Takeaways from API Security Breaches Webinar


Post on 14-Jul-2015




TRANSCRIPT

<ul>
<li><p>Takeaways from API Security Breaches</p><p>Jaime Ryan, Sr. Director, API Management Technical Strategy</p><p>Tyson Whitten, Director, API Management Solutions Marketing</p></li>
<li><p>© 2015 CA. ALL RIGHTS RESERVED.</p><p>Agenda</p><p>1. API breaches</p><p>2. Risk mitigation steps</p><p>3. API management solutions</p><p>4. Questions</p></li>
<li><p>APIs at the center</p><p>[Diagram: APIs sit between the apps and outside partners / divisions, external developers, mobile apps, cloud services and the Internet of Things]</p></li>
<li><p>APIs expose sensitive data</p><p>APIs are also the a</p></li>
<li><p>Prominent API Breaches</p></li>
<li><p>Top API Vulnerabilities and Mitigation Steps</p></li>
<li><p>When an API is hacked . . .</p><p>API vulnerabilities surface when exploits are discovered by the API publisher, when they are discovered by a third party, or when an organization is actually hacked.</p><p>Exploits are rarely documented.</p><p>Public APIs are the most scrutinized; private/hidden APIs are also vulnerable.</p></li>
<li><p>Top-5 vulnerabilities/mitigations</p><p>Most common/current vulnerabilities and mitigations for securing your API: client impersonation, phishing, brute force, injections, unauthorized access/compromised secrets.</p></li>
<li><p>Client impersonation</p><p>An attacker reverse-engineers a secret assigned to an app and uses it to call an API pretending to be the legitimate app.</p><p>E.g. Twitter OAuth keys leaked, March 2013</p><p>E.g. Snapchat, December 2013</p></li>
<li><p>Client impersonation mitigation #1</p><p>It's either confidential, or it isn't: don't hide a secret on a public app store or render it on a web page.</p><p>Learn to let go of your app once published: design security mechanisms assuming public clients.</p><p>Don't grant access to a resource based solely on the app identity (require user authentication).</p></li>
<li><p>Client impersonation mitigation #2</p><p>Call the API from an actual confidential client: use frameworks that let you authoritatively assess devices and apps; call from a server-side web app rather than browser-side script; provision the app-level secret post-installation as part of a registration step; use private app stores.</p></li>
<li><p>Phishing attacks</p><p>Risk associated with redirection-based handshakes: a malicious application pretends to be legitimate, inserts its own endpoint in the callback address, and gets the token.</p><p>*E.g. Facebook, February 2013</p><p>GET /authorize?response_type=token&amp;client_id=legitimate&amp;redirect_uri=[malicious]</p><p>Do you authorize Legitimate app to access API on your behalf? [X] Yes [ ] No</p><p>Tricked you</p><p>*http://threatpost.com/facebook-patches-oauth-authentication-vulnerability-022613/77563</p></li>
<li><p>Phishing mitigation 101</p><p>Register and validate redirection URIs: strict validation (not partial); never skip the consent step.</p><p>(out-of-band) Register Legitimate app: Callback=foo</p><p>GET /authorize?response_type=token&amp;client_id=legitimate&amp;redirect_uri=[malicious]</p><p>Error: Invalid callback</p><p>foiled</p></li>
<li><p>Brute force</p><p>E.g. Snapchat find_friend exploit, December 2013</p><p>[Diagram: the app gets the list of phone numbers from local contacts and asks the API "Is contact a member?" for each local contact; an attacker instead asks "Is member?" for every possible phone number and steals all phone numbers of members]</p></li>
<li><p>Brute force mitigation</p><p>Rate limiting, quotas, SLAs</p><p>Targeted rate limiting for specific attack vectors: limit access to any resource granted without direct ownership; limit failed authentication; limit password resets.</p><p>Detect the brute-force pattern and block: correlate identity, location, concurrency.</p><p>Rate limit to protect the backend API: global limits to prevent DoS.</p><p>Apply rate limiting with application-level awareness: limit a specific operation for each user/application; limit a specific input for each user/application.</p><p>Captcha? Supporting headless clients</p></li>
<li><p>Injection</p><p>Injection attacks, particularly in the public-client scenario, are at the core of the most common exploits: SQL/LDAP/XPath/XQuery/code injections.</p><p>*E.g. Injection in query parameters</p><p>GET /history?transactionid=123456</p><p>select * from table where id='[ ]'</p><p>GET /history?transactionid=%27+OR+%271%27%3D%271</p><p>select * from table where id='' or '1'='1'</p><p>*http://forums.sugarcrm.com/f6/rest-api-sql-injection-exploit-89589/</p></li>
<li><p>Injection mitigation</p><p>Input sanitization: parse input parameters (payload/transport); apply pattern validation (JSON Path, XPath, XSD, JSON Schema, RegEx); own and tighten your metadata; code-level sanitization (e.g. prepared statements).</p><p>Signature-based threat detection: look for injection patterns in the payload and at the transport level.</p></li>
<li><p>Unauthorized access</p><p>E.g. unsecured API; e.g. authenticated client can access a resource that should be restricted; e.g. session secret compromised.</p><p>Balancing UX and security: more convenience, more risk; less convenience, less risk (no credentials, device passcode, app security).</p></li>
<li><p>Unauthorized access mitigation</p><p>Authentication: local auth; integration into existing identity providers; social provider integration; federation, SAML.</p><p>Token issuing and lifecycle management: OAuth, OpenID Connect; JWT/JWS; token refresh, revocation.</p><p>Assert user/app/device identities: scope; user-granted permissions.</p><p>Resource server: map token identities and resource ownership.</p><p>Identity mapping: SAML/OAuth/local/Kerberos/…; runtime mapping, internal/external.</p></li>
<li><p>How API Management can help</p></li>
<li><p>CA API Management manages &amp; secures APIs at design &amp; runtime</p><p>[Diagram: mobile developers and mobile apps; CA API Developer Portal (design time) and CA API Gateway (runtime) in front of the APIs]</p><p>Discover APIs; self-register; collaborate &amp; test.</p><p>Adaptation, mediation; throttling, caching; policy &amp; access control.</p><p>Create &amp; publish APIs; API plans &amp; pricing; monitoring &amp; analytics.</p><p>Embed app security; SSO, social, risk; OAuth 2.0, OpenID Connect, UMA.</p></li>
<li><p>The Gateway and Portal: flexible delivery models</p><p>On-premise: software ownership; highly customizable to match business needs; control over infrastructure and upgrades.</p><p>Hybrid: flexible combination of on/off-premise solutions; provides business and compliance flexibility; includes integration.</p><p>SaaS: faster deployment/less customization; reduced infrastructure/upgrade costs; simple scalability; growing set of functionality.</p><p>Flexibility for initial investment and in the rate/extent of migration to the cloud</p></li>
<li><p>Goals of the business, employee and consumer: to move seamlessly and securely between apps and devices</p></li>
<li><p>App context identity</p><p>[Diagram: four enterprise apps A, B, C, D]</p><p>1. User taps one of the four enterprise apps. 2. User provides enterprise credentials. 3. User can seamlessly switch between the four enterprise apps.</p></li>
<li><p>[Diagram: app context moves from a source phone to a target tablet under one identity; the note reads "Discuss Q4 targets with Bob. Don't forget to cover incentives."]</p><p>1. Phone detects it is close to the tablet using Bluetooth Low Energy. 2. Session migrates to the tablet so the user does not have to re-enter credentials. 3. App session context is pushed to secure cloud storage. 4. Context can be pushed to different target apps (Email, Notes, etc.).</p></li>
<li><p>Latest analyst reviews: CA API Management is a leader</p><p>"CA Technologies has strong API security, integration, and mobile app support. With Layer 7's long history as an SOA application gateway provider, CA's solution has among the best API security, message transformation, and integration features in our evaluation. Among the traditional gateway vendors, Layer 7 was an early mover into the API management space, which has given CA a head start to round out the features of its portal and tooling for API product managers. The gateway's mobile app support is also among the best in our evaluation..."</p><p>The Forrester Wave: API Management Solutions, Q3 2014.</p><p>The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.</p><p>Forrester Research Inc., Forrester Wave: API Management Solutions, Q3 2014, September 29, 2014</p></li>
<li><p>Summary</p><p>Protect your APIs, but support developers; do not sacrifice UX.</p><p>Leverage API infrastructure to implement API security best practices.</p></li>
<li><p>CA API Management at RSA</p></li>
<li><p>Tyson Whitten, Director, API Management Product Marketing, Tyson.Whitten@ca.com</p></li>
<li><p>Legal Notice</p><p>Copyright CA 2015. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.</p><p>THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.</p></li>
</ul>
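<p>The "Phishing mitigation 101" slide says to register redirection URIs and validate them strictly rather than partially. The following is an added example written for this page, not code from the webinar or from CA's products: it puts the weak prefix check next to an exact-match check on a hypothetical in-memory client registry (the client id "legitimate" and the callback under app.example.com are constructed), and shows the authorization endpoint refusing to redirect when the callback does not match.</p>

```python
"""Strict redirect_uri validation for an OAuth authorization endpoint.

Constructed example: REGISTERED_CALLBACKS stands in for the authorization
server's client database; client ids and URLs are made-up sample data.
"""
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Out-of-band registration: client_id -> set of exact callback URIs (constructed).
REGISTERED_CALLBACKS = {
    "legitimate": {"https://app.example.com/oauth/callback"},
}


def partial_match_allowed(client_id, redirect_uri):
    """The weak check the slide warns against: a prefix test on the registered origin.

    A look-alike host that merely starts with the registered origin passes it.
    """
    for registered in REGISTERED_CALLBACKS.get(client_id, ()):
        parts = urlsplit(registered)
        origin = f"{parts.scheme}://{parts.netloc}"   # e.g. https://app.example.com
        if redirect_uri.startswith(origin):
            return True
    return False


def strict_match_allowed(client_id, redirect_uri):
    """Exact match against a registered callback (case-normalized scheme and host).

    Only https callbacks are accepted and a fragment is never allowed.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    normalized = urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, parts.query, ""))
    return normalized in REGISTERED_CALLBACKS.get(client_id, set())


def handle_authorize(query_string):
    """Front door of the /authorize endpoint; returns a dict describing the response."""
    params = dict(parse_qsl(query_string))
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if params.get("response_type") not in ("code", "token"):
        return {"status": 400, "error": "unsupported_response_type"}
    if not strict_match_allowed(client_id, redirect_uri):
        # Do not redirect to an unvalidated URI: the error is rendered locally
        # (RFC 6749 section 4.1.2.1), so a malicious callback never receives a token.
        return {"status": 400, "error": "Invalid callback"}
    # The consent step is never skipped, even for a registered client.
    return {
        "status": 200,
        "consent_prompt": f"Do you authorize {client_id} app to access the API on your behalf?",
        "redirect_uri": redirect_uri,
    }


if __name__ == "__main__":
    print(handle_authorize("response_type=token&client_id=legitimate"
                           "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback"))
```

<p>The prefix check is what "partial validation" usually looks like in practice; the exact-match check is what the slide asks for, and the endpoint answers an invalid callback with a local error page instead of a redirect.</p>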
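<p>The "Brute force mitigation" slide asks for rate limiting with application-level awareness (a limit per operation for each user/application) and for correlating identity and location to catch an enumeration pattern such as the find_friend case. The block below is an added example for this page, not code from the webinar or from the CA API Gateway: a sliding-window limiter keyed per user, per source address and per app key, with a constructed POLICY table and constructed traffic in which one user checks 50 contacts while a second client walks 2000 made-up identities from a single address.</p>

```python
"""Rate limiting with application-level awareness for a member-lookup operation.

Constructed example: POLICY, the app id, user ids and addresses are sample values.
"""
from collections import defaultdict, deque

# Hypothetical policy: operation -> {correlation scope: (max_calls, window_seconds)}.
POLICY = {
    "find_friend": {
        "per_user": (200, 3600),   # one user never needs thousands of lookups
        "per_ip": (500, 3600),     # correlate on location: rotating user ids does not help
        "per_app": (5000, 60),     # global limit per app key to protect the backend
    },
}


class SlidingWindowLimiter:
    """Counts events per key inside a trailing time window."""

    def __init__(self, max_calls, window_seconds):
        self.max_calls = max_calls
        self.window = window_seconds
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


class ApiGateway:
    def __init__(self, policy=POLICY):
        self.limiters = {(op, scope): SlidingWindowLimiter(*cfg)
                         for op, scopes in policy.items() for scope, cfg in scopes.items()}
        self.blocked = defaultdict(int)   # (app_id, client_ip) -> blocked calls, for alerting

    def check(self, app_id, user_id, client_ip, operation, now):
        """Return 'ok' if every limiter for the operation admits the call, else 'rate_limited'."""
        keys = {"per_user": (app_id, user_id), "per_ip": (app_id, client_ip), "per_app": (app_id,)}
        for (op, scope), limiter in self.limiters.items():
            if op != operation:
                continue
            if not limiter.allow(keys[scope], now):
                self.blocked[(app_id, client_ip)] += 1
                return "rate_limited"
        return "ok"


def simulate(gateway, app_id, users, client_ip, operation, calls, start=0.0, step=0.0):
    """Issue `calls` requests, cycling through `users`; return (allowed, blocked)."""
    allowed = blocked = 0
    for i in range(calls):
        user = users[i % len(users)]
        if gateway.check(app_id, user, client_ip, operation, start + i * step) == "ok":
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def run_scenario():
    gw = ApiGateway()
    # Legitimate client: one user checks 50 local contacts, one per second.
    legit = simulate(gw, "mobile-app", ["alice"], "10.0.0.5", "find_friend", 50, step=1.0)
    # Enumeration: same app key, 2000 fresh user ids from one address within a second.
    bots = [f"bot-{i}" for i in range(2000)]
    enum = simulate(gw, "mobile-app", bots, "203.0.113.7", "find_friend", 2000, start=100.0)
    return legit, enum, gw.blocked[("mobile-app", "203.0.113.7")]


if __name__ == "__main__":
    print(run_scenario())   # ((50, 0), (500, 1500), 1500)
```

<p>The per-user limit alone would not have stopped the second client, because every call arrives under a fresh identity; the per-address limit is what blocks it, and the blocked counter per (app, address) is the signal to feed into detection and alerting.</p>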
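<p>The "Injection" slide shows a transactionid parameter carrying <code>' OR '1'='1</code> into a string-built query, and the "Injection mitigation" slide answers with pattern validation and prepared statements. The block below is an added example for this page, not code from the webinar: it uses an in-memory SQLite table with three constructed rows as a stand-in for the slide's "table", runs the page's own payload through a string-concatenated query and through a parameterized one, and adds the RegEx check a gateway would apply to the parameter before the request reaches the backend.</p>

```python
"""Injection in a query parameter: vulnerable query, prepared statement, input validation.

Constructed example: the 'history' table and its rows are sample data.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE history (id TEXT PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO history VALUES (?, ?, ?)", [
        ("123456", "alice", 100),
        ("123457", "bob", 250),
        ("123458", "carol", 75),
    ])
    return conn


def vulnerable_history(conn, transactionid):
    """The 'before' from the slide: the parameter is pasted into the SQL text."""
    sql = "select * from history where id='" + transactionid + "'"
    return conn.execute(sql).fetchall()


def safe_history(conn, transactionid):
    """Prepared statement: the parameter is bound as a value, never parsed as SQL."""
    return conn.execute("select * from history where id=?", (transactionid,)).fetchall()


# Pattern validation at the gateway: a transaction id is 1 to 12 digits, nothing else.
TXID = re.compile(r"[0-9]{1,12}")


def validate_transactionid(raw):
    return TXID.fullmatch(raw) is not None


def handle_request(conn, query_value):
    """Decode the URL-encoded parameter, validate it, then query with a bound parameter."""
    value = unquote_plus(query_value)
    if not validate_transactionid(value):
        return {"status": 400, "rows": []}
    return {"status": 200, "rows": safe_history(conn, value)}


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "123456"))
    print(handle_request(db, "%27+OR+%271%27%3D%271"))
```

<p>The two layers are deliberately independent: the prepared statement protects the backend even when a request bypasses the gateway, and the pattern check rejects the malformed value before it ever reaches the database.</p>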