
APIDays Paris Security Workshop

Slides from my workshop in Paris, with practical tips on Security at the technical and organisational levels.


  1. PRACTICAL API SECURITY WORKSHOP. Isabelle Mauny, Chief Product Officer / Co-Founder. The API Security Platform for the Enterprise.
  2. OWASP: FROM 2010 THROUGH 2017
     Top 10 2010: A1 Injection; A2 Cross-Site Scripting (XSS); A3 Broken Authentication and Session Management; A4 Insecure Direct Object References; A5 Cross-Site Request Forgery (CSRF); A6 Security Misconfiguration; A7 Insecure Cryptographic Storage; A8 Failure to Restrict URL Access; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects and Forwards.
     Top 10 2017: A1 Injection*; A2 Broken Authentication*; A3 Sensitive Data Exposure*; A4 XML External Entities (XXE)*; A5 Broken Access Control*; A6 Security Misconfiguration*; A7 Cross-Site Scripting (XSS)*; A8 Insecure Deserialization*; A9 Using Components with Known Vulnerabilities*; A10 Insufficient Logging & Monitoring*. (* applies to APIs!)
  3. LET’S LOOK AT A BROKEN APP
  4. (image slide)
  5. NOT ONLY IN DEMOS…
  6. BROKEN AUTHENTICATION (A2). "I am not advertising this API, how could anyone know about it?!" https://motherboard.vice.com/en_us/article/598xaa/remini-app-exposed-childrens-data-open-api
  7. Information Leakage (A3), Broken Access Control (A5). Check: https://www1.cs.fau.de/filepool/projects/n26/n26-roots.pdf. Watch the video at: https://media.ccc.de/v/33c3-7969-shut_up_and_take_my_money
  8. N26 CONTINUED…
  9. Failed to properly validate that you can’t input any other number than yours!
  10. Remote Command Execution (A1), SQL Injection (A1), JSON injection (A1), Information Leakage (A3), Broken Access Control (A5). Check: https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html
  11. https://www.talosintelligence.com/reports/TALOS-2018-0539/
  12. UNPROTECTED API! (A6). Remote Command Execution, SQL Injection, Buffer Overflow, JSON injection, Information Leakage. Check: https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html. See also: https://ninja.style/post/bcard/
  13. AND OF COURSE… EQUIFAX FOR A9
  14. WHY IS THIS HAPPENING?
  15. WE ARE HUMANS!
  16. (image slide)
  17. DIGITAL TRANSFORMATION MADNESS… Application Development vs. Application Security
  18. CONTROLLER LAYER IS GONE! Internal Applications, Legacy Systems, Databases, Integration Layer, Technical and Functional (micro)Services, SaaS Applications, Things, App-level APIs
  19. HOW SECURITY PEOPLE FEEL ABOUT APIS
  20. YOU GOT THE POWER!
  21. LET’S COVER THE BASICS…
  22. And this is why…
  23. SOCIAL ENGINEERING: https://youtu.be/lc7scxvKQOo?t=23
  24. KNOW YOUR APIS (1). See: https://www.owasp.org/index.php/Application_Threat_Modeling
  25. OPEN BANKING SAMPLE CATEGORISATION

     | API | Category | Data Sensitivity | Operations Sensitivity | Authentication Requirements | Integrity Requirement |
     |---|---|---|---|---|---|
     | ATMs | OpenData | Low | Low | None | None |
     | Accounts | Read | High | Medium | Medium | Required |
     | Payments | Write | High | High | High | Required |

  26. VALIDATE AND SANITIZE INPUT (2)
     URL validation, Verb validation ✓ Reject if not valid
     Query params validation ✓ Min / Max / Pattern-based matching
     Content-Type validation ✓ Don’t accept as-is!
     Accept Header validation ✓ Don’t copy into Content-Type
     Data inbound ✓ Format ✓ Message size and complexity
     Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary
     OPENAPI SPECIFICATION to the RESCUE!
  27. USE OAUTH PROPERLY (3)
     OAuth Grant Types ✓ Authorization Code ✓ Others are usually not the safe option.
     Do not use OAuth as proof of authentication, use OpenID Connect instead.
     Leverage PKCE.
     OPENAPI SPECIFICATION to the RESCUE!
  28. OAUTH THREAT LANDSCAPE
     Sensitive information ✓ Access tokens: the key to open the API door ✓ Refresh tokens: the key to obtain many valid access tokens ✓ Authorization code: to obtain an access token ✓ State: protection against CSRF attacks
     Common attack vectors ✓ Token leakage → TLS 1.2 + strong ciphers, short-lived tokens, token binding, protected storage ✓ Code interception attacks → Use PKCE (Proof Key for Code Exchange) ✓ Token replay → Token Binding (over TLS) or Mutual TLS for OAuth ✓ Redirect URI forgery → standard CSRF attack countermeasures (OWASP)
     REQUIRES PROTECTION MEASURES ON CLIENT AND SERVER SIDE
  29. VALIDATE JSON WEB TOKENS (4)
     Don’t trust the incoming tokens! The client could have been compromised…
     Validate the algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended). Reject None!
     Validate the signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange
     Validate standard claims and your own claims
     See details: learn the best practices for keeping your JWTs secure.
     OPENAPI SPECIFICATION (AGAIN) to the RESCUE!
  30. EXTERNAL / PUBLIC VS INTERNAL TOKENS. Token Server: Validate / Issue token
  31. FINE-GRAIN AUTHORIZATION (5)
     Who is calling? ✓ Is it your own app? ✓ Is it a trusted user?
     What can they do? OAuth Scopes are often not enough! ✓ Need an Attribute-based Access Control (ABAC) solution (XACML!)
  32. FINDING VULNERABILITIES
  33. START EARLY: SHIFT LEFT! Design → Development → Testing → Deployment
  34. Development, Security, Operations, Business
  35. COVER THE BASICS (1)
     Use Trusted Libraries: don’t re-invent the wheel!
     Automated Analysis: static code analysis; 3rd party libraries validation (CVEs), e.g. NSP / Snyk for Node.js; GitHub dependencies graph
     Manual Analysis: code reviews
  36. https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
  37. (image slide)
  38. HACK YOURSELVES! (2)
     API Scanning / Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (coming soon!)
     Transport analysis ✓ SSL Labs ✓ Hardenize
     Further Analysis ✓ Bug Bounty ✓ Pen Testing
  39. PROTECT YOUR APIS (3)
     Protect all APIs (public, private, SaaS). AUTOMATICALLY deploy security measures such as API Security Gateways / Firewalls:
     ✓ Enforce Rate Limiting: brute force attacks (see N26!), DoS attacks
     ✓ Data Validation / JWT Validation / Authentication / Authorization
     ✓ Serves as Virtual Patching (as a WAF does for applications)
     ✓ Deploy at the edge and/or close to APIs (microservices architecture)
  40. MONITOR AND ANALYZE (4)
     Use the development ticketing system for tracking issues. Analyse runtime behaviour and raise issues automatically.
  41. JOIN THE MAILING LIST! APISECURITY.IO: REGISTER AND LEARN FROM MORE STORIES!
  42. RESOURCES
  43. RESOURCES
     OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
     OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project
     Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering
     OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
     Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
     Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction
     Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
     Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/
  44. RESOURCES
     SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/
     Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling
     Attack Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing / XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc
     Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co
     JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens
     Node JS Security recommendations ✓ https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d
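Slide 26's request-side checklist (URL, verb, query parameter min / max / pattern, Content-Type, message size) as rules read from an OpenAPI-style operation definition. This is an added example, not code from the deck or from any product it names; the RULES dictionary, the path, the parameter bounds and the body ceiling are constructed for illustration.

```python
import re

# Constructed rule set in the spirit of an OpenAPI operation definition (not the deck's):
# allowed verbs per path template, typed/bounded parameters, accepted Content-Type, body ceiling.
RULES = {"/accounts/{id}/transactions": {
    "get":  {"params": {"id": {"in": "path", "pattern": r"^[0-9]{8}$"},
                        "limit": {"in": "query", "type": "int", "min": 1, "max": 100}},
             "content_type": None, "max_body": 0},
    "post": {"params": {"id": {"in": "path", "pattern": r"^[0-9]{8}$"}},
             "content_type": "application/json", "max_body": 4096}}}

def _match_path(path):
    # Turn "/accounts/{id}/transactions" into a regex and capture the path parameters.
    for template in RULES:
        m = re.fullmatch(re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template), path)
        if m:
            return template, m.groupdict()
    return None, {}

def _check_value(name, value, rule):
    # Pattern-based matching first, then min / max for integers; None means the value is OK.
    if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
        return f"{name}: does not match {rule['pattern']}"
    if rule.get("type") == "int":
        if not re.fullmatch(r"-?[0-9]+", value):
            return f"{name}: not an integer"
        n = int(value)
        if n < rule.get("min", n) or n > rule.get("max", n):
            return f"{name}: out of range"
    return None

def validate_request(method, path, query, headers, body):
    """Return the reasons to reject the request; an empty list means it passes."""
    template, path_params = _match_path(path)
    if template is None:
        return ["unknown URL"]                                   # URL validation
    op = RULES[template].get(method.lower())
    if op is None:
        return ["verb not allowed on this URL"]                  # verb validation
    reasons = [f"{n}: undeclared query parameter" for n in query  # undeclared input is rejected
               if op["params"].get(n, {}).get("in") != "query"]
    for name, rule in op["params"].items():
        source = path_params if rule["in"] == "path" else query  # honour the declared location
        if name in source:
            reasons.append(_check_value(name, source[name], rule))
    if len(body) > op["max_body"]:                               # message size
        reasons.append("body too large")
    media = headers.get("Content-Type", "").split(";")[0].strip().lower() or None
    if media != op["content_type"]:                              # media type compared, never copied
        reasons.append(f"unexpected Content-Type {media!r}")
    return [r for r in reasons if r]
```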
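The PKCE countermeasure named on slides 27 and 28 against authorization-code interception, as an added example that is not part of the deck: the client derives an S256 code_challenge from a random code_verifier, and the constructed in-memory AuthorizationServer redeems a code only once and only for the party presenting the matching verifier. The client id and the class and function names are assumptions made for the example.

```python
import base64, hashlib, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_pkce_pair():
    # Client side (RFC 7636): a random code_verifier and its S256 code_challenge.
    verifier = b64url(secrets.token_bytes(32))        # 43 chars, inside the allowed 43..128
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

class AuthorizationServer:
    # Constructed in-memory server: a code is bound to the challenge presented on
    # /authorize and redeemed on /token only by the holder of the matching verifier.
    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge, method="S256"):
        if method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)               # single use, consumed even on failure
        if entry is None:
            raise ValueError("unknown or already used code")
        bound_client, challenge = entry
        derived = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if bound_client != client_id or not secrets.compare_digest(derived, challenge):
            raise ValueError("code_verifier does not match the code_challenge")
        return "access-token-" + secrets.token_hex(8)

def redeem(server, client_id, code, verifier):
    """True when the server issues a token for (code, verifier), False when it refuses."""
    try:
        server.token(client_id, code, verifier)
        return True
    except ValueError:
        return False

def demo():
    """Walk the three outcomes; returns which attempts obtained a token."""
    server = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    code = server.authorize("mobile-app", challenge)
    legit = redeem(server, "mobile-app", code, verifier)
    replay = redeem(server, "mobile-app", code, verifier)            # same code presented again
    code = server.authorize("mobile-app", challenge)
    stolen = redeem(server, "mobile-app", code, "guessed-verifier")  # code leaked, verifier not
    return {"legit": legit, "replay": replay, "stolen_code": stolen}
```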
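Slide 29's JWT validation steps, as an added example that is not the deck's code: the accepted algorithm is pinned in the verifier (which is what rejects an "alg": "none" header), the signature is compared in constant time, and the standard claims are checked. The key, issuer and audience are constructed values; make_hs256_token exists only so the example can run offline. It uses HS256 rather than the RS256 the slide recommends because that fits in the standard library; the validation order is the same for either.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims, key, alg="HS256"):
    # Constructed issuer so the example runs offline; alg is a parameter only so the negative test can build a "none" token.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token, key, issuer, audience, now=None):
    """Return the claims of a valid HS256 token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 and bad JSON all land here
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # 1. Validate the algorithm: only the one we chose, fixed here and never taken from the token. This rejects "none".
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Validate the signature over the exact bytes received, in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # 3. Validate the standard claims: issuer, audience, expiry.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims

def token_error(token, key, issuer, audience, now=None):
    """None when the token is accepted, otherwise the rejection reason."""
    try:
        validate_token(token, key, issuer, audience, now)
        return None
    except ValueError as e:
        return str(e)
```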
