Download - Takeaways from API Security Breaches Webinar

Takeaways from API Security Breaches Jaime Ryan – Sr. Director, API Management Technical Strategy Tyson WhiBen – Director, API Management SoluCons MarkeCng

2 © 2015 CA. ALL RIGHTS RESERVED.

Agenda

API BREACHES

RISK MITIGATION STEPS

API MANAGEMENT SOLUTIONS

QUESTIONS

1

2

3

4


APIs at the center

OUTSIDE PARTNERS / DIVISIONS

EXTERNAL DEVELOPERS

MOBILE APPS CLOUD SERVICES INTERNET OF THINGS

API

APPS


APIs expose sensiCve data

APIs are also the a<ack vector of choice for hackers to disrupt your service or gain

access to private informaIon

API


Prominent API Breaches

Top API VulnerabiliCes and MiCgaCon Steps


When an API is hacked . . .

§  API vulnerabiliCes surface –  When exploits are discovered by the API publisher

–  When discovered by 3rd party

–  When an organizaCon is actually hacked

§  Exploits are rarely documented

§  Public APIs are most scruCnized

§  Private/Hidden APIs are also vulnerable


Top-‐5 vulnerabiliCes/miCgaCons

§  Most common/current vulnerabiliCes and miCgaCons for securing your API –  Client impersonaCon –  Phishing –  Brute force –  InjecCons –  Unauthorized access/compromised secrets


Client impersonaCon

§  An aBacker reverse-‐engineers a secret assigned to an app and uses it to call an API pretending to be the legiCmate app

§  E.g. TwiBer OAuth Keys Leaked –  March 2013

§  E.g. Snapchat –  December 2013


Client impersonaCon miCgaCon #1

§  It’s either confidenCal, or it isn’t –  Don’t ‘hide’ a secret on a public app store or render it on a web page

§  Learn to ‘let go’ of your app once published –  Design security mechanisms assuming public clients

–  Don’t grant access to resource based solely on the app idenCty (require user auth)


Client impersonaCon miCgaCon #2

§  Call API from actual confidenCal client –  Use frameworks that let you authoritaCvely assess devices, apps –  From server-‐side web app vs browser-‐side script –  Provision app-‐level secret post-‐installaCon as part of a registraCon step –  Private app stores

API


Phishing aBacks

§  Risk associated with redirecCon-‐based handshakes –  Malicious ‘applicaCon’ pretends to be legiCmate

–  Inserts its own endpoint in callback address –  Gets token

§  *E.g. Facebook February 2013

GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]

Do you authorize Legi%mate app to access API on your behalf? [X] Yes [ ] No

Tricked you

*hBp://threatpost.com/facebook-‐patches-‐oauth-‐authenCcaCon-‐vulnerability-‐022613/77563

API


Phishing miCgaCon 101

§  Register and validate redirecCon URIs

§  Strict validaCon (not parCal)

§  Never skip consent step

GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]

Error Invalid callback

foiledL

(out-‐of-‐band) Register LegiCmate app Callback=foo API


Brute force

§  E.g. snapchat find_friend exploit –  December 2013

App Contacts

Get list of phone numbers from local

contacts

API

Is contact a member? [for each local

contact]

Is member? [for every possible phone number]

Steal all phone numbers of members

API


Brute force miCgaCon

Rate LimiCng, Quotas, SLAs

§  Targeted rate limiCng specific aBack vectors –  Limit access to any resource granted without direct ownership

–  Limit failed authenCcaCon, limit password resets

§  Detect brute force paBern and block

§  Correlate idenCty, locaCon, concurrency

§  Rate limit to protect backend API –  Global limits to prevent DoS

§  Apply rate-‐limiCng with applicaCon level awareness –  Limit for a specific operaCon for each user/applicaCon

–  Limit for a specific input for each user/applicaCon

Captcha?

