apidays
December 18, 2023

apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon Andrews, Terem

apidays Australia 2023 - Platforms, Products, and People: The Power of APIs
October 11 & 12, 2023
https://www.apidays.global/australia/

The Swiss Cheese Model of Layered API Security
Leon Andrews, Principal, APIs & Platform Engineering at Terem

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Transcript

  1. About me
     • 1996 - MSc Information Systems & Technology + Perl
     • 1997 - NetChannel UK - WebTV startup
     • 1998 - jobnet.com.au - Australia’s first commercial web services?
     • 2001 - RecuitASP & HRX - Disruptive SaaS recruitment and HR
     • 2012 onwards - Consulting in digital, mobility, integration, APIs, platform engineering…
     • Currently heading up Terem's API and Platform Engineering business in ANZ
  2. Terem
     Terem is a product development and strategy firm that works for enterprises, tech companies and Government. We’re most valuable when we run strategy and product development iteratively, working towards a commercial outcome. We’re based across Australia and New Zealand.
  3. The Swiss Cheese Model
     • The model depicts a system as a stack of slices of Swiss cheese, with each slice representing a barrier or safeguard against failure.
     • Developed by James Reason, a British psychologist, in the 1990s as a metaphor for how complex systems can fail.
     • Holes in the cheese represent weaknesses in the barriers.
     • The holes are randomly distributed, so they don’t always align.
     • When the holes in the slices align, a hazard can pass through all of the barriers and cause a failure.
  4. The Swiss Cheese Model
     Based on the idea that incidents are usually the result of a combination of factors:
     • Human errors
     • Bad actors
     • System failures
     • Environmental conditions
     The model can also be used to identify the different layers of protection in a system and to assess the effectiveness of those layers.
  5. Wikipedia’s example
     Wikipedia has this diagram as their example. Notice there are two types of cheese, and we’ll borrow that idea.
     • Each layer has holes, and some layers are even slightly broken.
     • Multiple layers improve the chance of protection from the virus.
  6. Applying this to API Security
     Our layers of Swiss cheese have to cover a lot:
     • We’re protecting against a wide range of threats:
       ◦ Mostly from “bad actors” with specific intent
     • But also dealing with:
       ◦ Human traits such as…
         ▪ Skill levels / intelligence
         ▪ Motivation / energy
         ▪ Boredom / interest / laziness
         ▪ Appreciation / appetite for risk
       ◦ Mistakes - poor execution
       ◦ Time - rushed execution
       ◦ Exploitable bugs in software platforms
       ◦ Unknown unknowns
  7. The OWASP API Security Top 10 risks…
     It’s tempting to think that because these are “API security risks”, the focus needs to be on “the APIs”. The Swiss Cheese Model helps us think about this differently: many of these risks are not particularly API-specific; they apply more broadly.
  8. Our two cheese types
     • Technology Swiss Cheese
       ◦ Hardware and software systems
       ◦ Frameworks that operate on these systems
     • Human Swiss Cheese
       ◦ Business drivers
       ◦ Mindset and motivation
  9. Network Layer
     • DNS / IP configuration
     • Web Application Firewall (WAF)
     • Load balancing
     • Cloud-specific environment configuration
  10. Auth Layer
     • Authentication & authorisation across every OSI layer, 1 to 7
     • How well is this baked into your API request & response flow?
     • From basic HTTP authentication to mutual TLS and everything in between
     • Affects access to run APIs, but also APIs calling other resources, internal and external developers accessing platforms, and admins running the platforms
  11. Protocol Layer
     • The protocols in place to determine access to APIs, and how well they are used
     • API specifications and their contents
     • Ensuring APIs are succinctly described and precise in their scope
     • This may be where some obfuscation can be used
     • Acting as an initial barrier to entry, not a substitute for the auth and service layers behind it
  12. Technology Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer
  13. Gateway Layer
     • The actual server that’s processing the API requests
     • API proxy: appraising requests, triggering service calls, returning responses
     • Following rules about how traffic can flow
     • Does a lot of the heavy lifting
     • Can also provide clues to an attacker
  14. Technology Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer
  15. Monitoring Layer
     • Monitoring and alerting when issues arise
     • Needs to be well focused - may need to cover 1000s of scenarios
     • Some platforms now feature AI tools to help detect issues
     • API platforms typically provide analytics engines to read the data
  16. Technology Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer
  17. CI/CD Layer
     • Build and test automation
     • Ensuring APIs are well formed
     • Critical testing layer that implements policy and ensures adherence
     • Automated code generation
     • Automated resource provisioning
  18. Technology Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer
  19. API Platform Layer
     • Configuration tools
       ◦ Rate limiting / quotas / throttling
       ◦ Input parsing & transformation
       ◦ Authorisation
       ◦ Flows
       ◦ Policies
       ◦ Products
       ◦ Payments
       ◦ Versioning
     • Developer tools / IDE
     • Developer portal
  20. Technology Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer
  21. Service Layer
     • Applications
     • Databases
     • Microservices
     • Integrated SOA services
     • SaaS componentry
     • Third-party systems
  22. Technology Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer
  23. Human Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer
     • Human Swiss Cheese: Developer Documentation layer
  24. Developer Documentation Layer
     • API development guidelines
     • How-tos, FAQs and knowledge bases
     • Well-written API specs
  25. Human Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer
     • Human Swiss Cheese: Developer Documentation layer, Operating Model layer
  26. Operating Model Layer
     • How the business manages its API program
     • How it facilitates the API lifecycle from ideation through to implementation and operations
     • APIs as products
     • How the business empowers and manages its engineers
     • How the business uses API analytics to inform its decision-making
  27. Human Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer
     • Human Swiss Cheese: Developer Documentation layer, Operating Model layer, Business Mindset layer
  28. Business Mindset Layer
     • How the business promotes API security internally
     • How it demonstrates its understanding of security
     • How the culture of IT security is embedded from the top down
  29. Human Swiss Cheese
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer
     • Human Swiss Cheese: Developer Documentation layer, Operating Model layer, Business Mindset layer, Bonus layer - Community
  30. Bonus Layer - Community
     • The API community!
     • White hats
     • Bug bounties
     • Bloggers
     • Researchers
     • Evangelists
  31. Building up the layers
     • Technology Swiss Cheese: Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer
     • Human Swiss Cheese: Developer Documentation layer, Operating Model layer, Business Mindset layer, Bonus layer - Community
  32. Just another API-based system
     Assumptions:
     1. The APIs are meant to be called by an app that’s running on a device, but are easy enough to discover
     2. Traffic is load balanced and passes through a firewall
     3. Requests are authenticated, and authorisation is checked for data access
     4. There may be a few versions of the API in production, to support legacy apps
     5. The API endpoint is hosted in the public cloud
     6. Its proxy has been deployed using a SaaS API gateway that resides inside any number of virtualised groups
  33. Swiss Cheese in Action
     Let’s focus on three examples that appear in the OWASP Top 10 lists, and how the Swiss Cheese Model gives us a different way to think about them…
     1. An attacker trying to gain unauthorised access to run APIs
     2. An attacker trying to exploit obvious patterns in IDs and codes through an enumeration attack
     3. An attacker trying to insert SQL into your API to trick a database into performing an action: a SQL injection attack
  34. Attack 1: Gaining unauthorised access
     • An attacker is attempting to gain access to information that their identity should not allow them to see
     • The request might look legitimate enough; they may already have an account
     • Or the attacker may be trying to brute-force IDs or passwords to log in to different accounts
  35. Attack 1: Gaining unauthorised access
     • Technology Swiss Cheese
       ◦ Network layer - WAF does nothing; the request looks normal
       ◦ Auth layer - Detects the unauthorised access attempt
       ◦ Protocol layer - Defines how tight the auth requirements are
       ◦ Gateway layer - Blocks the unauthorised access attempt
       ◦ Monitoring layer - Detects unusual params, traffic patterns and auth attempts
       ◦ CI/CD layer - Prevents code without the necessary auth from being deployed
       ◦ API Platform layer - Provides tools to implement the auth model
       ◦ Service Layer - Provides deeper auth checks on apps and services
     • Human Swiss Cheese
       ◦ Developer Documentation layer - Educates developers on auth policy
       ◦ Operating Model layer - Ensures auth best practices are in place
       ◦ Business Mindset layer - Inspires adoption of auth best practices
       ◦ Community layer - Educates and innovates on API auth
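Two of the slices in the Attack 1 stack are worth seeing as code: the service-layer "deeper auth check" and the monitoring rule over auth attempts. The Python below is an added example written for this page, not code from the deck or from Terem. It shows an object-level authorisation check (a valid token is necessary; ownership of the account or an admin scope is what actually grants the read) and a monitoring rule that counts failed logins per client IP over a gateway access log. The account records, the scope names, the `/v1/login` route and every log line are constructed assumptions for illustration.

```python
"""Attack 1, two slices at once: an object-level authorisation check at the
service layer and a monitoring rule that counts failed logins per client.
Added example for this deck, not Terem's code; account data, scope names,
the /v1/login route and the log lines are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed account store; a real service would query a database.
ACCOUNTS = {
    "acc-100": {"owner": "alice", "balance": 1200},
    "acc-101": {"owner": "bob", "balance": 55},
}


@dataclass(frozen=True)
class Principal:
    """What the auth layer hands to the service after validating the token."""
    subject: str
    scopes: frozenset


class Forbidden(Exception):
    pass


def get_account(principal: Principal, account_id: str) -> dict:
    """Service-layer check. A valid token proves who the caller is; it does
    not prove the caller may see this particular account."""
    if "accounts:read" not in principal.scopes:
        raise Forbidden("missing scope accounts:read")
    account = ACCOUNTS.get(account_id)
    if account is None:
        # Same answer for "does not exist" and "not yours" (below), so the
        # response does not tell the caller which account IDs are real.
        raise Forbidden("account not accessible")
    if account["owner"] != principal.subject and "accounts:admin" not in principal.scopes:
        raise Forbidden("account not accessible")
    return account


def decision(principal: Principal, account_id: str) -> str:
    """Allow/deny view of get_account, handy for audit logs and tests."""
    try:
        get_account(principal, account_id)
        return "allow"
    except Forbidden:
        return "deny"


# Constructed gateway access log: timestamp client_ip method path status.
SAMPLE_LOG = """\
2023-10-11T09:00:01Z 203.0.113.7 POST /v1/login 401
2023-10-11T09:00:02Z 203.0.113.7 POST /v1/login 401
2023-10-11T09:00:02Z 198.51.100.2 POST /v1/login 401
2023-10-11T09:00:03Z 203.0.113.7 POST /v1/login 401
2023-10-11T09:00:04Z 198.51.100.2 POST /v1/login 200
2023-10-11T09:00:04Z 203.0.113.7 POST /v1/login 401
2023-10-11T09:00:05Z 203.0.113.7 POST /v1/login 401
2023-10-11T09:00:06Z 203.0.113.7 POST /v1/login 200
2023-10-11T09:00:07Z 203.0.113.7 GET /v1/accounts/acc-101 403
"""


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, ip, method, path, status = line.split()
        rows.append({"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status)})
    return rows


def login_failure_alerts(rows: list, threshold: int = 5) -> list:
    """Monitoring-layer rule: client IPs with at least `threshold` failed
    logins in the sample. A run of 401s followed by a 200 is what a
    brute force that finally worked looks like."""
    failures = defaultdict(int)
    for r in rows:
        if r["path"] == "/v1/login" and r["status"] == 401:
            failures[r["ip"]] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"accounts:read"}))
    bob = Principal("bob", frozenset({"accounts:read"}))
    print("alice -> acc-100:", decision(alice, "acc-100"))
    print("bob   -> acc-100:", decision(bob, "acc-100"))
    print("alerts:", login_failure_alerts(parse_log(SAMPLE_LOG)))
```

The last log line is the one to correlate: the client that brute-forced a login is now getting a 403 on somebody else's account, which is exactly the holes-lining-up case the model describes. A production rule should count within a sliding time window rather than over a whole log, and should also treat a high 403 rate from one token as a signal in its own right.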
  36. Attack 2: Enumeration
     • An attacker already has access to the system
     • They’re trying to manipulate API calls by guessing identifiers in the request
     • Or they may be trying to harvest data to look for patterns in identifiers
  37. Attack 2: Enumeration
     • Technology Swiss Cheese
       ◦ Network layer - Does nothing; the request looks normal
       ◦ Auth layer - Does nothing; the request looks normal
       ◦ Protocol layer - Helps define a sensible API taxonomy
       ◦ Gateway layer - Does nothing; the request looks normal
       ◦ Monitoring layer - Detects unusual request parameters or traffic patterns
       ◦ CI/CD layer - Prevents code that exposes sequential IDs from being deployed
       ◦ API Platform layer - Provides tools to translate vulnerable IDs
       ◦ Service Layer - Provides tools to translate IDs or use alternative ID schemes
     • Human Swiss Cheese
       ◦ Developer Documentation layer - Educates developers on ID policy
       ◦ Operating Model layer - Ensures ID best practices are in place
       ◦ Business Mindset layer - Inspires adoption of ID best practices
       ◦ Community layer - Educates and innovates on API security
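Two slices of the Attack 2 stack in working form: the ID translation the platform and service layers are asked to provide, and the CI/CD policy that refuses to ship sequential IDs. The Python below is an added example written for this page, not code from the deck or from Terem. It issues public identifiers as a counter plus a keyed HMAC tag, so that bumping the counter (what an enumeration attempt does) yields an ID the service rejects, and it lints a small OpenAPI fragment for path parameters typed as bare integers. The key, the tag length, the spec fragment and its parameter names are constructed assumptions.

```python
"""Attack 2, two slices: signed public identifiers that cannot be stepped
through by incrementing, and a CI/CD check that fails a build whose OpenAPI
spec exposes integer path parameters.
Added example for this deck, not Terem's code. The key, the tag length, the
spec fragment and the parameter names are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac
import struct

# Assumption: in a real deployment this comes from a secret store and is rotated.
ID_KEY = b"demo-key-replace-me"
TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the tag


def public_id(internal_id: int, key: bytes = ID_KEY) -> str:
    """Translate a sequential database key into an external ID:
    8-byte counter || truncated HMAC, base64url without padding."""
    raw = struct.pack(">Q", internal_id)
    tag = hmac.new(key, raw, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(raw + tag).rstrip(b"=").decode("ascii")


def internal_id(pub: str, key: bytes = ID_KEY):
    """Reverse of public_id. Returns None for anything we did not issue,
    which is what an incremented or guessed ID looks like to the service."""
    try:
        data = base64.urlsafe_b64decode(pub + "=" * (-len(pub) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(data) != 8 + TAG_LEN:
        return None
    raw, tag = data[:8], data[8:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">Q", raw)[0]


def step_counter(pub: str, delta: int = 1) -> str:
    """What an enumeration attempt does to a signed ID: keep the tag, bump
    the counter. The result fails verification in internal_id()."""
    data = base64.urlsafe_b64decode(pub + "=" * (-len(pub) % 4))
    n = struct.unpack(">Q", data[:8])[0] + delta
    return base64.urlsafe_b64encode(struct.pack(">Q", n) + data[8:]).rstrip(b"=").decode("ascii")


# Constructed OpenAPI fragment, the shape a CI/CD policy check would lint.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/accounts/{accountId}": {
            "get": {"parameters": [{"name": "accountId", "in": "path", "required": True,
                                    "schema": {"type": "integer"}}]}
        },
        "/orders/{orderRef}": {
            "parameters": [{"name": "orderRef", "in": "path", "required": True,
                            "schema": {"type": "string", "pattern": "^[A-Za-z0-9_-]{32}$"}}]
        },
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def guessable_path_params(spec: dict) -> list:
    """CI/CD-layer policy: a path parameter typed as a bare integer is a
    sequential-ID smell. Returns (path, parameter name) pairs; a non-empty
    list fails the build."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        params = list(item.get("parameters", []))
        for method in HTTP_METHODS:
            params.extend(item.get(method, {}).get("parameters", []))
        for p in params:
            if p.get("in") == "path" and p.get("schema", {}).get("type") == "integer":
                findings.append((path, p["name"]))
    return findings


if __name__ == "__main__":
    issued = public_id(42)
    print("issued:", issued, "->", internal_id(issued))
    print("stepped:", step_counter(issued), "->", internal_id(step_counter(issued)))
    print("spec findings:", guessable_path_params(SPEC))
```

The signed form stops guessing but still carries the counter in the clear, so it reveals ordering and volume; if that is sensitive, issue a random identifier (for example `secrets.token_urlsafe`) and store it with the record instead. Either way an unguessable ID is a barrier, not an authorisation check: the service still has to confirm the caller may read the object behind it.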
  38. Attack 3: SQL Injection
     • An attacker already has access to the system
     • They know that down the line, services are interacting with a legacy RDBMS
     • They know of 100s of ways to try to exploit vulnerabilities
  39. Attack 3: SQL Injection
     • Technology Swiss Cheese
       ◦ Network layer - Does nothing; the request looks normal
       ◦ Auth layer - Does nothing; the request looks normal
       ◦ Protocol layer - Helps define a sensible API taxonomy
       ◦ Gateway layer - Validates request parameters and filters out SQL fragments
       ◦ Monitoring layer - Alerted to the SQL injection attempt
       ◦ CI/CD layer - Prevents code with a SQL vulnerability from being deployed
       ◦ API Platform layer - Provides tools to parse inputs for SQL injection
       ◦ Service Layer - Provides tools to prevent execution of dynamic SQL
     • Human Swiss Cheese
       ◦ Developer Documentation layer - Educates devs on the use of dynamic SQL
       ◦ Operating Model layer - Ensures dynamic SQL best practices are in place
       ◦ Business Mindset layer - Inspires adoption of SQL best practices
       ◦ Community layer - Educates and innovates on API security
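The Attack 3 stack relies on two independent slices: input parsing at the gateway or platform layer, and the service layer refusing to build dynamic SQL. The Python below is an added example written for this page, not code from the deck or from Terem. It puts a deliberately vulnerable lookup (value spliced into the statement text) beside the parameterised one, and in front of both a gateway-style allow-list check on the parameter's shape, run against one tautology payload. The `users` table, its rows and the email pattern are constructed assumptions; the database is an in-memory SQLite instance.

```python
"""Attack 3, two slices: allow-list input validation at the gateway/platform
layer and parameterised queries at the service layer, against a tautology
payload. Added example for this deck, not Terem's code; the users table and
its rows are constructed, held in an in-memory SQLite database."""
import re
import sqlite3


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable: the caller's value becomes part of the SQL."""
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT email, role FROM users WHERE email = ?", (email,)).fetchall()


# Gateway/platform slice: allow-list the parameter's shape. This is not an
# SQL-keyword blocklist; it rejects anything that is not a plausible email.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def gateway_accepts(email: str) -> bool:
    return len(email) <= 254 and EMAIL_RE.fullmatch(email) is not None


def new_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the legacy RDBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", [
        ("alice@example.com", "user"),
        ("bob@example.com", "user"),
        ("ops@example.com", "admin"),
    ])
    conn.commit()
    return conn


# The classic tautology: turns WHERE email = '' OR '1'='1' into "every row".
PAYLOAD = "' OR '1'='1"

DB = new_db()


def lookup(conn: sqlite3.Connection, email: str):
    """Both slices stacked: the gateway drops malformed input, and the
    service still binds the parameter in case the gateway slice has a hole.
    Returns None when the gateway rejects the request."""
    if not gateway_accepts(email):
        return None
    return find_user_safe(conn, email)


if __name__ == "__main__":
    print("vulnerable + payload:", find_user_vulnerable(DB, PAYLOAD))
    print("parameterised + payload:", find_user_safe(DB, PAYLOAD))
    print("gateway accepts payload:", gateway_accepts(PAYLOAD))
    print("stacked lookup of bob:", lookup(DB, "bob@example.com"))
```

The vulnerable function returns all three rows for the payload; the parameterised one returns none, because the whole string is compared as a literal. The shape check is the gateway's contribution and is deliberately an allow-list: a blocklist of SQL keywords is the kind of slice that looks solid and has holes in it, whereas the bound parameter holds even when the validator is bypassed.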
  40. What we see happening… Without thinking about layers
     • Security is often done at the wrong point
     • Assumptions are made about whose job this is
     • The technical and human pieces don’t line up
     • There’s no holistic API operating model
     • Human behaviour is vastly under-considered
     Typical refrains:
     • “Block everything with the WAF!”
     • “CEO has taken the finest security course available”
     • “Another team owns these legacy services”
     • “People and Culture have provided you with a training budget”
     • “Just get it done quickly on this under-configured API gateway”
     • “The docs are in Confluence!”
  41. What we see happening…
     • Technology Swiss Cheese
       ◦ Network layer - Trying to detect everything at the WAF
       ◦ Auth layer - Basic auth, shared accounts, broad permissions
       ◦ Protocol layer - API taxonomy not tightly defined
       ◦ Gateway layer - Configured for throughput, not security
       ◦ Monitoring layer - Focused on system warnings, not security events
       ◦ CI/CD layer - Basic linting / warnings but nothing enforced
       ◦ API Platform layer - Capabilities applied sparsely and inconsistently
       ◦ Service Layer - Legacy / third-party services executed without question
     • Human Swiss Cheese
       ◦ Developer Documentation layer - Scant guidelines, inconsistent style
       ◦ Operating Model layer - No genuine end-to-end view of the API program
       ◦ Business Mindset layer - Security is a technical IT problem
       ◦ Community layer - Reactive search over active participation
  42. What should be happening… Thinking about layers
     • Accepting you can’t detect every attack with one tool
     • Allowing each layer to do its job
     • Spending the time to unite your teams to instil security at every layer
     • Making use of everything that your API platform and other tools provide
     • Making sure engineers and the business have the time to focus on each layer
  43. What a good stack of cheese looks like
     • Technology Swiss Cheese - constantly iterating and evolving
       ◦ Network layer - WAF detecting unusual traffic patterns and alerting you
       ◦ Auth layer - A modern framework with real-time control
       ◦ Protocol layer - Taxonomy specifying APIs succinctly and giving nothing away
       ◦ Gateway layer - Configured to use every provided security tool
       ◦ Monitoring layer - Extensive coverage across every layer, proactive alerting
       ◦ CI/CD layer - Rigid, extensive test automation against mandatory criteria
       ◦ API Platform layer - Security framework applied universally from the top down
       ◦ Service Layer - Services executed with extreme caution
     • Human Swiss Cheese - staying in front of the curve
       ◦ Developer Documentation layer - Full API dev guidelines, made easy to follow
       ◦ Operating Model layer - Governance across the whole API lifecycle
       ◦ Business Mindset layer - Instilling a security-first mindset
       ◦ Community layer - Active participation in the community!