Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Deep-Dive: Secure API Management

10,512 views

Published on

Threat protection and application access controls are key security mechanisms that protect APIs when exposed to internal or external users and developers.

In this technical deep-dive webcast, Apigee's security team, led by Subra Kumaraswamy, will discuss API threats and the protection mechanisms that every API and app developer must implement for safe and secure API management.

This webcast will cover:
- the API threat model
- how to design and implement appropriate guardrails for API security using build-in policies and configuration
- a demo of Apigee Edge threat protection features, including TLS encryption, XML/JSON/SQL injection attacks, and rate limiting

Whether you're an IT security architect or an API or app developer, this webcast will help you understand secure API management.

Download Podcast: http://bit.ly/1biiJQS
Watch Video: http://youtu.be/ffs35w1RYRI

  • Be the first to comment

Deep-Dive: Secure API Management

  1. 1. Deep Dive: Secure API Management Subra Kumaraswamy & Chris Von See
  2. 2. youtube.com/apigee
  3. 3. slideshare.net/apigee
  4. 4. @Subrak Subra Kumaraswamy Chris Von See
  5. 5. Agenda • API threats and Protection • API Access Control Considerations • Demo – OAuth “Hello, World!” • Operational Considerations • Demo – Handling Compromised Applications • Securing sensitive run-time data • Demo – Apigee Vault • Threat protection from the OWASP perspective • Demo – SQL Injection Attack • SSL/TLS configuration considerations • Certificate management • Key Takeaways • Questions 5
  6. 6. API Security Stakeholders 6 Product Manager How can I release features with built-in security? How I can reduce the release cycle? Business owner How to reduce risk while expanding API exposure? How to meet compliance? Ops How do I enforce consistent security policy across APIs? What controls I have to mitigate attacks like DoS? Developer What options I have to secure data in rest and transit? How can I securely manage keys? Security & Privacy Team How do I manage the PII life cycle of data exposed via APIs How do I govern APIs exposed to internal and external developers?
  7. 7. API Threat Modeling
  8. 8. Threat Modeling and API/infrastructure Design • Your APIs are vulnerable to the typical Web application security attacks – Think OWASP Top 10 attacks • In addition you have to worry about: – API abuse via API key theft – Hackers reverse engineering Apps to access private APIs – Traffic spike protection by way of Bots or DoS attacks – Identity tracking across API sessions – XML/JSON injection type attacks – Token harvesting due to insecure communication or storage 8
  9. 9. Threat Modeling - APIs9
  10. 10. Threat Modeling – Apigee Edge10
  11. 11. API Deployment Architecture Edge ExternalFirewall Backend Service Enterprise Identity Store 3rd Party Security Services (AAA, Logs, Analytics) TLS HTTPS (Management services) TLS TLS TLS External Developers Apps InternalFirewall Partner • Identity • SAML • RBAC • LDAP • ACL • DDoS • XML/JSON Threats • Rate Limit • Log & Audit • Identity • OAuth • X.509 • API Key • Identity • SAML • RBAC • X.509 Internal Developers
  12. 12. Access Control
  13. 13. Identity for end-to-end security App Developer User APIApp Backend API Developer IT Manager Business User Authentication Authorization, Auditing (AAA) Services • OpenID Connect • Social Login • 2FA • X.509 Cert Enterprise Identity Stores • App Identity • OAuth • TLS • Key protection • Identity • SSO • RBAC • API Key • Threat Protection • Credential Mediation • Secure Token Storage • SAML/OAuth • Identity • SSO • RBAC • SAML • Audit
  14. 14. Demo: Hello World App (OAuth Client Credentials grant type) 14
  15. 15. Operationalization Considerations
  16. 16. Thinking about security from an operational perspective • How can I structure my Apigee instance to optimize access controls? • How do I know if an application has been compromised? • How do I mitigate risks from compromised applications? • How do I manage sensitive back-end system credentials? • How do I protect information from both internal and external threats while it’s in-flight? • Can I segregate and control access to content hosted on my Developer Portal? • Can I control access to entities in the Apigee system? • What options do I have for auditing API requests? for auditing Apigee management requests? 16
  17. 17. Logical partitioning through organizations and environments 17 Web Point of Sale Partner Mobile Backend Dev Environment Organization Test Environment Prod Environment Developers Applications API Team
  18. 18. Mitigating risks from compromised applications • How do you know you have a problem? – Strange source addresses – Unusual request types – Unusual request rates – Custom analytics showing unusual traffic for particular users • Actions you can take to mitigate impact: – Revoke/re-approve/delete an API key – Regenerate API keys and secrets – Revoke/re-approve/delete some or all active OAuth access and refresh tokens – Dynamic invalidation via code in API proxies, based on user IDs, device identifiers or other criteria 18 When this happens… What do you do?
