Jayesh Ahire
Appearances
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Hello, listeners. Today, we are kicking off an amazing series for Cybersecurity Awareness Month, aka Halloween, entitled The Haunted House of APIs, sponsored by our friends at Traceable AI. In this series, we are building awareness around APIs, their security risks, and what you can do about it.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
So when we deal with early stage organizations, the problem is everybody is an engineer. There's no security when we are dealing with early stage companies. Everybody just wants to get things done. That's where we make a lot of mistakes when it comes to security. We take a lot of things for granted.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And I will say one of the things which we can do there is at least make sure the developers understand the security and making right choices.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
second thing to do that like to help them make the right choices just having any sass tool in place can be a good start it doesn't take much you can go with the open source sonar queue kind of a setup which will help you get started and that becomes the first entry point then second thing is having the right set of dash tool in place which
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Again, as I stated earlier, these things can produce false positives, but they can at least help you get started on your journey towards the better security posture. And as you mature, things become more complicated.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Now, instead of dealing with one API, which was running in your AWS account, like one EC2 instance, now we are dealing with thousands of APIs, a large Kubernetes cluster, maybe in multiple regions, and At a maturity stage, you want to get the inventory management in place where you know all of your APIs, what the problems are, how they are designed.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
You need controls on your design stage as well because you want to make sure that your API design adheres to some standard your organization has set. So that's different tools at different levels. But PI security testing plays a great role in the mature organizations for inventory management, for posture management, for security testing, for contextual security testing, for lack of better words.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
We are not just running things against the black box. But you're actually running the security testing with all the API context in place, all the understanding of an API in place. So that way you produce very pinpointed results, tell users what are the exact vulnerabilities, how to fix them, help them fix it.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And that way helps secure the organizations and at the end of the day helps secure the users of the organizations. Traceable does a pretty good job when it comes to securing things around your SDLC. When I say SDLC, specifically on API security, making sure you have the secure design in place, make sure you're running the API security testing continuously.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
At the same time, when things go into production, making sure we are blocking all the bots, frauds, the OAS, web top 10, API top 10 attacks, which are happening in live production deployment. But yeah, there are a bunch of great tools out there which can help you get started. When you're very early stage, go with something lightweight, open source like SonarQ, ZAP.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
But as you mature, keep looking for better tools. And that's something like Traceable can come handy, which can solve a lot of your concerns.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
that's one part other thing i also write poems in my mother tongue in english depending on the mood also published few books around it and so some technical ones i like to write as well i used to play guitar and piano but yeah reading writing poetry that's a jam for these days
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Josh, I appreciate you being on the show today. I feel like we were able to list the most common vulnerabilities and illustrate why it's critical that API security testing be done up front, how businesses, how organizations can create effective API testing and what sort of tools they can use.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And it's very obvious that Traceable is solving this problem for a large amount of companies and doing so well. So I really appreciate you being on the show today.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Thank you. I totally enjoyed being here and looking forward to doing it more oftenly.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And this concludes The Witch's Brew, Stirring Up OWASP Vulnerabilities in API Testing with Jayesh Ahire. Stay tuned for more episodes in our series, The Haunted House of APIs. And if you'd like to learn more about Traceable, go to traceable.ai. That's traceable.ai. And thanks again for listening.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
That gives a picture of a well-rounded individual, and I appreciate you sharing all that. Let's dive into it then. So we're talking about OWASP vulnerabilities and API testing. Diving into the witch's brew, we're calling it. What are some of the most common vulnerabilities in APIs that align with the OWASP top 10? And tell me why they're so dangerous.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
When we talk about APIs, right? One of the things which is prominent these days is every single thing we are building, like every single product, every single software, every single app is running on APIs. And that's where we talk about vulnerabilities. The impact also increases because everything is an API at the end of the day.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And that's why I categorize these vulnerabilities or even dangers into three broad categories. One is the access control. We are building these APIs, but sometimes you just left the door open. And that door can be exploited by attackers to get the information. In access control, there are vulnerabilities like BOLAs.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Nowadays, in the new OWASP API top 10, we have BOPLA, which is Broken Object Properties Authorization. Then there's always BAFLA, which is Broken Function Level Authorization. Not to just throw some terms, but essentially when the API was built, the authentication authorization was not configured properly. And that's where somebody else can get access to somebody else's information.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Which is, again, problematic when literally we are dealing with banks, dealing with health care, where all of the information is pretty sensitive and pretty critical. But access control part is the most prominent one and most exploited one we have seen in the last few years at the very least. It's first in OWASP API doctrine. The second part of that is data privacy.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Traceable AI is building one platform to secure every API so you can discover, protect, and test all your APIs with contextual security, enabling organizations to minimize risk and maximize the value APIs bring to their customers. Our episode for today is entitled The Witch's Brew, Stirring Up OWASP Vulnerabilities in API Testing.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
That's where the excessive data exposure comes into picture, where we are actually showing the information in plain text or in responses or in places in the UI where it shouldn't be there. We have seen a bunch of news articles coming around this part where the social security numbers of thousands of people leaked or millions of people leaked at bad points.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And all of that is due to that information already being exposed in place or in response where it shouldn't be. Because everything, as I said earlier, everything is driven around data and data is gold so it becomes critical for these applications for the services for the softwares to actually secure it properly and as everything is exposed via api it comes to the api layer again
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Third part, and I'll talk about this in the later sections more on, but the third part is inventory management. It's all building a lot of APIs just days, but sometimes we don't even know what we have built over the period. There are a lot of APIs which were retired, but still being used, still publicly accessible.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Payment gateways, you're using validation platforms and you're actually sending the sensitive information to those platforms and making sure like what you're sending, what you're what you should be sending, what you should not be sending, and having proper filters for that. That also becomes pretty critical when we are dealing with the huge number of APIs we are dealing with these days.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
So actually knowing what you have and making sure to act every single action or every single thing which is being performed with the APIs you have and the issues with those APIs is also a very critical thing. When I talk about all of these three categories, everything is part of OWASP API Doctrine.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Sure. All that makes sense. And I hear what you're saying. We're sitting in a world where everything is built on top of APIs, and that makes API testing in general critical. But why is API security testing crucial for detecting these types of vulnerabilities that you just mentioned early? And how does it differ from traditional security testing?
