Code Story

The Haunted House of APIs - The Dark Corners of APIs with Katie Paxton-Fear

Wed, 23 Oct 2024

Description

The Haunted House of APIs

Today, we are releasing another episode for Cybersecurity Awareness Month, in our series entitled The Haunted House of APIs, sponsored by our friends at Traceable AI. In this series, we are building awareness around APIs, their security risks, and what you can do about it. Traceable AI is building one platform to secure every API, so you can discover, protect, and test all your APIs with contextual API security, enabling organizations to minimize risk and maximize the value APIs bring to their customers.

The Dark Corners of APIs: Uncovering Unknown APIs Lurking in the Shadows

Our episode today is titled The Dark Corners of APIs: Uncovering Unknown APIs Lurking in the Shadows, where we speak with Katie Paxton-Fear. APIs are the gateway to your digital infrastructure, but hidden deep in the recesses of your system are unknown APIs: shadow, rogue, zombie, and undocumented APIs. Each of these presents a unique threat to your organization and can be exploited by hackers.

Katie is an API hacker and researcher, and today she will take us on a journey through the API graveyards, where hidden APIs lurk, waiting to be exploited, sharing real-life examples of how these APIs have been attacked, and best practices for ensuring they don't become your company's next security nightmare.

Discussion questions:

- Can you explain what we mean by "unknown APIs" and the different types, like shadow, rogue, zombie, and undocumented?
- Why do these APIs often go unnoticed, and how do they become security risks?
- What makes these APIs such an attractive target for attackers, and can you share an example of how one has been exploited?
- How can organizations begin to uncover these hidden APIs, and what tools or strategies are effective in doing so?
- In your experience, what are some common mistakes organizations make that lead to these unknown APIs being created or overlooked?

Sponsors: Traceable

Links:

- https://www.traceable.ai/
- https://www.linkedin.com/in/katiepf/
- https://insiderphd.dev/
- Katie's YouTube Channel

Our Sponsors: Check out Vanta and use my code CODESTORY for a great deal: https://www.vanta.com

Transcription

1.82 - 20.965 Noah Labhart

Hello, listeners. Today, we are releasing another episode for Cybersecurity Awareness Month as part of our series, The Haunted House of APIs, sponsored by our friends, Traceable. In this series, we are building awareness around APIs, their security risks, and what you can do about it.

21.605 - 47.193 Noah Labhart

Traceable AI is building one platform to secure every API so you can discover, protect, and test all your APIs with contextual security, enabling organizations to minimize risk and maximize the value APIs bring to their customers. Our episode today is titled The Dark Corners of APIs, Uncovering Unknown APIs Lurking in the Shadows, where we speak with Katie Paxton-Fear.

47.853 - 62.403 Noah Labhart

APIs are the gateway to your digital infrastructure, but hidden deep in the recesses of your system are unknown APIs. Shadow, rogue, zombie, and undocumented, each of these present a unique threat to your organization and can be exploited by hackers.

63.183 - 78.719 Noah Labhart

Katie is an API hacker and researcher, and today she will take us on a journey through the API graveyard, sharing best practices for ensuring that they don't become your company's next security nightmare. Katie, thank you for being on the show today.

79.104 - 81.285 Katie Paxton-Fear

Thank you so much for having me. It's a pleasure to be here.

81.566 - 95.915 Noah Labhart

Before we jump into our topic today, which is the dark corners of APIs, uncovering unknown APIs lurking in the shadows. Super ominous. It gives me chills talking about it. Tell me a little bit about yourself. Tell me and my audience a little bit about you.

96.772 - 115.5 Katie Paxton-Fear

Hi, my name is Katie. I'm also known by my handle InsiderPhD. I am a cybersecurity YouTuber, a lecturer, and an API hacker. I find the vulnerabilities in APIs before the bad guys do. And then I go on YouTube and teach other people how to do the same thing.

116.42 - 139.312 Katie Paxton-Fear

I've found vulnerabilities in companies all over the world that you've definitely heard of that I can't talk about because I've got an NDA, but there are certainly companies there. I have been to like tons of live hacking events. So that's where companies fly out some of the best hackers in the world just to focus on their software.

