With the number of APIs increasing constantly right along with the number of cyber attacks, API security has never been so important to success in an enterprise. This MuleSoft Meetup was a co-presentation from Big Compass and PingIntelligence by Ping Identity. We looked at how API security works with MuleSoft including the API development lifecycle and implementing security policies on a live API from Anypoint Platform API Manager. We also displayed the monitoring capabilities from API Manager and what a policy violation might look like. Then, we had some fun by simulating hacks on our own API. We simulated some common attacks and how API Manager and/or a WAF can block these common attacks. From there, we dove even deeper by simulating very advanced attacks like OAuth token hijacking, data theft, and DoS attacks that fly under the SLA radar. This is where we implemented PingIntelligence’s Anypoint integration custom API policy, showed how a MuleSoft API can connect with PingIntelligence, and how PingIntelligence uses AI to discover and model normal behavior and learn about your APIs to prevent and report on advanced attacks and instruct Anypoint Platform to stop these requesters.

1. WHAT HACKERS DON’T WANT YOU TO KNOW: HOW TO
MAXIMIZE YOUR API SECURITY
June 20, 2019
Denver MuleSoft Meetup Group

2. All contents © MuleSoft Inc.
Agenda
2
• 6:00PM – Doors open
• 6:00PM - 6:30PM – Network, Eat, and Socialize
• 6:30PM - 6:35PM – Introductions
• 6:35PM - 7:30PM – Presentation/Demo
• 7:30PM - 7:45PM – Q&A
• 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and
Speakers

3. All contents © MuleSoft Inc.
Introductions
3
• About the organizer:
– Big Compass
• About the presenters:
– Aaron Lieberman
– Tyler Reynolds

4. • MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
• PingIntelligence with MuleSoft APIs
MuleSoft API Management
and Security

5. All contents © MuleSoft Inc.
API Lifecycle
5
• Design
• Build
• Test
• Deploy
• Manage

6. Demo
API Lifecycle

7. With MuleSoft API Manager security policies, what
is the difference between rate limiting and
request throttling?
Giveaway!

8. All contents © MuleSoft Inc.
MuleSoft API Management
8
• API Manager
– Creating an API
– SLA Tiers
– Contracts
– Alerts
– Policies
• Out of the box policies
• Custom Policy from API Manager
• Develop Custom Policy in Anypoint
Studio
• Secure your APIs!
– Monitoring

9. All contents © MuleSoft Inc.
Securing APIs in MuleSoft With API Manager
9
• Specific to one API
– New feature of automated policies
to apply same set of policies to
many APIs
• Common Policies in API
Manager
– Basic authentication
– IP whitelist/blacklist
– Client ID Enforcement
– OAuth 2.0
– SLA based rate limiting and
throttling

10. Demo
MuleSoft API Management/Security and Attacking a
MuleSoft API

11. All contents © MuleSoft Inc.
MuleSoft Anypoint Security
11
• Secure all applications deployed
to your Runtime Fabric with Edge
Policies
• Implement a Web Application
Firewall (WAF)
• Other policies
– IP whitelist
– Denial of service
– HTTP limits

12. All contents © MuleSoft Inc.
MuleSoft + WAF Security
12
• Protects against many common
attacks
– SQL Injection
– Cross Site Scripting
– Body scanning
– OWASP Top 10 attacks
– These are known vulnerabilities!

13. All contents © MuleSoft Inc.
Security Policies + WAF Protection
13
• What do security policies + WAF
actually protect against?
– Basic attacks (authentication, rate
limiting, SQL injection, etc.)
• What are the vulnerabilities?
– Advanced API attacks from
authenticated hackers
– No way to detect authenticated
attacks
• Google took 2.5 years to detect a breach
• How do we protect against these
vulnerabilities?

14. All contents © MuleSoft Inc.
MuleSoft + WAF Security Demo Architecture
14

15. Demo
MuleSoft API + WAF Security and Attacking an API Behind a
WAF

16. How long did it take Google to detect an ongoing
breach on their API?
A.0-6 Months
B.6-12 Months
C.12-24 Months
D.2+ Years
Giveaway!

17. All contents © MuleSoft Inc.
Current API Landscape
17
• APIs steadily increasing
• Attacks steadily increasing

18. All contents © MuleSoft Inc.
Current API Security Landscape
18
Reactive -> Proactive
Average Time to Detect First Breach
2018 Verizon DBIR
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs
API Security Survey:

19. All contents © MuleSoft Inc.
API Security – A Difficult Problem!
19
IP
Geolocation Time /Day
Session Length
...
API 1
API 2
API 3
API 4
• High number of sessions across
many APIs
• High velocity connections
• Large mix of inbound client types
and activity
– Legitimate clients
– High velocity attackers disrupt
services, access content, etc.
– Hackers with valid credentials blend in
while maliciously accessing API
services
• Looking for a needle in a haystack

20. All contents © MuleSoft Inc. 20
API Login and API DDoS Attacks
•Brute force login attacks
•Stolen identifiers: cookies and tokens
•API specific DoS and API DDoS attacks
Compromised Account / Insider Attacks
•Account take over
•Data theft
•Application control
Hackers using Machine Learning
•Every attack looks different
•Every blocked attack leads to a new attack …
How vulnerable are APIs to attacks?

