APIs: The New Security Layer

APIs: The New Security Layer
Greg Brail, Apigee

Slideshare
slideshare.com/apigee
Apigee Community
https://community.apigee.com
YouTube
youtube.com/apigee

Today’s Speakers:
3©2008-16 Apigee Corp. All rights reserved.
Greg Brail
Apigee

• What Happens to Insecure APIs
• API Security Fundamentals
• The Result: Effective API Security
Agenda

No API Security?
Bad things happen

Let’s make it secure then
I have an API!

Everything with a URI has an API
Of Course You Have an API!
8
Wired, 9/22/15
www.ifc0nfig.com, 1/5/15
troyhunt.com, 2/24/16

Breach Reason Source
Buffer Compromised third-party admin password; OAuth secret in GitHub ProgrammableWeb
Snapchat No authentication; no rate limit Gibson Security
Multiple Kardashian Apps No authentication or authorization Wired
MoonPig No authentication or authorization www.ifc0nfig.com
Facebook Graph API Users can delete other users’ photos; Improper authorization check ProgrammableWeb
IRS GetTranscript Application Password reset mechanism relied on personal data IRS
Instagram Malicious app was stealing passwords; no approval process Daily Dot
Nissan Leaf VIN number only security credential on API Troy Hunt
Tesla Model S Six-character password that’s easily guessable Security Affairs, Elsewhere
Some API Security Breaches

• No authentication on some APIs
– Climate control, battery status
– Only VIN number required
• User ID leaked by some of those APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
Nissan Leaf

• No rate limit on request to get friends by phone
number
• Hard-coded encryption key
• Weak cipher
http://gibsonsec.org/snapchat/
Snapchat

Fundamental API Security
What every developer should know

• Prevent unauthorized applications
• Prevent unauthorized users
• Prevent excessive traffic
• Prevent content attacks
• Watch for trouble
• React to trouble
What You Need to Do

What Do Our Customers Do?
74%
OAuth
78%
Spike
Arrest
72%
Threat
Protection

• Application Authorization is a fundamental part of API security
– Best way to stop runaway applications
– Only options for certain types of apps (anonymous API access)
– Requirement for all forms of OAuth
• Best practices
– Use different credentials for each version of each app
– Makes it easier to pull a bad version
– Hide the app credentials as best you can
• Realize that they still can be stolen
– Have an approval process for apps
Prevent Unauthorized Applications

• Authenticate all end users for critical apps
– Only way to keep security credentials outside the
app
– Use OAuth carefully
• Use caution around “password” grant type
• Only as good as identity management
– For instance, dodgy password reset practices
– Can you get identity a service?
Prevent Unauthorized Users

• Protect APIs that are vulnerable to brute force
– Validating password
– Validating anything
– Anything where the only ID is in a small space
• Protect from runaway applications
– Denial of service is also an attack
– Excessive usage may mean data is being harvested
– Not always an attack – developers make mistakes
Prevent Excessive Traffic

• Accepting JSON over the Internet?
– Excessive identifier length
– Excessive nesting
– Large arrays and elements
• Accepting XML over the Internet?
– All that and more
• Are you sure there can’t be SQL injection?
– Regular expression checks
Prevent Content Attacks

• Monitor the API
– Usage patterns
– Usage patterns by application
– Latency
– Error rate
• Monitor the world too
– Unusual tweets?
– Other social media?
Watch for Trouble

• Traffic comes from unusual places:
– iPads in Amazon data centers
– US-only retailers with many “customers” in Eastern
Europe
• Or unusual patterns:
– Sequential scans of identifiers
– API traffic faster than a human can generate
• Identify suspected “bots”
– Heuristics, machine learning
• Block them by IP or otherwise
Example: Bot Detection

• Do you have application-level
authentication?
– Revoke app credentials
– Change rate limit
– Redirect app to another URL
• No application-level authentication?
– Insert additional logic
– Worst cast: shut down the API until it’s fixed
React to Trouble

Effective API Security
Api == Contract == security

An API is a Contract
What is an API, really?

• Simple
• Ubiquitous
• Widely-understood
• Universally implemented
The “API Stack” is Small

• Since API technology is simple,
• So is the contract:
– URIs
– JSON schemas
– Query parameters
– Authentication
• Simpler contracts are:
– simpler to validate
– simpler to test
– simpler to prove
API Contracts are Simple

• Don’t agree? Let’s look at web apps:
– Cross-site scripting
– Insecure URIs in links
– Cross-site request forgery
– Insecure redirects
– Insecure third-party pages
– Insecure and malicious JavaScript
Simpler Means More Secure

• Well-known URI pattern
• Documented schemas
• Well-known authentication model
• Well-known authorization model
• One way to secure all API calls
Simpler is Better
• Totally dynamic URI pattern is harder
to test
• Specified inputs and outputs can be
tested
• Haphazard authentication hard to test
• Haphazard authorization hard to test
• Multiple implementations hard to test

Summing it Up
Back to the original point

• We saw lots of places where APIs were compromised
– Many of these had nothing to do with an “API”
• Biggest vulnerability is having an API and not realizing it
– Everything with a URL has an API
• Well-defined APIs can be secured
– Lots of widely-known techniques and technology
• A properly-secured API is verifiable
• Use it!
Conclusion

APIs: The New Security Layer

More Related Content

What's hot

Viewers also liked

Similar to APIs: The New Security Layer

More from Apigee | Google Cloud

Recently uploaded

APIs: The New Security Layer