How Ethical Hacking Tricks Can Protect Your APIs and Apps
Developers have a mandate to build fast. But that can sometimes come at the cost of creating applications and APIs that are more vulnerable to malicious hackers than they should be, according to Ron Masas, lead vulnerability researcher at Imperva.
“This is a very common thing: teams can run off trying to build things as fast as possible. But they forget to actually build the proper contract between the API request and response, and to validate it using things like the OpenAPI standard.”
At Imperva, Masas’s job is to make an attacker’s work harder by continuously finding and reporting vulnerabilities in widely used software and services. He calls himself an “ethical hacker,” one who uses his hacking skills to defend against attacks.
Weak authorization is another common vulnerability he sees. “It’s amazing how many times I found bugs where like, there is an invoice endpoint with your invoice ID, you just change the ID to something else, you add one to it. And suddenly you see the invoice of some other user. This is a real thing that happens quite often.”
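As an added example (not code from the article or from Imperva), here is the invoice lookup Masas describes in Python: the version that trusts the client-supplied ID beside one that checks ownership and logs the denied attempt. The in-memory data, the function names and the audit-log list are constructed for illustration.

```python
# Added example: broken object-level authorization on an invoice endpoint,
# beside a version that enforces ownership. Data and names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: two users (7 and 9), three invoices.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount_cents=12_000),
    1002: Invoice(1002, owner_id=9, amount_cents=4_500),
    1003: Invoice(1003, owner_id=7, amount_cents=800),
}

AUDIT_LOG = []  # stands in for a real structured logger


class NotFound(Exception):
    """Raised for missing AND foreign invoices, so responses do not reveal which IDs exist."""


def get_invoice_insecure(session_user_id, invoice_id):
    """Looks up by ID only: any authenticated user can read any invoice (the bug)."""
    return INVOICES[invoice_id]


def get_invoice_secure(session_user_id, invoice_id):
    """Fix: the invoice must belong to the caller; denied lookups are logged."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        AUDIT_LOG.append(f"denied user={session_user_id} invoice={invoice_id}")
        raise NotFound(invoice_id)
    return inv


def invoice_endpoint(session_user_id, invoice_id):
    """HTTP-style handler: (200, body) on success, (404, body) otherwise.
    404 rather than 403 so a foreign ID looks the same as a nonexistent one."""
    try:
        inv = get_invoice_secure(session_user_id, invoice_id)
    except NotFound:
        return 404, {"error": "not found"}
    return 200, {"invoice_id": inv.invoice_id, "amount_cents": inv.amount_cents}


if __name__ == "__main__":
    print(invoice_endpoint(7, 1001))  # own invoice: 200
    print(invoice_endpoint(9, 1001))  # someone else's invoice: 404, logged
    print(AUDIT_LOG)
```

The insecure function keeps the behaviour from the quote (user 9 can read invoice 1001) so the two can be compared side by side.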
Kill Your Zombies
“Zombie” APIs or applications, things that were built and had a purpose at one time but have fallen into disuse, can be prime targets for hackers. Tracking down those forgotten APIs and apps is one of the tricks Masas employs to find vulnerabilities.
It’s important to keep an eye on default configurations — sometimes keeping default settings can introduce vulnerabilities, he said. Also, “having robust logging is very important. So you want to be able to log anything that is unexpected. This will help you recover from a vulnerability or detect that there was an exploit sooner.”
But guarding against hackers also requires both developers and the security team to embrace their responsibilities, Masas said.
For developers, it means understanding “who is going to consume your API or microservice,” the podcast guest said.
“Security champions” embedded in dev teams can also help, he added. “Have someone that is really curious about [security] and incorporate this into the development life cycle, and code reviews,” he advised. “I think code reviews are also very important, and can also be used to educate the developers as they submit code.”
On the other side of the equation, security teams must be more nuanced in how they communicate vulnerabilities. Not everything is an emergency.
“Security teams can often seem to make a big deal of something that is not really a big deal,” Masas said. An unpatched dependency should be patched, he noted. But “there is a difference between a dependency that is not patched and one that’s exploitable.”