Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Advanced API Security Patterns


Published on

While TLS and OAuth are widely used today, they are not always well-used and in many cases they are not enough. In this presentation, we introduce all aspects of security to consider as well as the OpenAPI security extensions which can be leveraged to better express the contract between the consumer and the provider.

Published in: Software
  • Be the first to comment

Advanced API Security Patterns

  2. 2. 2 Hello, I am Isabelle! French native, lives in Madrid, travels the world Speak English, French, Spanish
  4. 4. API SECURITY ASPECTS TO CONSIDER Authentication (Validation and OIDC Flows) Integrity Data has not been tampered with Audit (Forensics) Confidentiality Data can’t be seen in flight Availability (Rate Limiting) Authorization (Access Control and OAuth flows) Non Repudiation (Legal Compliance) Input/Output Validation (Attacks Protection)
  5. 5. 5 REQUEST RESPONSE 1 2 Request Validation Message Validation 3 Token Validation Crypto Validation 4 Tra!c Enforcement 5 6 7 AAA Message Processing 1 Message Validation 2 Crypto Operations 3 Response Validation 4 Message Processing
  6. 6. TLS covers Confidentiality and Integrity at transport level. Configuration matters! ✓ Protocol accepted (TLS 1.2, 1.3 are recommended) ✓ Strong cipher suites Can use Mutual SSL for authentication is some scenarios Review/Enforce across the whole transaction flow ✓ Inbound/Outbound Remember: channel is encrypted… but data goes in clear! 6 IT STARTS AT TRANSPORT LEVEL…
  7. 7. REQUEST VALIDATION Verbs Path Headers Query params Cookies CORS Apply positive and negative security models (a.k.a whitelisting and blacklisting) ✓ Example: Leverage Open API to apply positive security model! 7
  8. 8. DATA VALIDATION Payload validation (request, responses, errors!) Block sensitive data in responses (N26 attack lessons…) Make sure you don’t return too much information in case of errors. Too much info for attacker! ✓ Avoid ( exception.printStackTrace()) ! 8
  9. 9. TOKEN VALIDATION Which token format is accepted ? Where (query param ? header ?) Is it of the right format ? Has it expired ? Is the signature valid? Is the signing/encrypting algorithm the right one ( RS256, HS 256) Was 2-factor auth used if required ? (Level of Assurance - LoA 3 or greater) Claims check ✓ What’s the audience value ? See: ✓ What’s the issuer value ? ✓ Custom checks Check to ensure the libraries you use do the proper checks! 9
  10. 10. CRYPTOGRAPHY 10
  11. 11. CRYPTO VALIDATION Can I decrypt ? Can I verify the signature ? Decrypt before payload validation ! 11
  12. 12. INTEGRITY What I received is what was sent and I know who sent it. Digital signatures over content. You probably already use this with OpenID Connect (id token must be signed and optionally encrypted) Transport agnostic! Other applications ✓ Non-Repudiation 12
  13. 13. CONFIDENTIALITY I don’t want anybody to see the messages exchanged. Data can only be read by the right person/system Transport agnostic! Multiple recipients ✓ Part of message goes to target A, another to target B 13
  14. 14. AAA (AUTHENTICATION/AUTHORIZATION /AUDIT) Choose OAuth Grant Types wisely ✓ Know the deployment ✓ Know who will invoke the APIs. Use HTTPs across all actors (Resource Server, Authorization Server, Client) Prevent Token theft ! Look at ✓ PKCE for mobile apps ( prevents authorization_code from being stolen) ✓ Proof-of-possession ( ✓ Token Binding ( new RFC, still in Draft) Use proven libs and products ! Audit everything (logs, SIEM, audit trail) Learn Learn and Learn … ✓ ✓ ✓ 14
  15. 15. OPEN API SECURITY EXTENSIONS Specify the security contract Authentication ✓ Basic Auth ✓ API Key ✓ OAuth (flows, URLs to Authorization/Token Server) Future ✓ Mutual TLS (3.1) ✓ Cryptography support at message level ✓ Additional details for OAuth JWT contract • Algorithms • Required Claims • Signature Type 15
  16. 16. 16
  17. 17. CONTACT: INFO@42CRUNCH.COM WWW.42CRUNCH.COM The API Security Platform for the Enterprise