Why is API security a big deal? In the last 10 years there has been a substantial increase in API usage. APIs are everywhere, transforming business systems around the world. This rise will continue with the further adoption of IoT devices. As more APIs are created, cybersecurity risks and threats must be considered. Data and privacy breaches are major pain points for business and IT.
4. Introductions
● About the organizers:
○ Alexandra Martinez
○ Mahesh Pujari
○ Pravallika Nagaraja
○ Kishore Reddy Paluri
A show of hands: who is new to this Meetup?
6. Agenda
● Introductions
● Background of APIs
● API Threats
● API Security
● Securing through MuleSoft
● Take away
● Networking time
7. Introductions
● About me
○ Satyam Patel, Technical Architect
○ 8+ years in the integration domain
○ Performed various roles from developer to project lead
○ Aviation and Oil and Gas industry domains
○ webMethods ESB and BPM
○ MuleSoft integration platform
○ Mule 4.x, Dell Boomi, AWS Solutions Architect Associate and webMethods 9.x certifications
○ Enjoy outdoor activities – hiking, biking, skiing, camping, etc.
9. Background of APIs
● Brief history of APIs – Quick timeline
○ 1950s – 1970s: Subroutines, libraries, FORTRAN, the IBM instruction set, C standard libraries, the idea of reimplementation
○ 1980s – 1990s: Interfaces between hardware and OS, BIOS, printers, CLIs, etc.
○ 1990s – 2000s: Windows OS APIs, UNIX, Java class libraries and functions, Delicious web APIs
● Rise of API-based IT solutions (2000s and onwards)
○ CRM – Salesforce officially launched its API on February 7, 2000
○ eBay – On November 20, 2000, eBay launched the eBay Application Program Interface (API) along with the eBay Developers Program
○ Amazon – On July 16, 2002, Amazon launched Amazon.com Web Services
● The present and the possible future
○ Social media boom – FB, Flickr, Twitter, etc.
10. Where are we today and what’s coming in future?
● APIs currently account for 83% of all hits on the internet
● Media organizations are the largest users
● Need for seamless integrations across industries
● Rise of IoT devices, mobile apps, smart homes, complex systems in aviation and cars, unified platforms and more!
● What’s the next big thing?
(Chart: The growth over time of the ProgrammableWeb API directory to more than 23,000 entries)
11. Overall security areas
● Infrastructure
○ Architecture
○ Networking & VPCs
○ Load balancing
○ Firewalls
● Solutions
○ Design and structure
○ Data handling
○ Connectivity
● Data
○ Storage and management
○ Access control
12. General security framework
● Identify
○ Assess and strategize
● Protect
○ Implement and secure
● Detect
○ Intelligent monitoring
● Respond
○ Analyze and mitigate
● Recover
○ Plan and improve
19. REST API security threats
● Injection Attacks – Malicious code, usually a query or a script, is embedded into an unsecured software program
● Man-In-The-Middle Attack (MITM) – An unauthorized third party secretly relays and possibly alters the communications between two parties
● CSRF Attack – Cross-Site Request Forgery (CSRF) forces logged-in users to silently open URLs that perform actions unintentionally
20. REST API security threats
● Broken Access Control – An attacker bypasses or takes control of authentication in web applications by compromising web tokens, API keys, passwords, account recovery options, password reset methods, etc.
● Distributed Denial of Service – The most common type of attack, where a malicious attempt is made to disrupt normal traffic
● Web Parameter Tampering – Based on the manipulation of parameters exchanged between client and server
● Sensitive Data Exposure – When sensitive data isn’t encrypted in transit or at rest, it could lead to abuse of this information
21. Security as a design principle
API SECURITY SOLUTIONS
24. API security best practices
● Enforce secure communications
○ Enable TLS 1.2 or subsequent versions, in accordance with CSE guidance
● Design APIs to be resistant to attacks
○ Treat all submitted data as untrusted and validate it before processing
● Avoid putting sensitive data in request URLs
○ URL strings can be tracked and compromised
● Protect access to APIs
○ Authenticate and authorize before any operation
○ Use open standards such as OpenID Connect and Open Authorization 2.0 (OAuth 2.0)
25. API security best practices
● Use gateways and proxies instead of whitelists
○ Use a secure gateway layer to provide a security control point instead of simply whitelisting inbound Internet Protocol addresses (IPs)
● Integrate security testing
○ Automate security testing to validate any new changes to API source code
● Audit access to sensitive data
○ Access to APIs dealing with sensitive and/or personal data must be logged for future audit and reviewed on a regular basis
● Log and monitor for performance and activity
○ Track usage and monitor for suspicious activity, including abnormal access patterns such as after-hours requests, large data requests, etc.
26. API security best practices
● Identity:
○ User and app authentication
○ API and server authentication
○ User and app authorization
● Identity Provider:
○ Single Sign-on, multi-experience
○ Single Sign-on, single experience
○ WS-Security with SAML Assertions
○ OpenID Connect with JWT ID Tokens
27. API security best practices
● Message integrity
○ Digital signatures
● Message confidentiality
○ Public key cryptography
○ Digital certificates
○ Mutual authentication with digital certificates
○ HTTPS
● Availability
28. API Design considerations for security
● Handling of data – Know the data; share the minimum, only the required data (yes, even with reusability); implement data masking, encryption for sensitive data, etc.
● Accessing end systems – Access the end systems securely; ask for limited access and restrictions
● Temporary storage of business data – Shouldn’t be stored locally; if at all required, clear it once processed
● Object stores – Do not store sensitive information in memory
30. MuleSoft Provided Components
● API Manager
● Secret Manager
● Access Manager
● Monitoring Dashboards
● Alerting Mechanism
● Ability to externalize logs for analysis
31. MuleSoft API Manager
● API Manager Policy types
○ Default Policies
○ Automated Policies
○ Custom Policies
● Policy classification
○ Security
○ Compliance
○ Transformation
○ Troubleshooting
○ Quality of Service
32. MuleSoft Provided API Policies
● Security
○ Basic Authentication – LDAP – Authenticates LDAP credentials
○ Basic Authentication – Simple – Authenticates a single user name and password
○ IP Blacklist – Blocks a range of IP addresses
○ IP Whitelist – Allows access from only a preapproved range of IP addresses
○ JSON Threat Protection – Protects against malicious JSON structures in API requests
○ XML Threat Protection – Protects against malicious XML elements in API requests
○ Client ID Enforcement – Allows access to client applications with valid client credentials
○ JWT – Validates a JSON Web Token (JWT)
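As an added illustration of what the JSON Threat Protection policy above does (this is example code, not MuleSoft's implementation), the following Python checker enforces structural limits on a request body before any business logic touches it; the limit names and values are constructed for the example.

```python
import json

# Limits of the kind a JSON threat-protection policy exposes: container depth,
# array size, object entry count, string length and raw body size. The values
# here are constructed for this example, not MuleSoft's defaults.
LIMITS = {
    "max_body_bytes": 64 * 1024,
    "max_depth": 5,
    "max_array_elements": 100,
    "max_object_entries": 50,
    "max_string_length": 1024,
}

class JsonThreat(ValueError):
    """Raised when a document exceeds one of the configured limits."""

def _walk(node, depth, limits):
    """Recursively enforce the limits; depth counts nested containers from 1."""
    if isinstance(node, (dict, list)) and depth > limits["max_depth"]:
        raise JsonThreat(f"container depth {depth} exceeds {limits['max_depth']}")
    if isinstance(node, dict):
        if len(node) > limits["max_object_entries"]:
            raise JsonThreat(f"object with {len(node)} entries is too large")
        for value in node.values():
            _walk(value, depth + 1, limits)
    elif isinstance(node, list):
        if len(node) > limits["max_array_elements"]:
            raise JsonThreat(f"array with {len(node)} elements is too large")
        for item in node:
            _walk(item, depth + 1, limits)
    elif isinstance(node, str) and len(node) > limits["max_string_length"]:
        raise JsonThreat(f"string of length {len(node)} is too long")

def check_json_body(raw: str, limits=LIMITS):
    """Return (accepted, reason) for a request body before any business logic
    sees it. Size is checked first so an oversized body never costs a parse."""
    if len(raw.encode("utf-8")) > limits["max_body_bytes"]:
        return False, "body too large"
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    except RecursionError:  # json.loads recurses; absurd nesting fails here
        return False, "nesting too deep to parse"
    try:
        _walk(doc, 1, limits)
    except JsonThreat as exc:
        return False, str(exc)
    return True, "ok"
```

A gateway policy applies the same idea at the edge, so the API implementation behind it only ever sees documents within the agreed shape.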
33. MuleSoft Provided API Policies
● Security
○ OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider Policy – Enforces token access using the MuleSoft OAuth Provider policy
○ OpenAM Access Token Enforcement – Restricts access to a protected resource using an OpenAM authentication server
○ PingFederate Access Token Enforcement – Restricts access to a protected resource using the PingFederate authentication server
○ Tokenization – Transforms sensitive data into non-sensitive equivalent tokens
○ Detokenization – Transforms a tokenized value back to the original data
34. MuleSoft Provided API Policies
● Compliance
○ Client ID Enforcement – Allows access to client applications with valid client credentials
○ CORS – Enables calls executed in a web page to interact with resources from different domains
● Quality of Service
○ HTTP Caching – Stores HTTP responses from an API implementation
○ Rate Limiting – Enables imposing a limit on the number of requests that an API can accept within a specified time
○ Rate Limiting, SLA-Based – Enables imposing an API request limit based on SLA tiers
○ Spike Control – Controls API traffic and provides a queuing feature
● Troubleshooting
○ Message Logging – Logs a custom message when an API is invoked
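To show how the Rate Limiting, SLA-Based and Spike Control policies listed above behave, here is an added Python model (example code, not MuleSoft's implementation): a per-client fixed-window quota chosen by SLA tier, and a bounded concurrency limiter that queues a burst instead of dropping it; the tier names, quotas and limits are constructed.

```python
import time
from collections import deque

# SLA tiers as (request quota, window in seconds). Constructed values, not a real contract.
SLA_TIERS = {"free": (5, 60), "gold": (100, 60)}

class SlaRateLimiter:
    """Fixed-window counter per client; quota and window come from the client's SLA tier."""
    def __init__(self, tiers=SLA_TIERS, clock=time.monotonic):
        self.tiers, self.clock, self.windows = tiers, clock, {}  # clock is injectable for tests

    def allow(self, client_id, tier):
        """Return (accepted, requests remaining in the current window)."""
        if tier not in self.tiers:  # no SLA tier means no access, as with client ID enforcement
            return False, 0
        quota, window = self.tiers[tier]
        now = self.clock()
        start, used = self.windows.get(client_id, (now, 0))
        if now - start >= window:  # window elapsed: start a fresh one
            start, used = now, 0
        if used >= quota:
            self.windows[client_id] = (start, used)
            return False, 0
        self.windows[client_id] = (start, used + 1)
        return True, quota - used - 1

class SpikeControl:
    """Bounded concurrency with a bounded queue: bursts are queued, not dropped, until the queue fills."""
    def __init__(self, max_concurrent, queue_size):
        self.max_concurrent, self.queue_size = max_concurrent, queue_size
        self.in_flight, self.queue = set(), deque()

    def admit(self, request_id):
        """'run' if a slot is free, 'queued' if the queue has room, else 'rejected'."""
        if len(self.in_flight) < self.max_concurrent:
            self.in_flight.add(request_id)
            return "run"
        if len(self.queue) < self.queue_size:
            self.queue.append(request_id)
            return "queued"
        return "rejected"

    def release(self, request_id):
        """Finish a request; promote and return the oldest queued one, if any."""
        self.in_flight.discard(request_id)
        nxt = self.queue.popleft() if self.queue else None
        if nxt is not None:
            self.in_flight.add(nxt)
        return nxt
```

A gateway keeps this state per API instance, so both the remaining quota and the queue depth are useful signals for the alerts described on the following slides.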
36. API manager alerts
● An API alert is an alarm that flags one of the following problems:
○ The API request violates a policy
○ Requests received by the API exceed a given number within a period of time
○ The API returns a specified HTTP error code
○ The API response time exceeds a certain amount
37. API event analytics and forwarding
● Analytics providing data on
○ Requests by Date
○ Requests by Location
○ Requests by Application
○ Requests by Platform
● Externalize analytics data
○ API Analytics Report API
○ Forward API Analytics events
38. Runtime manager alerts
● Number of errors
○ The number of errors in one minute reaches the specified limit
● Number of Mule messages
○ The number of Mule messages since the application started reaches the specified limit
● Response time
○ The response time reaches the specified limit
● Use Runtime Manager to export data to external analytics tools
○ Splunk and ELK plugins
39. Are the APIs truly secured?
API SECURITY ACHIEVED?
40. Have APIs attacked!
● Try some attacks yourself
● Find some tools or apps to test policies
● Get the organization’s security department to test the code and environment
● Have professionals attack and assess API security
● Regular pen-tests
41. Security testing areas
● Credentials
● Authentication
● Authorization
● Session
● Privacy
● Data
● Certificates
● Source
● System
● Files
● Logs
● Emails
● Services
● Cryptography
● Architecture
● Networks
● Virtualization
● Physical
● Mobile
● Social
43. Take away
● Know the big picture, the infrastructure and the business
● Security comes at a cost
● There will be side-effects
● Only recommend what’s right and needed
● There’s no one way to do it
● Ensure it gets thoroughly tested for security
● Security is not a one-time activity
● Leverage proactive monitoring and implement policies
● Follow best practices and be as restrictive as possible in API design
● Discuss in the community, let MS know for additional support
45. Connect with me – feedback/ideas
● Blog - http://bit.ly/APISecurityBlog
● Connect on LinkedIn - http://bit.ly/LinkSatyam
● Please spend a few seconds to post your valuable feedback here - http://bit.ly/MS-feedback
47. How does the quiz work?
1. Organizers show the question.
2. Organizers read the question out loud.
3. Organizers will write in the chat the following message: “Answers from question n start here” after reading the question.
4. Only answers that appear after this message will be taken into account.
5. A final raffle, with the people that answered the quiz correctly, will take place after the quiz, where the 3 lucky winners will receive a training or certification voucher.
6. The 3 winners will send their email in the chat so we can contact them for further steps.
48. Rules:
1. First person to give the correct answer in the chat will enter the final raffle.
2. If you already answered one question correctly, please stop answering and give a chance to the rest. You don’t receive “extra points” for answering correctly more than once.
3. If the answer is sent before the “Answers from question n start here” message appears in the chat, it won’t be taken into account.
50. 1. Which business launched their first APIs in 2000?
A: Salesforce
52. 2. Name of a popular web API directory where public APIs are published. World’s leading source for internet-based application programming interfaces (APIs).
A: Programmableweb
54. 3. What would this type of attack be called where the message in transit was compromised and possibly altered?
A: Man-In-The-Middle-Attack (MITM)
56. 4. Can you set an alert in Anypoint Platform if a request is coming from some geographic location?
A: No (false)
58. 5. Can you set an alert in Anypoint Platform if the payload’s size is above some threshold?
A: No (false)
60. 6. What policy could help limit the number of API hits in a given period of time?
A: Rate Limiting SLA
62. 7. Which policy helps in controlling API traffic and provides support for queuing?
A: Spike Control
64. 8. Incidents of breaches – What was this type of attack on Panera Bread? Please apply knowledge of attacks.
A: Possibly Web parameter tampering OR SQL injection OR both.
65. What’s next?
● Share:
○ Tweet using the hashtag #MuleSoftMeetups
○ Invite your network to join: https://meetups.mulesoft.com/toronto/
● Feedback:
○ Fill out the survey feedback and suggest topics for upcoming events
○ Contact MuleSoft at meetups@mulesoft.com for ways to improve the program
66. Next event
● Toronto Virtual Meetup #6 - How to use Salesforce composite request connector in Mule
○ Wed, Oct 21, 2020
○ 5:30 PM (EDT)
● Speaker:
○ Rajiv Mishra
○ Associate at Cognizant Technology Solutions
● https://meetups.mulesoft.com/events/details/mulesoft-toronto-presents-toronto-virtual-meetup-6-how-to-use-salesforce-composite-request-connector-in-mule/#/