apidays LIVE New York 2021 - Top 10 API security threats every API team should know by Derric Gilling, Moesif

Confidential and Proprietary. © 2021 Moesif, Inc. All Rights Reserved
moesif
Top API Security Threats Teams Should Know
And Ways to Mitigate Them

Who am I?
● Co-founder and CEO of Moesif, the
API analytics platform
● Focus on API strategy, security, and
observability
● I love IPAs!
derric@moesif.com

APIs are super powerful!
Developer
using your
API
Programmatic Access
Direct Access to Data
Large Resource Limits

1. Insecure Pagination and Resource Limits
API pagination is a common attack vector for scraping data from an API.
Data leak can occur even if no direct PII, but due to other attack vectors
like rainbow tables and dictionary attacks
First Call: GET /items?skip=0&take=10
Second Call: GET /items?skip=10&take=10

Artificial limits on pagination like provide very little in protection.
They only make your API “chatty”
● Delays can circumvent rate limits
● Randomness bypasses some detectors

Monitor for anomalous behaviors such as “large number of items
touched within a time period” at user level.

2. Insecure API Key Generation
● Many API anomaly detection systems leverage some form of
request fingerprinting from IP address, User Agent, etc.
● Hackers leverage large pools of API keys and connected devices to
circumvent some of these protections to appear from different
devices and look like different users.

2. Fix Insecure API Key Generation
Prevent users from generating unlimited API keys programmatically.
Sign up and key creation should be limited.
SAML/SSO OAuth1/2 Captcha/2FA

3. Increased Risk of Key Exposure
● APIs are expected to be accessed over indefinite time periods
● Users of APIs directly touch keys such as to paste into Postman
● API keys are bearer tokens not requiring any other evidence

3. Reduce Risk of Key Exposure
Short lived API Keys that
can be “refreshed”
Leverage environment
variables or a secure
keystore
1
2

4. Exposure to DDoS/Availability Issues
● APIs are by definition consumed programmatically such that all
traffic looks like bot traffic
● This limits traditional DDoS prevention mechanisms like Captchas
● A real customer could inadvertently bring down your API

4. Reduce Exposure to DDoS/Availability
Rate Limits is the API equivalent of Captchas
Resource
Specific Limits
User Specific
Limits
Deactivate an
Abuser
Easy to Inspect

4. Reduce Exposure to DDoS/Availability

5. Fix Incorrect Server Security
● Leverage good server hygiene
● Keep SSL certificates updated and secure
● Block non-HTTPS traffic (close port 80 and unused ports)
● Audit security headers like Cross Origin Sharing and error
messages

6. Incorrect Cache Headers
● Caching servers cannot understand nonstandard headers used by
many APIs like X-API-Key, X-Custom-Key, etc
● Even if you don’t cache, your customers may cache due to:
○ Exceeding rate limits
○ Connection limits or bandwidth cost
○ Reduce round trip latency

6. Fix Incorrect Cache Headers
● Ensure Cache-Control headers are properly configured
● Unless your API requires caching, disable it by overriding the
Cache-Control header in your gateway. Or set the Vary header.

7. Insufficient Logging & Monitoring
● Insufficient monitoring is on the new OWASP Top 10 API list
● Logging only internal execution logs can hide unauthorized errors,
caching errors, etc
● Time to detect a breach on average takes over 200 days!

7. Fix Insufficient Logging & Monitoring
● Leverage a modern API management and API observability stack to
automatically track access logs at the edge
What Was Accessed
Who Accessed It

8. Insecure Dependencies and 3rd Party Vendors
● API-driven applications are becoming inherently complex and
depend on many other APIs such as internal logging systems,
external APM, etc
● Features like encryption-at-rest don’t protect against insecure cloud
applications. Very few attacks involve physical access to storage
media.
● Third party vendors may have unreported vulnerabilities while
internal applications may have insecure or noncompliant access
control.

8. Secure Dependencies and 3rd Party Vendors
● Leverage zero-knowledge security using features like client-side
encryption and Bring Your Own Key (BYOK).
● This means not even the vendor can access your data.
● Modern SaaS vendors can handle encryption on the fly with a
stateless design reducing in house maintenance vs typical on-
premises.

9. Not securing internal endpoints
● Many APIs have both endpoints used by external users but also by
internal services (i.e. service users)
● If inadvertently open, can provide a large attack surface
● Internal endpoints many times bypass usual checks

9. Secure internal endpoints
● Just like you wouldn’t share the same root password with every
employee, internal services require secure access as if an external
customer
Audit
Friendly
Individual RBAC Ability to
Deactivate
Short Lived
Tokens

API threats are real but can be prevented with the
right mindset

Lastly, some abuse is unintentional. Let them
know.

A P I A n a l y t i c s

apidays LIVE New York 2021 - Top 10 API security threats every API team should know by Derric Gilling, Moesif

More Related Content

What's hot (20)

Similar to apidays LIVE New York 2021 - Top 10 API security threats every API team should know by Derric Gilling, Moesif (20)

More from apidays (20)

Recently uploaded (20)

apidays LIVE New York 2021 - Top 10 API security threats every API team should know by Derric Gilling, Moesif

Editor's Notes