
How Ethical Hacking Tricks Can Protect Your APIs and Apps

Many security breaches aren't inevitable. Ron Masas of Imperva tells how to guard what matters in this episode of The New Stack Makers.
Jan 10th, 2024 7:38am by

Developers have a mandate to build fast. But that can sometimes come at the cost of creating applications and APIs that are more vulnerable to malicious hackers than they should be, according to Ron Masas, lead vulnerability researcher at Imperva.

A common theme he sees in his work at the data and application security company is “not investing enough in documentation and validation,” Masas said in this episode of The New Stack Makers podcast.

“This is a very common thing: teams can run off trying to build things as fast as possible. But they forget to actually build the proper contract between the API request and response, and to validate it using things like the OpenAPI standard.”

At Imperva, Masas’s job is basically to make the attacker’s job harder by continuously finding and reporting vulnerabilities in widely used software and services. He calls himself an “ethical hacker,” one who uses his hacking skills to defend against attacks.

Weak authorization is another common vulnerability he sees. “It’s amazing how many times I found bugs where like, there is an invoice endpoint with your invoice ID, you just change the ID to something else, you add one to it. And suddenly you see the invoice of some other user. This is a real thing that happens quite often.”

Kill Your Zombies

“Zombie” APIs or applications, things that were built and had a purpose at one time but have fallen into disuse, can be prime targets for hackers. Tracking down those forgotten APIs and apps is one of the tricks Masas employs to find vulnerabilities.

“If it’s using a framework, or like the JavaScript framework, I’m basically looking into the decoder and minifying it and trying to get all the endpoints that it uses,” he said. He also tries connecting with different endpoints. “Let’s say if there is [an] endpoint to, like, slash users slash ID. I could try to post to or delete those kinds of things.”

It’s important to keep an eye on default configurations — sometimes keeping default settings can introduce vulnerabilities, he said. Also, “having robust logging is very important. So you want to be able to log anything that is unexpected. This will help you recover from a vulnerability or detect that there was an exploit sooner.”
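The invoice-ID bug described above and the advice to log anything unexpected, shown together in one small handler. This is an added example written for this article, not code from Imperva or the podcast; the invoice table, user names and event names are constructed, and the error type stands in for whatever a real framework returns.

```python
import logging

log = logging.getLogger("invoices")
logging.basicConfig(level=logging.WARNING)

# Constructed sample data standing in for the invoice table.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 75.5},
}

# In-memory record of every unexpected request, kept beside the log line
# so the events can be inspected (or shipped to a SIEM) later.
AUDIT = []

class NotFound(Exception):
    pass

def get_invoice_vulnerable(invoice_id):
    """The weakness Masas describes: the handler trusts the ID in the URL
    and never asks who is requesting, so changing the number shows any
    logged-in user someone else's invoice."""
    return INVOICES[int(invoice_id)]

def _unexpected(event, caller, raw_id):
    """Record anything that should not happen in normal use: malformed
    IDs and cross-user reads are both signals worth alerting on."""
    AUDIT.append((event, caller, raw_id))
    log.warning("%s caller=%s invoice_id=%r", event, caller, raw_id)

def get_invoice_hardened(caller, raw_id):
    """Validate the request against its contract, then enforce ownership."""
    # Contract check: the OpenAPI schema for /invoices/{id} would declare
    # the id as an integer, so reject anything else before touching data.
    if not (isinstance(raw_id, str) and raw_id.isdigit()):
        _unexpected("malformed_id", caller, raw_id)
        raise NotFound()
    invoice = INVOICES.get(int(raw_id))
    # Object-level authorization: the invoice must belong to the caller.
    # A non-owned invoice is answered exactly like a missing one, so the
    # response does not confirm that the ID exists.
    if invoice is None:
        raise NotFound()
    if invoice["owner"] != caller:
        _unexpected("cross_user_read", caller, raw_id)
        raise NotFound()
    return invoice

def is_denied(caller, raw_id):
    """True if the hardened handler refuses the request."""
    try:
        get_invoice_hardened(caller, raw_id)
        return False
    except NotFound:
        return True
```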

But guarding against hackers also requires both developers and the security team to embrace their responsibilities, Masas said.

For developers, it means understanding “who is going to consume your API or microservice,” the podcast guest said.

“Security champions” embedded in dev teams can also help, he added. “Have someone that is really curious about [security] and incorporate this into the development life cycle, and code reviews,” he advised. “I think code reviews are also very important, and can also be used to educate the developers as they submit code.”

On the other side of the equation, security teams must be more nuanced in how they communicate vulnerabilities. Not everything is an emergency.

“Security teams can often seem to make a big deal of something that is not really a big deal,” Masas said. An unpatched dependency should be patched, he noted. But “there is a difference between a dependency that is not patched and one that’s exploitable.”

Check out the full episode to learn about case studies from TikTok and DigitalOcean, what Masas thinks about AI and development, and what security challenges may arise.
