Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Takeaways from API Security Breaches Webinar

2,087 views

Published on

Examining today's biggest API breaches to mitigate API security vulnerabilities

Data breaches have become the top news story. And APIs are quickly becoming the hacker's new favorite attack vector. They offer a direct path to critical information and business services that can be easily stolen or disrupted. And your private APIs can be exploited just as easily as a public API. So what measures can you take to strengthen your security position?

This webinar explores recent API data breaches, the top API security vulnerabilities that are most impactful to today's enterprise and the protective measures that need to be taken to mitigate API and business exposure.

You Will Learn

-Recent breaches in the news involving APIs
-Top attacks that compromise your business
-Mitigating steps to protect your business from attacks and unauthorized access
-API Management solutions that both enable and protect your business

Learn about API Security at http://www.ca.com/api

Published in: Technology
  • Be the first to comment

Takeaways from API Security Breaches Webinar

  1. 1. Takeaways  from  API  Security   Breaches   Jaime  Ryan  –  Sr.  Director,  API  Management  Technical  Strategy   Tyson  WhiBen  –  Director,  API  Management  SoluCons  MarkeCng  
  2. 2. 2   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Agenda   API  BREACHES   RISK  MITIGATION  STEPS   API  MANAGEMENT  SOLUTIONS   QUESTIONS   1   2   3   4  
  3. 3. 3   ©  2015  CA.  ALL  RIGHTS  RESERVED.   APIs  at  the  center   OUTSIDE PARTNERS / DIVISIONS EXTERNAL DEVELOPERS MOBILE APPS CLOUD SERVICES INTERNET OF THINGS API   APPS  
  4. 4. 4   ©  2015  CA.  ALL  RIGHTS  RESERVED.   APIs  expose  sensiCve  data   APIs  are  also  the  a<ack  vector  of  choice   for  hackers  to  disrupt  your  service  or  gain   access  to  private  informaIon   API  
  5. 5. 5   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Prominent  API  Breaches  
  6. 6. Top  API  VulnerabiliCes  and  MiCgaCon   Steps  
  7. 7. 7   ©  2015  CA.  ALL  RIGHTS  RESERVED.   When  an  API  is  hacked  .  .  .     §  API  vulnerabiliCes  surface   –  When  exploits  are  discovered  by  the  API   publisher   –  When  discovered  by  3rd  party   –  When  an  organizaCon  is  actually  hacked   §  Exploits  are  rarely  documented   §  Public  APIs  are  most  scruCnized   §  Private/Hidden  APIs  are  also  vulnerable  
  8. 8. 8   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Top-­‐5  vulnerabiliCes/miCgaCons   §  Most  common/current  vulnerabiliCes  and  miCgaCons  for   securing  your  API   –  Client  impersonaCon   –  Phishing   –  Brute  force   –  InjecCons   –  Unauthorized  access/compromised  secrets  
  9. 9. 9   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Client  impersonaCon   §  An  aBacker  reverse-­‐engineers  a  secret  assigned  to  an  app  and  uses  it  to  call  an   API  pretending  to  be  the  legiCmate  app   §  E.g.  TwiBer  OAuth  Keys  Leaked   –  March  2013   §  E.g.  Snapchat   –  December  2013  
  10. 10. 10   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Client  impersonaCon  miCgaCon  #1   §  It’s  either  confidenCal,  or  it  isn’t   –  Don’t  ‘hide’  a  secret  on  a  public  app  store   or  render  it  on  a  web  page   §  Learn  to  ‘let  go’  of  your  app  once   published   –  Design  security  mechanisms  assuming   public  clients   –  Don’t  grant  access  to  resource  based   solely  on  the  app  idenCty  (require  user   auth)  
  11. 11. 11   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Client  impersonaCon  miCgaCon  #2   §  Call  API  from  actual  confidenCal  client   –  Use  frameworks  that  let  you  authoritaCvely  assess  devices,  apps   –  From  server-­‐side  web  app  vs  browser-­‐side  script   –  Provision  app-­‐level  secret  post-­‐installaCon  as  part  of  a  registraCon  step   –  Private  app  stores   API  
  12. 12. 12   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Phishing  aBacks   §  Risk  associated  with  redirecCon-­‐based  handshakes   –  Malicious  ‘applicaCon’  pretends  to  be  legiCmate   –  Inserts  its  own  endpoint  in  callback  address   –  Gets  token   §  *E.g.  Facebook  February  2013   GET /authorize? response_type=token&client_id=legitimate &redirect_uri=[malicious] Do  you  authorize  Legi%mate   app  to  access  API  on  your   behalf?     [X]  Yes   [    ]    No   Tricked   you   *hBp://threatpost.com/facebook-­‐patches-­‐oauth-­‐ authenCcaCon-­‐vulnerability-­‐022613/77563   API  
