
API Security: When Failure looks like Success


In the last decade, APIs have become fundamental to our teams, partners, and customers. While we’d like to believe it all happened as a carefully executed plan, let’s be honest… there’s as much luck as foresight in the mix. Luckily, success drives success so we’ve seen things explode in great ways. Unfortunately, that very success has cost us too.

APIs are becoming a consistent and devastating attack vector for applications that store everything from financial records to passport information to what you’re looking for in a date. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.

Keith Casey

August 06, 2019



Transcript

  1. © Okta and/or its affiliates. All rights reserved. Okta Confidential

    API Journey: A Maturity Model
    • Phase 0: Integrate internal systems by introducing Private APIs
    • Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
    • Phase 2: Limited API access to partners, resellers and suppliers
    • Phase 3: Grow these APIs as full fledged products with external developer access. Either monetized directly or to reach new customers and enter new markets.
    Security Team evaluates use cases, interfaces, authentication, access management, etc, etc
  2. API Journey: A Maturity Model

    • Phase 0: Integrate internal systems by introducing Private APIs
    • Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
    • Phase 2: Limited API access to partners, resellers and suppliers
    • Phase 3: Grow these APIs as full fledged products with external developer access. Either monetized directly or to reach new customers and enter new markets.
    The security issue was always there
  3. Three Groups – Always at Odds

    • Front End Developers
    • Back End Developers
    • Security Architects
  4. How do I think like a Bad Guy?

    • Read the news, look at competitors
    • Talk to your legal/compliance teams
    • Talk to your developers about their horror stories
    • Write a Black Mirror episode
  5. What does a Bad Guy want?

    • Valuable data
    • Accessible infrastructure
    • Simple or No authentication or authorization
    • Custom developed auth systems
    • To act undetected/unmonitored
  6. Be Smarter about Data

    • Don’t collect it if you don’t have to
    • Secure it in flight (SSL/TLS)
    • Encrypt it at rest
    Ref: https://www.bbc.com/news/technology-46401890
  8. Authentication vs Authorization

    Diagram actors: Developer or User, API Gateway, Resource Server (RS), Identity Provider (IdP), API Management Dashboard
    1. Developer makes request to API
    2. API returns a 401 Not Authorized
    3. Developer authenticates with Okta
    4. Okta returns an Access Token and Refresh Token (optional)
  9. Token Validation

    Diagram actors: Developer or User, API Gateway, Resource Server (RS), Identity Provider (IdP), API Management Dashboard
    1. Developer uses Access Token for request
    2. Optional: API gateway validates token
    3. Gateway relays request
    4. Optional: API validates token
    5. API returns the response/result to the gateway
    6. API gateway relays response to user
  10. Full Lifecycle API Management (API Gateway Capabilities)

    Lifecycle: What state is it in?
    • How was it designed?
    • How was it built?
    • Is it deployed? To which GWs?
    • Is it live/available?
    Interface: What does it expose?
    • Which resources?
    • Which methods?
    • Which objects?
    • Which fields?
    Access: Who can use it?
    • Which users/groups?
    • How do they authenticate?
    • Using which clients?
    • In what contexts?
    Consumption: How to succeed with it?
    • API Documentation?
    • Debugging/errors?
    • Track usage?
    • Examples/SDKs?
    Business: How does it drive business goals?
    • Partner CRM
    • Monetization
    • Marketing
    • Business Analytics
  14. API Keys are Not Good Enough

    • Not consistent
    • Not scoped
    • Not revocable
    • Included poorly (url vs headers)
  15. A Bad Example

    • curl -X POST 'https://api.company.com/projects?key=abcdef012345' --data '{"name":"My Project", "date_due":"2018-09-14"}'
    • curl -X DELETE 'https://api.company.com/projects/1234?key=abcdef012345'
  16. A Better Example

    • curl -X POST https://api.company.com/projects --header "Authorization: Bearer abcdef012345" --data '{"name":"My Project", "date_due":"2018-09-14"}'
    • curl -X DELETE https://api.company.com/projects/1234 --header "Authorization: Bearer abcdef012345"
  17. Common OAuth/OIDC Specifications

    • OpenID Connect Core 1.0 (spec)
      • Authorization Code, Implicit, and Hybrid flows
    • OpenID Provider Metadata (spec)
    • OAuth 2.0 (RFC 6749)
      • Authorization Code, Implicit, Resource Owner Password, Client Credentials
    • JSON Web Token (RFC 7519)
    • OAuth 2.0 Dynamic Client Registration (RFC 7591)
    • OAuth 2.0 Authorization Server Metadata (spec)
    • OAuth 2.0 Bearer Token Usage (RFC 6750)
    • OAuth 2.0 Multiple Response Types (spec)
    • OAuth 2.0 Form Response Mode (spec)
    • OAuth 2.0 Token Revocation (RFC 7009)
    • OAuth 2.0 Token Introspection (RFC 7662)
    • Proof Key for Code Exchange for OAuth Public Clients (RFC 7636)
  20. Questions to Ask

    • What is the worst thing someone can do with our API?
    • What happens if our competitors get our data?
    • What data do we need to collect & expose?
    • Who are your users now? In a year?
    • How are we monitoring for anomalies and bad behavior?