SlideShare a Scribd company logo

Defensive API programming techniques for Gophers

Bertold Kolics
Bertold Kolics

Presentation slide deck from the LASCON '2023 conference.

Software
1 of 28
Download to read offline
© 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Defensive API development techniques for Gophers Bertold Kolics 1 LASCON ‘2023, September 27, 2023, Austin, TX USA
© 2023 Verosint. All rights reserved. My Context ● Question Asker, Bulldog Engineer ● Not a ○ Gatekeeper ○ PEN tester, or even a security tester ● Managing risk ● Verosint - small startup < 20 employees ○ SaaS business ○ Detect & prevent online account fraud ● Past roles ○ IT, pre-sales, QA, developer, manager 2
© 2023 Verosint. All rights reserved. Motivation ● API as a business for many vendors just like Verosint ○ APIs are accessed directly and indirectly ● Rarely any SaaS application is built in isolation ○ i.e. consumers of 3rd party applications exposed via APIs ● Para-functional requirements are implied to deliver customer value: ○ security ○ reliability/availability ○ scalability/performance ● Malicious actors may cost business $$$ ○ outgages ○ reduced availability ● Defensive posture at the application layer needed for a multi-pronged approach 3
© 2023 Verosint. All rights reserved. Agenda ● Focus on Go language for building, maintaining and securing HTTP-based APIs ○ code samples, libraries, practices ● Out of scope ○ infrastructure ○ hardware or hosted solutions ○ HTTP/3 ○ Non-HTTP APIs ○ GraphQL ● Basic familiarity with Go, HTTP assumed 4 bit.ly/lascon2023 credit: Pragmatic Programmers
© 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Deployment View 5
© 2023 Verosint. All rights reserved. Typical Cloud Deployment ● Often includes ○ Gateways (API, NAT) ○ Load balancers ○ Reverse Proxies ○ External services (e.g. authentication, authorization) ○ Application ● Understand what protection, mitigation techniques are available at each layer ● Overlap is OK 6
© 2023 Verosint. All rights reserved. API Service Implementation with Go ● Deployment options include: ○ Microservice ○ Serverless ● Implementation will need to address ○ authentication ○ authorization ○ request paths to handle ○ HTTP methods to support (and not support) ○ payload (schema) for requests and responses ○ possibly: resource limits 7
© 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Building HTTP APIs with Go 8
© 2023 Verosint. All rights reserved. Go - The Good Side* ● No 3rd-party library required ○ unlike other languages ○ reduced attack surface ○ much reduced risk for supply chain attacks ● Core language supports testing ○ unit, fuzzing, performance 9 *Is there a bad side? 🤔
© 2023 Verosint. All rights reserved. When You Need 3rd-Party Libraries ● Carefully consider options ○ not just functionality or licenses ● Support is key for both open-source and commercial libraries ● Criteria for evaluating OSS projects ○ age of the project, adoption, responsiveness of maintainers, openness to contributions, commit activity/history, release history/frequency, documentation, automated test coverage, availability of code quality metrics, presence of security tests/scans, number of open issues, rate of closing issues, number of dependencies ● Run your own scanners ● GitHub/GitLab provides plenty of repository information to help assessments 10 Image credit Mohamed Hassan from Pixabay
© 2023 Verosint. All rights reserved. GitHub Insights for Assessing 3rd-Party Libraries 11
© 2023 Verosint. All rights reserved. 3rd-Party Libraries ● Test openness ○ open a pull request ○ open an issue ● And test the time it takes to get a response & the quality of response 12
© 2023 Verosint. All rights reserved. Example: go-resty ● Makes interacting with RESTful HTTP APIs more convenient ● But … ○ maintainer non-responsive for a long time ○ release frequency was poor until last month ● And with a defect present in 2.7.0 ○ sync pool data race condition ○ occurred a few times a day on a production system ○ spent a lot of time chasing the issue ○ only fixed in March without a release tag 13
© 2023 Verosint. All rights reserved. Example: go-resty 14 Library used to incorrectly handle buffers across concurrent requests
© 2023 Verosint. All rights reserved. Keep Go and Dependencies Up-to-Date 15 ● Dependencies - regular updates in all repositories ○ Renovate bot is a life saver ● Use govulncheck to test for vulnerable components ● Go - sign up for release announcements ○ 1.21.3 addresses rapid stream reset vulnerability ● Recent entry from Cloudflare blog ○ HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
