
Untangling APIs: Addressing Sprawl and Securing Your Modern Digital Ecosystem

BSides Edmonton · 2023 · 45:23 · 12 views · Published 2023-10 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
BSides Edmonton, September 2023. Untangling APIs: Addressing Sprawl and Securing Your Modern Digital Ecosystem: Peter Scheffler, September 25, 2023 at 1:00:00 p.m.

Abstract: As organizations increasingly adopt hybrid architectures and microservices, the number of APIs utilized within their ecosystems continues to grow at an exponential rate. This phenomenon, known as API sprawl, poses significant challenges in terms of security, governance, and efficiency. But of them all, API security might require the most urgent response.

For organizations trying to secure their APIs, multi-cloud complexity and difficulty enforcing consistent security top the list of challenges according to F5’s State of Application Strategy Report (2023). To address the security challenges of API sprawl, organizations need to adopt a more holistic app and API security strategy for their organization, including components that deliver runtime protection and posture management, and that help integrate security and code testing earlier in the software development lifecycle.

Join this session to hear from Peter Scheffler, Sr. Solutions Architect at F5, and learn:

· What makes APIs such a target
· What makes protecting APIs so difficult
· Elements of good API security practices
· How to augment existing app security infrastructure to protect APIs
· Capabilities organizations should be considering for comprehensive API security
· The role of AI/ML in API security today

Speaker: Peter Scheffler, Cyber Security Solutions Architect, F5. Peter has over 30 years of experience in the software industry, with nearly another 10 years before that as an amateur programmer. Peter has spent the last 20 years in the world of web application development and application security. As an independent consultant, Peter spent time developing solutions for securing network and application access for Fortune 1000 and security-conscious government organizations.
Peter currently works with F5 Networks as a Senior Security Solutions Architect, where he is helping protect today’s economy from cyber-attacks.
Transcript [en]

It's all yours. Excellent, thanks very much. Thanks for coming by, folks. I hope I'm half as interesting as lunch was. I've been doing API talks; they are very relevant in the industry and I've been doing these, but I find they're much more interesting when somebody has a beer in their hand, so I really encourage these to happen at a brew pub or something like that. So hopefully I've got you early enough today that you haven't digested your food enough to fall asleep, but we will endeavor to make it interesting and exciting.

So, as my very embarrassing... I hate the bio. Like, anybody who does these talks, someone always emails me for my bio, and I hate those descriptions; they make me very self-conscious. But my background is just that: I consider myself a programmer. I'm a horrible programmer, and I just stumble through and, you know, half the time use ChatGPT or Stack Exchange or somebody else's code to make it do what I want it to make happen. I recently released some code to the company, to F5, internally, and I had to share my private git repo. Has anybody written their own code and had this baby that you've been working on for six months or a year and then had to show it to people? Yes? Yeah, sorry, that is the scariest thing you could possibly do. I can stand in front of a thousand people and present and that's fine, but to actually have someone look at my code and go, "Wow, I thought you were a good programmer," kind of rips my heart out.

But that's kind of the problem the world faces. The keynote this morning, Alisha (I think Alysa was her name), I thought was phenomenal. She had a great talk, very captivating, but what she said was right, where she hacked those APIs, hacked it once and got 300 for free. It happens all too often. I just described what I did, right? I used ChatGPT to write a bunch of stuff, I used Stack Exchange to write a bunch of stuff, because, you know why, I have a self-image problem, and I think everybody is better and smarter than I am and probably does a whole bunch of threat modeling and fixing stuff before they release to the world, right? There's chuckles because it's not right. The world has been built on three lines of "hello world" that was probably written in 1954 in COBOL and has just been ported and ported and ported and advanced since then, and all the problems that we've had continue to keep moving forward.

And so I start this presentation with this slide, and I will say I've been using PowerPoint since 1991 or '92; I think the first time I did a PowerPoint presentation it was on three floppy discs, and I have no idea how to make this slide automatically restart. It's magic to me, I don't know how, so I constantly replay this. So you'll see me every once in a while just come up here and click it so it replays. But this is a very interesting slide, and it shows the timeline of the world for the last little while in how APIs are becoming a problem and have been a problem.

So I'm going to start the story with a little bit about myself. In the mid-2000s, so 2008, 2009, I was working for a startup. That means, you know, the company went out of business; that's what startup means, right? So I found myself as an independent contractor; my wife politely calls it self-unemployed. And so I was hunting and hunting for some work to do, and a friend of mine put me onto a project that looked like a lot of fun, and in the hopes of doing something interesting and fun I took the meeting and I met with the people. They had this idea of a game. So this is 2009: a game, a mobile game that you're going to play in a movie theater. So before the movie starts, it's called the pre-show, and so they were developing this to sort of get you in; you know, you go to your movie and you'd play this and you get some coupons and all kinds of stuff.

So I still haven't written one line of mobile code in my life. I've written tons and tons of applications, lots and lots of, you know, dozens of lines of code probably are attributed to me, not just what I've stolen from other people, but I've never written anything as a mobile application. But we were developing it for the three fantastic application technologies of the time, in 2009, which were, number one, BlackBerry. Yes, great, hold our heads high as Canadians, right? We needed it for BlackBerry, Android, and this upstart from Apple that was starting to move into the market.

And so we needed an interface to have people engage with it, right? So I had been writing some Facebook applications at the time, some integration with some consumer-based marketing and stuff, and so they wanted to tie in Facebook and they wanted to be able to create your account and share this kind of stuff, and then you get a coupon that you can take to the kiosk, you know, to the confectionery, and get a free chocolate bar or whatever it was going to be. And so they had to build this and they had to build a mobile application. Well, I said, I don't write mobile applications. They said, no, no, no, it's okay, we've got a company in Ottawa that's going to write the code. Completely fine, I said. Good, but we need somebody to put the whole thing together, we need somebody to architect it, and we want it done with RESTful APIs. And what did I say? Yes, I said, fantastic, I know all about RESTful APIs. Why? Because I could Google it when I got out of the meeting, because it was 2009; I couldn't Google it on my phone at the time, right? So I looked up what a RESTful API was and we ended up writing this application so that you could have a mobile application, but we also built a web front end so you could sign up and all kinds of stuff.

And I'll tell you a little story, or a little hint. The first thing I can tell you about developers and hackers is we're lazy. We don't want to do anything more than once. We want to do it as little as possible and make it as ubiquitous as possible, right? So they said with this RESTful API we should be able to create the applications and do all these things without having to write one for the website and one for a mobile application. It's pretty advanced, right? Today this is just a no-brainer; you're like, okay, I'm going to consume this in 14 different things. So that was 2009, 2010. I joined F5 in 2011, and that's when this slide starts. It's not a coincidence that I ran screaming from the application development market at that time, but I'm very happy I did, because over time APIs have become a real challenge for protecting, or protecting from people, right, from bad actors. And this isn't something that's unique to just me. I will say I really hope no one hacked into my environment and broke into it and stole customer data, but I really don't know, right? It's very hard to tell. But that doesn't just relate to, you know, me being a self-unemployed developer working in my basement; it relates to a whole bunch of organizations out there today too.

So if I ask you one question: how do you know someone's a Peloton user? Yes, we will tell you. It's the same as being a pilot and a CrossFitter, and I don't do CrossFit, right? Somehow we'll get into the conversation, right, we will tell you. What's even easier than that? Then you don't need to talk to a Peloton person, right? Use the API. Exactly, so you can just ask their API. So back in 2020, if anybody remembers 2020 without shaking and crying, Peloton, you know, certainly enjoyed a boon at the time and really took off in the world. They were less than a million users; the mobile app, some people used the mobile app, they had a device, they had a tread at the time, they had a bike at the time, and then everybody got locked into their houses and wanted to work out and do all these crazy things, and Peloton took off. So they were flush with cash. If, like me, you thought that their stock could never go down and you bought them at $100... okay, you can take a lot of security tips from me; do not take a stock tip from me, okay? That's one thing I will warn you I am not good at.

And so they really needed to figure out what they were going to do, and so they invested heavily in dev. They had a lot of stuff on the go, they were building like crazy. They went from less than a million people to well over 5 million, maybe 8 or 10 million people accessing their environment. That's a scale that's impossible to fathom. Think about your busiest application that you have now, and somebody's going to say it's going to increase five times in a month. How do you handle that without sweaty palms and screaming and crying, right? I had that. I was number one on CrackBerry for one of my applications; worst day of my life. I got hacked like you would not believe. I had people all over my SQL Server, I had people banging into my environment. We went from about a thousand downloads a day to, when we went to number one on CrackBerry, 10,000 downloads a minute. How do you scale that? We couldn't. We had a single pipe, spinning stuff up in Rackspace; I didn't even know what Rackspace was at the time. This is crazy, right? This is what these guys went through. So they were trying to figure it out; they're literally building the plane in the air, like that old video from, I don't know, the consulting company where they're literally building the plane in the air. This is what these guys are doing. It's a tough job, but they try to make the right decisions; they try to use the good technology.

So they used something called GraphQL. GraphQL is a way of providing data without having to do it at the API level. It's much more optimized for mobile devices; it's a much more streamlined communications mechanism. So GraphQL is a great way to share data. It doesn't stop you using REST, because you still need REST to talk back into the application, but sharing the data and getting the data was very different. And so this is what they did: they turned this stuff on and they put a bunch of protections in place. They protected that whole network, they were worried about everything on the edge, and they figured out everything they could possibly do. Fantastic, right? Fantastic story, ends there. Does it end there? No, it doesn't end there.

The problem was, the way APIs are built, sometimes your business logic is exposed. So they used a bunch of Kubernetes pods. Anybody here play with Kubernetes? Right, yeah, I could stumble my way through a container. And when they put it together, they exposed a bunch of stuff that they didn't expect they were exposing. So as a Peloton user, I like to tell people I'm a Peloton user; I think it's a fantastic platform, that's why I tell people about it. But I don't want you to know what bike I have, when the last time I worked out was; that's only something I share with certain people. I don't want you to know my home address, all that kind of information. So you remember the BOLA stuff that Alicia was talking about this morning? This is that to the nth degree. You can get everything: the whole network, the whole data, everything is available inside of here, right? You can go in here and make a query. The beauty of developing something with GraphQL is something called introspection, and it'll tell you how to talk to it. It'll say, here are the functions that you can use to pull data out or push data in, right? But you're not supposed to have that on in your environment so everybody can see it, and they didn't on the edge, but unfortunately when you made a call to internal environments you saw how those environments were put together, and lo and behold, you're able to pull that data out. And this is the kind of information that they exposed. So is this a breach? Anybody call this a breach? No? A misuse of information, right? Data leakage, maybe? Breach is... no, it's a breach. Call it a breach, because companies out there are trying to say, no, this isn't a breach, I don't need to report it. It's a breach, right? It's a breach of confidence, it's a breach of the confidence that you've put in those organizations, right? Don't give them any leeway; make sure they're protecting it, right?

Excuse me, I've got to look at what my next slide is. All right, I have another question for you, or maybe this is an axiom, not a question: hackers lie, right? I'm not a hacker. I hack code, I've hacked websites, okay, I don't lie that often. All right, so there's something called... I tried to think; HackerOne, there we go. I was going to say Bugcrowd, but I knew it wasn't Bugcrowd. HackerOne. So anybody know what HackerOne is? Right, so HackerOne: if you're bored on a Saturday and you want to make some extra money, you can go to HackerOne and you can go hack somebody's website completely legally, right? If you are somebody who owns a website or manages a website, check out HackerOne or Bugcrowd or any one of these services, because they're phenomenal. It's a way for you to have something called responsible disclosure, and you define how people are allowed to hack you: don't touch this, you're allowed to poke in here, you're allowed to pull this data out over here, you're allowed to do this but you're not allowed to do that, right? They're very well-defined characteristics of how these things work.

But the thing I like about this HackerOne report, this is 2020; in 2021 and 2022 they released it too, but honestly it's not a fancy little graph that was easy for me to put together, so I just leave this slide in here for a few years. But this is me telling you hackers lie, because hackers say they spend 71% of their time on hacking websites. What did Alyssa say this morning? I chuckled when she said this line when she was talking about how she attacks, right? She watches the website, she goes and uses the website, she starts figuring out what's going on, and then she throws the website away, because the website has all that stupid business logic that they want us to adhere to, right? The fun part is when you start playing with that business logic. Why? Because developers are lazy, but in a good way: we want the systems to be used, right? So to me, when I see 71% of the time people spend on websites and 7% of the time they spend on APIs, that is not me. I might spend 7% of my time looking at your website, and I'm going to show you a couple things later, if we've got some time, about how easy it is to pull all that stuff together using something like Postman and Chrome, right? Reduce that from 7% down to 3% and grab all that traffic that's going on between your mobile application, your web application and the backend servers, right? All that stuff is happening, and there's fun things you can do when you start poking at it, and that's what hackers do. That's typically where we start to find those vulnerabilities.

When I was developing that pre-show application, I had a team that I brought in to help me with it, and my QA director, one of my best friends, let's be honest... I had about eight or ten people at some point working in my basement, and so Paul would show up in the morning and we'd share an office and we would write the contract of how the applications were going to work, right? So we defined that: here's a create-user API, here's a create-address API, and we would document it. Another thing, ask anybody about developers: we are not good documenters. If I can get somebody to take the things that are mulling around and bouncing around in my brain and get somebody else to write it, fantastic. ChatGPT, I wish I could just have a brain dump; that'd be phenomenal. But Paul and I spent many, many hours, weeks, months really defining this stuff before we wrote one line of code, because in order for me to go and create a user and for that to appear on somebody's iPhone (I didn't have an iPhone in 2009; I wasn't a multi-millionaire or anything like that, right), to be able to see that, that had to happen in a way that we had established a contract. So that contract was a bunch of pieces of paper that I wrote, PDFs, PDFs and PDFs. And so when we wrote them it was great, and then I would sit and code, and when does every developer code? Three o'clock in the morning, right? When life gets in the way and all the other things you've got going on, you code at 3:00 in the morning, and then Paul would show up at 8 o'clock the next morning and I'd say, ah, I've got that create-user API ready to go, and the create-address is good to go for you to test too. And he would look at me, and then before he has a sip of his coffee, or tea, he doesn't drink coffee, he'd say, I broke it. And I'd say, what do you mean you broke it? We spent like three weeks writing the spec; how can you break it? He goes, oh, I threw an asterisk in the phone number. Why would you throw an asterisk in the phone number? Because I knew you didn't expect it, right? Because we're so in our own heads when we're defining these things and when we're coding them, we don't necessarily think about what the problems are and how somebody can misuse it, right? I'm so driven to make this available for somebody to use that the challenge becomes how do I protect it, right? Those are hard problems, those are hard things to figure out.

And so I'm going to skip a couple slides here; I got the wave in the back that I'm rambling. If I can find my mouse, here we go. So when we start thinking about what's important, this is from Postman. Again, anybody heard of Postman? Anybody use Postman? It's a free download, it's fantastic, great tool. But this is their State of the API report; these are the things that people worry about. It's kind of intangible, isn't it? Like if I tell you that, you know, BOLA or IDOR, like, those are problems, broken object level validation, and access is broken, you don't necessarily know what that means. Threat modeling isn't easy, right? It's an art form, it's a science, all in one. So to translate these to what you have to worry about is a challenge. That's why we have smart people putting together lists like this. So the Open Web Application Security Project, who I got called out on last week because it's no longer the Open Web Application Security Project; it's either the W or the A that changed, like in the last month, one of them has changed, so I'm going to call it OWASP because I forget which it was. They put these things together; they tell you the things that people are attacking. But the second week of August now, CISA, which is the US, you know, federal civilian information security agency (so I do a lot of work with CISA, I do a lot of work with DISA, the defense counterpart), they announced as part of the Five Eyes thing (we're part of Five Eyes as well) with the Australian counterpart that BOLA, or the ability to access data that you shouldn't be able to access, right, so being able to tweak that... I love that example that Alysa gave this morning; I'm going to use that for the rest of my life, of being able to have a car and say I want the Ferrari in front of me. It would be like a Mercedes, you know, AMG or something like that; I'm a big Ferrari fan myself, but I'll give up my Hyundai for anything, right? Being able to say, okay, I'm going to take my ticket, change that 17 to an 18, and then pretend I'm that other person. That's what happens today; that's what happens in APIs, right? That's number one: broken access control, broken object level authorization. Those are number one, whether you've got a web application or a mobile or an API; people play with that. I do. Whenever I see a cart and I see a cart ID that's predictable, what do I do? I start throwing numbers at it, see what happens.

I scared myself when I bought something at somebody's website and I played with that and I got somebody else's cart and saw all the things that they bought and their home address. Luckily I didn't see their credit card. And I wasn't even logged in, which is even worse than being logged in and being able to get those IDs. It's crazy, right? It happens, and this wasn't something that was written by some second-rate person; this was an off-the-shelf cart application. I talked to the people; that's responsible disclosure. Unfortunately, responsible disclosure requires them to do something about it, which they didn't, but we won't go there. So looking at these kinds of things is very important. We've got to figure out how we can protect them and understand what the scale of our problem is. That's where we are today, right? That's where we've got to figure out how we're going to go and understand what we need to protect. So who here has API applications today, API-based applications in your environment? Anybody? A few of you, yeah. If you've got a web application, I guarantee there's an API in there somewhere. It might be a microservice that something else is calling, right? Microservice means that you're calling somebody else's problem, right, and they've done all the threat modeling, they're completely safe, right? Yeah, no.

I will tell you, in that pre-show application I used Struts, because I wrote all my APIs in Java. That was 2009. I woke up in 2016 to a nightmare. Thankfully I was no longer responsible for that, but I was responsible for 10,000 websites around the world that had Struts in them. Don't rely on anybody else to threat model your stuff; threat model your own stuff. And so how can we do that? We can start inventorying what we've got. So look at the application stack that you've got, look at how it's running, look at the traffic that's flowing through it, right? So if I were going to put an F5 sales hat on, these are things that we can do: we can look at your inbound traffic, we can look at the traffic as it flows through and build a taxonomy of what is going on inside of your application stack, and then we can start to look at where you have problems. What URLs are you sending data through that aren't authenticated? Do you have a cart where I can just go grab that cart and I don't need a JWT token? Or even worse, you're using basic authentication and sending passwords back and forth across every API call? That's horrible, right? Nobody would ever do that. We do; we find these kinds of things. And so we can help you start to figure out what you need to worry about. This is an elephant-eating problem, right? You've got a huge security problem in front of you; you've got 20 applications or 2,000 applications, I don't care how big your organization is, your security problem is always going to be big. But if you can start to categorize it, understand what you can see, then you can start making some decisions on how we're going to address it, right? Then we're going to look at things like the OWASP top 10 model: can we overlay our top 10 model and say these ones are protected, these ones aren't protected, how are we going to protect them? So all those things can be brought in, and you can start making some decisions on how you want to protect it.

How am I on time? Somebody was flashing me a card back there. I have another 10 minutes, maybe? Okay, I go till 22? That's what we've got, okay, I'm going to go to 22. How's that? So what I want to do now is share my screen. I promised you I was going to do a little bit. Actually, now I'm going to use the mic stand; I'm going to feel trapped, but I will.

So what I thought maybe I could do is fill a little bit of time here at the end and show you some of the things that I do when I'm... is the mic okay here? Okay, good. When I'm looking at our application and trying to figure out what kind of traffic a customer is seeing, or somebody's seeing... could be on this one? Yep, that's the one. Say, okay. So I mentioned OWASP, the letters that used to mean Open Web Application Security Project. So they've put out a bunch of web applications that you can use to tinker around. A lot of them are just available as a container, which is nice; you can just spin them up. So this is something called Juice Shop. If you want to buy some juice, you can go ahead and, you know, use this as an example application. But this one, the Juice Shop, is interesting because it's API-based, and I can prove that it's API-based, because if I go in here... let me, who has ever used the dev tools inside of Chrome? Cool, all right. So if you didn't see what I did there, I am in Chrome and all I do is I right-click on the page and say Inspect, and you get a whole bunch of things you can do. You can change the web page interactively, you can do a whole bunch of fun stuff, you have a console, you could execute JavaScript, a whole bunch of cool things you can do inside of there. But what I'm doing here is I'm in the Network tab, and so what we'll actually see is all the traffic that flows through my browser when I refresh the page. So you can see here all these calls happen in the page. So to take it down just to the bare level, what happens is my browser goes to a page; it might be just a straight HTML page, could be a JavaScript page or whatever it's going to be, but that page just gets pulled down, and inside of that page are a bunch of references to some scripts and stuff, and those get executed in real time, interactively. So if I go to my cart... let me see, if I go here and I go to a cart, so if we scroll up here, right, we can see that there's been a bunch of GETs; these are, you know, pull a bunch of stuff, there's some images that get pulled down. But if I go to my home page here, just the site page, and I add something to the cart, you can see here that it's made a call to something called basket items and something called seven. Anybody know what seven is? In this case it's an object that I'm referencing. Should I be referencing it as a seven? What I've been talking about, right? We don't necessarily want people to always know what seven is, right? We don't want to guess that; we probably should have some sort of better identifier, something that's long and unguessable, right? But I also have my own cart, right? So I define my own cart, and that again is probably an integer value in some of these unsecure applications. So if I guess your cart ID, I could go have a look at your cart, potentially, right? So those are things where we have those BOLA, you know, those object level references; I can get those and be able to pull those out. That's me going back to my cart where I was buying the flight suit; told you I was going to tell you I was a pilot, right? And I was referencing that identifier for the cart. Mine was like, I don't know, 64,325 or something like that, right? I tried 64,322, nothing; one, oop, nothing, you know. And then I turned on Burp Suite and said go generate a bunch of IDs, and it randomly grabbed a bunch of carts, and sure enough I got address information for, you know, a dozen people in a couple seconds, right? Doesn't sound like much, but that's a breach, right? Again, we shouldn't be letting people off; that's a breach, right?

So this is what happens inside the browser. So I can just go and look at the browser and figure out what's going on. There's a whole bunch of things; it's hard to necessarily know when I click on this what's going to happen, but if I open these tools I can get this information. The other cool thing is if I want to replay this, I can do things like this: I can go Copy, so I can go Copy as cURL. So, told you I didn't want to stand still. So if you can see here, I've right-clicked on the seven and I've said Copy, Copy as cURL. Anybody know what curl is? Command-line URL tool. If I wanted to go send this on the command line, I can send that command in, right, and it's exactly as the browser does it. It doesn't know that it's curl; there's no way for it to know that. Is there any possible way that I could ever know that somebody's using curl and not using my browser? I could challenge it. I could send a response back saying, hey, what's one plus one? Right? curl won't be able to respond to that; maybe the browser can do that, right? So we start to figure these things out. But if I grab this and I say Copy as cURL, I'll show you a really cool thing. I can go in here, and let's just say I'm going to go here and I'm going to say New Request. Anybody see New Request? There we go. Why am I not seeing New Request? There we go, Add Request; of course, my filter was too tight. There we go. So if I paste this, that's now taken my curl request and put it into Postman as a full request. It's grabbed all my headers, right? So if I go look here, there's 21 headers that just pulled in, right? All kinds of things: it's got the referer, it's got all the things in here, right? It's just mimicked that whole request. So now I can just go start playing with this, right? I can look at the body; this happens to be just a GET request, but if this was a POST and there was a bunch of things, I could start playing with that. But what happens if I try to go six and send that? Look at that, success. What did I just prove? Basic object level requests, right? I'm pulling this information out. Now there happens to be nothing in that cart. What happens if I try five? Right, oh look at that, there's cart information. Now, is this my cart? Probably not. Go do this in your web application. These are things where you can easily start to find how easy it is to start poking around and finding access to your different applications.

I'm going to finish up here with a very scary story which has a Canadian twist on it. So I'm a member of something called the FDX, so it's the Financial Data Exchange. So it's something called open banking, and so in Canada we are following open banking and we are implementing open banking, which means that if you happen to use something like Mint from Intuit or something like that, it's a way for you to use one system and sort of scrape a whole bunch of data and be able to go to one place and pay your bills. Maybe you've got a Scotiabank account and an RBC account and a credit card from Amex or something like that, and you want to see everything in one spot. What they used to do was they actually used to log in as you and scrape that page. So they would log in, have the page and pull it up and everything like that. There was no tracking that it was... they would look at the credit card, the IP address, and, you know, Amex would say, wait, stop that, you're scraping my page, you're doing it 100,000 times a day, right? Really not a great way of doing business. So FDX is an API standard that we're defining for how we're going to share data between these different banks, right? So the US, very dis... their

disaggregated environment um it doesn't lend itself well to this but the banks themselves are all in this so I go to the the conference next week every major Bank in Americas is is is there in the in in uh um in Europe there's actually the open banking standard which is very similar to FDX but it's it's just a different format but now we're sharing how we're going to communicate and send data back and forth so at last year's conference one of the pentesters got up and talked about a pentest he did and and so they um they had a bank um and this is real I'm not making this up and I'm not I'm trying not to paraphrase

anything that that uh that Cliff said um but the bank had an application from years ago when they had mobile banking or web based banking you know 20 years ago they had a uh foreign transaction uh uh thing on their website and they said you can only use it five times a day and every time you type in a value it had to have two decimal places and so that you know that you could go there and you could go and say I want to transfer you know US dollars to Canadian dollars or whatever right um but then like pellaton they went through a digital transformation wasn't one those great words I hated I'm glad we don't use

digital transformation anymore that's so 2020 um but they went through this and they said okay we're going to we're going to develop all this and we're going to use apis and it's going to be great because we're going to now put it in our mobile application and we're going to make everything fantastic and everyone's going to be able to use this so this pentester took the application and said huh cool started looking at it what's the first thing I did right clicked in Chrome and said what's going on behind the scenes they realized that the transaction um was just making a bunch of calls and the web application the JavaScript the web application was saying oh you've done this five times

please stop and it also said oh only two decimal places so the the the value checking was actually in the control to find out how many decimal places you're were doing so what they did is they looked at what is the biggest difference in the transactions and it turned out it was British pounds to Canon dollars told you was Canadian Tian and he told me it wasn't a Canadian bank I I I I hope so um and then they ran it three lines of python code with 17 decimal places so we get rounding errors and not five times a day not five times a second but about a 100 maybe a thousand times a second completely fine

they transferred $10,000 Canon dollars into British pounds um then looked at that and that was actually it wasn't a lot more you know maybe maybe a few more dollars maybe he never actually told me the the the number but maybe it was an extra 10 or $20 and kept doing that like 50 60 70,000 times just like hammering the site and then it stopped and he's like oh the bank caught me all the business logic was in their was in their application not in the not in the API there was no checks in the back end but they thought oh they must have seen that somebody was hitting my the back end and that's why they stopped

me so he called the bank up and said responsible disclosure I found a vulnerability in your in your uh in your FTX application um and they said oh thanks he said um you didn't know they said no but thanks for telling us they said well we just transferred the equivalent of about £50,000 into Canadian dollars and back and they're like oh thanks then we need to go put another 50,000 pounds in that bank account that was their their compensating control that they that they Lo would lose 50,000 you know or whatever the equivalent of that money was in the transfer and that's the only thing that stopped them so when you start refactoring and go through digital

transformation and adopt apis adopt apis they are phenomenal they're going to make your life so much easier but control your business logic and understand what's supposed to be going through anybody can think of an idea some of the things that might have been able to protect that maybe stopping them from doing it 10,000 times a second or a minute whatever it was right rate limiting right so being able to rate limit by by user an IP is perfect right nobody ever shares IPS and everybody's IP is exactly what they really are right no that was an Ottawa last week that is not what's going on in Ottawa right now IPS aren't what you want you want to be

able to look at the person who's logged in so only Force only allow people to who are logged in and properly authorized and authenticated and then let them do it 50 times a day because you know who they are and track them right and what about that 17 decimal place thing well had they done an API Discovery and looked at the API traffic they would have realized that most of the traffic only has two decimal places so they K have built a rule to say hey if this is more than three decimal places let's raise our hand let's have a look at this so by being able to put just a couple little controls in there

that could have easily protected themselves so but if you don't know what you don't know how you going to protect yourself you're going to have to figure things out look at your application stack pick up the phone and talk to a developer we're nice we lie but we we try to do it all for good right so I think I'm way over my time and I really I really appreciate your time um any questions I'll be around but yes yes right yeah go ahead oh um yeah so you mentioned the API call there and you said the validation logic was in the app so you advocating you put it in the API as well like double um so

you could you could put in the API or you could put it at a at a place where there's there's a tra there's a place where you can control it right so if there's a in in the example like if if I'm going to put my F5 hat on it's going to be at the proxy level being able to understand what that kind of traffic looks like authenticating that jot against an understanding the jot token sorry if I haven't explained it is is oo's way of identifying a user it's a it's a base 64 encoded ID right so I'm going to know that you're you um and I'm going to know that at at a point where I

can control it so if I give you Downstream control to make a change someone's going to make that change right so wherever you can control it put your hands around it that's the safe place to do it okay y thanks any other questions

yep so the question was um websites that are developed with like uh common Frameworks uh WordPress and uh mentioned another one but yeah so there could be like react and stuff like that so a lot of those are are user interface Frameworks right so react is a user interface framework that gives you a lot of capabilities to to do input validation but again you're doing input validation um at a point where somebody else can control the behind the scenes right so you still want to have it at your uh At Your Service level or your microservice level or in front of in front of it again where you can control it that's the place to have it it

doesn't stop you from ever sto you that that's the perfect Point why I have the API top 10 and the application top 10 equally on the same slide because you have to worry about the a the application and the apis equally important but the the requirements are a little different right so you still want to do input validation on your application because that's still going to make sure that things are coming in properly but if I only do that at the application layer and let somebody else just say do a call with the with the uh with the API they're going to misuse it like this person did with this with this attack on on on the FTX transactions

does that help answer question

yeah um again standing on the shoulders of greatness is is a myth um like I said I I used uh the uh the uh the Jakarta uh Apache tom cat um and and the strutz library and everything like that because I didn't want it to build a file upload process but that's why CRA was down for a week because the file upload thing was was found eight years years later to be vulnerable right so you have to understand that just because your application passes pen test today doesn't mean it's going to pass a pen test or a validation in six months or a year or five years right you have to that's a continuous check always

validating right great points thank you good awesome thanks very much folks
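The controls the speaker describes for the foreign-exchange story (the two-decimal-place rule and the per-day limit enforced in the back end, keyed to the authenticated user rather than to a source IP), as an added example that is not from the talk and is not any bank's or F5's code. The service, the user IDs and the date are constructed for illustration; the policy values (five transfers per day, two decimal places) are the ones the story gives.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Optional

# Policy values are the ones the story in the talk gives; the service itself is
# a hypothetical illustration, not any bank's or F5's code.
MAX_TRANSFERS_PER_DAY = 5
MAX_DECIMAL_PLACES = 2


@dataclass
class Result:
    accepted: bool
    reason: str


def parse_amount(raw: str) -> Optional[Decimal]:
    """Validate a transfer amount on the server.

    Returns the amount as a Decimal if it is a finite positive number with at
    most MAX_DECIMAL_PLACES fractional digits, otherwise None. Decimal is used
    instead of float so that a 17-digit fraction is seen as such rather than
    silently rounded before the check runs.
    """
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return None
    # "NaN" and "Infinity" parse successfully but are not usable amounts.
    if not amount.is_finite() or amount <= 0:
        return None
    # The exponent is negative for a fractional part: Decimal("1.25") -> -2.
    if amount.as_tuple().exponent < -MAX_DECIMAL_PLACES:
        return None
    return amount


@dataclass
class TransferService:
    """Back-end enforcement of the checks the client-side JavaScript was doing."""

    # (user_id, day) -> number of transfers accepted that day. Keyed by the
    # authenticated user, not the source IP, as the talk recommends.
    _counts: dict = field(default_factory=lambda: defaultdict(int))

    def transfer(self, user_id: Optional[str], raw_amount: str, day: str) -> Result:
        """Handle one transfer request; `day` is an ISO date such as "2023-09-25"."""
        if not user_id:
            return Result(False, "unauthenticated")
        amount = parse_amount(raw_amount)
        if amount is None:
            return Result(False, "invalid amount")
        key = (user_id, day)
        if self._counts[key] >= MAX_TRANSFERS_PER_DAY:
            return Result(False, "daily limit reached")
        self._counts[key] += 1
        return Result(True, f"accepted {amount}")


def run_demo() -> dict:
    """Replay a constructed burst like the one in the story: a thousand requests
    with a 17-digit fraction from one authenticated user, then seven well-formed
    ones. With the checks in the back end, none of the first and five of the
    second get through."""
    svc = TransferService()
    day = "2023-09-25"  # constructed date
    bad = sum(
        svc.transfer("pentester", "10000.00000000000000001", day).accepted
        for _ in range(1000)
    )
    good = [svc.transfer("pentester", "10000.00", day).reason for _ in range(7)]
    return {
        "bad_accepted": bad,
        "good_accepted": good.count("accepted 10000.00"),
        "good_rejected": good.count("daily limit reached"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The counter lives in process memory here; behind more than one instance it would have to sit in a shared store so the per-user limit holds across all of them, and the proxy the speaker mentions in the Q&A is where the same two checks can be applied before a request reaches any instance.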