Apiture Security Hackathon 2021: Improving API Security

March 31, 2021 by Libby Kane


Security is Apiture’s priority. Major security breaches across digital services have put millions of Americans at risk of identity theft and shattered the reputations of affected companies. At Apiture, we protect our clients and their end-users from security threats and infrastructure weaknesses. Ensuring the security of our products comes with an obligation to consistently test and optimize our infrastructure. Further, Apiture is committed to designing for and building security into our software development lifecycle (SDLC) and processes. Our team developed a way to find potential threats in our products and educate employees on security issues with an internal security hackathon.

Under the leadership of David Biesack, Apiture’s VP of API (Application Programming Interface) Platforms & Lead API Architect, and Sean Darragh, Chief Information Security Officer, Apiture held the first of its quarterly internal security hackathons in February 2021. The hackathons will cover both of Apiture’s key product lines: Apiture Open and Apiture Xpress. “With our Security Hackathon project, we are even more proactive about software security. It is an investment with tremendous benefit for our customers who depend on us,” said Biesack.


Hackathon Goals

The goals of Apiture’s Security Hackathon Program are to find and remove security vulnerabilities in our products before they reach production. Specifically:

  1. Improve the security posture of Apiture products by complementing our other software and information security and compliance efforts, such as static and dynamic code scanning and penetration testing.
  2. Achieve continuous improvement of the security-related aspects of our products and processes.
  3. Train engineering, architecture, and QA staff on designing and delivering secure software.

Hackathon Rationale

Apiture employs a vast arsenal of security products and staff to create the safest environment possible for our clients.

“Existing security tools and mechanisms, while necessary, cannot identify all vulnerabilities in software because they are generic and do not account for the architecture of Apiture software. While cybersecurity is part of our required periodic training, it does not directly address software design and software security vulnerabilities,” said Biesack. “The security hackathon program fills the gap in effective training and strives to stay ahead of the ever-changing methods used by fraudsters.”


Hackathon Structure

The hackathon structure serves to be proactive with respect to software security and reactive with respect to new and continually emerging threats. Apiture uses both internal and external vendor-led training. David Biesack was the instructor for an Apiture University seminar (Apiture’s internal learning series) focusing on the OWASP API Security Top Ten and how hackers may look for Top Ten vulnerabilities when attacking Apiture products.

A partnership with an external software security training vendor brings an objective outside perspective to each hackathon and helps cover classes of threat that the internal focus area might otherwise miss.

The Apiture team treats security exercises with the highest priority. “The training by the external vendor and also the Apiture University training sessions are vital, so all these training sessions are mandatory for all participants,” said Jan Kruger, EVP and General Manager, Apiture Open.

Each hackathon has a focus area, and all participants, or “hunters,” are trained on it. They are not limited to that focus area during the hackathon, however, just as they are free to hunt for vulnerabilities outside the hackathon. Hunters organized themselves into cross-functional teams drawn from different internal groups and planned how they would attack the system.


Q1 2021 Security Hackathon

The inaugural hackathon, held in Q1 2021, focused on validating that the Apiture Open Banking APIs properly enforce entitlements on every resource they expose: an authenticated user should only be able to read or act on the accounts and data that user is entitled to, never another customer’s.

A week before the hackathon, all staff were trained on the hackathon’s specific focus: the types of authorization vulnerabilities that may exist in the APIs and how to simulate attacks using the techniques of hackers who try to exploit them.
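To make the focus concrete, the following is an added example of the kind of entitlement probe a hunter might write; it is not Apiture code and does not model any real Apiture endpoint. It stands in a hypothetical account-lookup handler in two forms: a vulnerable one that authenticates the caller but trusts the account ID in the request (OWASP API1, broken object-level authorization), and a hardened one that checks the caller’s entitlements first. `probe_entitlements` enumerates every (caller, account) pair and reports the ones where data came back that the caller was not entitled to, and `has_existence_oracle` checks whether the handler leaks that another customer’s account ID exists. The customer names, account IDs and entitlement table are constructed fixture data.

```python
"""Entitlement probe for an account-lookup API (added example, hypothetical API)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed fixture data: hypothetical customers, accounts and entitlements.
ACCOUNTS: Dict[str, dict] = {
    "acct-100": {"owner": "alice", "balance": "1200.00"},
    "acct-200": {"owner": "bob", "balance": "85.10"},
    "acct-300": {"owner": "bob", "balance": "9000.00"},
}
# Which account IDs each authenticated principal is entitled to read.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"acct-100"},
    "bob": {"acct-200", "acct-300"},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


Handler = Callable[[str, str], Response]


def get_account_vulnerable(caller: str, account_id: str) -> Response:
    """Authenticates the caller, then returns whatever account the URL names.

    This is the BOLA pattern: authentication happened, authorization did not.
    """
    if caller not in ENTITLEMENTS:
        return Response(401)
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return Response(404)
    return Response(200, acct)


def get_account_hardened(caller: str, account_id: str) -> Response:
    """Checks the caller's entitlement before touching the resource.

    A non-entitled ID gets the same 404 as a missing ID, so the API does not
    confirm that another customer's account exists.
    """
    if caller not in ENTITLEMENTS:
        return Response(401)
    if account_id not in ENTITLEMENTS[caller]:
        return Response(404)
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return Response(404)
    return Response(200, acct)


def probe_entitlements(handler: Handler, callers: Iterable[str],
                       account_ids: Iterable[str]) -> List[Tuple[str, str]]:
    """Try every caller against every account; return the cross-tenant leaks.

    A leak is any 200 for an account the caller is not entitled to.
    """
    leaks = []
    for caller in callers:
        for account_id in account_ids:
            resp = handler(caller, account_id)
            if resp.status == 200 and account_id not in ENTITLEMENTS.get(caller, set()):
                leaks.append((caller, account_id))
    return leaks


def has_existence_oracle(handler: Handler, caller: str,
                         foreign_id: str, missing_id: str) -> bool:
    """True if the caller can tell a real-but-foreign account from a missing one."""
    return handler(caller, foreign_id).status != handler(caller, missing_id).status


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_account_vulnerable),
                          ("hardened", get_account_hardened)):
        leaks = probe_entitlements(handler, ENTITLEMENTS, ACCOUNTS)
        oracle = has_existence_oracle(handler, "alice", "acct-200", "acct-999")
        print(f"{name}: {len(leaks)} cross-tenant leak(s) {leaks}; existence oracle: {oracle}")
```

Against a real API the two handler functions would be replaced by HTTP calls made with each test identity’s credentials, and the entitlement table would come from the seeded test data; the enumeration logic stays the same. The existence check matters because a 403-versus-404 difference lets an attacker enumerate valid account IDs even when the data itself is protected.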

“For some hunters this was their very first hackathon; for others, it was an opportunity to dive deep hunting for exploits, lead by example, and share their approach to testing with security in mind,” said Jason McLeod, Senior Software Developer and the show runner for the Hackathon.

In one continuous, 24-hour session (noon on Thursday through noon on Friday), teams competed against one another to find security vulnerabilities.

When a hunter found and confirmed a security vulnerability, everyone on the floor was notified. At the end of the 24-hour period, the top teams and the winners in specific categories were rewarded with a “bug bounty” in the form of Apiture swag, bragging rights, and other rewards. The competitive atmosphere did not take away from the significance of the hackathon’s purpose.

Three dedicated hackathon test environments were seeded with sufficient test data (test customer identities and credentials, and account data). Apiture’s hunters spent the 24-hour period trying to exploit the software and find vulnerabilities. Any security defects found were remediated immediately, so that they were identified and repaired before they could reach production systems.

Apiture’s teams concluded the Q1 2021 hackathon with clear value demonstrated: employees were educated, security was kept at the forefront of new development, and existing infrastructure was strengthened with new security tools. “Future hackathons will leverage skills and act as a multiplier for the quality of our products and the expertise of everyone involved in building them,” said McLeod.

The success of the inaugural hackathon will guide the quarterly hackathons that follow throughout each year.