API Security in the Digital AgeSubra Kumaraswamy, Apigee & Jason Kobus, Silicon Valley Bank
youtube.com/apigee
slideshare.net/apigee
@SubrakSubra Kumaraswamy Jason Kobus
Silicon Valley Bank
5
Agenda• API Security 101• Launching an API Platform for a regulated company• Key Takeaways
Apigee
Management
Developer
API Team
Enterprise Security Requirements
6
API Threat Protection
IT Security
Developer friendly security features – Secure SDLCThreat protection by configuration
Identity and fine granular access control
Security for App and API Developers
Security by global policies – Separation of Duties Security automation enabled by APIs
End-to-End security – In Rest and Transit
OOB features for security and compliance management
End-to-End Security
User ApigeeRun-time
App/Device Backend
API Security Stakeholders
7
Product ManagerHow can I release features with built-in security?How I can reduce the release cycle?
Business ownerHow to reduce risk while expanding API exposure?How to meet compliance?
OpsHow do I enforce consistent security policy across APIs?What controls I have to mitigate attacks like DoS?
API DeveloperWhat options I have to secure data in rest and transit?How can I securely manage keys?
Security & Privacy TeamHow do I manage the PII life cycle of data exposed via APIs
How do I govern APIs exposed to internal and external developers?
The risk must be mitigated on several layers
8
Application Architecture (user and data mgmt)
Application Topology (zoning, protocols, …)
Operating System security (access control, patches, …)
Network security (firewall, topology, filtering, …)
API Security (auth* and backend sheltering)
Auditing,Monitoring,Processes
(Data center,
Development, Deployment)
Scope of API Security Deployment
9
Threat Modeling and API/infrastructure Design
• Your APIs are vulnerable to the typical Web application security attacks – Think OWASP Top 10 attacks
• In addition you have to worry about:– API abuse via API key theft– Hackers reverse engineering Apps to access private APIs– Traffic spike protection by way of Bots or DoS attacks– Identity tracking across API sessions– XML/JSON injection type attacks– Token harvesting due to insecure communication or storage
API Security Governance – Integrate into Life Cycle
Govern
Design
Develop
Secure
Deploy
Doc.
Test
10
Support for open standards & protocols (eg. SAML, OAuth, TLS, etc) Security & Access Control Policies - Authentication, Authorization, Transport level security Input validation & vulnerability detection ( XSS, CSRF,SQL injection..) Rate Limiting & Throttling
Launching an API Platform for a regulated company{
“Jason Kobus”: {
“role”: “Director API Banking / Fintech Integration”,
“company”: “Silicon Valley Bank”,
“credentials”: {“current”: [“CSPO”, “CISSP”, “CISA”]}, {“former”: [“CIA”, “CISM”, “CIPP, “Series 7”, “PMP”, “ISO 27001 LI”]},
“mission”: “Deliver secure financial APIs to make clients happy and extend reach / increase revenue”
}
}
September 29, 2015
DISCLAIMER: The content on this site, and comments made during the presentation, are my own and don't necessarily represent the positions, strategies, or opinions of Silicon Valley Bank.
API Opportunity and Risk Management
What are the biggest cyber-threats facing regulated financial entities today and on the horizon? How can organizations embracing innovation and agile development culture while balancing the time to market goals with risk management mission?
– Visibility– Data protection– API security– Partner integration
Visibility
• Risk Assessment: – OWASP/NIST for typical threats– Brute force: How strong are your keys?
• Vulnerability assessment• Penetration testing• Packet Capture• Know your API operations:
– What are they capable of? – Could they be exploited by fraudsters?
The first step in avoiding a trap is knowing of its existence!" -- Thufir Hawat, Dune
Protect Sensitive Data
• Avoid Data breaches, Partner with Privacy:– GLBA, HIPAA, PCI DSS, EU DPD, State laws, etc. == Compliance Complexity
• Controls:– Network: SSL termination– Data protection strategy:
• Avoid, Redact, Encrypt, Insure• Read-only/non-transact
– more...
API $ecurity
• Vet your API gateway partner and leverage their security infrastructure, assurance, and experts.
• Consider the worst case scenario – what if there is an event? Make sure your Legal understands.
• API Authentication paradigms in financial services– "data aggregation“ APIs used to pull account, balance, transaction data
• User ID and password (challenge questions) = same creds as online banking• User ID and read-only PIN
– OAUTH • Enforce client security better• Where purpose and actual grant align
Partner Integration
• How to “Trust” your API partners:– Good vendor management – financials / SOC-2– Data sharing agreements– Work with partners to ensure end users get clear and unambiguous notice
to customers before they authorize the access
UK report "Data sharing and open data in banking": https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/413766/PU1793_Open_data_response.pdf
Security at Points of Engagement
17
PA I
Users Apps Developers APIs API Team Backend
Mutual TLSIP Access control
RBACIdentity & Access Mgmt.
Audit
Spike ArrestRate Limits
Threat ProtectionIntrusion Detection
DDoS
AccessBlock
RevokeSSO
RBAC
API keyOAuth2
TLS
OAuth2MFA
Federated LoginIP Access Control
18
Key Takeaways
• Follow API Threat Model and build API security into your API products
• Ensure identity and security controls at every points of API lifecycle and integrate best practice into SDLC
• Gain visibility into API security risks, data sensitivity prior to deployment
• Protect sensitive data – In transit and at rest• Layered Protection is key
Thank you