© 2023 Verosint. All rights reserved. Common Pattern for Go API Implementations 16 ● Configure the routes ○ Associate query paths with handler functions using a multiplexer/router ○ Implicitly configure the HTTP methods to handle ● Different router packages available: built-in, chi, gorilla ● Implement the handler function ○ router invokes handler function ○ parallel executions should be expected ● Handler function ○ validates request (request parameters, headers, payload) ○ executes business logic ○ sends response to client
© 2023 Verosint. All rights reserved. Recovery function ● An unrecoverable issue in the handler might cause unexpected state in the application ○ for example: nil pointer dereference ○ in a go routine: it may crash the app ● Create a recovery function ○ allows graceful recovery ○ and the recovery function can also log the details about the crash for diagnosis 17
© 2023 Verosint. All rights reserved. Example Recovery Handler 18
© 2023 Verosint. All rights reserved. Basic Checks ● Disable methods not used: ○ TRACE, HEAD, OPTIONS (may be needed for CORS) ○ but possibly other unused ones: GET, PUT, POST, DELETE ● Check request headers 19 Header Questions Accept can the client accept the content you produce? Content-Type do you support this content from the client? Content-Length is it present, is valid, is it too large? Content-Encoding do you really need to accept chunked encoding?
© 2023 Verosint. All rights reserved. Rate limiting ● Rate limits could be tied to ○ source IP/port (if no authorization is needed), ○ access token, ○ or a combination of rules ● Go has simple built-in rate limiting ○ better to use a library such as redis-go ○ especially when multiple containers/apps are serving ● Most implementations provide hints to the clients about rate limits using response headers ○ Ratelimit-Limit, Ratelimit-Remaining, Ratelimit-Reset 20
© 2023 Verosint. All rights reserved. Fuzzing ● Fuzzing framework built into Go ○ can be run for a limited time ○ can be pre-seeded with corpus (~ test data) ● Best option: fuzz the business logic ● Alternatively: ○ fuzz the handler ○ fuzz the API over network - don’t run it against production(!) 21
© 2023 Verosint. All rights reserved. Payload Validation Using JSON Schema ● JSON payload in HTTP requests may have malicious content ● JSON schema has powerful ways to validate content ○ libraries such as gojsonschema makes eliminates the need for writing additional code ● Examples of rules: ○ setting minimum / maximum length for strings ○ leveraging built-in types (e.g. IPv4 address, UUID) ○ limiting possible property values with a regular expression ○ setting minimum, maximum size for arrays, mandating unique values ○ disabling additional properties to prevent actors using undefined properties ○ allow only a list of fixed values (enumerations) ○ making properties mandatory ● Relevant specifications: OpenAPI, JSON Schema 22
© 2023 Verosint. All rights reserved. Payload Validation Using JSON Schema 23 Example from Verosint API docs at https://docs.verosint.com
© 2023 Verosint. All rights reserved. Payload Validation Using JSON Schema 24
© 2023 Verosint. All rights reserved. There is so much more to cover … That we did not talk about. ● HTTP Server configuration options ○ timeouts (read, header read, idle time out) ○ connection management ○ maximum size of header ○ TLS configuration ● Rate limiting headers ● Authentication/authorization ● Nuances of each HTTP method ○ e.g. GET - URL escaping, leakage of information in logs ● Preventing caching of responses 25
© 2023 Verosint. All rights reserved. Recap ● Understand the deployment of your application ○ what protections are available at what layer ● Building secure APIs require secure toolchain ○ including Go runtime and 3rd-party dependencies ○ keep them up to date ○ be selective about dependencies - less is more ● Make your APIs resilient ○ protect the application from crashes ○ rate limit clients ● Inspect incoming requests ○ headers, payload length, format ○ reduce manual coding using JSON schema validation ○ emit logs that can trigger automated defensive actions ● Test your APIs, business logic with fuzzing 26
© 2023 Verosint. All rights reserved. Additional Resources ● OWASP Top 10 API Security Risks ● Open Source Security Foundation ○ scorecard app ● Getting started with Fuzzing ● How to Parse a JSON Request Body in Go ● Make resilient Go net/http servers using timeouts, deadlines and context cancellation ● Tool selection from ISTQB Certified Tester Advanced Level Test Manager Syllabus 27 bit.ly/lascon202 3
© 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Thank you 28 See you at https://bit.ly/bertold https://www.verosint.com

