
Designing Security for APIs

Chapter in Advanced API Security

Abstract

Just a few days after Thanksgiving Day in 2013, an attacker who had fooled Target's defenses installed malware in its security and payment system. It was the peak business period for any retailer in the United States. While customers were busy getting ready for Christmas, the malware sitting in the Target payment system silently captured credit card information from the cashiers' terminals and stored it on a server under the attacker's control. Forty million credit card numbers were stolen this way from 1797 Target stores around the country. It was a huge breach of trust and credibility for the retailer, and in March 2015 a federal judge in St. Paul, Minnesota, approved a $10 million offer by Target to settle the lawsuit over the data breach.




Copyright information

© 2020 Prabath Siriwardena

About this chapter


Cite this chapter

Siriwardena, P. (2020). Designing Security for APIs. In: Advanced API Security. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-2050-4_2
