

apidays New York 2023 - API First Paradigms That Help Secure Your APIs, Raj Umadas, ActBlue

apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023

API First Paradigms That Help Secure Your APIs
Raj Umadas, Sr Platform Security Manager at ActBlue

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

June 29, 2023


Transcript

  1. Intro: Agenda
    • Intro
      ◦ Agenda
      ◦ Who am I
      ◦ Who are you? (I think)
    • The Goods
      ◦ What I mean by “API-First”
      ◦ Where is the opportunity?
      ◦ What questions could we be asking?
    • Q&A
  2. Intro: Who Am I
    • Pentester with a heavy focus on mobile and embedded systems
      ◦ Intrepidus Group 4 Lyfe :)
    • Security Engineer with heavy focus on hyperscale DevSecOps orgs
      ◦ Etsy, Spotify, SquareSpace…
    • Security Architect in some pretty cool niche areas
      ◦ Canary (hardware security camera), Beyond Identity (Passwordless… the future(™))
    • Security Leader at some ‘interesting places’ 🚀🚀
      ◦ WeWork, Compass
    • Currently running the security team at Actblue and advising some awesome security startups!
  3. Intro: Who are you? (I think)
    • From the website: CIOs, CTOs, CDOs, SVPs, VPs, Heads of Innovation, Heads of API, API Architects, Developers, Software Engineers, Infrastructure & Cloud Managers, IT Managers, Product Managers, Consultants & Analysts
    • No security titles :(
    • Historically my stakeholders, not my typical conference audience/teams
    • ***I want to try to share with you ways that YOU can help your security team vs how your security team can help you***
  4. The Good: What I mean by “API-First”
    • A set of agreed-upon approaches and technology to solidify the concept that APIs are the main building block for your backend…
    • Why these agreements?
      ◦ Codify and standardize development and implementation decisions to, hopefully:
      ◦ Speed up development
      ◦ Allow strongly decoupled systems
      ◦ Improve maintainability
    • Help a security team's job be more efficient, more accurate?
      ◦ Possibly
  5. The Good: What I mean by “API-First”
    • Non-exhaustive but illustrative example…
    • API Specification layer
      ◦ Swagger
      ◦ Thrift, Proto
    • Restful resource naming conventions
      ◦ GET|PUT|DELETE http://www.example.com/products/66432
      ◦ GET http://www.example.com/customers/33245/orders/8769/lineitems/1
    • Data Encapsulation/Serialization Layer 7
      ◦ Protobuf
      ◦ JSON
    • Golden Path Frameworks and Middleware
      ◦ Rails
      ◦ Devise
  6. The Good: Where is the Opportunity?
    • Non-exhaustive list but illustrative example…
    • API Specification layer
      ◦ Feed tooling with better base cases (fuzzer, scanning, IDS/IPS)
      ◦ Surface deltas, kicking off async verification flows
    • Restful resource naming conventions
      ◦ Tuning edge protections using URI/URL
      ◦ Routers that can have some powerful middleware/decorators
    • Data Encapsulation/Serialization Layer 7
      ◦ Deeper/more efficient inspection (not just grep) of real-time production traffic
      ◦ Input sanitization libraries
    • Frameworks and Middleware
      ◦ Integrate APMs for security-specific investigations
      ◦ Unit and integration testing tailored for important middleware (i.e. auth)
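The "tuning edge protections using URI/URL", "routers with powerful middleware" and "deeper inspection of traffic" points above can be made concrete in one small piece of code. The following is an added example written for this page, not the speaker's or ActBlue's code: a Rack-style middleware in plain Ruby (it only relies on the `call(env)` contract, so it runs without the rack gem) that takes the resource naming convention from slide 5 as an allowlist of route templates. The templates, the rule that every `:id` segment is numeric, and the per-verb JSON field schemas are all constructed assumptions for the example. Anything that does not match a known resource, a served verb, a well-formed id, or the declared body shape is rejected at the edge before the backend sees it.

```ruby
require "json"
require "stringio"

# Route templates derived from the RESTful naming convention (slide 5).
# Constructed for this example: every :id segment must be numeric, each
# template lists the verbs the API actually serves, and write verbs carry
# the JSON fields the body may contain together with their expected types.
ROUTES = [
  { template: "/products/:id",
    verbs: { "GET" => nil, "PUT" => { "name" => String, "price_cents" => Integer }, "DELETE" => nil } },
  { template: "/customers/:id/orders/:id/lineitems/:id",
    verbs: { "GET" => nil } },
].freeze

# Bounded digits only: no letters, no punctuation, no absurdly long ids.
ID_SEGMENT = /\A\d{1,12}\z/

# Compile a template such as "/products/:id" into an anchored regexp whose
# capture groups are the id segments.
def compile(template)
  i = 0
  pattern = template.split("/").reject(&:empty?).map do |seg|
    if seg == ":id"
      i += 1
      "(?<id#{i}>[^/]+)"
    else
      Regexp.escape(seg)
    end
  end.join("/")
  Regexp.new("\\A/#{pattern}/?\\z")
end

COMPILED = ROUTES.map { |r| r.merge(regexp: compile(r[:template])) }.freeze

# Minimal Rack-style middleware: call(env) returns [status, headers, body].
# Requests are checked against the convention in order: known resource,
# served verb, well-formed ids, then (for write verbs) the JSON body shape.
class ConventionGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    path, verb = env["PATH_INFO"], env["REQUEST_METHOD"]
    route = COMPILED.find { |r| r[:regexp].match?(path) }
    return reply(404, "unknown resource") unless route
    return reply(405, "verb not served for resource") unless route[:verbs].key?(verb)

    ids = route[:regexp].match(path).captures
    return reply(400, "malformed id") unless ids.all? { |id| ID_SEGMENT.match?(id) }

    schema = route[:verbs][verb]
    if schema
      body = begin
        JSON.parse(env["rack.input"].read)
      rescue JSON::ParserError
        return reply(400, "body is not JSON")
      end
      return reply(400, "body must be an object") unless body.is_a?(Hash)
      unknown = body.keys - schema.keys
      return reply(400, "unknown fields: #{unknown.join(', ')}") unless unknown.empty?
      bad = body.reject { |k, v| v.is_a?(schema[k]) }.keys
      return reply(400, "wrong type for: #{bad.join(', ')}") unless bad.empty?
    end
    @app.call(env)
  end

  private

  def reply(status, msg)
    [status, { "content-type" => "application/json" }, [JSON.generate(error: msg)]]
  end
end

# Constructed backend: it only reports that a request made it through the guard.
BACKEND = ->(env) { [200, { "content-type" => "application/json" }, [JSON.generate(ok: env["PATH_INFO"])]] }
GUARD = ConventionGuard.new(BACKEND)

# Build a Rack env for a constructed request and return the resulting status.
def status_for(verb, path, body = nil)
  env = { "REQUEST_METHOD" => verb, "PATH_INFO" => path, "rack.input" => StringIO.new(body.to_s) }
  GUARD.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  [["GET", "/products/66432"],
   ["GET", "/customers/33245/orders/8769/lineitems/1"],
   ["POST", "/products/66432"],                                   # verb not in the convention
   ["GET", "/products/66432abc"],                                 # id is not numeric
   ["GET", "/admin/users"],                                       # resource not in the convention
   ["PUT", "/products/66432", '{"name":"x","price_cents":100}'],
   ["PUT", "/products/66432", '{"name":"x","is_admin":true}'],    # unknown field
   ["PUT", "/products/66432", '{"price_cents":"100"}']].each do |verb, path, body|
    puts "#{verb.ljust(4)} #{path.ljust(45)} -> #{status_for(verb, path, body)}"
  end
end
```

Because the allowlist is generated from the same convention the developers already follow, the guard can be regenerated whenever the route table changes instead of being hand-maintained, which is the point of letting API-first tactics feed security tooling.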
  7. The Good: What questions could we be asking?
    • What are your org's API-first tactics?
      ◦ API Specification layer
      ◦ Restful resource naming conventions
      ◦ Data Encapsulation/Serialization Layer 7
      ◦ Frameworks and Middleware
    • What are your org's methods to encourage/enforce your tactics?
      ◦ Peer reviews
      ◦ Code generation
      ◦ Design/Arch reviews
      ◦ Heavily supported Golden Paths
    • How does ANY of your existing security tooling take advantage of your org's tactics, or how is it guarded by your org's methods of encouraging/adopting API-first tactics?
      ◦ How was the last vulnerability reported to your team discovered?
      ◦ How was the last comment in a PR programmatically generated?
      ◦ How did the last “security incident” rely on API conventions and configs to make triaging and investigations easier?
  8. The Good: What questions could we be asking?
    • How was the last vulnerability reported to your team discovered?
      ◦ A security scanner that consumes your route definitions, so that it scans only the routes, verbs and params you know the API matches, was used to find an unauthenticated POST on an endpoint that historically only had unauthenticated GETs.
    • How was the last comment in a PR programmatically generated?
      ◦ The security code scanning tool has a number of detections written that can tell, from an API's inheritance structure, whether it generates HTML or JSON output, and flag when the correct output encoding library calls are missing before a return.
    • How did the last “security incident” rely on API conventions and configs to make triaging and investigations easier?
      ◦ The security team, in partnership with the search team, was able to add a number of traffic shaping rules to the edge API gateway to block highly likely malicious requests that triggered long-running transactions in the backend and would have caused a denial of service for all users.
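The unauthenticated-POST finding above, and the "surface deltas, kicking off async verification flows" item on slide 6, both come down to diffing the API specification layer between two revisions and ranking what changed. The following is an added example written for this page, not the speaker's or ActBlue's scanner: a plain-Ruby diff of two minimal OpenAPI-style documents. The two specs are constructed inline so the script runs offline (a real pipeline would load the committed spec file); the severity rules are this example's own assumptions. It flags any operation that appears without an authentication requirement, treats a new unauthenticated write verb as the highest-priority delta, and also catches an existing operation whose auth requirement was removed.

```ruby
require "json"

# Constructed "before" and "after" revisions of a minimal OpenAPI-style spec.
# OpenAPI semantics used here: an operation with "security": [] is explicitly
# unauthenticated; an operation without "security" inherits the top-level default.
SPEC_BEFORE = JSON.parse(<<~JSON)
  {
    "paths": {
      "/products/{id}": {
        "get": { "security": [] },
        "put": { "security": [{ "bearerAuth": [] }] }
      },
      "/customers/{id}/orders": {
        "get": { "security": [{ "bearerAuth": [] }] }
      }
    }
  }
JSON

SPEC_AFTER = JSON.parse(<<~JSON)
  {
    "paths": {
      "/products/{id}": {
        "get": { "security": [] },
        "put": { "security": [{ "bearerAuth": [] }] },
        "post": { "security": [] }
      },
      "/customers/{id}/orders": {
        "get": { "security": [{ "bearerAuth": [] }] },
        "delete": { "security": [{ "bearerAuth": [] }] }
      },
      "/health": {
        "get": { "security": [] }
      }
    }
  }
JSON

# Verbs that should not change state; an unauthenticated read is lower risk
# than an unauthenticated write (assumption of this example's ranking).
SAFE_METHODS = %w[get head options].freeze

# Flatten a spec into { [path, verb] => auth_required? }.
def operations(spec)
  default = spec.fetch("security", []).any?
  spec.fetch("paths", {}).each_with_object({}) do |(path, verbs), ops|
    verbs.each do |verb, op|
      next unless op.is_a?(Hash) # skip path-level keys such as "parameters"
      auth = op.key?("security") ? op["security"].any? : default
      ops[[path, verb.downcase]] = auth
    end
  end
end

# Diff two revisions and return one finding per changed operation.
def spec_delta(before, after)
  old_ops = operations(before)
  new_ops = operations(after)
  findings = []
  new_ops.each do |(path, verb), auth|
    if !old_ops.key?([path, verb])
      severity = if !auth && !SAFE_METHODS.include?(verb)
        :high    # new unauthenticated write verb, e.g. POST on a read-only resource
      elsif !auth
        :medium  # new unauthenticated read
      else
        :info    # new operation that requires auth
      end
      findings << { path: path, verb: verb, change: :added, auth: auth, severity: severity }
    elsif old_ops[[path, verb]] && !auth
      findings << { path: path, verb: verb, change: :auth_removed, auth: false, severity: :high }
    end
  end
  (old_ops.keys - new_ops.keys).each do |path, verb|
    findings << { path: path, verb: verb, change: :removed, auth: old_ops[[path, verb]], severity: :info }
  end
  findings
end

# The subset that should block a merge or kick off a verification job.
def high_findings(before, after)
  spec_delta(before, after).select { |f| f[:severity] == :high }
end

if __FILE__ == $PROGRAM_NAME
  spec_delta(SPEC_BEFORE, SPEC_AFTER).each do |f|
    puts "#{f[:severity].to_s.upcase.ljust(6)} #{f[:change]} #{f[:verb].upcase} #{f[:path]} (auth: #{f[:auth]})"
  end
end
```

Run against the constructed revisions, the diff reports the new unauthenticated `POST /products/{id}` as high, the new unauthenticated `GET /health` as medium, and the authenticated `DELETE` as informational. Wiring `high_findings` into CI gives the "async verification flow" from slide 6 a precise trigger: only the operations whose exposure actually changed get scanned or reviewed, rather than the whole API on every deploy.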
  9. The Good: What questions could we be asking?
    • Does the existing security team have the capability to leverage the developer productivity tooling your API-first tactics provide?
    • Does the existing security team know what they are?
    • Do your dev teams understand the philosophy used by your security team to protect your org, or your APIs?
    • Has someone explicitly tried to ensure the two worlds are intermixing?
    • I really believe that if you ask and explore these questions with API- and security-focused engineers, a lot of synergies will be identified for some fun and impactful collaborations.