teissTalk: Overcoming your internal cultural AppSec challenges

teissTalk host Geoff White was joined by Eduardo B Santos, Tech Manager (AppSec & Red Team), BEES Bank Brasil; and Hainan Hu, EMEA Application Security, Amazon.

Views on news

APIs have evolved from a means of integrating systems into the primary way the world's applications connect and share data. Unfortunately, they have also become a leading attack vector. APIs are either public or private.

Public APIs let consumers connect with a company's services, such as Google Maps, while private APIs are used by the organisation that created them to integrate specific data and application functions, or to share information with trusted partners. Because of this, private APIs have become prime targets for attackers. Meanwhile, according to a recent survey of 600 cybersecurity professionals, 74% admitted to not having a complete API inventory, or to not knowing which of their APIs carry sensitive data.

Many companies don't realise the major role that malicious automation, or bot attacks, plays in the abuse of APIs. Attackers use bots to exploit API vulnerabilities, gain access to user accounts and extract information from them at scale. Another problem is that many companies mistakenly believe their existing API security stack, which may include WAFs and API gateways, can fully protect their APIs.

APIs and their vulnerabilities have been thrown into sharp relief by recent API breaches (T-Mobile and Optus).

More about APIs and app security by design

About half of businesses still have no API inventory. There are, however, tools that can help manage your APIs, such as API Builder, which keeps the inventory of your APIs in the code, where it can be scanned to track them. An alternative is to use external reconnaissance tools to scan your public-facing APIs and make sure that none of them offers an opportunity to breach the corporate system.

Nowadays tokens, rather than credentials, are used to call an API. Combined with MFA, this means threat actors cannot attack the API with your credentials. OAuth2 is an alternative way of securing APIs; it also uses tokens, which can be revoked, refreshed and so on. Rate limiting, which caps the volume of data that can be requested, is a good way of preventing threat actors from asking for tens of millions of records and grabbing them. However, rate limiting has to be deployed correctly: tuned to specific use cases and combined with other controls.
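
As an added illustration (not from the panel or from teiss), here is a small Python guard that pairs the two points above: it refuses revoked bearer tokens, then applies a token-bucket limit keyed by token and OAuth2 scope, so one use case's budget does not govern another's and a request for tens of millions of records is refused outright rather than merely slowed. The scope names, budgets, token ids and traffic are constructed for the example.

```python
import time
from dataclasses import dataclass
# Per-use-case budgets (constructed): (records per window, window seconds), keyed by the
# OAuth2 scope a token carries. Bulk export gets a larger but slower-refilling budget.
LIMITS = {"records:read": (1_000, 60.0), "records:bulk": (100_000, 3600.0)}

@dataclass
class Bucket:  # token bucket that refills continuously up to its capacity
    capacity: int
    refill_per_sec: float
    tokens: float
    last: float

class ApiGuard:  # revocation check first, then a limit keyed per (token, scope)
    def __init__(self, revoked: set, now=time.monotonic):
        self.revoked = revoked  # ids of revoked bearer tokens (hypothetical store)
        self.now = now          # injectable clock so the scenario can advance time
        self.buckets = {}

    def check(self, token_id: str, scope: str, records_requested: int) -> str:
        if token_id in self.revoked:
            return "denied: token revoked"
        if scope not in LIMITS:
            return "denied: scope not permitted"
        cap, window = LIMITS[scope]
        t, key = self.now(), (token_id, scope)
        b = self.buckets.setdefault(key, Bucket(cap, cap / window, float(cap), t))
        b.tokens = min(b.capacity, b.tokens + (t - b.last) * b.refill_per_sec)  # refill
        b.last = t
        if records_requested > b.capacity:
            return "denied: exceeds per-scope ceiling"  # waiting never unlocks this
        if records_requested > b.tokens:
            return "throttled: retry later"
        b.tokens -= records_requested
        return "allowed"

def run_scenario() -> list:
    # Constructed traffic: one client hitting its budget, a second client, a revoked token
    clock = [0.0]
    guard = ApiGuard(revoked={"tok-revoked"}, now=lambda: clock[0])
    out = [guard.check("tok-a", "records:read", 500)]             # allowed, 500 left
    out.append(guard.check("tok-a", "records:read", 600))         # throttled: only 500 left
    clock[0] = 30.0                                               # half a window: +500
    out.append(guard.check("tok-a", "records:read", 600))         # allowed
    out.append(guard.check("tok-a", "records:read", 10_000_000))  # denied: above ceiling
    out.append(guard.check("tok-b", "records:read", 900))         # allowed: own bucket
    out.append(guard.check("tok-revoked", "records:bulk", 1))     # denied: revoked
    out.append(guard.check("tok-a", "records:bulk", 50_000))      # allowed: bulk budget
    return out
```

A per-endpoint or global counter would let one scraper exhaust everyone's budget, or let a low-volume attacker stay under the radar; keying by token and scope is what makes the limit fit the use case.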

The panel's advice

APIs, although they operate behind the scenes, should be regarded as an integral part of the front end of the business.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543