Treacherous 12 Part 3: Insecure APIs


Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> Treacherous 12, number 3, insecure Application Programming Interfaces, also known as APIs. In this lesson, we want to talk about the risk of insecure APIs, the impact that insecure APIs can have in a Cloud environment, and different techniques and controls to reduce the risk of insecure APIs in the Cloud.

Insecure APIs can have a huge impact. A data breach that affected the IRS in 2015 resulted in 300,000 individual records being exposed because of a vulnerable API.

We've talked about APIs before in domain 4. APIs are leveraged heavily in Cloud applications for transporting data from the user to the API, or customers using APIs to access applications. We also talked about APIs in terms of infrastructure and platform as a service, because APIs are often leveraged to orchestrate Cloud services.

The impact of insecure APIs can't be understated. As that IRS breach demonstrates, they can be widespread and affect people. Denial-of-service attacks can be launched through API vulnerabilities, compromising an application's availability, and the integrity and confidentiality of information that traverses the API can also be compromised if it is not properly configured.

There are a number of important controls to consider when trying to secure APIs in the Cloud. First and foremost, testing. There is no organization that officially certifies and validates the security of APIs, so it's up to any organization that's operating in the Cloud and using APIs to do their own security testing of the API.

Also, it's often common that developers want to leverage third-party APIs or open-source APIs. This creates a security challenge for organizations, because they really should create a list of approved APIs that come from trusted sources and that have been tested and validated.

Another area where organizations get opened up to the risk of insecure APIs is through third parties. When leveraging another application in the Cloud environment, which is common, you don't have visibility into the APIs that that application may be utilizing. Those APIs from that third party may not be on your approved list. You can address those risks by bringing up the fact, trying to get the application company to disclose the APIs that they use in their application, to see whether they meet your standards. Doing this kind of due diligence can help you avoid the risks associated with APIs when evaluating vendors and other third parties.

Quiz question. How many records were exposed in the 2015 IRS breach because of a vulnerable API? Was it (1) 4 million, (2) 900,000, or (3) 300,000?

If you said 300,000, you're correct. Although there have been breaches where millions of records are exposed, the IRS breach was 300,000.

In summary, we talked about the potential impact of insecure APIs in Cloud environments. We also talked about a number of different controls that can be implemented to address insecure APIs: organizations really need to do their own API security testing, create a list of trusted APIs and trusted sources for APIs, and then do appropriate due diligence when using applications in the Cloud to ensure that the APIs that that application leverages are trustworthy.

More treachery to come, see you in the next lesson.