Recommended

A Tester's Life
A Tester's LifeA Tester's Life
A Tester's LifeBertold Kolics
 
The Testers' Secret Weapon - Code Reviews
The Testers' Secret Weapon - Code ReviewsThe Testers' Secret Weapon - Code Reviews
The Testers' Secret Weapon - Code ReviewsBertold Kolics
 
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut FrameworkNative Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut FrameworkZachary Klein
 
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.SoftInstigate
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Modern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and ReactorModern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and Reactoracogoluegnes
 
MuleSoft Manchester Meetup #4 slides 11th February 2021
MuleSoft Manchester Meetup #4 slides 11th February 2021MuleSoft Manchester Meetup #4 slides 11th February 2021
MuleSoft Manchester Meetup #4 slides 11th February 2021Ieva Navickaite
 
Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseBlockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseRiskIQ, Inc.
 

Recommended

A Tester's Life
A Tester's LifeA Tester's Life
A Tester's LifeBertold Kolics
 
The Testers' Secret Weapon - Code Reviews
The Testers' Secret Weapon - Code ReviewsThe Testers' Secret Weapon - Code Reviews
The Testers' Secret Weapon - Code ReviewsBertold Kolics
 
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut FrameworkNative Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut FrameworkZachary Klein
 
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.SoftInstigate
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Modern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and ReactorModern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and Reactoracogoluegnes
 
MuleSoft Manchester Meetup #4 slides 11th February 2021
MuleSoft Manchester Meetup #4 slides 11th February 2021MuleSoft Manchester Meetup #4 slides 11th February 2021
MuleSoft Manchester Meetup #4 slides 11th February 2021Ieva Navickaite
 
Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseBlockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseRiskIQ, Inc.
 
Using an API Gateway for Microservices
Using an API Gateway for MicroservicesUsing an API Gateway for Microservices
Using an API Gateway for MicroservicesNGINX, Inc.
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scaleJuraj Hantak
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scaleAdam Hamsik
 
2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdf2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdfDimitrisFinas1
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...JosephTesta9
 
Using Docker Platform to Provide Services
Using Docker Platform to Provide ServicesUsing Docker Platform to Provide Services
Using Docker Platform to Provide ServicesGLC Networks
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
Rethinking The Policy Agent
Rethinking The Policy AgentRethinking The Policy Agent
Rethinking The Policy AgentForgeRock Identity Tech Talks
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
DevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and ProjectsDevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and ProjectsFedir RYKHTIK
 
Cncf microservices security
Cncf microservices securityCncf microservices security
Cncf microservices securityLeonardo Gonçalves
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesMirantis
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Hyperledger community update February 2018
Hyperledger community update February 2018Hyperledger community update February 2018
Hyperledger community update February 2018Christopher Ferris
 
Microservices on a budget meetup
Microservices on a budget meetupMicroservices on a budget meetup
Microservices on a budget meetupMatthew Reynolds
 
Web Performance Optimization
Web Performance OptimizationWeb Performance Optimization
Web Performance OptimizationLivares Technologies Pvt Ltd
 
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...VMware Tanzu
 
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...Greg Hamer
 
Asynchronous Frameworks.pptx
Asynchronous Frameworks.pptxAsynchronous Frameworks.pptx
Asynchronous Frameworks.pptxganeshkarthy
 
Taskfile - makefiles are fun again
Taskfile - makefiles are fun againTaskfile - makefiles are fun again
Taskfile - makefiles are fun againBertold Kolics
 
Email privacy
Email privacyEmail privacy
Email privacyBertold Kolics
 

More Related Content

Similar to Defensive API programming techniques for Gophers

Using an API Gateway for Microservices
Using an API Gateway for MicroservicesUsing an API Gateway for Microservices
Using an API Gateway for MicroservicesNGINX, Inc.
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scaleJuraj Hantak
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scaleAdam Hamsik
 
2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdf2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdfDimitrisFinas1
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...JosephTesta9
 
Using Docker Platform to Provide Services
Using Docker Platform to Provide ServicesUsing Docker Platform to Provide Services
Using Docker Platform to Provide ServicesGLC Networks
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
DevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and ProjectsDevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and ProjectsFedir RYKHTIK
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesMirantis
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Hyperledger community update February 2018
Hyperledger community update February 2018Hyperledger community update February 2018
Hyperledger community update February 2018Christopher Ferris
 
