Apidays Helsinki & North 2024 - From Chaos to Calm: Navigating Emerging API Security Challenges by Eli Arkush, Akamai
APIdays_official
Jun 04, 2024
About This Presentation
From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush, Principal Solutions Engineer, API Security at Akamai
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Slide Content
From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush | Principal Solutions Engineer, API Security
Traditional vs Modern Apps
Traditional app: GET /dashboard.aspx -> fetch messages/notifications/news -> returns an HTML view
Modern app: GET /api/v2/messages, GET /api/v2/notifications, GET /api/v2/news against the User Service -> fetch messages/notifications/news -> returns raw data
APIs are Oversharing (image credit: NYTimes)
See the full report, which sheds more light on API attack trends and remedies: akamai.com/lp/soti/lurking-in-the-shadows
API Attacks By Vertical - 2023 (chart)
API Focussed Attacks By Region - 2023 (chart)
"We're making all the same mistakes with API security that we made with web security 20 years ago." - Chris Eng, Chief Research Officer, Veracode
Akamai State of the Internet (SOTI) API - The Attack Surface that Connects Us All.
API Common Attack Vectors: DDoS | Injection | Logic Abuse
Loyalty Program Fraud (Travel | Airlines | Ecommerce)
One device linked to Loyalty Account 1, 2, 3, 4, 5 and 6
(1) See this behaviour in your APIs
(2) Investigate these accounts for fraud
Case Study - Ride Sharing Company
(1) POST /addDriver -> (1) Error message with UUID
(2) POST /getConsentScreenDetails -> (2) PII and access token
Ride Sharing Company: Account Takeover (steps (1) and (2) above)
Ride Sharing Company: Excessive Data Exposure - API3:2023 Broken Object Property Level Authorization: the APIs exposed much more data than required to operate
Ride Sharing Company: BOLA - API1:2023 Broken Object Level Authorization: users can access resources that are not owned by them
BOLA Detection - Relationship Violation
Learned relationships between UserIDs (1337, 430, 777) and Accounts (7331, 835, 908)
A violation of those relationships => BOLA
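Detecting the relationship violation this slide describes, as an added example (not the speaker's or Akamai's code): it learns which user legitimately uses each account from a constructed baseline of request log lines, then flags later requests in which a different user reaches the same account. The log line format and the /accounts/<id> path are assumptions; only the user and account IDs come from the slide.

```python
from collections import defaultdict
import re

# One request per line: "<METHOD> <path> user=<authenticated user id>".
# Constructed sample format, not the speaker's; only the IDs come from the slide.
LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>/accounts/(?P<account>\d+)\S*) user=(?P<user>\d+)$"
)

# Constructed baseline traffic: each user only touches their own account.
BASELINE_LOG = """\
GET /accounts/7331/profile user=1337
GET /accounts/7331/trips user=1337
GET /accounts/835/profile user=430
GET /accounts/908/profile user=777
"""

# Constructed live traffic with two cross-account reads mixed in.
LIVE_LOG = """\
GET /accounts/7331/trips user=1337
GET /accounts/835/profile user=1337
GET /accounts/908/profile user=430
GET /accounts/835/trips user=430
GET /accounts/4242/profile user=777
"""

def parse(log):
    """Yield (user, account, path) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("account"), m.group("path")

def learn_relationships(baseline_log):
    """Map account -> set of users seen using it. Assumes the baseline is clean:
    an attacker active while learning would be learned as a legitimate owner."""
    owners = defaultdict(set)
    for user, account, _ in parse(baseline_log):
        owners[account].add(user)
    return dict(owners)

def detect_violations(live_log, owners):
    """Return (reason, user, account, path) tuples. 'violation' is a learned
    relationship being broken (the BOLA signal); 'unknown' is an account with
    no learned owner yet, which needs review rather than an automatic block."""
    alerts = []
    for user, account, path in parse(live_log):
        known = owners.get(account)
        if known is None:
            alerts.append(("unknown", user, account, path))
        elif user not in known:
            alerts.append(("violation", user, account, path))
    return alerts
```

In a real deployment the learned map would come from an authoritative ownership source or a long, verified baseline window, since a short or dirty baseline either floods "unknown" alerts or quietly whitelists the attacker.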
Goal Is Quality Code In Production
Pipeline: Write Code -> Commit Code -> Test Code -> Build -> Deploy -> Maintain
Detect ALL APIs: Zombie / Shadow
Classify ALL Exposed Data
Triage Critical Issues
Feedback into Mitigation Tooling
Detect Common Security & Posture Issues
Mitigation
Attack types: DDoS attacks | OWASP attacks | CVE exploits | Known API attacks | Bot attacks | Logic attacks
DDoS protection: Rate Limiting; Cloud-based Solutions
Web Application Firewall: Virtual patching of vulnerabilities; Blocks known attack patterns
Bot Protections: Block known bots
Built-in App protection
Behavioural Analysis: Detect Business Logic abuse, Zombies, Shadow API
Estate shown in the diagram: Corp, Cloud and On-prem, including a Shadow API and a compromised Auth. partner (!)
API Security Maturity Levels (coverage across the entire enterprise API estate)
1. Shining a light on the shadows: Discover shadow APIs and ensure each one is documented or decommissioned
2. Getting organized: Organize your API inventory
3. Hardening the API posture: Look at common alert types and identify strategies and priorities to reduce risk
4. Sharpening threat detection and response: Create response plans to address possible attacks from adversaries
5. Developing a proactive approach: Establish a formal API threat hunting discipline
Takeaways
1. APIs are a primary target
2. Ensure sufficient protections are in place for DDoS, Injection attacks and Business Logic abuse
3. Ensure you know where ALL your APIs are located
4. Ensure you know what ALL your APIs are exposing
Come and meet the team!
Marc Sandell Bergqvist, Major Account Executive, Akamai Technologies
Anders Persson, Regional Sales Leader EMEA North, Akamai Technologies
Sebastian Moradi, Senior Major Account Executive, Akamai Technologies
Eli Arkush, Principal Solutions Engineer, API Security, Akamai Technologies