Mule soft riyadh virtual meetup_30_aug

[30th Aug 2020]: [MuleSoft Meetup Group Riyadh]
Virtual Meetup
[Riyadh-Saudi Arabia]

All contents © MuleSoft Inc.
Introduction : Organizers, Speaker and You
2A SHOW OF HANDS
Satya Sekhar Das Mandal
Alaa Bani Taha
V.V. Nalini Gowd

Agenda
3
• Introduction
• About API Security
• API Policies
• Demo
• Custom Policy Development
• Demo
• QA & Quiz (3 Winners will receive Certification Voucher from
MuleSoft )

Goal
4
• Understand the API Security
• API Policies
• Available API Policies in Any Point Platform and when to apply
them
• Learn, how to develop custom API policy

All contents © MuleSoft Inc. 6
API Security

APIs Are A More Direct Conduit

API Security

API Security Breach

Current API Landscape
12
• APIs steadily increasing
• Attacks steadily increasing

Current API Security Landscape
13
Reactive -> Proactive
Average Time to Detect First Breach
2018 Verizon DBIR
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs
API Security Survey:

API Security – A Difficult Problem!
14
IP
Geolocation Time /Day
Session Length
...
API 1
API 2
API 3
API 4
• High number of sessions across
many APIs
• High velocity connections
• Large mix of inbound client types
and activity
– Legitimate clients
– High velocity attackers disrupt
services, access content, etc.
– Hackers with valid credentials blend in
while maliciously accessing API
services
• Looking for a needle in a haystack

API Login and API DDoS Attacks
•Brute force login attacks
•Stolen identifiers: cookies and tokens
•API specific DoS and API DDoS attacks
Compromised Account / Insider Attacks
•Account take over
•Data theft
•Application control
Hackers using Machine Learning
•Every attack looks different
•Every blocked attack leads to a new attack …
How vulnerable are APIs to attacks?

Answer: Leverage AI
MODEL
• Learn from API traffic
• Build model for legit
apps
DETECT
• Inspect runtime
traffic
• Look for deviations
from model
BLOCK
• Block compromised
tokens
• Notify/alert

MuleSoft API Management
17
• API Manager
– Creating an API
– SLA Tiers
– Contracts
– Alerts
– Policies
• Out of the box policies
• Custom Policy from API Manager
• Develop Custom Policy in Anypoint
Studio
• Secure your APIs!
– Monitoring

Securing APIs in MuleSoft With API Manager
18
• Specific to one API
– New feature of automated policies
to apply same set of policies to
many APIs
• Common Policies in API
Manager
– Basic authentication
– IP whitelist/blacklist
– Client ID Enforcement
– OAuth 2.0
– SLA based rate limiting and
throttling

• API Breaches go undetected for months or
years
• Enterprises need incorporate zero-trust for API
Strategy
• Gartner: “by 2022, API abuses will be the
most frequent attack vector that result in
breaches”
• Many attacks can’t be detected with traditional
API security
• Help is here from MuleSoft and PingIntelligence
your
customer
your
org
Attack Landscape Summary

• MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
MuleSoft API Management
and Security

API Lifecycle
21
• Design
• Build
• Test
• Deploy
• Manage

API Manager Policies
22
Policies enable you to enforce regulations to help manage security,
control traffic and improve adaptability of your APIs.
What is quite important you can implement policies with no
modification to the code implementation.
Mulesoft provides ready-to-use default policies that are shipped with
the product. Policies differ based on several different factors, such as
category, purpose, version, and configuration options.

API Manager Policies
23

Policy types
24
Main types of policies:
• Default Policies - ready-to-use policies provided by MuleSoft
• Automated Policies – applied on all APIs automaticly
• Custom Policies – policies you need to implement
– Online Custom Policies
– Offline Custom Policies

Policy categories
25
The following table lists default policies by its category and the
function it performs:
• Security
• Compliance
• Transformation
• Troubleshooting
• Quality of Service

Policy categories - Security
26
• Basic Authentication - authenticates the LDAP credentials or single user
password.
• IP Blacklist - blocks a range of IP addresses.
• IP Whitelist - allows access from only a preapproved range of IP addresses.
• JSON Threat Protection - protects against a malicious JSON structure in API
requests.
• XML Threat Protection - protects against malicious XML elements in API
requests.

