Page 1: APIs: The New Security Layer

Greg Brail, Apigee

Page 2

Slideshare: slideshare.com/apigee
Apigee Community: https://community.apigee.com
YouTube: youtube.com/apigee

Page 3: Today’s Speakers

Greg Brail, Apigee

©2008-16 Apigee Corp. All rights reserved.

Page 4: Agenda

• What Happens to Insecure APIs
• API Security Fundamentals
• The Result: Effective API Security

Page 5: No API Security?

Bad things happen

Page 6: I have an API!

Let’s make it secure then

Page 7: But I Don’t Have an API!

Page 8: Of Course You Have an API!

Everything with a URI has an API

Screenshots shown on the slide: Wired, 9/22/15; www.ifc0nfig.com, 1/5/15; troyhunt.com, 2/24/16

Page 9: Some API Security Breaches

Breach                          Reason                                                              Source
Buffer                          Compromised third-party admin password; OAuth secret in GitHub      ProgrammableWeb
Snapchat                        No authentication; no rate limit                                    Gibson Security
Multiple Kardashian Apps        No authentication or authorization                                  Wired
MoonPig                         No authentication or authorization                                  www.ifc0nfig.com
Facebook Graph API              Users can delete other users’ photos; improper authorization check  ProgrammableWeb
IRS GetTranscript Application   Password reset mechanism relied on personal data                    IRS
Instagram                       Malicious app was stealing passwords; no approval process           Daily Dot
Nissan Leaf                     VIN number only security credential on API                          Troy Hunt
Tesla Model S                   Six-character password that’s easily guessable                      Security Affairs, elsewhere

Page 10: Nissan Leaf

• No authentication on some APIs
  – Climate control, battery status
  – Only VIN number required
• User ID leaked by some of those APIs

http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

Page 11: Snapchat

• No rate limit on request to get friends by phone number
• Hard-coded encryption key
• Weak cipher

http://gibsonsec.org/snapchat/

Page 12: Fundamental API Security

What every developer should know

Page 13: You Have an API

Page 14: What You Need to Do

• Prevent unauthorized applications
• Prevent unauthorized users
• Prevent excessive traffic
• Prevent content attacks
• Watch for trouble
• React to trouble

Page 15: What Do Our Customers Do?

74% OAuth
78% SpikeArrest
72% Threat Protection

Page 16: Prevent Unauthorized Applications

• Application authorization is a fundamental part of API security
  – Best way to stop runaway applications
  – Only option for certain types of apps (anonymous API access)
  – Requirement for all forms of OAuth
• Best practices
  – Use different credentials for each version of each app
  – Makes it easier to pull a bad version
  – Hide the app credentials as best you can
• Realize that they still can be stolen
  – Have an approval process for apps

Page 17: Prevent Unauthorized Users

• Authenticate all end users for critical apps
  – Only way to keep security credentials outside the app
  – Use OAuth carefully
    • Use caution around the “password” grant type
    • Only as good as identity management
      – For instance, dodgy password reset practices
      – Can you get identity as a service?

Page 18: Prevent Excessive Traffic

• Protect APIs that are vulnerable to brute force
  – Validating password
  – Validating anything
  – Anything where the only ID is in a small space
• Protect from runaway applications
  – Denial of service is also an attack
  – Excessive usage may mean data is being harvested
  – Not always an attack – developers make mistakes
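The spike arrest and brute-force limits this slide calls for, as an added worked example (my code, not the deck’s or Apigee’s): a per-application request limiter plus a much tighter per-account attempt limiter in front of a login endpoint. The app key, account name, password and timestamps are constructed for the demo.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # key -> timestamps of counted events

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()                    # forget events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGateway:
    """Two independent limits in front of a password-validating API: a spike arrest
    per application credential, and a much tighter limit on attempts per target
    account, which is the brute-force surface. The same per-subject limiter fits any
    endpoint that validates a value drawn from a small space (reset codes, VINs)."""

    def __init__(self, app_per_second=100, account_tries=5, account_window=60.0):
        self.per_app = SlidingWindowLimiter(app_per_second, 1.0)
        self.per_account = SlidingWindowLimiter(account_tries, account_window)

    def login(self, app_key, username, password, now, verify):
        """Return (http_status, reason); `verify` is the backend credential check."""
        if not self.per_app.allow(app_key, now):
            return 429, "application over its request quota"
        # Count the attempt before verifying, so failures and successes cost the same
        # and a locked account stays locked even for the right password.
        if not self.per_account.allow(username, now):
            return 429, "too many attempts against this account"
        if verify(username, password):
            return 200, "ok"
        return 401, "bad credentials"


def demo_verify(username, password):
    """Constructed backend with one known account, used only to drive the example."""
    return (username, password) == ("alice", "correct-horse-example")


def demo_guessing_run(gateway, start=100.0, guesses=8):
    """Guesses one second apart against one account; returns the status codes seen."""
    return [gateway.login("app-1", "alice", f"guess{i}", start + i, demo_verify)[0]
            for i in range(guesses)]
```

With the defaults, the sixth guess inside a minute is refused with 429 regardless of whether it is correct, while other accounts and other apps are unaffected.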

Page 19: Prevent Content Attacks

• Accepting JSON over the Internet?
  – Excessive identifier length
  – Excessive nesting
  – Large arrays and elements
• Accepting XML over the Internet?
  – All that and more
• Are you sure there can’t be SQL injection?
  – Regular expression checks
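The JSON checks listed above (identifier length, nesting depth, array and element size), as an added example that is not from the deck or from Apigee’s own policy implementation: a scanner over the raw request text that rejects a document before any parser allocates for it. The limit values are assumptions chosen for the example.

```python
import json

# Limits in the spirit of a gateway JSON threat-protection policy; the numbers are
# assumptions for this example, not any product's defaults.
LIMITS = {"depth": 8, "key_len": 64, "string_len": 256, "array_len": 100, "entries": 100}

def check_json_limits(doc, limits=LIMITS):
    """Scan raw JSON text and return the first violated limit, or None, before any parse."""
    stack = []   # one [kind, element_count, expecting_key] per open container
    in_str = esc = False
    str_len = 0
    for ch in doc:
        if in_str:
            if esc:
                esc, str_len = False, str_len + 1
            elif ch == "\\":
                esc = True
            elif ch != '"':
                str_len += 1
            else:
                in_str = False
                is_key = bool(stack) and stack[-1][0] == "{" and stack[-1][2]
                if str_len > limits["key_len" if is_key else "string_len"]:
                    return ("identifier" if is_key else "string value") + " too long"
        elif ch == '"':
            in_str, str_len = True, 0
        elif ch in "{[":
            if len(stack) >= limits["depth"]:
                return "nesting too deep"
            stack.append([ch, 1, ch == "{"])
        elif ch in "}]":
            if not stack:
                return "unbalanced container"
            stack.pop()
        elif ch == ":" and stack and stack[-1][0] == "{":
            stack[-1][2] = False
        elif ch == "," and stack:
            top = stack[-1]
            top[1] += 1
            top[2] = top[0] == "{"   # in an object the next string is a key again
            if top[1] > limits["array_len" if top[0] == "[" else "entries"]:
                return "array too large" if top[0] == "[" else "too many object entries"
    return "unbalanced container" if stack or in_str else None

def parse_guarded(doc, limits=LIMITS):
    """Apply the limits first, then hand the document to the real parser."""
    problem = check_json_limits(doc, limits)
    if problem:
        raise ValueError("rejected: " + problem)
    return json.loads(doc)
```

The scanner only enforces size and shape; syntax is still the parser’s job, which is why parse_guarded runs json.loads afterwards.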

Page 20: Watch for Trouble

• Monitor the API
  – Usage patterns
  – Usage patterns by application
  – Latency
  – Error rate
• Monitor the world too
  – Unusual tweets?
  – Other social media?

Page 21: Example: Bot Detection

• Traffic comes from unusual places:
  – iPads in Amazon data centers
  – US-only retailers with many “customers” in Eastern Europe
• Or unusual patterns:
  – Sequential scans of identifiers
  – API traffic faster than a human can generate
• Identify suspected “bots”
  – Heuristics, machine learning
• Block them by IP or otherwise

Page 22: React to Trouble

• Do you have application-level authentication?
  – Revoke app credentials
  – Change rate limit
  – Redirect app to another URL
• No application-level authentication?
  – Insert additional logic
  – Worst case: shut down the API until it’s fixed
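The heuristics from the bot-detection slide together with the reactions from this one, as an added example (my code, not the deck’s or Apigee’s): sequential identifier scans, request rates faster than a human, and a mobile user agent coming from data-center address space, flagged over a constructed access log and mapped to an action per application. App keys, addresses and the data-center range are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed gateway access records: (epoch seconds, app key, client IP, user agent, path).
# App keys, addresses (RFC 5737 test ranges) and paths are made up for this example.
LOG = [
    (1000.0, "app-A", "198.51.100.7", "Mozilla/5.0 (iPad)", "/v1/orders/4821"),
    (1030.0, "app-A", "198.51.100.7", "Mozilla/5.0 (iPad)", "/v1/orders/4833"),
]
# One app walks identifiers in order, five times a second, from an "iPad" in data-center space.
LOG += [(1000.0 + i * 0.2, "app-B", "203.0.113.9", "Mozilla/5.0 (iPad)", f"/v1/orders/{100 + i}")
        for i in range(12)]

# Address blocks treated as data-center space; a deployment would load published cloud ranges.
DATACENTER = [ipaddress.ip_network("203.0.113.0/24")]

def longest_sequential_run(ids):
    """Length of the longest run of identifiers that each increase by exactly one."""
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def analyze(log, max_rps=3.0, scan_len=8):
    """Return {app_key: [reason, ...]} for applications whose traffic looks automated."""
    per_app = defaultdict(list)
    for rec in log:
        per_app[rec[1]].append(rec)
    findings = {}
    for app, recs in per_app.items():
        recs.sort()
        reasons = []
        span = max(recs[-1][0] - recs[0][0], 1.0)          # seconds covered by this app's traffic
        if len(recs) / span > max_rps:
            reasons.append("request rate faster than a human can generate")
        ids = [int(p.rsplit("/", 1)[1]) for *_, p in recs if p.rsplit("/", 1)[1].isdigit()]
        if longest_sequential_run(ids) >= scan_len:
            reasons.append("sequential scan of identifiers")
        if any("iPad" in ua and any(ipaddress.ip_address(ip) in net for net in DATACENTER)
               for _, _, ip, ua, _ in recs):
            reasons.append("mobile user agent from data-center address space")
        if reasons:
            findings[app] = reasons
    return findings

def react(findings):
    """Strong evidence revokes the app credential; a single signal only tightens its rate limit."""
    return {app: "revoke app credentials" if len(r) >= 2 else "lower rate limit for app"
            for app, r in findings.items()}
```

Both actions assume the application-level credential the previous slides argue for; without it the only handles left are the client IP and the API itself.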

Page 23: API Management Can Help

Page 24: Effective API Security

API == Contract == Security

Page 25: What is an API, really?

An API is a Contract

Page 26: The “API Stack” is Small

• Simple
• Ubiquitous
• Widely-understood
• Universally implemented

Page 27: API Contracts are Simple

• Since API technology is simple, so is the contract:
  – URIs
  – JSON schemas
  – Query parameters
  – Authentication
• Simpler contracts are:
  – simpler to validate
  – simpler to test
  – simpler to prove

Page 28: Simpler Means More Secure

• Don’t agree? Let’s look at web apps:
  – Cross-site scripting
  – Insecure URIs in links
  – Cross-site request forgery
  – Insecure redirects
  – Insecure third-party pages
  – Insecure and malicious JavaScript

Page 29: Simpler is Better

• Well-known URI pattern (a totally dynamic URI pattern is harder to test)
• Documented schemas (specified inputs and outputs can be tested)
• Well-known authentication model (haphazard authentication is hard to test)
• Well-known authorization model (haphazard authorization is hard to test)
• One way to secure all API calls (multiple implementations are hard to test)

Page 30: Summing it Up

Back to the original point

Page 31: Conclusion

• We saw lots of places where APIs were compromised
  – Many of these had nothing to do with an “API”
• Biggest vulnerability is having an API and not realizing it
  – Everything with a URL has an API
• Well-defined APIs can be secured
  – Lots of widely-known techniques and technology
• A properly-secured API is verifiable
• Use it!

Page 32

community.apigee.com

Page 33: Thank you
