
The Security Hitchhiker’s Guide to API Security

Share your thoughts/ photos on LinkedIn!

#Infosec2023

Timothy De Block

Director, Advisory Services – Antigen Security

infosecnashville.com


AGENDA

  • The who am I slide
  • Why this talk?
  • API basics
  • How to secure your APIs
  • Resources for API security
  • Questions

ISSA InfoSec Nashville 2023 | www.infosecnashville.com


ISSA Infosec 2023

10/2/23

WHY THIS TALK?

API IN THE NEWS

API BASICS

https://twitter.com/TodaysTechWorl1/status/1481117811095502854

WHAT IS AN API?

“API stands for Application Programming Interface. It is a set of rules, protocols, and tools for building software applications. An API defines how different software components should interact with each other. In simpler terms, an API is a way for different software systems to communicate with each other. It allows developers to create software applications that can access and use the functionalities of other applications, platforms, or services without having to understand the underlying code.”

TYPES OF API

API EXAMPLES – GOOGLE DRIVE

  • Download files from Drive and upload files to Drive.
  • Search for files and folders stored in Drive.
  • Let users share files, folders, and drives to collaborate on content.
  • Combine with the Google Picker API to search all files in Drive, then return the file name, URL, last modified date, and user.
  • Create third-party shortcuts that are external links to data stored outside of Drive, in a different datastore or cloud storage system.
  • Create a dedicated Drive folder to store application-specific data so the app cannot access all the user's content stored in Drive.
  • Integrate your Drive-enabled app with the Drive UI using the Google Drive UI.
  • Apply labels to Drive files, set label field values, read label field values on files, and search for files using label metadata terms defined by the custom label taxonomy.

API EXAMPLE – GOOGLE ROADS

The Roads API identifies the roads a vehicle was traveling along and provides additional metadata about those roads, such as speed limits.

  • Snap to roads – returns the best-fit road geometry for a given set of GPS coordinates.
  • Nearest roads – returns individual road segments for a given set of GPS coordinates.
  • Speed limits – returns the posted speed limit for a road segment. The Speed Limit service is available to all customers with an Asset Tracking license.

API POLICIES

  • Private – Internal
  • Partner – third-party integration
  • Public – anyone can use

SWAGGER AND POSTMAN

HOW TO BUILD AN API

WHO USES APIs?

Postman – State of API Report 2023

HOW TO SECURE YOUR APIs

INVENTORY

REQUIREMENTS AND STANDARDS

NIST SP 800-204 – Security Strategies for Microservices-based Application Systems

NIST SP 800-95 – Guide to Secure Web Services

OWASP API TOP 10

2023 State of the API Report - Postman

THREAT MODELING

MANUAL TESTING

TOOLING
API SECURITY TOOLING

API SECURITY VENDORS

Responsibility?

RESOURCES FOR API SECURITY

Reports used

  • Google API report
  • Postman – State of API Report Aug 2022 & 2023

vAPI

OWASP – Open Worldwide Application Security Project (formerly the Open Web Application Security Project)

https://exploresec.com/api


Books:

  • "API Security in Action" by Neil Madden: This book provides a comprehensive look at various techniques and tools for securing APIs.
  • "OAuth 2 in Action" by Justin Richer and Antonio Sanso: Dive deep into the OAuth 2.0 framework which is widely used for API authorization.

Blogs:

  • APIsecurity.io (42Crunch): This website has a weekly newsletter and news related to API vulnerabilities, breaches, and best practices.

Online Courses & Tutorials:

  • Pluralsight: Offers various courses on API security.

Research Papers & Articles:

  • Google Scholar: Search for API security-related research papers to get in-depth knowledge on specific topics.
  • Arxiv.org: A free distribution service and an open-access archive for scholarly articles. You can find preprints related to API security.

Edited for redundancy

QUESTIONS?

Recommended API inspection methods?

  • Static Analysis
  • Dynamic Analysis
  • Penetration Testing
  • Traffic Monitoring and Analysis
  • API Scanning
  • Threat Modeling
  • Code Review
  • Compliance Auditing
  • Dependency Scanning
  • Rate Limiting Analysis
  • Logging and Monitoring

https://www.exploresec.com/infosecnash2023-q
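Three of the methods above (traffic monitoring and analysis, rate limiting analysis, logging and monitoring) can be started from nothing more than the gateway's access log. The script below is an added example for this page, not code from the talk. It parses a constructed log layout (timestamp, client IP, token id, method, path, status) and flags two patterns the OWASP API Top 10 describes: one caller walking consecutive object identifiers, the probing behind API1 (Broken Object Level Authorization), and one caller whose request rate exceeds a per-minute budget, API4 (Unrestricted Resource Consumption). The log format, the /orders paths, the token ids and the thresholds are assumptions chosen for the example; map them onto your gateway's real log fields.

```python
"""Run two detections over API gateway access-log lines: identifier
enumeration by a single caller (the probing pattern behind OWASP API1,
Broken Object Level Authorization) and a per-caller request rate above a
budget (API4, Unrestricted Resource Consumption).

Added example for this page, not the speaker's code. The log layout
(timestamp, client IP, token id, method, path, status), the /orders paths,
the token ids and the thresholds are assumptions made for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<token>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_PATH_RE = re.compile(r"^/orders/(?P<oid>\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2023, 10, 2, 14, 0, 0)


def _line(ts, token, path, status=200, ip="203.0.113.5"):
    return f"{ts.strftime(TS_FMT)} {ip} {token} GET {path} {status}"


# Constructed sample traffic, not a real capture.
LOG_LINES = (
    # tok_a walks six consecutive order ids in 25 seconds: enumeration
    [_line(T0 + timedelta(seconds=5 * i), "tok_a", f"/orders/{1001 + i}")
     for i in range(6)]
    # tok_b re-reads its own order twice: normal behaviour
    + [_line(T0 + timedelta(seconds=10), "tok_b", "/orders/2001"),
       _line(T0 + timedelta(seconds=40), "tok_b", "/orders/2001")]
    # tok_c hits the list endpoint 61 times inside one minute
    + [_line(T0 + timedelta(milliseconds=900 * i), "tok_c", "/orders")
       for i in range(61)]
)


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def detect_enumeration(lines, window=timedelta(minutes=1), min_distinct=5):
    """Map token -> number of distinct object ids it fetched inside one
    window, for tokens at or above min_distinct."""
    per_token = defaultdict(list)
    for rec in parse(lines):
        m = OBJECT_PATH_RE.match(rec["path"])
        if m:
            per_token[rec["token"]].append((rec["ts"], m.group("oid")))
    flagged = {}
    for token, hits in per_token.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {oid for ts, oid in hits[i:] if ts - start <= window}
            if len(ids) >= min_distinct:
                flagged[token] = len(ids)
                break
    return flagged


def detect_rate(lines, window=timedelta(minutes=1), max_requests=60):
    """Map token -> peak request count in a sliding window, for tokens
    whose peak exceeds max_requests."""
    per_token = defaultdict(list)
    for rec in parse(lines):
        per_token[rec["token"]].append(rec["ts"])
    flagged = {}
    for token, stamps in per_token.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > max_requests:
            flagged[token] = peak
    return flagged


if __name__ == "__main__":
    print("enumeration:", detect_enumeration(LOG_LINES))  # {'tok_a': 6}
    print("rate:", detect_rate(LOG_LINES))                # {'tok_c': 61}
```

Both detectors key on the caller's token rather than the source IP, because a BOLA probe from a mobile client or a cloud function will often rotate addresses while keeping one credential; the threshold values are starting points to tune against a baseline of legitimate traffic, not universal constants.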

How can you effectively discover APIs in your environment and get an accurate inventory?

  • Network Monitoring
  • API Management Tools
  • Asset Scanning
  • Documentation Review
  • Source Code Analysis
  • Collaborate with Developers
  • Cloud Service Inventory
  • Security Scanners
  • Interviews and Surveys
  • DNS Query Analysis
  • Audit logs
  • Contract and Vendor Management
  • Regular Audits and Assessments
  • Set up an API Catalog or Directory

https://www.exploresec.com/infosecnash2023-q
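Documentation review is the cheapest item on that list when teams already publish Swagger/OpenAPI documents, and it feeds the API catalog directly. The script below is an added example for this page, not code from the talk or a tool the speaker endorsed. It walks an OpenAPI 3 document and produces the per-operation inventory that OWASP API9 (Improper Inventory Management) asks for, then pulls out two review queues: operations that declare no security requirement (API2, Broken Authentication) and operations addressed by an object identifier in the path, which need an ownership check (API1, Broken Object Level Authorization). The "Orders API" specification embedded in it is constructed for the example; its paths and scheme names are hypothetical.

```python
"""Inventory the operations declared in an OpenAPI 3 document and flag the
ones that deserve a security review first.

Added example for this page; not from the talk and not a tool the speaker
endorsed. The spec below is constructed for the example, and the 'Orders
API', its paths and its security scheme name are hypothetical."""
import json

SAMPLE_SPEC = json.loads('''
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
  },
  "paths": {
    "/orders": {
      "get":  {"summary": "List my orders"},
      "post": {"summary": "Create an order"}
    },
    "/orders/{orderId}": {
      "parameters": [{"name": "orderId", "in": "path", "required": true}],
      "get":    {"summary": "Fetch one order"},
      "delete": {"summary": "Delete an order"}
    },
    "/health": {
      "get": {"summary": "Liveness probe", "security": []}
    },
    "/admin/export": {
      "get": {"summary": "Dump all orders as CSV", "security": []}
    }
  }
}
''')

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def inventory(spec):
    """One record per operation: method, path, whether any security
    requirement applies, and whether the path carries an object id."""
    global_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        # Path-level parameters apply to every operation under the path.
        path_params = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # 'parameters', 'summary', vendor extensions
            # Operation-level 'security' overrides the document default;
            # an explicit empty list means "no authentication required".
            security = op.get("security", global_security)
            params = path_params + op.get("parameters", [])
            records.append({
                "method": method.upper(),
                "path": path,
                "authenticated": len(security) > 0,
                "object_level": any(p.get("in") == "path" for p in params),
            })
    return records


def review_queue(spec):
    """Operations to look at first: unauthenticated ones (OWASP API2) and
    object-level ones that need an ownership check (OWASP API1)."""
    records = inventory(spec)
    label = lambda r: f"{r['method']} {r['path']}"
    return {
        "unauthenticated": [label(r) for r in records if not r["authenticated"]],
        "object_level": [label(r) for r in records if r["object_level"]],
    }


if __name__ == "__main__":
    for record in inventory(SAMPLE_SPEC):
        print(record)
    print(review_queue(SAMPLE_SPEC))
```

Run against every spec the organization can find, the output is a first-cut catalog; the gap between it and what network monitoring or DNS query analysis actually observes on the wire is the list of undocumented (shadow) APIs. A liveness probe with `"security": []` is expected; an admin export with the same setting is the kind of finding the review queue exists to surface.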

CONTACT INFORMATION

Email: Timothy.DeBlock@antigensecurity.com

Twitter: TimothyDeBlock

LinkedIn: Timothy De Block – Director, Advisory Services

https://exploresec.com


Thank You