Akamai_ API Security Best Practices - Real-world attacks and breaches
0 likes3,664 views
The document discusses API security best practices, highlighting real-world incidents of API-related breaches affecting organizations. It emphasizes the importance of robust authorization checks and outlines the OWASP API Security Top 10 vulnerabilities from 2019 to 2023. The Akamai API Security Platform is presented as a solution for detecting and mitigating API threats and vulnerabilities throughout the API lifecycle.
![© 2024 Akamai
27
© Akamai API Security. All rights
reserved.
[ Optus Data Breach]
● Company: Optus
● Industry: Telco
● Impact: ~600M USD
● Vulnerability:
○ Unauthenticated, publicly exposed
API Endpoint
○ Excessive Data Exposure
○ Incrementing Customer Identifiers](https://image.slidesharecdn.com/akamaiapisecuritybestpractices-241003005801-ee2d4c54/85/Akamai_-API-Security-Best-Practices-Real-world-attacks-and-breaches-27-320.jpg)
Akamai_ API Security Best Practices - Real-world attacks and breaches
- 1. © 2024 Akamai 1 API Security Best Practices: Lessons Learned from Real-World Attacks and Breaches Boon Wah, Tay 郑文华 鄭文華 정문하 テイブーンワ API Security Solutions Specialist Senior Solutions Engineer 28 Sep 2024
- 2. © 2024 Akamai 2 API - Application Programming Interface
- 3. © 2024 Akamai 3 API – Application Programming Interface • Set of rules or programming to allow applications to interface or communicate between each other. • Simply put.. a piece of code talking to another piece of code • API architecture is usually explained in terms of client and server. The application sending the request is called the client, and the application sending the response is called the server. Your Program (in language X) Your Program (in language Y) ● Operating systems APIs ● Remote APIs ● Database APIs ● Web APIs
- 4. © 2024 Akamai 4 APIs Power the Modern World Mission Critical Operations, Digital Transformation, and Information Availability – All Rely on APIs
- 5. © 2024 Akamai 5 API Security Incidents - Major Data Breach - Fraudulent Financial Transactions
- 7. © 2024 Akamai 7 https://www.bankinfosecurity.com/google-settles-google-api-data-leak-lawsuit-for-350m-a-24296?trk=feed_main-feed-card_feed-article-content • Google+ API that allowed outside developers to access users' private profile data. • Up to 438 third-party apps likely had access to the API. • Access to data including photos, relationship status, email and home addresses • Discovered in March 2018 a glitch dating to 2015
- 8. © 2024 Akamai 8 APIs Attacks Are the New Normal Recent major breaches caused by API exploitation 76% of organizations have had an API-related breach in the past year* Sensitive Health Data for 3.9M Customers $35M hit to revenue $34M Customer Funds Stolen Reputation Damaged 2.8 M Customer IDs $50M Fine Proposed 22.5M Gov Identity Records 68% of citizens at risk for identity theft 37m Customer Records Brand Impact & Fines Likely 300K Customer Emails Public Apology National Registration Dept of Malaysia 500K+ Customers’ PII Exposed Brand Impact and Fines 3200+ Apps Exposed 200 Million Records Source Code & Customer PII Critical IP Stolen *API Security Disconnect, Akamai Study, 2022
- 9. © 2024 Akamai 9 API Attacks - Business Logic Flaws
- 10. © 2024 Akamai 10 API Attacks are Different Web Security Protection Attacker Web / Mobile App API Back-end Data / App Crown Jewel Yesterday’s Attacks Today’s Attacks
- 11. © 2024 Akamai 11 API Attacks are Different Web Security Protection Attacker Web / Mobile App API Back-end Data / App • Attackers, are going right around your web & mobile app, straight to the API and then the back-end, where the valuable data (crown jewel) is stored!!! • Attackers are by-passing all the traditional web & mobile app security protection. • API breaches exploit business logic flaws or gaps in authorization or weak authentication and the like. Crown Jewel
- 12. © 2024 Akamai 12 OWASP API Security Top 10 2019 https://owasp.org/www-project-api-security/
