Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SecDevOps for API Security

112 views

Published on

As the pace at which APIs are created, proper security requires automation. This presentation introduces top OWASP issues which are occurring today and a series of steps to better protect our APIs.

Published in: Software
  • Be the first to comment

  • Be the first to like this

SecDevOps for API Security

  1. 1. The API Security Platform for the Enterprise ISABELLE MAUNY - CTO & CO-FOUNDER ISABELLE@42CRUNCH.COM SEC-DEV-OPS AN AUTOMATED APPROACH TO API SECURITY
  2. 2. OWASP : FROM 2010 THROUGH 2017 2 For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are: • A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards • For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are: • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards • • Top 10 2017 • A1:2017-Injection • A2:2017-Broken Authentication • A3:2017-Sensitive Data Exposure • A4:2017-XML External Entities (XXE) • A5:2017-Broken Access Control • A6:2017-Security Misconfiguration • A7:2017-Cross-Site Scripting (XSS) • A8:2017-Insecure Deserialization • A9:2017-Using Components with Known Vulnerabilities • A10:2017-Insufficient Logging&Monitoring
  3. 3. A FEW EXAMPLES 3
  4. 4. CONTENT INJECTION: WORDPRESS API 4https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  5. 5. TITLE TEXT Remote Command Execution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 5
  6. 6. 6 https://www.talosintelligence.com/reports/TALOS-2018-0539/
  7. 7. 7 Information Leakage (A3) Broken Access Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
  8. 8. N26 CONTINUED… 8
  9. 9. 9 Failed to properly validate that you can’t input any other number than yours!
  10. 10. UNPROTECTED API ! (A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 10
  11. 11. AND OF COURSE …. EQUIFAX FOR A9 11
  12. 12. JWT TOKEN VALIDATION 12 Failed to properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
  13. 13. HOW DID WE GET THERE? 13
  14. 14. WE ARE HUMANS! 14
  15. 15. 15
  16. 16. COVERING THE BASICS 16
  17. 17. 17
  18. 18. KNOW YOUR APIS 18 1 See: https://www.owasp.org/index.php/Application_Threat_Modeling
  19. 19. VALIDATE AND SANITIZE INPUT 19 URL validation Verb validation ✓ Reject if not valid ✓ Reject if user not-authorized Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPEN API to the RESCUE !
  20. 20. VALIDATE JWT TOKENS 20 Don’t trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ? ✓ RS256 (recommended) Reject None Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims Add your own claims 3 OPEN API to the RESCUE !
  21. 21. EXTERNAL TOKEN VS. INTERNAL JWT 21 Token Server Validate/ Issue token
  22. 22. FINE-GRAIN AUTHORIZATION 22 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution ✓ SAML ! 4
  23. 23. FINDING VULNERABILITIES 23
  24. 24. START EARLY: SHIFT LEFT ! 24 DeploymentTestingDevelopmentDesign
  25. 25. COVER THE BASICS 25 Automated Analysis Static code analysis 3rd party libraries validation (CVEs) NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
  26. 26. HACK YOURSELVES! 26 API Scanning/Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (alpha) Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
  27. 27. PROTECTION 27
  28. 28. 28 PROTECT YOUR APIS 1 Deploy security measures such as API Security Gateways/Firewalls ✓ Introduce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Security Policies automatically applied and enforced ✓ Serves as Virtual Patching for protection ✓ Deploy at the edge and/or close to APIs (microservices architecture)
  29. 29. Use Development ticketing system for tracking issues Analyse runtime behaviour and raise issues automatically 29 MONITOR AND ANALYZE 2
  30. 30. 42CRUNCH DEV-SEC-OPS CYCLE FOR APIS 30 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
  31. 31. TITLE TEXTHOW SECURITY PEOPLE FEEL ABOUT APIS 31
  32. 32. CONTACT: INFO@42CRUNCH.COM WWW.42CRUNCH.COM The API Security Platform for the Enterprise
  33. 33. RESOURCES OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools 33
  34. 34. RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 34

×