API security needs to be thought with agility and collaboration in mind. In this presentation, we explain why API security must be automated: explosion of endpoints, continuous change, human errors and early involvement of security teams in API dev process.
Project Based Learning (A.I).pptx detail explanation
Better API Security with Automation
1. The API Security Platform for the Enterprise
ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER
ISABELLE@42CRUNCH.COM
BETTER SECURITY
WITH AN AUTOMATED APPROACH
2. OWASP : FROM 2010 THROUGH 2017
2
TOP 10 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Top 10 2017
A1: Injection*
A2: Broken Authentication
A3: Sensitive Data Exposure*
A4: XML External Entities (XXE)*
A5: Broken Access Control*
A6: Security Misconfiguration*
A7: Cross-Site Scripting (XSS)*
A8: Insecure Deserialization*
A9: Using Components with Known Vulnerabilities*
A10: Insufficient Logging&Monitoring
*= API related
3. 3By 2022 APIs will become the most common attack vector - Gartner
10. VALIDATE AND
SANITIZE INPUT
10
URL validation
Verb validation
✓ Reject if not valid
Query params validation
✓ Min / Max / Pattern-based matching
Content-Type validation
✓ Don’t accept as-is!
Accept Header validation
✓ Don’t copy into Content-Type
Data inbound
✓ Format
✓ Message Size and complexity
Data outbound
✓ Data Leakage
✓ Exception Leakage
✓ Use rules against data dictionary
2
OPENAPI SPECIFICATION to the RESCUE !
11. VALIDATE JWT
TOKENS
11
Don’t trust the incoming token!
Validate algorithm (the one you chose!)
✓ HS256
✓ RS256 (recommended)
Reject None!
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims and your own claims
See details Learn the best practices for keeping your JWTs secure.
3
OPENAPI SPECIFICATION (AGAIN) to the RESCUE !
12. FINE-GRAIN
AUTHORIZATION
12
Who is calling ?
✓ Is it your own app ?
✓ Is it a trusted user ?
What can they do ?
Example: T-Mobile number
Scopes are often not enough !
✓ Need ABAC solution (XACML!)
4
18. 18
PROTECT YOUR
APIS
3
Protect all APIs ( public, private, SaaS)
AUTOMATICALLY deploy security measures
such as API Security Gateways/Firewalls
✓ Enforce Rate Limiting
• Brute force attacks (see N26!)
• DOS attacks
✓ Data Validation / JWT Validation / Auth / Azn
✓ Serves as Virtual Patching (as a WAF does for applications)
✓ Deploy at the edge and/or close to APIs (microservices
architecture)
19. Use Development ticketing system for
tracking issues
Analyse runtime behaviour and raise
issues automatically
19
MONITOR AND
ANALYZE
4
20. JOIN THE MAILING LIST !
APISECURITY.IO
NEWS AND TOOLS FOR BETTER API SECURITY
22. PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS
22
Monitor
Assess
Protect
Test
Develop Deploy
Monitor Security
Vulnerabilities and
runtime behavior
Continuous API hardening
including API fuzzing
Deploy to containerized
PEP
Configure and apply
security policies from
assessed risk
Assess API description
and evaluate risk level
Develop and document API
with OpenAPI/Swagger
23. CONTENT INJECTION: WORDPRESS API
23https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
24. TITLE TEXT
Remote Command Execution (A1)
SQL Injection (A1)
JSON injection (A1)
Information Leakage (A3)
Broken Access Control (A5)
Check: https://blog.talosintelligence.com/2018/07/
samsung-smartthings-vulns.html
24