  13. 13. 13   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Phishing  miCgaCon  101   §  Register  and  validate  redirecCon  URIs   §  Strict  validaCon  (not  parCal)   §  Never  skip  consent  step   GET /authorize? response_type=token&client_id=legitimate &redirect_uri=[malicious] Error    Invalid  callback   foiledL   (out-­‐of-­‐band)   Register  LegiCmate  app   Callback=foo  API  
  14. 14. 14   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Brute  force   §  E.g.  snapchat  find_friend  exploit   –  December  2013   App  Contacts   Get  list  of  phone   numbers  from  local   contacts     API   Is  contact  a  member?   [for  each  local   contact]   Is  member?   [for  every  possible   phone  number]   Steal  all  phone   numbers  of  members   API  
  15. 15. 15   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Brute  force  miCgaCon   Rate  LimiCng,  Quotas,  SLAs   §  Targeted  rate  limiCng  specific  aBack  vectors   –  Limit  access  to  any  resource  granted  without  direct  ownership   –  Limit  failed  authenCcaCon,  limit  password  resets   §  Detect  brute  force  paBern  and  block   §  Correlate  idenCty,  locaCon,  concurrency   §  Rate  limit  to  protect  backend  API   –  Global  limits  to  prevent  DoS   §  Apply  rate-­‐limiCng  with  applicaCon  level  awareness   –  Limit  for  a  specific  operaCon  for  each  user/applicaCon   –  Limit  for  a  specific  input  for  each  user/applicaCon   Captcha?   SupporCng  headless  clients  
  16. 16. 16   ©  2015  CA.  ALL  RIGHTS  RESERVED.   InjecCon   §  InjecCon  aBacks,  parCcularly  in  public  clients  scenario  is  at  the  core  of  the  most   common  exploits   –  SQL/LDAP/Xpath/Xquery/Code  injecCons   §  *E.g.  InjecCon  in  query  parameters   GET /history?transactionid=123456 select from table where id=‘[ ]’ GET /history?transactionid=%27+OR+%271%27%3D%271 select from table where id=‘’ or ‘1’=‘1’ *hBp://forums.sugarcrm.com/f6/rest-­‐api-­‐sql-­‐injecCon-­‐ exploit-­‐89589/  
  17. 17. 17   ©  2015  CA.  ALL  RIGHTS  RESERVED.   InjecCon  MiCgaCon   §  Input  saniCzaCon   –  Parse  input  parameters  (payload/transport)   –  Apply  paBern  validaCon   –  JSON  Path,  XPath,  XSD,  JSON  Schema,  RegEx,  …   –  Own  and  Cghten  your  metadata   –  Code-­‐level  saniCzaCon  (e.g.  Prepared  Statements)   §  Signature-­‐based  threat  detecCon   –  Look  for  injecCon  paBerns  in  payload  and  at  transport  level  
  18. 18. 18   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Unauthorized  access   §  E.g.  Unsecured  API   §  E.g.  AuthenCcated  client  can  access  resource   that  should  be  restricted   §  E.g.  Session  secret  compromised   Balancing  UX  and  Security   More  Convenience   More  Risk   Less  Convenience   Less  Risk   No  credenCals   Device  Passcode   App  security
  19. 19. 19   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Unauthorized  Access  MiCgaCon   §  AuthenCcaCon   –  Local  auth,  integraCon  into  exisCng   idenCty  providers   –  Social  provider  integraCon   –  FederaCon,  SAML   §  Token  issuing,  lifecycle   management   –  OAuth,  OpenID  Connect   –  JWT/JWS   –  Token  refresh,  revocaCon   §  Assert  user/app/device  idenCCes   §  Scope   –  User-­‐granted  permissions   §  Resource  Server   –  Map  token  idenCCes  and  resource   ownership   §  IdenCty  mapping   –  SAML/OAuth/local/Kerberos/…   –  RunCme  mapping  internal/external  
  20. 20. How  API  Management  can  help  
  21. 21. 21   ©  2015  CA.  ALL  RIGHTS  RESERVED.   CA  API  Management  Manages  &  Secures  APIs     @  Design  &  RunCme   CA API GATEWAY … MOBILE DEVELOPERS MOBILE APPS CA API DEVELOPER PORTAL API   API   Design  Time   RunCme   §  Discover  APIs   §  Self-­‐register   §  Collaborate  &  test   §  AdaptaCon,  mediaCon   §  ThroBling,  caching   §  Policy  &  access  control   §  Create  &  publish  APIs   §  API  Plans  &  pricing   §  Monitoring  &  analyCcs   §  Embed  app  security   §  SSO,  social,  risk   §  OAuth  2.0,  OpenID   Connect,  UMA  
