Better API Security with Automation

The API Security Platform for the Enterprise
ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER
ISABELLE@42CRUNCH.COM
BETTER SECURITY
WITH AN AUTOMATED APPROACH

OWASP : FROM 2010 THROUGH 2017
2
TOP 10 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Top 10 2017
A1: Injection*
A2: Broken Authentication
A3: Sensitive Data Exposure*
A4: XML External Entities (XXE)*
A5: Broken Access Control*
A6: Security Misconfiguration*
A7: Cross-Site Scripting (XSS)*
A8: Insecure Deserialization*
A9: Using Components with Known Vulnerabilities*
A10: Insufficient Logging&Monitoring
*= API related

3By 2022 APIs will become the most common attack vector - Gartner

KNOW YOUR
APIS
9
1
See: https://www.owasp.org/index.php/Application_Threat_Modeling

VALIDATE AND
SANITIZE INPUT
10
URL validation
Verb validation
✓ Reject if not valid
Query params validation
✓ Min / Max / Pattern-based matching
Content-Type validation
✓ Don’t accept as-is!
Accept Header validation
✓ Don’t copy into Content-Type
Data inbound
✓ Format
✓ Message Size and complexity
Data outbound
✓ Data Leakage
✓ Exception Leakage
✓ Use rules against data dictionary
2
OPENAPI SPECIFICATION to the RESCUE !

VALIDATE JWT
TOKENS
11
Don’t trust the incoming token!
Validate algorithm (the one you chose!)
✓ HS256
✓ RS256 (recommended)
Reject None!
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims and your own claims
See details Learn the best practices for keeping your JWTs secure.
3
OPENAPI SPECIFICATION (AGAIN) to the RESCUE !

FINE-GRAIN
AUTHORIZATION
12
Who is calling ?
✓ Is it your own app ?
✓ Is it a trusted user ?
What can they do ?
Example: T-Mobile number
Scopes are often not enough !
✓ Need ABAC solution (XACML!)
4

START EARLY: SHIFT LEFT !
14
DeploymentTestingDevelopmentDesign

15
Development
Security
Operations
Business

COVER THE
BASICS
16
Automated Analysis
Static code analysis
3rd party libraries validation (CVEs), e.g.
NPS / Snyk for Node.js
GitHub dependencies graph
Manual Analysis
Code reviews
1

HACK
YOURSELVES!
17
API Scanning/Fuzzing
✓ Veracode, Coverity
✓ 42Crunch (coming soon!)
Transport analysis
✓ SSL Labs
✓ Hardenize
Further Analysis
✓ Bug Bounty
✓ Pen Testing
2

18
PROTECT YOUR
APIS
3
Protect all APIs ( public, private, SaaS)
AUTOMATICALLY deploy security measures
such as API Security Gateways/Firewalls
✓ Enforce Rate Limiting
• Brute force attacks (see N26!)
• DOS attacks
✓ Data Validation / JWT Validation / Auth / Azn
✓ Serves as Virtual Patching (as a WAF does for applications)
✓ Deploy at the edge and/or close to APIs (microservices
architecture)

Use Development ticketing system for
tracking issues
Analyse runtime behaviour and raise
issues automatically
19
MONITOR AND
ANALYZE
4

JOIN THE MAILING LIST !
APISECURITY.IO
NEWS AND TOOLS FOR BETTER API SECURITY

PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS
22
Monitor
Assess
Protect
Test
Develop Deploy
Monitor Security
Vulnerabilities and
runtime behavior
Continuous API hardening
including API fuzzing
Deploy to containerized
PEP
Configure and apply
security policies from
assessed risk
Assess API description
and evaluate risk level
Develop and document API
with OpenAPI/Swagger

CONTENT INJECTION: WORDPRESS API
23https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

TITLE TEXT
Remote Command Execution (A1)
SQL Injection (A1)
JSON injection (A1)
Information Leakage (A3)
Broken Access Control (A5)
Check: https://blog.talosintelligence.com/2018/07/
samsung-smartthings-vulns.html
24

25
https://www.talosintelligence.com/reports/TALOS-2018-0539/

26
Information Leakage (A3)
Broken Access Control (A5)
Check: https://www1.cs.fau.de/
filepool/projects/n26/n26-roots.pdf

28
Failed to properly validate that you
can’t input any other number than
yours!

UNPROTECTED API ! (A6)
Remote Command Execution
SQL Injection
Buffer Overflow
JSON injection
Information Leakage
Check: https://blog.talosintelligence.com/2018/07/samsung-
smartthings-vulns.html
29

AND OF COURSE …. EQUIFAX FOR A9
30

JWT TOKEN VALIDATION
31
Failed to properly validate JWT token (A5)
Algorithm (set to None)
Claims (audience)

RESOURCES
OWASP Top 10
✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
OWASP DevSlop Project
✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project
Chaos Engineering
✓ http://principlesofchaos.org
✓ https://github.com/dastergon/awesome-chaos-engineering
OWASP ZAP
✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Source Code Analysis
✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Code Security reviews
✓ https://www.owasp.org/index.php/Code_Review_Introduction
Systems Scans
✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
Security Methodology
✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 32

RESOURCES
SSL Setup Scan
✓ https://hardenize.com
✓ https://securityheaders.io
✓ https://www.ssllabs.com/ssltest/
Threat Modelling
✓ https://www.owasp.org/index.php/Application_Threat_Modeling
Attacks Type Information
✓ XSS: https://excess-xss.com
✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo
✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc
✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc
Pixi / DevSlop
✓ https://github.com/DevSlop/Pixi
✓ https://devslop.co
JWT as session data
✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens
33

Better API Security with Automation

More Related Content

What's hot

Similar to Better API Security with Automation

Recently uploaded

Better API Security with Automation