Name: OWASP API Security - The Attacker's Perspective
Start: 2020-10-15T18:00:00Z
End: 2020-10-15T18:00:44.000Z
Location: BrightTALK
Rating: 0

Traceable identifies all of your APIs, and evaluates your API risk posture, stops API attacks that lead to incidents such as data exfiltration, and provides analytics for threat hunting and forensic research. With our solution, you can confidently discover, manage and secure all of your APIs, quickly deploy, and easily scale to meet the ongoing needs of your organization.

As the majority of sensitive data now flows through API's in organizations, data leakage needs to be prevented by monitoring behavioral anomalies anchored around sensitive data sets. We will cover how building baselines of sensitive data usage by the standard user population vis a vis suspicious users, API call flow, inter API time intervals, and device fingerprinting, etc., can help prevent sensitive data exfiltration via APIs. This session will also include examples of how a range of API Abuse patterns have been detected using this approach.

Data Breaches: How API's have become the top attack vector for data loss

Learn from real-world API attacks and vulnerabilities from API Security researcher, Dr. Katie Paxton-Fear. 

In this discussion, Katie shares a few cautionary tales about how different teams left their APIs exposed and unintentionally opened their organization to API attacks and abuse. Take this opportunity for you to learn firsthand about how other organizations found themselves vulnerable to attacks and then revisit your API security practices and posture.

API Hacking Stories - Cautionary Tales

In this talk we will take a look at the practical issues of security APIs through the length of the MITRE framework. We will discuss:

- An overview of MITRE framework
- How well known API attack vectors map to known adversary tactics and technique
- A real-world use case of an attack that has started as an API breach and got developed into a full-fledged MITRE-style att@k
- Effective mitigations for API exploits

Renata Budko, Head of Product, Traceable AI
Upendra Mardikar, Chief Security Officer, Snap Finance

*replay from August 4, 2022 Traceable Forum (hosted by SANS Institute): Solving the Next Generation of Application Security Solutions Forum - https://t7e.ai/jvpqrs

Anatomy of an API Attack: Applying MITRE Framework to API Threat

To expand on Mark Andreessen’s famous 2011 postulate about software eating the world. . . “APIs are now eating the world”.

But how can we secure them?

AppSec practices now heavily depend on API security. However, traditional application security tools such as legacy WAFs, RASP, as well as the long list of testing solutions like SCA, SAST and DAST don’t look at the unique behavior and functionality of APIs, so they are ineffective at detecting and blocking API attacks.

To effectively protect APIs, we need to understand the context around each API, a capability which one-off scanners can’t do.

Learn from Traceable AI CTO and co-founder, Sanjay Nagaraj, as he looks at the evolution of APIs and provides a new industry framework to help you identify the must-haves in an API security platform.

Shift Left API security - the Right way

API’s are the inter-connectivity pipe through which data flows between apps and to/from users including threat actors. As the amount of sensitive data which flows through API’s increases manifold it is imperative that security teams get a better understanding of the volumes of traffic leaving their apps.

From fake accounts creation to account takeovers to data exfiltration to API Fraud the abuse of API’s needs a new approach to ensure API’s don’t become the attack vector for data breaches.

*recording from APISecure 2022

API Abuse: Data breaches Now & Future

API security begins with being able to automatically monitor, catalog and track changes to APIs and their distributed interactions in real time. In this session we talk about the need for an actionable API Catalog, functionality that such a catalog needs to provide and how security teams can go about creating one.

API Catalog: First step towards API Security

Modern business success is defined by the ability of leaders to inspire their teams to innovate and deliver value for their customers. In a rapidly changing and competitive market, speed and velocity is the key to success.

However, modern applications also face incredibly complex technical and business challenges. Learn from serial entrepreneur and investor Jyoti Bansal about the key principles that leaders need to account for when building their teams and defining their culture.

*session from APISecure 2022

Harnessing the Speed of Innovation

API Security starts with understanding your API inventory and the business risk of your APIs.  In this educational session with Dr. Katie Paxton-Fear, she shares her perspective on the API hacking tools in her kit as she researches and studies API security.  She will share how she approaches an API security hacking/testing exercise in order to evaluate a potential target and then the tools she would use to assess APIs for specific vulnerabilities.

API Hacking Toolbox

Just like the James Webb Telescope provides unparalleled visibility into the cosmos, we’re in the middle of a similar revolution in application observability and security, eBPF. This webinar will explain and explore how observability through extended Berkeley Packet Filter can be leveraged for greater API security and how it can unlock deep application and API insight.

