As the pace at which APIs are created keeps accelerating, proper security requires automation. This presentation introduces the top OWASP issues occurring today and a series of steps to better protect our APIs.
SecDevOps for API Security
1. The API Security Platform for the Enterprise
ISABELLE MAUNY - CTO & CO-FOUNDER
ISABELLE@42CRUNCH.COM
SEC-DEV-OPS
AN AUTOMATED APPROACH TO API SECURITY
2. OWASP : FROM 2010 THROUGH 2017
For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are:
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
Top 10 2017:
• A1:2017-Injection
• A2:2017-Broken Authentication
• A3:2017-Sensitive Data Exposure
• A4:2017-XML External Entities (XXE)
• A5:2017-Broken Access Control
• A6:2017-Security Misconfiguration
• A7:2017-Cross-Site Scripting (XSS)
• A8:2017-Insecure Deserialization
• A9:2017-Using Components with Known Vulnerabilities
• A10:2017-Insufficient Logging & Monitoring
19. VALIDATE AND SANITIZE INPUT
URL validation
Verb validation
✓ Reject if not valid
✓ Reject if user not authorized
Query params validation
✓ Min / Max / Pattern-based matching
Content-Type validation
✓ Don’t accept as-is!
Accept Header validation
✓ Don’t copy into Content-Type
Data inbound
✓ Format
✓ Message size and complexity
Data outbound
✓ Data leakage
✓ Exception leakage
✓ Use rules against data dictionary
OPEN API to the RESCUE !
20. VALIDATE JWT TOKENS
Don’t trust the incoming token!
Validate algorithm (the one you chose!)
✓ HS256 ?
✓ RS256 (recommended)
✓ Reject the "none" algorithm
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims
Add your own claims
OPEN API to the RESCUE !
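The checks on this slide as one Python validator, added here as an illustration (not code from the deck or from 42Crunch): the algorithm is pinned server-side instead of being read from the token, so "none" and any algorithm swap are rejected before any signature work, the signature is verified over the exact header.payload bytes, and the standard exp/nbf/iss/aud claims are checked. It uses HS256 only because the standard library has no RSA; with RS256, as the slide recommends, just the signature step changes. The issuer, audience and key values are constructed.

```python
import base64, hashlib, hmac, json, time

# Pinned server-side (constructed sample values): never taken from the token.
EXPECTED_ALG = "HS256"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "api.example"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # 1. Algorithm: reject "none" and anything but the one we chose,
    #    before doing any signature work.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    # 2. Signature over the exact header.payload bytes, constant-time compare.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # 3. Standard claims: exp (required), nbf, iss, aud.
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired or missing exp")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("not yet valid")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Helper to mint sample tokens; alg="none" yields an unsigned token."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```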
22. FINE-GRAIN AUTHORIZATION
Who is calling ?
✓ Is it your own app ?
✓ Is it a trusted user ?
What can they do ?
Example: T-Mobile number
Scopes are often not enough !
✓ Need ABAC solution
✓ SAML !
28. PROTECT YOUR APIS
Deploy security measures such as API Security Gateways/Firewalls
✓ Introduce Rate Limiting
• Brute force attacks (see N26!)
• DOS attacks
✓ Security Policies automatically applied and enforced
✓ Serves as Virtual Patching for protection
✓ Deploy at the edge and/or close to APIs (microservices architecture)
29. MONITOR AND ANALYZE
✓ Use Development ticketing system for tracking issues
✓ Analyse runtime behaviour and raise issues automatically
30. 42CRUNCH DEV-SEC-OPS CYCLE FOR APIS
Develop → Assess → Protect → Deploy → Test → Monitor (and back to Develop)
• Develop: Develop and document API with OpenAPI/Swagger
• Assess: Assess API description and evaluate risk level
• Protect: Configure and apply security policies from assessed risk
• Deploy: Deploy to containerized PEP
• Test: Continuous API hardening including API fuzzing
• Monitor: Monitor security vulnerabilities and runtime behavior