Microservices on a budget meetup
Microservices on a budget meetupMicroservices on a budget meetup
Microservices on a budget meetupMatthew Reynolds
 
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...VMware Tanzu
 
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...Greg Hamer
 
Asynchronous Frameworks.pptx
Asynchronous Frameworks.pptxAsynchronous Frameworks.pptx
Asynchronous Frameworks.pptxganeshkarthy
 

Similar to Defensive API programming techniques for Gophers (20)

Using an API Gateway for Microservices
Using an API Gateway for MicroservicesUsing an API Gateway for Microservices
Using an API Gateway for Microservices
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scale
 
Monitoring with prometheus at scale
Monitoring with prometheus at scaleMonitoring with prometheus at scale
Monitoring with prometheus at scale
 
2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdf2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdf
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
 
Using Docker Platform to Provide Services
Using Docker Platform to Provide ServicesUsing Docker Platform to Provide Services
Using Docker Platform to Provide Services
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
Rethinking The Policy Agent
Rethinking The Policy AgentRethinking The Policy Agent
Rethinking The Policy Agent
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
 
DevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and ProjectsDevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and Projects
 
Cncf microservices security
Cncf microservices securityCncf microservices security
Cncf microservices security
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Hyperledger community update February 2018
Hyperledger community update February 2018Hyperledger community update February 2018
Hyperledger community update February 2018
 
Microservices on a budget meetup
Microservices on a budget meetupMicroservices on a budget meetup
Microservices on a budget meetup
 
Web Performance Optimization
Web Performance OptimizationWeb Performance Optimization
Web Performance Optimization
 
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
 
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
 
Asynchronous Frameworks.pptx
Asynchronous Frameworks.pptxAsynchronous Frameworks.pptx
Asynchronous Frameworks.pptx
 

More from Bertold Kolics

Taskfile - makefiles are fun again
Taskfile - makefiles are fun againTaskfile - makefiles are fun again
Taskfile - makefiles are fun againBertold Kolics
 
Password Managers - Lastpass
Password Managers - LastpassPassword Managers - Lastpass
Password Managers - LastpassBertold Kolics
 
GitHub Actions demo with mabl
GitHub Actions demo with mablGitHub Actions demo with mabl
GitHub Actions demo with mablBertold Kolics
 
Improve quality culture using visualization
Improve quality culture using visualizationImprove quality culture using visualization
Improve quality culture using visualizationBertold Kolics
 
Funnels of Hiring Test Engineers
Funnels of Hiring Test EngineersFunnels of Hiring Test Engineers
Funnels of Hiring Test EngineersBertold Kolics
 
Session Based Testing Made Fun
Session Based Testing Made FunSession Based Testing Made Fun
Session Based Testing Made FunBertold Kolics
 

More from Bertold Kolics (8)

Taskfile - makefiles are fun again
Taskfile - makefiles are fun againTaskfile - makefiles are fun again
Taskfile - makefiles are fun again
 
Email privacy
Email privacyEmail privacy
Email privacy
 
Password Managers - Lastpass
Password Managers - LastpassPassword Managers - Lastpass
Password Managers - Lastpass
 
Make DevOps inclusive
Make DevOps inclusiveMake DevOps inclusive
Make DevOps inclusive
 
GitHub Actions demo with mabl
GitHub Actions demo with mablGitHub Actions demo with mabl
GitHub Actions demo with mabl
 
Improve quality culture using visualization
Improve quality culture using visualizationImprove quality culture using visualization
Improve quality culture using visualization
 
Funnels of Hiring Test Engineers
Funnels of Hiring Test EngineersFunnels of Hiring Test Engineers
Funnels of Hiring Test Engineers
 
Session Based Testing Made Fun
Session Based Testing Made FunSession Based Testing Made Fun
Session Based Testing Made Fun
 

Recently uploaded

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 

Recently uploaded (20)

