
Practical Guide to API Security

42crunch
February 06, 2018


If you ask about API security, you will most likely be told about OAuth2, maybe OpenID Connect and of course TLS.
But in order to properly secure APIs, you will have to address many other aspects. This presentation covers key concepts related to API security, as well as practical tools/solutions to address the overall issue.


Transcript

  1. Authentication; Integrity (transport & message); Audit; Confidentiality (transport & message); Availability (rate limiting); Authorization; Non-repudiation; Data validity (attack protection)
  2. YES. You need to consider all of this… AND you need to configure all aspects in the right way.
  3. [Chart: theft or corruption of information by Internal vs. External threat actors, now and expected in the next 18 months; plotted values 80, 55, 57, 69] Source: “The State of Cybersecurity and Digital Trust 2016”, Accenture and HIS Research. Sample: 208 enterprise security professionals. Question asked: Have you experienced the theft or corruption of internal corporate or user/consumer information by Internal or External threat actors?
  4. [image-only slide]
  5. “I think that a lot of people think that because there is no GUI on an API that no one can find it and it is invisible. But we can find them in about five seconds with a proxy… Almost every threat that applies to a web app can happen to an API, but a lot of people for some reason are not protecting them as much as their web applications.” Tanya Janca, Application Security Evangelist, AppSec Podcast
  6. WHAT SHOULD YOU DO? Proceed to a full inventory of APIs within the enterprise. Implement API governance. Evaluate your API security coverage.
  7. “Security is a risk control measure… In the security sphere, one size does not fit all. We have to take ‘appropriate measures’.” Nat Sakimura, Fixing OAuth, July 20, 2016, https://nat.sakimura.org/2016/07/20/fixing-oauth/
  8. Financial APIs security: auth grant types, OpenID Connect flows, TLS settings, message confidentiality, non-repudiation, message integrity. Financial APIs Working Group: http://openid.net/wg/fapi/
  9. WHAT SHOULD YOU DO? Establish a threat model for all APIs. Establish corporate security policies based on that threat model, managed by the security teams.
  10. VULNERABILITY SCANS
      Infrastructure scans: TLS + security setup
      ✓ API server, CDN, HTTP server
      ✓ Security headers
      Code analysis (static, dynamic, interactive): third-party libs / frameworks
      Apps / APIs (e.g. OWASP ZAP): authentication, authorization
      DevOps scripts! Choose platforms/tools where functionality is exposed as APIs/CLI.
  11. WHAT ELSE SHOULD YOU DO? Apply security policies as early as possible in the API lifecycle. Choose a platform where security policies can be applied automatically, with minimum involvement of developers. Test APIs with “security ON” from Day 1!
  12. REQUEST / RESPONSE processing pipeline. Request side: 1 Request Validation, 2 Message Validation, 3 Token Validation, 4 Crypto Validation, 5 Traffic Enforcement, 6 AAA, 7 Message Processing. Response side: 1 Message Validation, 2 Crypto Operations, 3 Response Validation, 4 Message Processing.
  13. IT ALL STARTS WITH TRANSPORT. TLS covers confidentiality and integrity at transport level. Configuration matters!
      ✓ Protocol accepted (TLS 1.2 and 1.3 are recommended)
      ✓ Cipher suites
      Mutual SSL can be used for authentication in some scenarios. Review/enforce across the whole transaction flow:
      ✓ Inbound/outbound
      Remember: the channel is encrypted… but the data goes in clear!
  14. REQUEST VALIDATION: verbs, path, headers, query params, cookies, CORS. Apply positive and negative security models (a.k.a. whitelisting and blacklisting). Leverage OpenAPI to apply a positive security model!
  15. TOKEN VALIDATION: Which token format is accepted? Where (query param? header?)? Is it of the right format? Has it expired? Was 2-factor auth used if required (Level of Assurance, LoA 3 or greater)?
  16. CRYPTO VALIDATION: Can I decrypt? Can I verify the signature? Decrypt before payload validation!
  17. INTEGRITY: what I received is what was sent, and I know who sent it. Digital signatures over content. You probably already use this with OpenID Connect (the id token must be signed and optionally encrypted). Transport agnostic! Other applications:
      ✓ Non-repudiation
  18. CONFIDENTIALITY: I don’t want anybody to see the messages exchanged. Data can only be read by the right person/system. Transport agnostic! Multiple recipients:
      ✓ Part of the message goes to target A, another part to target B
  19. USEFUL ACRONYMS
      ✓ JOSE: JavaScript Object Signing and Encryption (IETF standard for JWS and JWE)
      ✓ JWE: JSON Web Encryption
      ✓ JWS: JSON Web Signature
      ✓ JWT: JSON Web Token
      ✓ JWK: JSON Web Key
  20. USEFUL LINKS
      Signing/validating JWT ✓ jwt.io (sponsored by Auth0)
      Building JWK ✓ https://mkjwk.org
      Learning about the topic! ✓ https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3
  21. DATA VALIDATION: payload validation (requests, responses, errors!). Block sensitive data in responses (N26 attack lessons…). Make sure you don’t return too much information in case of errors: too much info for the attacker!
      ✓ Avoid Response.post(exception.printStackTrace)!
  22. AAA (AUTHENTICATION / AUTHORIZATION / AUDIT). Choose grant types wisely:
      ✓ Know the deployment
      ✓ Know who will invoke the APIs
      Use HTTPS across all actors (Resource Server, Authorization Server, Client). Prevent token theft! Look at:
      ✓ PKCE for mobile apps (prevents the authorization_code from being stolen)
      ✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800)
      ✓ Token Binding (new RFC, still in Draft 05)
      Use proven libs and products! Learn, learn and learn…
      ✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce
      ✓ https://alexbilbie.com/guide-to-oauth-2-grants/
      ✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864
  23. RESOURCES
      Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering
      OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
      Source code analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
      Code security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction
      Systems scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
  24. RESOURCES
      SSL setup scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/
      Threat modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling
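The TLS configuration points of slide 13 (protocol floor, cipher suites, verification on every leg, mutual TLS where needed) worked through in Python; this is an added example, not code from the 42Crunch deck. It builds a weak client context beside a hardened one and audits both with the checks a configuration review would apply; the certificate/key paths for mutual TLS are assumed placeholders.

```python
import ssl
from typing import List, Optional

# Suites with these prefixes use (EC)DHE or TLS 1.3 key exchange, i.e. forward secrecy.
FS_PREFIXES = ("ECDHE", "DHE", "TLS_")

def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' setup: low protocol floor, no certificate or hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ssl.HAS_TLSv1:                       # lower the floor only where the build allows it
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.check_hostname = False              # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context(client_cert: Optional[str] = None,
                            client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2+ only, forward-secret AEAD suites, full server verification; pass a
    client cert/key path (assumed placeholders) to enable mutual TLS on the outbound leg."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")   # TLS 1.3 suites are managed separately and stay on
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a review of this context should raise (empty list = clean)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    no_fs = [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith(FS_PREFIXES)]
    if no_fs:
        findings.append("cipher suites without forward secrecy: " + ", ".join(no_fs))
    return findings
```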
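Slide 14 says to leverage OpenAPI for a positive security model. The following added example (not from the deck) does exactly that against a small constructed OpenAPI fragment: only declared paths, methods and parameters pass, undeclared query parameters are refused outright, and declared ones are checked against their schema pattern or enum.

```python
import re
from typing import Dict, List, Optional

# Constructed OpenAPI 3 fragment (not from the deck): whatever is not declared here is denied.
SPEC = {
    "paths": {
        "/accounts/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "string", "pattern": "^[0-9]{1,12}$"}},
                    {"name": "fields", "in": "query", "required": False,
                     "schema": {"type": "string", "enum": ["summary", "full"]}},
                ]
            }
        }
    }
}

def _match_path(template: str, path: str) -> Optional[Dict[str, str]]:
    """Turn '/accounts/{id}' into a regex and return the captured path params, or None."""
    regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
    m = re.match(regex, path)
    return m.groupdict() if m else None

def validate_request(spec: dict, method: str, path: str, query: Dict[str, str]) -> List[str]:
    """Positive model: return the violations; an empty list means the request is allowed."""
    for template, ops in spec["paths"].items():
        path_params = _match_path(template, path)
        if path_params is not None:
            break
    else:
        return ["path not in API definition"]
    op = ops.get(method.lower())
    if op is None:
        return [f"method {method} not allowed on {template}"]
    declared = {(p["in"], p["name"]): p for p in op.get("parameters", [])}
    # anything the definition does not name is rejected, not merely ignored
    violations = [f"undeclared query parameter: {n}" for n in query if ("query", n) not in declared]
    for (loc, name), p in declared.items():
        value = path_params.get(name) if loc == "path" else query.get(name)
        if value is None:
            if p.get("required"):
                violations.append(f"missing {loc} parameter: {name}")
            continue
        schema = p.get("schema", {})
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            violations.append(f"{name} does not match pattern {schema['pattern']}")
        if "enum" in schema and value not in schema["enum"]:
            violations.append(f"{name} not one of {schema['enum']}")
    return violations
```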
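The token validation questions of slide 15 (accepted location, format, signature, expiry, level of assurance) as Python using only the standard library; this is an added example, not from the deck. It assumes HS256 compact JWS tokens, a bearer token accepted only from the Authorization header, and the level of assurance carried as an integer-valued `acr` claim (a convention assumed for the example; real deployments use issuer-defined `acr` values). `mint_hs256` is a constructed helper for producing test tokens, not an issuer implementation.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed issuer stand-in: builds an HS256 compact JWS for the tests below."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def extract_bearer(headers: dict, query: dict) -> str:
    """Only the Authorization header is an accepted location; query-string tokens leak into logs."""
    if "access_token" in query:
        raise ValueError("token in query string not accepted")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    return token

def validate_jwt(token: str, key: bytes, now=None, min_loa: int = 1) -> dict:
    """Check format, algorithm, signature, expiry, then level of assurance (assumed 'acr' claim)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # exactly one expected algorithm; 'none' never passes
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))   # claims are trusted only after the signature check
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if int(claims.get("acr", 0)) < min_loa:
        raise ValueError("level of assurance below required")
    return claims

def rejection_reason(token: str, key: bytes, now=None, min_loa: int = 1):
    """None when the token is accepted, otherwise the reason it was refused."""
    try:
        validate_jwt(token, key, now, min_loa)
        return None
    except ValueError as e:
        return str(e)
```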
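Slide 21 asks for response validation, blocking sensitive data in responses and never returning stack traces. The added example below (not from the deck) applies a positive model to response fields, scans a response body for card numbers (Luhn-checked) and stack-trace text before it leaves the service, and returns a generic error with a correlation id while the exception details go to the server log only. The field allowlist and detectors are constructed for the example.

```python
import logging, re, uuid
from typing import List

log = logging.getLogger("api")

# Constructed allowlist: the only account fields that may ever leave the service.
ACCOUNT_RESPONSE_FIELDS = {"id", "iban_masked", "balance", "currency"}
# Constructed detectors for content that must never appear in a response body.
PAN_RE = re.compile(r"\b\d{13,19}\b")
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "\tat ", "Exception:")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from an ordinary long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def shape_response(record: dict, allowed=ACCOUNT_RESPONSE_FIELDS) -> dict:
    """Positive model for responses: anything not allowlisted is dropped, so a new
    sensitive column in the database never leaks by default."""
    return {k: v for k, v in record.items() if k in allowed}

def scan_for_leaks(value, path: str = "$") -> List[str]:
    """Walk a JSON-like value; report paths holding card numbers or stack traces."""
    findings = []
    if isinstance(value, dict):
        for k, v in value.items():
            findings += scan_for_leaks(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            findings += scan_for_leaks(v, f"{path}[{i}]")
    elif isinstance(value, str):
        if any(m in value for m in STACK_TRACE_MARKERS):
            findings.append(f"{path}: stack trace")
        if any(luhn_ok(m) for m in PAN_RE.findall(value)):
            findings.append(f"{path}: card number")
    return findings

def error_response(exc: Exception, status: int = 500) -> dict:
    """The client gets a generic message and a correlation id; exception text and
    stack trace go to the server log only."""
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s", ref, exc_info=exc)
    return {"status": status, "error": "internal error", "ref": ref}
```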
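Slide 22 points at PKCE for mobile apps to protect the authorization code. The added example below (not from the deck) shows both sides of the S256 exchange: the client derives the code_verifier and code_challenge, and a constructed stand-in authorization server binds the challenge to the code, refuses the `plain` method, makes each code single-use, and only exchanges it when the matching verifier is presented, which is why a code intercepted on its own is useless.

```python
import base64, hashlib, hmac, secrets
from typing import Dict, Tuple

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def generate_pkce_pair() -> Tuple[str, str]:
    """Client side: a 43-char high-entropy code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())

class AuthorizationServer:
    """Constructed stand-in for the AS: the challenge is stored with the issued code and
    the code is exchanged only once, and only by the party that knows the verifier."""
    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":                       # 'plain' offers no protection for a leaked code
            raise ValueError("only S256 accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)        # single use: a replayed code is refused
        if entry is None:
            raise ValueError("unknown or already used code")
        stored_client, challenge = entry
        if stored_client != client_id:
            raise ValueError("client mismatch")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("verifier length out of range")
        expected = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def exchange(asrv: AuthorizationServer, client_id: str, code: str, verifier: str):
    """Return (tokens, None) on success or (None, reason) when the AS refuses the exchange."""
    try:
        return asrv.token(client_id, code, verifier), None
    except ValueError as e:
        return None, str(e)
```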