APIsecure 2023 - Learning from a decade of API breaches and why application-centric security is the right path, Jeremy Snyder (FireTail.io)
0 likes108 views
The document discusses the rise of APIs and the associated security challenges, highlighting a 348% increase in API attacks and nearly 1 billion records breached due to vulnerabilities. Firetail is introduced as a solution providing hybrid API security to address these issues by embedding security within application code. The paper emphasizes the importance of proactive security measures and visibility for effective API management and threat prevention.
APIsecure 2023 - Learning from a decade of API breaches and why application-centric security is the right path, Jeremy Snyder (FireTail.io)
- 1. LEARNING FROM A DECADE OF API BREACHES JEREMY SNYDER, FOUNDER JEREMY@FIRETAIL.IO
- 2. JEREMY SNYDER MY STORY ▸ UNC BA ’97, GMU MBA ‘04 ▸ 1998-2004 TRADOS (lang tech) ▸ 2005-2006 Rivermine (telecom) ▸ 2006-2010 Twinity (metaverse) ▸ 2010-2011 AWS (30x MRR) ▸ 2014 REAN Cloud ($1M in 6 mos) ▸ 2016-2020 DivvyCloud (20x ARR+) ▸ 2020-2021 Rapid7 M&A (3 deals)
- 3. THE LANDSCAPE & THE PROBLEM
- 4. APIS ARE EVERYWHERE EVERY MOBILE APP EVERY IOT DEVICE MODERN WEB APPS REFACTORED ENTERPRISE APPS CLOUD-NATIVE APPS are all just frontend UIs talking to a backend API. This is the backbone of the modern web.
- 6. Source: https://iot-analytics.com/2021-global-iot-spending-grow-24-percent/, https://nordicapis.com/tracking-the-growth-of-the-api-economy/, https://www.goodbarber.com/blog/the-growth-of-mobile-apps-what-do-statistics-say- a1095, https://www.forbes.com/sites/tomtaulli/2020/01/18/api-economy--is-it-the-next-big-thing/?sh=711ec09842ff, https://cisomag.eccouncil.org/api-security/, https://www.globenewswire.com/news-release/ 2020/10/22/2112642/0/en/API-Management-Market-to-reach-US-21-68-billion-By-2028-Global-Insights-on-Trends-Expansion-Plans-New-Product-Launch-Growth-Opportunities-Key-Players-Value-Chain-Analysis-and-Futur.html, Tyler Jewell, MD Dell Technologies Capital THE RISE AND RISE OF APIS ▸ Private API volumes are predicted to overtake public APIs ▸ F5 estimates 200M APIs exist already, growing to 1.7B active APIs by 2030 ▸ API economy (Twilio, Plaid, data-as-a-service): Currently > 50,000 public APIs in the world, with 40 more public API services per week “THE WORLD IS ON COURSE TO HAVING A TRILLION PROGRAMMABLE ENDPOINTS. THE MOMENTUM BEHIND CONTAINERS, SERVERLESS, MULTI-CLOUD AND APIS IS INCREASING INTO THIS YEAR, SO THE WORLD WILL PROBABLY DOUBLE THE NUMBER OF ENDPOINTS THAT ARE GENERATED. THIS IS GOING TO CREATE ALL SORTS OF NEW PROBLEMS THAT NEED TO BE SOLVED.”
- 7. Source: Akamai State of the Internet Report 2021
- 8. CRAWL -> WALK -> RUN EVOLUTION TO OUR CURRENT STATE 90s 2000s Today App EDI SOAP & XML REST / GraphQL & JSON Model Web 1.0 Client / server Distributed, API- centric Infrastructure Data center / co-lo Virtual machines Serverless functions / containers ©2022 FireTail Inc, All rights reserved.
- 9. LEARNING FROM A DECADE OF API DATA BREACHES
- 10. AND SO… APIS ARE ALSO A PROBLEM ▸ API sprawl is a looming threat to our economy - APIs are becoming the low-hanging fruit for attackers ▸ API Attacks grew 348% in Q3/Q4 2021 ▸ Close to 1 billion (with a B) records have been breached ▸ “Vulnerabilities in apps handling API data are the direct cause of these breaches. Nothing else is to blame.” https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/, https://web.archive.org/web/20210127101627/https://www.cloudvector.com/api-data-breaches-in-2020/, https://devops.com/api- sprawl-a-looming-threat-to-digital-economy, https://devops.com/api-sprawl-a-looming-threat-to-digital-economy, Gartner BY 2022, API ABUSES WILL MOVE FROM AN INFREQUENT TO THE MOST FREQUENT ATTACK VECTOR
- 11. SURVEY RESULTS TOP 6 PROBLEMS WITH APIS, REPORTED BY CISOS 1. Lack of API inventory 2. Enforcing perimeter security (gateway+logic, not fi rewall) 3. End-to-end tracing of code to API 4. Number of required security con fi gs per API 5. API change management, security implications 6. Gap between developers and security teams
- 12. BREACH DATA ANALYSIS HIGH LEVEL STATISTICS 577M+ records breached 13M records per breach event 43 unique, documented breach/research events Top attack vectors can be broken down into a few categories
- 13. BREACH DATA ANALYSIS ATTACK VECTORS FOR APIS
- 14. BREACH DATA ANALYSIS BUT THERE’S MORE…
- 15. ALMOST ALL BREACH EVENTS ARE MULTI-VECTOR