21. All contents © MuleSoft Inc.
Answer: Leverage AI
MODEL
• Learn from API traffic
• Build model for legit
apps
DETECT
• Inspect runtime
traffic
• Look for deviations
from model
BLOCK
• Block compromised
tokens
• Notify/alert

22. All contents © MuleSoft Inc.
PingIntelligence For APIs
PingIntelligence for APIs ®
App
Servers
API Discovery Attack Blocking Deep Reporting
APIs APIs APIs
• Deep API Visibility
– Dynamically discover APIs across all
environments
– Monitor all API activity including every command
and method used throughout a session
• Automated threat detection and blocking
– Detect and stop attacks that use APIs to
compromise data and applications
– Use API honeypots to instantly detect probing
hackers and prevent access to production APIs
• Self Learning
– Use AI to discover expected behavior for each
API in API gateway and app server environment
– Eliminate the need to write and manage policies
and update API attack signatures

23. All contents © MuleSoft Inc.
• You can’t fully trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
– Client app, user, 3rd party identities
Phishing
+token
Stolen token
User data
<api>
>collections
_
GitHub leaking client
secrets
Password
reuse
Zero Trust

24. All contents © MuleSoft Inc.
Comprehensive Security: MuleSoft + PingIntelligence
Foundational API Security
Content Injection
JSON, XML, SQL injection protection, XSS
Flow Control
Throttling, Metering, Quota Management, Circuit-
breakers
Access Control
AuthN, AuthZ, Token Management, Microgateway
AI-Powered Cyberattacks Detection
Automated Cyber Attack Blocking
Blocks stolen tokens/cookies, Bad IP’s & API keys
API Deception & Honeypot
Instant hacking detection and blocking
Deep API Traffic Visibility & Reporting
Monitor & report on all API activity
Scalable Multi-Cloud API Platform AI-powered Threat Protection for APIs
PingIntelligence
for APIs

25. All contents © MuleSoft Inc.
PingIntelligence Augments API Security
Web Application FirewallsPingIntelligence for APIsAPI Gateways
Complementary to API Gateways and WAFs
OWASP Top 10 Protection
+ +
Authenticated users
Advanced attacks
API Management
Security Policies

26. All contents © MuleSoft Inc. 26
Hacker Deception

27. All contents © MuleSoft Inc.
• API Breaches go undetected for months or
years
• Enterprises need incorporate zero-trust for API
Strategy
• Gartner: “by 2022, API abuses will be the
most frequent attack vector that result in
breaches”
• Many attacks can’t be detected with traditional
API security
• Help is here from MuleSoft and PingIntelligence
your
customer
your
org
Attack Landscape Summary

28. All contents © MuleSoft Inc.
MuleSoft + WAF + PingIntelligence Architecture
Full Lifecycle API Mgmt.
Design, Create, Publish APIs
Content Inspection
Content Validation
Session Management
Policy Based Security enforcement
Rate Limiting
API Visibility & Protection
Deep Visibility & Reporting
Unique API Behavioral models
Automated Attack Blocking
API Discovery
API Deception
Self Learning – no rules or
Policies
Web Application Security
WAF Positive Security Model
OWASP Top 10 Protection
DDoS Prevention
RASP
Content Filtering
Rate Limiting
Signature Based Detection

29. Demo
Attacking a MuleSoft Security+ WAF + PingIntelligence
Protected API

30. All contents © MuleSoft Inc.
References and Documentation
30
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
– https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pi
ngintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
– https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_
Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
– Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
• https://www.pingidentity.com/en/resources/client-library/white-
papers/2018/evolving-api-security-landscape.html

31. All contents © MuleSoft Inc.
References and Documentation
31
• MuleSoft Documentation
– API Manager
• https://docs.mulesoft.com/api-manager/2.x/
– Anypoint Security
• https://docs.mulesoft.com/anypoint-security/

32. Questions?

33. All contents © MuleSoft Inc.
What’s Next?
33
• Share:
– Tweet your pictures with the hashtag #MuleMeetup
– Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
– Contact your organizer aaron@bigcompass.com or linda.gunn@bigcompass.com
to suggest topics
– Contact MuleSoft at meetup@mulesoft.com for ways to improve the program
• Our next meetup:
– Date: August 2019
– Location: TBD
– Topic: TBD

34. See you next time
Please send topic suggestions to the organizer