- 13. © 2024 Akamai 13 OWASP API Security Top 10 2023 https://owasp.org/www-project-api-security/ API1:2023 Broken Object Level Authorization API2:2023 Broken Authentication API3:2023 Broken Object Property Level Authorization API4:2023 Unrestricted Resource Consumption API5:2023 Broken Function Level Authorization API6:2023 Unrestricted Access to Sensitive Business Flows API7:2023 Server Side Request Forgery API8:2023 Security Misconfiguration API9:2023 Improper Inventory Management API10:2023 Unsafe Consumption of APIs
- 14. © 2024 Akamai 14 OWASP Top 10 2019 to 2023 API1:2023 - Broken Object Level Authorization API2:2023 - Broken Authentication API3:2023 - Broken Object Property Level Authorization API4:2023 - Unrestricted Resource Consumption API5:2023 - Broken Function Level Authorization API8:2023 - Security Misconfiguration API9:2023 - Improper Inventory Management API1:2019 - Broken Object Level Authorization API2:2019 - Broken User Authentication API3:2019 - Excessive Data Exposure API4:2019 - Lack of Resources & Rate Limiting API5:2019 - Broken Function Level Authorization API6:2019 - Mass Assignment API7:2019 - Security Misconfiguration API8:2019 - Injection API9:2019 - Improper Assets Management API10:2019 - Insufficient Logging & Monitoring API6:2023 - Unrestricted Access to Sensitive Business Flows API7:2023 - Server Side Request Forgery API10:2023 - Unsafe Consumption of APIs Legend Unchanged Renamed Merged New Removed
- 15. © 2024 Akamai 15
- 16. © 2024 Akamai 16 Broken Object Level Authorization (BOLA) • User A can access other users’ record (or data object) • API Endpoint have insufficient access controls – No Authorization Check of the data object • Violation of Zero Trust leads to Major Data Breach or Fraudulent Transactions User A User A Data User B Data User C Data User N Data Rightful Access (1-to-1 Mapping) Data Access due to No Authorization Check (1-to-Many Mapping)
- 17. © 2024 Akamai 17
- 18. © 2024 Akamai 18
- 19. © 2024 Akamai 19
- 20. © 2024 Akamai 20 Broken Object Level Authorization What if I replace id1 with id2 and view someone else’s data Alice Attacker GET/accounts/id1/financial_info GET/accounts/id2/financial_info
- 21. © 2024 Akamai 21 Data Exfiltration Legit Behavior JWT Token of Francis API URI with User ID of Francis
- 22. © 2024 Akamai 22 Data Exfiltration Legit Behavior Personal Data of Francis
- 23. © 2024 Akamai 23 Data Exfiltration Anomaly User ID had changed Same JWT Token of Francis was used API Hacking
- 24. © 2024 Akamai 24 Data Exfiltration Anomaly API Hacking Now Reading Other People’s Data
- 25. © 2024 Akamai 25 Data Exfiltration Anomaly API Hacking Now Reading More Other People’s Data
- 26. © 2024 Akamai 26 Data Exfiltration Data Exfiltration API Hacking All of them are 200 OK! That’s Bad!!! Appear Normal to WAF or API Gateway
- 27. © 2024 Akamai 27 © Akamai API Security. All rights reserved. [ Optus Data Breach] ● Company: Optus ● Industry: Telco ● Impact: ~600M USD ● Vulnerability: ○ Unauthenticated, publicly exposed API Endpoint ○ Excessive Data Exposure ○ Incrementing Customer Identifiers
- 28. © 2024 Akamai 28 https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142 https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142
- 30. © 2024 Akamai 30 https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142 "No authenticate needed. That is bad access control. All open to internet for any one to use."
- 31. © 2024 Akamai 31 https://mango.pdf.zone/finding-former-australian-prime-mi nister-tony-abbotts-passport-number-on-instagram API and Boarding Pass
- 32. © 2024 Akamai 32
- 33. © 2024 Akamai 33 The Akamai API Security Platform Complete API security covers the entire lifecycle of an API Locate and inventory all of your APIs and related risk, from both the inside-out and outside-in Discovery Uncover vulnerabilities and misconfigurations to speed remediation and ensure compliance Detect and block API attacks with real-time traffic analysis powered by machine learning Find and remediate API vulnerabilities during the development lifecycle Posture Runtime Testing
- 34. © 2024 Akamai 34 Applications are at the center of everything we do. We protect the applications you build everywhere, every time without compromising performance or customer experience.
- 35. © 2024 Akamai 35 Boon Wah, Tay Senior Solutions Engineer Akamai Technologies https://www.linkedin.com/in/boonwah/ Thank You!