SlideShare a Scribd company logo

Building a secure BFF at Postman

A
Ankit Muchhala

The document discusses building a secure backend for frontend (BFF) and outlines various security considerations and best practices. It notes that a BFF is a single point of failure and attack as a public-facing service. It recommends implementing validation, the principle of least privilege, request tagging, access control, content security, audits, and health checks to achieve confidentiality, integrity and availability. Some specific techniques mentioned include input validation, logging sensitive data, enforcing secure dependencies, and integrating security tests into the development lifecycle.

Technology
1 of 37
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Building a secure BFF Ankit Muchhala - Postman ankit_muchhala
MicroservicesMonolith
Backend For Frontend • BFF is an API Gateway designed for a specific UI to interact with microservices. • Abstracts away implementation details from client. • Reduces network chatter and improves performance.
Security concerns? • Single point of failure and attack. • Public facing service. • Handles user input. • How to quantify these for an API?
Security Parameters Confidentiality Integrity Availability Only authorised people can access appropriate data. Data delivered by your service is not tampered with. Content is available to authorised users to on demand.
Building a secure BFF at Postman
Service Server side code which contains your business logic
Validation • BFF should not perform all validations. • It should perform ecosystem checks - auth, validate header. • Business logic specific checks are deferred to downstream services.
Critical Path • Services called before request reaches the business logic. • Critical path length is an indicator of the amount of validation done on BFF. • Good to have a short critical path and fallbacks.
function hasAccess (user, owner) { } Principle of Least Privilege • User only has access to minimum resources that are necessary. • Always assume user does not have access by default. • Allow only for specific conditions. if (user.isAdmin) { return true; } if (user.id === owner.id) { return true; } return false;
Sample BFF
Architecture • Make it harder to be insecure. • Separate business logic from access control and validation. • Stack installation with predefined security setup using yeoman. security-hook orm-hook auth-hook
Vulnerable Dependencies • Use strict versions for dependencies and lockfiles. • Check vulnerable dependencies in CI pipeline. • Tools - nsp, npm audit, snyk. $ snyk test ✗ Medium severity vulnerability Description: ReDoS Introduced through: something@0.9.1 Resolution: ... ✗ Medium severity vulnerability Description: TOCTOU Introduced through: package@1.2.0 Resolution: ...
Enforcing Security • Security linting. • System tests to catch configuration issues. • E2E tests using Postman collections integrated into the CI pipeline.
E2E tests in Newman
Inbound Interaction with downstream services
Handling Internal Auth • Abstracting away internal server details from developer. • Prevents server auth leak in response or logs. • Allows for secret rotation without server side code changes. user: async function (req, res) { let user = await internal({ service: 'auth', path: '/users/current', query: { populate: true } }); return user.toJSON(); }
Request tagging • Associate each incoming request with a user associated token. • Each service can utilize this token to fetch user meta and apply validations.
IDOR • Exposing internal object references along with incorrect access control. • All user initiated actions must have verifications based on user tokens.
Logging • Scrub logs for sensitive information and user data. • Use heuristics to prevent accidental logging. • Trace logs originating from BFF to track potential PII movement.
Outbound Content security while communicating with the client.
HTTPS / HSTS • Choose the certificate based on your need and the level of user trust required - DV, OV, EV • Ensure 3rd party calls and redirections are over HTTPS. • Implement HSTS (+ preload) once you have verified everything is over HTTPS. RFC 2818, 6797
CSP • Reduces the harm caused by malicious code injection. • Start by using report-only mode to prevent side effects. • Not ideal to prevent data exfiltration - hrefs not covered. Content-Security-Policy: connect-src: 'self' script-src: 'none' img-src: * default-src: 'none' report-uri: 'https://...' RFC 7762
Other Headers • CORS: Who can access your resource. • X-XSS: Detect and prevent XSS in some browsers. • X-Frame-Options: Permit or deny displaying the website within an iframe. • HPKP: Allows HTTPS websites to resist impersonation. • SRI: Verify 3rd party assets • Refer OWASP Security Headers Project for more.
Caveats • The support for all the headers is dependent on client browser. • Cannot be solely relied on for securing your BFF. • Not a replacement for deliberate input validation and output formatting.
Platform Security considerations and processes for infrastructure.
Audits & Automation • What to audit? • Developer access • Setup configuration • Creation of new resources • We use collection runs to create new resources reliably. • Postman Monitors to perform periodic audits of our services.
Audit with Collection
Health Check • Verify critical config based on environments. • Prevent deployment if there is something obviously wrong. Ex. leaking private keys. • This is a safety net and not a testing mechanism.
SDLC Processes involved to ensure security
Security KPIs • Vulnerability categorization by CVSS scores. • Vulnerability regression. • Time to resolve - SLA. • External security reports - user identified, Hacker One, etc.
VAPT • Post-development step to assess the security of a software release. • Black box and white box testing of services. • Automation of security processes.
Outro
Revisiting Security Parameters Confidentiality Integrity Availability • Validation • PoLP • Log scrubbing • Request tagging • Access control (IDOR) • Content security (HTTPS, SRI, CSP, etc.) • Short critical path • Platform audits • Healthcheck
Key Takeaways • Security considerations while building a BFF / public API. • Building a secure API is a gradual process. • Security is a part of development process.
Thank you
Assets https://github.com/ankit-m/talks/tree/master/jsfoo-2018

