Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific
APIdays_official
Jun 01, 2024
About This Presentation
Security Vulnerabilities in your APIs
Lukáš Ďurovský, Staff Software Engineer at Thermo Fisher Scientific
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Size: 1.12 MB
Language: en
Added: Jun 01, 2024
Slides: 17 pages
Slide Content
ABOUT ME
• Slovakia
• Software Engineer
• ~10 years of experience in software engineering
• Mostly in the chemical analysis area, some side projects
• Currently at Thermo Fisher Scientific
• What am I interested in?
  • Distributed systems, DDD, security, AI
  • Skiing, tennis, hiking, travelling
Security vulnerabilities in your APIs
ApiDays Helsinki & North 2024
“Security is like spinach. One knows it is very beneficial but doesn’t really eat it that much.”
It is the same with SW engineers and security. They mostly understand that their APIs should be secure; however, actively pursuing that is not really their priority, and they tend to neglect it.
SECURITY NEGLIGENCE
• “86 % of developers do not see security as a top priority”
• What might be the reason?
  • Deadlines / knowledge / management support
  • Misconceptions
    • It’s not my problem – the DevSecOps department solves it
    • 3rd party stuff is secure
    • We are not a target for hackers
    • Security slows down development
• Why should they change their perception?
  • Save the product/company from a PR nightmare
  • Contribution to the product’s success
  • Do not be the hackers’ best friend
  • A proactive approach is more efficient (time & money) than a reactive one
  • Security skills make you more valuable in the job market
SECURITY NEGLIGENCE
• What might go wrong?
  • Data breaches
    • Sensitive data
  • Unauthorized access
    • Resources, functionalities
  • Denial-of-service attack
  • Business logic abuse
    • Having one discount code and using it multiple times
    • Removing good reviews of a competitor’s restaurant
    • Business logic abuses are usually hard to catch with code-scanning tools
REAL WORLD EXAMPLE
• One famous application
  • Free account – limit of operations per day
  • Paid account – unlimited
• Business logic abuse → no check of the limit when offline
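The two business-logic abuses the slides mention, a discount code redeemed more than once and a free-tier daily limit that a client can dodge, share one root cause: the rule is enforced somewhere the client controls. The example below is added here and is not code from the talk or from the application it refers to. It puts both rules on the server side, in an in-memory `ApiServer` whose names, tiers and limit (`FREE_DAILY_LIMIT = 3`) are assumptions; the `client_says_offline` argument exists only to show that whatever the client claims about its state has no influence on the decision.

```python
"""Server-side business-rule enforcement (added example, not from the talk).

Covers the two abuse patterns the slides mention: reusing a single-use
discount code and exceeding a free-tier daily operation limit when the
client is "offline". All names and limits are assumptions made up for this
example; state lives in memory so the file runs stand-alone.
"""
from datetime import date

FREE_DAILY_LIMIT = 3  # assumed quota for the free tier


class QuotaExceeded(Exception):
    pass


class CodeAlreadyUsed(Exception):
    pass


class ApiServer:
    def __init__(self, today=None):
        # Constructed in-memory state; a real service would keep this in a
        # database and do the check-and-update inside one transaction.
        self.accounts = {}            # user -> tier ("free" or "paid")
        self.usage = {}               # (user, day) -> operations performed
        self.codes = {"SAVE10": 10}   # discount code -> percent off (constructed)
        self.redeemed = set()         # (code, user) pairs already used
        self.today = today or date.today()

    def register(self, user, tier):
        self.accounts[user] = tier

    def perform_operation(self, user, client_says_offline=False):
        """The limit is checked here, on the server. The client's claim about
        being offline is deliberately ignored: skipping a local check on the
        client side therefore gains the caller nothing."""
        tier = self.accounts[user]
        if tier == "paid":
            return True
        key = (user, self.today)
        used = self.usage.get(key, 0)
        if used >= FREE_DAILY_LIMIT:
            raise QuotaExceeded(f"{user} exceeded {FREE_DAILY_LIMIT} operations today")
        self.usage[key] = used + 1
        return True

    def redeem_discount(self, user, code):
        """One redemption per (code, user). The check and the record happen
        together, so a repeated request cannot apply the code a second time."""
        if code not in self.codes:
            raise KeyError("unknown code")
        if (code, user) in self.redeemed:
            raise CodeAlreadyUsed(code)
        self.redeemed.add((code, user))
        return self.codes[code]


def demo():
    """Drive both rules and return what happened, for inspection or testing."""
    srv = ApiServer()
    srv.register("alice", "free")
    srv.register("bob", "paid")
    results = {"free_ok": 0, "free_blocked": False, "paid_ok": 0}
    for _ in range(5):
        try:
            srv.perform_operation("alice", client_says_offline=True)
            results["free_ok"] += 1
        except QuotaExceeded:
            results["free_blocked"] = True
    for _ in range(5):
        srv.perform_operation("bob")
        results["paid_ok"] += 1
    results["discount_first"] = srv.redeem_discount("alice", "SAVE10")
    try:
        srv.redeem_discount("alice", "SAVE10")
        results["discount_reused"] = True
    except CodeAlreadyUsed:
        results["discount_reused"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the read-check-write in `perform_operation` and `redeem_discount` must be atomic (a database transaction, a conditional update, or an atomic counter); two concurrent requests racing past the check is the same abuse by another route, and it is exactly the kind of flaw a code scanner will not flag.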
WHAT IS NECESSARY TO PREVENT SUCH THINGS FROM HAPPENING IN YOUR APIS?
• Knowledge
• Regular checking of APIs for vulnerabilities
  • Tools
  • Code reviews
  • Testing done by an external company
KNOWLEDGE. WHERE TO START?
• “33% don’t know what makes their code vulnerable”
• OWASP – Open Web Application Security Project
  • Online community
  • Free resources and methodologies regarding SW security
  • Top 10 security vulnerabilities list
  • OWASP Cheat Sheet
• CWE – Common Weakness Enumeration
  • Complement to OWASP
OWASP VULNERABILITY EXAMPLE #1
• API6:2019 – Mass Assignment
• https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/
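Mass assignment happens when a handler copies every field of the request body onto the stored object, so a profile update can also set fields the caller was never meant to touch. The example below is added here; it is neither the talk's code nor OWASP's. The `User` model, the field names and the `USER_WRITABLE_FIELDS` allowlist are assumptions chosen for illustration. `update_user_vulnerable` shows the pattern the OWASP entry describes, and `update_user_safe` the allowlist binding that prevents it, rejecting unexpected fields rather than silently dropping them so the attempt is visible in logs and tests.

```python
"""Mass assignment: vulnerable binding beside an allowlisted one.
Added example, not code from the talk or from OWASP; model and field
names are assumptions.
"""
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False   # privileged field: must never come from the client
    credit: int = 0          # server-managed field


# Fields a user is allowed to change about themselves through a profile update
USER_WRITABLE_FIELDS = frozenset({"email", "display_name"})


class ForbiddenField(ValueError):
    pass


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Binds every key of the request body that matches a model attribute.
    A body that adds "is_admin": true to an ordinary rename gets that written
    too: this is the defect the OWASP entry describes."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_user_safe(user: User, payload: dict) -> User:
    """Allowlist binding: only fields this endpoint exists to change are
    copied. Anything else is an error, not something to ignore quietly."""
    extra = set(payload) - USER_WRITABLE_FIELDS
    if extra:
        raise ForbiddenField(f"fields not writable here: {sorted(extra)}")
    for key in USER_WRITABLE_FIELDS & set(payload):
        setattr(user, key, payload[key])
    return user


# Constructed request bodies: a plain rename, and the same rename carrying
# two privileged fields that a profile endpoint should never accept.
NORMAL_PAYLOAD = {"display_name": "Mallory"}
TAMPERED_PAYLOAD = {"display_name": "Mallory", "is_admin": True, "credit": 9999}


def demo():
    """Run both handlers on a fresh copy of the same user and report."""
    before = User(id=7, email="m@example.com", display_name="M")
    vulnerable = update_user_vulnerable(User(**asdict(before)), TAMPERED_PAYLOAD)
    try:
        update_user_safe(User(**asdict(before)), TAMPERED_PAYLOAD)
        safe_rejected = False
    except ForbiddenField:
        safe_rejected = True
    renamed = update_user_safe(User(**asdict(before)), NORMAL_PAYLOAD)
    return {
        "vulnerable_admin": vulnerable.is_admin,
        "vulnerable_credit": vulnerable.credit,
        "safe_rejected": safe_rejected,
        "safe_name": renamed.display_name,
        "safe_admin": renamed.is_admin,
    }


if __name__ == "__main__":
    print(demo())
```

The same shape applies to frameworks that auto-bind request bodies to models: declare a separate input type per endpoint that lists only the writable fields, and never bind the request directly to the persistence model.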
KNOWLEDGE. VULNERABLE PLACES
Where does the security “happen”?
• Web browsers / other types of API clients
• Network
• API hosting machine
• Application code – boundaries (middleware)
• Application code – 3rd party libraries
• Application code – “business code”
TOOLS
• Web browsers – developer tools functionality
• Static code analysis
  • CI pipeline – CodeQL
• AI tools – explanation of a piece of code by e.g. GitHub Copilot
• Runtime (penetration) testing – FuzzAPI
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”
Gene Spafford, security expert
• It is not black, nor is it white
  • Usability vs. security
    • X-factor authentication vs. fast login
• Constant evolution
  • Code changes
  • Code context changes
  • Library updates
  • New ways to attack
A FEW “MUSTS”…
• Authentication & authorization
• Input validation & sanitization
• Do not put secrets directly into the code
• Regularly check for vulnerabilities in 3rd party libraries
• Make use of API security testing tools
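Two of the “musts” above are concrete enough to show in code: keeping secrets out of the source, and validating and sanitizing input. The example below is added here and is not the talk's code. It reads an API key from the environment and fails closed when it is missing, compares a presented key in constant time, and checks an order body against an explicit schema of types and bounds while rejecting unknown fields. The variable name `ORDERS_API_KEY`, the `ORDER_SCHEMA` fields and their limits are assumptions made for the example.

```python
"""Secrets from the environment plus schema-based input validation.
Added example, not the talk's code; variable and field names are assumptions.
"""
import hmac
import os

API_KEY_ENV = "ORDERS_API_KEY"   # assumed name of the environment variable


def load_api_key(environ=None) -> str:
    """Fail closed: a missing secret is a deployment error, never a reason to
    fall back to a default baked into the source."""
    env = os.environ if environ is None else environ
    key = env.get(API_KEY_ENV)
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


def key_matches(presented: str, expected: str) -> bool:
    # Constant-time comparison: a plain == returns early at the first
    # differing byte, which leaks how much of the key was right.
    return hmac.compare_digest(presented.encode(), expected.encode())


# Explicit schema: field -> (expected type, range check). Unknown fields are
# rejected, which also closes the mass-assignment route for this endpoint.
ORDER_SCHEMA = {
    "sku": (str, lambda s: 1 <= len(s) <= 32 and s.isalnum()),
    "quantity": (int, lambda q: 1 <= q <= 100),
    "note": (str, lambda n: len(n) <= 200),
}
REQUIRED = {"sku", "quantity"}


def validate_order(body: dict) -> list:
    """Return a list of problems; an empty list means the body is acceptable."""
    errors = []
    unknown = set(body) - set(ORDER_SCHEMA)
    if unknown:
        errors.append(f"unknown fields: {sorted(unknown)}")
    for missing in sorted(REQUIRED - set(body)):
        errors.append(f"missing field: {missing}")
    for field, value in body.items():
        if field not in ORDER_SCHEMA:
            continue
        expected_type, check = ORDER_SCHEMA[field]
        # bool is a subclass of int in Python, so `true` would otherwise pass
        # as a quantity; reject it explicitly for int fields.
        wrong_bool = isinstance(value, bool) and expected_type is int
        if not isinstance(value, expected_type) or wrong_bool:
            errors.append(f"{field}: wrong type")
        elif not check(value):
            errors.append(f"{field}: out of range")
    return errors


def sanitize_note(note: str) -> str:
    """Strip control characters (newlines that would break log lines, NULs)
    and surrounding whitespace before the note is stored or echoed back."""
    return "".join(ch for ch in note if ch.isprintable()).strip()


def demo():
    """Exercise each helper with constructed inputs and report the outcomes."""
    try:
        load_api_key({})
        missing_rejected = False
    except RuntimeError:
        missing_rejected = True
    expected = load_api_key({API_KEY_ENV: "s3cret-example"})  # constructed value
    return {
        "missing_secret_rejected": missing_rejected,
        "key_ok": key_matches("s3cret-example", expected),
        "key_bad": key_matches("s3cret-exampl3", expected),
        "valid_order": validate_order({"sku": "AB12", "quantity": 2}),
        "bad_order": validate_order({"sku": "AB12", "quantity": 0, "extra": 1}),
        "bool_quantity": validate_order({"quantity": True}),
        "note": sanitize_note("hello\r\nworld\x00 "),
    }


if __name__ == "__main__":
    print(demo())
```

Validation rejects what the endpoint does not understand; sanitization reshapes what it does accept. Keep them separate so a failed validation produces an error response rather than a silently altered order.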
HOW TO PROCEED?
• Resources:
  • https://owasp.org/API-Security/
  • https://cheatsheetseries.owasp.org/index.html
  • https://cwe.mitre.org/top25/
• Online courses
  • UDEMY: Hacking REST APIs – A beginner's guide
  • UDEMY: Website Hacking / Penetration Testing