- 16. BREACH DATA ANALYSIS BREACH VECTORS
- 17. BREACH DATA ANALYSIS A LITTLE BIT MORE… Not industry-speci fi c - APIs are everywhere But some industries have had a huge breach impact recently Manufactoring (automotive) Technology (software) Hospitality (airlines, hotels, rental cars)
- 18. BREACH DATA ANALYSIS PROJECTIONS FOR 2023 Year % breach accelera ti on # breach events # average records 2021 117% 7 11,167,142.86 2022 172% 12 1,347,045.67 2023 227% 17 2,901,174.71
- 19. TRACK OUR RESEARCH DATA AND ANALYSIS SHARED ONLINE FireTail’s API Data Breach Tracker: https:// fi retail.io/api-data-breach-tracker
- 21. API SECURITY BY DESIGN INTRODUCING FIRETAIL ▸ FireTail delivers hybrid API security - agentless and agent-based ▸ FireTail delivers API security libraries that can drop into application code ▸ The library enforces strong security posture and con fi g ▸ Authentication (public vs non-public) ▸ Authorization (who can access what) ▸ Validation (what routes, methods and queries are allowed) ▸ Sanitization (Allowed data/types in and out) ▸ Enterprise use cases for info sec teams are discovery and central audit, plus API security policy analysis (API security posture management) and integration with standard systems (ticketing, alerting, etc)
- 22. CORE PRINCIPLES FIRETAIL VISIBILITY OBSERVABILITY POLICY AUDIT DISCOVERY ENFORCEMENT Authentication, authorization, validation, sanitization in code Commercial version sends con fi guration and success / failure events to cloud backend Full view of API landscape across IT fl eet Finding APIs not running FireTail library via network traf fi c, code repos & cloud APIs APIs can be analyzed for con fi guration settings and security policy. API security posture management Full and centralized audit trail of all APIs with FireTail library implemented. Search and set alerts.
- 23. THE SOLUTION - ADOPTION PATH FIRETAIL DISCOVERY & INVENTORY POLICY AUDIT ATTACK PREVENTION 1 2 3 A 3 4
- 24. t Pre-production (dev / test / staging) Production Code & design phase: 1. Secure source code 2. Vulnerability elimination Pre-launch testing 1. Fuzzing test 2. Logic test Runtime protection 1. Cover top 4 attack vectors 2. D&R on central logs Contextual awareness 1. Feed into CNAPP / AppSec 2. Integrate with SecOps ©2022 FireTail Inc, All rights reserved.
- 25. WHY EMBED API SECURITY IN THE APPLICATION LAYER?
- 27. FIRETAIL LIBRARY LOGIC FLOW ▸ API calls are incoming ▸ Valid route/method evaluation ▸ Authentication check ▸ Payload inspection pass/fail ▸ Authorization (coming soon) ▸ Timestamps captured ▸ Entire event logged to SaaS backend
- 28. FIRETAIL API EVENT LOG ▸ Full logging of API call ▸ HTTP response code, error or success case ▸ Request payload logged (option) ▸ Timestamp telemetry { "_index" : "ps-epr-66046bc8-1531-4f75-b758-86d9d968b454771c5f92-2d0a-423a-a4b7-3ce61eb0b95444edcdd8-d30e-4fd7-a461-5423e9f2f72d", "_type" : "apirequest", "_id" : "X0LvQoABjrgaKFimMDRn", "_score" : 1.0, "_source" : { "request" : { "url" : "http://127.0.0.1:8080/yyy", "headers" : { "Host" : "127.0.0.1:8080", "Connection" : "keep-alive", "Sec-Ch-Ua" : "" Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"", "Cache-Control" : "no-cache", "Sec-Ch-Ua-Mobile" : "?0", "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari "Sec-Ch-Ua-Platform" : ""Windows"", "Postman-Token" : "74c2d7fc-9e46-6220-07b6-257bf3f8c698", "Accept" : "*/*", "Sec-Fetch-Site" : "none", "Sec-Fetch-Mode" : "cors", "Sec-Fetch-Dest" : "empty", "Accept-Encoding" : "gzip, deflate, br", "Accept-Language" : "en-US,en;q=0.9,ar;q=0.8" }, "path" : "/yyy", "method" : "GET", "oPath" : "/<post_title>", "arguments" : { }, "ip" : "127.0.0.1" }, "response" : { "status_code" : 200, "content_length" : 3, "content_encoding" : null, "body" : "{}", "headers" : { "Content-Type" : "application/json", "Content-Length" : "3", "test" : "test" }, "content_type" : "application/json" }, "orgUUID" : "66046bc8-1531-4f75-b758-86d9d968b454", "apiUUID" : "44edcdd8-d30e-4fd7-a461-5423e9f2f72d", "appUUID" : "771c5f92-2d0a-423a-a4b7-3ce61eb0b954", "tokenUUID" : "e23fc787-52e0-427b-abc7-4ed318e84b88", "associated_user" : “riley@firetail.io” } }
- 29. FIRETAIL - FULLY HYBRID ARCHITECTURE FIRETAIL LIBRARY + SAAS
- 30. FIRETAIL OPEN- SOURCE & COMMERCIAL OFFERS
- 31. GET TO KNOW FIRE TAIL COMMERCIAL (FIRETAIL.APP) OR OPEN SOURCE (GITHUB)
- 32. THANK YOU! JEREMY@FIRETAIL.IO https://firetail.io - Coming soon! START A FREE TRIAL WITH US SOON TO GET FULL API VISIBILITY & SECURITY