CCT 174: Exploring Application Programming Interfaces (APIs) and Security for the CISSP (Domain 8.5)
Sep 09, 2024
Want to stay ahead in the rapidly evolving world of IT? Join Sean Gerber on the CISSP Cyber Training Podcast as he discusses the essential skills you need to thrive in this dynamic field. You'll get a personal peek into Sean's consulting career and his family business ventures before diving into the nuts and bolts of Domain 8.5 with a focus on Application Programming Interfaces (APIs). Learn how APIs serve as the backbone of modern software applications, facilitating seamless data exchange and communication, and discover why mastering this technology can be a game-changer for your career.
Explore the intricate world of APIs with real-world examples, such as how ride-sharing apps integrate with Google Maps for optimal functionality. Sean breaks down the three types of APIs—public, partner, and private—explaining their unique benefits and specific uses. With practical insights, you'll understand how APIs can enhance productivity and efficiency within organizations. But it’s not all about benefits; this episode also tackles the critical issue of API security. Sean delves into common security vulnerabilities like API abuse, key theft, and injection attacks, providing best practices to safeguard your systems against these threats.
Finally, the episode outlines effective strategies for API key management and security. Sean emphasizes the importance of treating API keys with the same level of caution as passwords, offering tips on key rotation, limiting permissions, and employing API gateways for added security. To wrap things up, discover how you can benefit from and contribute to the CISSP Cyber Training Donation Program, which supports children and financially challenged parents through flexible training packages. Tune in to not only advance your cybersecurity knowledge but also make a positive impact on society.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go cybersecurity knowledge.
Speaker 2:
All right, let's get started. Hey y'all, it's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautiful day today. Today is Monday, and on Mondays we start getting into the content for the week, and this week is over Domain 8. So it's going to be exciting. Yes, we're going to get into APIs or application programming interfaces. Yes, it's going to be pretty riveting I know it will. So I hope you all have had a great week this past week.
Speaker 2:
For me and my family it has been an interesting one. Yeah, we just are in the process of winding down from my wife's Kona franchise and so that's slowing us down. But now her coffee business is picking up a little bit and my consulting business is just firing away like ever. It's staying positive and busy for right now my contract's up at the end of December, so this is the first year that I've experienced something in the consulting world. So we'll see what happens after December. Yeah, getting a little bit squirrely right now just because, okay, what's the plan? And I don't really have one. I have something sort of kind of, but at the end of it, yeah, we'll see how it all plays out. So consulting is fun. It actually it's very revolving revolving is the word. It's refreshing, it is, the pay is better and it is one of those that's positive. But on the flip side, yeah, there's always that looming end of your life moment where you're going okay, now what's the next thing to do? So, yeah, that's the only downside that really is the only downside is working through that. But, that being said, you're not here to hear about my consulting challenges. You are here to hear about the Domain 8.5, and we're going to be getting into APIs.
Speaker 2:
But before we do, one of the things that we're going to talk about is the jobs available in technology for the United States. There's a couple articles I'm actually going to bring up. One is around jobs and another one is around removing four-year requirements. So this article is actually pretty in-depth and I don't want to take too much time going over it, but it's in Computer World and it goes over what is the job outlook for IT professionals. Right now, they're saying that the job unemployment rate is about 4.3% and that the IT unemployment rate is going to be probably around 4.3%. So they're probably going to be close to they'll be about the same. That being said, now this is coming from them and this is CompTIA's report that they provided. They talk about some of the main areas where there's going to be some growth in the IT sector and that they recommend potentially moving towards. Obviously, software development, data scientists, network architects, tech support all of those pieces they see growing.
