{"id":18505,"date":"2024-03-21T19:25:28","date_gmt":"2024-03-21T19:25:28","guid":{"rendered":"https:\/\/staging2022.42crunch.com\/?p=18505"},"modified":"2024-03-25T17:36:19","modified_gmt":"2024-03-25T17:36:19","slug":"so-your-api-has-been-breached-now-what","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/so-your-api-has-been-breached-now-what\/","title":{"rendered":"So, your API has been Breached,  Now What?"},"content":{"rendered":"<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Last week I had the privilege of presenting some real-world API security case studies at the annual <\/span><a href=\"https:\/\/nordicapis.com\/speakers\/axel-grosse\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">API Summit in Austin<\/span><\/a><span style=\"font-weight: 400;\">, Texas. On foot of several requests, I have summarized in this post some of the key steps an enterprise should undertake, once they discover that their API has been compromised. <img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-18507 alignright\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/03\/OMG_Popart_worried-CISO.jpg\" alt=\"\" width=\"700\" height=\"400\" srcset=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/03\/OMG_Popart_worried-CISO.jpg 700w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/03\/OMG_Popart_worried-CISO-300x171.jpg 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/span><\/p>\n<p style=\"font-weight: 400;\"><b>Dissecting the API Security Problem<\/b><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The root cause of many API security breaches has been a common misconception made by security teams that<\/span><span style=\"font-weight: 400;\"> existing investments in Web application firewalls and Static and Dynamic application testing solutions mean that their APIs are protected. Wrong! <\/span><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/42crunch.com\/wp-content\/uploads\/2024\/02\/42c-versus-waap-data-sheet-New-design.pdf\"><span style=\"font-weight: 400;\">traditional web application firewall<\/span><\/a><span style=\"font-weight: 400;\"> (WAF) and <\/span><a href=\"https:\/\/thenewstack.io\/application-security-tools-are-not-up-to-the-job-of-api-security\/\"><span style=\"font-weight: 400;\">security code testing solutions<\/span><\/a><span style=\"font-weight: 400;\"> are not up to the task of finding the API vulnerabilities:\u00a0<\/span><\/p>\n<ul style=\"font-weight: 400;\">\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">APIs require contextual awareness for effective detection and blocking, something that legacy WAFs are unable to deliver.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SAST tools are designed to work with web applications constructed as for example Java Servlet HttpRequest.Bodypages or .Net ASP pages.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Most DAST tools can\u2019t provide an intelligent assessment of API security without a deeper understanding of the API endpoints.<\/span><\/li>\n<\/ul>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">APIs must not be treated like applications and are subject to a different range of attacks and vulnerabilities as identified by the <\/span><a href=\"https:\/\/42crunch.com\/owasp-api-security-top-10\/\"><span style=\"font-weight: 400;\">OWASP API Top 10<\/span><\/a><span style=\"font-weight: 400;\">. Many of the breaches I examined were attributable to one of these Top 10 attacks, and many others besides. You can learn more about the minutiae of some of the <a href=\"https:\/\/42crunch.com\/webinar-top-things-you-need-to-know-about-api-security\/\" target=\"_blank\" rel=\"noopener\">more common OWASP API security risks<\/a> in this <\/span><span style=\"font-weight: 400;\">recent webinar <\/span><span style=\"font-weight: 400;\">from 42Crunch. So an important starting point is to dissect what particular vulnerabilities you have been exposed to, in order that you can remediate against them.<\/span><\/p>\n<p style=\"font-weight: 400;\"><b>OpenAPI Specification &#8211; Declare, Test and Scan<\/b><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The fastest route to identifying the faults usually lies by consulting with the development team that built the API in order to analyze the associated OpenAPI Specification (OAS) or Swagger file that defines how the API should operate. Leveraging the declarative nature of the OAS file in combination with 42Crunch\u2019s API-specific testing tools (API Audit &#8211; static testing of the API and API Scan &#8211; dynamic testing of the API) you can quickly assess the Data Validation and Security Conformance of the vulnerable API.\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><b>Proof and Implement<\/b><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Given that a standard WAF still isn\u2019t optimized to protect APIs, 42Crunch developed <a href=\"https:\/\/staging2022.42crunch.com\/micro-api-firewall-protection\/\">API Protect<\/a>, a purpose-built API micro-firewall that enforces in real-time the API security policy to protect your APIs. API Protect complements the testing tools from 42Crunch and can be used as part of the testing process to prove that changes implemented at design and development time will be effective prior to deployment.\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Once you have shored up the API by attaining a sufficiently high \u201csecurity score\u201d in the testing process, it is vital to ensure that the runtime implementation of your application retains that protection. API Protect is deployed from <\/span><span style=\"font-weight: 400;\">within the CI\/CD pipeline and will automatically reconfigure every time updates are made to your spec. This gives peace of mind to security teams knowing that as the API specifications and security policies evolve over time, the underlying APIs and web applications will remain protected.<\/span><\/p>\n<p style=\"font-weight: 400;\"><b>Conclusion<\/b><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It is important to appreciate that <\/span><span style=\"font-weight: 400;\">an immediate plan of action must be implemented to ensure business continuity and that in parallel, a longer-term strategy should be adopted to prevent a recurrence of the damage and to protect the company\u2019s overall API estate. <\/span><span style=\"font-weight: 400;\">42Crunch has many demonstrable cases of intervening to generate immediate results but also is trusted by enterprises to implement a long-term API Security strategy.\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><b>Key learning points<\/b><\/p>\n<ul style=\"font-weight: 400;\">\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Inadequate traditional security measures:<\/b><span style=\"font-weight: 400;\"> Existing Web Application Firewalls (WAF) and application SAST and DAST tools are failing to counter specific API-related threat vectors. Legacy security measures will fail to detect vulnerabilities as they are not tailored for the application&#8217;s API-driven architecture.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>API attack requires an API-specific security solution:<\/b><span style=\"font-weight: 400;\"> An API-specific micro-firewall provides a tailored solution to protect against API-specific threats at runtime.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Do not sacrifice security over user experience:<\/b><span style=\"font-weight: 400;\"> Such an approach leaves applications exposed to deeper intrusions long before any breaches are detected.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Automate and future-proof:<\/b><span style=\"font-weight: 400;\"> The solution implemented must allow for ongoing automated improvements. The sheer volume of APIs in a digital enterprise requires a solution capable of automating protection to scale security without the constant need for manual intervention.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Foster wider collaboration:<\/b><span style=\"font-weight: 400;\"> The solution should not only address immediate vulnerabilities but also lay the groundwork for a security-focused development culture.<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/42crunch.com\/freemium\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18520\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/03\/Freemium-CTA.png\" alt=\"\" width=\"1904\" height=\"642\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week I had the privilege of presenting some real-world API security case studies at the annual API Summit in Austin, Texas. On foot of several requests, I have summarized in this post some of the key steps an enterprise should undertake, once they discover that their API has been compromised. Dissecting the API Security [&hellip;]<\/p>\n","protected":false},"author":18,"featured_media":18511,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"Key steps an enterprise should undertake, once they discover that their API has been compromised.","_seopress_titles_desc":"I have summarized in this post some of the key steps an enterprise should undertake, once they discover that their API has been compromised or breached. This includes an immediate plan of action and a longer-term strategy.","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"disabled","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18505"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=18505"}],"version-history":[{"count":2,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18505\/revisions"}],"predecessor-version":[{"id":18527,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18505\/revisions\/18527"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/18511"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=18505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=18505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=18505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}