API Security: When Failure looks like Success

When Failure Looks Like Success API Security D. Keith Casey,
Jr. API Problem Solver

© Okta and/or its affiliates. All rights reserved. Okta Confidential
2 Who Am I?

3 Who Am I?

4 Who Am I?

5 Who Am I?

6 Who Am I?

So let’s talk about Failure

9 API Journey: A Maturity Model 9 Phase 0 Integrate internal systems by introducing Private APIs Internal advocacy & collaboration for internal APIs and CoE/Governance Phase 2 Limited API access to partners, resellers and suppliers Phase 3 Grow these APIs as full fledged products with external developer access Either monetized directly or to reach new customers and enter new markets. Security Team evaluates use cases, interfaces, authentication, access management, etc, etc Phase 1

10 API Journey: A Maturity Model 10 Phase 0 Integrate internal systems by introducing Private APIs Internal advocacy & collaboration for internal APIs and CoE/Governance Phase 2 Limited API access to partners, resellers and suppliers Phase 3 Grow these APIs as full fledged products with external developer access Either monetized directly or to reach new customers and enter new markets. The security issue was always there Phase 1

Three Groups – Always at Odds Front End Developers Back End Developers Security Architects

What is API Security?

Aspect #1: We expose only the interfaces which we intend.

Aspect #2: We share and accept only the data which
we intend.

Aspect #3: We grant access only to the people or
systems we intend.

Approach #1: Trust our End Users

No, I’m kidding. Unqualified trust is not security. No, I’m
kidding.

Approach #2: Use an API Gateway

Wait.. We’re talking about tools. What if we have the
wrong mindset?

Aspect #0: Think like a Bad Guy.

• Read the news, look at competitors • Talk to your legal/compliance teams • Talk to your developers about their horror stories • Write a Black Mirror episode How do I think like a Bad Guy?

• Valuable data • Accessible infrastructure • Simple or No authentication or authorization • Custom developed auth systems • To act undetected/unmonitored What does a Bad Guy want?

Be Smarter about Data

Be Smarter about Data • Don’t collect it if you don’t have to • Secure it in flight (SSL/TLS) • Encrypt it at rest 25 Ref: https://www.bbc.com/news/technology-46401890

Use the Right Tools

28 Authentication vs Authorization API Management Dashboard Resource Server (RS) Identity Provider API Gateway 1 4 2 3 Developer or User 1. Developer makes request to API 2. API returns a 401 Not Authorized 3. Developer authenticates with Okta 4. Okta returns an Access Token and Refresh Token (optional) IdP

29 Token Validation API Management Dashboard Resource Server (RS) Identity Provider API Gateway 1 4 2 3 6 5 Developer or User 1. Developer uses Access Token for request 2. Optional: API gateway validates token 3. Gateway relays request 4. Optional: API validates token 5. API returns the response/result to the gateway 6. API gateway relays response to user IdP

Full Lifecycle API Management Lifecycle What state is it in?
• How was it designed? • How was it built? • Is it deployed? • To which GWs? • Is it live/available? Interface What does it expose? • Which resources? • Which methods? • Which objects? • Which fields? Access Who can use it? • Which users/groups? • How do they authenticate? • Using which clients? • In what contexts? Consumption How to succeed with it? • API Documentation? • Debugging/errors? • Track usage? • Examples/SDKs? Business How does it drive business goals? • Partner CRM • Monetization • Marketing • Business Analytics API Gateway Capabilities

Stick to the standards

API Keys are Not Good Enough • Not consistent • Not scoped • Not revocable • Included poorly (url vs headers)

A Bad Example • curl –X POST https://api.company.com/projects?key=abcdef012345 --data ‘{“name”:”My Project”, “date_due”:”2018-09-14”}’ • curl –X DELETE https://api.company.com/projects/1234?key=abcdef012345 36

A Better Example • curl –X POST https://api.company.com/projects --header “Authorization: Bearer abcdef012345” --data ‘{“name”:”My Project”, “date_due”:”2018-09-14”}’ • curl –X DELETE https://api.company.com/projects/1234 --header “Authorization: Bearer abcdef012345” 37

OAuth 2.0 - Hotel key cards, but for apps

40 • OpenID Connect Core 1.0 (spec) • Authorization Code, Implicit, and Hybrid flows • OpenID Provider Metadata (spec) • OAuth 2.0 (RFC 6749) • Authorization Code, Implicit, Resource Owner Password, Client Credentials • JSON Web Token (RFC 7519) • OAuth 2.0 Dynamic Client Registration (RFC 7591) • OAuth 2.0 Authorization Server Metadata (spec) • OAuth 2.0 Bearer Token Usage (RFC 6750) • OAuth 2.0 Multiple Response Types (spec) • OAuth 2.0 Form Response Mode (spec) • OAuth 2.0 Token Revocation (RFC 7009) • OAuth 2.0 Token Introspection (RFC 7662) • Proof Key for Code Exchange for OAuth Public Clients (RFC 7636) Common OAuth/OIDC Specifications

Integrate into your existing processes

Closing Thoughts

Questions to Ask • What is the worst thing someone can do with our API? • What happens if our competitors get our data? • What data do we need to collect & expose? • Who are your users now? In a year? • How are we monitoring for anomalies and bad behavior?

D. Keith Casey, Jr. API Problem Solver @CaseySoftware When Failure
Looks Like Success API Security

API Security: When Failure looks like Success

API Security: When Failure looks like Success

More Decks by Keith Casey

Other Decks in Technology

Featured

Transcript