Speaker 2:
Now I didn't mention in there, obviously, security. Security is a very niche field and we all know that it's growing. There's no way around it, but it is a very niche space and a lot of the roles that they're talking about here are a little bit more broad. In general, one of the pieces I saw that obviously I would highly recommend any of you getting some level of knowledge around is AI. Obviously, you know it's a very, very, very specific field and you would have had to spend a lot of time in that area prior to the big boom that it took off. But, that being said, because there's more and more companies that are globbing onto it, I would highly recommend that you diversify your portfolio with your resume basically saying what do you know about AI, can you talk to it, what are some different concepts and if you can take a course on it? I would recommend that. That's actually one of my goals that I want to do here in 25 is take a course on AI. I understand the concepts and the basics around it, but that's not enough to be a good security professional to help with understanding the overall risks. It's better if I had a little bit of education myself on AI, so I would highly recommend you do that.
Speaker 2:
One thing that I did want to highlight in this article that I thought was good or was interesting, and I think it's important that you all that are listening to this I got a lot of folks that listen to this podcast are IT professionals that are maybe a little bit longer in their career and are trying to figure out what is the next step or being required to make changes due to the fact of regulatory aspects. One thing that he said that he shows in this article this is from a different group that the actual IT unemployment rate is probably going to exceed the national unemployment rate. So what they're saying and he's pointing to upwards of six percent this is from a BLS and it's just another by a gentleman by the name of Copy or Janko and Associates, and they feel that it's going to be higher for IT professionals than it is for the standard unemployment rate. So I would probably, as a conservative person, I would hedge my bets and go it's probably somewhere in the middle and probably think about if you're looking to make a change, you probably start getting some aspects and some training on how to make that change.
Speaker 2:
If you're in a career that you feel is probably winding down, I will tell you that the whole AI ML piece of this is going to offset many things that occur within traditional IT. So I think getting ahead of that is an important factor. The sooner you can get ahead of that, because it's going to take just expect for your training, for you one to get some training around it and then two to get some experience. Whatever that might be pro bono work or just the fact that you're trying to learn as you go. It's going to take a year. So if you see that potentially your career might be at maybe short-circuited by the AI trends that are coming, I would start working on that now. It's not going to go away tomorrow, but within the next couple of years you're going to see a dramatic change in technology, positions that were legacy, if you would say, and the automation is going to take over a lot of it.
Speaker 2:
Because, again, if employers can look at ways of reducing their overhead employees are one of them, and I know that may sound a little cold and callous, but coming from a professional that I mean I did that right. You don't mean it to be negative and you don't mean it to be callous and cold. And there are people out there that unfortunately, don't take people's feelings into account and offer up different training opportunities. But just you're big boys and girls. You understand the fact that you, the only person that cares more about your career than you is no one. It's you. You care more about your career than anybody else. So it's up to you to make the changes to help you get in life what you want. So I would highly recommend you read the article. Again, they got 24 different IT skills that they recommend you learning, automation and obviously cybersecurity. Analytics are in there. But again, this is from Computer World. That's the one article.
Speaker 2:
The second article I wanted to real quickly touch on, which I think is amazing and I think it's good and it's about bloody time is the fact that US government is removing four-year degree requirements for cyber jobs and this is off of Security Week. Now, the removal of unnecessary degree requirements in favor of skills-based hiring is an aggressive push to fill a half million open cybersecurity jobs. So I think this is a great step. I've been calling this for years you don't need a four-year degree to get into the cybersecurity space. Honestly, I would recommend a little bit maybe a two-year degree, just because it gives you maybe a little bit better foundation and you're invested into the technology better, because you're forced to because of college. But if you've been dealing with some level of IT for quite some time and you have a good understanding of cybersecurity or you are building it like you're listening to this podcast you're building that capability there's no reason you should have a four-year degree and they should require that. It is just, unfortunately, the HR folks that don't know how to classify you all. So therefore, if I put a requirement for a four-year degree, it's an easy box to tick. So again, they're talking about this. I would highly recommend go checking it out. They're talking about how the fact that our nation needs cyber talent and that they are seeing shortages, working with both local governments, academia, private sector. It's a huge factor, so I would recommend it. It's a short read, not long at all. I'm actually looking with a company doing a startup that is around training. Hopefully that will be a big push here soon. I think there's a lot of great opportunities there in that training space, because there's just so many jobs available that there's just not enough people for them. Okay, so that is what I wanted to quickly go over.
