SlideShare a Scribd company logo

Advanced API Security Patterns

42Crunch
42Crunch

While TLS and OAuth are widely used today, they are not always well-used and in many cases they are not enough. In this presentation, we introduce all aspects of security to consider as well as the OpenAPI security extensions which can be leveraged to better express the contract between the consumer and the provider.

Software
1 of 17
Download to read offline
The API Security Platform for the Enterprise ISABELLE MAUNY - CTO AND CO-FOUNDER ISABELLE@42CRUNCH.COM ADVANCED API SECURITY PATTERNS
2 Hello, I am Isabelle! French native, lives in Madrid, travels the world Speak English, French, Spanish
3 DEFINING API SECURITY
API SECURITY ASPECTS TO CONSIDER Authentication (Validation and OIDC Flows) Integrity Data has not been tampered with Audit (Forensics) Confidentiality Data can’t be seen in flight Availability (Rate Limiting) Authorization (Access Control and OAuth flows) Non Repudiation (Legal Compliance) Input/Output Validation (Attacks Protection)
5 REQUEST RESPONSE 1 2 Request Validation Message Validation 3 Token Validation Crypto Validation 4 Tra!c Enforcement 5 6 7 AAA Message Processing 1 Message Validation 2 Crypto Operations 3 Response Validation 4 Message Processing
TLS covers Confidentiality and Integrity at transport level. Configuration matters! ✓ Protocol accepted (TLS 1.2, 1.3 are recommended) ✓ Strong cipher suites Can use Mutual SSL for authentication is some scenarios Review/Enforce across the whole transaction flow ✓ Inbound/Outbound Remember: channel is encrypted… but data goes in clear! 6 IT STARTS AT TRANSPORT LEVEL…
REQUEST VALIDATION Verbs Path Headers Query params Cookies CORS Apply positive and negative security models (a.k.a whitelisting and blacklisting) ✓ Example: Leverage Open API to apply positive security model! 7
DATA VALIDATION Payload validation (request, responses, errors!) Block sensitive data in responses (N26 attack lessons…) Make sure you don’t return too much information in case of errors. Too much info for attacker! ✓ Avoid Response.post ( exception.printStackTrace()) ! 8
TOKEN VALIDATION Which token format is accepted ? Where (query param ? header ?) Is it of the right format ? Has it expired ? Is the signature valid? Is the signing/encrypting algorithm the right one ( RS256, HS 256) Was 2-factor auth used if required ? (Level of Assurance - LoA 3 or greater) Claims check ✓ What’s the audience value ? See: https://thehackernews.com/2018/04/auth0-authentication-bypass.html ✓ What’s the issuer value ? ✓ Custom checks Check jwt.io to ensure the libraries you use do the proper checks! 9
CRYPTOGRAPHY 10
CRYPTO VALIDATION Can I decrypt ? Can I verify the signature ? Decrypt before payload validation ! 11
INTEGRITY What I received is what was sent and I know who sent it. Digital signatures over content. You probably already use this with OpenID Connect (id token must be signed and optionally encrypted) Transport agnostic! Other applications ✓ Non-Repudiation 12
CONFIDENTIALITY I don’t want anybody to see the messages exchanged. Data can only be read by the right person/system Transport agnostic! Multiple recipients ✓ Part of message goes to target A, another to target B 13
AAA (AUTHENTICATION/AUTHORIZATION /AUDIT) Choose OAuth Grant Types wisely ✓ Know the deployment ✓ Know who will invoke the APIs. Use HTTPs across all actors (Resource Server, Authorization Server, Client) Prevent Token theft ! Look at ✓ PKCE for mobile apps ( prevents authorization_code from being stolen) ✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800) ✓ Token Binding ( new RFC, still in Draft) Use proven libs and products ! Audit everything (logs, SIEM, audit trail) Learn Learn and Learn … ✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce ✓ https://alexbilbie.com/guide-to-oauth-2-grants/ ✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864 14
OPEN API SECURITY EXTENSIONS Specify the security contract Authentication ✓ Basic Auth ✓ API Key ✓ OAuth (flows, URLs to Authorization/Token Server) Future ✓ Mutual TLS (3.1) ✓ Cryptography support at message level ✓ Additional details for OAuth JWT contract • Algorithms • Required Claims • Signature Type 15
16 www.42crunch.com/whitepaper
CONTACT: INFO@42CRUNCH.COM WWW.42CRUNCH.COM The API Security Platform for the Enterprise

Recommended

Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
42Crunch
 
42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop
42Crunch
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
42Crunch
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
42Crunch
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
42Crunch
 
Why you need API Security Automation
Why you need API Security AutomationWhy you need API Security Automation
Why you need API Security Automation
42Crunch
 
Guidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsGuidelines to protect your APIs from threats
Guidelines to protect your APIs from threats
Isabelle Mauny
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
42Crunch
 

Recommended

Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
42Crunch
 
42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop
42Crunch
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
42Crunch
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
42Crunch
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
42Crunch
 
Why you need API Security Automation
Why you need API Security AutomationWhy you need API Security Automation
Why you need API Security Automation
42Crunch
 
Guidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsGuidelines to protect your APIs from threats
Guidelines to protect your APIs from threats
Isabelle Mauny
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
42Crunch
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
Isabelle Mauny
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
42Crunch
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
CA API Management
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
42Crunch
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
42Crunch
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
42Crunch
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
Apigee | Google Cloud
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
 

