserved. 36 A “Good” API ● Exact scope ● Scope correlates to spec ● Managed by an API-GW ● Active ● Unique ● Serves a specific role ● Organizational requirements are enforced ● Authenticated ● Load balanced and Rate limited ● WAF defended
© Noname Security. All rights reserved. 37 Rogue API - Types ● The unmanaged API ● The deprecated API ● The dormant API ● The duplicated API ● The “unknown” API ● The unauthenticated API ● The wrongful scope API ● The misrouted API
© Noname Security. All rights reserved. 38 Security Through The Entire Life Cycle
© Noname Security. All rights reserved. 39 Secure The Environment Inventory Ass the Risk Protect the Production Secure Any New Release
© Noname Security. All rights reserved. 40 Broken Authorization - Run Time Issue Request Response
© Noname Security. All rights reserved. Request Response 41 Broken Authorization - Run Time Issue
© Noname Security. All rights reserved. 42 Broken Authorization - Run Time Issue Request Response
© Noname Security. All rights reserved. Request Response 43 Broken Authorization - Run Time Issue
© Noname Security. All rights reserved. Request Response 44 Broken Authorization - Run Time Issue
© Noname Security. All rights reserved. 45 Broken Authorization - Run Time Issue Request Response Request Response
© Noname Security. All rights reserved. 46 Broken Authorization - Run Time Issue Request Response Request Response
© Noname Security. All rights reserved. 47 Lack of Automation
© Noname Security. All rights reserved. 48 Broken Authentication - (02/15/2021)

More Related Content

PDF
Threat Modelling
n|u - The Open Security Community
 
PDF
Threat Modeling Everything
Anne Oikarinen
 
PDF
Securing DevOps through Privileged Access Management
BeyondTrust
 
PDF
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
PPTX
Application Security Architecture and Threat Modelling
Priyanka Aash
 
PPTX
Threat modeling web application: a case study
Antonio Fontes
 
PPTX
Introduction to Web Application Penetration Testing
Rana Khalil
 
PPTX
Threat modelling with_sample_application
Umut IŞIK
 
Threat Modelling
n|u - The Open Security Community
 
Threat Modeling Everything
Anne Oikarinen
 
Securing DevOps through Privileged Access Management
BeyondTrust
 
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Threat modeling web application: a case study
Antonio Fontes
 
Introduction to Web Application Penetration Testing
Rana Khalil
 
Threat modelling with_sample_application
Umut IŞIK
 

What's hot (20)

PPTX
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
PDF
Iso 27001
Adam Miller
 
PPTX
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
PDF
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
Varun Mithran
 
PDF
Customer identity and access management (ciam)
Nuvento Systems Pvt Ltd
 
PPTX
Security Information and Event Management (SIEM)
hardik soni
 
PPTX
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
PDF
Scalable threat modelling with risk patterns
Stephen de Vries
 
PPTX
Vapt( vulnerabilty and penetration testing ) services
Akshay Kurhade
 
PDF
Value proposition of SSI tech providers - Self-Sovereign Identity
SSIMeetup
 
PPTX
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
PDF
Mender; the open-source software update solution
Mender.io
 
PPTX
WHY SOC Services needed?
manoharparakh
 
PPTX
Domain 5 - Identity and Access Management
Maganathin Veeraragaloo
 
PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
THOR Apt Scanner
Florian Roth
 
PPTX
How to implement NIST cybersecurity standards in my organization
Exigent Technologies LLC
 
PPTX
Web Application Penetration Testing Introduction
gbud7
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
PDF
The Five Pillars of Customer Identity and Access Management (CIAM)
WSO2
 
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
Iso 27001
Adam Miller
 
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
Varun Mithran
 
Customer identity and access management (ciam)
Nuvento Systems Pvt Ltd
 
Security Information and Event Management (SIEM)
hardik soni
 
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
Scalable threat modelling with risk patterns
Stephen de Vries
 
Vapt( vulnerabilty and penetration testing ) services
Akshay Kurhade
 
Value proposition of SSI tech providers - Self-Sovereign Identity
SSIMeetup
 
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
Mender; the open-source software update solution
Mender.io
 
WHY SOC Services needed?
manoharparakh
 
Domain 5 - Identity and Access Management
Maganathin Veeraragaloo
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
THOR Apt Scanner
Florian Roth
 
How to implement NIST cybersecurity standards in my organization
Exigent Technologies LLC
 
Web Application Penetration Testing Introduction
gbud7
 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
The Five Pillars of Customer Identity and Access Management (CIAM)
WSO2
 
Ad

Similar to 2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: API Vulnerabilities (20)

PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
PDF
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
PDF
The API Primer (OWASP AppSec Europe, May 2015)
Greg Patton
 