139.852 - 156.176 Katie Paxton-Fear

And I work at a company called Traceable that sells an API security solution. And I work in technical marketing, which means I write technical content. I get to be a professional API security influencer, which doesn't sound like it's a real job title, but I promise.

157.536 - 165.88 Noah Labhart

Sounds like a really fun job title. And I may have just extracted this from what you said about your YouTube channel and things, but what do you do for fun?

166.5 - 166.801 Katie Paxton-Fear

Knit.

167.721 - 169.342 Noah Labhart

Okay, I didn't extract that. Tell me about that.

169.482 - 185.449 Katie Paxton-Fear

I'm a huge crafter. I spend so long on the computer. I work so much and I'm a very creative person. And I'm very creative. I love making stuff. I love being able to build something. I was a software engineer before I went into cybersecurity and became more of a breaker than a builder.

186.289 - 211.15 Katie Paxton-Fear

But I always felt with working so much on a computer that it's so digital, it's so intangible that I wasn't feeling that fulfilled by it. So when I was at university, I decided to get a hobby that had absolutely nothing to do with computers. So I learned how to knit. I knit, I crochet, I sew, I do embroidery because this is an audio podcast.

211.89 - 219.073 Katie Paxton-Fear

You can't see it, but behind me, I have a giant Cthulhu that I crocheted in my office that I use as office decor.

219.653 - 231.438 Noah Labhart

That's amazing. I have to say kudos on your pursuit of analog activities. They are so important to have a balanced approach there. You spend most of your day in the digital world. So kudos on that.

231.826 - 256.816 Katie Paxton-Fear

Yeah, I think it's very easy to, you know, you don't get the same reward when you deploy code as you do when you physically can see something that's taken 30 hours of your life to produce and you can touch it and you can interact with it. It's why I think security people love lockpicking. Like everybody's hobby is lockpicking because we crave the material.

257.156 - 279.684 Noah Labhart

No doubt. No doubt. Couldn't agree with that more. Well, let's dive into it then. So let's start uncovering some unknown APIs. Before we even go further, can you explain, you know, as we say that, what do we mean when we say unknown APIs? And, you know, there's obviously some different types there, right? Like some words you use like shadow, rogue, zombie, and undocumented APIs.

283.524 - 306.015 Katie Paxton-Fear

For people unaware, an API is just a piece of software that isn't designed for humans to consume. It's actually designed for other pieces of software to consume the results of. So it means that APIs are mainly used in integrated things. So you want to connect your Facebook up to your, I don't know, smart home. That's an API.

306.515 - 324.47 Katie Paxton-Fear

If you have a mobile app that you want to share the same code base as a desktop app, you're going to use an API. APIs are so ubiquitous and they're such like an everyday thing. We could probably name one that you've used today. If you have a smart home, you use APIs.

325.29 - 351.828 Katie Paxton-Fear

If you have an app on your phone, it's APIs. Everything is APIs now. Because everything is APIs and everything is interconnected, they just get forgotten. Eventually all knowledge dies out, especially in technology, when we've got the next big thing happening. What happens to the old next big thing? Everybody has jumped on AI and replacing everything with ChatGPT.

351.928 - 379.515 Katie Paxton-Fear

But what is going to happen to everything else? The answer is the last developer who worked on it leaves the company and the company has no idea this API exists. The only record of this API ever existing was in the developer's head. Now that they're gone, they have no idea. And this creates such a massive security hole because maybe that API is written really well.

379.835 - 407.439 Katie Paxton-Fear

Maybe they were on the ball and that API is going to work for years. More likely, though, it's going to be insecure and it's going to be the way that a bad guy gets in and actually manages to exploit the API. A lot of the time we hear things like shadow APIs, rogue APIs. We've even got threat actors publishing their own APIs now. So we've got evil APIs and just APIs that are undocumented.

407.999 - 418.824 Katie Paxton-Fear

There's very much a... While developers are trying to solve their regular technical debt, we've just added an extra layer on here for something else entirely.

