How APIs Expose Business Logic Flaws with Chuck Herrin
Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it needs to be headed.
[00:00] Bringing a background in finance into the cybersecurity API world
[05:25] "Hacking" a bank’s API using business logic instead of hacking
[12:17] Implementing standard API protocols and processes
[14:27] Flipping the API language and preparing injection threats
[19:03] Evolving defenses overtime to meet both new needs and new risks
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
What does your current role look like and how does it relate to API security?
Chuck began his career in tech and security in the banking industry, and felt particularly concerned over time with the lack of security around APIs and related technology. Now, with his CTO position at Wib, Chuck works with Wib to focus on providing continuous visibility into API attack surfaces. Outside of just the newness and the tech of APId, Chuck explains that there are critical infrastructure and national security ramifications for API security.
“The basic premise is: If you could do it differently, knowing what you know now, what would you build in an API security platform? What I'm bringing to the table is 20 years as a defender in US financial services, where I know what we need from a governance perspective.”
Akamai recently ran a study of internet traffic. What were their findings about APIs?
As someone well researched in his work with APIs, Chuck pays close attention to recent studies, like one from Akamai, that recently claims 91% of their global internet traffic is API traffic. Chuck explains that this is a huge development in the popularity and impact of APIs on global security, especially when relating it to a separate study that estimates 50% of APIs are actually unmanaged. Although this stat seems shocking, many in the industry believe even that estimate is low, and the issue might be even worse than studies are showing.
“91% of the traffic that Akamai handles is API traffic. So, 91% of global internet traffic is API traffic. Another stat which is a little harder to prove estimates that roughly 50% of API's are completely unmanaged.”
You actually performed a hack live on an API, but it wasn't even a hack at all. Can you tell me that story?
At the most recent Black Hat, Chuck dissected and presented a few case studies, one of which was a bank’s API, hacked using a logic-based attack. Using the errors in business logic present within the banking API, Chuck’s team was able to bypass the front-end system and transfer fees, managing to convert money into more valuable currency over and over again. The wildest part, to both Chuck and to presentation attendees, was that this didn’t require tech hacking, it only required exploiting business logic.
“We didn't tear apart the mobile app and find the stored credentials, the API keys, which are probably in there. We didn't crack any passwords. We just abused the logic, and it responded in the way it was designed and here we are.”
If we can’t anticipate every possible business logic flaw or abuse case, how can we reduce the impact and blast radius of API threats?
Reducing the impact of API security threats feels daunting, but Chuck explains that security has to go back to the basics in order to identify and acknowledge what has to change over time. You can't protect what you can't see and our teams have to evolve over time to defend against the changing attackers we might end up facing with APIs. When push comes to shove, Chuck firmly believes in having a defense strongly informed by the offenses and threats around you.
“This was cloud security 10 years ago, and it's API security today, right? History doesn't repeat, but it rhymes. It's the same basics and same fundamentals. Now, you need to change tooling. The attackers evolve over time, and your defenses have to evolve over time.”