
I started by accident right and I was just like I left a consulting firm I went to work at a new company my old company I said to them how much notice do you need and they're like whoa [ __ ] if you can do excuse me this talk is going to be about a PG-13 um I'll let you know if it gets to R but uh so they said you know if you can do stuff on the side you can leave in two weeks we'll finish some projects you'll do some stuff that'll be great so I went to my new boss I said hey man you know is it possible for me to do some stuff on the
side and he's like I don't know and he went and he negotiated with HR to get me an exception right which is crazy because I was working for Bank of America so the Monday I started at Bank of America that night I started as secure ideas and the plan was just to have a really great Christmas for my family like make a little bit of money stop not do it anymore like help the company transition that was 12 years ago and 26 staff members so I'm not exactly sure how that plan worked but sometime in like December I had a guy call me and he's like Hey Kevin do you know anybody who would be interested in sponsoring
this conference and I'm like me how much is it and he told me it was a conference out in DC I'm like oh yeah cool so I paid him the money signed the contract all that kind of stuff about two weeks later the dude calls me up and he's like Hey Kevin do you have a logo we need a logo for the website like that you're sponsoring and I'm like a logo [ __ ] you're right I need a logo like if I want to be a real business right like I'm gonna be a big boy when I'm older right whatever right I need a logo so I created our logo and I was so proud of this like let me be
very clear I am not artistic okay um I go to museums and go huh that's a snow shovel and they're like no it's art that's real art in New York it's a snow shovel hanging from the ceiling I don't understand it I think it came from Ace Hardware but so I build the logo then I go out to the conference and I'm really proud of myself right like I got a real business card I'm real and I go and I see a friend of mine he and I are going to speak together Tom Eston we're doing that guy is so smart and so we're going to do this presentation and he I said man hey
here's my card and I handed my business card right like I'm all excited and he looks at it and he says to me Hey Kevin why do you have the Key Bank logo on your business card and I went I don't have the Key Bank logo on my business card he's like yeah you do and he pulls out an ATM card and I'm like [ __ ] I have the KeyBank logo on my business card so we hired somebody at logo design Guru to create the lock with the light bulb uh so that's this is why me making fun of logos is really not important because so in case you guys aren't worried or wondering
um I'm going to speak on API security for the next hour now if you've ever seen me speak before or if you've ever met me you will know what that means is I'm going to tell random things that pop into my head for about an hour and I'm going to hope to keep them all related to API security but I've already failed at that because we have an entire conversation about logos right but I'm going to do my best I'm Kevin and for the people who don't know I am the founder of secure ideas right we are a I I found I found out recently we are referred to as a lifestyle business right it was just the weirdest name like
what do you mean a lifestyle business does that mean I'm a workaholic and uh we are a small boutique pen test company that's what we do we don't do IR we don't do forensics what we do is we break in we tell you your baby is ugly and we go home and let me be very clear all babies are ugly we lie to parents up until the point the kid is like three months old right oh your baby's beautiful no it's not it's a barely formed adult like a person their skull has holes in it they don't have kneecaps they Bend in weird ways and they fall over they're ugly I got two kids I'll tell you right now
when they were born they handed me I went oh my God she's beautiful and I was wrong I just the way it is right but about three months they start to become real people and you're like okay that one's cute that one not so good don't ask right it happens so I'm the founder of Secure Ideas I'm also a SANS faculty member I am an open source fanatic I run a whole bunch of Open Source projects I'm the vice chair of the projects committee for OWASP which is really not an accomplishment I don't think anybody else wanted the job I speak all over the place which is nuts because I suck at it um and I do some Star Wars stuff
that's me in the costumes I build screen accurate Star Wars costumes and then visit kids in the hospital and raise money for charity right so my favorite pitcher up there is the Darth Vader that's me in the Darth Vader they brought 300 blind kids in and they had them watch the movie which I thought was interesting that they still referred to it I'm not I'm not trying to make a joke like that was interesting right like how language works like oh they watched the movie and in my head I'm thinking no but but right and then we stood there for three hours and the kids felt what the characters look like I will acknowledge that I am crying in
that helmet that's why I don't do face characters right when you walk into a child's hospital room and they got tubes everywhere and they just light up because Chewbacca showed up it's worth the fake hair in my eyes the tap it in right there right like it is nuts I recommend it highly everybody should join should should go out and help even if you don't want to wear the costumes right we need help getting dressed that sounds wrong a little bit like hi could you help me dress I'm a little bit of a diva but um right so like and I'm on stilts do you know what sucks about those stilts I'm not coordinated I am amazed I
haven't fallen off of this stage and it's a flat floor right like I just suck at things like were you in Sports no I'm an avid endorsement so what we're going to talk about today is apis we're going to talk about some of the different things the benefits and the risks of how apis work and how we integrate with them and I want to be very clear I named this talk Happy Happy Joy Joy uh one because I thought it was funny uh two uh okay let's be clear one and two were because I thought it was funny three was because I want to be very clear that when we finish this talk when I'm finished telling you my dumb
stories when I tell you about how we broke into that bank we stole that data we did this oh by the way please add with permission to the end of every one of my stories right because you're like like you stand up and you say well you know what I was stealing money from this bank by the way getting into the Vault of a bank Scrooge McDuck lied to us vaults are not that interesting I was very very disappointed the first time I went into one right or broke into one I guess is the right way to say that um one of the things I want you to do is when you leave here I do not want you
walking out saying oh my God Kevin scared the [ __ ] out of me I never want to use apis because that is not my message my message here is apis are the way of the future right they are the way we are moving most of our applications in some level are using apis today and that is not changing the problem is most of the people that are rolling out apis don't understand the risks of what they're doing they don't understand the problems that can happen because of the way they roll out the API and let's be very clear we're humans we suck at risk assessments there's a real easy way to tell you this
I was out in Oklahoma right I was at a BSides decent one of the guys who runs BSides OK is over there and I keep saying it's BSides okay like really not BSides great BSides best I'm just saying right BSides decent mediocre but I'm out there and I say in the audience right I'm like hey how many of you are actively afraid of sharks like half the hands went up in the room I'm like no I want to be very clear here like you are actively like oh my God I could be attacked by a shark and like half the hands in the room stayed up and I said you all understand you are in
a landlocked state the only way a shark is attacking you is if they are transporting it from one aquarium to another aquarium and you run into that truck you guys know tornadoes you know yeah yeah sharks spinning around the earth right no what you should be afraid of is cows and soda machines why because cows and soda machines kill more people a year than sharks do cows will [ __ ] you up they're big they're mean and people think they're oh it's Betsy I'll Pat it I'll tip it no that cow will knock you over and the soda machines nobody has any sympathy for people dying from a soda machine right why did you die from
a certain like you get to the Pearly Gates or whatever the image is you've got in your head whatever okay I'm not judging right and the people in the afterlife say to you how'd you die and they're like I was trying to steal change from a soda machine I pulled it on top of myself that's what happens people like I really need a Mountain Dew and they die but Discovery Channel doesn't have soda machine week why because we suck at risk assessments and as we go through all of the different things with apis it's obvious that we look at the benefits right so let's talk about apis what is an API it's a programmatic interface isn't that
fancy right application programmatic interface I like polysyllabic words I do my favorite word is defenestration do you guys know what it means to defend or straight something right throw it out the window here's what I want to know what happened to the English language that it decided it needed a word specifically for throwing something out a window French Revolution is that really what it was you make it it sounds good we'll go with it right like hey what do we what do you call somebody getting thrown off a cliff being thrown off a cliff what do you call somebody being thrown through a window they were defenestrated right it just doesn't make sense to me my other
favorite word is onomatopoeia what I know exactly it doesn't matter what it means canonicalization is another good one what does it mean simplify to its most unique form but it's not right so application programmatic interfaces these are interfaces that you can interact with from your application from your client from your system from your device they are not necessarily designed for a person to interact with them right and that's important to understand but and I say it's important to understand is because many times when we test apis because that's what we do right our job is to break things and so we regularly test apis we are we have been told by many companies that we are
one of the few pen test companies that actually test apis right I don't know that's true I'd have talked to other pen testers like how did you test that API I ran Nessus against it man you suck but when we sorry man didn't mean
right exactly that's the way it should be right that should be a shirt right but here's the problem when people develop them when they build them they assume that the other side is another program and so it can be trusted not to be malicious because those people have obviously never run malware right like oh people won't interact with this I did right so we have to think about this and this has become a major portion of what we do on the internet today and mainly because of Integrations right these apis there they are either data sources or functionality I can send a request the API and it will do magic and then give me a response of what the
results of that magic was like for example I want to do Payment Processing what do I do I take the cardholder data I shove it across to an API the API processes it talks to the bank determines whether they can pay for that does all that kind of cool stuff and then I get a yep you can accept the payment or you can't right that's an API that's functionality that I don't want to build my I shouldn't tap the microphone sorry to whoever was just listening to that I am so sorry um uh but I don't want to build my own payment processor right my name is Kevin not MasterCard thank you and they don't even really do whatever
you know what I mean okay but so I use the functionality or there's data sources right I want to build a system that interacts with bank customers I'm not part of the bank right and I want to give them this other functionality and so I'm going to call the banks API to get access to customer record data things like that we just saw it what last week Optus the second biggest cell phone provider in Australia had an API of every customer's sign up data including pictures of their ID right on an API that did not require authentication exposed to the internet an attacker stole a ton of data so you get data from these things and then of
course you have the third parties right we have a client portal our client portal is where we deliver reports we get the data from our customer for the pen test things like that and then when we generate the report we will actually interact with the customers ticketing systems API to deliver findings to them they'll get our normal report but we'll also issue tickets into their Jira system via API so we have this third-party integration right that is kind of nice so this is good so what are the benefits here well they're like bees I like bees as a matter of fact my daughter and I are going to be buying a hive next March when they start selling
again putting bees in our yard which is way more information than you need but bees and apis in my mind are very similar right one nobody believes a bee should be able to fly most API code I've looked at shouldn't be able to run if you've ever written code you know I'm right right and they go everywhere and they spread pollen right it's true what do apis do they go everywhere and they spread data and everything and that can be good and can be bad just like bees if you've ever been stung by a bee are you allergic to it that sucks right it doesn't make the B bad data being stolen from an API doesn't
necessarily make the API bad right it's just part of the systems it's part of the platform okay so that's great and all but let's start talking about some of the problems because let's be blunt the problems are what I break this is my focus I've been involved in I.T for way too damn long I started professionally in 1991. I got my first job right out of high school and I wrote code to help manage the control systems for the power grid right this should scare the crap out of you because that code is still running at some utilities today in 2022 yes and let me be very clear I'm not that good of a programmer now I sucked in
1991. right but when I started doing I.T when I started doing uh Building Systems I built the system Hey Kevin we need a bulletin board system some of you are old enough to remember that right okay you have a BBS set up a LANtastic network from Artisoft run coax cables with BNC connectors I'm old right and you managed it did I think about security no I didn't when I started writing code for other companies when I started deploying systems for other companies I wasn't focused on security why because bluntly I didn't care and this is sad because when I was 14 I got involved in freaking red boxes blue boxes right I played around with all that stuff of
course I never did anything illegal I think I was doing 95 yesterday as I went past that cop but that's not true my car was doing 95. it drives I don't but we look at these systems and then as we start to roll out we have to understand the risks and I said that right I talked about sharks cows soda machines if we don't understand the risks that we're dealing with and I've got a few here and I want to be very clear I said some example risks I want to point that out this is not a comprehensive list and all of these risks depend on what your system does if your API is an API that
sends smiley emoji of the day you probably don't have massive risks if every single time I call your API it returns a cool Snapple fact from the can cap right do they still do that please you top it off there's a little fact on the top of the cam or bottle or whatever the hell it's called right yes I got a yes so you could build an API that gave snapple facts right not a lot of risk but if you're building an API for the open banking infrastructure to help the unbanked in the 12th world countries I made that number up right and your interface is dealing with people's livelihoods your level of risk is higher and we talk about uh privacy
availability yes availability it's one of the Triad and for some reason security always forgets it right but privacy is the first one privacy is dead but so are mainframes and many companies still have them right you know what's Dead next passwords oh yeah passwords are out by this time next year nobody's going to have a password [ __ ] I your password's still going to be winter 2023 but with a capital w privacy is crazy and a lot of people don't care about it right I actually don't I'm not a very private person what do you want to know about me right I was diagnosed with OCD I probably have Tourette's I'm just not going to go to the doctor
to find out because there's no treatment for it you want my medical records I get migraines I've got bad lungs this is all being recorded my social security number's on the internet it is you can Google it luckily though when I turned 18 I changed my name to Kevin Johnson and that's common so people can't find me I'm not as cool as John Strand who's also named after an underwear model insurrectionist but by the way today is John Strand's birthday so if you could tweet him happy birthday I'd appreciate it um but privacy is important and we say that right but we share everything we want on Facebook you know what privacy is right it's the cookie pop-up that says we use
cookies please click here that is the main effect of gdpr pop-ups something we fought for years not to have on websites gdpr now mandates it oh I feel safer but even though I'm a very open person right I talk about whatever you want to know ask me a question I'll tell you right I also recognize that privacy is important I don't care if you know where I Bank VyStar by the way right but I do care if you're actively tracking everything I purchase you don't need to know that I bought that beehive you don't need to know that I bought bees it's weird to be able to say that you bought bees you don't pet them
right but privacy is important and here's the issue and the reason I bring this up is when we start talking about apis is we start to expose these data points these functionalities these transactions what we end up doing is we end up not understanding what should be private I mean it's really easy for some people go well I'm under a HIPAA but that person who says I'm under HIPAA probably spells it with two P's because they're an idiot right or the other side right we have no HIPAA data really you have no HIPAA data none none whatsoever nope do you offer Insurance to your employees yes of course we do you have HIPAA data because when I filled out my insurance
forms I gave them pre-existing conditions which meant my company has access to records of my pre-existing conditions well my company is not a HIPAA covered entity I have HIPAA data I may have to worry about the privacy of that data plus what is private let me talk about pen testing I go break into a company four years ago I break into a company I go wild I took over all the machines you actually have to make that face when you're doing it what you do is that bypasses Windows Defender and CrowdStrike and um it's just how you do it right if you want to get past SentinelOne you lift
your left leg and hop it's really weird I don't know why that works must be a back door so I got in trouble on Twitter from like people because I found a back door at LogMeIn I did and I took a picture of it and shared it on Twitter because I was near their Boston office and they have a back door that says LogMeIn please use front door so I shared it I actually had people say Kevin sharing zero days is wrong and I'm like you're a [ __ ] like look at the picture oh we thought that was a joke yes it was that was the back door but
when we start to look at this data we start to evaluate it right if you get access to my systems now not only do I have vulnerability data for my customers but because most of their staff work from home I have vulnerability data about their home network because it is hard for me at the testing process to differentiate if you set up your VPN that everything on that that employees Network at home is on your corporate Network I'm going to see it now I'm smart enough well that's not true Aaron is smart enough that he knows not to hack that home infrastructure but we still have the data if we compromise your system and you
have we want it's in one place and they had a Wiki I don't know why but it was a Wiki that every employee had their own section and they were encouraged to share their personal information on that Wiki put your bank account information there put your medical records there use this for your own record and they were encouraged not because the company with some evil capitalist bastard no they were just trying to help their staff right and they thought this was a good idea they were wrong and we got that data and I'm like oh you're subscribing to oh and I write like these are the things these are privacy concerns and apis make them harder
because you don't know what data is coming back from that we've tested some apis you hit it like we just tested this one oh my God it was so fun we just did this test right and we're testing the system and we hit this API and you're just like hi my name is Kevin and they're like oh you must be Kevin blah blah blah here's your social security number here's all of your records here's all it is could you please authenticate now I'm not making that one up that was an API built in 2022 right we should know we'll talk about that in a second the other thing is availability right we always forget that the a in CIA
doesn't stand for agency it well it does in some cases but it stands for availability right the CIA Triad for security confidentiality integrity and availability availability so that API you call that you make how does it do load balancing what happens if you get back a response from it you weren't expecting what do you do what happens if you call it it doesn't answer do you stop processing do you handle stuff right how do you deal with that and then security many of us don't think about that right but for some organizations availability is actually the most important of the three remember I said depending on the organization you're what you care about matters for a manufacturing company
there's manufacturing millions of dollars of equipment a second I'm exaggerating or it's expensive availability is probably the most important aspect of the system and we have seen manufacturing companies networks their OT Network brought to its knees because an API that was designed for KPIs yes I used those two acronyms together I worked hard to get them to fit right key performance indicators I know I'm a manager now I know what KPI stands for and this is a Manufacturing Company their system is calling an API to give metrics of how much they're producing how effective they are and everything else like that and that metric system that sounded stupid because we use inches here but um I know
that's not the same um but that metric system nobody thought was important because it had no sensitive data right all it said was we produced 10 of those we produced 10 of those we produced another 10. oh we did 11 right that's it that API went down it went down due to somebody Port scanning the server it was on if your system Falls over from a port scan you suck and many of you do sorry right the API went down because of a port scan the manufacturing equipment stopped making [ __ ] they couldn't do it why because they would call the API and it would fail look at the colonial pipeline oh they got hit with rent somewhere now
I want to be very clear I don't do IR anymore I didn't work this incident I am basing this off of stuff I read publicly they got hit with ransomware on their corporate network not their OT Network the pipeline wasn't ransomware nobody encrypted the Natural Gas you base 64 in code natural gas it's just the way you do that's not right their corporate Network got hit with eight uh with with apis they got apis everywhere they got hit with ransomware and they shut the pipeline down not because it was encrypted but because it couldn't reach the apis that they did for accounting they shut down the pipeline because they didn't know how to get paid
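The availability point just made (the line that stops because its KPI API fell over to a port scan, the pipeline that stops because accounting APIs are unreachable) comes down to one design question: what does the caller do when the API does not answer? Below is an added example, not code from the talk, that models the manufacturing story with a production loop reporting to a metrics API. A circuit breaker stops every cycle from paying a full timeout once the endpoint is known to be dead, and a bounded local spool holds the metrics for replay; the loop itself never blocks. The names, the simulated transport and the thresholds are all constructed for illustration.

```python
"""Keeping the production loop alive when a side API is down.

Added example, not code from the talk. It models the manufacturing story:
the line reports KPI metrics to an API, and a dead metrics endpoint must not
stop the line. Failures are absorbed by a circuit breaker and a local spool.
Names, the simulated transport and the numbers are all constructed.
"""
from collections import deque


class MetricsApiDown(Exception):
    """Raised by the transport when the metrics endpoint does not answer."""


class CircuitBreaker:
    """Open after `threshold` consecutive failures; probe again after `cooldown` seconds."""

    def __init__(self, threshold, cooldown, clock):
        self.threshold, self.cooldown, self.clock = threshold, cooldown, clock
        self.failures, self.opened_at = 0, None

    def allow(self):
        # Closed: always allow. Open: allow one probe once the cooldown has elapsed.
        return self.opened_at is None or self.clock() - self.opened_at >= self.cooldown

    def record_success(self):
        self.failures, self.opened_at = 0, None

    def record_failure(self):
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = self.clock()


class MetricsReporter:
    """Sends metrics via `send(payload)`; never lets a transport error reach the caller."""

    def __init__(self, send, breaker, max_spool=10_000):
        self.send, self.breaker = send, breaker
        self.spool = deque(maxlen=max_spool)  # bounded: oldest metrics drop if the API stays down

    def report(self, payload):
        if self.breaker.allow():
            try:
                self.send(payload)
                self.breaker.record_success()
                return "sent"
            except MetricsApiDown:
                self.breaker.record_failure()
        self.spool.append(payload)
        return "spooled"

    def flush(self):
        """Replay spooled metrics once the API answers again; returns how many were sent."""
        sent = 0
        while self.spool and self.breaker.allow():
            try:
                self.send(self.spool[0])
            except MetricsApiDown:
                self.breaker.record_failure()
                break
            self.breaker.record_success()
            self.spool.popleft()
            sent += 1
        return sent


def run_production(units, reporter):
    """The core loop: every unit gets built whatever the metrics API does."""
    built, outcomes = 0, []
    for unit in range(units):
        built += 1  # the real work would happen here
        outcomes.append(reporter.report({"unit": unit, "count": built}))
    return built, outcomes


def simulate(units, api_down):
    """Constructed scenario: returns (units built, attempts made on the API, metrics spooled)."""
    attempts = [0]

    def send(payload):
        attempts[0] += 1
        if api_down:
            raise MetricsApiDown("metrics endpoint unreachable")

    reporter = MetricsReporter(send, CircuitBreaker(threshold=3, cooldown=30.0, clock=lambda: 0.0))
    built, _ = run_production(units, reporter)
    return built, attempts[0], len(reporter.spool)


def simulate_recovery():
    """API down for two calls, breaker opens, API comes back; flush replays after the cooldown."""
    down, clock = [True], [0.0]

    def send(payload):
        if down[0]:
            raise MetricsApiDown("metrics endpoint unreachable")

    reporter = MetricsReporter(send, CircuitBreaker(threshold=2, cooldown=10.0, clock=lambda: clock[0]))
    for payload in (1, 2, 3):
        reporter.report(payload)          # two failures open the breaker; the third never hits the API
    down[0] = False
    during_cooldown = reporter.flush()    # breaker still open: nothing replayed
    clock[0] = 10.0
    after_cooldown = reporter.flush()     # half-open probe succeeds, breaker closes, spool drains
    return during_cooldown, after_cooldown, len(reporter.spool)


if __name__ == "__main__":
    print(simulate(10, api_down=True), simulate_recovery())
```

With the endpoint down, ten units are still built, the API is only tried three times before the breaker opens, and all ten metrics sit in the spool for later replay. The same shape applies to the accounting case: the decision to spool and reconcile later is the application's, which is exactly the decision nobody had made in advance in the pipeline story.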
I have a simple answer here gas is free for a week oh no we've got a business [ __ ] your profit margins like four thousand percent I know I'm exaggerating no I'm not I maybe not I don't know right but they shut it down because they couldn't reach stuff not because the pipeline was damaged we're not talking Norway here that's not a joke there's a hole in the damn thing there that's a good reason to shut one down not because your accounting API is offline [ __ ] I believe that we should be allowed to use [ __ ] in way more emails I really do you know how much more effective security would be is if we could throat
punch just one random person per report right be great did you fix it no work you'll fix it next time won't ya I'm a violent person I live in Florida it's expected so God that's awful Florida man I wrestled an alligator when I was a kid I saw an alligator wrestling thing where the alligator won it was awesome it really was and I'm not talking like oh it was gory I'm not I'm not Aaron but um he likes horror movies the guys like wrestling the alligator and his hand slipped and the alligator went whack and got him now with an alligator have you ever been bitten by an alligator it's only happened once and um I've been shot at more times than
I've been bitten that's weird but if you're ever like the alligator snaps and then they let go and they grab again and then they try to do the death roll right so this dude it was amazing this and I want to talk about like like State of Mind the alligator jumped onto his arm and the dude immediately flattened himself well he flattened himself and oh he flattened himself on top of the alligator so he couldn't bite a second time who thinks of that like me so I don't get it grabs my arm I'll be like that's what's gonna happen that dude understood risk see I made it relevant so other security concerns we got lots of problems here with party
breaches we got data Integrity Access Control right these are three things that are pretty important so Access Control we put up a lot of little Badges and things like that I think that's good you guys see the IBM office where they had a badge printed for a cat that hung out in the parking lot I'm dead serious had the cat's face on it everything else like that I told that story now you know as well as I do that that badge had default access to that building right you know it so wild damn cat I don't know if that's really a feral feral is probably the right word right a feral cat they put an
IBM badge on it this is all over the internet right I tell this story about this badge somebody comes to me he's like Kevin I found the picture of the cat it was a different cat which means there are two badges at IBM that allow cats in this is nuts your apis are the same way all cats all the time most apis that we test have no concept of authentication or authorization they assume and you know what happens when you assume right it makes an ass out of you and you because I spell it different they assume that was a bad one I don't laugh at that one that one sucked and um that one's almost as bad as do you know
why Walmart wasn't hacked they're not a Target but they assume that when you call the API you are authorized to call that API right so it's like oh hey you knew how to call me you must be the right person this is like my dating life if you called me up it was awesome that's why I'm never divorcing my wife I tricked one person to want to be with me periodically I'm never risking that one again but apis most of them don't have any form of authentication authorization or worse in my opinion they have an idea of authentication authorization but the application that calls them has a static set of credentials that the app calls with so
no matter who the user is of the app if I'm using it or if he's using it or if she's using it the app is calling the API with the same set of credentials and in my head that's worse than an unauthora unauthorized an unauthorized BET unauthenticated right system and people like but Kevin the other one's unauthenticated I'm like right but if you go to the developers and say hey is there authentication on this thing they'll be like [ __ ] no right they understand that they might be wrong they might not understand the risk but they at least will document the fact they will answer the question on the other one you say the numbers do you do authentication and
authorization yes we absolutely do really yes is it one set of credentials for every app yes oh right like then they realize but you know that check box how many people here have been on part of the procurement process where they give you that spreadsheet of questions that are all [ __ ] stupid right do you do authentication yes let me ask you a question how was I authenticated this morning first name last name right how many of you know that I'm Kevin Johnson how do you know I'm a Kevin Johnson right I say that in class every once in a while the people like oh I saw a picture of you online I have an
identical twin brother I do sadly I'm the evil twin nobody authenticated me I walked up I said hi I'm Kevin Johnson they hand me a badge and they know me some of them right but I could be my brother would you know Mark yeah that exactly he's got a beard mustache it's really weird which you would think would be the evil twin but it's not so access control is one of the places we fail quite often for apis we also see the problem with data integrity right one of the main reasons we spent spin outs spew out apis all over the place is to handle data at some level whether it's a transaction processing data or
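On the access-control point made a little earlier (the API that answers "you must be Kevin, here is your record, please authenticate now", and the app that calls its API with one static credential for every user), here is an added example, not code from the talk or from Secure Ideas. `weak_get_record` is the shared-credential pattern: the API checks the app key and nothing else, so it cannot tell Alice from Bob and hands any record to whoever holds the key. `get_record` keeps the app key as a client identifier but also requires a short-lived, signed user token and enforces that the record's owner matches the token's subject. The records, secret, key and token layout are constructed for illustration; the token is a minimal HMAC design rather than any particular library's format.

```python
"""Shared app credential vs. per-user authorization on an API.

Added example, not code from the talk. `weak_get_record` is the pattern the
talk describes: every copy of the client app calls with one static key, so
the API cannot tell which user is asking and serves any record to the key.
`get_record` keeps the app key but also demands a short-lived, signed user
token and checks the record's owner against it. Records, secret and key are
constructed sample data; the token format is a minimal HMAC design, not a
real library's.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: held only by the API
APP_KEY = "app-static-key-000"                            # the one credential every app copy ships with
RECORDS = {                                               # constructed sample data
    "r-100": {"owner": "alice", "ssn_last4": "1234"},
    "r-200": {"owner": "bob", "ssn_last4": "9876"},
}


def weak_get_record(app_key, record_id):
    """Talk's pattern: only the shared app key is checked, so any caller with it reads any record."""
    if not hmac.compare_digest(app_key, APP_KEY):
        raise PermissionError("unknown application")
    return RECORDS[record_id]


def _sign(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_user_token(subject, ttl=300, now=None):
    """Issued by the API after the *user* authenticates; binds a subject and an expiry."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(json.dumps({"sub": subject, "exp": now + ttl}).encode()).decode()
    return f"{body}.{_sign(body)}"


def verify_user_token(token, now=None):
    """Returns the subject, or raises PermissionError for malformed, forged or expired tokens."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        raise PermissionError("malformed token")
    if not hmac.compare_digest(sig, _sign(body)):    # constant-time compare, checked before parsing
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < now:
        raise PermissionError("token expired")
    return claims["sub"]


def get_record(app_key, user_token, record_id, now=None):
    """Hardened: app key identifies the client, user token identifies the user, ownership is enforced."""
    if not hmac.compare_digest(app_key, APP_KEY):
        raise PermissionError("unknown application")
    subject = verify_user_token(user_token, now)
    record = RECORDS.get(record_id)
    # Same answer for "missing" and "not yours": error messages must not confirm which ids exist
    if record is None or record["owner"] != subject:
        raise PermissionError("record not found")
    return record


def allowed(app_key, user_token, record_id, now=None):
    """True if `get_record` grants access, False if it denies; useful for access tests in CI."""
    try:
        get_record(app_key, user_token, record_id, now)
        return True
    except PermissionError:
        return False


def tampered_token(token, new_subject):
    """Test helper: rewrite the subject but keep the old signature, to show the signature check holds."""
    body, sig = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["sub"] = new_subject
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode() + "." + sig
```

The procurement checkbox "do you do authentication?" is satisfied by both versions; only the second can answer "as whom?", which is the question that decides whether one user can read another's record.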
storing data whatever it is so what format is the data that you sent I just had a customer we're doing a scoping call we're doing we got the sow to them they like the sow they think they're going to sign but they got one important question this happened yesterday like okay what's your one important question it's weird to me that there's only one but that's okay and they're like your output can you put it in the format that Archer will input like great do you know what format Archer does as an input and the guy's like no I'm like we can put in that format like I don't know how to answer that question at that point right like
yes we can generate our output in a format that you can use but you have to give us that format you have to document it right when I worked at Alamo I was one of the developers building the quick rent system yes that means if you rented a car from Alamo there's a good chance your information went through my code I'll apologize now and when we talk to the Mainframe we sent a string it was a fixed width string the first four bytes was some ID the next 12 bytes was the first name the next 15 bytes was the last making this up right like the the numbers but this is how we did it and if you needed to do
a change in that data format like when we started offering uh I almost said high chairs um car seats thank you how could I not think of that word right it's in a car and you sit on it right but we'll go with that so in the car seat we started over it so we had to add a field and it was a binary field so that should be easy right but here's how we did it I stood up and I went Alan and like three Cube over Allen stood up he was the Mainframe developer he was older you knew that I need to add damn it I did it I car seat and he went
okay and he sat down and I kept standing because I knew it would be about a minute and then he popped up he goes how about 37 bytes in we'll expand it by one byte and you put a zero or one there okay great one means they want it zero means they don't want it yeah that works okay cool when can you get it into uat I could probably get that into uat Monday great cool I'll have my stuff in the uat by Monday as well and then we sat down and we started working on it that was our ticket tracking system Alan and me yelling over cue balls as groundhogs or Gophers what is that right
we're not talking about the Gopher protocol that thing was awesome I'm old that's data integrity because if he put his code into production before I did mine right here's the problem with apis that are exposed to the internet how do you yell at Alan you find Swagger documentation or a postman collection or you email them or chat with somebody and you tend to get somebody who's customer service and they don't know what the hell you're talking about and they've got to transfer you over right we pass data back and forth so the format is important how do you deal with the format how do you know what's the right format how do you go and make sure that the that you're
sending it to somewhere you trust how do you know where they're hosting it I've always enjoyed people that use the bitly links I shortened my link by putting it on bitly really you know bitly is a Libyan domain name now I'm not saying it's untrustworthy I'm just saying do you know when you send that stuff out there right how do you handle that and then the final thing we want to talk about I think I'm good on time okay I don't know which of these clocks is right that one's flashing like crazy right and my watch is like oh you're walking a lot that's good because my watch says I'm fat you know you're fat when you get out of
the car and your watch celebrates that you became active that happened yesterday I got out of the car I drove up from Jacksonville I park at the hotel I get out of the car and then watch you like you fat ass you're moving it didn't phrase it that way but it really was it was what it meant right the biggest problem that we see that people are unprepared for right his third party breach let's talk about Target I I like to talk about Target because of their name like you named yourself something people shoot at and then you got really popular because let's be blunt right you can't go to Target and not buy more than you
meant to buy I don't know how it happens you walk in you get a cart that's your first mistake and you push it around I have issues so I have a pattern I have to go around drives my wife crazy my wife's the only semi-normal person in the house both of my daughters have Tourette's I told them both this is great you get to just rent me out [ __ ] and nobody can judge you I'm a very supportive father I have twitches and things like that right we go to dinner and the waiter or waitress comes by and Brenna Sarah and I are all twitching away and Denise just sitting there calm and they look at her
and go I'm so sorry she gets lots of sympathy that way it works but when we go to Target right how many people here know about Target getting breached right how many people can tell me the HVAC company that was actually breached because you know Target wasn't right yeah it was a vendor it was a vendor that managed their hvacs and again didn't work the incident I'm talking about public information it was a vendor that managed their HVAC systems that vendor got popped that vendor had access to an accounting API that allowed them to submit invoices and expenses and things like that do you know what else the accounting systems had access to the point of sale Network now I don't
mean to pick on anybody but of course the accounting systems have access at some level to the point of sale Network why because point of sale systems are accounting because they count no no you know what I mean and that's how they got pop but nobody knows about that what about Delta how many people got notified from Delta that your information got stolen a few years ago okay thank you very much for making me not feel like I'm the only dude that got hit right right do you know how Delta got had oh wait they didn't their chat provider got hacked they had an API that enabled them to deploy a chat system to their website to make it
easier for customers to get information and as somebody who uses Delta all the time and I want to be very clear I don't care what airline unless you do like Southwest or Allegiant or something like that but all yeah I was picking on you and um all Airlines suck until you get status and all status means is that when you get bumped from a flight they'll help you better right that's it it also means you flew around way too damn much okay people like oh man you have status on an airline you must be so cool no I'm nerdy and in a tube way too often with people I don't know and by the way if you're ever on a
flight and I'm on it get off there's going to be a problem I was just on a fight they pulled the guy off on in handcuffs right I'm never the cause of the problem but I was in two fist fights on planes and I want to be very clear when I say I was in a fist fight I mean I was physically located between the two people that were punching each other one guy was in the row ahead of me the other guy was in the row behind me I don't know how the [ __ ] those two guys started talking it was a red eye I woke up and they were fighting in the space between the top of
the chairs and the suitcases I didn't know what was going on I'm like oh crazy I just have bad trips on flights like the one I got on a plane once and I got up and there was a dude I swear to you the story is true I get on the plane guys in the window I'll see I'm in the window what do you say hi sir I'm in the window if I if you were the dude in the aisle and I said hey I'm in the window what would you do you get up right right the guy says you have a room so put them back in the overhead I say to the guy sir I've got the window seat
and the guy goes you have room so I said sir I don't mean to be rude because you could be stuck in this tube with this dude for six hours right you got to be polite so Isaiah sir I'm very sorry but is it possible that you could get up so I can get in and I swear to you this is a true story the guy looked me in the face and said I don't have any legs you can move me if you want and I looked down and he didn't so I didn't know what to say so I heard come out of my mouth a lot of times things come out of my mouth and
then I realize all I heard coming my mouth was you're right I have room I didn't know what else to say like I it was the awful it was awful right but one of the things we have to be prepared for right nobody knows the chat provider see it's relevant Nobody Knows the chat provider that got hit you bite but you don't you know Delta got hit why because Delta's the name let me ask you a question how many apis does your company call you don't know right yeah lots how prepared are you for when that company gets popped is it your name or their name that's going to be on the site let me very
clear John strand told me years ago it's actually why I switched to use Google as our email solution for the company because John said this Kevin everybody gets hacked it's true right the NSA got hacked their entire job is to hack other people they got popped if the NSA can't keep stuff secret what the [ __ ] am I gonna do I'm a nerd that barely made it out of high school where'd you get your degree achs what's that Atlantic Community High School I'm sorry diploma but I suppose make jokes like that at a college I don't know and um he said when security is his mail server gets popped do you want the article to say security
as his mail server got popped or do you want the article to say Google's mail servers got popped and security has happened to be on there second one right and I don't mean that's not really why we switched it right but the reality is if there's two parties in a system one of those parties his name is going to be on that article is it yours or theirs on top of that even if it's their name it's your customers it's your people it's your data how do you handle that because I'll tell you right now if you're working with an API let's I don't know you're using the HubSpot apis right and HubSpot gets popped
do you think HubSpot is going to let you talk to their IR people to find out what happened no so are you prepared for that third party breach that gets access to your data are you prepared for the third party breach that then pushes malicious code into your system because your system is taking data from that API and displaying it and the reality here though is all of this stuff sucks all of this stuff is bad apis will kill us all you know your life expectancy is two minutes it is but Every Breath You Take resets the counter apis suck but they actually make our systems better in many cases we are able to leverage
organizations that have better experience at the thing they do so that we can focus on the thing that we do right I'll put secure ideas HubSpot was a purposeful example we use HubSpot for our systems we use HubSpot as our CRM I'm not revealing Secret Sauce here by the way the secret sauce is just thousand island dressing okay I worked at McDonald's a long time it's a little bit more ketchup we use HubSpot you can find that out by going to our website you can look at the HTML that comes down and know that was generated by HubSpot okay and I like that because it means unlike five years ago when we built our site using Gatsby and
react and we deployed it through GitHub using AWS to push it out we don't have to worry about whether the website's running right we push that off to somebody who does it better than we do and then we focused on security we focused on our clients we focused on the advisory Services we focus on the pen testing right apis are going to make us better we just have to understand the risks we expose by using them we have to understand the risks we exhibit within them test your [ __ ] please note I did not say higher secure ideas to test your [ __ ] you can don't get me wrong I'm a greedy capitalist I've got 26 people that
demand a paycheck every two weeks it's ridiculous and they want benefits health insurance whatever right but the reality is you can do what we do and we'll help you just ask we're not lawyers we don't bill you for questions we don't bill you when we think of you you want to test your own apis call us up talk to us hell we're doing a class through anti-siphon especially on API testing go take it and that's not a sales pitch I believe it's one of the pay what you can of course is because we want all of our courses to pay pay what you can which means free if that's all you can pay and by the way you don't have to tell us
why you need it for free but ask Hey Kevin what do I do here oh this is what you do okay thank you very much any questions I think that clock is right right I got nine minutes am I right about that three minutes damn it that clock's not right questions yes sir
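The fixed-width contract from the Alamo story above, as an added example of the data-integrity point (this is illustration code written for this page, not Alamo's or Secure Ideas' code; the field names, widths, sample values and the "car_seat" flag are constructed). It shows what happens when one side ships a layout change before the other: a consumer that slices by offset without checking the record length silently drops or invents data, while a consumer that enforces the agreed length and the flag's allowed values rejects the mismatch instead.

```python
"""Fixed-width record contract with a strict length check.

Added example for the Alamo/Alan story: field names, widths and sample values
are constructed for illustration and are not Alamo's real layout.
"""
from typing import Dict, List, Tuple

Layout = List[Tuple[str, int]]  # (field name, width in bytes)

# v1: 4-byte ID, 12-byte first name, 15-byte last name (31 bytes total).
LAYOUT_V1: Layout = [("id", 4), ("first_name", 12), ("last_name", 15)]
# v2: Alan's change, one byte appended at the end for the car-seat flag.
LAYOUT_V2: Layout = LAYOUT_V1 + [("car_seat", 1)]
FLAG_VALUES = {"0", "1"}


class FormatError(ValueError):
    """The record does not match the layout both sides agreed on."""


def record_len(layout: Layout) -> int:
    return sum(width for _, width in layout)


def encode(layout: Layout, values: Dict[str, str]) -> str:
    """Producer side: pad each field to its width; refuse values that overflow."""
    parts = []
    for name, width in layout:
        value = str(values[name])
        if len(value) > width:
            raise FormatError(f"{name}: {value!r} longer than {width} bytes")
        parts.append(value.ljust(width))
    return "".join(parts)


def _slice(layout: Layout, record: str) -> Dict[str, str]:
    fields, pos = {}, 0
    for name, width in layout:
        fields[name] = record[pos:pos + width].rstrip()
        pos += width
    return fields


def decode_lenient(layout: Layout, record: str) -> Dict[str, str]:
    """What a naive consumer does: slice by offset and never check the length.
    A version mismatch is silently absorbed: extra bytes are dropped, missing
    bytes come back as empty strings."""
    return _slice(layout, record)


def decode_strict(layout: Layout, record: str) -> Dict[str, str]:
    """Consumer side: reject anything that is not exactly the agreed length,
    and reject a car-seat flag that is not 0 or 1."""
    expected = record_len(layout)
    if len(record) != expected:
        raise FormatError(f"expected {expected} bytes, got {len(record)}")
    fields = _slice(layout, record)
    if "car_seat" in fields and fields["car_seat"] not in FLAG_VALUES:
        raise FormatError(f"car_seat: {fields['car_seat']!r} is not 0 or 1")
    return fields


if __name__ == "__main__":
    # Constructed sample: the web side (v2) ships before the mainframe (v1).
    values = {"id": "0042", "first_name": "Kevin", "last_name": "Johnson", "car_seat": "1"}
    v2_record = encode(LAYOUT_V2, values)
    print(decode_lenient(LAYOUT_V1, v2_record))  # the flag is silently lost
    try:
        decode_strict(LAYOUT_V1, v2_record)
    except FormatError as err:
        print("rejected:", err)
```

The strict decoder is the one to keep on the internet-facing side of an API: when you cannot yell at Alan over the cube wall, a rejected record with a clear error is the only signal you will get that the two sides no longer agree on the format.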
Okay, so what can you do with your DevSecOps teams to proactively help the security of your APIs? First off, stop working with DevSecOps teams. Start working with developers. Nothing wrong with DevSecOps, I'm not saying that's wrong, but we focus too much on security, right? What we need to do is have developers understand what they're doing, right? What I would recommend doing is ensuring that whoever is developing this code, whether it's a third party or you, that they have unit tests focused on security. Make sure that as they build these APIs they understand the architecture of what they're doing and who's calling what's there. Those are the two things I'd start with. Make sense? Okay.
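What "unit tests focused on security" can look like for the access-control failures described earlier in the talk (one set of credentials for every app, nobody checking who the caller is), as an added example: this is illustration code written for this page, not Secure Ideas' or any vendor's, and the endpoint, tokens, scopes and reservation records are all constructed. The handler checks authentication, scope and object ownership as three separate steps, and the test class pins every negative path so that a refactor which drops one of those checks fails the build rather than shipping.

```python
"""A minimal reservations API handler with object-level authorization, plus the
security unit tests kept beside it.

Added example; the endpoint, tokens, scopes and records are constructed and are
not Secure Ideas' or any vendor's code.
"""
import unittest
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

JSON = Dict[str, object]


@dataclass(frozen=True)
class Session:
    user_id: str
    scopes: frozenset


# Constructed sample data: two customers and one integration credential.
RESERVATIONS: Dict[str, JSON] = {
    "r-100": {"owner": "alice", "car": "compact", "car_seat": True},
    "r-200": {"owner": "bob", "car": "suv", "car_seat": False},
}
SESSIONS: Dict[str, Session] = {
    "tok-alice": Session("alice", frozenset({"reservations:read"})),
    "tok-bob": Session("bob", frozenset({"reservations:read"})),
    # The invoicing integration gets its own credential with its own scope,
    # rather than one set of credentials shared by every app.
    "tok-invoicing": Session("svc-invoicing", frozenset({"invoices:write"})),
}


def authenticate(token: Optional[str]) -> Optional[Session]:
    """Map a bearer token to a session; unknown or absent tokens get None."""
    return SESSIONS.get(token) if token else None


def get_reservation(token: Optional[str], reservation_id: str) -> Tuple[int, JSON]:
    """GET /reservations/{id}. Authentication, scope and ownership are each
    checked explicitly; the record is only looked up after the caller is known."""
    session = authenticate(token)
    if session is None:
        return 401, {"error": "authentication required"}
    if "reservations:read" not in session.scopes:
        return 403, {"error": "insufficient scope"}
    record = RESERVATIONS.get(reservation_id)
    if record is None:
        return 404, {"error": "not found"}
    if record["owner"] != session.user_id:
        return 403, {"error": "not your reservation"}
    return 200, {"id": reservation_id, **record}


class ReservationSecurityTests(unittest.TestCase):
    """Security-focused unit tests: every negative path is pinned, so a refactor
    that drops a check fails the build instead of shipping."""

    def test_owner_reads_own_reservation(self):
        status, body = get_reservation("tok-alice", "r-100")
        self.assertEqual(status, 200)
        self.assertEqual(body["car"], "compact")

    def test_anonymous_and_unknown_tokens_get_401(self):
        self.assertEqual(get_reservation(None, "r-100")[0], 401)
        self.assertEqual(get_reservation("tok-forged", "r-100")[0], 401)

    def test_other_customer_cannot_read_it(self):
        status, body = get_reservation("tok-bob", "r-100")
        self.assertEqual(status, 403)
        self.assertNotIn("car", body)

    def test_integration_credential_lacks_scope(self):
        self.assertEqual(get_reservation("tok-invoicing", "r-100")[0], 403)

    def test_missing_reservation_is_404_only_when_authenticated(self):
        self.assertEqual(get_reservation("tok-alice", "r-999")[0], 404)
        self.assertEqual(get_reservation(None, "r-999")[0], 401)


if __name__ == "__main__":
    unittest.main()
```

Running the file directly executes the test class. The tests deliberately name the caller each time (customer, other customer, anonymous, integration service) so that the second recommendation in the answer, knowing who is calling what, is written down in the test suite rather than left in someone's head.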
Keep pointed somewhere over here. Oh, I've got goodies to give out! I forgot, damn it, I forgot the goodies, sorry. What do I do with this again? Yeah, okay. So because you asked the first question, who just asked? Thank you, here.