More Related Content

PPT
Vb introduction.
sagaroceanic11
 
ZIP
Blood bank-data-abstract-php-project
narii
 
PPTX
Asp.net controls
baabtra.com - No. 1 supplier of quality freshers
 
PDF
Full report on blood bank management system
Jawhar Ali
 
PDF
Book management system
SHARDA SHARAN
 
PPTX
Hospital management
Smit Patel
 
PDF
Billing project
Sophia girl's Collge,Ajmer
 
PPTX
Implicit and explicit sequence control with exception handling
VIKASH MAINANWAL
 
Vb introduction.
sagaroceanic11
 
Blood bank-data-abstract-php-project
narii
 
Asp.net controls
baabtra.com - No. 1 supplier of quality freshers
 
Full report on blood bank management system
Jawhar Ali
 
Book management system
SHARDA SHARAN
 
Hospital management
Smit Patel
 
Billing project
Sophia girl's Collge,Ajmer
 
Implicit and explicit sequence control with exception handling
VIKASH MAINANWAL
 

What's hot (20)

DOCX
E-commerce documentation
Sohel Parvez
 
PPTX
Blood Donation Database
Zahidul Islam Razu
 
PPT
Bank management system with java
Neha Bhagat
 
DOCX
Java Exception handling
Garuda Trainings
 
DOCX
Ans.tutorial#2
Anandpudur
 
PPTX
Web development ppt
KBK Business Solutions
 
DOCX
A Software Engineering Project on Cyber cafe management
svrohith 9
 
PDF
Flipkart Software requirements specification SRS
Aman Goel
 
PPT
Project proposal presentation(blood bank management system)
Ikhtiar Khan Sohan
 
PPTX
Ajax ppt
OECLIB Odisha Electronics Control Library
 
DOCX
farming assistant web service
Surbhi Sharma
 
DOCX
Online bus ticket booking
Gaurav kumar rai - student
 
DOCX
CoffeeShop Management
Praveen Shetty
 
PPTX
E-BOOK MANAGEMENT SYSTEM PowerPoint Presentation
gurunggurungaman9
 
DOC
Synopsis on billing system
Alok Sharma
 
PPTX
Fake Note Detection of Bangladesh
TanvirAhammed22
 
PDF
blockchain technology -unit-3-notes.pdf for engineering students
imranakhtar83
 
PDF
Student result management system project using angular.pdf
AbhilashBanki1
 
PPTX
Library Management System Project in C
codewithc
 
PDF
Backend for Frontend in Microservices
IRJET Journal
 
E-commerce documentation
Sohel Parvez
 
Blood Donation Database
Zahidul Islam Razu
 
Bank management system with java
Neha Bhagat
 
Java Exception handling
Garuda Trainings
 
Ans.tutorial#2
Anandpudur
 
Web development ppt
KBK Business Solutions
 
A Software Engineering Project on Cyber cafe management
svrohith 9
 
Flipkart Software requirements specification SRS
Aman Goel
 
Project proposal presentation(blood bank management system)
Ikhtiar Khan Sohan
 
Ajax ppt
OECLIB Odisha Electronics Control Library
 
farming assistant web service
Surbhi Sharma
 
Online bus ticket booking
Gaurav kumar rai - student
 
CoffeeShop Management
Praveen Shetty
 
E-BOOK MANAGEMENT SYSTEM PowerPoint Presentation
gurunggurungaman9
 
Synopsis on billing system
Alok Sharma
 
Fake Note Detection of Bangladesh
TanvirAhammed22
 
blockchain technology -unit-3-notes.pdf for engineering students
imranakhtar83
 
Student result management system project using angular.pdf
AbhilashBanki1
 
Library Management System Project in C
codewithc
 
Backend for Frontend in Microservices
IRJET Journal
 
Ad

Similar to Building a secure BFF at Postman (20)

PDF
SecDevOps for API Security
42Crunch
 
PDF
Api security-testing
n|u - The Open Security Community
 
PDF
42crunch-API-security-workshop
42Crunch
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
PDF
APIDays Paris Security Workshop
42Crunch
 
PPTX
How to Build a Fortress with the Security of a Tent - Jacob Ideskog, Curity
Nordic APIs
 
PDF
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
PPTX
Building Secure By Default Nodejs Applications
Yolonda Smith
 
PPTX
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
PDF
Serverless Security Guy Podjarny Liran Tal
xenikwit30
 
PDF
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
apidays
 
PDF
API SECURITY
Tubagus Rizky Dharmawan
 
PDF
Checkmarx meetup API Security - Solving security at scale - Ante Gulam
Adar Weidman
 
PDF
Better API Security with Automation
42Crunch
 
PDF
Better API Security With A SecDevOps Approach
Nordic APIs
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PPTX
A Practical Guide to Securing Modern Web Applications
Manish Shekhawat
 
PDF
Designing & Building Secure Web APIs
CodeOps Technologies LLP
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
SecDevOps for API Security
42Crunch
 
Api security-testing
n|u - The Open Security Community
 
42crunch-API-security-workshop
42Crunch
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
APIDays Paris Security Workshop
42Crunch
 
How to Build a Fortress with the Security of a Tent - Jacob Ideskog, Curity
Nordic APIs
 
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
Building Secure By Default Nodejs Applications
Yolonda Smith
 
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
Serverless Security Guy Podjarny Liran Tal
xenikwit30
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
apidays
 
API SECURITY
Tubagus Rizky Dharmawan
 
Checkmarx meetup API Security - Solving security at scale - Ante Gulam
Adar Weidman
 
Better API Security with Automation
42Crunch
 
Better API Security With A SecDevOps Approach
Nordic APIs
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
A Practical Guide to Securing Modern Web Applications
Manish Shekhawat
 
Designing & Building Secure Web APIs
CodeOps Technologies LLP
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
Ad

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Encapsulation theory and applications.pdf
gurumoop
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Approach and Philosophy of On baking technology
30anthuong17
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Cloud computing and distributed systems.
kkkkkhan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
KodekX | Application Modernization Development
KodekX
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 