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
I could probably extract a couple of things from a few things you pointed out, but I'm curious to hear what you have to say holistically.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
When we talk about security testing, traditionally, we talk about SaaS, DAS, IaaS to some extent, right? SAS being the static application security testing, DAS being dynamic application security testing. First thing, SAS, when we talk about SAS, it's purely looking at your code and trying to find what is wrong. And when you look at just a code, it doesn't have any context.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
It's just lines and lines of code. You're going through it. You're going through some function and seeing... Maybe this is too wide open. Maybe this library is old. Maybe there's some problem with this specific. There's no dynamicity in it. And that's where the DAST comes into picture. But traditionally, DAST has always been more of a black box.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
It's somebody sitting outside your system and trying to make an attack.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
when that somebody is sitting outside your system they definitely don't understand your application well and that's where the false positives in the dash comes into picture but looking at the api specifically all of these tools like all of the traditional security testing tools operate at the application level the api interactions are pretty different when we talk about api specifically there's a lot to digest which is let's say you have thousand apis and most of these apis are
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
each other most of these apis are talking to third parties and when all of these interactions are going on the attack surface you have becomes very large and at the same time the amount of knowledge somebody might need to go and exploit the application is not something which you can replicate with it needs way more context it needs way more insight into the business logic of the application
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
We'll be talking with Jayesh Ahire, an expert in API testing and OWASP, who will guide us through the brew of common vulnerabilities that haunt API ecosystems. He'll share how organizations can use API security testing to spot and neutralize these vulnerabilities before they become major exploits.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And that's where the API security testing part comes into picture because with API security testing specifically, you're dealing with the APIs first of all. And you're making sure that all of these different interactions you're talking about, all of these dependencies, you're talking about the third parties. So we are replicating the business logic abuse at its truest sense.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Let's say, talking about something around payment gateways. So if you're sending the sensitive information about your user to the payment gateway, and that's excessive data exposure, that can only be caused at the APLF and DAS tools picking up on it or SaaS tools picking is pretty hard by definition.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Then another part is everything is evolving with all the things in place now with LLMs, with chat GPT, with even traditionally the cloud native development practices. Your applications are evolving so quickly that for traditional security testing tools to keep up with the
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
whole pace is pretty hard learning the context is pretty hard so that's where the contextual security testing on apis comes into picture and that's where i feel the api security testing becomes a better alternative to traditional tools when it comes to dealing with complexity which api brings into the whole conversation at the same time the continuous evolution we are seeing around the development cycles
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Certainly. OK, that clarifies that for me. And, you know, how important, right, the testing portion of it is. And I imagine that, you know, when you don't get the testing right, finding a vulnerability after the fact can can lead to a significant problem. Can you share an example of how maybe one of these overlooked vulnerabilities led to a significant security breach?
