SlideShare a Scribd company logo
1 of 17
Download to read offline
The API Security Platform for the Enterprise
ISABELLE MAUNY - CTO AND CO-FOUNDER
ISABELLE@42CRUNCH.COM
ADVANCED API SECURITY PATTERNS
2
Hello, I am Isabelle!
French native, lives in Madrid, travels the
world
Speak English, French, Spanish
3
DEFINING API SECURITY
API SECURITY ASPECTS TO CONSIDER
Authentication
(Validation and
OIDC Flows)
Integrity
Data has not
been tampered
with
Audit
(Forensics)
Confidentiality
Data can’t be seen
in flight
Availability
(Rate Limiting)
Authorization
(Access
Control and
OAuth flows)
Non Repudiation
(Legal Compliance)
Input/Output
Validation
(Attacks Protection)
5
REQUEST
RESPONSE
1 2
Request
Validation
Message
Validation
3
Token
Validation
Crypto
Validation
4
Tra!c
Enforcement
5 6 7
AAA
Message
Processing
1
Message
Validation
2
Crypto
Operations
3
Response
Validation
4
Message
Processing
TLS covers Confidentiality and Integrity at transport level.
Configuration matters!
✓ Protocol accepted (TLS 1.2, 1.3 are recommended)
✓ Strong cipher suites
Can use Mutual SSL for authentication is some scenarios
Review/Enforce across the whole transaction flow
✓ Inbound/Outbound
Remember: channel is encrypted… but data goes in clear!
6
IT STARTS AT TRANSPORT LEVEL…
REQUEST VALIDATION
Verbs
Path
Headers
Query params
Cookies
CORS
Apply positive and negative security models (a.k.a whitelisting and
blacklisting)
✓ Example: Leverage Open API to apply positive security model!
7
DATA VALIDATION
Payload validation (request, responses, errors!)
Block sensitive data in responses (N26 attack lessons…)
Make sure you don’t return too much information in case of
errors. Too much info for attacker!
✓ Avoid Response.post ( exception.printStackTrace()) !
8
TOKEN VALIDATION
Which token format is accepted ?
Where (query param ? header ?)
Is it of the right format ?
Has it expired ?
Is the signature valid?
Is the signing/encrypting algorithm the right one ( RS256, HS 256)
Was 2-factor auth used if required ? (Level of Assurance - LoA 3 or greater)
Claims check
✓ What’s the audience value ? See: https://thehackernews.com/2018/04/auth0-authentication-bypass.html
✓ What’s the issuer value ?
✓ Custom checks
Check jwt.io to ensure the libraries you use do the proper checks!
9
CRYPTOGRAPHY
10
CRYPTO VALIDATION
Can I decrypt ?
Can I verify the signature ?
Decrypt before payload validation !
11
INTEGRITY
What I received is what was sent and I know who sent it.
Digital signatures over content.
You probably already use this with OpenID Connect (id token must be
signed and optionally encrypted)
Transport agnostic!
Other applications
✓ Non-Repudiation
12
CONFIDENTIALITY
I don’t want anybody to see the messages exchanged.
Data can only be read by the right person/system
Transport agnostic!
Multiple recipients
✓ Part of message goes to target A, another to target B
13
AAA (AUTHENTICATION/AUTHORIZATION /AUDIT)
Choose OAuth Grant Types wisely
✓ Know the deployment
✓ Know who will invoke the APIs.
Use HTTPs across all actors (Resource Server, Authorization Server, Client)
Prevent Token theft ! Look at
✓ PKCE for mobile apps ( prevents authorization_code from being stolen)
✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800)
✓ Token Binding ( new RFC, still in Draft)
Use proven libs and products !
Audit everything (logs, SIEM, audit trail)
Learn Learn and Learn …
✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce
✓ https://alexbilbie.com/guide-to-oauth-2-grants/
✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864 14
OPEN API SECURITY EXTENSIONS
Specify the security contract
Authentication
✓ Basic Auth
✓ API Key
✓ OAuth (flows, URLs to Authorization/Token Server)
Future
✓ Mutual TLS (3.1)
✓ Cryptography support at message level
✓ Additional details for OAuth JWT contract
• Algorithms
• Required Claims
• Signature Type 15
16
www.42crunch.com/whitepaper
CONTACT: INFO@42CRUNCH.COM
WWW.42CRUNCH.COM
The API Security Platform for the Enterprise

More Related Content

What's hot

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs42Crunch
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.Isabelle Mauny
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at ScaleNordic APIs
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World42Crunch
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API SecurityIsabelle Mauny
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs42Crunch
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days42Crunch
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best PracticesCA API Management
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 1042Crunch
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 

What's hot (20)

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 

Similar to Advanced API Security Patterns

Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityBui Kiet
 
Designing Secure APIs
Designing Secure APIsDesigning Secure APIs
Designing Secure APIsSteven Chen
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Codemotion
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIISylvain Maret
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Ledingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersLedingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersMukesh Singh
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhamzaaqqa7
 
