Chuck Herrin, Wib: “broken object level authorization is the #1 issue with APIs today, and it is almost everywhere”
Implementing new digital technologies is critical to achieving modern business goals. However, when you fundamentally change your architecture, you also change your attack surface, the Wib team points out.
Today nearly every organization, small or large, operates inside a digital technology ecosystem. Dozens of devices oblige their users to handle data responsibly, and essentials such as connecting through a Virtual Private Network are already part of our daily routine. But how should we act around APIs?
To discuss this matter, we interviewed Chuck Herrin, Chief Technology Officer at Wib, a company working to deliver the most efficient full-lifecycle API security.
How did the idea of Wib originate? What has your journey been like so far?
Wib originated when a group of cybersecurity veterans Gil Don, Ran Ohayon, and Dr. Tal Steinherz came together to bring the second generation of API security to the market. They pooled some seed funding together and expanded what had been known as Syber.ai into a new and broader entity focused purely on API security. The journey so far has been amazing – working with pioneers who created the API security field as well as offensive cybersecurity veterans who leveraged logic-based attacks in their nation-state capacity, and pairing that with decades of private sector experience has created a team that’s unparalleled in the space. All of this in less than a year, and already with a growing group of well-known paying customers. It’s been extraordinary.
Can you tell us a little bit about what you do? What methods do you use to secure API software?
APIs are expected to be the #1 attack vector in 2022, as the explosion of APIs and microservices supporting digital transformations continues, and criminals and state actors move from avenues like phishing to exposed services like APIs where they can reduce the chance of detection and increase their dwell time. Unfortunately, most organizations do not have a strategy or visibility for managing this new and expanded attack surface, and many (if not most) APIs are completely unmanaged today. To help manage these risks, we are bringing a cohesive platform with 4 modules to market to protect APIs from source code through production, with tight integrations to supporting technologies already in use in enterprise and government technology stacks. At this stage, we don’t think you should have to scrap your current tech stack to protect against this new attack vector, and so we strive to complement and integrate with current solutions wherever we can.
The methods we’ve developed at Wib take a comprehensive approach to API security, beginning with source code repositories and going all the way to production traffic to illuminate as many API blind spots as possible, while our novel and innovative Attack Simulator automates security testing against APIs and endpoints. While the first generation of API security tools provided a spotlight view into this blind spot, our approach is designed to provide full ‘sunlight’ visibility into a customer’s API ecosystem. You can’t secure what you can’t see, and APIs are unfortunately a huge blind spot today for many organizations, so the more visibility, the better.
How do cybercriminals take advantage of unprotected IT operations? What is the worst that can happen?
While the predominant result in the news today is ransomware, I think it’s important to distinguish between the result of an attack and the attack vector or how they got in. We are focused on the latter – an exposed attack surface that many, many companies aren’t watching. What an attacker chooses to do with a foothold once they’re in is up to them. Ransomware is one of the most popular outcomes as it’s so profitable, but only a minority of bad actors are ransomware operators. Data theft is one outcome, either financially motivated or for state interests stealing intellectual property, and another is either tactical or strategic destructive goals for projection of power right away or in the future. Some attackers simply expand their access and sell it to others. What we’re finding in the wild is that APIs dramatically change the attack surface, and defenders don’t have the line of sight they need – or the tooling – to protect this attack surface, regardless of what end goal the attackers have in mind. Once the attacker is in, it’s their ballgame – they get to decide how they want to exploit it.
Do you think the recent global events altered the ways in which threat actors operate?
To some degree, yes. We’ve moved from a ‘warm’ cyberwar to a ‘hot’ war, but many of the same trends continue, just with less discretion or fear of attribution. But we’ve been actively fighting in the cyber theater for a long time, and that isn’t going away. At some point soon, I predict we’ll quit calling it ‘cyberwarfare’ the same way we don’t call electronic crime ‘e-crime’ or fraud involving computers ‘e-fraud’ anymore. It’s just warfare now.
What security tools and practices should average individuals adopt to combat these new threats?
For individuals, use a password manager and multi-factor authentication everywhere you possibly can. Put a security freeze on your credit reports if you live in a jurisdiction where you can, and monitor your credit files. Make yourself a hard target, and make sure your kids know how to use a password manager as well. Hopefully, kids will learn that privacy is important before it’s too late for them.
For companies, one of the biggest priorities has to be to understand what firms are doing when they publish API and business logic directly to the outside world and partners. Digital transformations are great, but when you fundamentally change your architecture, you change your attack surface. Traditional and even modern defenses like Web Application Firewalls (WAFs) and API Gateways simply do not have the context or ability to defend against logic-based attacks targeting exposed business logic surfaced by APIs. It’s a huge blind spot, and in my two decades as a CISO, it’s always the blind spots that get you. You can’t secure what you can’t see, and you also can’t secure what you don’t understand. Many development teams don’t understand security, and many security teams simply lack the knowledge of this space to be able to effectively govern and manage risks in the API and microservice space, and it’s rapidly getting away from them.
What vulnerabilities surrounding APIs do you find the most concerning nowadays?
Broken Object Level Authorization (also called BOLA) is the #1 issue with APIs today, and it is almost everywhere. When we do proof of value assessments with potential customers, we almost always find BOLA. Outside of the specific gaps like BOLA, Mass Assignment, and Broken Function Level Authorization, there is a massive and pervasive lack of visibility into these attack vectors and API security overall. We recently performed an engagement with a customer and in a very short period found almost 3 dozen APIs they didn’t know they were running, then found a rate-limiting flaw in the logic, then saw a live attack on that same API. We went from ‘didn’t know we had this API’ to ‘we’re under an active attack’ very quickly. We performed another on a very large bank that was fully hardened to the outside, but our attack simulation allowed us to exploit logic flaws to essentially print money. Overall, what I worry about the most is that the attack surface that’s already gotten ahead of security teams – APIs and microservices – is accelerating much faster than the defenders have been able to keep up. That’s the problem we’re solving – giving the defenders what they need to catch up and keep up.
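The two gaps named in this answer, BOLA and Mass Assignment, as an added illustration that is not code from the interview or from Wib's product: a minimal in-memory "orders" service in plain Python, with each vulnerable handler beside its hardened form. The store, the user ids, the field names and the NotFound/Forbidden exceptions are all constructed for this example.

```python
"""Added example (not from the interview or Wib): BOLA and Mass Assignment
in a toy orders API, each shown vulnerable and hardened. Everything here is
constructed for the demonstration; there is no real service behind it."""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when the caller may not see the requested object."""


class Forbidden(Exception):
    """Raised when a client tries to write a field it does not control."""


@dataclass
class Order:
    order_id: int
    owner_id: int          # the customer who owns the order
    status: str = "pending"
    is_refunded: bool = False


def make_store() -> dict:
    """Constructed sample data: two customers, one order each."""
    return {
        1001: Order(1001, owner_id=1),
        1002: Order(1002, owner_id=2),
    }


def get_order_vulnerable(store: dict, caller_id: int, order_id: int) -> Order:
    """BOLA: the caller is authenticated (caller_id is known) but the handler
    never checks that the object belongs to the caller, so any logged-in user
    can read any order simply by supplying its id."""
    try:
        return store[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(store: dict, caller_id: int, order_id: int) -> Order:
    """Object-level authorization: ownership is verified on every access.
    Missing and foreign objects both answer NotFound so the endpoint does not
    reveal which ids exist."""
    order = store.get(order_id)
    if order is None or order.owner_id != caller_id:
        raise NotFound(order_id)
    return order


def update_order_vulnerable(store: dict, caller_id: int, order_id: int,
                            payload: dict) -> Order:
    """Mass Assignment: the request body is bound straight onto the model, so a
    client can set fields it must never control (owner_id, is_refunded)."""
    order = get_order_hardened(store, caller_id, order_id)
    for key, value in payload.items():
        setattr(order, key, value)
    return order


# Allowlist of fields a customer is permitted to change.
WRITABLE_FIELDS = {"status"}


def update_order_hardened(store: dict, caller_id: int, order_id: int,
                          payload: dict) -> Order:
    """Bind only allowlisted fields; reject (and log) anything else rather than
    silently dropping it, so probing for hidden fields is visible."""
    order = get_order_hardened(store, caller_id, order_id)
    unknown = set(payload) - WRITABLE_FIELDS
    if unknown:
        raise Forbidden(f"field(s) not writable: {sorted(unknown)}")
    for key in WRITABLE_FIELDS & set(payload):
        setattr(order, key, payload[key])
    return order


if __name__ == "__main__":
    s = make_store()
    print(get_order_vulnerable(s, 2, 1001))      # user 2 reads user 1's order
    try:
        get_order_hardened(s, 2, 1001)
    except NotFound:
        print("hardened read: foreign object hidden")
```

Two design points carry over to real services: the ownership check lives next to every object lookup rather than in one central middleware that individual routes can forget, and the hardened update fails loudly on unexpected fields, which gives the security team a log line per probe instead of a silent drop. Counting NotFound and Forbidden responses per caller is a cheap detection for both patterns.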
In your opinion, which industries should be especially attentive when it comes to application security?
Finance, healthcare, critical infrastructure, and suppliers to these spaces. Anyone who surfaces an API needs to understand how they’re changing their attack surface, but from a macro level there are real and present national security and critical infrastructure concerns about both public and private sector entities surfacing APIs that are poorly understood and unprotected.
What are the best practices companies should follow when developing and launching software?
Three things outside of the normal ‘follow best practices and train developers on secure coding’ response. Those are table stakes.
- To get this right, a CISO has to silence their ego; be pragmatic and reality-based when it comes to application security. I’m a huge fan of shifting left, but if you DEPEND on shifting left to get security issues handled, you’re going to have a bad time. You have to shift left while shielding right, and fundamentally it doesn’t matter what business you’re in, you’re in the people business. Good application security, without exception, is a highly automated team sport, with teams that value each other’s input working together and leveraging each other’s strengths. If your security team isn’t at the table for application development, ask ‘why?’ There’s a good chance they don’t understand application security, and you cannot secure that which you do not understand.
- Another critical piece I call out a lot is a simple truth that People Follow Incentives, and you can tell a lot about what kind of software will be produced by examining the incentives senior leadership creates for development teams.
- The last one is process design – one of the things I say over and over again is to design your processes to ‘Make the Right Way the Easy Way’. Outside of a malicious insider edge case, nobody goes out of their way to introduce bugs or weaknesses into a piece of software.
What does the future hold for Wib?
Wib’s vision is a game-changer in the API security space, and our approach has defined the full life cycle of API Security. We’re going to continue focusing on this area, with continued messaging and public speaking to multiple stakeholders such as CEOs, regulators, Board Members, CISOs, and developers, as we’re at an inflection point between CISOs and stakeholders who don’t know they have a problem combined with those who suddenly know and understand they have an overwhelming one.
As headlines continue to expose API weaknesses and institutions become better informed, I think our experienced team will continue to execute and set the standard for API security as APIs and microservices continue their rapid adoption and target attack surfaces continually evolve. Using the principle that “Your Defense Should be Informed By The Offense”, Wib will continue to innovate and evolve our unique platform to help our customers anticipate the next avenue of attacks on their business logic and sustainably close their blind spots, so once they get caught up, they can stay caught up and focus on delivering new functionality safely and at the speed of their business.