Practical API Security - Midwest PHP 2018
With the dominance of Mobile Apps, Single Page Apps for the Web, and Micro-Services, we are all building more APIs than ever before. Like many other developers, I had struggled with finding the right mix of security and simplicity for securing APIs. Some standards from the IETF have made it possible to accomplish both. Let me show you how to utilize existing libraries to lock down your API without writing a ton of code.

  1. @adam_englander Practical API Security - Adam Englander, Software Architect, iovation
  2. Let's set some expectations...
  3. What are we protecting against?
  4. (no slide text captured)
  5. 1: Injection
  6. 2: Broken Authentication
  7. 3: Sensitive Data Exposure
  8. 4: XML External Entities (XXE)
  9. libxml_disable_entity_loader(true);
  10. Use defusedxml and defusedexpat to protect libxml
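Slides 8 to 10 give the one-liner for XXE but not the surrounding parser setup. The following is an added example (not code from the talk) of a hardened XML entry point for a PHP API: it makes the slide 9 call only on runtimes that still need it, parses with network access disabled and without entity substitution, and then refuses any document that carries a DOCTYPE at all. The function name `parseXmlSafely` and the two sample payloads are constructed for the example; it assumes ext-dom and ext-libxml.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk. On PHP < 8.0 the external entity loader must be
// switched off explicitly (slide 9); on PHP >= 8.0 that call is deprecated because libxml
// 2.9+ no longer loads external entities unless asked to, so it is only made on old runtimes.

function parseXmlSafely(string $xml): \DOMDocument
{
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new \DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and LIBXML_DTDLOAD
    // are deliberately absent: entity references are never substituted.
    $loaded = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    if ($loaded === false) {
        throw new \InvalidArgumentException('malformed XML');
    }
    // An API payload has no reason to carry a DOCTYPE. Rejecting it outright blocks
    // external entities and recursive entity expansion with one check.
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new \InvalidArgumentException('DOCTYPE declarations are not accepted');
        }
    }
    return $dom;
}

// Constructed inputs: a plain payload and one that declares an (internal) entity.
$plain   = '<?xml version="1.0"?><user><email>valid@user.com</email></user>';
$doctype = '<?xml version="1.0"?><!DOCTYPE user [<!ENTITY demo "x">]><user><email>&demo;</email></user>';

echo parseXmlSafely($plain)->getElementsByTagName('email')->item(0)->textContent, "\n";
try {
    parseXmlSafely($doctype);
} catch (\InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The DOCTYPE check is the layer that does not depend on the libxml version: even if a future flag re-enables entity loading, a document without a DTD cannot declare an entity.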
  11. 5: Broken Access Control
  12. 6: Security Misconfiguration
  13. 7: Cross-Site Scripting (XSS)
  14. 8: Insecure Deserialization
  15. 9: Using Components with Known Vulnerabilities
  16. PHP Resources
      • https://security.sensiolabs.org/
      • roave/security-advisories package
      • https://github.com/FriendsOfPHP/security-advisories
  17. 10: Insufficient Logging & Monitoring
  18. How do we provide that protection?
  19. (no slide text captured)
  20. Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging, Access Control
  21. Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging, Access Control
  22. Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging, Access Control
  23. (no slide text captured)
  24. (no slide text captured)
  25. Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging, Access Control
  26. Replay prevention requires unique requests
  27. Determine Uniqueness of Request
      GET / HTTP/1.1
      Accept: application/json
  28. Determine Uniqueness of Request
      GET / HTTP/1.1
      Accept: application/json
      X-Nonce: 5ed518e8c5c51a64638b2b50c192242d
  29. Store that unique value in a datastore so you can verify you don't see it again
  30. Use the add function on the cache to prevent race conditions
  31. Cache Example
      if ($token === null) {
          throw new AuthorizationRequiredException();
      } elseif (!$this->cache->add(hash('sha512', $token), 1, 10)) {
          throw new InvalidRequestException();
      }
  32. Use insert on unique index for RDBMS to prevent race conditions
  33. Rate limiting requires unique identification for restrictions
  34. api-user-id|create-widget|20:01
      ebf4e1d4bb33e5f6028e8443d6a1d6aa
  35. Use the add and increment functions of the cache to prevent race conditions
  36. Cache Example
      $key = sprintf("%s|root-post|%s", $userId, $timeSlice);
      $this->cache->add($key, 0, 1);
      $total = $this->cache->increment($key);
  37. Use insert with unique index and update returning in RDBMS to prevent race conditions
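Slides 26 to 37 show the two cache calls but not why `add` (rather than `get` followed by `set`) is what removes the race. The block below is an added example, not code from the talk: it wraps both checks, replay prevention and rate limiting, in one guard class. The `InMemoryCache`, `RequestGuard` and exception class names, the clock value and the user id are constructed for the example; the cache's `add`/`increment` semantics mirror the `$this->cache` calls on slides 31 and 36, with Memcached or Redis providing the atomic versions in production. Assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk. The cache interface (add/increment with a TTL)
// mirrors the $this->cache calls on slides 31 and 36; this in-memory version exists only
// so the example runs stand-alone. In production back it with Memcached::add/increment
// or Redis SET NX / INCR, which are atomic across processes; a PHP array is not.

class AuthorizationRequiredException extends \RuntimeException {}
class InvalidRequestException extends \RuntimeException {}
class RateLimitedException extends \RuntimeException {}

final class InMemoryCache
{
    /** @var array<string, array{value: int, expires: int}> */
    private array $items = [];

    public function __construct(private int $now) {}

    /** Store only if the key is absent or expired; false means another request got there first. */
    public function add(string $key, int $value, int $ttl): bool
    {
        if (isset($this->items[$key]) && $this->items[$key]['expires'] > $this->now) {
            return false;
        }
        $this->items[$key] = ['value' => $value, 'expires' => $this->now + $ttl];
        return true;
    }

    /** Bump a counter that add() created and return the new value. */
    public function increment(string $key): int
    {
        if (!isset($this->items[$key]) || $this->items[$key]['expires'] <= $this->now) {
            throw new \RuntimeException("increment on missing key $key");
        }
        return ++$this->items[$key]['value'];
    }
}

final class RequestGuard
{
    public function __construct(private InMemoryCache $cache, private int $limitPerSlice) {}

    /** Replay prevention (slides 26-32): a nonce is accepted once per window. */
    public function checkNonce(?string $nonce, int $windowSeconds = 10): void
    {
        if ($nonce === null || $nonce === '') {
            throw new AuthorizationRequiredException('X-Nonce header missing');
        }
        // Hashing keeps the key fixed-length and keeps the raw value out of the cache.
        if (!$this->cache->add(hash('sha512', $nonce), 1, $windowSeconds)) {
            throw new InvalidRequestException('nonce already seen: replayed request');
        }
    }

    /** Rate limiting (slides 33-37): calls per user, per action, per time slice. */
    public function checkRate(string $userId, string $action, int $now, int $sliceSeconds = 60): int
    {
        $timeSlice = intdiv($now, $sliceSeconds);
        $key = sprintf('%s|%s|%d', $userId, $action, $timeSlice);
        // add() is a no-op when the counter exists, so concurrent first callers cannot
        // reset it; increment() then hands each caller a distinct count.
        $this->cache->add($key, 0, $sliceSeconds);
        $total = $this->cache->increment($key);
        if ($total > $this->limitPerSlice) {
            throw new RateLimitedException("$action: call $total exceeds $this->limitPerSlice per slice $timeSlice");
        }
        return $total;
    }
}

// Usage with constructed values (the nonce is the one shown on slide 28).
$now   = 1_700_000_000;
$guard = new RequestGuard(new InMemoryCache($now), limitPerSlice: 3);

$guard->checkNonce('5ed518e8c5c51a64638b2b50c192242d');          // first sighting: accepted
try {
    $guard->checkNonce('5ed518e8c5c51a64638b2b50c192242d');      // same nonce again: rejected
} catch (InvalidRequestException $e) {
    echo "replay: {$e->getMessage()}\n";
}

for ($i = 1; $i <= 4; $i++) {                                     // the fourth call in the slice is blocked
    try {
        $count = $guard->checkRate('api-user-id', 'create-widget', $now);
        echo "call $i allowed (count $count)\n";
    } catch (RateLimitedException $e) {
        echo "call $i blocked: {$e->getMessage()}\n";
    }
}
```

The nonce window (10 seconds here, as on slide 31) has to be at least as long as the clock skew and retry delay you tolerate, otherwise a legitimately delayed request is treated as a replay; the rate-limit key's TTL only needs to outlive its own time slice.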
  38. Data stores can be done in three ways.
  39. In Memory Datastore
  40. Local Datastore
  41. Global Datastore
  42. Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging, Access Control
  43. Do not make authentication part of the body
  44. Use the Authorization header
  45. HTTP Basic Authentication
      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  46. HTTP Digest Authentication: DO NOT USE!
  47. HTTP Bearer Authentication
      Authorization: Bearer mF_9.B5f-4.1JqM
  48. Roll Your Own
  49. Many APIs do this
  50. What about never rolling your own crypto?
  51. Single Use JWT
  52. No auth service required
  53. Can use existing JWT libraries to create and validate
  54. Can be extended beyond auth to provide data validation and MITM protection
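Slides 51 to 54 name the single-use JWT idea without showing what "single use" costs the verifier. The following is an added example, not code from the talk: a minimal HS256 token whose `jti` claim makes it unique and whose `exp` claim bounds how long the verifier must remember that `jti`. The talk's advice to use an existing JWT library stands; this hand-rolled version only makes visible the checks such a library performs (pinned algorithm, constant-time signature compare, expiry, then the replay set). Function and class names, the secret and the clock value are constructed for the example; assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk. Minimal single-use HS256 JWT: `jti` makes each
// token unique, `exp` bounds its life, and the verifier remembers seen `jti` values only
// until their tokens would have expired anyway. Use a maintained JWT library in production.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string
{
    $padded  = strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4);
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new \InvalidArgumentException('bad base64url');
    }
    return $decoded;
}

/** Issue a token valid for $ttl seconds and usable exactly once. */
function issueSingleUseJwt(string $secret, string $subject, int $now, int $ttl = 60): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT'], JSON_THROW_ON_ERROR));
    $payload = b64url(json_encode([
        'sub' => $subject,
        'iat' => $now,
        'exp' => $now + $ttl,
        'jti' => bin2hex(random_bytes(16)),   // unique per token: this is what makes it single-use
    ], JSON_THROW_ON_ERROR));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

final class SingleUseJwtVerifier
{
    /** @var array<string, int> jti => exp, pruned as tokens expire */
    private array $seen = [];

    public function __construct(private string $secret) {}

    /** Returns the claims; throws on any failure (the client is told nothing about which check failed). */
    public function verify(string $jwt, int $now): array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            throw new \InvalidArgumentException('malformed token');
        }
        [$h, $p, $s] = $parts;

        // The algorithm is pinned by server configuration; the header is only allowed to agree with it.
        $header = json_decode(b64urlDecode($h), true);
        if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
            throw new \InvalidArgumentException('unsupported algorithm');
        }
        $expected = b64url(hash_hmac('sha256', "$h.$p", $this->secret, true));
        if (!hash_equals($expected, $s)) {            // constant-time comparison
            throw new \InvalidArgumentException('bad signature');
        }

        $claims = json_decode(b64urlDecode($p), true);
        if (!is_array($claims) || !isset($claims['exp'], $claims['jti']) || !is_int($claims['exp'])) {
            throw new \InvalidArgumentException('missing claims');
        }
        if ($claims['exp'] <= $now) {
            throw new \InvalidArgumentException('expired');
        }

        // Single use: forget jtis whose tokens have expired, then refuse any jti seen before.
        $this->seen = array_filter($this->seen, fn (int $exp) => $exp > $now);
        if (isset($this->seen[$claims['jti']])) {
            throw new \InvalidArgumentException('token already used');
        }
        $this->seen[$claims['jti']] = $claims['exp'];
        return $claims;
    }
}

// Usage with a constructed secret and clock.
$secret   = 'constructed-demo-secret-use-32-random-bytes-in-production';
$now      = 1_700_000_000;
$token    = issueSingleUseJwt($secret, 'api-user-id', $now);
$verifier = new SingleUseJwtVerifier($secret);
$claims   = $verifier->verify($token, $now + 5);          // first use: accepted
echo "subject={$claims['sub']}\n";
try {
    $verifier->verify($token, $now + 6);                  // second use: rejected
} catch (\InvalidArgumentException $e) {
    echo "replay rejected: {$e->getMessage()}\n";
}
```

The `$seen` array is the same "store the unique value" step as slide 29; on more than one server it belongs in the shared cache from the rate-limiting section, keyed by `jti` with a TTL equal to the remaining token lifetime.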
  55. Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging, Access Control
  56. Message Validation
  57. Request Validation
  58. Method Validation
      GET /user/abc HTTP/1.1
      Accept: application/json
  59. Method Validation
      DELETE /user/abc HTTP/1.1
      Accept: application/json
  60. Path Validation
      GET /user/abc HTTP/1.1
      Accept: application/json
  61. Path Validation
      GET /user/def HTTP/1.1
      Accept: application/json
  62. Body Validation
      PATCH /user/abc HTTP/1.1
      {"email": "valid@user.com"}
  63. Body Validation
      PATCH /user/abc HTTP/1.1
      {"email": "pwned@hkr.com"}
  64. Response Validation
  65. Status Code Validation
      HTTP/1.1 200 OK
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      {"expected": "value"}
  66. Status Code Validation
      HTTP/1.1 400 Invalid Request
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      {"expected": "value"}
  67. Status Code Validation
      HTTP/1.1 200 OK
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      {"expected": "value"}
  68. Status Code Validation
      HTTP/1.1 301 Moved
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      Location: https://bad.actor.com
      {"expected": "value"}
  69. Header Validation
      HTTP/1.1 200 OK
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      Cache-Control: no-cache
      {"expected": "value"}
  70. Header Validation
      HTTP/1.1 200 OK
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      Cache-Control: max-age=99999999
      {"expected": "value"}
  71. Data Validation
      HTTP/1.1 200 OK
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      {"active": false}
  72. Data Validation
      HTTP/1.1 200 OK
      Content-Type: application/json; charset=UTF-8
      Content-Length: 21
      {"active": true}
  73. Validation of request data
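Slides 57 to 72 show good and bad messages side by side but leave the validation logic implicit. The following is an added example, not code from the talk, of an allowlist validator for both directions: the request side checks method, path and body fields (slides 58 to 63), and the response side checks status code, Content-Type, Cache-Control, Location host and the data schema (slides 65 to 72). The `MessageValidator` class, its route table, the `api.example.com` host and the sample messages are constructed for the example; plain arrays stand in for PSR-7 objects so it runs stand-alone. Assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk: allowlist validation of an inbound request and
// an outbound response. Route table, field rules and sample messages are constructed.

final class MessageValidator
{
    /** method => [path pattern => fields the body may contain] */
    private const ROUTES = [
        'GET'   => ['#^/user/[a-z0-9]{1,32}$#' => []],
        'PATCH' => ['#^/user/[a-z0-9]{1,32}$#' => ['email']],
    ];

    /** Returns the decoded body; throws for anything outside the allowlist. */
    public static function validateRequest(string $method, string $path, string $rawBody): array
    {
        $routes = self::ROUTES[$method] ?? throw new \InvalidArgumentException("method $method not allowed");
        $allowedFields = null;
        foreach ($routes as $pattern => $fields) {
            if (preg_match($pattern, $path) === 1) {
                $allowedFields = $fields;
                break;
            }
        }
        if ($allowedFields === null) {
            throw new \InvalidArgumentException("$method $path does not match a known route");
        }
        if ($rawBody === '') {
            return [];
        }
        $body = json_decode($rawBody, true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($body)) {
            throw new \InvalidArgumentException('body must be a JSON object');
        }
        // Unknown fields are rejected, not silently dropped (mass-assignment defence).
        $unknown = array_diff(array_keys($body), $allowedFields);
        if ($unknown !== []) {
            throw new \InvalidArgumentException('unexpected fields: ' . implode(', ', $unknown));
        }
        if (isset($body['email']) && filter_var($body['email'], FILTER_VALIDATE_EMAIL) === false) {
            throw new \InvalidArgumentException('email is not a valid address');
        }
        return $body;
    }

    /** Check a response against the contract before trusting or forwarding it. */
    public static function validateResponse(int $status, array $headers, string $rawBody, array $allowedStatus, string $ownHost): array
    {
        if (!in_array($status, $allowedStatus, true)) {
            throw new \UnexpectedValueException("status $status is outside the contract");
        }
        $headers = array_change_key_case($headers, CASE_LOWER);
        if (($headers['content-type'] ?? '') !== 'application/json; charset=UTF-8') {
            throw new \UnexpectedValueException('unexpected Content-Type');
        }
        // Authenticated API responses must not be cached by intermediaries (slides 69/70).
        if (preg_match('/\b(no-store|no-cache)\b/i', $headers['cache-control'] ?? '') !== 1) {
            throw new \UnexpectedValueException('Cache-Control must be no-cache or no-store');
        }
        // A redirect may only point back at our own host (slide 68).
        if (isset($headers['location']) && parse_url($headers['location'], PHP_URL_HOST) !== $ownHost) {
            throw new \UnexpectedValueException('Location points off-host: ' . $headers['location']);
        }
        $data = json_decode($rawBody, true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($data) || !array_key_exists('active', $data) || !is_bool($data['active'])) {
            throw new \UnexpectedValueException('response data does not match the schema');
        }
        return $data;
    }
}

// Usage with constructed messages.
$ok = MessageValidator::validateRequest('PATCH', '/user/abc', '{"email": "valid@user.com"}');
echo 'accepted: ', json_encode($ok), "\n";

foreach ([
    ['DELETE', '/user/abc', ''],                                            // method not allowed
    ['PATCH', '/user/abc', '{"email": "valid@user.com", "role": "admin"}'], // unknown field
] as [$m, $p, $b]) {
    try {
        MessageValidator::validateRequest($m, $p, $b);
    } catch (\InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}

try {
    MessageValidator::validateResponse(301, ['Content-Type' => 'application/json; charset=UTF-8',
        'Cache-Control' => 'no-cache', 'Location' => 'https://bad.actor.com'], '{"active": true}', [200, 400], 'api.example.com');
} catch (\UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Response validation matters most when the API is itself a client of another service: the 301 on slide 68 is caught here by the status allowlist before the Location header is ever followed.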
  74. Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging, Access Control
  75. Encrypt Data at Rest
  76. Use a structured format that allows for in-place key rotation and nonce storage
  77. COSE: CBOR Object Signing and Encryption (COSE), Concise Binary Object Representation (CBOR)
  78. Roll Your Own: keyid|nonce|encrypted-data
  79. Encrypt Data in Transit
  80. WW?D
  81. JSON Web Encryption
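Slides 76 to 78 describe the record layout but not how the key id enables rotation. The following is an added example, not code from the talk, implementing the `keyid|nonce|encrypted-data` layout from slide 78 with libsodium's XChaCha20-Poly1305 AEAD: the key id travels in the clear so the right key can be found, is bound to the ciphertext as associated data so it cannot be swapped unnoticed, and a `rotate` method re-wraps any record still under an old key. The `FieldEncryptor` class, the key ring and the plaintext are constructed for the example; assumes ext-sodium (PHP 7.2 or later) and PHP 8.0 for the syntax used.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk. Keys here are generated in-process for the
// demonstration; in production they come from a KMS or secrets store, never from source.

final class FieldEncryptor
{
    /** @param array<string, string> $keys keyId => 32-byte key; old ids stay for decryption only */
    public function __construct(private array $keys, private string $currentKeyId) {}

    public function encrypt(string $plaintext): string
    {
        $key   = $this->keys[$this->currentKeyId];
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES); // 24 bytes, fresh per record
        // The key id is the associated data, so the tag fails if someone rewrites the prefix.
        $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $this->currentKeyId, $nonce, $key);
        return implode('|', [$this->currentKeyId, base64_encode($nonce), base64_encode($ct)]);
    }

    public function decrypt(string $stored): string
    {
        $parts = explode('|', $stored, 3);
        if (count($parts) !== 3) {
            throw new \RuntimeException('stored value is not keyid|nonce|ciphertext');
        }
        [$keyId, $nonceB64, $ctB64] = $parts;
        $key   = $this->keys[$keyId] ?? throw new \RuntimeException("unknown key id $keyId");
        $nonce = base64_decode($nonceB64, true);
        $ct    = base64_decode($ctB64, true);
        if ($nonce === false || $ct === false) {
            throw new \RuntimeException('stored value is not valid base64');
        }
        $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, $keyId, $nonce, $key);
        if ($pt === false) {
            throw new \RuntimeException('ciphertext failed authentication');
        }
        return $pt;
    }

    /** In-place rotation: a record under an old key id is re-wrapped with the current one. */
    public function rotate(string $stored): string
    {
        return self::keyIdOf($stored) === $this->currentKeyId ? $stored : $this->encrypt($this->decrypt($stored));
    }

    /** Key id of a stored record, e.g. to select rows that still need rotation. */
    public static function keyIdOf(string $stored): string
    {
        return explode('|', $stored, 2)[0];
    }
}

// Usage with a constructed key ring: k1 was the original key, k2 has since been promoted.
$keys = [
    'k1' => random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES),
    'k2' => random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES),
];
$stored  = (new FieldEncryptor($keys, 'k1'))->encrypt('valid@user.com');
$current = new FieldEncryptor($keys, 'k2');
$rotated = $current->rotate($stored);
echo FieldEncryptor::keyIdOf($stored), ' -> ', FieldEncryptor::keyIdOf($rotated), "\n";
echo $current->decrypt($rotated), "\n";

// Tampering with the key id prefix is detected: the AEAD tag no longer verifies.
try {
    $current->decrypt('k2' . substr($stored, 2));
} catch (\RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

XChaCha20's 24-byte nonce is what makes a random nonce per record safe without a counter; with a 12-byte AES-GCM nonce the same layout would need nonce bookkeeping per key to stay below the collision bound.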
  82. Log Everything
  83. Log in a structured format for easier parsing
  84. Log all pertinent actions
  85. Include all data regarding state. Anonymize sensitive data.
  86. Include origin data to identify bad actors.
  87. Utilize tools like ELK or Graylog to aggregate logs
  88. Determine anomalous conditions and alert on those conditions.
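Slides 83 to 86 ask for structured records that carry state and origin data while anonymizing what is sensitive; the tension between "identify bad actors" and "anonymize" is resolved below with keyed pseudonyms. The following is an added example, not code from the talk: one JSON Lines record per request, with credentials redacted outright and IP addresses and e-mail addresses replaced by a truncated HMAC that stays stable across records, so an aggregator such as ELK or Graylog can still count and alert on a repeat offender. The `ApiLogger` class, the pseudonym key and the request/response arrays are constructed for the example; assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk. The pseudonym key must be kept out of the log
// store: whoever holds it can compute the tag for a suspect address and search for it,
// which is exactly how origin data stays usable after anonymization.

final class ApiLogger
{
    private const SECRET_KEYS = ['password', 'token', 'authorization', 'x-nonce'];

    public function __construct(private string $pseudonymKey) {}

    /** Keyed, truncated HMAC: the same IP or e-mail always maps to the same tag. */
    public function pseudonym(string $value): string
    {
        return substr(hash_hmac('sha256', strtolower(trim($value)), $this->pseudonymKey), 0, 16);
    }

    /** Drop secrets entirely and replace e-mail addresses with pseudonyms, recursively. */
    public function scrub(array $data): array
    {
        foreach ($data as $key => $value) {
            if (is_array($value)) {
                $data[$key] = $this->scrub($value);
            } elseif (in_array(strtolower((string) $key), self::SECRET_KEYS, true)) {
                $data[$key] = '[redacted]';
            } elseif (is_string($value) && filter_var($value, FILTER_VALIDATE_EMAIL) !== false) {
                $data[$key] = 'email:' . $this->pseudonym($value);
            }
        }
        return $data;
    }

    /** Build one JSON line; the caller writes it to stdout or a file for the log shipper. */
    public function record(string $action, string $outcome, array $request, array $response): string
    {
        $entry = [
            'ts'          => gmdate('Y-m-d\TH:i:s\Z'),
            'action'      => $action,
            'outcome'     => $outcome,                       // ok, denied, replay, rate-limited, ...
            'request_id'  => $request['request_id'] ?? bin2hex(random_bytes(8)),
            'user_id'     => $request['user_id'] ?? null,
            'origin'      => [
                'ip'         => $this->pseudonym($request['ip']),
                'user_agent' => $request['user_agent'] ?? null,
            ],
            'method'      => $request['method'],
            'path'        => $request['path'],
            'headers'     => $this->scrub($request['headers'] ?? []),
            'body'        => $this->scrub($request['body'] ?? []),
            'status'      => $response['status'],
            'duration_ms' => $response['duration_ms'],
        ];
        return json_encode($entry, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    }
}

// Usage with a constructed request/response pair (IP from the documentation range).
$logger = new ApiLogger('constructed-pseudonym-key-rotate-in-production');
echo $logger->record('update-user', 'denied', [
    'request_id' => 'req-0001',
    'user_id'    => 'api-user-id',
    'ip'         => '203.0.113.7',
    'user_agent' => 'curl/8.0',
    'method'     => 'PATCH',
    'path'       => '/user/abc',
    'headers'    => ['Authorization' => 'Bearer mF_9.B5f-4.1JqM', 'X-Nonce' => '5ed518e8c5c51a64638b2b50c192242d'],
    'body'       => ['email' => 'pwned@hkr.com', 'password' => 'hunter2'],
], ['status' => 403, 'duration_ms' => 12]), "\n";
```

With `outcome` as a fixed vocabulary, the anomaly rule on slide 88 becomes a count of `replay` or `rate-limited` outcomes per `origin.ip` tag per minute, which is the kind of query an aggregator can alert on directly.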
  89. And now a demonstration...
  90. https://joind.in/talk/9895f