PPTX
Apidays London 2024 - Securing APIs, Beyond the Basics with Advanced Security...
apidays
 
PDF
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
apidays
 
PDF
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays
 
PDF
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
apidays
 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
United States Cybersecurity Institute (USCSI®)
 
PDF
SecDevOps for API Security
42Crunch
 
PDF
Outpost24 webinar Why API security matters and how to get it right.pdf
Outpost24
 
PDF
411 Reference - API Standards and Repository.pdf
samvardu
 
PDF
eb-The-State-of-API-Security.pdf
Sajid Ali
 
PDF
Better API Security with Automation
42Crunch
 
PDF
Better API Security With A SecDevOps Approach
Nordic APIs
 
PDF
Api economy and why effective security is important (1)
IndusfacePvtLtd
 
PDF
Guidelines to protect your APIs from threats
Isabelle Mauny
 
PDF
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
PPTX
The Inconvenient Truth About API Security
Distil Networks
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
The API Primer (OWASP AppSec Europe, May 2015)
Greg Patton
 
Apidays London 2024 - Securing APIs, Beyond the Basics with Advanced Security...
apidays
 
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
apidays
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays
 
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
apidays
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
United States Cybersecurity Institute (USCSI®)
 
SecDevOps for API Security
42Crunch
 
Outpost24 webinar Why API security matters and how to get it right.pdf
Outpost24
 
411 Reference - API Standards and Repository.pdf
samvardu
 
eb-The-State-of-API-Security.pdf
Sajid Ali
 
Better API Security with Automation
42Crunch
 
Better API Security With A SecDevOps Approach
Nordic APIs
 
Api economy and why effective security is important (1)
IndusfacePvtLtd
 
Guidelines to protect your APIs from threats
Isabelle Mauny
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
The Inconvenient Truth About API Security
Distil Networks
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
Ad

More from APIsecure_ Official (20)

PDF
2022 APIsecure_A day in the life of an API; Fighting the odds
APIsecure_ Official
 
PDF
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
APIsecure_ Official
 
PDF
2022 APIsecure_Securing Large API Ecosystems
APIsecure_ Official
 
PDF
2022 APIsecure_Quarterly Review of API Vulnerabilities
APIsecure_ Official
 
PPTX
2022 APIsecure_Top Ten Security Tips for APIs
APIsecure_ Official
 
PPTX
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
PPTX
2022 APIsecure_Making webhook APIs secure for enterprise
APIsecure_ Official
 
PDF
2022 APIsecure_API Security & Fraud Detection - Are you ready?
APIsecure_ Official
 
PPTX
2022 APIsecure_Monitoring and Responding to API Breaches
APIsecure_ Official
 
PDF
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
APIsecure_ Official
 
PPTX
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
PPTX
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
APIsecure_ Official
 
PPTX
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
PPTX
2022 APIsecure_Hackers with Valid Credentials
APIsecure_ Official
 
PDF
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
APIsecure_ Official
 
PDF
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
APIsecure_ Official
 
PDF
2022 APIsecure_Harnessing the Speed of Innovation
APIsecure_ Official
 
PDF
2022 APIsecure_API Discovery: First step towards API Security
APIsecure_ Official
 
PPTX
2022 APIsecure_We’re Not in AppSec Anymore Toto
APIsecure_ Official
 
PPTX
2022 APIsecure_Anomaly detection is no longer a strategy
APIsecure_ Official
 
2022 APIsecure_A day in the life of an API; Fighting the odds
APIsecure_ Official
 
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
APIsecure_ Official
 
2022 APIsecure_Securing Large API Ecosystems
APIsecure_ Official
 
2022 APIsecure_Quarterly Review of API Vulnerabilities
APIsecure_ Official
 
2022 APIsecure_Top Ten Security Tips for APIs
APIsecure_ Official
 
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
2022 APIsecure_Making webhook APIs secure for enterprise
APIsecure_ Official
 
2022 APIsecure_API Security & Fraud Detection - Are you ready?
APIsecure_ Official
 
2022 APIsecure_Monitoring and Responding to API Breaches
APIsecure_ Official
 
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
APIsecure_ Official
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
APIsecure_ Official
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
2022 APIsecure_Hackers with Valid Credentials
APIsecure_ Official
 
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
APIsecure_ Official
 
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
APIsecure_ Official
 
2022 APIsecure_Harnessing the Speed of Innovation
APIsecure_ Official
 
2022 APIsecure_API Discovery: First step towards API Security
APIsecure_ Official
 
2022 APIsecure_We’re Not in AppSec Anymore Toto
APIsecure_ Official
 
2022 APIsecure_Anomaly detection is no longer a strategy
APIsecure_ Official
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Approach and Philosophy of On baking technology
30anthuong17
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 

2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: API Vulnerabilities