More Related Content

What's hot

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
Isabelle Mauny
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
42Crunch
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
CA API Management
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
42Crunch
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
42Crunch
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
42Crunch
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
Apigee | Google Cloud
 

What's hot (20)

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 

Similar to Advanced API Security Patterns

Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
MuleSoft
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
Bui Kiet
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Designing Secure APIs
Designing Secure APIsDesigning Secure APIs
Designing Secure APIs
Steven Chen
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
Dileep Kalidindi
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Codemotion
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
Donald Malloy
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Ledingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersLedingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for Developers
Mukesh Singh
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hamzaaqqa7
 
Integration step up session
Integration step up sessionIntegration step up session
Integration step up session
Amit Behere
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
Security overview (grahame)
Security overview (grahame)Security overview (grahame)
Security overview (grahame)
DevDays
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud Identity
Mark Diodati
 

Similar to Advanced API Security Patterns (20)

Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Designing Secure APIs
Designing Secure APIsDesigning Secure APIs
Designing Secure APIs
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Ledingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersLedingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for Developers
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
Integration step up session
Integration step up sessionIntegration step up session
Integration step up session
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
Security overview (grahame)
Security overview (grahame)Security overview (grahame)
Security overview (grahame)
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud Identity
 

Recently uploaded

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaTop 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Yara Milbes
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
QuickwayInfoSystems3
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 

Recently uploaded (20)

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaTop 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 

Advanced API Security Patterns

  • 1. The API Security Platform for the Enterprise ISABELLE MAUNY - CTO AND CO-FOUNDER ISABELLE@42CRUNCH.COM ADVANCED API SECURITY PATTERNS
  • 2. 2 Hello, I am Isabelle! French native, lives in Madrid, travels the world Speak English, French, Spanish
  • 4. API SECURITY ASPECTS TO CONSIDER Authentication (Validation and OIDC Flows) Integrity Data has not been tampered with Audit (Forensics) Confidentiality Data can’t be seen in flight Availability (Rate Limiting) Authorization (Access Control and OAuth flows) Non Repudiation (Legal Compliance) Input/Output Validation (Attacks Protection)
  • 5. 5 REQUEST RESPONSE 1 2 Request Validation Message Validation 3 Token Validation Crypto Validation 4 Tra!c Enforcement 5 6 7 AAA Message Processing 1 Message Validation 2 Crypto Operations 3 Response Validation 4 Message Processing
  • 6. TLS covers Confidentiality and Integrity at transport level. Configuration matters! ✓ Protocol accepted (TLS 1.2, 1.3 are recommended) ✓ Strong cipher suites Can use Mutual SSL for authentication is some scenarios Review/Enforce across the whole transaction flow ✓ Inbound/Outbound Remember: channel is encrypted… but data goes in clear! 6 IT STARTS AT TRANSPORT LEVEL…
  • 7. REQUEST VALIDATION Verbs Path Headers Query params Cookies CORS Apply positive and negative security models (a.k.a whitelisting and blacklisting) ✓ Example: Leverage Open API to apply positive security model! 7
  • 8. DATA VALIDATION Payload validation (request, responses, errors!) Block sensitive data in responses (N26 attack lessons…) Make sure you don’t return too much information in case of errors. Too much info for attacker! ✓ Avoid Response.post ( exception.printStackTrace()) ! 8
  • 9. TOKEN VALIDATION Which token format is accepted ? Where (query param ? header ?) Is it of the right format ? Has it expired ? Is the signature valid? Is the signing/encrypting algorithm the right one ( RS256, HS 256) Was 2-factor auth used if required ? (Level of Assurance - LoA 3 or greater) Claims check ✓ What’s the audience value ? See: https://thehackernews.com/2018/04/auth0-authentication-bypass.html ✓ What’s the issuer value ? ✓ Custom checks Check jwt.io to ensure the libraries you use do the proper checks! 9
  • 11. CRYPTO VALIDATION Can I decrypt ? Can I verify the signature ? Decrypt before payload validation ! 11
  • 12. INTEGRITY What I received is what was sent and I know who sent it. Digital signatures over content. You probably already use this with OpenID Connect (id token must be signed and optionally encrypted) Transport agnostic! Other applications ✓ Non-Repudiation 12
  • 13. CONFIDENTIALITY I don’t want anybody to see the messages exchanged. Data can only be read by the right person/system Transport agnostic! Multiple recipients ✓ Part of message goes to target A, another to target B 13
  • 14. AAA (AUTHENTICATION/AUTHORIZATION /AUDIT) Choose OAuth Grant Types wisely ✓ Know the deployment ✓ Know who will invoke the APIs. Use HTTPs across all actors (Resource Server, Authorization Server, Client) Prevent Token theft ! Look at ✓ PKCE for mobile apps ( prevents authorization_code from being stolen) ✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800) ✓ Token Binding ( new RFC, still in Draft) Use proven libs and products ! Audit everything (logs, SIEM, audit trail) Learn Learn and Learn … ✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce ✓ https://alexbilbie.com/guide-to-oauth-2-grants/ ✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864 14
  • 15. OPEN API SECURITY EXTENSIONS Specify the security contract Authentication ✓ Basic Auth ✓ API Key ✓ OAuth (flows, URLs to Authorization/Token Server) Future ✓ Mutual TLS (3.1) ✓ Cryptography support at message level ✓ Additional details for OAuth JWT contract • Algorithms • Required Claims • Signature Type 15
  • 17. CONTACT: INFO@42CRUNCH.COM WWW.42CRUNCH.COM The API Security Platform for the Enterprise