[00:00:00] Stan Wisseman: Welcome to another episode of Reimagining Cyber. This is Stan Wisseman, and I'm joined by my co host, Rob Aragao. So I heard you, you picked up and, and moved south for the week, right?
[00:00:14] Rob Aragao: Hey, Stan, that's right. Took the next couple of weeks to do some remote work take advantage of my in laws place down here in Florida and experience some good warm weather in the evenings when I can get out there and enjoy it while the sun's still longer than it is up in the Boston area, that's for sure.
[00:00:28] Stan Wisseman: So Rob, you sound a little different. Yeah, it
[00:00:30] Rob Aragao: sounds a little different because I don't have the normal headset that I use for these podcasts, unfortunately. So I had the headset on my desk and I'm like, I know I put everything in my backpack and I went to my backpack this morning, I'm like.
[00:00:44] Stan Wisseman: I'm
[00:00:45] Rob Aragao: like, I have a feeling I actually is here in that I may have taken it out and put it somewhere, but I just came off another meeting.
[00:00:51] And I was like, I'm just going to go to this before
[00:00:53] Stan Wisseman: trying to find it. Well, you sound okay. And so let's go ahead and dive in. So Rob, as you know, [00:01:00] we've had several episodes on application security, but we've never had an episode specifically on what's pretty much the glue in today's digital universe.
[00:01:08] APIs or what application programming interfaces for folks that don't know what that means and now it's turning into like that digital lifeline, you know, for our infrastructure and it's it's It really what allows all these different software components and pieces and parts of the organization to communicate with each other smoothly and it's turning out to be very crucial, right, for anything from like serverless computing to our use of clouds to microservices.
[00:01:40] APIs are what is the stitching that pulls all that together. So picture this, Rob, I mean, I'm sure that you have a. a banking app on your phone, right? I mean, and you, you seamlessly check your balance and, and transfer funds [00:02:00] and never wonder, you know, how that slick real time kind of interface is possible.
[00:02:05] It's APIs, right? I mean, when we first had those mobile apps, it was really clunky because it really was a web interface almost, right? From that beginning. And it's really and, and Thinking about web apps, I mean, that has been a radical evolution as well. You know, we, we had those monolithic kind of structures before.
[00:02:24] And now we have this whole API driven kind of ecosystem that we're seeing today, and that's really shifting it to much more of a dynamic and flexible way of interconnecting these architectures. And so I, I think that how we build, how we build web apps, much less any other application nowadays has to think about.
[00:02:43] That interconnectivity and how you leverage APIs effectively. But, but here's the kicker, you know, as we've grown more dependent on, on these APIs, especially with multi cloud, I mean, I mentioned cloud, but when you're [00:03:00] using multiple cloud environments, it's even especially more important. There, there's, there's this paradox, right?
[00:03:05] We, we, we are leaning more into use of APIs, but at the same time, they're now becoming a prime target for cyber threat actors, right? And, and, you know, we, I, I, I shared this recent study out recently on a, on a blog about API security in 2024, it was funded by Fastly and they, they shed some light on the fact that there's a trend of significant under investment in API security measures.
[00:03:33] And this is happening even though, you know, API has become more critical. And cyber attacks are increasing. So it was sort of a, a wake up call in a way, right?
[00:03:42] Rob Aragao: It is. And I think API has been around for quite some time, right? The, the sheer use of API is it continued to just explode for obvious reasons, as you would call it, you know, all these different environments in the cloud interacting between these applications, different data sets behind it all.
[00:03:56] And, but yeah, as you, as you're pointing out, there are [00:04:00] some serious risks associated to, you And I think there, there's definitely a much more of a emphasis we've seen on how you secure the APIs, you know? So, so if you kind of break down some of those different areas of risk, when you look at APIs is typically, you know, pretty solid documentation to support how the API works and therefore makes it easier for developers to kind of, you said, stitch them together, right, to, to get the outcome that they desire and connecting these applications.
[00:04:29] But it's also a bit of a blueprint, right, for the, for the bad guys, right, and we've seen that in multiple different areas, you know, some different types of standards and frameworks, you know, some cases are very detailed with some particular kind of control mechanisms that, Yeah, it provides a glimpse, in some cases, the blueprint
[00:04:44] Stan Wisseman: to the attacker.
[00:04:45] I mean, and you need that blueprint in some respects for the developer, because they need to know how to effectively use that API, right? They need
[00:04:52] Rob Aragao: to know, exactly, or else, right? So what good is it if you can't scale it out for additional connections for these applications for the developers? But, you know, [00:05:00] again, at the end, that's, that's, you know, one of the areas, as you were calling out, that has definitely driven more of awareness of, of API security being an area that people need to focus in on.
