Test and Protect Your API

Protect your APIs from hackers and achieve API security.

Published in: Software

  1. Test & Protect Your API: Practical Tips to Achieve API Security Nirvana with Axway & Ready! API (@Axway @SmartBear #APISecurity)
  2. The API Lifecycle: the SmartBear approach
     - Open source based and driven
     - Integrated tools for dev/test across the API lifecycle
     - Extendable and easily integrated into API lifecycle workflows
     - Data driven and automated
     - Protocol and runtime independent
     - Leverage and reuse assets across the lifecycle
     - Democratize advanced dev/test capabilities
  3. About Axway
     - Axway technology manages interactions between applications, people and communities.
     - Security and integration across B2B (EDI, MFT and APIs)
     - Positioned as a leader in the Gartner Magic Quadrants for "On-Premises Application Integration Suites" and for "Application Services Governance"
  4. Webinar attendee statistics
     How important is API security to your organization?
     - Not important at all: 3%
     - Growing importance: 41%
     - Very important: 56%
     How much API security testing do you do today?
     - None: 23%
     - Some: 65%
     - Extensive: 12%
     56% of attendees for this webinar responded that API security is "very important", and yet only 12% are doing extensive security testing.
  5. APIs: a soft underbelly for security?
     - Security vulnerabilities related to APIs
     - Enabling account information exposure (Snapchat)
  6. IRS data breach: insecure API access
  7. And more security vulnerabilities…
  8. Mobile app vulnerabilities are often API vulnerabilities in disguise…
     - Insecure APIs are often the source of mobile app security issues
     - Sniffers can detect insecure API calls
  9. Beware weak API key authentication
     - Problem: API keys are often simply passed in URLs (e.g. &APIKey=123456), which leaves them vulnerable to sniffing and replay attacks.
     - Amazon instead uses two keys: an Access Key ID, sent with the request to identify the client, and a Secret Access Key, never sent on the wire, used to HMAC-sign the request, with detection of replay attacks.
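The two-key pattern from slide 9, as an added example that is not part of the original deck and not Amazon's actual signing scheme (AWS SigV4 canonicalizes headers and hashes the payload as well). The header names, the `AKIAEXAMPLE` key ID, the secret and the five-minute window are assumptions for illustration. The client signs method, path, query, timestamp and nonce with the secret; the server looks the secret up by Access Key ID, rejects stale timestamps and re-used nonces (replay), and rejects any change to the signed fields (tampering):

```python
import hashlib
import hmac
import time
import uuid

# Constructed credential store: access key ID -> secret. The secret stays on
# both ends and never appears in a URL or header; only the key ID identifies
# the client on the wire.
CREDENTIALS = {"AKIAEXAMPLE": b"constructed-secret-key-do-not-reuse"}

REPLAY_WINDOW_SECONDS = 300  # assumed freshness window


def canonical_string(method, path, query, timestamp, nonce):
    """String-to-sign: every field a tampering or replay attempt could change."""
    return "\n".join([method.upper(), path, query, str(timestamp), nonce])


def sign_request(access_key_id, secret, method, path, query, timestamp=None, nonce=None):
    """Client side: produce the headers that carry the signature (never the secret)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = uuid.uuid4().hex if nonce is None else nonce
    msg = canonical_string(method, path, query, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Access-Key-Id": access_key_id,  # identifies the client
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sig,                # proves possession of the secret
    }


class Verifier:
    """Server side: check freshness, single use of the nonce, then the HMAC."""

    def __init__(self, credentials, now=time.time):
        self.credentials = credentials
        self.now = now                # injectable clock so the replay window is testable
        self.seen_nonces = {}         # nonce -> timestamp at which it was accepted

    def verify(self, method, path, query, headers):
        secret = self.credentials.get(headers.get("X-Access-Key-Id", ""))
        if secret is None:
            return False, "unknown access key id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = int(self.now())
        if abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return False, "timestamp outside replay window"
        # Forget nonces older than the window; anything older fails the check above anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= REPLAY_WINDOW_SECONDS}
        nonce = headers.get("X-Nonce", "")
        if nonce in self.seen_nonces:
            return False, "replay: nonce already used"
        msg = canonical_string(method, path, query, ts, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts   # record only after the request is accepted
        return True, "ok"


def demo():
    """Constructed exchange: a good request, its replay, a tampered query, a stale request."""
    clock = [1_700_000_000]
    v = Verifier(CREDENTIALS, now=lambda: clock[0])
    secret = CREDENTIALS["AKIAEXAMPLE"]
    path, query = "/account/balance", "accnt=123456789"
    h1 = sign_request("AKIAEXAMPLE", secret, "GET", path, query, timestamp=clock[0], nonce="n1")
    first = v.verify("GET", path, query, h1)
    replay = v.verify("GET", path, query, h1)                    # same nonce again
    h2 = sign_request("AKIAEXAMPLE", secret, "GET", path, query, timestamp=clock[0], nonce="n2")
    tampered = v.verify("GET", path, "accnt=1 OR 1=1", h2)       # query changed after signing
    h3 = sign_request("AKIAEXAMPLE", secret, "GET", path, query, timestamp=clock[0] - 600, nonce="n3")
    stale = v.verify("GET", path, query, h3)                     # outside the window
    return first[1], replay[1], tampered[1], stale[1]
```

Checking the timestamp before the nonce keeps the nonce store bounded to one window; `compare_digest` avoids leaking the expected signature through timing differences.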
  10. The solution: API management (configure API keys, configure OAuth)
  11. Quota management for APIs: manage usage quotas to prevent misuse or denial of service (configure quotas)
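One way a per-key usage quota is enforced, as an added example that is not Axway's implementation: a token bucket per API key, which allows a burst of `capacity` requests and then refills at a steady rate. The key names and the 5-request/1-per-second numbers are constructed for the demonstration:

```python
import time
from collections import defaultdict


class QuotaEnforcer:
    """Per-API-key token bucket.

    Each key may burst up to `capacity` requests and then proceed at
    `refill_per_second`. Keys do not share a bucket, so one abusive client
    cannot exhaust the quota of the others.
    """

    def __init__(self, capacity, refill_per_second, now=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_second
        self.now = now  # injectable clock so the behaviour can be tested offline
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = {}

    def allow(self, api_key):
        """Consume one token for `api_key`; False means the caller should answer HTTP 429."""
        t = self.now()
        elapsed = t - self.last.get(api_key, t)
        self.last[api_key] = t
        self.tokens[api_key] = min(self.capacity, self.tokens[api_key] + elapsed * self.refill)
        if self.tokens[api_key] >= 1:
            self.tokens[api_key] -= 1
            return True
        return False


def demo():
    """Constructed traffic: a noisy key and a quiet key against a 5-request burst refilled at 1/s."""
    clock = [0.0]
    q = QuotaEnforcer(capacity=5, refill_per_second=1.0, now=lambda: clock[0])
    noisy = [q.allow("key-noisy") for _ in range(7)]   # 5 allowed, then 2 rejected
    quiet = q.allow("key-quiet")                       # unaffected by the noisy key
    clock[0] += 2.0                                    # two seconds later: two tokens refilled
    later = [q.allow("key-noisy") for _ in range(3)]   # 2 allowed, 1 rejected
    return noisy.count(True), noisy.count(False), quiet, later.count(True)
```

The bucket is keyed on the authenticated API key, so quota enforcement only means something once the key itself cannot be forged or replayed (slide 9).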
  12. The role of the API gateway
  13. API gateway: security and more
     - Protective security: content-level threats (XDoS, XXE, etc.), WAF functionality (OWASP Top Ten, etc.), throttling
     - Policy decision and enforcement point
     - STS: security token creation, consumption and mediation
     - Dynamic authorization
     - Data flow introspection and governance
     - Integration (lightweight ESB): heterogeneous and vendor agnostic, multiple protocol and standard support
     - Enterprise architecture intelligence and protection: SSO enablement, architecture-wide auditing and risk analysis
  14. Security provided by API gateways
     An API gateway protects against threats to web services / APIs including:
     - Unauthorised access
     - Parameter manipulation and data harvesting
     - Virus insertion
     - Network eavesdropping
     - Disclosure of sensitive customer data
     - Message replay
     Standard network firewalls offer no protection against these threats.
  15. API gateways in API management
     - Client applications call the REST API; the API Gateway is the policy enforcement point and fronts REST, SOAP web services, POX, JMS and FTP back ends (integration with non-REST API services) in front of services, applications and data.
     - API Portal (application and API developers): self-service API consumption; self-register to resources, browse and learn APIs, manage application credentials; build a developer community and open a new channel to market the brand.
     - API Manager (API administrators): API registration and lifecycle, API catalog, partner and policy administration; register and manage the API lifecycle, perform partner, policy and process administration, monitor and report API use.
     - Policy developers: create and extend policies; integrate with applications and infrastructure.
  16. API security testing: why is it so important?
     API breaches can result in:
     - Stolen data
     - Server attacks
     - Spoofing
     - IoT device tampering
  17. Thinking like a hacker
     - We want to know as much as possible about an API's endpoints, messages, parameters and behavior.
     - The more we know about the API's surface, the better we can target our attack!
  18. Looking for vulnerabilities in your API
     - OWASP.org
     - Identify the most likely "soft spots"
     - Run all the scans, but automate and repeat the most important ones
     - Don't neglect payload analysis
     - Pay attention and respond quickly
  19. Show me how to protect my API
  20. Demo: scenario
     - Bank account API with one method for users to get the balance of one of their accounts
     - Vulnerable to SQL injection
     - User authentication is out of scope; the focus is the SQL injection attack
  21. Demo: detecting API threats (API vulnerable to SQL injection; definition imported prior to the demo)
     1. Normal request:
        GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
        -> SELECT balance FROM accountinfo WHERE account=123456789;
        -> Returns the balance of account 123456789
     2. Scanning:
        GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
        -> SELECT balance FROM accountinfo WHERE account=1 OR 1=1;
        -> Returns the balances of all accounts!
  22. Demo: protecting against API threats (the same vulnerable API, now behind the Axway API Gateway with threat protection enabled and managed through API Manager)
     1. Normal request:
        GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
        -> SELECT balance FROM accountinfo WHERE account=123456789;
        -> Returns the balance of account 123456789
     2. Scanning:
        GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
        -> Detected and blocked by the Axway API Gateway!
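The injection from slides 21 and 22 reproduced end to end, as an added example that is not the deck's demo code and not the Axway gateway's detection logic. The `accountinfo` table is a constructed in-memory SQLite stand-in with three made-up accounts, the `\d{1,12}` account format is an assumption, and `gateway_filter` stands in for the kind of allow-list input validation a gateway policy applies before forwarding. It shows the vulnerable query leaking every balance, the parameterized query that fixes the bug in the API itself, and the gateway check that stops the request from ever reaching the back end:

```python
import re
import sqlite3
from urllib.parse import parse_qsl

ACCOUNT_RE = re.compile(r"^\d{1,12}$")  # allow-list: an account number is digits only (assumed format)


def make_db():
    """Constructed in-memory stand-in for the demo's accountinfo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accountinfo (account INTEGER PRIMARY KEY, balance REAL)")
    conn.executemany(
        "INSERT INTO accountinfo VALUES (?, ?)",
        [(123456789, 1500.0), (987654321, 42.5), (555555555, 9001.0)],
    )
    return conn


def balance_vulnerable(conn, accnt):
    """The demo's bug, kept on purpose: the accnt parameter is spliced into the SQL text."""
    sql = f"SELECT balance FROM accountinfo WHERE account={accnt};"
    return [row[0] for row in conn.execute(sql)]


def balance_parameterized(conn, accnt):
    """The fix in the API: the value travels as a bound parameter, never as SQL."""
    rows = conn.execute("SELECT balance FROM accountinfo WHERE account=?;", (accnt,))
    return [row[0] for row in rows]


def gateway_filter(query_string):
    """Gateway-style input validation on the raw query string, before the back end sees it.

    Returns the account number as an int when it passes the allow-list, or
    None when the request should be rejected (e.g. with HTTP 400).
    """
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    accnt = params.get("accnt", "")
    if not ACCOUNT_RE.match(accnt):
        return None
    return int(accnt)


def demo():
    """Replay the two requests from the demo against each of the three code paths."""
    conn = make_db()
    normal = balance_vulnerable(conn, "123456789")     # one balance, as on slide 21
    injected = balance_vulnerable(conn, "1 OR 1=1")    # every balance leaks
    safe = balance_parameterized(conn, "1 OR 1=1")     # the literal string matches no account
    blocked = gateway_filter("accnt=1 OR 1=1")         # None: rejected at the gateway
    allowed = gateway_filter("accnt=123456789")        # 123456789 forwarded to the API
    return normal, injected, safe, blocked, allowed
```

The parameterized query is the real fix; the gateway allow-list is defense in depth that also catches whatever else a scanner sends in `accnt`, but a pattern or allow-list at the edge does not by itself block the full spectrum of injection against a back end that still builds SQL from strings.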
  23. Key takeaways
     API protection:
     - Put protection in place for your APIs
     - Apply throttling, input validation and threat detection
     - Block the full spectrum of attacks
     API testing:
     - … is your friend
     - Focus on the most likely vulnerabilities first
     - Build security testing into your dev plans
     Create APIs with confidence.
  24. Try for free (free trial)