Virtual Meetup - API Security Best Practices
1. Calgary MuleSoft Meetup Group
API Security
November 2020
Speakers:
Mandy Wong - API & Integration Specialist, Suncor Energy
Usha Krishnamoorthy - Lead Integration Developer, Incepta Solutions
Andrew Lie - Marketing Manager, Incepta Solutions
Facilitator:
Jimmy Attia - Senior Strategic Advisor, MuleSoft
2. Safe harbor statement
The information in this presentation is confidential and proprietary to MuleSoft and may not be disclosed without the
permission of MuleSoft. This presentation is not subject to your license agreement or any other service or
subscription agreement with MuleSoft. MuleSoft has no obligation to pursue any course of business outlined in this
document or any related presentation, or to develop or release any functionality mentioned therein. This document,
or any related presentation and MuleSoft's strategy and possible future developments, products and or platforms
directions and functionality are all subject to change and may be changed by MuleSoft at any time for any reason
without notice. The information on this document is not a commitment, promise or legal obligation to deliver any
material, code or functionality. This document is provided without a warranty of any kind, either express or implied,
including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or
non-infringement. This document is for informational purposes and may not be incorporated into a contract.
MuleSoft assumes no responsibility for errors or omissions in this document, except where such damages were caused
intentionally or through gross negligence by MuleSoft.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
3. Agenda
1. Jimmy
a. Introduction
b. Meeting Logistics
2. Mandy
a. A Customer’s Journey on the Road to Security
b. What Worked and What Didn’t
3. Usha
a. Background
b. API Threats
c. API Security Solutions
d. API Security Best Practices
e. Securing Through MuleSoft
f. API Security Achieved
g. Key Takeaways
4. Q&A
5. Wrap up and Announcement of Trivia Winners
5. Customer’s Perspective on Security
● As a customer, how do we follow API-led connectivity while securing our
API assets?
● There are 3 different architectures for deployment:
○ On-Prem, Hybrid, and CloudHub
● Are the security practices for each type of deployment different?
● What are the fundamental principles of securing APIs?
● How and when do we use the numerous API policies available to us in
MuleSoft?
6. Customer’s Perspective on Security
● Depending on how many external vendors we work with, there are
different levels of API exposure
○ Expose our API endpoint(s) to just one partner
○ Expose our API endpoint(s) to multiple vendors and partners
○ Make our API endpoint(s) open to the entire public, just like
Amazon and Google do
● What security protocols do we use to protect our API assets from
data breaches and attacks in each of these cases?
7. Why API Security Matters
● With the recent increase of API development driving IoT (which plays
a central role in digital transformation), API security needs to
become a top priority
● Gartner’s report on “How to Build an Effective API Security Strategy”
predicts that API abuses will be the leading cause of enterprise web
application data breaches
● It recommends a continuous approach that incorporates security into
the API lifecycle, with security designed and implemented directly in
APIs
8. What API Security Entails
● API security is about focusing on securing any APIs you expose,
whether directly or indirectly
● We categorize security as we know it into 3 categories:
Access Control, Rate Limiting, and Content Validation
● Access Control includes OAuth, access rule definition and enforcement
● Rate Limiting includes limiting the number of requests; quotas; and
spike control so APIs do not get overwhelmed
● Content Validation includes validating the input/output content
9. Form of Security: API Proxies
● API proxies can act as a form of security, acting as a “facade” so external
apps do not call your API directly
● They play a role in rate limiting and quotas, helping to prevent distributed
denial-of-service (DDoS) attacks, and they provide Transport Layer Security
(TLS)
● They control the flow of traffic and access to microservices
● They can also encrypt the data sent by the app
● They are quick and cost-effective
10. Form of Security: API Gateways
● API gateways are a more robust form of security
● They use more advanced security features such as OAuth and OpenID to
authenticate users
● They also perform traffic routing, throttling, orchestration, and load
balancing
● They act as a reverse proxy to restrict which kinds of microservices
external apps can use
● Configuration can be complex, resulting in slow or poor performance
11. API Gateways and Proxies in MuleSoft
● MuleSoft’s API manager leverages the runtime capabilities of API
Gateway
● Mule runtime engine has an embedded API gateway
○ Essentially we use the Mule runtime as an API gateway
● API Manager automatically generates a proxy app when you select the
option to configure the API as an “endpoint with a proxy”
13. Background of APIs
● Brief history of APIs – Quick timeline
○ 1950s – 1970s: Subroutines, Libraries, FORTRAN, IBM instruction set, C Standard libraries
○ 1980s – 1990s: Interfaces between hardware and the OS, BIOS, printers, CLIs, etc.
○ 1990s – 2000s: Windows OS APIs, UNIX, Java class libraries and functions, Delicious web APIs
● Rise of API based IT solutions (2000s and onwards)
○ CRM – Salesforce officially launched its API on February 7, 2000
○ eBay – On November 20, 2000, eBay launched the eBay Application Program Interface (API)
along with the eBay Developers Program
○ Amazon – On July 16, 2002, Amazon launched Amazon.com Web Services
● The present and the possible future
○ Social media boom – FB, Flickr, Twitter, etc.
○ Mobile apps of every business – Banks, Retail, Travel, etc.
○ Smart devices – IoT, AI and assistants
14. Overall Security Areas
● Infrastructure
○ Architecture
○ Networking & VPCs
○ Load balancing
○ Firewalls
● Solutions
○ Design and structure
○ Data handling
○ Connectivity
● Data
○ Storage and management
○ Access control
19. REST API Security Threats
● Injection Attacks – Malicious untrusted data, usually a query or a script, is embedded into an
unsecured software program
● Man-In-The-Middle Attack (MITM) – An unauthorized third party secretly relays and possibly
alters the communications between two parties
● CSRF Attack – Cross-Site Request Forgery (CSRF) forces logged-in users to silently open URLs that
perform actions unintentionally
20. REST API Security Threats
● Broken Access Control – An attacker can bypass or take control of authentication in web
applications by compromising web tokens, API keys, passwords, account recovery options,
password reset methods, etc.
● Distributed Denial of Service – The most common type of attack, in which a malicious attempt
is made to disrupt normal traffic
● Web Parameter Tampering – Based on the manipulation of parameters exchanged between client
and server
● Sensitive Data Exposure – When sensitive data isn’t encrypted in transit or at rest, it could
lead to abuse of this information
25. API Security Best Practices
● API Design
○ Resistant to attacks
○ Limited/restricted access to end systems
○ Share minimum and only required data
● Framework Design
○ Audit access to sensitive data
○ Log and monitor for usage, performance, and activity
○ Integrate security testing
○ Use gateways and proxies instead of whitelists
○ Object stores – do not store sensitive information in memory
● Transport Level Secure Communications
○ Enable TLS 1.2 or subsequent versions, in accordance with CSE guidance
26. API Security Best Practices
● Identity and Access Management
○ Authenticate and authorize before any operation
■ User and app authentication
■ API and server authentication
■ User and app authorization
○ Use open standards such as OpenID Connect and
Open Authorization 2.0 (OAuth 2.0)
○ Single Sign-on
○ MFA
27. API Security Best Practices
● Data Security and Principles
○ Treat all submitted data as untrusted
and validate before processing
○ Avoid including sensitive data in request URLs
○ Audit trail of access to sensitive data
○ Avoid temporary storage of business data
○ Data masking, encryption of sensitive data, etc.
○ Message Integrity
■ Digital Signatures
○ Message Confidentiality
■ Public Key Cryptography
■ Digital Certificates
■ TLS (HTTPS)
30. How to Secure CloudHub Architecture
● API Manager
● Secret Manager
● Access Manager
● Monitoring Dashboards
● Alerting Mechanism
● Ability to externalize logs for analysis
31. MuleSoft API Manager
● API Manager Policy types
○ Default Policies
○ Automated Policies
○ Custom Policies
● Policy classification
○ Security
○ Compliance
○ Transformation
○ Troubleshooting
○ Quality of Service
32. MuleSoft Provided API Policies
● Security
○ Basic Authentication – LDAP – Authenticates credentials against an LDAP directory (Lightweight
Directory Access Protocol, e.g. Active Directory)
○ Basic Authentication – Simple – Authenticates a single user’s password
○ IP Blacklist – Blocks a range of IP addresses
○ IP Whitelist – Allows access from only a preapproved range of IP addresses
○ JSON Threat Protection – Protects against a malicious JSON structure in API requests
○ XML Threat Protection – Protects against malicious XML elements in API requests
○ Client ID Enforcement – Allows access only to client applications presenting valid client credentials
○ JWT – Validates a JSON Web Token (JWT)
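As an added illustration of what the JSON Threat Protection policy listed above guards against, here is a structural validator in Python; it is example code written for this page, not MuleSoft's implementation, and the limit names and values are assumptions of the same kind the policy exposes:

```python
import json

# Limits of the kind the JSON Threat Protection policy exposes (container depth,
# string length, entry-name length, object entry count, array element count).
# These values are illustrative assumptions, not the policy's defaults.
LIMITS = {"max_depth": 5, "max_string_length": 256, "max_entry_name_length": 64,
          "max_object_entries": 50, "max_array_elements": 100}


def check_json_structure(doc, limits=LIMITS, depth=0):
    """Walk a parsed JSON value, enforce the limits, return the deepest container level."""
    if isinstance(doc, str):
        if len(doc) > limits["max_string_length"]:
            raise ValueError(f"string longer than {limits['max_string_length']} characters")
        return depth
    if not isinstance(doc, (dict, list)):
        return depth  # numbers, booleans and null carry no structural risk
    depth += 1
    if depth > limits["max_depth"]:
        raise ValueError(f"container depth exceeds {limits['max_depth']}")
    if isinstance(doc, dict):
        if len(doc) > limits["max_object_entries"]:
            raise ValueError(f"object has more than {limits['max_object_entries']} entries")
        for name in doc:
            if len(name) > limits["max_entry_name_length"]:
                raise ValueError(f"entry name longer than {limits['max_entry_name_length']}")
        children = doc.values()
    else:
        if len(doc) > limits["max_array_elements"]:
            raise ValueError(f"array has more than {limits['max_array_elements']} elements")
        children = doc
    return max([depth] + [check_json_structure(c, limits, depth) for c in children])


def validate_request_body(raw, limits=LIMITS):
    """Parse a request body and apply the limits; returns (accepted, reason).
    A production policy enforces these limits while parsing, before the whole
    tree is built; checking after json.loads() is enough to show the rules."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    try:
        check_json_structure(doc, limits)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample bodies: a benign order and a nesting bomb
BENIGN_BODY = '{"order": {"id": 42, "items": [{"sku": "A1", "qty": 2}]}}'
NESTED_BODY = "[" * 20 + "]" * 20
```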
33. MuleSoft Provided API Policies
● Security
○ OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider Policy – Enforces token access
using the MuleSoft OAuth Provider policy
○ OpenAM Access Token Enforcement – Restricts access to a protected resource using an OpenAM
authentication server
○ PingFederate Access Token Enforcement – Restricts access to a protected resource using the
PingFederate authentication server
○ Tokenization – Transforms sensitive data into non-sensitive equivalent tokens
○ Detokenization – Transforms a tokenized value back to the original data
34. MuleSoft Provided API Policies
● Compliance
○ Client ID Enforcement – Allows access only to client applications presenting valid client credentials
○ CORS – Enables calls executed in a web page to interact with resources from different domains
● Quality of Service
○ HTTP Caching – Stores HTTP responses from an API implementation
○ Rate Limiting – Imposes a limit on the number of requests that an API can accept within a
specified time
○ Rate Limiting, SLA-Based – Imposes an API request limit based on SLA tiers
○ Spike Control – Controls API traffic and provides a queuing feature
● Message Logging – Logs a custom message when an API is invoked
35. When and Where to Apply API Policies
API Layer  | Category           | Policy (generally applied)
Experience | Compliance         | Client ID enforcement, CORS
Experience | Security           | Basic authentication, JSON/XML threat protection, IP whitelisting (blacklisting), OAuth, Tokenization/Detokenization
Experience | Quality of Service | Rate limiting (SLA-based), Spike control, HTTP caching
Process    | Compliance         | Client ID enforcement
Process    | Security           | Basic auth, Tokenization/Detokenization
Process    | QoS                | Rate limiting
System     | Compliance         | Client ID enforcement
System     | Security           | Basic auth, Tokenization/Detokenization
System     | QoS                | Rate limiting, Spike control
37. API Manager Alerts
● An API alert is an alarm that flags one of the following problems:
○ The API request violates a policy
○ Requests received by the API exceed a given number within a period of time
○ The API returns a specified HTTP error code
○ The API response time exceeds a certain amount
Runtime Manager Alerts
● Number of errors
○ The number of errors in one minute reaches the specified limit
● Number of Mule messages
○ The number of Mule messages since the application started reaches the specified limit
● Response time
○ The response time crosses the specified limit
● Use Runtime Manager to export data to external analytics tools
○ Splunk and ELK plugins
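As an added example of the request-count, error-code and response-time alert conditions described above applied to exported logs, here is a Python detector run over constructed access-log lines; it is not MuleSoft's code, and the log format, field names and thresholds are assumptions for this page:

```python
import re
from collections import deque
from datetime import datetime, timezone

# Constructed access-log lines in a gateway-like format (not MuleSoft's own log
# format): timestamp, API name, client id, HTTP status, response time in ms.
SAMPLE_LOG = """\
2020-11-10T10:00:00Z orders-api client-a 200 120
2020-11-10T10:00:01Z orders-api client-a 200 95
2020-11-10T10:00:02Z orders-api client-b 500 2400
2020-11-10T10:00:03Z orders-api client-a 200 110
2020-11-10T10:00:04Z orders-api client-a 200 130
2020-11-10T10:00:05Z orders-api client-a 429 15
2020-11-10T10:01:30Z orders-api client-b 200 80
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Yield (epoch_seconds, api, client, status, response_ms) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparsable lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts.timestamp(), m.group(2), m.group(3), int(m.group(4)), int(m.group(5))


def evaluate_alerts(text, max_requests=5, period=60, error_code=500, max_response_ms=1000):
    """Apply the three alert conditions to a log and return the alerts raised as
    (alert_type, api, detail) tuples. Thresholds are illustrative assumptions."""
    alerts = []
    recent = {}  # api -> timestamps of requests inside the sliding window
    for ts, api, client, status, response_ms in parse_log(text):
        window = recent.setdefault(api, deque())
        window.append(ts)
        while window and ts - window[0] >= period:
            window.popleft()  # drop requests that fell out of the period
        if len(window) > max_requests:
            alerts.append(("request-count", api, f"{len(window)} requests in {period}s"))
        if status == error_code:
            alerts.append(("error-code", api, f"{client} got HTTP {status}"))
        if response_ms > max_response_ms:
            alerts.append(("response-time", api, f"{response_ms} ms > {max_response_ms} ms"))
    return alerts
```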
38. A Secure CloudHub Architecture with VPC
● Connect resources behind the corporate firewall
● Dedicated subnet on CloudHub to deploy the organization’s implementations
● Security is paramount
● Place system and process APIs in the VPC
● Load Balancers – SLB (Shared), DLB (Dedicated)
39. On-premise - Local
● Connect resources behind the corporate firewall
● Security is paramount
● DMZ (Demilitarized Zone) – connects to the internet
● Internal network – No access to the Internet; hosts org assets
● Place system and process APIs in the internal network
● Place experience APIs in the DMZ
40. Runtime Fabric
● Container service that automates deployment and orchestration of Mule applications and API
gateways
● Installs on multi-cloud environments and in data centers
● Features:
○ Application Isolation
○ Multiple Runtimes
○ High Availability
○ Supports horizontal and vertical scaling
● Security – Code, container, cluster, cloud
41. Customer Hosted Runtimes on Private Cloud
● Connect to resources in the organization’s private network
● Host runtimes on a private cloud such as Azure or AWS
● Place system APIs in the private cloud to access on-prem data via a VPN gateway
● Experience APIs can be in the DMZ
● Security will be applied across firewalls, proxies, VPNs, and load balancers
43. Perform “Test Attacks” on APIs
● Try some attacks yourself
● Find some tools or apps to test policies
● Have the organization’s security department test the code and environment
● Have professionals attack and assess API security
● Regular pen tests (security testing as a service embedded in the SDLC)
44. Security Testing Areas
● Credentials
● Authentication
● Authorization
● Session
● Privacy
● Data
● Certificates
● Source
● System
● Files
● Logs
● Emails
● Services
● Cryptography
● Architecture
● Networks
● Virtualization
● Physical
● Mobile
● Social
46. Key Takeaways
● Know the big picture, the infrastructure, and the business
● Security comes at a cost
● There will be side-effects
● Only recommend what’s right and needed
● There’s no one way to do it
● Ensure it gets thoroughly tested for security
● Security is not a one-time activity
● Leverage proactive monitoring and implement policies
● Follow best practices and be as restrictive as possible in API design
● Discuss in the community, and let MuleSoft know for additional support
50.
● Proud partner of MuleSoft for a number of years; one of the first few partners in Canada during the early stage
● Trusted IT partner for digital innovation, with a global presence
● Growth 2020 List: named one of Canada’s fastest-growing companies
● Our mission:
To provide business solutions to not only solve challenges, but to accelerate growth and customer success
● Our areas of expertise:
Digital Transformation, Integration, Data Management, Customer 360, Cloud Strategy, & Cybersecurity
● Our solution:
Cutting-edge integration and automation solutions with the latest technology that transform visions into realities
51. Stay connected on social
Incepta Solutions
@InceptaS
Incepta Solutions
@InceptaSolutions