Integration step up session
Integration step up sessionIntegration step up session
Integration step up sessionAmit Behere
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?centralohioissa
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
Security overview (grahame)
Security overview (grahame)Security overview (grahame)
Security overview (grahame)DevDays
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud IdentityMark Diodati
 

Similar to Advanced API Security Patterns (20)

Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Designing Secure APIs
Designing Secure APIsDesigning Secure APIs
Designing Secure APIs
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Ledingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersLedingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for Developers
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
Integration step up session
Integration step up sessionIntegration step up session
Integration step up session
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
Security overview (grahame)
Security overview (grahame)Security overview (grahame)
Security overview (grahame)
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud Identity
 

Recently uploaded

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Anthony Dahanne
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 

Recently uploaded (20)

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 

Advanced API Security Patterns

  • 1. The API Security Platform for the Enterprise ISABELLE MAUNY - CTO AND CO-FOUNDER ISABELLE@42CRUNCH.COM ADVANCED API SECURITY PATTERNS
  • 2. 2 Hello, I am Isabelle! French native, lives in Madrid, travels the world Speak English, French, Spanish
  • 4. API SECURITY ASPECTS TO CONSIDER Authentication (Validation and OIDC Flows) Integrity Data has not been tampered with Audit (Forensics) Confidentiality Data can’t be seen in flight Availability (Rate Limiting) Authorization (Access Control and OAuth flows) Non Repudiation (Legal Compliance) Input/Output Validation (Attacks Protection)
  • 5. 5 REQUEST RESPONSE 1 2 Request Validation Message Validation 3 Token Validation Crypto Validation 4 Tra!c Enforcement 5 6 7 AAA Message Processing 1 Message Validation 2 Crypto Operations 3 Response Validation 4 Message Processing
  • 6. TLS covers Confidentiality and Integrity at transport level. Configuration matters! ✓ Protocol accepted (TLS 1.2, 1.3 are recommended) ✓ Strong cipher suites Can use Mutual SSL for authentication is some scenarios Review/Enforce across the whole transaction flow ✓ Inbound/Outbound Remember: channel is encrypted… but data goes in clear! 6 IT STARTS AT TRANSPORT LEVEL…
  • 7. REQUEST VALIDATION Verbs Path Headers Query params Cookies CORS Apply positive and negative security models (a.k.a whitelisting and blacklisting) ✓ Example: Leverage Open API to apply positive security model! 7
  • 8. DATA VALIDATION Payload validation (request, responses, errors!) Block sensitive data in responses (N26 attack lessons…) Make sure you don’t return too much information in case of errors. Too much info for attacker! ✓ Avoid Response.post ( exception.printStackTrace()) ! 8
  • 9. TOKEN VALIDATION Which token format is accepted ? Where (query param ? header ?) Is it of the right format ? Has it expired ? Is the signature valid? Is the signing/encrypting algorithm the right one ( RS256, HS 256) Was 2-factor auth used if required ? (Level of Assurance - LoA 3 or greater) Claims check ✓ What’s the audience value ? See: https://thehackernews.com/2018/04/auth0-authentication-bypass.html ✓ What’s the issuer value ? ✓ Custom checks Check jwt.io to ensure the libraries you use do the proper checks! 9
  • 11. CRYPTO VALIDATION Can I decrypt ? Can I verify the signature ? Decrypt before payload validation ! 11
  • 12. INTEGRITY What I received is what was sent and I know who sent it. Digital signatures over content. You probably already use this with OpenID Connect (id token must be signed and optionally encrypted) Transport agnostic! Other applications ✓ Non-Repudiation 12
  • 13. CONFIDENTIALITY I don’t want anybody to see the messages exchanged. Data can only be read by the right person/system Transport agnostic! Multiple recipients ✓ Part of message goes to target A, another to target B 13
  • 14. AAA (AUTHENTICATION/AUTHORIZATION /AUDIT) Choose OAuth Grant Types wisely ✓ Know the deployment ✓ Know who will invoke the APIs. Use HTTPs across all actors (Resource Server, Authorization Server, Client) Prevent Token theft ! Look at ✓ PKCE for mobile apps ( prevents authorization_code from being stolen) ✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800) ✓ Token Binding ( new RFC, still in Draft) Use proven libs and products ! Audit everything (logs, SIEM, audit trail) Learn Learn and Learn … ✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce ✓ https://alexbilbie.com/guide-to-oauth-2-grants/ ✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864 14
  • 15. OPEN API SECURITY EXTENSIONS Specify the security contract Authentication ✓ Basic Auth ✓ API Key ✓ OAuth (flows, URLs to Authorization/Token Server) Future ✓ Mutual TLS (3.1) ✓ Cryptography support at message level ✓ Additional details for OAuth JWT contract • Algorithms • Required Claims • Signature Type 15
  • 17. CONTACT: INFO@42CRUNCH.COM WWW.42CRUNCH.COM The API Security Platform for the Enterprise