Speaker 2:
As far as the articles I saw, again, a lot of great articles. Go to infosecindustry.com. Great stuff there. Awesome place to go to get your daily update of articles. Also, go to CISSP Cyber Training yes, I got to put the plug in. Go to CISSP Cyber Training. A lot of free content out there. These podcasts in video format are on my blog. Go check them out. Also, if you go and you purchase any of my CISSP Cyber Training paraphernalia, which is basically the training programs, if you purchase any of that, all of that money is going to our nonprofit for adoptive families. Again, I'm pushing that plug out there. We've been having some great feedback from people and some great people signing up, but again, all the proceeds from my courseware goes to our nonprofit every little bit of it. So we feel very confident in our nonprofit with helping adoptive families adopt kids, because that's what's important in life. Nothing is more important than kids with their families. So we think that is our goal.
Speaker 2:
But enough of that, let's get into application programming interfaces. So what are we going to talk about today? Today is domain 8.5.2. If you got the ISC squared book, which I have open in front of me like my Bible, it's sitting here looking at me yeah, so this is what we're going to be getting into with APIs. Now some of you may be going yawn, I know everything there is to know about APIs. Okay, great, then you can move on to the next podcast. However, if you don't which I will say, even myself, as a crusty old security person, had some didn't understand everything there was to know about APIs. And I will tell you this is not everything there is to know about APIs. The one thing that it did help me If you're asking you questions on the CISSP, this will not give you all the answers, but it will give you a good context of what is an API and, as it relates to security, what should you be concerned with? So, APIs, what does this mean? Well, when you're dealing with APIs, they are designed to kind of help interact or interconnect everything that's going on now. If you're old person like myself and you are have been in the IT industry they're.
Speaker 2:
One of the biggest restrictions you had with different technology was its ability to communicate with each other. They all talk different languages. One was talking shark, one was talking dolphin, one was talking manta ray. They didn't talk real well, so you had to create interfaces between the different systems to help translate, like in Star Trek the translator. You got to have that in between. Well, APIs came into place as a foundational piece that allows applications to talk to each other and they talk it as the building blocks of the modern software applications enabling seamless communication and data exchange between different systems, and they work really well. And the thing is they've worked so well that they have become almost intertwined as a fabric within these various different applications and the web. So it's rules and protocols that allow applications to communicate with each other and they do this to interact and data change between them.
Speaker 2:
So now you have different types of APIs. There's basically three types of APIs. There's a public, a partner and a private. So you have your public APIs. These are exposed to external developers and so let's say, for example, I have an application and I want people to be able to communicate with it. I'll use QuickBooks for an example. So I have my booking information for all of our businesses. I have a set of books, like our accounting, that is done on QuickBooks, right? So QuickBooks is out there and QuickBooks has APIs, so they're designed so that, if you create some sort of software program that needs to dump financial data into another piece of financial data, it would be QuickBooks. It would dump it into that. It has an API to connect with that. So the point, though, is then those are those interactions and interconnections between the two. That's a public API.
Speaker 2:
A partner API is one that's shared between collaborating organizations. So, say, you have two companies that collaborate, and in the past, we used to have VPN connections between these different companies, and one of my big things I used to do was I would get out my pitchfork and my torch and I would go and try to find the nearest VPN witch that I could go and put burning at the stake, because I hated VPNs, and so you want to get rid of your VPNs, especially interconnected VPNs from business to business. Bad idea, really bad idea. So it was probably a decent idea at some point, but we did that because we didn't have interconnectivity between these organizations. Well now, with a partner API, you can actually go and collaborate between organizations with these APIs and they can connect back and forth and you therefore share only the data you want to share. You're not sharing like a VPN. Well now I have to limit Bill from accounting company B access into my network because now, but I goofed up and Bill from company counting B now has access to all of my company A bad idea. So again, VPNs bad, APIs good. Private APIs: these are used internally within an organization.
