20160225 OWASP Atlanta Prevoty RASP
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Slideshows for you (8)
Similar to Practical API Security - Midwest PHP 2018 (20)
More from Adam Englander (19)
Recently uploaded (20)
Practical API Security - Midwest PHP 2018
- 1. @adam_englander Practical API Security Adam Englander, Software Architect iovation
- 2. @adam_englander Let's set some expectations...
- 3. @adam_englander What are we protecting against?
- 4. @adam_englander
- 5. @adam_englander 1: Injection
- 6. @adam_englander 2: Broken Authentication
- 7. @adam_englander 3: Sensitive Data Exposure
- 8. @adam_englander 4: XML External Entities (XXE)
- 9. @adam_englander libxml_disable_entity_loader(true);
- 10. @adam_englander Use defusedxml and defusedexpat to protect lib.xml
- 11. @adam_englander 5: Broken Access Control
- 12. @adam_englander 6: Security Misconfiguration
- 13. @adam_englander 7: Cross-Site Scripting XSS
- 14. @adam_englander 8: Insecure Deserialization
- 15. @adam_englander 9: Using Components with Known Vulnerabilities
- 16. @adam_englander PHP Resources • https://security.sensiolabs.org/ • roave/security-advisories package • https://github.com/FriendsOfPHP/security- advisories
- 17. @adam_englander 10: Insufficient Logging & Monitoring
- 18. @adam_englander How do we provide that protection?
- 19. @adam_englander
- 20. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 21. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 22. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 23. @adam_englander
- 24. @adam_englander
- 25. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 26. @adam_englander Replay prevention requires unique requests
- 27. @adam_englander Determine Uniqueness of Request GET / HTTP/1.1 Accept: application/json
- 28. @adam_englander Determine Uniqueness of Request GET / HTTP/1.1 Accept: application/json X-Nonce: 5ed518e8c5c51a64638b2b50c192242d
- 29. @adam_englander Store that unique value in a datastore so you can verify you don't see it again
- 30. @adam_englander Use the add function on the cache to prevent race conditions
- 31. @adam_englander Cache Example if ($token === null) { throw new AuthorizationRequiredException(); } elseif (!$this->cache->add(hash('sha512', $token), 1, 10)) { throw new InvalidRequestException(); }
- 32. @adam_englander Use insert on unique index for RDBMS to prevent race conditions
- 33. @adam_englander Rate limiting requires unique identification for restrictions
- 34. @adam_englander api-user-id|create-widget|20:01 ebf4e1d4bb33e5f6028e8443d6a1d6aa
- 35. @adam_englander Use the add and increment functions of the cache to prevent race conditions
- 36. @adam_englander Cache Example $key = sprintf("%s|root-post|%s", $userId, $timeSlice); $this->cache->add($key, 0, 1); $total = $this->cache->increment($key);
- 37. @adam_englander Use insert with unique index and update returning in RDBMS to prevent race conditions
- 38. @adam_englander Data stores can be done in three ways.
- 39. @adam_englander In Memory Datastore
- 40. @adam_englander Local Datastore
- 41. @adam_englander Global Datastore
- 42. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 43. @adam_englander Do not make authentication part of the body
- 44. @adam_englander Use the Authorization header
- 45. @adam_englander HTTP Basic Authentication Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- 46. @adam_englander HTTP Digest Authentication DO NOT USE!
- 47. @adam_englander HTTP Bearer Authentication Authorization: Bearer mF_9.B5f-4.1JqM
- 48. @adam_englander Roll Your Own
- 49. @adam_englander Many APIs do this
- 50. @adam_englander What about never rolling your own crypto?
- 51. @adam_englander Single Use JWT
- 52. @adam_englander No auth service required
- 53. @adam_englander Can use existing JWT libraries to create and validate
- 54. @adam_englander Can be extended beyond auth to provide data validation and MITM protection
- 55. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 56. @adam_englander Message Validation
- 57. @adam_englander Request Validation
- 58. @adam_englander Method Validation GET /user/abc HTTP/1.1 Accept: application/json
- 59. @adam_englander Method Validation DELETE /user/abc HTTP/1.1 Accept: application/json
- 60. @adam_englander Path Validation GET /user/abc HTTP/1.1 Accept: application/json
- 61. @adam_englander Path Validation GET /user/def HTTP/1.1 Accept: application/json
- 62. @adam_englander Body Validation PATCH /user/abc HTTP/1.1 {"email": "valid@user.com"}
- 63. @adam_englander Body Validation PATCH /user/abc HTTP/1.1 {"email": "pwned@hkr.com"}
- 64. @adam_englander Response Validation
- 65. @adam_englander Status Code Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
- 66. @adam_englander Status Code Validation HTTP/1.1 400 Invalid Request Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
- 67. @adam_englander Status Code Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
- 68. @adam_englander Status Code Validation HTTP/1.1 301 Moved Content-Type: application/json; charset=UTF-8 Content-Length: 21 Location: https://bad.actor.com {"expected": "value"}
- 69. @adam_englander Header Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 Cache-Control: no-cache {"expected": "value"}
- 70. @adam_englander Header Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 Cache-Control: max-age=99999999 {"expected": "value"}
- 71. @adam_englander Data Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"active": false}
- 72. @adam_englander Data Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"active": true}
- 73. @adam_englander Validation of request data
- 74. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 75. @adam_englander Encrypt Data at Rest
- 76. @adam_englander Use a structure format that allows for in-place key rotation and nonce storage
- 77. @adam_englander COSE CBOR Object Signing and Encryption (COSE) Concise Binary Object Representation (CBOR)
- 78. @adam_englander Roll Your Own keyid|nonce|encrypted-data
- 79. @adam_englander Encrypt Data in Transit
- 80. @adam_englander WW?D
- 81. @adam_englander JSON Web Encryption
- 82. @adam_englander Log Everything
- 83. @adam_englander Log in a structured format for easier parsing
- 84. @adam_englander Log all pertinent actions
- 85. @adam_englander Include all data regarding state. Anonymize sensitive data.
- 86. @adam_englander Include origin data to identify bad actors.
- 87. @adam_englander Utilize tools like ELK or Greylog to aggregate logs
- 88. @adam_englander Determine anomalous conditions and alert on those conditions.
- 89. @adam_englander And now a demonstration...
- 90. @adam_englander https://joind.in/talk/9895f