Policy categories - Security
27
• JWT - validates a JWT token.
• OAuth 2.0 access token - enforces token access using the MuleSoft OAuth
Provider policy.
• OpenAM Access Token Enforcement - restricts access to a protected resource
using an Open AM authentication server.
• PingFederate Access Token Enforcement - restricts access to a protected
resource using the PingFederate authentication server.
• Tokenization - transforms sensitive data into nonsensitive equivalent tokens.
• Detokenization - transforms a tokenized value back to the original data.

Policy categories – Compliance and
Transformation
28
Compliance
• Client ID Enforcement - allows access to client applications with a valid client
credentials.
• CORS - enables calls executed in a web page to interact with resources from
different domains.
Transformation
• Header Injection - adds headers to the request or response message of a
policy.
• Header Removal - removes headers from the request or response message of a
policy.

Policy categories - Quality of Service and
Troubleshooting
29
QoS
• HTTP Caching - stores HTTP responses from an API implementation.
• Rate Limiting - enables imposing a limit on the number of requests that an API
can accept within a specified time.
• Rate Limiting, SLA-Based - enables imposing an API request limit based on
SLA tiers.
• Spike Control - controls API traffic.
Troubleshooting
• Message Logging - logs a custom message when an API is invoked.

Policy level
30
Policies are by default applied to the entire API.
Policies which implement an additional level of policy granularity are
called resource-level policies.
At the resource level of granularity, policies are applied to only those
requests that match the criteria. All policies, except the Cross-Origin
Resource Sharing (CORS) policy can be used are resource-level.

Managing default policies
31
• Applying policy in API Manager
• Ordering of policies
– CORS exception
• Disabling policies

Guidelines for using policies
32
• When designing System API you may consider using:
– IP whitelisting – IP address range of implementation of Process APIs
– SLA based Rate Limiting – rejects requests when troughput has been reached
– Spike Control – to protect backend systems
• When designing Process API you may consider using:
– IP whitelisting – IP address range of implementation of Process and
Experience APIs
– Client ID enforcement – identity of API clients is always known
– SLA based Rate Limiting - rejects requests when troughput has been reached
– Spike Control – to protect backend systems

• Create API
• Apply different security policies and see the impact
API Policy Demo

34
• When designing Experience API you may consider using:
– IP whitelisting – IP address of the Aggregator to complement TLS mutual
authentication
– JSON/XML Threat Protection – secure your API
– SLA based Rate Limiting - rejects requests when troughput has been reached
– Avoid using Spike Control – use queuing instead

35
• Use API Manager Alerts to detect policy violations.
• Keep correct order of policies, CORS, Certificate Validation, JSON
Threat Protection should be executed first.
• Use resource-level policies when:
– Securing a subset of an API is required
– Setting different limits on resources is needed
• Use Visualizer to monitor policies

Custom Policies
Development and Deployment
1.Develop the policy.
2.Package the policy.
3.Upload the resulting policy assets to Exchange.
4.Apply the policy to any API through API Manager

How to setup the Project
37
1. Add the below code in Maven’s setting.xml

Setting up project with archetype
38
• Create a new directory where the custom policy project will live.
• Go to that directory in the command line.
• Execute the following command:

Setting up project with archetype
39
• Replace:
– ${orgId} with the Anypoint Platform Organization Id where the policy will
be uploaded.
– Get your organization ID from Access Management > Organization:
• Click the name of your organization.
• Copy the UUID from the browser address. For example, copy 2a4b93c3-7899-
4ea7-9374-f787744d8784 from the URL.
– ${policyName} with the desired name for the custom policy.
• Before finishing, Maven asks you to set up:
– policyDescription: A brief description of your policy.
– policyName: The identifier name of your policy.