  22. 22. 22   ©  2015  CA.  ALL  RIGHTS  RESERVED.   On-­‐Premise     Hybrid   SaaS   The  Gateway  and  Portal  –  Flexible  Delivery  Models     §  Soyware  ownership   §  Highly  customizable  to  match  business  needs   §  Control  over  infrastructure  and  upgrades   §  Flexible  combinaCon  of  on/off  premise   soluCons   §  Provides  business  and  compliance  flexibility   §  Includes  integraCon   §  Faster  deployment/less  customizaCon   §  Reduced  infrastructure/upgrade  costs   §  Simple  scalability   §  Growing  set  of  funcConality   Flexibility  for  iniIal   investment  and  in   the  rate/extent  of   migraIon  to  the   cloud  
  23. 23. 23   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Goals  of  the  business,  employee  and  consumer   To  move  seamlessly  and  securely  between  apps  and  devices  
  24. 24. 24   ©  2015  CA.  ALL  RIGHTS  RESERVED.   App  Context  IdenCty   2.  User  provides  Enterprise   credenCals   1.  User  taps  one  of  the  four   enterprise  apps   3.  User  can  seamlessly  switch  between     the  four  enterprise  apps  
  25. 25. 25   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Discuss  Q4   targets  with  Bob.     Don’t  forget  to   Discuss  Q4   targets  with  Bob.     Don’t  forget  to   cover  incenCves.   1.  Phone  detects  it  is  close  to  tablet   using  Bluetooth  Low  Energy   2.  Session  migrates  to  tablet  so  user   does  not  have  to  reenter  credenCals   App  Context   3.  App  session  context  pushed   to  secure  cloud  storage   Source   Target   4.  Context  can  be  pushed   to  different  target  apps     §  Email   §  Notes   §  …etc.   IdenCty  
  26. 26. 26   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Latest analyst reviews: CA API Management is a leader “CA  Technologies  has  strong  API  security,   integraIon,  and  mobile  app  support.    With   Layer  7’s  long  history  as  an  SOA  applicaCon   gateway  provider,  CA’s  soluCon  has  among  the   best  API  security,  message  transformaCon,  and   integraCon  features  in  our  evaluaCon.    Among   the  tradiConal  gateway  vendors,  Layer  7  was   an  early  mover  into  the  API    management   space,  which  has  given  CA  a  head  start  to   round  out  the  features  of  its  portal  and  tooling   for  API  product  managers.    The  gateway’s   mobile  app  support  is  also  among  the  best  in   our  evaluaCon  ..”   The  Forrester  Wave:  API  Management  SoluIons,  Q3  2014.   The  Forrester  Wave™  is  copyrighted  by  Forrester  Research,  Inc.  Forrester  and  Forrester  Wave™  are  trademarks  of  Forrester  Research,  Inc.  The  Forrester  Wave™  is  a  graphical   representaCon  of  Forrester's  call  on  a  market  and  is  ploBed  using  a  detailed  spreadsheet  with  exposed  scores,  weighCngs,  and  comments.  Forrester  does  not  endorse  any  vendor,   product,  or  service  depicted  in  the  Forrester  Wave.  InformaCon  is  based  on  best  available  resources.  Opinions  reflect  judgment  at  the  Cme  and  are  subject  to  change   Forrester  Research  Inc.,  “Forrester  Wave:  API  Management  SoluCons,  Q3  2014”,  September  29,  2014  
  27. 27. 27   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Summary   §  Protect  your  APIs   –  But  support  developers   –  Do  not  sacrifice  UX   §  Leverage  API  infrastructure  to  implement  API  security  best   pracCces  
  28. 28. 28   ©  2015  CA.  ALL  RIGHTS  RESERVED.   CA  API  Management  at  RSA  
  29. 29. Director  API  Management  Product  MarkeCng   Tyson.WhiBen@ca.com   Tyson  Whi<en           ca.com/api   Sr  Director,  Technical  Strategy   Jaime.Ryan@ca.com   Jaime  Ryan  
  30. 30. 30   ©  2015  CA.  ALL  RIGHTS  RESERVED.   Legal  NoCce   ©  Copyright  CA  2015.    All  rights  reserved.  All  trademarks,  trade  names,  service  marks  and  logos  referenced  herein  belong  to  their  respecCve  companies.  No   unauthorized  use,  copying  or  distribuCon  permiBed.     THIS  PRESENTATION  IS  FOR  YOUR  INFORMATIONAL  PURPOSES  ONLY.  CA  assumes  no  responsibility  for  the  accuracy  or  completeness  of  the  informaCon.  TO   THE  EXTENT  PERMITTED  BY  APPLICABLE  LAW,  CA  PROVIDES  THIS  DOCUMENT  “AS  IS”  WITHOUT  WARRANTY  OF  ANY  KIND,  INCLUDING,  WITHOUT   LIMITATION,  ANY  IMPLIED  WARRANTIES  OF  MERCHANTABILITY,  FITNESS  FOR  A  PARTICULAR  PURPOSE,  OR  NONINFRINGEMENT.    In  no  event  will  CA  be   liable  for  any  loss  or  damage,  direct  or  indirect,  in  connecCon  with  this  presentaCon,  including,  without  limitaCon,  lost  profits,  lost  investment,  business   interrupCon,  goodwill,  or  lost  data,  even  if  CA  is  expressly  advised  of  the  possibility  of  such  damages.  

×