42Crunch Security Audit for WSO2 API Manager 3.1
1 like233 views
The document discusses the importance of API security, highlighting that 83% of web traffic is now API traffic and emphasizes the potential risks of not prioritizing API security. It details WSO2 API Manager's security features, which include static and dynamic checks, and the integration with 42Crunch for automated API security audits. Furthermore, the document outlines best practices for proactively securing APIs and the benefits of utilizing the audit report to identify vulnerabilities before publication.
42Crunch Security Audit for WSO2 API Manager 3.1
- 1. API Security Audit A partnership between 42Crunch and WSO2 28th May 2020 8.30 P.M (IST), 8.00 A.M (PST), 11.00 A.M (EST), 4.00 P.M (BST), 3:00 P.M (UTC)
- 3. WSO2 API Manager 3.1.0 - Introduction
- 4. WSO2 API Management Overview ENTERPRISE INTEGRATOR MicroIntegrator Streaming Integrator Message Broker Process Manager Integrator Analytics Data Services Developer Studio ESB IDENTITY & ACCESS MANAGER Federation SSO Adaptive Auth
- 6. The State Of API Security ● 83% of all web traffic is now API traffic (Akamai, 2019) ● 363 different APIs are being managed by organizations on average, with 69% of them making those APIs public (Survey: APIs a Growing Cybersecurity Risk | Imperva, 2018) ● APIs will be the most frequently attacked vector for enterprise web application data breaches by 2022 (How to Build an Effective API Security Strategy, 2017)
- 7. Why API Security Must Not Be An Afterthought Not taking API Security seriously can have devastating consequences on organizations: ● Operation disruptions ● Negative publicity ● Legal problems ● Repeat attacks ● Suppliers can be compromised
- 8. Facebook Data Breach - 2019* ● Security expert Bob Diachenko discovered database containing sensitive information of more than 267 million Facebook users were left exposed. ● Exposed data included Facebook ID, phone number, email address and other profile details. ● It is highly suspected that the data was stolen from Facebook’s Developer API, which allowed third-party developers access to phone numbers until 2018. ● Could have been prevented if vulnerabilities in the Developer API are identified and fixed pro-actively. *(267M Facebook Users’ Phone Numbers Exposed Online, 2019)
- 9. API Security in WSO2 API Gateway ● Static Checks ○ SQL injection ○ Parsing attacks(XML/JSON) ○ Payload attacks* ○ OpenAPI Security Violations/Vulnerabilities ○ Schema violations* ○ SSL/TLS ○ API Implementation and API Contract mismatches ● Dynamic Checks ○ Rate limiting for API calls. ○ Throttle API calls. ○ Authentication/Authorization. ○ Anomaly detection. ○ AI based threat detection. ○ Real-time protection for APIs via API Firewall
- 10. Static and Dynamic Security for APIs AI-powered Threat Protection for APIs OpenAPI Exploitation API Security Audit, API Conformance Scan, API Firewall Data & Application Attacks Advanced Persistent Threats, Data exfiltration, Deletion DoS & DDoS Attacks DDoS API attack, Login service DDoS attack, Botnet attacking API Login Attacks Stolen tokens or cookies, Credential stuffing, Fuzzing Payload Scanning JSON/XML threat protection, SQL injection, XSS, Schema validation, Encryption & signature, Redaction Access Control Authentication, Authorization, Token Translation Rate Limiting Client throttling, Provider throttling, Quotas, Spike Arrest Network Privacy SSL/TLS Fine Grained Permission Validation OAuth 2.0 based scopes /XACML Combined Security Features API Security Tools to identify and remedy OpenAPI vulnerabilities and offer runtime protection for APIs
- 12. © COPYRIGHT 42CRUNCH | CONFIDENTIAL Deploy & Protect API Firewall is automatically configured from OAS file and deployed in line of traffic. The firewall can be deployed as sidecar in Kubernetes or reverse proxy in front of API Management solutions. Develop Developer documents the API contract with OpenAPI/Swagger. API Contract security is evaluated from VSCode using 42Crunch plugin. Integrate & Test API Contract quality is enforced via CI/CD pipeline. Builds are blocked when minimal security requirements defined by security teams are not met. API implementation is tested via Conformance Scan Design Developer initiates security work at design time. Best practices and recommendations are documented.
- 13. 42CRUNCH AND API MANAGEMENT ARE COMPLEMENTARY API Threat Protection API Access Control API/Identity managementAPI Firewall ➡ Content validation ➡ Token validation ➡ DOS Protection ➡ Payload security (encrypt/sign) ➡ Access tokens management ➡ Authentication ➡ Authorization ➡ Identity management ➡ Traffic management API Security
- 14. © COPYRIGHT 42CRUNCH | CONFIDENTIAL • Developers describe the API contract in a language they know • Audit is available from IDEs and CI/CD plugins • Actionable report with zero false positives Key Benefits • Instant visibility into API security status • Governance of corporate security standards • Required security is declared instead of developed/maintained manually across multiple tools/environments DEVELOPERS INITIATE SECURITY AT DESIGN TIME The 42C Audit service performs 200+ security checks
- 15. SAMPLE REPORT
- 16. How To Secure APIs Proactively? ● Step 1 - Make sure API Definitions conform to OAS. ● Step 2 - Perform comprehensive security audits on API Definitions
- 17. Integration Implementation ● The API Security Audit functionality is built-in to WSO2 API Manager ● Once it is enabled, an Audit API button will be shown in the API Definition tab in API Publisher ● Clicking on the Audit API button will send the API Definition to 42Crunch to be audited ● The result from the audit will be shown as a report in API Publisher
- 18. Demo “
- 20. Q&A
- 23. Audit Score and Summary
- 25. Security
- 26. Data Validation
- 27. What are the benefits of this Audit Report? ● Ability to identify vulnerabilities in an API even before it has been published - This will help to improve the security then and there ● Easy to prioritize what issues to be addressed first ● Convenience of being able to use the built-in Swagger Editor in WSO2 API Manager to edit the API Definition