Traceable Co-Founder and CTO Sanjay Nagaraj and his team will cover:
- What is eBPF
- How eBPF works for observability
- What eBPF observability means for API Security
- How Traceable uses eBPF to catalog and protect APIs

eBPF - The Future of API Security and Observability

In this 4-part webinar series, Inon Shkedy (Head of Security Research at Traceable AI; co-author OWASP API Top 10) explores the OWASP API Top 10 project and provides detailed explanations about the API threats documented in the OWASP project.

In this episode, Inon reviews and explains API Penetration Testing:
- How to approach API pentesting
- How to find OWASP API Vulnerabilities
- How to leverage the predictable nature of REST APIs
- What to do if you get stuck during a pentest

API Security Webinar Series:
Episode 1 - Why OWASP API & #1 BOLA
Episode 2 - OWASP API Top 10 #'s 2 - 5
Episode 3 - OWASP API Top 10 #'s 6 - 10
Episode 4 - API Penetration Testing - This one!

To learn more about Traceable AI | https://traceable.ai
To request a live demo or meeting | https://www.traceable.ai/request-demo

API Security & the OWASP API Top10 - API Penetration Testing (Part 4 of 4)

In this 4-part webinar series, Inon Shkedy (Head of Security Research at Traceable AI; co-author OWASP API Top 10) explores the OWASP API Top 10 project and provides detailed explanations about the API threats documented in the OWASP project.

In this episode, Inon provides details about 5 additional API vulnerabilities:
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging & Monitoring 

Inon explains how these vulnerabilities have been exploited in the wild, why developers write code that is vulnerable to them, and how attackers can take advantage of the situation for their own profit.

API Security Webinar Series:
Episode 1 - Why OWASP API & #1 BOLA 
Episode 2 - OWASP API Top 10 #'s 2 - 5 
Episode 3 - OWASP API Top 10 #'s 6 - 10 - This one!
Episode 4 - API Penetration Testing 

To learn more about Traceable AI | https://traceable.ai
To request a live demo or meeting | https://www.traceable.ai/request-demo

API Security & the OWASP API Top10 (#6 - #10) - Part 3 of 4

In this 4-part webinar series, Inon Shkedy (Head of Security Research at Traceable AI; co-author OWASP API Top 10) explores the OWASP API Top 10 project and provides detailed explanations about the API threats documented in the OWASP project.

In this episode, Inon provides details about 4 API vulnerabilities:
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization 

Inon explains how these vulnerabilities have been exploited in the wild, why developers write code that is vulnerable to them, and how attackers can take advantage of the situation for their own profit.

API Security Webinar Series:
Episode 1 - Why OWASP API & #1 BOLA
Episode 2 - OWASP API Top 10 #'s 2 - 5 - This one!
Episode 3 - OWASP API Top 10 #'s 6 - 10
Episode 4 - API Penetration Testing

To learn more about Traceable AI | https://traceable.ai
To request a live demo or meeting | https://www.traceable.ai/request-demo

API Security & the OWASP API Top10 (BUA - BFLA) - 2 of 4

In this 4-part webinar series, Inon Shkedy (Head of Security Research at Traceable AI; co-author OWASP API Top 10) explores the OWASP API Top 10 project and provides detailed explanations about the API threats documented in the OWASP project.

In the first episode in the series, Inon shares the motivation behind the project and answers the following questions: 

- Why is there a need for a new OWASP project for APIs?
- How has application security changed in the last few years? 
- Why have APIs become such an attractive target for attackers? 

He also covers the most critical API vulnerability - Broken Object Level Authorization (BOLA) and explains how attackers have managed to exploit it in many large companies like Uber, Facebook, and Verizon.

API Security Webinar Series:
Episode 1 - Why OWASP API & #1-BOLA - This one!
Episode 2 - OWASP API Top 10 #2 - #5
Episode 3 - OWASP API Top 10 #6 - #10
Episode 4 - API Penetration Testing

To learn more about Traceable AI | https://traceable.ai
To request a live demo or meeting | https://www.traceable.ai/request-demo

API Security & the OWASP API Top10 (BOLA/IDOR) - Part 1 of 4

Digital transformation is driving applications and data to the cloud, where cloud-native applications enable innovation, growth, and opportunity. Protecting cloud-native applications is fundamentally different from protecting traditional IT systems. There is no fixed perimeter in the cloud, as microservices and applications connect through APIs. In the cloud, containers are created and destroyed depending on business demand, your infrastructure isn’t permanent, rather it’s ephemeral. A security professional looking at how to protect cloud-native applications must feel like Dorothy in the Wizard of Oz –  “Toto, I’ve got a feeling we’re not in Kansas anymore.”
 
