Enterprise security teams are dealing with a deluge of API deployments from internal SOA, B2B partner APIs, corporate BYOD initiatives, and open developer community API innovation. Applying consistent threat protection, authentication, rate limits, security standards, and general corporate visibility into API security vulnerabilities from device to the server side is a complex endeavor.
To illustrate the issues, we dive into an example of abusing web application APIs through the use of associated Android apps. We'll demonstrate using the JVM based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a frictionless mobile experience, such as removing the need for captchas, email validation, and other usage restrictions.
Daniel Peck is a research scientist and data junkie at Barracuda Networks, he is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content and non content based systems to identify malicious accounts on Twitter/Facebook, exploiting programmable logic controllers, and identifying/classifying malicious javascript. Peck has a Bachelor's of Science in Computer Science from the Georgia Institute of Technology.
Blake Dournaee is currently the Sr. Product Manager responsible for Intel Expressway line of API Gateway and Data Protection software products. Blake was a specialist in applied cryptography applications at RSA Security and is frequent speaker at API and PCI-DSS conferences. Blake co-authored the first book on XML security "SOA Demystified" from Intel press. Blake blogs at Intel's Application Security site.
Intel Expressway Software for API Management & Compliant Data Protection
Intel delivers a portfolio of enterprise-class data center software products designed to help expose app APIs and data across on-prem, cloud, hybrid, and mobile environments. Includes on-prem and SaaS API management portal solutions seamlessly integrated with an API Gateway for security. Visit intel.com for more.