[00:05:10] To that point, right? OWASP has a specific top 10 list associated to API security, which is great.
[00:05:16] Stan Wisseman: Let's just pause for a second. I mean, most of our listeners, right? Probably know what OWASP is, but in case they don't, it's, you know, it's the open web application security project, right? And it's a nonprofit that's been focused on helping raise the bar on, you know, Specifically, many times web application security for the last 20 plus years, right?
[00:05:38] I think it started in 20 2001 timeframe. I could be wrong on that. But they, they, their flagship is the OWASP top 10, right? Reports on those, you know top 10 critical web application vulnerabilities. And to your point, they released in 2019, the. API security. Yeah. Top 10. Yeah. And, and,
[00:05:57] Rob Aragao: and looking at that, if you kind of just look at it from [00:06:00] a top level, there are some very key areas around authorization, authentication, security misconfigurations within there too.
[00:06:08] So, you know, it, it does do a good job of giving you some areas to focus in on or on API
[00:06:13] Stan Wisseman: security. Yeah. And, and, and they did a refresh in 2023. Right. You know, so that was, that was good. The the, the, the takeaway I, I've And talking to a number of folks is that it does provide that benchmark of and give you sort of that foundation of what you need to be thinking about for securing your API's.
[00:06:33] But you also need to augment that even with some of the the core. Critical vulnerabilities that you found and find, and they were lost top 10. So, you know, the, the API security addresses things like broken object level authentication or authorization and excessive data measure. But you also with the web application, top 10 have you know, injection flaws and cross site scripting that could still be exploited with your API.
[00:06:59] So [00:07:00] you need to sort of think about both. When you're, when you're looking at how you're going to secure your, your APIs. Yeah.
[00:07:05] Well,
[00:07:05] Rob Aragao: Stan, why don't you maybe jump into a little bit about API security breaches themselves and some of that, that
[00:07:10] Stan Wisseman: discussion? Yeah. Yeah. So I mean, some real world examples, cause I mean, we were talking in the abstract to how they can be vulnerable and stuff, but do you remember that Quest diagnostic breach?
[00:07:19] Yes. Yes. Yes. Yep. Yep. There, there's so many, right? There's, it's hard to remember all the different breaches, right? But It was a third party billing company called the American Medical Collection Agency, and they experienced a data breach affecting approximately 11. 9 million Quest patients. And that was an API vulnerability that was left exposed, and medical records were able to be extricated through that exposed API.
[00:07:45] And incidents like that sort of underscore the need. To have that kind of comprehensive security testing that mimics the authentic real world situations, including some of those tricky multi factor or authentication setups that are [00:08:00] required. You need a test to make sure that they're, they're working properly.
[00:08:05] You know, sometimes it helps to pull back and look at an analogy that would work. And imagine having a security system that checks not only your doors and your windows, But also test the locks with every type of key that's out there. Well, that's what we need. We need the same kind of thing for our applications and, and the use of APIs that we need to make sure that when a hacker comes knocking our, our digital vaults aren't just going to swing open.
[00:08:34] Right. And and, and, and, and a concept that. we've talked about in the past is this thing we call an attack surface, right? Yes. And the, that attack surface is sort of what you have as exposures that could be leveraged by threat actors. And an application layer, the attack surface is expanding. With all these APIs.
[00:08:58] So again, if you think about a door [00:09:00] analogy, right, you have, you're, you're increasing the number of doors and windows into your application, right? That, you know, you're, so you have to leverage tools like schemas and dynamic and static testing to get a better understanding of what's out there and have a, you know, that understanding of, you know, What's being exposed?
[00:09:22] What is your attack surface in the context of APIs, right? And I, and I think this, this is easier when it's a smaller environment. I mean, if you think about enterprise grade applications and the complexity and how expansive the different environments are being used. I mean, it can get crazy.
[00:09:41] Complicated going back to the house analogy. If you're talking about a small cottage, okay, it's a little easier to fortify, right? And some kind of sprawling digital estate. Yeah. And, and, and, you know, so it calls it to the question, the scalability and how we can actually do this in a way that is [00:10:00] effective across your inventory of applications and organization.
[00:10:03] I think one of the challenges that we run into right is. Actually discovering that's right where those APIs are, right? Yep. Yep. And,
[00:10:10] Rob Aragao: and, and so that's a great lead in, right? That those are kind of the, the key areas of how do you get in and figure out where all these different APIs exist, but also how do they map out, right, the interconnection points.
[00:10:23] And so, you know, what are the end points that they're actually communicating with and. With the different functions that are being used between all of them. You know, the structures, the data behind that. So, so going through that, I think that's also been an area of, of focus is you need to understand what APIs you actually are using.