Speaker 2:
So maybe you have application between application communications and you want to have those APIs communicate. That would be a private API. So then there's different types of keys and we're going to get into keys here in a minute. But just think of the key as the more or less like the key right that unlocks the door, but think of it as the password to get into your organization to those various communications. Now, these keys and a public. You have public, private and OAuth tokens. Your public keys these are keys that are available to anyone that can be used to access your public APIs. There's good and there's bad with that. Depends on your public API. How much activity, what does it allow you to do that? Again, you got to decide what are you allowing access to. The other one is a private API key. These are used for specific applications or users and intended for internal or partner use only. And again, those are the private, specific keys. Now we'll get into keys and some of the challenges with them here in a little bit. But bottom line, you have public, private and then you have tokens, right.
Speaker 2:
So, as you talk about OAuth, OAuth is your typical authorization protocol. If you use these tokens instead of API keys, which is basically authentication. So now you have, then authentication is tied to Sean, or authentication is tied to some service. It doesn't have to be a user, it could be a specific service account, a service in and of itself. These tokens then are generated dynamically. And then what happens? Well, your public and private keys are typically hard-coded into the application or you may have a key management system that they're used with, but they typically don't change frequently. I say that because there's really good people out there that would email me back saying, well, we change ours all the time and that's good, that's great. Some people do that and they have an automatic key rotation capability. Awesome, good on you. But most times in API keys they don't change that frequently and because when you do change them, what happens? Things break. OAuth tokens allow that interaction between the two to give you that communication back and forth, but it also allows a token to expire, which then makes it a much more secure engagement. So those are the types of API keys.
Speaker 2:
So what are the importance of APIs? Why do we do it? We've kind of already mapped to this a bit, but just think of it as an example. APIs, they integrate different features from different systems. So one example that's out there is a ride sharing app, right. So if you got Uber, any of these other ones that aren't there, it can integrate with the mapping API from your Google Maps to provide real-time directions and location and tracking. So it takes the map part of this of Google Maps and superimposes the car on top of it. So you can see that interaction is cool, works great, tells you what's going on. Looks like magic, right, FM, flipping magic. Looks like it, and it is actually and realistically, you think about how this all works and how everything works almost seamlessly. Yeah, it's crazy.
Speaker 2:
Improved efficiency. It does allow streamlined workflows and reduces manual tasks. That's the goal. We just talked about that briefly a little bit earlier. If your role is a manual task role, especially in IT and potentially in security, you want to be looking at a job pivot change. Because if it is manual and what you're doing is lift up the box, put the box over there, if you do that from an IT standpoint, your job will go away, I guarantee so. It just depends upon when. It might be a year, two years, maybe five years, but within five years if you have that kind of job, you're probably going to be out of a job.
Speaker 2:
Faster deployment, reusable components they accelerate the application creation, they allow a lot of different things to happen and they can leverage existing APIs for common tasks like authentication and data storage. So again, faster deployment, improved efficiency and then innovation. It does allow to have some level of, or a lot of innovation. So good platforms such as Facebook and Twitter. They are largely attributed to their open APIs, which have enabled vast changes within the third-party applications that communicate with them. So, if you think about it, you've got the touchstone of Facebook, but all the companies that interact with Facebook, whether you like them or not? That's a moot point. The point of it is, though, is these third-party applications that have stood up and started up out of nowhere that now utilize the APIs with Facebook, have created businesses in and of themselves, so it's a great opportunity.
Speaker 2:
The utilization of APIs. Now, what are some typical uses of APIs? Well, we've got web services right, so you have your standard web service. Your weather API provides real-time weather updates. You get those pushed to you, sometimes as well. All of that stuff through the app. All of that is done through API connections, so that's web services. Mobile app development that's kind of what I talked about. Pushes on your phone. Same concept. They use web access for data content, interact with users.
Speaker 2:
I've been looking at potentially investing in an Airbnb. I get updates from the company that subscribed to to give me updates on how would you do with pricing, how would you do with this? How would you do with that? All that stuff gets pushed to you. So this is something that's near and dear to my heart is security around IoT, IoT devices, connecting and controlling devices through APIs. Again, smart home thermostats using APIs that connect. All of those pieces are just being done behind the scenes, and therefore it's a really great way for activities to occur within your organization, within your house, within your business, whatever it might be.
