Safeguarding Digital Assets: Uncovering Security Risks in APIs - Automation Guild 2024
PricillaB1
25 slides
Jul 22, 2024
About This Presentation
APIs (Application Programming Interfaces) are omnipresent. API security testing has become increasingly important, yet it is often overlooked. Security flaws in APIs can lead to a wide range of nefarious activities such as data theft, account hijacking, and more. API security has grown to be of utmost importance to organizations as a result of the digital landscape's fast expansion and broad adoption of APIs.
Slide Content
Safeguarding Digital Assets: Uncovering Security Risks in APIs
Hello there! 👪 I'm Pricilla Bilavendran, Team Leader, Billennium IT Services, Malaysia. @pricillabelwin
Table of contents
01 Introduction to API Security
02 OWASP Top 10 for APIs
03 The Role of Testers in API Security
04 Recap
01 Introduction: Why API Security Testing?
“We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back” —Cory Doctorow, Canadian Blogger and Journalist
Evolving API Landscape
- Exponential Growth: 83% of internet traffic is from APIs
- Major Attack Target: most frequent attack vector
- High-Profile Breaches: high-profile API breaches weekly
- Regulatory Compliance: privacy policies, vulnerability detection, testing
High-Profile API Breaches
Why are APIs targeted?
- Direct entry point to apps and databases
- Direct access to sensitive data (backend)
- Quick and easy compared to the classic cyber attack
- Access to the entire system
- API documentation provides insights into the business logic
What do we lose?
- Access to confidential data
- Disrupted operations, or even loss of control of a system
- Financial losses
- Reputation damage
02 OWASP Top 10 for APIs: Common API Security Risks
What’s OWASP? OWASP (Open Web Application Security Project) is an online community focused on improving the security of software. It works to identify, document, and promote methods for preventing security vulnerabilities in web applications and services.
What’s the OWASP Top 10? The OWASP Top 10 is an industry-standard list published by OWASP comprising the ten most critical web application security risks.
OWASP Top 10 for APIs: The OWASP Top 10 for APIs is similar to the OWASP Top 10 for web applications, but it is more focused on the security risks specific to APIs. The first list was released in 2019 and the updated list was released in 2023.
API Security Top 10 2023
API1:2023 Broken Object Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
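As an added example (not part of the presentation) of the first and third items in this list, here is a vulnerable order-lookup handler next to a hardened one; the in-memory store, user names, order ids and the field allow-list are all constructed for illustration:

```python
"""Constructed example of API1:2023 (BOLA) and API3:2023 (property-level
authorization) in a minimal order-lookup handler. Not from the presentation."""
from dataclasses import dataclass

# Constructed sample data: orders keyed by id, each owned by exactly one user.
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42.0, "card_last4": "4242"},
    1002: {"id": 1002, "owner": "bob", "total": 99.5, "card_last4": "1111"},
}
# Allow-list of properties a customer may see; everything else stays internal.
PUBLIC_FIELDS = ("id", "total")


class NotFound(Exception):
    """Raised for both 'no such order' and 'not your order' (see below)."""


@dataclass
class Request:
    user: str       # principal established by authentication (API2), assumed valid
    order_id: int   # taken from the URL path, so fully client-controlled


def get_order_vulnerable(req: Request) -> dict:
    """API1:2023 BOLA: trusts the id in the URL and never checks that the
    caller owns the object, so any authenticated user can read any order.
    It also echoes the whole record, leaking card_last4 (API3:2023)."""
    try:
        return ORDERS[req.order_id]
    except KeyError:
        raise NotFound from None


def get_order_secure(req: Request) -> dict:
    """Object-level check: fetch, then compare the owner with the authenticated
    principal before returning anything. 'Missing' and 'not yours' give the
    same error so ids cannot be enumerated. Only allow-listed fields are serialised."""
    order = ORDERS.get(req.order_id)
    if order is None or order["owner"] != req.user:
        raise NotFound
    return {k: order[k] for k in PUBLIC_FIELDS}


def can_read(user: str, order_id: int) -> bool:
    """True if the hardened handler would serve this order to this user."""
    try:
        get_order_secure(Request(user, order_id))
        return True
    except NotFound:
        return False
```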
03 Role of Testers in API Security
According to Postman’s 2023 State of API Report:
Shift Left Approach
- Identifying and addressing security issues early reduces the risk of vulnerabilities in the later stages of development.
- Active participation in security discussions during the requirements and design phase.
- Incorporate security testing tools and practices in the early stages of development.
Collaboration is the Key
- Developers bring in-depth knowledge of the codebase, while testers provide a critical eye for potential security vulnerabilities.
- Conduct joint code reviews focused on security aspects.
- Provide feedback and insights on secure coding practices.
API Testing is a Necessity
- Test API endpoints thoroughly for common security issues.
- Conduct penetration testing to identify potential weaknesses.
- Create awareness of API vulnerabilities.
Best Practices
- Use strong authorization methods
- Implement a “Zero Trust” approach
- Perform regular security scans
- Audit all third-party applications
- Use secure communication protocols
- Implement rate limiting and throttling
- Monitor API usage and activities
- Retire unused API versions
04 Recap
- APIs are the most attacked vector.
- API security testing is everyone’s responsibility.
- Stay updated on API vulnerabilities and API trends.
- Testers can make a difference.