[00:10:41] And, but you have to have the visibility beyond that to actually do the kind of the logical mapping of their usage across all the different components that they have out there, right? Now, now that's, that's a lot easier said in the statement than it is actually, right, being able to implement. And, and, and so one of the things that's actually kind of risen up to help with that is around the use [00:11:00] of API security gateways in essence.
[00:11:01] So think of it as a proxy, right? To get through. And what that does is it provides another level of security, right? Authentication of the identity of the API requests that are going through. I think that's important to think about and ensure that it's put in place to support again, additional layers of security when you're dealing with such the sprawl, such a vast attack surfaces you were just discussing relative to APIs
[00:11:23] Stan Wisseman: in general.
[00:11:25] Right. And again, that can give you that layer of governance, right? As far as you can also make it a policy kind of thing. So it's, it's a combination of, of. Visibility to have that awareness. And understanding what's being used and then testing to validate that there are no, you know, doors left open, et cetera.
[00:11:48] But I, but I think as you, you know, sort of like peel back the layers of API security and, and sort of get consensus on what's important. You know, I think many organizations find themselves kind of on their back foot, you know, they're, they're [00:12:00] kind of grappling. With this issue and how best to deal with the complexities of safeguarding APIs, I mean, and who owns it as a problem.
[00:12:10] I mean, many times I think there's this. You know, Venn diagram of who owns what within the context of the AppSec teams that are trying to secure the ultimately the application risk in the organization versus the developers. And it could be that the AppSec team doesn't necessarily have the skill sets to truly understand how best to take on this problem.
[00:12:33] And, and yet, You know, given tight budgets and and scarcity, scarcity of specialized knowledge like this it could be part of the the challenges of why people aren't investing as much as they should in this space. But I think you can leverage some of your existing tools out there to understand what's being exposed.
[00:12:54] I mean, I know in our case, you know, we have a dynamic scanner that can help with that discovery process. So if you're already [00:13:00] using that for web application vulnerability testing you can already take advantage of that for discovery as well as testing the APIs, including authentication type things.
[00:13:09] So you, you want to take you know, again, budgets may be tight, but take advantage of what you already have and, and perhaps in different use cases than what you previously had thought for to be able to help get visibility into this attack surface for APIs, as well as how to, to control it and, and put in place the measures you need to, because I just think it's going to be increasing significantly how the threat actors are going to leverage this.
[00:13:33] I mean, they know that. Organizations are not doing an adequate job of understanding what APIs are exposed. Much less secured. So it's just going to get worse. It'll get
[00:13:45] Rob Aragao: worse for sure. I mean, you know, think about it. We talk about these attack vectors that, you know, attack vectors through a compromised identity is one of the top points.
[00:13:53] API serves as an identity, right? To get into the application, to get into the data sets ultimately that they want. So for sure, [00:14:00] I see that as being just a continuous area of, you know, very much heavily targeted going forward. We we've seen it over the years, we've been talking the past several years. It's just going to get worse to your point for sure.
[00:14:11] Stan Wisseman: Yeah. So, so Rob, you know, I mean, I think as we mentioned, you know, you can't overlook this, this landscape. Right. And I think that the knowledge. Of what's being used in your inventory, as well as getting a clear view of the potential threats is key. And I think if you can take a proactive stance and an informed stance on API security, there's some great guidance out there now.
[00:14:37] Leverage what's available from OWASP as well as some other sources out there. I integrator approach. Of, of helping, you know, shield your organization from exploit through this, you know, set of windows or doors that are, are being opened up in your applications. And so you don't want those. Yeah. And I think, Stan, you
[00:14:58] Rob Aragao: know, your analogy is a great [00:15:00] one as it relates to, you know, kind of the small cottage versus that big digital estate.
[00:15:03] If you think about that, that's a great way to kind of paint the picture of, of what we're dealing with this API ecosystem. But we've called out, it's an area that is got a lot more attention to it now, which is great. But again, it's also one that does provide another easier path for the attacker to get in.
[00:15:19] So, you know, just working on understanding really what the different APIs are within your environment. Getting an understanding also of what the mappings are, as we discussed earlier. I think those are great starting points. And as you called out some of the additional kind of, capabilities to drive more, you know, understanding and awareness of just what's out there will help you overall.
[00:15:35] So good conversation. I know this is a sweet spot for you, Stan, around application security. And especially as you said, we haven't covered security in the past. I think it's definitely a hot topic. So good discussion overall, Stan.
[00:15:44] Stan Wisseman: Hey, thanks Rob.