In September 2018, 50 million Facebook accounts were compromised when a hacker worked to steal OAuth bearer tokens that granted access to user profiles. The hacker exposed bugs in Facebook’s authentication infrastructure in its API system that dated back to 2017.
But Facebook is far from alone when it comes to being vulnerable to API attacks.
By 2022, API exploits are predicted to become the most frequent attacks on enterprise web applications, according to Gartner. As this trend continues to grow, it will become increasingly vital that companies do everything they can to protect their API security for the sake of keeping internal and customer data safe, maintaining user trust and avoiding the potentially multi-million legal settlements that often result from these hacks.
That trust is particularly important when a company is in charge of a user’s digital financial assets like Gemini, or when it manages a user’s passwords like Dashlane. For them, vulnerabilities in their public and private APIs could be particularly attractive targets to hackers.
But finding those flaws before hackers do is a vital part of how these two New York companies keep their infrastructure safe. Gemini has an internal security team that repeatedly checks the strength of the company’s keyed-hash message authentication codes and OAuth 2.0 access framework through simulated attacks. Dashlane contracts hackers and security experts to assess how fortified the platform is via bug bounties, and its legal team works closely with privacy specialists to keep the platform in line with changing regulations.
Not only do these stress tests work to keep these platforms continuously secure in the face ever-evolving threats, but they keep the skills and knowledge of their security team sharp in the process.
What best practices do you follow to ensure Gemini’s APIs are developed with security top of mind?
Gemini has two types of APIs: public and private. Public APIs provide access to public information like the latest bitcoin price and, therefore, do not require authentication. Private APIs provide access to potentially sensitive information and require a security authentication layer. This API includes an HMAC protocol — a type of message authentication code involving a cryptographic hash function and a secret key — to verify the content of the request.
Gemini provides a secret key to every customer. They use that key to sign messages and requests, and Gemini uses the cryptographic hashing function on that key signature to verify the integrity of those communications. We implement controls to protect our users in case of unusual activity. For example, if the same request is submitted twice, it will be rejected to help protect users in case of an account takeover. We also allow OAuth 2.0 access, which allows permissions to be granted to the private API via tokens without sharing passwords or secrets and keys.
And to validate our security standards, we leverage our security team to perform internal penetration tests on our APIs periodically.
We leverage our security team to perform internal penetration tests.”
What tools does your team use to manage your APIs?
Most of our monitoring relies on Graphite and Grafana. API calls are time-stamped and logged at the authentication and API layers. These tools are integrated into our code and display analytics in dashboards that we use to monitor API functionality across all touchpoints. We chose Graphite and Grafana because they are easy to implement and widely used and understood. They provide all the data points our team needs to successfully manage and monitor our APIs.
How does your team stay up to date with the evolving state of cybersecurity?
The security team remains current on cybersecurity developments through a number of ways: research, continuing education, consistent improvement activities such as stress testing and security threat simulations, and maintaining strong relationships with our regulatory and internal stakeholders.
Threats to Gemini and our users are researched and tracked by our threat intelligence and fraud teams. To test our threat readiness and continuously improve our defenses, our product security team identifies potential vulnerabilities and works closely with our threat detection and response team to simulate attacks against our systems.
And the entire team continues to build their skills through their work, a training stipend and voluntary participation in security-strengthening exercises like capture the flag challenges.
What best practices do you follow to ensure Dashlane’s APIs are developed with security top of mind?
When building new APIs, our engineers work closely with our security team to confirm the proposed API complies with Dashlane’s zero-knowledge architecture. That non-sensitive user data is exposed outside of Dashlane’s application while running on users’ local devices.
Our legal team works closely with industry groups that monitor privacy regulations.”
What tools does your team use to manage your APIs?
We use a mix of open-source, paid and custom-built tools to monitor our APIs. We use Pingdom to monitor our critical APIs and office infrastructure, ElastAlert to monitor business metrics from our Elasticsearch instance and Amazon CloudWatch to monitor our AWS infrastructure. We also have an in-house server monitoring service that was built to allow our developers to easily implement monitoring for anything not covered by our existing services.
How does your team stay up to date with the evolving state of cybersecurity?
Our security team follows infosec industry leaders as well as established infosec news outlets. We also use bug bounty services, such as HackerOne, to encourage white hat hackers and security researchers to help discover potential vulnerabilities.
For data privacy and security regulations such as the General Data Protection Regulation, our legal team works closely with industry groups that monitor privacy regulations and security-minded coalitions to keep up to date.
