September 21, 2022

How APIs Expose Business Logic Flaws with Chuck Herrin

by Cyber Ranch

Listen Now


Show Notes

Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it needs to be headed.


Timecoded Guide:

[00:00] Bringing a background in finance into the cybersecurity API world

[05:25] "Hacking" a bank’s API using business logic instead of hacking

[12:17] Implementing standard API protocols and processes

[14:27] Flipping the API language and preparing injection threats

[19:03] Evolving defenses overtime to meet both new needs and new risks


Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at


What does your current role look like and how does it relate to API security?

Chuck began his career in tech and security in the banking industry, and felt particularly concerned over time with the lack of security around APIs and related technology. Now, with his CTO position at Wib, Chuck works with Wib to focus on providing continuous visibility into API attack surfaces. Outside of just the newness and the tech of APId, Chuck explains that there are critical infrastructure and national security ramifications for API security. 

“The basic premise is: If you could do it differently, knowing what you know now, what would you build in an API security platform? What I'm bringing to the table is 20 years as a defender in US financial services, where I know what we need from a governance perspective.”


Akamai recently ran a study of internet traffic. What were their findings about APIs?

As someone well researched in his work with APIs, Chuck pays close attention to recent studies, like one from Akamai, that recently claims 91% of their global internet traffic is API traffic. Chuck explains that this is a huge development in the popularity and impact of APIs on global security, especially when relating it to a separate study that estimates 50% of APIs are actually unmanaged. Although this stat seems shocking, many in the industry believe even that estimate is low, and the issue might be even worse than studies are showing. 

“91% of the traffic that Akamai handles is API traffic. So, 91% of global internet traffic is API traffic. Another stat which is a little harder to prove estimates that roughly 50% of API's are completely unmanaged.”


You actually performed a hack live on an API, but it wasn't even a hack at all. Can you tell me that story? 

At the most recent Black Hat, Chuck dissected and presented a few case studies, one of which was a bank’s API, hacked using a logic-based attack. Using the errors in business logic present within the banking API, Chuck’s team was able to bypass the front-end system and transfer fees, managing to convert money into more valuable currency over and over again. The wildest part, to both Chuck and to presentation attendees, was that this didn’t require tech hacking, it only required exploiting business logic. 

“We didn't tear apart the mobile app and find the stored credentials, the API keys, which are probably in there. We didn't crack any passwords. We just abused the logic, and it responded in the way it was designed and here we are.”


If we can’t anticipate every possible business logic flaw or abuse case, how can we reduce the impact and blast radius of API threats?

Reducing the impact of API security threats feels daunting, but Chuck explains that security has to go back to the basics in order to identify and acknowledge what has to change over time. You can't protect what you can't see and our teams have to evolve over time to defend against the changing attackers we might end up facing with APIs. When push comes to shove, Chuck firmly believes in having a defense strongly informed by the offenses and threats around you.

“This was cloud security 10 years ago, and it's API security today, right? History doesn't repeat, but it rhymes. It's the same basics and same fundamentals. Now, you need to change tooling. The attackers evolve over time, and your defenses have to evolve over time.”



Learn more about Chuck Herrin on LinkedIn and the Wib website

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 

Continue this conversation on our Discord

Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast

Read more

Recent Episodes

February 1, 2023
by Cyber Ranch

Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations.  Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory b...

January 25, 2023
by Cyber Ranch

This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor. The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as w...

January 18, 2023
by Cyber Ranch

This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc.  Another one of Allan's illustrious guests with 25 years in cyber.  (  The topic started as all that th...

January 11, 2023
by Cyber Ranch

This episode is jam-packed with wisdom that is delivered at a rapid pace.  Some folks will find themselves rewinding and taking notes.  Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to ta...

January 4, 2023
by Cyber Ranch

To celebrate the 100th episode, Allan decided to let the audience participate in the show.  21 people called in and answered a wide variety of questions about cybersecurity.  It is a fantastic show and it is very fun to hear all the different perspec...

December 14, 2022
by Cyber Ranch

This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'?  Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventu...

December 7, 2022
by Cyber Ranch

In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk toleranc...

November 30, 2022
by Cyber Ranch

Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incr...

November 16, 2022
by Cyber Ranch

Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at Big Commerce joins Allan Alford at the ranch to talk about the BIG picture.  Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the pre-c...

November 9, 2022
by Cyber Ranch

This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes: ...