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 

Defensive API programming techniques for Gophers

  • 1. © 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Defensive API development techniques for Gophers Bertold Kolics 1 LASCON ‘2023, September 27, 2023, Austin, TX USA
  • 2. © 2023 Verosint. All rights reserved. My Context ● Question Asker, Bulldog Engineer ● Not a ○ Gatekeeper ○ PEN tester, or even a security tester ● Managing risk ● Verosint - small startup < 20 employees ○ SaaS business ○ Detect & prevent online account fraud ● Past roles ○ IT, pre-sales, QA, developer, manager 2
  • 3. © 2023 Verosint. All rights reserved. Motivation ● API as a business for many vendors just like Verosint ○ APIs are accessed directly and indirectly ● Rarely any SaaS application is built in isolation ○ i.e. consumers of 3rd party applications exposed via APIs ● Para-functional requirements are implied to deliver customer value: ○ security ○ reliability/availability ○ scalability/performance ● Malicious actors may cost business $$$ ○ outgages ○ reduced availability ● Defensive posture at the application layer needed for a multi-pronged approach 3
  • 4. © 2023 Verosint. All rights reserved. Agenda ● Focus on Go language for building, maintaining and securing HTTP-based APIs ○ code samples, libraries, practices ● Out of scope ○ infrastructure ○ hardware or hosted solutions ○ HTTP/3 ○ Non-HTTP APIs ○ GraphQL ● Basic familiarity with Go, HTTP assumed 4 bit.ly/lascon2023 credit: Pragmatic Programmers
  • 5. © 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Deployment View 5
  • 6. © 2023 Verosint. All rights reserved. Typical Cloud Deployment ● Often includes ○ Gateways (API, NAT) ○ Load balancers ○ Reverse Proxies ○ External services (e.g. authentication, authorization) ○ Application ● Understand what protection, mitigation techniques are available at each layer ● Overlap is OK 6
  • 7. © 2023 Verosint. All rights reserved. API Service Implementation with Go ● Deployment options include: ○ Microservice ○ Serverless ● Implementation will need to address ○ authentication ○ authorization ○ request paths to handle ○ HTTP methods to support (and not support) ○ payload (schema) for requests and responses ○ possibly: resource limits 7
  • 8. © 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Building HTTP APIs with Go 8
  • 9. © 2023 Verosint. All rights reserved. Go - The Good Side* ● No 3rd-party library required ○ unlike other languages ○ reduced attack surface ○ much reduced risk for supply chain attacks ● Core language supports testing ○ unit, fuzzing, performance 9 *Is there a bad side? 🤔
  • 10. © 2023 Verosint. All rights reserved. When You Need 3rd-Party Libraries ● Carefully consider options ○ not just functionality or licenses ● Support is key for both open-source and commercial libraries ● Criteria for evaluating OSS projects ○ age of the project, adoption, responsiveness of maintainers, openness to contributions, commit activity/history, release history/frequency, documentation, automated test coverage, availability of code quality metrics, presence of security tests/scans, number of open issues, rate of closing issues, number of dependencies ● Run your own scanners ● GitHub/GitLab provides plenty of repository information to help assessments 10 Image credit Mohamed Hassan from Pixabay
  • 11. © 2023 Verosint. All rights reserved. GitHub Insights for Assessing 3rd-Party Libraries 11
  • 12. © 2023 Verosint. All rights reserved. 3rd-Party Libraries ● Test openness ○ open a pull request ○ open an issue ● And test the time it takes to get a response & the quality of response 12
  • 13. © 2023 Verosint. All rights reserved. Example: go-resty ● Makes interacting with RESTful HTTP APIs more convenient ● But … ○ maintainer non-responsive for a long time ○ release frequency was poor until last month ● And with a defect present in 2.7.0 ○ sync pool data race condition ○ occurred a few times a day on a production system ○ spent a lot of time chasing the issue ○ only fixed in March without a release tag 13
  • 14. © 2023 Verosint. All rights reserved. Example: go-resty 14 Library used to incorrectly handle buffers across concurrent requests
  • 15. © 2023 Verosint. All rights reserved. Keep Go and Dependencies Up-to-Date 15 ● Dependencies - regular updates in all repositories ○ Renovate bot is a life saver ● Use govulncheck to test for vulnerable components ● Go - sign up for release announcements ○ 1.21.3 addresses rapid stream reset vulnerability ● Recent entry from Cloudflare blog ○ HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