Speaker 2:
ERP systems, you know, you have your enterprise resource planning systems, all of that stuff, integration with your billing and your credit card systems, machine learning, AI systems, ChatGPT all of that stuff is done through. I said all all is a very inclusive word. Most of that majority of that processing that is being done is being done through API connections. So we got the API. So now what are some common attacks that you do run into? So we're going to get into about seven different attacks. Now there might be more out there, but I just these are the seven that I kind of globbed onto.
Speaker 2:
One is API abuse. What does that mean? Well, it's when you overload the API with excessive requests and then, like we talk about in the old days of your web, I say it's old, it's not old, but you have your web requests, you have your posts and your push that are done for web requests. It's the same concept with APIs. If you have excessive requests, it can lead to a denial of service attack on a specific API, which can then lead to resource exhaustion. Now, basically, overloading these APIs can cause allow attackers to manipulate data, steal sensitive data information or gain control over these systems. If your APIs are being used in an unencrypted format, it makes it even easier.
Speaker 1:
So again the API.
Speaker 2:
If somebody knows that there's an API that's being used a lot and then if there's no way to rate limit what's actually going into that API, they can create a DDoS attack on a very specific area. So think of it this way. In the past, you have a big tube of a fire hose that's going in and out of your organization. They would have to create a lot of data to go in there and create a DDoS against your organization, because the amount of volumetric attack that would be there would be huge. But now, if you have an API that's a very tiny little firehose that's going into your API or you don't have a way to monitor how that's happening, you really quickly could overwhelm it and then end up creating a denial of service attack.
Speaker 2:
API key theft. Okay, so we talked about key theft or keys a little bit ago and the ability of them being hard-coded into many applications. If your API key is potentially stolen for that API, it could allow individuals access to databases or systems storing your data, and this is why it's really important that you don't have API credentials hard-coded into the application unless you are not expecting any sort of further interaction with that API into your environment, and I still don't recommend hard-coding them if you can avoid it. The hard part is when you have citizen developers or people that are developing this content. Sometimes they don't know that maybe have a key management system and then how that integration would work. So you, as a security professional, are going to have to come forward with all your developers and walk them through. How are they supposed to store their keys? How are they supposed to interact their keys within their application? It's important for you to do that, and so just think about the fact is that maintaining that those keys are just like any other password in your organization. They may not look like the typical password that a user will use, because they're like gazillions of lines long they seem to be but they're just as vulnerable as a password and somebody else's credentials. So you want to think about that.
Speaker 2:
Phishing attackers may use phishing tactics to trick users into revealing their API keys. That's assuming that the individual knows what an API key is. Again, they would potentially attack your developers. API injection attacks this is where you would inject malicious code into an API request with the goal that it could compromise the databases on the back end. Same concepts that you would do with a web form your SQL injection, cross-site scripting injections those same kind of concepts, but you're, instead of doing it on a web form, you're just doing it in an API, which is the same concept. It just truly is. It just doesn't have a front end, that you're actually going and dumping the information in and then hitting mash the button that dumps it into the database. You're just sending it through an API call which is accomplishing the same task. It's just there's no pretty front end that it's having to deal with in most cases. API fuzzing this is where you're doing automated testing around the APIs with various inputs to see if you can identify vulnerabilities. Same concept with a web page. You're putting different types of inputs into the input form, seeing what comes back. The fuzzing can uncover vulnerabilities like buffer overflows, memory leaks and unhandled exceptions. So again the same concepts. You deal with everything else.
Speaker 2:
API reverse engineering this is analyzing the API's behavior and then how to understand its inner workings. One thing that we would do in the past is if I had a server, a web server, I would throw junk at it and see if it would throw up all over itself and just roll over and go. I can't do this and then give me back an error code, and then that error code would tell me a little bit about what's behind the curtain. So I use a Land Wizard of Oz kind of analogy. That's, the man behind the curtain. Tells me a little bit about what is going on.
