
Better API Security with Automation


API security needs to be approached with agility and collaboration in mind. In this presentation, we explain why API security must be automated: the explosion of endpoints, continuous change, human error, and the need to involve security teams early in the API development process.

Published in: Software
  • This story has been featured in APISecurity.io newsletter: https://apisecurity.io/issue-5-bad-tls-client-authentication-not-use-curl-state-software-security/


  1. THE API SECURITY PLATFORM FOR THE ENTERPRISE. Isabelle Mauny, Chief Product Officer & Co-Founder, isabelle@42crunch.com. BETTER SECURITY WITH AN AUTOMATED APPROACH
  2. OWASP: FROM 2010 THROUGH 2017. Top 10 2010: A1 Injection; A2 Cross-Site Scripting (XSS); A3 Broken Authentication and Session Management; A4 Insecure Direct Object References; A5 Cross-Site Request Forgery (CSRF); A6 Security Misconfiguration; A7 Insecure Cryptographic Storage; A8 Failure to Restrict URL Access; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects and Forwards. Top 10 2017: A1 Injection*; A2 Broken Authentication; A3 Sensitive Data Exposure*; A4 XML External Entities (XXE)*; A5 Broken Access Control*; A6 Security Misconfiguration*; A7 Cross-Site Scripting (XSS)*; A8 Insecure Deserialization*; A9 Using Components with Known Vulnerabilities*; A10 Insufficient Logging & Monitoring. (* = API related)
  3. "By 2022 APIs will become the most common attack vector" - Gartner
  4. HOW DID WE GET THERE?
  5. WE ARE HUMANS!
  6. (image slide, no text)
  7. COVERING THE BASICS
  8. (image slide, no text)
  9. KNOW YOUR APIS (1). See: https://www.owasp.org/index.php/Application_Threat_Modeling
  10. VALIDATE AND SANITIZE INPUT (2). URL validation. Verb validation ✓ Reject if not valid. Query params validation ✓ Min / Max / Pattern-based matching. Content-Type validation ✓ Don't accept as-is! Accept header validation ✓ Don't copy into Content-Type. Data inbound ✓ Format ✓ Message size and complexity. Data outbound ✓ Data leakage ✓ Exception leakage ✓ Use rules against data dictionary. OPENAPI SPECIFICATION to the RESCUE!
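An added example of what "OpenAPI to the rescue" means in practice; it is not code from the deck or from 42Crunch. A constructed, OpenAPI-style description of one operation (a hypothetical POST /accounts/{id}/transfers) drives every check the slide lists: verb, undeclared query parameters, required/min/max/pattern rules, Content-Type taken from the contract rather than echoed from the request, and message size.

```python
import re

# Constructed OpenAPI-style description of one operation (not a real API):
# what POST /accounts/{id}/transfers accepts. Anything not declared is rejected.
OPERATION = {
    "method": "POST",
    "parameters": [
        {"name": "idempotencyKey", "required": True,
         "schema": {"type": "string", "pattern": r"^[a-f0-9]{32}$"}},
        {"name": "priority", "required": False,
         "schema": {"type": "integer", "minimum": 1, "maximum": 3}},
    ],
    "requestBody": {"contentTypes": ["application/json"], "maxBytes": 4096},
}

def validate_request(op, method, query, headers, body=b""):
    """Return the list of reasons to reject the request; an empty list means it conforms."""
    errors = []
    if method != op["method"]:
        return [f"verb {method} not allowed"]          # nothing else is worth checking
    declared = {p["name"] for p in op["parameters"]}
    # Query parameters the contract does not declare are rejected, not ignored.
    errors += [f"unknown query param {name}" for name in sorted(set(query) - declared)]
    for p in op["parameters"]:
        value, schema = query.get(p["name"]), p["schema"]
        if value is None:
            if p["required"]:
                errors.append(f"missing {p['name']}")
        elif schema["type"] == "integer":                 # min / max checks
            if not re.fullmatch(r"-?\d+", value):
                errors.append(f"{p['name']} is not an integer")
            elif not schema["minimum"] <= int(value) <= schema["maximum"]:
                errors.append(f"{p['name']} out of range")
        elif not re.fullmatch(schema["pattern"], value):  # string: pattern-based match
            errors.append(f"{p['name']} does not match pattern")
    # Content-Type must be one the contract declares; it is never copied from Accept.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in op["requestBody"]["contentTypes"]:
        errors.append(f"unsupported Content-Type {ctype!r}")
    if len(body) > op["requestBody"]["maxBytes"]:         # message size limit
        errors.append("body too large")
    return errors
```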
  11. VALIDATE JWT TOKENS (3). Don't trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended). Reject None! Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange. Validate standard claims and your own claims. See details: Learn the best practices for keeping your JWTs secure. OPENAPI SPECIFICATION (AGAIN) to the RESCUE!
  12. FINE-GRAIN AUTHORIZATION (4). Who is calling? ✓ Is it your own app? ✓ Is it a trusted user? What can they do? Example: T-Mobile number. Scopes are often not enough! ✓ Need ABAC solution (XACML!)
  13. FINDING VULNERABILITIES
  14. START EARLY: SHIFT LEFT! Design → Development → Testing → Deployment
  15. Development / Security / Operations / Business
  16. COVER THE BASICS (1). Automated analysis: static code analysis; 3rd-party libraries validation (CVEs), e.g. NPS / Snyk for Node.js; GitHub dependencies graph. Manual analysis: code reviews.
  17. HACK YOURSELVES! (2). API scanning/fuzzing ✓ Veracode, Coverity ✓ 42Crunch (coming soon!). Transport analysis ✓ SSL Labs ✓ Hardenize. Further analysis ✓ Bug bounty ✓ Pen testing.
  18. PROTECT YOUR APIS (3). Protect all APIs (public, private, SaaS). AUTOMATICALLY deploy security measures such as API security gateways/firewalls ✓ Enforce rate limiting • Brute-force attacks (see N26!) • DoS attacks ✓ Data validation / JWT validation / Auth / Azn ✓ Serves as virtual patching (as a WAF does for applications) ✓ Deploy at the edge and/or close to APIs (microservices architecture).
  19. MONITOR AND ANALYZE (4). Use the development ticketing system for tracking issues. Analyse runtime behaviour and raise issues automatically.
  20. JOIN THE MAILING LIST! APISECURITY.IO: NEWS AND TOOLS FOR BETTER API SECURITY
  21. ADDITIONAL INFORMATION
  22. PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS. Develop → Assess → Protect → Deploy → Test → Monitor. Develop and document API with OpenAPI/Swagger. Assess API description and evaluate risk level. Configure and apply security policies from assessed risk. Deploy to containerized PEP. Continuous API hardening including API fuzzing. Monitor security vulnerabilities and runtime behavior.
  23. CONTENT INJECTION: WORDPRESS API. https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  24. Remote Command Execution (A1), SQL Injection (A1), JSON injection (A1), Information Leakage (A3), Broken Access Control (A5). Check: https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html
  25. https://www.talosintelligence.com/reports/TALOS-2018-0539/
  26. Information Leakage (A3), Broken Access Control (A5). Check: https://www1.cs.fau.de/filepool/projects/n26/n26-roots.pdf
  27. N26 CONTINUED…
  28. Failed to properly validate that you can't input any other number than yours!
  29. UNPROTECTED API! (A6). Remote Command Execution, SQL Injection, Buffer Overflow, JSON injection, Information Leakage. Check: https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html
  30. AND OF COURSE… EQUIFAX FOR A9
  31. JWT TOKEN VALIDATION. Failed to properly validate JWT token (A5): algorithm (set to None); claims (audience).
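An added example covering both slide 11 (validate JWT tokens) and slide 31 (the failure case: algorithm set to None, audience not checked); it is not code from the deck. The verifier pins the algorithm the service chose instead of trusting the header, so "none" is refused, checks the HMAC in constant time, and then checks the audience and expiry claims. The secret, audience name and claims are constructed for the demo; make_token exists only to build test inputs, including the unsigned form a verifier must reject.

```python
import base64, hashlib, hmac, json, time

DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; real keys come from a key store
EXPECTED_ALG = "HS256"          # the one algorithm this service chose
EXPECTED_AUD = "payments-api"   # the audience this service accepts (constructed name)

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, secret, alg=EXPECTED_ALG):
    """Mint a token for test input; alg='none' yields the unsigned form a verifier must refuse."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, secret, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64, bad JSON and a wrong segment count all land here
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # 1. Algorithm: compare against what *we* chose. "none" and any other alg fail here,
    #    so the header can never select the verification method.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature: recompute over the exact signed bytes and compare in constant time.
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3. Standard claims: the token must be meant for this API and must not be expired.
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("missing or expired exp")
    return claims
```

With RS256 (the slide's recommendation) the same three steps apply; only step 2 changes to a public-key signature check.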
  32. RESOURCES. OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project. OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project. Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering. OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project. Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools. Code Security Reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction. Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools. Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/
  33. RESOURCES (continued). SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/. Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling. Attack Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing / XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc. Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co. JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens
