Api security-present
1 like720 views
Five simple strategies are proposed for securing APIs: 1. Validate all parameters from consumers to prevent injection attacks. 2. Apply explicit threat detection such as blacklisting dangerous tags and virus scanning. 3. Enable SSL encryption everywhere to protect against man-in-the-middle attacks. 4. Apply rigorous authentication and authorization using multiple identity factors and OAuth. 5. Use proven security solutions like an API gateway to separate the API implementation from security concerns and provide access control, monitoring, and auditing.
Api security-present
- 1. Five Simple Strategies for Securing APIs Tran Minh Tri Security bootcamp 2018
- 2. Product manager tritm@mi2.com.vn Tran Minh Tri @tridalat Slideshare.net/tridalat Linkedin.com/tridalat https://api.mi2.vn
- 3. 3 Contents WHAT ARE APIS ? ARE THEY WORTH THE RISK ? THE THREE ATTACK VECTORS TO WATCH OUT FOR FIVE SIMPLE MITIGATION STRATEGIES YOU MIGHT HAVE OVERLOOKED CONCLUSION
- 4. WHAT ARE APIS ? APIs are like windows into an application
- 5. 5 APIs are the building blocks of digital transformation IOT Devices Cloud Mobile Partners/External Divisions External Developers Data Your Digital Business
- 6. 6
- 7. 7 Digital transformation as a maturity model Low digital maturity High digital maturity Offline/In-Person Web Mobile Omnichannel Ecosystem How Do APIs Increase an Organization’s Risk?
- 8. 8 Digital Transformation in Retail Low digital maturity High digital maturity RETAIL STORE CATALOG & CALL CENTER WEB STOREFRONT AFFILIATE CHANNELS MOBILE STOREFRONT SHOPPER PROFILE APIs PRODUCT CATALOG APIs PERSISTENT CART APIs IN-STORE/PROXIMITY APIs INVENTORY/LOGISTICS APIs PERSONALIZED PROFILE APIs ADVANCED PAYMENT APIs LOYALTY PARTNER APIs MARKETPLACE APIs SMART PRODUCT APIs Offline / In-Person Web Mobile Omnichannel Ecosystem
- 9. 9Low digital maturity High digital maturity Offline / In-Person Web Mobile Omnichannel Ecosystem DEALER SERVICE CENTER/MECHANIC BRAND CONTENT ONLINE PRODUCT DATA RATINGS & REVIEWS DEALER APIs PRODUCT DATA APIs DRIVER PROFILE APIs DIAGNOSTIC APIs VEHICLE FEATURE APIs HISTORY/MAINTENANCE APIs OTA UPDATE APIs UBI APIs LOCATION & CONTEXT APIs INSURANCE APIs VEHICLE SHARE APIs Digital Transformation in Automotive
- 10. 10Low digital maturity High digital maturity DROPOFF / PICKUP CENTER COURIER WEB RESEARCH WEB SCHEDULING WEB TRACKING RATE AND SLA APIs SERVICE APIs TRACKING APIs FLEET TRACKING APIs SUPPLY CHAIN APIs TRAFFIC MANAGEMENT APIs ENROUTE REDIRECT APIs PROOF OF DELIVERY APIs TRAFFIC DATA APIs 3PL SERVICES APIs 3P PICKUP/DROPOFF APIs Digital Transformation in Transportation & Logistics Offline / In-Person Web Mobile Omnichannel Ecosystem
- 11. 11Low digital maturity High digital maturity PRACTITIONER OFFICE OFFLINE HEALTH RECORDS CALL CENTER ONLINE RESEARCH CLAIMS & HISTORY APPOINTMENT APIs PLAN SELECION APIs INSURER INTEGRATON APIs TELEHEALTH APIs BIOTELEMETRY APIs EHR APIs MONITORING DEVICE APIs CARE ANALYTICS APIs PARTNER SERVICES APIs Digital Transformation in Healthcare Offline / In-Person Web Mobile Omnichannel Ecosystem
- 12. 12Low digital maturity High digital maturity RETAIL BANKING ONLINE BANKING LOCATION & SERVICE APIs ACCOUNT APIs ALERT/MONITORING APIs MOBILE PAYMENT APIs DIRECT DEPOSIT APIs INVESTMENT APIs P2P MOBILE PAYMENT APIs LOYALTY PARTNER APIs P2P LENDING APIs WEALTH MANAGEMENT APIs Digital Transformation in Financial Services Offline / In-Person Web Mobile Omnichannel Ecosystem
- 13. 13Low digital maturity High digital maturity BROADCAST MEDIA PROPRIETARY STB ONLINE PURCHASE GUIDE & METADATA STREAMING MEDIA APIs METADATA APIs ENTITLEMENT APIs VIEWER PROFILE APIs QUAD-PLAY APIs SERVICE DASHBOARD APIs WALLET/PAYMENT APIs PARTNER ENTITLEMENT APIs CONTENT-KEYED APIs AD NETWORK APIs EVENT APIs Digital Transformation in Media & Entertainment Offline / In-Person Web Mobile Omnichannel Ecosystem
- 14. 14Low digital maturity High digital maturity BROADCAST SPORTS DISCONNECTED DEVICES SCORES & STATS ONLINE CONTENT SCORES & STATS APIs TRACK & MONITOR APIs FITNESS PROFILE APIs REAL-TIME 2ND SCREEN APIs MULTI-DEVICE PROFILE APIs FITNESS PLATFORM APIs HEALTH CONNECTIVITY APIs DATA SUBSCRIPTION APIs Digital Transformation in Sports & Fitness Offline / In-Person Web Mobile Omnichannel Ecosystem
- 15. 15Low digital maturity High digital maturity PROPRIETARY RESERVATIONS TRAVEL AGENT FARES & SCHEDULES ONLINE BOOKING ONLINE CHANNELS FARE & SCHEDULE APIs STATUS & ALERT APIs TRAVELER PROFILE APIs IDENTITY & ACCESS APIs LOCATION-AWARE APIs ENROUTE SERVICES APIs LOYALTY PARTNER APIs MULTI-MODE TRAVEL APIs Digital Transformation in Travel & Hospitality Offline / In-Person Web Mobile Omnichannel Ecosystem
- 16. 16
- 18. 18 Niantic's API for Pokemon Go Cracked API functions as the access point for accessing DB and algorithm 3rd parties found the API and created apps that aid in the capture Server side issues (including downtime) increased as a result Pokevision FastPokeMap
- 19. The Three Attack Vectors to Watch Out For
- 20. 20 Outside the Enterprise Internet of Things Mobile SaaS/Cloud Solutions AWS, Google, SFDC … Partner Ecosystems External Developers Within the Enterprise Secure Data Application Portfolio ID/Authentication Reporting & Analytics Internal Teams The Three Attack Vectors to Watch Out For Many API developers come directly from a web design background, and may bring with them some bad habits Identity Identity attacks exploit flaws in authentication, authorization, and session tracking. In particular, many of these are the result of migrating bad practices from the web world into API development. Parameters Parameter attacks exploit the data sent into an API, including URL, query parameters, HTTP headers, and/or post content Main-in-the-middle Simplify These attacks intercept legitimate transactions and exploit unsigned and/or unencrypted data being sent between the client and the server. They can reveal confdential information (such as personal data), alter a transaction in flight, or even replay legitimate transactions.
- 21. 21 Attack Vector: Parameters API functions as the access point for accessing DB and algorithm – In the traditional web world, parameterization was limited and indirect – Subject to the capabilities of URLs and forms APIs in contrast and offer much more explicit parameterization – The full power of RESTful design: GET, POST, PUT, DELETE (And don’t stop there… what about effects of HEAD, etc)? This creates a greater potential attack surface – Injection, bounds, correlation, and so on
- 22. 22 Attack Vector: Identity We had it surprisingly good in the Web world – Browser session usually tied to human – Dealing with one identity is not so tough Security tokens abound, but solutions are mature – Username/pass, multi-factor, SAML, etc APIs rapidly becoming more difficult – Non-human entities – Multiple layers of relevant identities Me, my attributes, my phone, my developer, my provider…
- 23. 23 API keys “An application programing interface key (API key) is a code generated by websites that allow users to access their application programming interface. API keys are used to track how the API is being used in order to prevent malicious use or abuse of the terms of service. Many applications publishing APIs require clients to use an API key to access to their functionality (Source: wikipedia http://en.wikipedia.org/wiki/Application_programming_interface_key )
- 25. 25 How Should You Secure Your APIs? 25
- 26. Five Simple Mitigation StrategiesThat Will Allow an Organization to More Securely Publish APIs
- 27. 27 Strategy 1: Validate Parameters Strategy 1: Validate Parameters Strategy 2: Apply Explicit Threat Detetion Strategy 3: Turn on SSL Everywhere Strategy 4: Apply Rigorous Authentication and Authorization Strategy 5: Use Proven Solutions • Rigorous validation of consumer supplied inputs – and API output • Use schema validation
- 28. 28 Strategy 2: Apply Explicit Threat Detection Strategy 1: Validate Parameters Strategy 2: Apply Explicit Threat Detetion Strategy 3: Turn on SSL Everywhere Strategy 4: Apply Rigorous Authentication and Authorization Strategy 5: Use Proven Solutions • Blacklist dangerous tags like <SCRIPT> • Virus scanning of attachments • Very large messages can all be effective denial-of-service attacks
- 29. 29 Strategy 3: Turn on SSL Everywhere Strategy 1: Validate Parameters Strategy 2: Apply Explicit Threat Detetion Strategy 3: Turn on SSL Everywhere Strategy 4: Apply Rigorous Authentication and Authorization Strategy 5: Use Proven Solutions
- 30. 30 Strategy 4: Apply Rigorous Authentication and Authorization Strategy 1: Validate Parameters Strategy 2: Apply Explicit Threat Detetion Strategy 3: Turn on SSL Everywhere Strategy 4: Apply Rigorous Authentication and Authorization Strategy 5: Use Proven Solutions • Multiple identity profile (Roles, Geo location,IP,User agent,Time of day...) • OAuth for people
- 31. 31 Strategy 5: Use Proven Solutions Strategy 1: Validate Parameters Strategy 2: Apply Explicit Threat Detetion Strategy 3: Turn on SSL Everywhere Strategy 4: Apply Rigorous Authentication and Authorization Strategy 5: Use Proven Solutions • Separate out API implementation and API security into distinct tiers • API Gateway ( Access control, Threat detection, Confidentiality and integrity, Audit management)
- 32. Conclusion APIs represent a great opportunity for the enterprise to integrate applications quickly and easily. But APIs can be a double-edged sword: promising agility, while at the same time increasing risk. But if an organization can address API security as an architectural challenge long before any development takes place, it can reap the rewards of this technological breakthrough safely and securely.
- 33. 33 Q & A