Speaker 2:
So, same concept when you're doing the reverse engineering with APIs, and then, in turn, you can exploit the vulnerabilities that you may discover, because maybe they're running an Apache 1.0 server on the back end of this API, which would be a bad thing, right? So kind of, keep that in the back of your mind. API man-in-the-middle attacks. This is where you can same concept as you are now have an individual that is acting as the intermediary, allowing them to intercept and manipulate requests from API responses, and they're just able to glean the data between those two pieces. They can steal sensitive data. They can do all of those pieces. And then the last one is an API bot attack. This is used to automate interactions with the API and then again, malicious purposes through an automated process or potentially even a denial of service attack. Okay, so then when you're talking security best practices, what are some security best practices around APIs? Well, you want to.
Speaker 2:
There's various different pieces and we're just going to go through a few of them, just to kind of wet your whistle, as they would say, as an old person like me would say, but to get you to understand what's kind of happening and, as you hear these, you're going to go well, a lot of these are very similar to web apps. Yeah, you're right, very, very similar because, like I said, other than the pretty front end, they're about the same thing. So, input validation you validate and sanitize the data going in to prevent, obviously, SQL attacks and cross-site scripting type attacks. That's an important one. Output encoding this is where you avoid cross-site scripting attacks by basically you encode the HTML content to prevent cross-site scripting that could inject the malicious scripts into your web pages. Again, same concept. Authentication and authorization this is where you're utilizing OAuth and OpenID Connect to then authenticate that API connection.
Speaker 2:
I highly recommend, wherever you possibly can do authenticated APIs, where you can. You can't always do it, I get it, but if you can authenticate, it's important and we'll get into some of the hardware, the equipment that goes into this, such as a gateway. The more that you can have visibility into your APIs, the better. I will tell you point blank APIs scare me. It's like that hammer man. It's a great tool for putting in a nail, but, man, it can be used as a weapon and it can hurt a lot of people, and so the part of it comes into is APIs unregulated, uncontrolled, can lead to disaster within an organization if the bad guys and girls figure out how to get in. In many cases not most many they are not being adequately watched by organizations, especially in medium-sized organizations. They just don't have the manpower or the budgets to be able to afford some of the technology to watch these APIs. So it's important that you do the best practices as best as you can.
Speaker 2:
Error handling. Again, error handling, gracefully, to prevent information disclosure. You know you don't want the thing to barf up some information about your business and what's going on. You want it to be able to be hey, there's an error, ah, sorry, out of luck. Have a nice day. Call service desk.
Speaker 2:
Security testing. Again, you need to conduct regular security assessments to identify vulnerabilities, and one of those security testing would be even just discovery to understand what APIs do you have in your environment. I come back to that as one that I actually, as I'm talking here, I left off. But discovery, I would work really hard to determine where are all the API connections, who has the ability to make them, and then discovering where they're at, just really important part. One thing is security, security best practices. You're looking at different security appliances, right? So VPNs those are appliances that you can use to help with this overall traffic of APIs. Now, I say that in the fact that they allow you to communicate in and out of the organization, but when it comes right down to it, those are different aspects around APIs that if you need to use a VPN, there might be a reason why you don't use an API and you would want to use a VPN. If you do use a VPN for allowing traffic to go in and out of your organization, I would highly recommend that you have a good level of understanding of what is communicating into your environment.
Speaker 2:
Web application firewalls. This is another one that you can utilize to help with this overall, from cross-site scripting injections as well as SQL injections. The reason I say that is because a lot of times they have the ability to inspect the traffic as it's coming in and out of the system. So it's important that you use that to maybe give you an idea of what's going on. If your API is not encrypted, they can do packet-level inspection and potentially could look to see if there are any sort of malicious packets that might be incorporated within these API connections. Same thing with IDS and IPS systems: anything going through them. You've got to look at the right one to see if it will do some sort of API scanning. But something to consider.
