Katie Paxton-Fear
Code Story
The Haunted House of APIs - The Dark Corners of APIs with Katie Paxton-Fear
I've found vulnerabilities in companies all over the world that you've definitely heard of that I can't talk about because I've got an NDA, but there are certainly companies there. I have been to like tons of live hacking events. So that's where companies fly out some of the best hackers in the world just to focus on their software.
And I work at a company called Traceable that sells an API security solution. And I work in technical marketing, which means I write technical content. I get to be a professional API security influencer, which doesn't sound like it's a real job title, but I promise.
I'm a huge crafter. I spend so long on the computer. I work so much and I'm a very creative person. And I'm very creative. I love making stuff. I love being able to build something. I was a software engineer before I went into cybersecurity and became more of a breaker than a builder.
But I always felt with working so much on a computer that it's so digital, it's so intangible that I wasn't feeling that fulfilled by it. So when I was at university, I decided to get a hobby that had absolutely nothing to do with computers. So I learned how to knit. I knit, I crochet, I sew, I do embroidery because this is an audio podcast.
You can't see it, but behind me, I have a giant Cthulhu that I crocheted in my office that I use as office decor.
Yeah, I think it's very easy to, you know, you don't get the same reward when you deploy code as you do when you physically can see something that's taken 30 hours of your life to produce and you can touch it and you can interact with it. It's why I think security people love lockpicking. Like everybody's hobby is lockpicking because we crave the material.
For people unaware, an API is just a piece of software that isn't designed for humans to consume. It's actually designed for other pieces of software to consume the results of. So it means that APIs are mainly used in integrated things. So you want to connect your Facebook up to your, I don't know, smart home. That's an API.
If you have a mobile app that you want to share the same code base as a desktop app, you're going to use an API. APIs are so ubiquitous and they're such like an everyday thing. We could probably name one that you've used today. If you have a smart home, you use APIs.
If you have an app on your phone, it's an API. Everything is APIs now. Because everything is APIs and everything is interconnected, they just get forgotten. Eventually all knowledge dies out, especially in technology: when we've got the next big thing happening, what happens to the old next big thing? Everybody has jumped on AI and replacing everything with ChatGPT.
But what is going to happen to everything else? The answer is the last developer who worked on it leaves the company and the company has no idea this API exists. The only record of this API ever existing was in the developer's head. Now that they're gone, they have no idea. And this creates such a massive security hole because maybe that API is written really well.
Maybe they were on the ball and that API is going to work for years. More likely, though, it's going to be insecure and it's going to be the way that a bad guy gets in and actually manages to exploit the API. A lot of the time we hear things like shadow APIs, rogue APIs. We've even got threat actors publishing their own APIs now. So we've got evil APIs and just APIs that are undocumented.
There's very much a... While developers are trying to solve their regular technical debt, we've just added an extra layer on here for something else entirely.
First of all, is just how common they are. And the second thing is usually the amount of autonomy developers have. Developers can often produce whatever they need to get their job done. They don't have any guidelines. They don't necessarily have really strict ways of doing things. They work fairly autonomously. So if they need a new API, they'll just make it and put it up. So it's convenient.
Or potentially they make an API that they use for one project or they think they might use in the future. And then it never actually ends up being used as part of the main production hardware. There's a lot of different ways that these APIs get created. My favorite is one that I did when I was a developer. I installed a piece of software onto our server. And we never ended up using the software.
We never ended up buying it. The API is still out there to this day. I checked like last year and I left the company four years ago, more than six years ago. Six years ago, I left that company and the API is still up. It just gets forgotten.
A company has so many assets to worry about and developers have so much autonomy that they don't need to document everything they produce during their workday, because that would be a crazy amount of work. And so you have this situation where you've got these APIs that are just created for the sake of convenience, that they might be useful later, and they just end up never really getting decommissioned, deleted, or even disconnected from, like, a database.
