Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Enhancing your Security APIs


Published on

Presentation from Apigee's Open Banking & PSD2 Summit in London on 19th May 2016. This presentation covers Apigee's innovative data driven security approach that detects intelligent bots, transaction anomalies, and helps protect your APIs from cyberthreats.

Published in: Technology
  • Be the first to comment

Enhancing your Security APIs

  1. 1. Secure APIs for Finance Lessons from API security successes and failures Greg Brail Apigee May 2016
  2. 2. Agenda What Happens to Insecure APIs API Security Fundamentals Why APIs are less risky The Result: Effective API Security
  3. 3. No API Security Bad things happen
  4. 4. I have an API!
  5. 5. ©2015 Apigee Corp. All Rights Reserved. But I Don’t Have an API!
  6. 6. Of Course You Have an API! 6 Wired, 9/22/15, 1/5/15, 2/24/16 Everything with a URI has an API
  7. 7. Some API Security Breaches Breach Reason Source Buffer Compromised third-party admin password; OAuth secret in GitHub ProgrammableWeb Snapchat No authentication; no rate limit Gibson Security Multiple Kardashian Apps No authentication or authorization Wired MoonPig No authentication or authorization Facebook Graph API Users can delete other users’ photos; Improper authorization check ProgrammableWeb IRS GetTranscript Application Password reset mechanism relied on personal data IRS Instagram Malicious app was stealing passwords; no approval process Daily Dot Nissan Leaf VIN number only security credential on API Troy Hunt Tesla Model S Six-character password that’s easily guessable Security Affairs, Elsewhere
  8. 8. Nissan Leaf • •  No authentication on some APIs •  Climate control, battery status •  Only VIN number required •  User ID leaked by some of those APIs
  9. 9. •  No rate limit on request to get friends by phone number •  Hard-coded encryption key •  Weak cipher • Snapchat
  10. 10. Mobile Banking Apps •  Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world •  More than 30% used non-TLS-encrypted links for at least part of the app •  Down from 90% two years ago •  Demonstrated JavaScript interception of some apps’ “login” page to gather passwords 10 Ariel Sanchez,
  11. 11. A South Asian Bank •  Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts •  Found many major flaws and one huge one •  All validation of account numbers for funds transfers was performed in the mobile app only – not on the server 11
  12. 12. SWIFT •  Over $900 million in fraudulent transfer requests due to compromise at a member bank •  Became $81 million due to a typo BAE Systems Applied Intelligence
  13. 13. APIs for Finance Applying security lessons
  14. 14. APIs for Controlled Access •  APIs provide a controlled way for third parties to access a service •  Not having an API means that third parties will find another way •  That’s why JPMC is considering this:
  15. 15. Federated Security is a Must Systems like OAuth and OpenID exist for the purpose of managing secure access without sharing passwords -- JPMorgan Chase, 2015 letter to shareholders
  16. 16. Trusted Endpoints Aren’t •  API security must assume untrusted endpoints •  User authentication •  Fraud detection •  Application-level authentication
  17. 17. Fundamental API Security What every developer should know
  18. 18. ©2015 Apigee Corp. All Rights Reserved. You Have an API
  19. 19. What You Need to Do •  Prevent unauthorized applications •  Prevent unauthorized users •  Prevent excessive traffic •  Prevent content attacks •  Watch for trouble •  React to trouble
  20. 20. What Do Apigee Customers Do? 74% OAuth 78% Spike Arrest 72% Threat Protection
  21. 21. What do Others Do? •  A wide variety of solutions out there •  87% percent have “API management” •  83% are “concerned” about API security
  22. 22. Prevent Unauthorized Applications •  Application Authorization is a fundamental part of API security •  Best way to stop runaway applications •  Only options for certain types of apps (anonymous API access) •  Requirement for all forms of OAuth •  Best practices •  Use different credentials for each version of each app •  Makes it easier to pull a bad version •  Hide the app credentials as best you can •  Realize that they still can be stolen •  Have an approval process for apps
  23. 23. Prevent Unauthorized Users •  Authenticate all end users for critical apps •  Only way to keep security credentials outside the app •  Use OAuth carefully •  Use caution around “password” grant type •  Only as good as identity management •  For instance, dodgy password reset practices •  Can you get identity a service?
  24. 24. Don’t Make It Up •  OAuth 1.0: Bug •  OAuth 1.0a: Better •  OAuth 2.0 authorization code grant type: Attack identified •  RFC 7636 (PKCE) fixes it •  Would you have discovered this on your own?
  25. 25. Prevent Excessive Traffic •  Protect APIs that are vulnerable to brute force •  Validating password •  Validating anything •  Anything where the only ID is in a small space •  Protect from runaway applications •  Denial of service is also an attack •  Excessive usage may mean data is being harvested •  Not always an attack – developers make mistakes
  26. 26. Prevent Content Attacks •  Accepting JSON over the Internet? •  Excessive identifier length •  Excessive nesting •  Large arrays and elements •  Accepting XML over the Internet? •  All that and more •  Are you sure there can’t be SQL injection? •  Regular expression checks
  27. 27. Watch for Trouble •  Monitor the API •  Usage patterns •  Usage patterns by application •  Latency •  Error rate •  Monitor the world too •  Unusual tweets? •  Other social media?
  28. 28. Example: Bot Detection •  Traffic comes from unusual places: •  iPads in Amazon data centers •  US-only retailers with many “customers” in Eastern Europe •  Or unusual patterns: •  Sequential scans of identifiers •  API traffic faster than a human can generate •  Identify suspected “bots” •  Heuristics, machine learning •  Block them by IP or otherwise
  29. 29. React to Trouble •  Do you have application-level authentication? •  Revoke app credentials •  Change rate limit •  Redirect app to another URL •  No application-level authentication? •  Insert additional logic •  Worst cast: shut down the API until it’s fixed
  30. 30. API Management Can Help
  31. 31. Effective API Security API == Contract == Security
  32. 32. An API is a Contract What is an API, really?
  33. 33. The “API Stack” is Small •  Simple •  Ubiquitous •  Widely-understood •  Universally implemented
  34. 34. API Contracts are Simple •  Since API technology is simple, •  So is the contract: •  URIs •  JSON schemas •  Query parameters •  Authentication •  Simpler contracts are: •  simpler to validate •  simpler to test •  simpler to prove
  35. 35. Simpler Means More Secure •  Don’t agree? Let’s look at web apps: •  Cross-site scripting •  Insecure URIs in links •  Cross-site request forgery •  Insecure redirects •  Insecure third-party pages •  Insecure and malicious JavaScript
  36. 36. Simpler is Better •  Well-known URI pattern •  Documented schemas •  Well-known authentication model •  Well-known authorization model •  One way to secure all API calls •  Totally dynamic URI pattern is harder to test •  Specified inputs and outputs can be tested •  Haphazard authentication hard to test •  Haphazard authorization hard to test •  Multiple implementations hard to test
  37. 37. Summing it Up APIs are essentail for security’ Security is essential to APIs’ APIs risk is well-understood.
  38. 38. Conclusion •  We saw lots of places where APIs were compromised •  Many of these had nothing to do with an “API” •  Biggest vulnerability is having an API and not realizing it •  Everything with a URL has an API •  Well-defined APIs can be secured •  Lots of widely-known techniques and technology •  A properly-secured API is verifiable •  Use it!
  39. 39. Thank You