Practical Guide to API Security

Transcript

1. GUIDELINES TO PROPER API SECURITY ISABELLE MAUNY - CTO [email protected]

   The API Security Platform for the Enterprise

2. TITLE TEXT Complex deployments 2 FROM ESTABLISHED PERIMETER…

3. 3 …TO BLURRY PERIMETER

4. TITLE TEXT 4 App icon made by https://www.flaticon.com/authors/pixel-buddha Internal Partner

   Public VIRTUAL APPLICATION NETWORKS

5. TITLE TEXT FAST APP DELIVERY 5 APPLICATION
 DEVELOPMENT APPLICATION
 SECURITY

6. API SECURITY NEEDS TO 6 EVOLVE

7. 7 DEFINING API SECURITY

8. 8 Authentication Integrity (transport & message) Audit Confidentiality (transport &

   message) Availability (Rate Limiting) Authorization Non Repudiation Data Validity (attacks protection)

9. 9 YES. You need to consider all of this… …

   AND you need to configure all aspects in the right way

10. 10 AND you need the right infrastructure!

11. 11 ALL APIS SHOULD BE TREATED AS PUBLIC 1

12. 12 EXPOSING ENTERPRISE DATA AND PROCESSES. WHAT ARE APIS FOR

    ?

13. 13 Internal External 80 55 57 69 Now Expect in

    the next 18 months Source: @The State of Cybersecurity and Digital Trust 2016” Accenture and HIS Research - Sample: 208 Enterprise Security Professionals Have you experienced the theft or corruption of internal corporate or user/consumer information by Internal or External threat actors?

14. 14

15. “I think that a lot of people think that because

    there is no GUI on an API that no one can find it and it is invisible. But we can find them in about five seconds with a proxy… …Almost every threat that applies to a web app, can happen to an API, but a lot of people for some reason are not protecting them as much as their web applications.” Tanya Janca Application Security Evangelist - AppSec Podcast 15 “

16. 16 WHAT SHOULD YOU DO ? Proceed to a full

    inventory of APIs within the enterprise Implement APIs governance Evaluate your API Security coverage

17. 17 SECURITY NEEDS TO BE RISKED-BASED 2

18. “Security is a risk control measure…In the security sphere, one

    size does not fit all. We have to take ‘appropriate measures’. Nat Sakimura Fixing OAuth, Nat Sakimura, July 20, 2016, https://nat.sakimura.org/2016/07/20/fixing-oauth/ 18 “

19. 19 Financial APIS Security Auth Grant Types OpenID Connect Flows

    TLS Settings Message Confidentiality Non-Repudiation Message Integrity Financial APIs Working Group: http:/ /openid.net/wg/fapi/

20. 20 WHAT SHOULD YOU DO ? Establish a threat model

    for all APIs Establish corporate security policies based on that threat model, managed by the security teams.

21. 21 SECURITY MUST BE AUTOMATED 3

22. LET’S SHIFT LEFT! 22 Deployment Testing Development Design

23. VULNERABILITY SCANS 23 Infrastructure Scans TLS + Security Setup ✓

    APIs Server, CDN, HTTP Server ✓ Security headers Code analysis (Static, Dynamic, Interactive) Third-party libs / frameworks Apps / APIs (e.g. OWASP ZAP) Authentication Authorization DevOps Scripts! Choose platforms/tools where 
 functionality is exposed as APIs/CLI. 2

24. 24 WHAT ELSE SHOULD YOU DO ? Apply security policies

    as early as possible in the API lifecycle Choose a platform where security policies can be applied automatically, with minimum involvement of developers Test APIs with “security ON” from Day 1!

25. 25 SECURITY BLUEPRINT

26. 26 REQUEST RESPONSE 1 2 Request Validation Message Validation 3

    Token Validation Crypto Validation 4 Tra!c Enforcement 5 6 7 AAA Message Processing 1 Message Validation 2 Crypto Operations 3 Response Validation 4 Message Processing

27. IT ALL STARTS WITH TRANSPORT TLS covers Confidentiality and Integrity

    at transport level. Configuration matters! ✓ Protocol accepted (TLS 1.2, 1.3 are recommended) ✓ Cipher suites Can use Mutual SSL for authentication is some scenarios Review/Enforce across the whole transaction flow ✓ Inbound/Outbound Remember: channel is encrypted… but data goes in clear! 27

28. VERIFYING SSL/TLS SETUP www.ssllabs.com report.io securityheaders.io New! hardenize.com 28

29. REQUEST VALIDATION Verbs Path Headers Query params Cookies CORS Apply

    positive and negative security models (a.k.a whitelisting and blacklisting) Leverage Open API to apply positive security model! 29

30. TOKEN VALIDATION Which token format is accepted ? Where (query

    param ? header ?) Is it of the right format ? Has it expired ? Was 2-factor auth used if required ? (Level of Assurance - LoA 3 or greater) 30

31. CRYPTOGRAPHY 31

32. CRYPTO VALIDATION Can I decrypt ? Can I verify the

    signature ? Decrypt before payload validation ! 32

33. INTEGRITY What I received is what was sent and I

    know who sent it. Digital signatures over content. You probably already use this with OpenID Connect (id token must be signed and optionally encrypted) Transport agnostic! Other applications ✓ Non-Repudiation 33

34. CONFIDENTIALITY I don’t want anybody to see the messages exchanged.

    Data can only be read by the right person/system Transport agnostic! Multiple recipients ✓ Part of message goes to target A, another to target B 34

35. USEFUL ACRONYMS JOSE: Javascript Object Signing and Encryption ✓ IETF

    Standard for JWS and JWE JWE ✓ JSON Web Encryption JWS ✓ JSON Web Signature JWT ✓ JSON Web Token JWK ✓ JSON Web Key 35

36. USEFUL LINKS Signing/Validating JWT ✓ jwt.io (sponsored by Auth0) Building

    JWK ✓ https://mkjwk.org Learning about the topic! ✓ https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3 36

37. DATA VALIDATION Payload validation (request, responses, errors!) Block sensitive data

    in responses (N26 attack lessons…) Make sure you don’t return too much information in case of errors. Too much info for attacker! ✓ Avoid Response.post ( exception.printStackTrace) ! 37

38. AAA (AUTHENTICATION/AUTHORIZATION /AUDIT) Choose Grant Types wisely ✓ Know the

    deployment ✓ Know who will invoke the APIs. Use HTTPs across all actors (Resource Server, Authorization Server, Client) Prevent Token theft ! Look at ✓ PKCE for mobile apps ( prevents authorization_code from being stolen) ✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800) ✓ Token Binding ( new RFC, still in Draft 05) Use proven libs and products ! Learn Learn and Learn … ✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce ✓ https://alexbilbie.com/guide-to-oauth-2-grants/ ✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows- ec6a5c00d864 38

39. 39 www.42crunch.com/whitepaper

40. CONTACT: [email protected] WWW.42CRUNCH.COM The API Security Platform for the Enterprise

41. RESOURCES Chaos Engineering ✓ http:/ /principlesofchaos.org ✓ https:/ /github.com/dastergon/awesome-chaos-engineering OWASP

    ZAP ✓ https:/ /www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https:/ /www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https:/ /www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https:/ /www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools 41

42. RESOURCES SSL Setup Scan ✓ https:/ /hardenize.com ✓ https:/ /securityheaders.io

    ✓ https:/ /www.ssllabs.com/ssltest/ Threat Modelling ✓ https:/ /www.owasp.org/index.php/Application_Threat_Modeling 42