This interactive discussion between Dana Gardner (Market Analyst @ Traceable AI), Steve Coplan (Strategic Product Marketing @ Aqua Security), and Sudeep Padiyar (Product Manager @ Traceable AI) explores the new challenges that security is facing, and helps viewers find their path to the yellow brick road that leads to a more robust cloud-native security posture.

This webinar will help you understand:
- How cloud-native is fundamentally different
- Overview of security options
- Ways to get started on your security posture

A New Perspective from Log4shell: Exploit Prevention from Containers to APIs

A software bill of materials (SBOM), like any other security feature, won't solve all our problems. 

But greater transparency in the software supply chain will:
1.) Support more secure software development
2.) Enable more informed decisions around software selection and purchase
3.) Allow organizations to respond much more quickly and efficiently respond to new vulnerabilities

This webinar will review the basics of SBOM, and use the recent log4j vulnerability to understand how SBOM can help—and also understand its limits. We'll close by offering some perspectives on how SBOM and related transparency efforts will grow and evolve in 2022 and beyond.

SBOM, Log4j, and the Future of Transparency in the Software Supply Chain

Join John Jeremiah, DevSecOps Evangelist, and Sudeep Padiyar, Product Manager, for a brief discussion on the Log4j / Log4shell Vulnerability and how Traceable can detect and protect you, and your organization, from the Log4shell vulnerability - introducing Traceable AI's QuickStart Protection Guide.

Log4shell Exploit Protection & QuickStart Guide with Traceable AI

Learn how to detect and prevent the Log4shell/Log4j vulnerability. 

In early Dec 2021, a new and severe vulnerability (​​CVE-2021-44228) has been identified in the widely used Apache Log4shell / Log4j Java logging package which gives the attacker the ability to run unauthenticated remote code execution on a targeted server. 

This vulnerability is actively being exploited. Well-known web services and applications such as Apple iCloud, Twitter, Amazon, Baidu, and Minecraft are reported to have all been targeted.

This webinar will help you understand:
 - How the Log4shell / Log4j vulnerability creates significant risk
 - Overview of mitigation strategies
 - How Traceable AI can detect and block the exploit
 - Extended Q&A

Detecting and Protecting the Log4shell Vulnerability

Do you really know how secure your cloud applications are? You have a web application firewall in place, an API gateway in place, and are using a cloud identity and access management service. So you’re goof right?

In this session we’ll learn about the top API vulnerabilities and see live how to find them and protect yourself against them.

We will explore the OWASP API Top 10 and the new security challenges and strategies to understand the application, how it is changing, and how to detect anomalies to block threats, making businesses more secure and resilient.

Join Inon Shkedy, Co-Leader of OWASP API Top 10 project and Traceable AI Security Researcher, and Anoop Kartha, API Security Evangelist to learn:
 - Why API vulnerabilities are different from traditional web application vulnerabilities
 - Why your traditional application security solutions aren’t enough
 - What are the top vulnerabilities you should be concerned about
 - How to detect and block bad actors from using these vulnerabilities against you

Hunting Down the Top API Security Threats to Your Applications

Inon Shkedy (Head of Security Research, Traceable ; co-author OWASP API Top 10) explores the OWASP API Top 10 project and provides detailed explanations about the API threats documented in the OWASP project.

In this 4th and final episode, Inon will focus on the attacker’s perspective on API security:

How the predictable nature of REST APIs can help you to find admin endpoints and write better payloads to exploit mass assignment?
How to approach API pentest? Which features and endpoints you should prioritize to maximize your time?
What to do when you get stuck and need to expand the attack surface? What are the best tools you can use to find more entry points to the tested application?
Inon will also explore these vulnerabilities from a developer perspective and answer questions on these topics and the OWASP API Top 10.

OWASP API Security - The Attacker's Perspective

OWASP

Application Security

APIs

Cloud Security

Cloud Native

Microservices

API Security

Cloud computing has exploded over the past few years, delivering a previously unimagined level of workplace mobility and flexibility. The cloud computing community on BrightTALK is made up of thousands of engaged professionals learning from the latest cloud computing research and resources. Join the community to expand your cloud computing knowledge and have your questions answered in live sessions with industry experts and vendor representatives.

Cloud Computing

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

OWASP API Security - The Attacker's Perspective

Presented by

About this talk

More from this channel