bsidesaustin2019

When security teams think of securing API calls they commonly focus solely on the consumer facing APIs used by mobile apps and client applications to make calls into their environment. This challenge is hard enough, but there's another large attack surface sitting around waiting to be abused, and that's the API services that corporations use for the automation and orchestration of their own cloud environments. Most are commonly protected by simple API keys or static firewall rules that offer little protection to a well resourced attacker. I'll be talking about the discovery and exploitation of these API environments as well as some useful ways to protect yourself from these risks.