Policy source code - yaml
40
https://docs.mulesoft.com/api-manager/2.x/custom-policy-4-reference#yaml-configuration-file

Policy customization
41

42

43

Custom Policy Demo
44
A custom policy which will encrypt the value of the configured fields.

Detail Documentation
45
• https://docs.mulesoft.com/api-manager/2.x/custom-policy-4-reference#error-
handling

MuleSoft Anypoint Security
46
• Secure all applications deployed
to your Runtime Fabric with Edge
Policies
• Implement a Web Application
Firewall (WAF)
• Other policies
– IP whitelist
– Denial of service
– HTTP limits

MuleSoft + WAF Security
47
• Protects against many common
attacks
– SQL Injection
– Cross Site Scripting
– Body scanning
– OWASP Top 10 attacks
– These are known vulnerabilities!

Security Policies + WAF Protection
48
• What do security policies + WAF
actually protect against?
– Basic attacks (authentication, rate
limiting, SQL injection, etc.)
• What are the vulnerabilities?
– Advanced API attacks from
authenticated hackers
– No way to detect authenticated
attacks
• Google took 2.5 years to detect a breach
• How do we protect against these
vulnerabilities?

PingIntelligence For APIs
PingIntelligence for APIs ®
App
Servers
API Discovery Attack Blocking Deep Reporting
APIs APIs APIs
• Deep API Visibility
– Dynamically discover APIs across all
environments
– Monitor all API activity including every command
and method used throughout a session
• Automated threat detection and blocking
– Detect and stop attacks that use APIs to
compromise data and applications
– Use API honeypots to instantly detect probing
hackers and prevent access to production APIs
• Self Learning
– Use AI to discover expected behavior for each
API in API gateway and app server environment
– Eliminate the need to write and manage policies
and update API attack signatures

• You can’t fully trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
– Client app, user, 3rd party identities
Phishing
+token
Stolen token
User data
<api>
>collections
_
GitHub leaking client
secrets
Password
reuse
Zero Trust

Comprehensive Security: MuleSoft + PingIntelligence
Foundational API Security
Content Injection
JSON, XML, SQL injection protection, XSS
Flow Control
Throttling, Metering, Quota Management, Circuit-
breakers
Access Control
AuthN, AuthZ, Token Management, Microgateway
AI-Powered Cyberattacks Detection
Automated Cyber Attack Blocking
Blocks stolen tokens/cookies, Bad IP’s & API keys
API Deception & Honeypot
Instant hacking detection and blocking
Deep API Traffic Visibility & Reporting
Monitor & report on all API activity
Scalable Multi-Cloud API Platform AI-powered Threat Protection for APIs
PingIntelligence
for APIs

PingIntelligence Augments API Security
Web Application FirewallsPingIntelligence for APIsAPI Gateways
Complementary to API Gateways and WAFs
OWASP Top 10 Protection
+ +
Authenticated users
Advanced attacks
API Management
Security Policies

Hacker Deception

Ping Intelligence Dashboard

References
55
• https://www.mulesoft.com
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
– https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_
32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
– https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_p
ingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
– Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
• https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-
security-landscape.html

Open forum discussion
( Q&A, Topics for next meetup,
activity, quiz )

What’s next
57
• Share:
– Invite your network to join: https://meetups.mulesoft.com/riyadh/
• Feedback:
– Contact your organizer Satya Sekhar Das Mandal & Alaa Bani Taha to
suggest topics
– Contact MuleSoft at meetup@mulesoft.com for ways to improve the program
– Your Feedback is catalyst for us
• Our next meetup:
– Date: TBD
– Location: Riyadh / Virtual
– Topic: TBD

Take a stand !
58
• Nominate yourself for
the next meetup speaker
and suggest a topic as
well.

See you next time
Please send topic suggestions to the organizer

Mule soft riyadh virtual meetup_30_aug

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Mule soft riyadh virtual meetup_30_aug

Similar to Mule soft riyadh virtual meetup_30_aug (20)

More from satyasekhar123

More from satyasekhar123 (9)

Recently uploaded

Recently uploaded (20)

Mule soft riyadh virtual meetup_30_aug