419.104 - 428.227 Noah Labhart

That all makes sense. So why do these APIs often go unnoticed? And I'm just curious, why do they often go unnoticed and how do they become a security risk?

428.874 - 454.525 Katie Paxton-Fear

First of all, it's just how common they are. And the second thing is usually the amount of autonomy developers have. Developers can often produce whatever they need to get their job done. They don't have any guidelines. They don't necessarily have really strict ways of doing things. They work fairly autonomously. So if they need a new API, they'll just make it and put it up. So it's convenient.

455.205 - 479.316 Katie Paxton-Fear

Or potentially they make an API that they use for one project or they think they might use in the future. And then it never actually ends up being used as part of the main production hardware. There's a lot of different ways that these APIs get created. My favorite is one that I did when I was a developer. I installed a piece of software onto our server. And we never ended up using the software.

479.376 - 495.659 Katie Paxton-Fear

We never ended up buying it. The API is still out there to this day. I checked like last year and I left the company four years ago, more than six years ago. Six years ago, I left that company and the API is still up. It just gets forgotten.

496.339 - 506.641 Katie Paxton-Fear

A company has so many assets to worry about and developers have so much autonomy that they don't need to document everything they produce during their workday because that would be

507.001 - 526.107 Katie Paxton-Fear

a crazy amount of work, that would be. And so you have this situation where you've got these APIs that were just created for the sake of convenience, that they might be useful later. They just end up never really getting decommissioned, deleted, or even disconnected from, like, a database.

526.809 - 549.644 Noah Labhart

So a lot of autonomy for a developer. You put an API out there, you check it four years later, it's still there, right? To your example. So they're lurking in the shadows because they're sort of done and then maybe kind of forgotten. But what makes these APIs such an attractive target for attackers? And maybe even can you share an example of how one of these APIs has been exploited?

550.165 - 571.559 Katie Paxton-Fear

So these APIs get exploited all the time. And honestly, it's because it's quite easy. If you don't even know something exists, how on earth are you supposed to secure it? You can talk about things like secure coding, secure software development life cycles, security vulnerabilities in general. But if you don't even know an API exists, how on earth are you supposed to protect it at all?

572.159 - 597.139 Katie Paxton-Fear

You don't know what you don't know. And when it comes to security, that is what will get you breached. Certainly, if we think about today as we're recording it, people have done an investigation into the Internet Archive attack from a few weeks ago and found there were just credentials on GitHub that were just valid that nobody had deleted. The problem is that they were up for decades as well.

597.159 - 620.617 Katie Paxton-Fear

I think it was up for like 10 years before anybody even noticed. So certainly, if we think about the kind of trend of people leaving companies, most people leave the company after maybe two to three years. Eventually, there'll be nobody left that knows that API exists. And the bad guys are highly motivated to find out it does exist because for them, that is a payday.

620.697 - 630.724 Katie Paxton-Fear

That is a way in, not even a backdoor, right? It is just a nice entryway, inviting one in to come and attack you.

631.595 - 654.885 Noah Labhart

That's very well described. You have illustrated, you know, the issue, these APIs, you know, to our title, lurking in the shadows that are unknown, but are just tantalizing to hackers. How can organizations begin to uncover these, you know, hidden APIs, these lurking APIs? And, you know, do you have any tools or strategies that you feel are effective in doing this?

655.41 - 673.08 Katie Paxton-Fear

I always feel bad for the defenders when I have this conversation with them, because as an attacker, my job is quite easy compared to that, because that is not an easy thing to do. Obviously, you can buy API security solutions like Traceable that have this as part of it, and that can be a great option.

673.24 - 686.87 Katie Paxton-Fear

But if you don't have the budget, you don't have the maturity to deal with it, that is where it is really hard. Some advice I've given some of the companies I've worked with has been: run an inventory.

687.03 - 714.135 Katie Paxton-Fear

If you can, try and get as much information as you can, whether or not that is digging through GitHub commit history, digging through what files are on servers, what cloud environments are running and what they're all running and what you have available, what pods are up, or by just asking a developer, "Hey, do you know what APIs we have?" That is a huge first step in taming this beast.

