Upload
apigee-google-cloud
View
6.380
Download
0
Embed Size (px)
Citation preview
APIs: The New Security LayerGreg Brail, Apigee
Slideshareslideshare.com/apigee
Apigee Communityhttps://community.apigee.com
YouTubeyoutube.com/apigee
Today’s Speakers:
3©2008-16 Apigee Corp. All rights reserved.
Greg BrailApigee
• What Happens to Insecure APIs• API Security Fundamentals• The Result: Effective API Security
Agenda
No API Security?Bad things happen
Let’s make it secure thenI have an API!
But I Don’t Have an API!
Everything with a URI has an APIOf Course You Have an API!
8
Wired, 9/22/15
www.ifc0nfig.com, 1/5/15
troyhunt.com, 2/24/16
Breach Reason SourceBuffer Compromised third-party admin password; OAuth secret in
GitHubProgrammableWeb
Snapchat No authentication; no rate limit Gibson SecurityMultiple Kardashian Apps No authentication or authorization WiredMoonPig No authentication or authorization www.ifc0nfig.comFacebook Graph API Users can delete other users’ photos; Improper
authorization checkProgrammableWeb
IRS GetTranscript Application
Password reset mechanism relied on personal data IRS
Instagram Malicious app was stealing passwords; no approval process Daily Dot
Nissan Leaf VIN number only security credential on API Troy Hunt
Tesla Model S Six-character password that’s easily guessable Security Affairs, Elsewhere
Some API Security Breaches
• No authentication on some APIs – Climate control, battery status– Only VIN number required
• User ID leaked by some of those APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
Nissan Leaf
• No rate limit on request to get friends by phone number
• Hard-coded encryption key• Weak cipher
http://gibsonsec.org/snapchat/Snapchat
Fundamental API SecurityWhat every developer should know
You Have an API
• Prevent unauthorized applications• Prevent unauthorized users• Prevent excessive traffic• Prevent content attacks• Watch for trouble• React to trouble
What You Need to Do
What Do Our Customers Do?
74%OAuth
78%SpikeArrest
72%Threat
Protection
• Application Authorization is a fundamental part of API security– Best way to stop runaway applications– Only options for certain types of apps (anonymous API access)– Requirement for all forms of OAuth
• Best practices– Use different credentials for each version of each app– Makes it easier to pull a bad version– Hide the app credentials as best you can
• Realize that they still can be stolen– Have an approval process for apps
Prevent Unauthorized Applications
• Authenticate all end users for critical apps– Only way to keep security credentials
outside the app
–Use OAuth carefully• Use caution around “password” grant type• Only as good as identity management
– For instance, dodgy password reset practices
– Can you get identity a service?
Prevent Unauthorized Users
• Protect APIs that are vulnerable to brute force– Validating password– Validating anything– Anything where the only ID is in a small space
• Protect from runaway applications– Denial of service is also an attack– Excessive usage may mean data is being
harvested– Not always an attack – developers make mistakes
Prevent Excessive Traffic
• Accepting JSON over the Internet?– Excessive identifier length– Excessive nesting– Large arrays and elements
• Accepting XML over the Internet?– All that and more
• Are you sure there can’t be SQL injection?– Regular expression checks
Prevent Content Attacks
• Monitor the API– Usage patterns– Usage patterns by application– Latency– Error rate
• Monitor the world too– Unusual tweets?– Other social media?
Watch for Trouble
• Traffic comes from unusual places:– iPads in Amazon data centers– US-only retailers with many “customers” in
Eastern Europe• Or unusual patterns:
– Sequential scans of identifiers– API traffic faster than a human can generate
• Identify suspected “bots”– Heuristics, machine learning
• Block them by IP or otherwise
Example: Bot Detection
• Do you have application-level authentication?– Revoke app credentials– Change rate limit– Redirect app to another URL
• No application-level authentication?– Insert additional logic– Worst cast: shut down the API until it’s
fixed
React to Trouble
API Management Can Help
Effective API SecurityApi == Contract == security
An API is a Contract
What is an API, really?
• Simple• Ubiquitous• Widely-understood• Universally
implemented
The “API Stack” is Small
• Since API technology is simple,• So is the contract:
– URIs– JSON schemas– Query parameters– Authentication
• Simpler contracts are:– simpler to validate– simpler to test– simpler to prove
API Contracts are Simple
• Don’t agree? Let’s look at web apps:– Cross-site scripting– Insecure URIs in links– Cross-site request forgery– Insecure redirects– Insecure third-party pages– Insecure and malicious JavaScript
Simpler Means More Secure
• Well-known URI pattern• Documented schemas• Well-known authentication model• Well-known authorization model• One way to secure all API calls
Simpler is Better• Totally dynamic URI pattern is
harder to test• Specified inputs and outputs can
be tested• Haphazard authentication hard to
test• Haphazard authorization hard to
test• Multiple implementations hard to
test
Summing it UpBack to the original point
• We saw lots of places where APIs were compromised– Many of these had nothing to do with an “API”
• Biggest vulnerability is having an API and not realizing it– Everything with a URL has an API
• Well-defined APIs can be secured– Lots of widely-known techniques and technology
• A properly-secured API is verifiable• Use it!
Conclusion
community.apigee.com
Thank you
CONFIDENTIAL