  19. 19. Demo: Handling Compromised Applications 19
  20. 20. Securing sensitive runtime information
  21. 21. Sensitive data storage using Apigee Vault 21 Dev Environment Organization Test Environment Prod Environment Environment-specific vaults for back-end system credentials or other sensitive information that varies as proxies move through the development lifecycle Organization-specific vaults for sensitive information that is global to all environments or APIs Vaults are encrypted storage areas accessible for write access via the Management API and for read access by the Node.js runtime
  22. 22. Demo: Apigee Vault 22
  23. 23. Threat protection: the OWASP perspective
  24. 24. OWASP Top 10 Protection 24 OWASP Top 10 Threats Apigee Edge A1 – Injection Threat Protection Policy A2 – Broken Authentication TLS, Standard OAuth protection, LDAP, AD A3 – Cross-Site Scripting (XSS) Consistent JSON transformation A4 – Insecure Direct Object References Sanitize API A5 – Security Misconfiguration Hardened API Management Platform A6 – Sensitive Data Exposure Data Masking, Encryption, Key Mgmt A7 – Missing Function Level Access RBAC, OAuth Scope A8 – Cross-Site Request Forgery Use of tokens in API header, OAuth State Parameter A9 – Using Known Vulnerable Components Hardened API platform A10 – Unvalidated Redirects and Forwards API transformation with sanity checks
  25. 25. API Specific Threats 25 Threats to API Apigee Edge DoS Attacks Rate Limiting Policy Developer Abuse Quota Policy Token Harvesting 2-way TLS (Inbound and Outbound) Key Theft Secure Key Storage XML/JSON Bombs XML/JSON Injection policy Run-time Privilege escalation OAuth with API Products Management Privilege escalation RBAC for Management Team
  26. 26. Demo: Mitigating OWASP Top 10 Threats 26
  27. 27. SSL/TLS Configuration
  28. 28. Inbound Security – App to Edge Apigee Edge Threat Protectio n Policy Trust Store Key Store 2-Way TLS Backend All Channels TLS Cipher Config
  29. 29. SSL/TLS configuration – App to Edge <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <VirtualHost name="secure"> <HostAliases> <HostAlias>apiconnect.yourdomain.com</HostAlias> </HostAliases> <Interfaces/> <Port>443</Port> <SSLInfo> <Ciphers> <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA</Cipher> <Cipher>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Cipher> <Cipher>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Cipher> <Cipher>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Cipher> <Cipher>SSL_DHE_DSS_WITH_DES_CBC_SHA</Cipher> <Cipher>TLS_KRB5_WITH_3DES_EDE_CBC_SHA</Cipher> <Cipher>TLS_KRB5_WITH_DES_CBC_SHA</Cipher> </Ciphers> <ClientAuthEnabled>True</ClientAuthEnabled> <Enabled>true</Enabled> <IgnoreValidationErrors>false</IgnoreValidationErrors> <KeyAlias>mycorp</KeyAlias> <KeyStore>mycorp</KeyStore> <Protocols> <Protocol>TLSv1.1</Protocol> <Protocol>TLSv1.12</Protocol> </Protocols> </SSLInfo> </VirtualHost> 29
  30. 30. Outbound Security – Edge to API Apigee Edge Threat Protectio n Policy Trust Store Key Store Backend TLS Cipher Config 2-Way TLS
  31. 31. SSL/TLS configuration – Gateway to Backend (Southbound) - - <HTTPTargetConnection> <URL>http://mycorp.com</URL> <SSLInfo> <Enabled>true</Enabled> <ClientAuthEnabled>true</ClientAuthEnabled> <KeyStore>myKeystore</KeyStore> <KeyAlias>myKey</KeyAlias> <TrustStore>myTruststore</TrustStore> <Ciphers/> <Protocols/> </SSLInfo> </HTTPTargetConnection> 31
  32. 32. Certificate management • View keystore and trust store certificates in the UI • Add and manage keystore and trust store certificates via the Management API 32
  33. 33. Certificate management • View keystore and trust store certificates in the UI • Add and manage keystore and trust store certificates via the Management API 33
  34. 34. Key Takeaways • Follow API Threat Model and Security Operations best practice • Protect your backend from OWASP Top 10, DoS and API specific threats using threat protection policies • Build apps with built-in access control policies (OAuth, SAML, Cert) • Leverage built-in TLS to secure communications end-to-end • Prepared to respond to the next threat using API security configurations 34
  35. 35. Questions?
  36. 36. Thank you
  37. 37. Security Architecture Policy Store Log Store API Run-time Security Authentication Authorization Traffic Management Logging & Auditing API Management Security User Management RBAC Management Policy Management Certificate Management Keys/Token Management Threat Protection TLS DDoS Rate Limiting & Quota Payload Protection Analytics Compliance (SOC 2, PCI DSS, HIPAA) and Cloud Security Developers Apps IT Security /Architect Key Store Policy Enforcement

×