714.335 - 732.627 Katie Paxton-Fear

But it's not easy. You can use, there are some really great word lists that you can use, like with fuzzing tools. There's "the only API word list you will ever need" that uses a lot of historical data from different APIs that they've audited, sharing their knowledge.

733.448 - 750.988 Katie Paxton-Fear

Some of the other things you can do is have something like, if you have API management tools, things like Kong or MuleSoft, they can be really great ways of finding APIs. But honestly, if we had a bulletproof solution to that, you would be a millionaire.

751.508 - 770.234 Katie Paxton-Fear

Companies like Traceable do a lot there in trying to, again, bring in that intelligence side of things, have continuous monitoring, look for APIs in weird places. But you are simply not going to get them all. And what you need when that happens is a plan on how you're going to react when that inevitably happens.

771.01 - 791.027 Noah Labhart

I totally hear what you're saying there. These are great starting points. But if something's lurking in the shadows, it's going to be hard to find them all. And you need a plan of how to respond to that. And maybe that's part of what your answer will be in this next question. But I'm curious, in your experience, you're the guru, right? You know this world. You live this world every day.

791.087 - 808.972 Noah Labhart

What are some of the common mistakes that companies, organizations make that, you know, lead to these unknown APIs being created or overlooked? Like, how do they get there in the first place? And maybe it's a little bit of what, you know, you described in your four-years-ago example. But I'm curious, what are the common ones?

809.625 - 835.996 Katie Paxton-Fear

So some of the most common kind of mistakes that I see are essentially not having a process for decommissioning things. If your process for decommissioning things is switch off, like you are not going to catch everything. You need a way to track what developers have deployed over time, where it's deployed, how it's deployed, and then you can properly decommission it when developers leave.

836.596 - 859.253 Katie Paxton-Fear

The other common mistake I see people make is having a really terrible relationship between development teams and security teams. A lot of people will have a weird adversarial relationship with their security team. And the security team is seen as an annoying, really frustrating team to have to deal with rather than it being a partnership.

859.373 - 884.896 Katie Paxton-Fear

And when you have that kind of relationship, it's really hard to bring it back. Some of the other common things is simply having no API security tools at all. I'm not even talking just you have free tools, you have nothing. You maybe don't even prioritize API security. That's another common one I see. There's no API incident response plan. There's no API management tools in place.

884.936 - 909.144 Katie Paxton-Fear

There's no process for deploying APIs. There's no API inventory in place. That is a really common thing that organizations will fall on. It's really easy to buy a tool that can scan your code and find every vulnerability. That's really tempting. Of course it's tempting. That sounds really easy. In reality, though, security is never quite that easy.

909.864 - 931.508 Katie Paxton-Fear

Though there are tools out there that can make it easier and highlighting what you actually need help with, what will make things easier, and then actually implementing that process and certainly having an API incident response plan. Because at the end of the day, these shadow APIs, unknown APIs, undocumented APIs, all of them, they're going to get attacked eventually.

932.228 - 947.277 Katie Paxton-Fear

If you start panicking like a headless chicken when something goes wrong, and you can't go into that, like, focused incident response mode, you're just panicking and just, "What's happening?" Like, you will lose control of the situation very quickly.

947.941 - 968.854 Noah Labhart

Okay, this has been a great conversation. I really appreciate you being on the show. It's very clear that these unknown APIs lurking in the shadows are a problem and are a tantalizing target for hackers. And you've illustrated some great ways to start to be proactive, but also to understand that if there's some lurking in the shadows, you're going to also have to have a reactive incident plan.

969.094 - 975.918 Noah Labhart

And tools like Traceable are out there solving this problem for those proactive solutions. I really appreciate you being on the show today.

976.226 - 982.027 Katie Paxton-Fear

No, I'm really happy to spread the good word about not getting breached by your APIs.

983.827 - 1004.391 Noah Labhart

And this concludes the Dark Corners of APIs, uncovering unknown APIs lurking in the shadows with Katie Paxton-Fear. Stay tuned for more episodes in our series, The Haunted House of APIs. And if you'd like to learn more about Traceable, go to traceable.ai. That's traceable.ai. And thanks again for listening.