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Without naming the companies, I was in Australia back in 2022 and met CISOs of one of the major telecoms there. One thing, they went to the breach pretty recently at that time, and the breach was more leaking sensitive information, including passport details, phone numbers, addresses, a bunch of other things for millions of their users.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
When we went through how it happened, the reason was they had one of these APIs which were publicly available. But that API was supposed to be retired way back. So they developed a newer version which had better security gates in place, which had better standards in place, which had weight limiting in place. They released it. It was still, again, it was accessible to everybody.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
But at the same time, the older version, which they were supposed to retire, they didn't. And attacker exploited the exact old version to get all of the information for millions of their users. That was painful to watch.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And that's where the third category, which I mentioned, which is inventory management, comes into picture, where somebody actually exploited an older API, older version of the API, which was accessible even after it was supposed to be retired a long time back. There's also a telecom provider in the US, which also had a very similar incident.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
By focusing on proactive security measures, Jayesh will offer insights into creating a strong API testing framework that keeps malicious actors at bay. Jayesh, thank you for being on the show today.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
And that was more around the web interfaces, which were in the play. And the APIs, the older APIs, again, which had weak authentication in place, were still publicly accessible, publicly available. Then Facebook went to something pretty similar back in 2018, where access tokens for 50 million user accounts are leaked purely because of the flaw in the business logic workflow.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
and the authentication they had on those APIs was weak. Somebody found the vulnerability, exploited, and that resulted into the leak of 50 million user, 50 million access tokens for 50 million user accounts. When we talk about all of these things, you'll see that most of the issues or most of the exploits which happen because of very small issues.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
When you look at these things afterwards, you feel like this was a silly mistake. But those small mistakes can result into a huge impact. like reputational impact, monitoring on organizations. Some of these things could have been easily avoided by having the right set of standards in place, having the right set of security testing in place.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
But as the processes go, we always learn our lessons when we get impacted and then we start putting right things in place.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
That's millions and millions of users. It's easy to see how important this testing is and how important it is to catch these vulnerabilities ahead of time. Now, I'm curious, from your perspective, how can organizations create an effective API testing framework that addresses these types of vulnerabilities?
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
One of the things which is very prominent and very important when it comes to this is having everything part of your development lifecycle. So if testing is part of your development lifecycle, it saves a lot of pain, it saves a lot of money because...
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
There's a study which says that a defect which is fixed before things go into production can save you 100 times the cost of fixing that in production. To save that money is just one part of it, but to save yourself and your organization from the impact of
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
some of these things, having everything native to your development lifecycle and making sure that you catch these things very early in the development lifecycle improves reliability, improves the security by a large extent. But when we talk about framework or the pipeline, how can we get there? A few things I'll point out are
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Glad to be here. Really excited to jump into OWASP vulnerabilities and API testing, the witch's brew. Before we jump into that, though, tell me a little bit, and my audience, tell me and my audience a little bit about you.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Make sure you have the whole SAST, DAST tooling in place along with your container scanning, ISEs. When we talk about APIs broadly or development life cycles broadly, there are three stages before it goes to distribution. Design, develop, deploy, and then last phase is distribution, which is running it in production, making sure it's publicly accessible.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
When we talk about design, develop, deploy, and distribute, first three things, design, develop, and deploy has a lot of nuances in it. I will say very first thing is security is always an afterthought. And to address that problem, make sure that when you design your APIs, you consider all of the security practices into that design.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Let's say you're building an API, make sure it has the strongest authentication in place. Make sure it is not susceptible to
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
the bolas and baflas of the world make sure it is not exposing any sensitive information to public so having all of these considerations while you design the apis saves a lot of pain then as you go forward there's a development phase and then development phase while you are building the apis enabling your development teams think security first definitely helps and that's where having the right queues in place when they are pushing things when they are creating the builds
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Testing those builds with various tools, having the SaaS tools in place gives them a path towards a better and secure development. Then when you deploy and create the containers, you actually create this infrastructure as code pipelines, the Terraform server.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
having the security layer there as well helps you with another gate so all of these gates coming together relatively help you create a secure system overall and the security testing plays a great role when it comes to level between develop and deploy
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
So before you go and distribute it to production, you actually should run automated security testing, which will catch things like OWASP API top 10s, any of the PCI DSS vulnerabilities, anything that can help you or your organization to meet the compliance standards, as well as make sure you have a better security posture overall.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Yeah, I'm Jaish. I run product management here at Traceable. Been here for almost five years now, playing to the API security world. Before this, I was running my own venture in machine learning, cloud ops, DevOps. I read a lot. Since last few years, I have been doing 100 books a year. It's been interesting going through the list and reading around a lot of different things.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
All of those vulnerabilities should be continuously and automatically running on your staging environment If any of those vulnerabilities are found, we should be able to mitigate them before things go into production. That framework helps us to visualize and propagate it to our customers as well.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
I think that lays out a great foundation of how organizations can approach that, especially the mindset point that you called out, where people are taking cues and really thinking differently about how they're going about doing their testing and making sure the APIs don't have those vulnerabilities. I'm curious about what sort of tools and methods that you would recommend.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
Obviously, you know this space quite a bit. So what tools or methods would you recommend for continuously testing APIs and ensuring they remain secure as they evolve? And I think you may have touched on a couple there in your last answer, but I'm curious of what you would say.
Code Story
The Haunted House of APIs - The Witch’s Brew with Jayesh Ahire
It categorizes organizations into two types. One is organizations which are very early, just got started trying to get things out of the door and at least start building something. And the second, the series B, series C, post that enterprises which are mature, which are trying to build rigid pipelines, making sure everything goes as expected and as smoothly as possible.