SlideShare une entreprise Scribd logo

Building a secure BFF at Postman

A
Ankit Muchhala

The document discusses building a secure backend for frontend (BFF) and outlines various security considerations and best practices. It notes that a BFF is a single point of failure and attack as a public-facing service. It recommends implementing validation, the principle of least privilege, request tagging, access control, content security, audits, and health checks to achieve confidentiality, integrity and availability. Some specific techniques mentioned include input validation, logging sensitive data, enforcing secure dependencies, and integrating security tests into the development lifecycle.

Technologie
1  sur  37
Télécharger pour lire hors ligne
Building a secure BFF Ankit Muchhala - Postman ankit_muchhala
MicroservicesMonolith
Backend For Frontend • BFF is an API Gateway designed for a specific UI to interact with microservices. • Abstracts away implementation details from client. • Reduces network chatter and improves performance.
Security concerns? • Single point of failure and attack. • Public facing service. • Handles user input. • How to quantify these for an API?
Security Parameters Confidentiality Integrity Availability Only authorised people can access appropriate data. Data delivered by your service is not tampered with. Content is available to authorised users to on demand.
Service Server side code which contains your business logic
Validation • BFF should not perform all validations. • It should perform ecosystem checks - auth, validate header. • Business logic specific checks are deferred to downstream services.
Critical Path • Services called before request reaches the business logic. • Critical path length is an indicator of the amount of validation done on BFF. • Good to have a short critical path and fallbacks.
function hasAccess (user, owner) { } Principle of Least Privilege • User only has access to minimum resources that are necessary. • Always assume user does not have access by default. • Allow only for specific conditions. if (user.isAdmin) { return true; } if (user.id === owner.id) { return true; } return false;
Sample BFF
Architecture • Make it harder to be insecure. • Separate business logic from access control and validation. • Stack installation with predefined security setup using yeoman. security-hook orm-hook auth-hook
Vulnerable Dependencies • Use strict versions for dependencies and lockfiles. • Check vulnerable dependencies in CI pipeline. • Tools - nsp, npm audit, snyk. $ snyk test ✗ Medium severity vulnerability Description: ReDoS Introduced through: something@0.9.1 Resolution: ... ✗ Medium severity vulnerability Description: TOCTOU Introduced through: package@1.2.0 Resolution: ...
Enforcing Security • Security linting. • System tests to catch configuration issues. • E2E tests using Postman collections integrated into the CI pipeline.
E2E tests in Newman
Inbound Interaction with downstream services
Handling Internal Auth • Abstracting away internal server details from developer. • Prevents server auth leak in response or logs. • Allows for secret rotation without server side code changes. user: async function (req, res) { let user = await internal({ service: 'auth', path: '/users/current', query: { populate: true } }); return user.toJSON(); }
Request tagging • Associate each incoming request with a user associated token. • Each service can utilize this token to fetch user meta and apply validations.
IDOR • Exposing internal object references along with incorrect access control. • All user initiated actions must have verifications based on user tokens.
Logging • Scrub logs for sensitive information and user data. • Use heuristics to prevent accidental logging. • Trace logs originating from BFF to track potential PII movement.
Outbound Content security while communicating with the client.
HTTPS / HSTS • Choose the certificate based on your need and the level of user trust required - DV, OV, EV • Ensure 3rd party calls and redirections are over HTTPS. • Implement HSTS (+ preload) once you have verified everything is over HTTPS. RFC 2818, 6797
CSP • Reduces the harm caused by malicious code injection. • Start by using report-only mode to prevent side effects. • Not ideal to prevent data exfiltration - hrefs not covered. Content-Security-Policy: connect-src: 'self' script-src: 'none' img-src: * default-src: 'none' report-uri: 'https://...' RFC 7762
Other Headers • CORS: Who can access your resource. • X-XSS: Detect and prevent XSS in some browsers. • X-Frame-Options: Permit or deny displaying the website within an iframe. • HPKP: Allows HTTPS websites to resist impersonation. • SRI: Verify 3rd party assets • Refer OWASP Security Headers Project for more.
Caveats • The support for all the headers is dependent on client browser. • Cannot be solely relied on for securing your BFF. • Not a replacement for deliberate input validation and output formatting.
Platform Security considerations and processes for infrastructure.
Audits & Automation • What to audit? • Developer access • Setup configuration • Creation of new resources • We use collection runs to create new resources reliably. • Postman Monitors to perform periodic audits of our services.
Audit with Collection
Health Check • Verify critical config based on environments. • Prevent deployment if there is something obviously wrong. Ex. leaking private keys. • This is a safety net and not a testing mechanism.
SDLC Processes involved to ensure security
Security KPIs • Vulnerability categorization by CVSS scores. • Vulnerability regression. • Time to resolve - SLA. • External security reports - user identified, Hacker One, etc.
VAPT • Post-development step to assess the security of a software release. • Black box and white box testing of services. • Automation of security processes.
Outro
Revisiting Security Parameters Confidentiality Integrity Availability • Validation • PoLP • Log scrubbing • Request tagging • Access control (IDOR) • Content security (HTTPS, SRI, CSP, etc.) • Short critical path • Platform audits • Healthcheck
Key Takeaways • Security considerations while building a BFF / public API. • Building a secure API is a gradual process. • Security is a part of development process.
Thank you
Assets https://github.com/ankit-m/talks/tree/master/jsfoo-2018