Building a secure BFF at Postman

  • 1. Building a secure BFF Ankit Muchhala - Postman ankit_muchhala
  • 3. Backend For Frontend • BFF is an API Gateway designed for a specific UI to interact with microservices. • Abstracts away implementation details from client. • Reduces network chatter and improves performance.
  • 4. Security concerns? • Single point of failure and attack. • Public facing service. • Handles user input. • How to quantify these for an API?
  • 5. Security Parameters Confidentiality Integrity Availability Only authorised people can access appropriate data. Data delivered by your service is not tampered with. Content is available to authorised users to on demand.
  • 7. Service Server side code which contains your business logic
  • 8. Validation • BFF should not perform all validations. • It should perform ecosystem checks - auth, validate header. • Business logic specific checks are deferred to downstream services.
  • 9. Critical Path • Services called before request reaches the business logic. • Critical path length is an indicator of the amount of validation done on BFF. • Good to have a short critical path and fallbacks.
  • 10. function hasAccess (user, owner) { } Principle of Least Privilege • User only has access to minimum resources that are necessary. • Always assume user does not have access by default. • Allow only for specific conditions. if (user.isAdmin) { return true; } if (user.id === owner.id) { return true; } return false;
  • 12. Architecture • Make it harder to be insecure. • Separate business logic from access control and validation. • Stack installation with predefined security setup using yeoman. security-hook orm-hook auth-hook
  • 13. Vulnerable Dependencies • Use strict versions for dependencies and lockfiles. • Check vulnerable dependencies in CI pipeline. • Tools - nsp, npm audit, snyk. $ snyk test ✗ Medium severity vulnerability Description: ReDoS Introduced through: something@0.9.1 Resolution: ... ✗ Medium severity vulnerability Description: TOCTOU Introduced through: package@1.2.0 Resolution: ...
  • 14. Enforcing Security • Security linting. • System tests to catch configuration issues. • E2E tests using Postman collections integrated into the CI pipeline.
  • 15. E2E tests in Newman
  • 17. Handling Internal Auth • Abstracting away internal server details from developer. • Prevents server auth leak in response or logs. • Allows for secret rotation without server side code changes. user: async function (req, res) { let user = await internal({ service: 'auth', path: '/users/current', query: { populate: true } }); return user.toJSON(); }
  • 18. Request tagging • Associate each incoming request with a user associated token. • Each service can utilize this token to fetch user meta and apply validations.
  • 19. IDOR • Exposing internal object references along with incorrect access control. • All user initiated actions must have verifications based on user tokens.
  • 20. Logging • Scrub logs for sensitive information and user data. • Use heuristics to prevent accidental logging. • Trace logs originating from BFF to track potential PII movement.
  • 22. HTTPS / HSTS • Choose the certificate based on your need and the level of user trust required - DV, OV, EV • Ensure 3rd party calls and redirections are over HTTPS. • Implement HSTS (+ preload) once you have verified everything is over HTTPS. RFC 2818, 6797
  • 23. CSP • Reduces the harm caused by malicious code injection. • Start by using report-only mode to prevent side effects. • Not ideal to prevent data exfiltration - hrefs not covered. Content-Security-Policy: connect-src: 'self' script-src: 'none' img-src: * default-src: 'none' report-uri: 'https://...' RFC 7762
  • 24. Other Headers • CORS: Who can access your resource. • X-XSS: Detect and prevent XSS in some browsers. • X-Frame-Options: Permit or deny displaying the website within an iframe. • HPKP: Allows HTTPS websites to resist impersonation. • SRI: Verify 3rd party assets • Refer OWASP Security Headers Project for more.
  • 25. Caveats • The support for all the headers is dependent on client browser. • Cannot be solely relied on for securing your BFF. • Not a replacement for deliberate input validation and output formatting.
  • 27. Audits & Automation • What to audit? • Developer access • Setup configuration • Creation of new resources • We use collection runs to create new resources reliably. • Postman Monitors to perform periodic audits of our services.
  • 29. Health Check • Verify critical config based on environments. • Prevent deployment if there is something obviously wrong. Ex. leaking private keys. • This is a safety net and not a testing mechanism.
  • 30. SDLC Processes involved to ensure security
  • 31. Security KPIs • Vulnerability categorization by CVSS scores. • Vulnerability regression. • Time to resolve - SLA. • External security reports - user identified, Hacker One, etc.
  • 32. VAPT • Post-development step to assess the security of a software release. • Black box and white box testing of services. • Automation of security processes.
  • 33. Outro
  • 34. Revisiting Security Parameters Confidentiality Integrity Availability • Validation • PoLP • Log scrubbing • Request tagging • Access control (IDOR) • Content security (HTTPS, SRI, CSP, etc.) • Short critical path • Platform audits • Healthcheck
  • 35. Key Takeaways • Security considerations while building a BFF / public API. • Building a secure API is a gradual process. • Security is a part of development process.