So these APIs get exploited all the time. And honestly, it's because it's quite easy. If you don't even know something exists, how on earth are you supposed to secure it? You can talk about things like secure coding, secure software development life cycles, security vulnerabilities in general. But if you don't even know an API exists, how on earth are you supposed to protect it at all?
You don't know what you don't know. And when it comes to security, that is what will get you breached. Certainly, if we think about today as we're recording it, people have done an investigation into the Internet Archive attack from a few weeks ago and found there were just credentials on GitHub that were just valid that nobody had deleted. The problem is that they were up for decades as well.
I think it was up for like 10 years before anybody even noticed. So certainly, if we think about the kind of trend of people leaving companies, most people leave the company after maybe two to three years. Eventually, there'll be nobody left that knows that API exists. And the bad guys are highly motivated to find out it does exist because for them, that is a payday.
That is a way in, not even a backdoor, right? It is just a nice entryway, inviting one in to come and attack you.
I always feel bad for the defenders when I have this conversation with them, because as an attacker, my job is quite easy compared to that, because that is not an easy thing to do. Obviously, you can buy API security solutions like Traceable that have this as part of it, and that can be a great option.
But if you don't have the budget, you don't have the maturity to deal with it, that is where it is really hard. Some advice I've given some of the companies I've worked with has been: run an inventory.
If you can, try and get as much information as you can, whether that is digging through GitHub commit history, digging through what files are on servers, what cloud environments are running and what they're all running and what you have available, what pods are up, or by just asking a developer, "Hey, do you know what APIs we have?" That is a huge first step in taming this beast.
But it's not easy. You can use, there are some really great word lists that you can use like with fuzzing tools. There's the only API word list you will ever need that uses like a lot of historical data from different APIs that they've audited and sharing their knowledge.
Some of the other things you can do is have something like, if you have API management tools, things like Kong or MuleSoft, they can be really great ways of finding APIs. But honestly, if we had a bulletproof solution to that, you would be a millionaire.
Companies like Traceable do a lot there in trying to, again, bring in that intelligence side of things, have continuous monitoring, look for APIs in weird places. But you are simply not going to get them all. And what you need when that happens is a plan on how you're going to react when that inevitably happens.
Thank you so much for having me. It's a pleasure to be here.
So some of the most common kind of mistakes that I see are essentially not having a process for decommissioning things. If your process for decommissioning things is switch off, like you are not going to catch everything. You need a way to track what developers have deployed over time, where it's deployed, how it's deployed, and then you can properly decommission it when developers leave.
The other common mistake I see people make is having a really terrible relationship between development teams and security teams. A lot of people will have a weird adversarial relationship with their security team. And the security team is seen as an annoying, really frustrating team to have to deal with rather than it being a partnership.
And when you have that kind of relationship, it's really hard to bring it back. Some of the other common things is simply having no API security tools at all. I'm not even talking just you have free tools, you have nothing. You maybe don't even prioritize API security. That's another common one I see. There's no API incident response plan. There's no API management tools in place.
There's no process for deploying APIs. There's no API inventory in place. That is a really common thing that organizations will fall on. It's really easy to buy a tool that can scan your code and find every vulnerability. That's really tempting. Of course it's tempting. That sounds really easy. In reality, though, security is never quite that easy.
Though there are tools out there that can make it easier and highlighting what you actually need help with, what will make things easier, and then actually implementing that process and certainly having an API incident response plan. Because at the end of the day, these shadow APIs, unknown APIs, undocumented APIs, all of them, they're going to get attacked eventually.
If you start panicking like a headless chicken when something goes wrong, and you don't, you can't go into that focused incident response mode, you're just panicking and just, "What's happening?" Like, you will lose control of the situation very quickly.
Hi, my name is Katie. I'm also known by my handle InsiderPhD. I am a cybersecurity YouTuber, a lecturer and an API hacker. I find the vulnerabilities in APIs before the bad guys do. And then I go on YouTube and teach other people how to do the same thing.
No, I'm really happy to spread the good word about not getting breached by your APIs.