Recommandé

Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
CNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking AuthenticationCNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking AuthenticationSam Bowne
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
Web Application Penetration Test
Web Application Penetration TestWeb Application Penetration Test
Web Application Penetration Testmartinvoelk
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your applicationVMware Tanzu
 

Recommandé

Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
CNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking AuthenticationCNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking AuthenticationSam Bowne
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
Web Application Penetration Test
Web Application Penetration TestWeb Application Penetration Test
Web Application Penetration Testmartinvoelk
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your applicationVMware Tanzu
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Ch 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsCh 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsSam Bowne
 
Fundamental Aspects of Security Testing
Fundamental Aspects of Security TestingFundamental Aspects of Security Testing
Fundamental Aspects of Security Testingbquriousindia
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesSathyanarayana Panduranga
 
System analyst
System analystSystem analyst
System analystreturnasap
 
application security basics
application security basicsapplication security basics
application security basicsAravindan A
 
Secure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...Inspirisys Solutions Limited
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne
 
Automation Test Framework
Automation Test FrameworkAutomation Test Framework
Automation Test FrameworkSachin-QA
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABBenith T
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application SecurityBoy Baukema
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Web attacks
Web attacksWeb attacks
Web attackshusnara mohammad
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWebsecurify
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overviewMostafa El Lathy
 
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf HechtThe Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf HechtAsaf Hecht
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 

Contenu connexe

Tendances

Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Ch 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsCh 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsSam Bowne
 
Fundamental Aspects of Security Testing
Fundamental Aspects of Security TestingFundamental Aspects of Security Testing
Fundamental Aspects of Security Testingbquriousindia
 
System analyst
System analystSystem analyst
System analystreturnasap
 
application security basics
application security basicsapplication security basics
application security basicsAravindan A
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...Inspirisys Solutions Limited
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne
 
Automation Test Framework
Automation Test FrameworkAutomation Test Framework
Automation Test FrameworkSachin-QA
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABBenith T
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application SecurityBoy Baukema
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWebsecurify
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overviewMostafa El Lathy
 
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf HechtThe Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf HechtAsaf Hecht
 

Tendances (20)

Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
 
Ch 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsCh 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side Controls
 
Fundamental Aspects of Security Testing
Fundamental Aspects of Security TestingFundamental Aspects of Security Testing
Fundamental Aspects of Security Testing
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
System analyst
System analystSystem analyst
System analyst
 
application security basics
application security basicsapplication security basics
application security basics
 
Secure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior - Logging
Secure Code Warrior - Logging
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depth
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
 
Automation Test Framework
Automation Test FrameworkAutomation Test Framework
Automation Test Framework
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LAB
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application Security
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Web attacks
Web attacksWeb attacks
Web attacks
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
 
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf HechtThe Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht
 

Similaire à Building a secure BFF at Postman

How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Webinar: Embracing REST APIs through APPSeCONNECT
Webinar: Embracing REST APIs through APPSeCONNECTWebinar: Embracing REST APIs through APPSeCONNECT
Webinar: Embracing REST APIs through APPSeCONNECTAPPSeCONNECT
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Presentation database security audit vault & database firewall
Presentation database security audit vault & database firewallPresentation database security audit vault & database firewall
Presentation database security audit vault & database firewallxKinAnx
 
Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring Integration Testing as Validation and Monitoring
Integration Testing as Validation and MonitoringMelissa Benua
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
Dncybersecurity
DncybersecurityDncybersecurity
DncybersecurityAnne Starr
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosVi Vek
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 

Similaire à Building a secure BFF at Postman (20)

How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Security testing
Security testingSecurity testing
Security testing
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Security testing
Security testingSecurity testing
Security testing
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Webinar: Embracing REST APIs through APPSeCONNECT
Webinar: Embracing REST APIs through APPSeCONNECTWebinar: Embracing REST APIs through APPSeCONNECT
Webinar: Embracing REST APIs through APPSeCONNECT
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Presentation database security audit vault & database firewall
Presentation database security audit vault & database firewallPresentation database security audit vault & database firewall
Presentation database security audit vault & database firewall
 
Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 

Dernier

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 

Dernier (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 

Building a secure BFF at Postman

  • 1. Building a secure BFF Ankit Muchhala - Postman ankit_muchhala
  • 3. Backend For Frontend • BFF is an API Gateway designed for a specific UI to interact with microservices. • Abstracts away implementation details from client. • Reduces network chatter and improves performance.
  • 4. Security concerns? • Single point of failure and attack. • Public facing service. • Handles user input. • How to quantify these for an API?
  • 5. Security Parameters Confidentiality Integrity Availability Only authorised people can access appropriate data. Data delivered by your service is not tampered with. Content is available to authorised users to on demand.
  • 6.
  • 7. Service Server side code which contains your business logic
  • 8. Validation • BFF should not perform all validations. • It should perform ecosystem checks - auth, validate header. • Business logic specific checks are deferred to downstream services.
  • 9. Critical Path • Services called before request reaches the business logic. • Critical path length is an indicator of the amount of validation done on BFF. • Good to have a short critical path and fallbacks.
  • 10. function hasAccess (user, owner) { } Principle of Least Privilege • User only has access to minimum resources that are necessary. • Always assume user does not have access by default. • Allow only for specific conditions. if (user.isAdmin) { return true; } if (user.id === owner.id) { return true; } return false;
  • 12. Architecture • Make it harder to be insecure. • Separate business logic from access control and validation. • Stack installation with predefined security setup using yeoman. security-hook orm-hook auth-hook
  • 13. Vulnerable Dependencies • Use strict versions for dependencies and lockfiles. • Check vulnerable dependencies in CI pipeline. • Tools - nsp, npm audit, snyk. $ snyk test ✗ Medium severity vulnerability Description: ReDoS Introduced through: something@0.9.1 Resolution: ... ✗ Medium severity vulnerability Description: TOCTOU Introduced through: package@1.2.0 Resolution: ...
  • 14. Enforcing Security • Security linting. • System tests to catch configuration issues. • E2E tests using Postman collections integrated into the CI pipeline.
  • 15. E2E tests in Newman
  • 17. Handling Internal Auth • Abstracting away internal server details from developer. • Prevents server auth leak in response or logs. • Allows for secret rotation without server side code changes. user: async function (req, res) { let user = await internal({ service: 'auth', path: '/users/current', query: { populate: true } }); return user.toJSON(); }
  • 18. Request tagging • Associate each incoming request with a user associated token. • Each service can utilize this token to fetch user meta and apply validations.
  • 19. IDOR • Exposing internal object references along with incorrect access control. • All user initiated actions must have verifications based on user tokens.
  • 20. Logging • Scrub logs for sensitive information and user data. • Use heuristics to prevent accidental logging. • Trace logs originating from BFF to track potential PII movement.
  • 22. HTTPS / HSTS • Choose the certificate based on your need and the level of user trust required - DV, OV, EV • Ensure 3rd party calls and redirections are over HTTPS. • Implement HSTS (+ preload) once you have verified everything is over HTTPS. RFC 2818, 6797
  • 23. CSP • Reduces the harm caused by malicious code injection. • Start by using report-only mode to prevent side effects. • Not ideal to prevent data exfiltration - hrefs not covered. Content-Security-Policy: connect-src: 'self' script-src: 'none' img-src: * default-src: 'none' report-uri: 'https://...' RFC 7762
  • 24. Other Headers • CORS: Who can access your resource. • X-XSS: Detect and prevent XSS in some browsers. • X-Frame-Options: Permit or deny displaying the website within an iframe. • HPKP: Allows HTTPS websites to resist impersonation. • SRI: Verify 3rd party assets • Refer OWASP Security Headers Project for more.
  • 25. Caveats • The support for all the headers is dependent on client browser. • Cannot be solely relied on for securing your BFF. • Not a replacement for deliberate input validation and output formatting.
  • 27. Audits & Automation • What to audit? • Developer access • Setup configuration • Creation of new resources • We use collection runs to create new resources reliably. • Postman Monitors to perform periodic audits of our services.
  • 29. Health Check • Verify critical config based on environments. • Prevent deployment if there is something obviously wrong. Ex. leaking private keys. • This is a safety net and not a testing mechanism.
  • 30. SDLC Processes involved to ensure security
  • 31. Security KPIs • Vulnerability categorization by CVSS scores. • Vulnerability regression. • Time to resolve - SLA. • External security reports - user identified, Hacker One, etc.
  • 32. VAPT • Post-development step to assess the security of a software release. • Black box and white box testing of services. • Automation of security processes.
  • 33. Outro
  • 34. Revisiting Security Parameters Confidentiality Integrity Availability • Validation • PoLP • Log scrubbing • Request tagging • Access control (IDOR) • Content security (HTTPS, SRI, CSP, etc.) • Short critical path • Platform audits • Healthcheck
  • 35. Key Takeaways • Security considerations while building a BFF / public API. • Building a secure API is a gradual process. • Security is a part of development process.