  • 16. © 2023 Verosint. All rights reserved. Common Pattern for Go API Implementations 16 ● Configure the routes ○ Associate query paths with handler functions using a multiplexer/router ○ Implicitly configure the HTTP methods to handle ● Different router packages available: built-in, chi, gorilla ● Implement the handler function ○ router invokes handler function ○ parallel executions should be expected ● Handler function ○ validates request (request parameters, headers, payload) ○ executes business logic ○ sends response to client
  • 17. © 2023 Verosint. All rights reserved. Recovery function ● An unrecoverable issue in the handler might cause unexpected state in the application ○ for example: nil pointer dereference ○ in a go routine: it may crash the app ● Create a recovery function ○ allows graceful recovery ○ and the recovery function can also log the details about the crash for diagnosis 17
  • 18. © 2023 Verosint. All rights reserved. Example Recovery Handler 18
  • 19. © 2023 Verosint. All rights reserved. Basic Checks ● Disable methods not used: ○ TRACE, HEAD, OPTIONS (may be needed for CORS) ○ but possibly other unused ones: GET, PUT, POST, DELETE ● Check request headers 19 Header Questions Accept can the client accept the content you produce? Content-Type do you support this content from the client? Content-Length is it present, is valid, is it too large? Content-Encoding do you really need to accept chunked encoding?
  • 20. © 2023 Verosint. All rights reserved. Rate limiting ● Rate limits could be tied to ○ source IP/port (if no authorization is needed), ○ access token, ○ or a combination of rules ● Go has simple built-in rate limiting ○ better to use a library such as redis-go ○ especially when multiple containers/apps are serving ● Most implementations provide hints to the clients about rate limits using response headers ○ Ratelimit-Limit, Ratelimit-Remaining, Ratelimit-Reset 20
  • 21. © 2023 Verosint. All rights reserved. Fuzzing ● Fuzzing framework built into Go ○ can be run for a limited time ○ can be pre-seeded with corpus (~ test data) ● Best option: fuzz the business logic ● Alternatively: ○ fuzz the handler ○ fuzz the API over network - don’t run it against production(!) 21
  • 22. © 2023 Verosint. All rights reserved. Payload Validation Using JSON Schema ● JSON payload in HTTP requests may have malicious content ● JSON schema has powerful ways to validate content ○ libraries such as gojsonschema makes eliminates the need for writing additional code ● Examples of rules: ○ setting minimum / maximum length for strings ○ leveraging built-in types (e.g. IPv4 address, UUID) ○ limiting possible property values with a regular expression ○ setting minimum, maximum size for arrays, mandating unique values ○ disabling additional properties to prevent actors using undefined properties ○ allow only a list of fixed values (enumerations) ○ making properties mandatory ● Relevant specifications: OpenAPI, JSON Schema 22
  • 23. © 2023 Verosint. All rights reserved. Payload Validation Using JSON Schema 23 Example from Verosint API docs at https://docs.verosint.com
  • 24. © 2023 Verosint. All rights reserved. Payload Validation Using JSON Schema 24
  • 25. © 2023 Verosint. All rights reserved. There is so much more to cover … That we did not talk about. ● HTTP Server configuration options ○ timeouts (read, header read, idle time out) ○ connection management ○ maximum size of header ○ TLS configuration ● Rate limiting headers ● Authentication/authorization ● Nuances of each HTTP method ○ e.g. GET - URL escaping, leakage of information in logs ● Preventing caching of responses 25
  • 26. © 2023 Verosint. All rights reserved. Recap ● Understand the deployment of your application ○ what protections are available at what layer ● Building secure APIs require secure toolchain ○ including Go runtime and 3rd-party dependencies ○ keep them up to date ○ be selective about dependencies - less is more ● Make your APIs resilient ○ protect the application from crashes ○ rate limit clients ● Inspect incoming requests ○ headers, payload length, format ○ reduce manual coding using JSON schema validation ○ emit logs that can trigger automated defensive actions ● Test your APIs, business logic with fuzzing 26
  • 27. © 2023 Verosint. All rights reserved. Additional Resources ● OWASP Top 10 API Security Risks ● Open Source Security Foundation ○ scorecard app ● Getting started with Fuzzing ● How to Parse a JSON Request Body in Go ● Make resilient Go net/http servers using timeouts, deadlines and context cancellation ● Tool selection from ISTQB Certified Tester Advanced Level Test Manager Syllabus 27 bit.ly/lascon202 3
  • 28. © 2023 Verosint. All rights reserved. © 2023 Verosint. All rights reserved. Thank you 28 See you at https://bit.ly/bertold https://www.verosint.com