Speaker 2:
One thing that I can put a point on is API gateways. Well, real quick: data loss prevention. Obviously, if you have DLP in your environment, that's a great thing, especially if you have data that is maybe more of a structured data, your Word documents, PDFs, all those kinds of pieces. If you have it more structured, DLP will come in very handy so that even if the data does leave (which I've told leaders within many organizations that I've been in: the data is going to leave, you cannot stop it from leaving), therefore, let's do what we can to protect it so that when it does leave, when they try to open it, they get nothing, they get bupkis, they don't get anything at all. And that's the ultimate goal. So DLP is a big factor and a big, important part of any sort of overall security strategy around APIs.
Speaker 2:
The last one I want to talk to is an API gateway. There are various API gateways out there. I would highly recommend (knock, knock, knock, stress, stomp foot), okay, I highly recommend this: an API gateway within your organization. Again, centralize your API management. If you don't do this, you now do not have a good way to look at your APIs coming in. You could potentially turn them on, turn them off, depending upon their capabilities. They're building more automation and capabilities into the overall gateway itself so that it can inspect the traffic coming in and leaving your organization.
Speaker 2:
I highly stress: have a gateway. Focus on tuning it well, get it right and put all of your APIs through there. Force them through there. Your developers, teach them how to use gateways, how to understand the use of a gateway and why they need to use it. So, best practices for key management.
Speaker 2:
So now, we talked earlier about how you deal with keys. So there's key management. There are tools out there to help you with this, and the best part about key management is you have a key management tool. Amazon will have it. You have a key management system.
Speaker 2:
The KMS is what they typically call them, but they could be named a little bit differently, and the goal is to keep your different keys secret, and this is to help with the API keys as well. It's because you need to treat them as a password. So when you're looking at API keys, you need to generate strong API keys that are difficult to guess or even brute force. Again, like I mentioned, they are a password. Typical API keys, if you go to Amazon, are like 32 characters long. They're huge. They're not something that you can remember, unless you're somebody that has a photographic memory, and that would just fill up your brain. But they're not typically something that you can remember, and so, therefore, the reason people hard-code them into the application is because they can't remember them, and they don't put them into a key management system.
Speaker 2:
So if you're looking at a key management system, you have a couple of different options. One, you have something that's automated, that's built into your system, that will then do the negotiation of the keys for you. So, like, if you have a communication from point A to point B, it reaches out to the key management system. The key management system will then take the key, utilize the key for the interaction and then, when the interaction is over, the key is stored back in the key management system. A nice, sweet, clean system. Great, highly recommend it. However, the downside is that it's expensive and it takes someone who's got the smarts to understand how to use it and how to integrate it within your organization, and then it takes leadership to promote it. So it's not an easy task. The other one is that your folks put their keys in a vault or a safe of some kind. Keeper's a good example of that. But that being said, it's a key that probably doesn't change. They copy-paste and then it's in the application, in many cases already kind of pseudo hard-coded into it.
Speaker 2:
So API keys, you need to store them in a secure manner. A password manager or key management system is really the key thing to do, but I would focus on a key management system over a password manager, if you can. But if you can't, a password manager is the place to go. Rotate your API keys regularly. Again, if you don't rotate them regularly, they are static passwords just like anything else, and once they get compromised at some point from some data dump, they're now available to somebody to use. So you need to rotate them, just like you would a password. However, when you rotate these, many times these APIs are used to communicate between services 24 by 7, all kinds of different ways, up till Sunday. And what do they do? They break. So you need to have a good plan on how you're going to rotate your API keys.
Speaker 2:
Limit your API key permissions, such as: are they allowed to read, are they allowed to write, are they allowed to modify databases? What can they do? So again, just think of the API connection as a user who is an unknown, unnamed, faceless user who has access to your data. Do you want them to read it? Do you want them to write to it? Do you want them to have other kinds of entitlements that'll give them access to bigger things? You can do whatever you want.
