APIs: The New Security Layer
Transcript
Page 1
APIs: The New Security Layer
Greg Brail, Apigee
Page 2
Slideshare: slideshare.com/apigee
Apigee Community: https://community.apigee.com
YouTube: youtube.com/apigee
Page 3
Today’s Speakers:
Greg Brail, Apigee
Page 4
Agenda
• What Happens to Insecure APIs
• API Security Fundamentals
• The Result: Effective API Security
Page 5
No API Security? Bad things happen
Page 6
I have an API! Let’s make it secure then
Page 7
But I Don’t Have an API!
Page 8
Of Course You Have an API!
Everything with a URI has an API
Sources: Wired, 9/22/15; www.ifc0nfig.com, 1/5/15; troyhunt.com, 2/24/16
Page 9
Some API Security Breaches

| Breach | Reason | Source |
|---|---|---|
| Buffer | Compromised third-party admin password; OAuth secret in GitHub | ProgrammableWeb |
| Snapchat | No authentication; no rate limit | Gibson Security |
| Multiple Kardashian Apps | No authentication or authorization | Wired |
| MoonPig | No authentication or authorization | www.ifc0nfig.com |
| Facebook Graph API | Users can delete other users’ photos; improper authorization check | ProgrammableWeb |
| IRS GetTranscript Application | Password reset mechanism relied on personal data | IRS |
| Instagram | Malicious app was stealing passwords; no approval process | Daily Dot |
| Nissan Leaf | VIN number only security credential on API | Troy Hunt |
| Tesla Model S | Six-character password that’s easily guessable | Security Affairs, elsewhere |
Page 10
Nissan Leaf
• No authentication on some APIs
  – Climate control, battery status
  – Only VIN number required
• User ID leaked by some of those APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
Page 11
Snapchat
• No rate limit on request to get friends by phone number
• Hard-coded encryption key
• Weak cipher
http://gibsonsec.org/snapchat/
Page 12
Fundamental API Security
What every developer should know
Page 13
You Have an API
Page 14
What You Need to Do
• Prevent unauthorized applications
• Prevent unauthorized users
• Prevent excessive traffic
• Prevent content attacks
• Watch for trouble
• React to trouble
Page 15
What Do Our Customers Do?
• 74% OAuth
• 78% SpikeArrest
• 72% Threat Protection
Page 16
Prevent Unauthorized Applications
• Application authorization is a fundamental part of API security
  – Best way to stop runaway applications
  – Only option for certain types of apps (anonymous API access)
  – Requirement for all forms of OAuth
• Best practices
  – Use different credentials for each version of each app
    – Makes it easier to pull a bad version
  – Hide the app credentials as best you can
• Realize that they can still be stolen
  – Have an approval process for apps
Page 17
Prevent Unauthorized Users
• Authenticate all end users for critical apps
  – Only way to keep security credentials outside the app
• Use OAuth carefully
  – Use caution around the “password” grant type
• Only as good as identity management
  – For instance, dodgy password reset practices
  – Can you get identity as a service?
Page 18
Prevent Excessive Traffic
• Protect APIs that are vulnerable to brute force
  – Validating passwords
  – Validating anything
  – Anything where the only ID is in a small space
• Protect from runaway applications
  – Denial of service is also an attack
  – Excessive usage may mean data is being harvested
  – Not always an attack: developers make mistakes
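One way to put both halves of this slide into a gateway check, as an added example that is not part of the talk or of Apigee’s SpikeArrest policy: a sliding-window limiter keyed per app credential (runaway apps) and per app-and-account pair (password guessing). The limits, key shapes and the gate_login function are assumptions.

```python
import time
from collections import deque

class SlidingWindowLimiter:
    """Allow at most `limit` hits per `window` seconds for each key.

    The caller chooses the key: an app credential to arrest a runaway app,
    or (app credential, account) to throttle guesses against one account.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = {}  # key -> deque of hit timestamps still in the window

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop hits that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Assumed illustrative limits, not vendor defaults: a loose per-app spike
# arrest plus a tight per-account limit on the password-validation call.
APP_LIMIT = SlidingWindowLimiter(limit=100, window=1.0)
LOGIN_LIMIT = SlidingWindowLimiter(limit=5, window=60.0)

def gate_login(app_key, username, now):
    """HTTP status the gateway answers with before the backend ever sees the
    password check: 429 once either limit is exhausted, otherwise 200."""
    if not APP_LIMIT.allow(app_key, now):
        return 429
    if not LOGIN_LIMIT.allow((app_key, username), now):
        return 429
    return 200  # forward to the backend
```

In a real gateway the counters live in a shared store so every node sees the same window; a per-process dict like this only holds for a single instance.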
Page 19
Prevent Content Attacks
• Accepting JSON over the Internet?
  – Excessive identifier length
  – Excessive nesting
  – Large arrays and elements
• Accepting XML over the Internet?
  – All that and more
• Are you sure there can’t be SQL injection?
  – Regular expression checks
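The three JSON checks on this slide as an edge-side filter, added here as an example that is not from the talk or from Apigee’s threat-protection policy. The limits are assumed values; the point the parser alone does not make is that nesting has to be bounded before the JSON parser recurses, since a deeply nested body can exhaust the parser itself.

```python
import json

MAX_DEPTH = 10         # assumed limits, not vendor defaults; root counts as 1
MAX_NAME_LEN = 64      # object key ("identifier") length
MAX_ARRAY_LEN = 1000   # elements in any one array
MAX_STRING_LEN = 4096  # length of any one string element

def _raw_depth_ok(body):
    """Count bracket depth outside string literals, so a pathologically
    nested body is rejected before the JSON parser recurses into it."""
    depth, in_string, escaped = 0, False, False
    for ch in body:
        if in_string:  # brackets and quotes inside strings do not count
            if ch == '"' and not escaped:
                in_string = False
            escaped = ch == "\\" and not escaped
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > MAX_DEPTH:
                return False
        elif ch in "]}":
            depth -= 1
    return True

def _walk(node):
    # Enforce identifier, array and element limits on the parsed tree.
    if isinstance(node, dict):
        for key, value in node.items():
            if len(key) > MAX_NAME_LEN:
                raise ValueError("identifier too long")
            _walk(value)
    elif isinstance(node, list):
        if len(node) > MAX_ARRAY_LEN:
            raise ValueError("array too large")
        for item in node:
            _walk(item)
    elif isinstance(node, str) and len(node) > MAX_STRING_LEN:
        raise ValueError("string element too long")

def reject_reason(body):
    """None if the body passes, else why the gateway should answer 400."""
    if not _raw_depth_ok(body):
        return "nesting too deep"
    try:
        _walk(json.loads(body))
    except ValueError as e:  # limit violations and syntax errors alike
        return str(e)
    return None
```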
Page 20
Watch for Trouble
• Monitor the API
  – Usage patterns
  – Usage patterns by application
  – Latency
  – Error rate
• Monitor the world too
  – Unusual tweets?
  – Other social media?
Page 21
Example: Bot Detection
• Traffic comes from unusual places:
  – iPads in Amazon data centers
  – US-only retailers with many “customers” in Eastern Europe
• Or unusual patterns:
  – Sequential scans of identifiers
  – API traffic faster than a human can generate
• Identify suspected “bots”
  – Heuristics, machine learning
• Block them by IP or otherwise
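The two “unusual pattern” heuristics from this slide, run over a constructed gateway log, as an added example that is not from the talk or from any Apigee feature. The log format, app names, paths and the thresholds are assumptions; it flags credentials for review rather than blocking them.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed sample gateway log ("epoch_seconds app_credential path"): app-A
# walks consecutive order ids at 5 req/s, app-B browses at a human pace.
SAMPLE_LOG = """\
1000.0 app-A /v1/orders/1041
1000.2 app-A /v1/orders/1042
1000.4 app-A /v1/orders/1043
1000.6 app-A /v1/orders/1044
1000.8 app-A /v1/orders/1045
1001.0 app-A /v1/orders/1046
1000.0 app-B /v1/orders/2231
1030.0 app-B /v1/orders/1041
"""

def parse_log(text):
    # Group (timestamp, path) events by app credential, in time order.
    events = defaultdict(list)
    for line in text.splitlines():
        ts, app, path = line.split()
        events[app].append((float(ts), path))
    return {app: sorted(seq) for app, seq in events.items()}

def longest_sequential_run(paths):
    """Longest run of trailing numeric ids that increase by exactly one."""
    ids = [int(p.rsplit("/", 1)[-1]) for p in paths if p.rsplit("/", 1)[-1].isdigit()]
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def peak_requests_per_window(times, window=1.0):
    # Most requests starting within any span of `window` seconds (sorted input).
    return max((bisect_left(times, t + window) - i for i, t in enumerate(times)), default=0)

def suspected_bots(text, min_run=5, max_per_sec=4):
    """Map app credential -> reasons it looks automated. The thresholds are
    assumed heuristics to be tuned against real traffic, not vendor defaults."""
    flagged = {}
    for app, seq in parse_log(text).items():
        reasons = []
        if longest_sequential_run([p for _, p in seq]) >= min_run:
            reasons.append("sequential id scan")
        if peak_requests_per_window([t for t, _ in seq]) > max_per_sec:
            reasons.append("faster than a human")
        if reasons:
            flagged[app] = reasons
    return flagged
```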
Page 22
React to Trouble
• Do you have application-level authentication?
  – Revoke app credentials
  – Change rate limit
  – Redirect app to another URL
• No application-level authentication?
  – Insert additional logic
  – Worst case: shut down the API until it’s fixed
Page 23
API Management Can Help
Page 24
Effective API Security
API == Contract == Security
Page 25
What is an API, really?
An API is a Contract
Page 26
The “API Stack” is Small
• Simple
• Ubiquitous
• Widely understood
• Universally implemented
Page 27
API Contracts are Simple
• Since API technology is simple, so is the contract:
  – URIs
  – JSON schemas
  – Query parameters
  – Authentication
• Simpler contracts are:
  – simpler to validate
  – simpler to test
  – simpler to prove
Page 28
Simpler Means More Secure
• Don’t agree? Let’s look at web apps:
  – Cross-site scripting
  – Insecure URIs in links
  – Cross-site request forgery
  – Insecure redirects
  – Insecure third-party pages
  – Insecure and malicious JavaScript
Page 29
Simpler is Better

| Simpler | Why it is easier to secure |
|---|---|
| Well-known URI pattern | Totally dynamic URI pattern is harder to test |
| Documented schemas | Specified inputs and outputs can be tested |
| Well-known authentication model | Haphazard authentication is hard to test |
| Well-known authorization model | Haphazard authorization is hard to test |
| One way to secure all API calls | Multiple implementations are hard to test |
Page 30
Summing it Up
Back to the original point
Page 31
Conclusion
• We saw lots of places where APIs were compromised
  – Many of these had nothing to do with an “API”
• Biggest vulnerability is having an API and not realizing it
  – Everything with a URL has an API
• Well-defined APIs can be secured
  – Lots of widely-known techniques and technology
• A properly-secured API is verifiable
• Use it!
Page 32
community.apigee.com
Page 33
Thank you