1. WHAT HACKERS DON’T WANT YOU TO KNOW: HOW TO MAXIMIZE YOUR API SECURITY
March 4, 2020
Dallas MuleSoft Meetup Group
2. All contents © MuleSoft Inc.
Agenda
• 6:00PM – Doors open
• 6:00PM - 6:30PM – Network, Eat, and Socialize
• 6:30PM - 6:35PM – Introductions
• 6:35PM - 7:30PM – Presentation/Demo
• 7:30PM - 7:45PM – Q&A
• 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and Speakers
3. Introductions
• About the presenters:
– Big Compass
– Aaron Lieberman
– Ping Identity
– Francois Lascelles
4. MuleSoft API Management and Security
• MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
• PingIntelligence with MuleSoft APIs
5. API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage
7. Giveaway!
With MuleSoft API Manager security policies, what is the difference between rate limiting and request throttling?
8. MuleSoft API Management
• API Manager
– Creating an API
– SLA Tiers
– Contracts
– Alerts
– Policies
• Out of the box policies
• Custom Policy from API Manager
• Develop Custom Policy in Anypoint Studio
• Secure your APIs!
– Monitoring
9. Securing APIs in MuleSoft With API Manager
• Specific to one API
– New feature of automated policies to apply the same set of policies to many APIs
• Common Policies in API Manager
– Basic authentication
– IP whitelist/blacklist
– Client ID Enforcement
– OAuth 2.0
– SLA based rate limiting and throttling
11. MuleSoft Anypoint Security
• Secure all applications deployed to your Runtime Fabric with Edge Policies
• Implement a Web Application Firewall (WAF)
• Other policies
– IP whitelist
– Denial of service
– HTTP limits
12. MuleSoft + WAF Security
• Protects against many common attacks
– SQL Injection
– Cross Site Scripting
– Body scanning
– OWASP Top 10 attacks
– These are known vulnerabilities!
13. Security Policies + WAF Protection
• What do security policies + WAF actually protect against?
– Basic attacks (authentication, rate limiting, SQL injection, etc.)
• What are the vulnerabilities?
– Advanced API attacks from authenticated hackers
– No way to detect authenticated attacks
• Google took 2.5 years to detect a breach
• How do we protect against these vulnerabilities?
14. MuleSoft + WAF Security Demo Architecture
16. Giveaway!
How long did it take Google to detect an ongoing breach on their API?
A. 0-6 Months
B. 6-12 Months
C. 12-24 Months
D. 2+ Years
17. Current API Landscape
• APIs steadily increasing
• Attacks steadily increasing
18. Complementary Visibility
Diagram: API Management, API Traffic Analysis, “Effective” APIs, API Catalogue
Gartner: “Discover your APIs before attackers discover them”
20. Why are API breaches persisting?
• Unexpected “outside-the-app” scenarios
• Deficit of available expertise
• Real-time security focus
• Downstream vulnerabilities
• Users (phish, password reuse, insider threat)
• Clients that can’t keep secrets
• Bearer tokens
• Foundational API security blindspots
• External Vulnerabilities
21. Augmenting API Security with Machine Learning
MODEL
• Learn from API traffic
• Build models: API traffic from legit apps
DETECT
• Inspect runtime traffic
• Look for deviations from model
BLOCK
• Block compromised tokens
• Notify/alert
22. Outcomes of applying ML to API security
Result: Automated Attack Detection and Blocking
• No policy authoring needed (anomaly detection)
• Secondary layer of defense to catch persisting gaps
• Get notified of attack through existing SIEM and specialized tooling
• Block requester by blacklisting API client
– Block by token
– Block by API key
– Block by identity
– Block by IP address
– Block by cookie
– …
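The MODEL / DETECT / BLOCK loop from the previous slide and the block-by-token outcome above, as an added worked example in Python (not PingIntelligence or MuleSoft code): a baseline is learnt from constructed legitimate-app log lines, runtime traffic is checked against it, and a token that deviates (an endpoint no legit app ever called, or a per-minute request rate more than three standard deviations above the baseline) is blocked for the rest of the run. The endpoint paths, token names and the z-score rule are assumptions of the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed log lines "<minute> <token> <method> <path>"; TRAINING is legit-app traffic.
TRAINING = [
    "1 tokA GET /orders", "1 tokA GET /profile",
    "2 tokA GET /orders", "2 tokA POST /orders", "2 tokA GET /profile",
    "3 tokA GET /orders", "3 tokA GET /profile",
    "1 tokB GET /profile", "1 tokB GET /orders", "1 tokB POST /orders",
    "2 tokB GET /orders", "2 tokB GET /profile",
    "3 tokB GET /orders", "3 tokB POST /orders", "3 tokB GET /profile",
]
RUNTIME = ["10 tokA GET /profile"] * 5 + [   # 5th request in a minute is too many
    "10 tokA GET /orders",                   # tokA is already blocked
    "10 tokB GET /admin/users",              # endpoint never seen from legit apps
    "11 tokB GET /orders",                   # tokB is already blocked
    "11 tokD GET /orders",                   # new token behaving normally: allowed
]

def build_model(lines):
    """MODEL: (method, path) pairs legit apps call, plus mean and population
    stdev of requests per token per minute."""
    endpoints, per_token_minute = set(), Counter()
    for minute, token, method, path in (l.split() for l in lines):
        endpoints.add((method, path))
        per_token_minute[(token, minute)] += 1
    rates = list(per_token_minute.values())
    return {"endpoints": endpoints, "mean": mean(rates), "stdev": pstdev(rates)}

def detect_and_block(model, lines, z=3.0):
    """DETECT deviations from the model at runtime and BLOCK the offending
    token; returns (decisions, blocked_tokens)."""
    limit = model["mean"] + z * model["stdev"]   # z-score rate threshold
    blocked, seen, decisions = set(), Counter(), []
    for minute, token, method, path in (l.split() for l in lines):
        if token in blocked:
            decisions.append((token, path, "blocked"))
            continue
        seen[(token, minute)] += 1
        if (method, path) not in model["endpoints"]:
            reason = "unknown endpoint"
        elif seen[(token, minute)] > limit:
            reason = "rate anomaly"
        else:
            decisions.append((token, path, "allow"))
            continue
        blocked.add(token)   # a notify/alert to the SIEM would fire here too
        decisions.append((token, path, "block: " + reason))
    return decisions, blocked
```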
23. API Decoys
Leverage Hacking Behaviors Against Attackers
1. Hacker touches decoy APIs
2. Instant flagging of malicious requesters
3. Blocks access to real APIs
Diagram: decoy endpoints /finance, /query/date, /account, /query/name, answered with 200 OK
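The decoy flow on this slide (touch a decoy, flag the requester, cut it off from the real APIs) as an added example gateway in Python; it is not PingIntelligence code. The decoy paths are the four shown on the slide; the real /orders endpoint, the requester identifiers and the traffic are constructed for the demo.

```python
from dataclasses import dataclass, field

# Decoy paths are the ones on the slide; they are never published in the API
# catalogue, so a legitimate app has no reason to call them. /orders, the
# requester ids and the traffic below are constructed for the demo.
DECOY_PATHS = {"/finance", "/query/date", "/account", "/query/name"}
REAL_PATHS = {"/orders"}

@dataclass
class DecoyGateway:
    flagged: set = field(default_factory=set)    # requesters that touched a decoy
    alerts: list = field(default_factory=list)   # events for the SIEM

    def handle(self, requester, path):
        """Return (status, body). `requester` is whatever identity the gateway
        blocks on: token, API key, client IP or cookie."""
        if path in DECOY_PATHS:
            # 1. requester touches a decoy -> 2. flag it instantly. Answer 200 OK
            # with an empty result so the probe looks like a real endpoint.
            self.flagged.add(requester)
            self.alerts.append(f"decoy hit: {requester} {path}")
            return 200, {"results": []}
        if requester in self.flagged:
            # 3. anything already flagged is cut off from the real APIs.
            return 403, {"error": "blocked"}
        if path in REAL_PATHS:
            return 200, {"results": ["order-1"]}
        return 404, {"error": "not found"}

def simulate(traffic):
    """Run constructed (requester, path) pairs through one gateway; return the
    status codes and the gateway so callers can inspect flagged/alerts."""
    gw = DecoyGateway()
    statuses = [gw.handle(req, path)[0] for req, path in traffic]
    return statuses, gw

TRAFFIC = [
    ("app-token", "/orders"),      # legit client: 200
    ("probe-ip", "/orders"),       # attacker looks normal so far: 200
    ("probe-ip", "/account"),      # decoy hit: looks like 200 OK, requester flagged
    ("probe-ip", "/orders"),       # real API now refused: 403
    ("probe-ip", "/query/name"),   # further decoy probing still "succeeds": 200
    ("app-token", "/orders"),      # legit client unaffected: 200
]
```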
24. PingIntelligence For APIs
Diagram: App Servers and APIs protected by PingIntelligence for APIs ® (API Discovery, Attack Blocking, Deep Reporting)
• Deep API Visibility
– Dynamically discover APIs across all API silos
– Analyze API activity, apply identity correlation
• Automated threat detection and blocking
– Detect and stop attacks that are not caught by foundational API security
– Use API decoys to flag hackers before attacks start
• Self Learning
– Use AI to build models automatically
– Eliminate the need to write and manage policies and update API attack signatures
25. Comprehensive Security: MuleSoft + PingIntelligence
Foundational API Security (MuleSoft: Scalable Multi-Cloud API Platform)
• Content Injection: JSON, XML, SQL injection protection, XSS
• Flow Control: Throttling, Metering, Quota Management, Circuit-breakers
• Access Control: AuthN, AuthZ, Token Management, Microgateway
AI-Powered Cyberattacks Detection (PingIntelligence for APIs: AI-powered Threat Protection for APIs)
• Automated Cyber Attack Blocking: Blocks stolen tokens/cookies, Bad IPs & API keys
• API Deception & Decoys: Instant hacking detection and blocking
• Deep API Traffic Visibility & Reporting: Monitor & report on all API activity
26. MuleSoft + WAF + PingIntelligence Architecture
Full Lifecycle API Mgmt.
• Design, Create, Publish APIs
• Content Inspection
• Content Validation
• Session Management
• Policy Based Security enforcement
• Rate Limiting
API Visibility & Protection
• Deep Visibility & Reporting
• Unique API Behavioral models
• Automated Attack Blocking
• API Discovery
• API Deception
• Self Learning – no rules or Policies
Web Application Security
• WAF Positive Security Model
• OWASP Top 10 Protection
• DDoS Prevention
• RASP
• Content Filtering
• Rate Limiting
• Signature Based Detection
28. References and Documentation
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
– https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
– https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
– Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
• https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html
29. References and Documentation (continued)
• MuleSoft Documentation
– API Manager
• https://docs.mulesoft.com/api-manager/2.x/
– Anypoint Security
• https://docs.mulesoft.com/anypoint-security/
31. What’s Next?
• Share:
– Tweet your pictures with the hashtag #MuleMeetup
– Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
– Contact your organizer aaron@bigcompass.com or linda.gunn@bigcompass.com to suggest topics
– Contact MuleSoft at meetup@mulesoft.com for ways to improve the program
• Our next meetup:
– Date: August 2019
– Location: TBD
– Topic: TBD
32. See you next time
Please send topic suggestions to the organizer