Speaker 2:
With APIs, there's a lot of things you can do. So you need to limit the API key permissions and what they're allowed to accomplish within your organization. And then the last one, obviously, is use API gateways. Use them, don't abuse them, but use them. All right. So, other security considerations you need to consider about. That's saying "considerations" twice in one sentence. That's really bad English, yeah, really bad English. So, yeah, but you know, if you're listening to this podcast, you have already probably come to the conclusion that, yes, Sean does not have a good command of the English language, and you are correct. Other security considerations: API versioning. Again, changing the different API versions to avoid compatibility issues. Again, you need to have a strategy around this, especially if you have a lot of integrations with utilization of APIs. Logging and monitoring: all of this stuff should be tracked and put into a SIEM of some kind, and then thresholds set based on your API connections. And what I mean by thresholds is how much data is allowed out and allowed in.
Speaker 2:
So, as an attacker, being on a red team, what did I do? I would pilfer data out of the organization as much as I possibly could. APIs are a perfect place to do it, right? I would love to have stuff just coming out of the APIs. We didn't have APIs back then, but same concept. I would do it. Now, what would I do? Well, I would do it at a really small level. I would actually analyze how much data is typically coming from this API and I would stay below that threshold.
Speaker 2:
That being said, you would never be able to find me. I would be like, "never" is not the right word, but it's highly unlikely that you would find me in your network, because I would operate low and slow and wouldn't do things to make me stand out. But again, understand, I'm trying to understand your network from halfway around the globe, which is very challenging. So what does that mean? That means that when it comes to security and logging and monitoring, if somebody, let's say an attacker, isn't quite as adroit at that and they just want to get in and get as much data as they can, as fast as they can, because they're worried that they're going to lose access, if you're not watching this, they can suck down all kinds of data and you wouldn't even know it. So logging and monitoring is great for all attackers, but it's really good for probably 98% of the people out there that are trying to steal data from your organization. The 2%, the professional hackers, you can find them with, obviously, security monitoring and tools, but they're a lot harder to find. They hide in plain sight. But I highly recommend security logging and monitoring. Okay, I kind of went off on a rabbit trail on that one, sorry.
Speaker 2:
Last thing about other security considerations: API key management. We talked about that. Rate limiting. Again, limit the number of requests that an API can handle to prevent abuse and DDoS attacks. You want to set the rate of how much information can come and go, therefore you don't get DoSed, and it also would limit the amount of exposure of data leaving your organization, potentially, if somebody got in and started stealing stuff. Using OAuth and OpenID to, again, authenticate the various APIs. I can't stress it enough: if you can authenticate APIs, do it, and then run them through a gateway. Those are the two big things to take away from all of this. Use a gateway and authenticate as much as you possibly can. Encrypt, if you can, too, but there are pros and cons with encrypting. So, some key things to consider when you're dealing with APIs.
Speaker 2:
Okay, that is all I've got for you around APIs. I hope this has been beneficial. I feel it has. I mean, yeah, it's giving you some good information, and it's APIs. So, yeah, at least I've learned some more things beyond what I already knew, which was a lot. Because I'm very brilliant. I'm laughing because, yeah, no, everything changes way, way too fast.
Speaker 2:
All right, go ahead and go to CISSPcybertraining.com. Check out what I've got available for you. Like I said, I can't stress it enough. I've got my training out there. It's priced very fairly. You can actually put whatever price you want on my bronze package, because I want to give you a good product but I want you to be able to afford it. My bronze package is basically a minimum of $50 at the time of this recording, but you can donate more if you wish. It's totally up to you.
Speaker 2:
But all I want to tell you is just the fact that all the proceeds, all the profit, go to our nonprofit. It's not going to me. I'm not going out there sitting on the beach thinking about how I'm going to spend my thousands of dollars. I'm not doing that, not at all. It all goes to our nonprofit, because in my mind, that is more important than anything else that we do. Security stuff is great. It's awesome. Our Kona businesses are awesome, yeah, but none of that stuff matters. What's most important is kids that need parents and parents that want kids, and helping parents that financially can't necessarily get there, or just need a little extra leg up to be able to get what they need.
Speaker 2:
So, again, go to CISSPcybertraining.com, check it out and see if there's anything else that I can do for you. Just reach out to me, have a wonderful day and we will catch you on the flip side. See ya.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!