SupporCng headless clients


InjecCon

§  InjecCon aBacks, parCcularly in public clients scenario is at the core of the most common exploits –  SQL/LDAP/Xpath/Xquery/Code injecCons

§  *E.g. InjecCon in query parameters

GET /history?transactionid=123456 select from table where id=‘[ ]’

GET /history?transactionid=%27+OR+%271%27%3D%271

select from table where id=‘’ or ‘1’=‘1’

*hBp://forums.sugarcrm.com/f6/rest-‐api-‐sql-‐injecCon-‐exploit-‐89589/


InjecCon MiCgaCon

§  Input saniCzaCon –  Parse input parameters (payload/transport) –  Apply paBern validaCon –  JSON Path, XPath, XSD, JSON Schema, RegEx, … –  Own and Cghten your metadata –  Code-‐level saniCzaCon (e.g. Prepared Statements)

§  Signature-‐based threat detecCon –  Look for injecCon paBerns in payload and at transport level


Unauthorized access

§  E.g. Unsecured API

§  E.g. AuthenCcated client can access resource that should be restricted

§  E.g. Session secret compromised

Balancing UX and Security

More Convenience More Risk

Less Convenience Less Risk

No credenCals Device Passcode App security


Unauthorized Access MiCgaCon

§  AuthenCcaCon –  Local auth, integraCon into exisCng idenCty providers

–  Social provider integraCon –  FederaCon, SAML

§  Token issuing, lifecycle management –  OAuth, OpenID Connect –  JWT/JWS –  Token refresh, revocaCon

§  Assert user/app/device idenCCes §  Scope

–  User-‐granted permissions

§  Resource Server –  Map token idenCCes and resource ownership

§  IdenCty mapping –  SAML/OAuth/local/Kerberos/… –  RunCme mapping internal/external

How API Management can help


CA API Management Manages & Secures APIs @ Design & RunCme

CA API GATEWAY …

MOBILE DEVELOPERS

MOBILE APPS

CA API DEVELOPER PORTAL

API

API

Design Time

RunCme

§  Discover APIs

§  Self-‐register

§  Collaborate & test

§  AdaptaCon, mediaCon

§  ThroBling, caching

§  Policy & access control

§  Create & publish APIs

§  API Plans & pricing

§  Monitoring & analyCcs

§  Embed app security

§  SSO, social, risk

§  OAuth 2.0, OpenID

Connect, UMA


On-‐Premise

Hybrid

SaaS

The Gateway and Portal – Flexible Delivery Models

§  Soyware ownership §  Highly customizable to match business needs §  Control over infrastructure and upgrades

§  Flexible combinaCon of on/off premise soluCons

§  Provides business and compliance flexibility §  Includes integraCon

§  Faster deployment/less customizaCon §  Reduced infrastructure/upgrade costs §  Simple scalability §  Growing set of funcConality

Flexibility for iniIal investment and in the rate/extent of migraIon to the

cloud


Goals of the business, employee and consumer To move seamlessly and securely between apps and devices


App Context IdenCty

A B C D

2. User provides Enterprise credenCals

1. User taps one of the four enterprise apps

3. User can seamlessly switch between the four enterprise apps


Discuss Q4 targets with Bob. Don’t forget to

Discuss Q4 targets with Bob. Don’t forget to cover incenCves.

1.  Phone detects it is close to tablet using Bluetooth Low Energy

2.  Session migrates to tablet so user does not have to reenter credenCals

App Context

3.  App session context pushed to secure cloud storage

Source

Target

4.  Context can be pushed to different target apps §  Email §  Notes §  …etc.

IdenCty


Latest analyst reviews: CA API Management is a leader

“CA Technologies has strong API security, integraIon, and mobile app support. With Layer 7’s long history as an SOA applicaCon gateway provider, CA’s soluCon has among the best API security, message transformaCon, and integraCon features in our evaluaCon. Among the tradiConal gateway vendors, Layer 7 was an early mover into the API management space, which has given CA a head start to round out the features of its portal and tooling for API product managers. The gateway’s mobile app support is also among the best in our evaluaCon ..”

The Forrester Wave: API Management SoluIons, Q3 2014.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representaCon of Forrester's call on a market and is ploBed using a detailed spreadsheet with exposed scores, weighCngs, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. InformaCon is based on best available resources. Opinions reflect judgment at the Cme and are subject to change

Forrester Research Inc., “Forrester Wave: API Management SoluCons, Q3 2014”, September 29, 2014


Summary

§  Protect your APIs –  But support developers –  Do not sacrifice UX

§  Leverage API infrastructure to implement API security best pracCces


CA API Management at RSA

Director API Management Product MarkeCng [email protected]

Tyson Whi<en

ca.com/api

Sr Director, Technical Strategy [email protected]

Jaime Ryan


Legal NoCce

© Copyright CA 2015. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respecCve companies. No unauthorized use, copying or distribuCon permiBed.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the informaCon. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connecCon with this presentaCon, including, without limitaCon, lost profits, lost investment, business interrupCon, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.

Download - Takeaways from API Security Breaches Webinar

Top Related