Api security-present
Nguyễn Minh Trí
Five Simple Strategies for Securing APIs
Tran Minh Tri, Security bootcamp 2018

Tran Minh Tri, Product manager
tritm@mi2.com.vn
@tridalat
Slideshare.net/tridalat
Linkedin.com/tridalat
https://api.mi2.vn

Contents
• What are APIs?
• Are they worth the risk?
• The three attack vectors to watch out for
• Five simple mitigation strategies you might have overlooked
• Conclusion
What are APIs?
APIs are like windows into an application.

APIs are the building blocks of digital transformation
Around your digital business and its data: IoT devices, Cloud, Mobile, Partners/External, Divisions, External developers.

Digital transformation as a maturity model
Low digital maturity to high digital maturity: Offline/In-Person, Web, Mobile, Omnichannel, Ecosystem.
How do APIs increase an organization's risk?
Industry examples, each listed from low to high digital maturity (Offline/In-Person, Web, Mobile, Omnichannel, Ecosystem):

Digital Transformation in Retail: retail store; catalog & call center; web storefront; affiliate channels; mobile storefront; shopper profile APIs; product catalog APIs; persistent cart APIs; in-store/proximity APIs; inventory/logistics APIs; personalized profile APIs; advanced payment APIs; loyalty partner APIs; marketplace APIs; smart product APIs.

Digital Transformation in Automotive: dealer; service center/mechanic; brand content; online product data; ratings & reviews; dealer APIs; product data APIs; driver profile APIs; diagnostic APIs; vehicle feature APIs; history/maintenance APIs; OTA update APIs; UBI APIs; location & context APIs; insurance APIs; vehicle share APIs.

Digital Transformation in Transportation & Logistics: dropoff/pickup center; courier; web research; web scheduling; web tracking; rate and SLA APIs; service APIs; tracking APIs; fleet tracking APIs; supply chain APIs; traffic management APIs; enroute redirect APIs; proof of delivery APIs; traffic data APIs; 3PL services APIs; 3P pickup/dropoff APIs.

Digital Transformation in Healthcare: practitioner office; offline health records; call center; online research; claims & history; appointment APIs; plan selection APIs; insurer integration APIs; telehealth APIs; biotelemetry APIs; EHR APIs; monitoring device APIs; care analytics APIs; partner services APIs.

Digital Transformation in Financial Services: retail banking; online banking; location & service APIs; account APIs; alert/monitoring APIs; mobile payment APIs; direct deposit APIs; investment APIs; P2P mobile payment APIs; loyalty partner APIs; P2P lending APIs; wealth management APIs.

Digital Transformation in Media & Entertainment: broadcast media; proprietary STB; online purchase; guide & metadata; streaming media APIs; metadata APIs; entitlement APIs; viewer profile APIs; quad-play APIs; service dashboard APIs; wallet/payment APIs; partner entitlement APIs; content-keyed APIs; ad network APIs; event APIs.

Digital Transformation in Sports & Fitness: broadcast sports; disconnected devices; scores & stats; online content; scores & stats APIs; track & monitor APIs; fitness profile APIs; real-time 2nd screen APIs; multi-device profile APIs; fitness platform APIs; health connectivity APIs; data subscription APIs.

Digital Transformation in Travel & Hospitality: proprietary reservations; travel agent; fares & schedules; online booking; online channels; fare & schedule APIs; status & alert APIs; traveler profile APIs; identity & access APIs; location-aware APIs; enroute services APIs; loyalty partner APIs; multi-mode travel APIs.
Prominent API Breaches

Niantic's API for Pokemon Go cracked
• API functions as the access point for accessing DB and algorithm
• 3rd parties found the API and created apps that aid in the capture
• Server-side issues (including downtime) increased as a result
Examples: Pokevision, FastPokeMap
The Three Attack Vectors to Watch Out For

Outside the enterprise: Internet of Things, Mobile, SaaS/Cloud solutions (AWS, Google, SFDC ...), Partner ecosystems, External developers.
Within the enterprise: Secure data, Application portfolio, ID/Authentication, Reporting & analytics, Internal teams.

Many API developers come directly from a web design background, and may bring with them some bad habits.
• Identity: identity attacks exploit flaws in authentication, authorization, and session tracking. In particular, many of these are the result of migrating bad practices from the web world into API development.
• Parameters: parameter attacks exploit the data sent into an API, including URL, query parameters, HTTP headers, and/or post content.
• Man-in-the-middle: these attacks intercept legitimate transactions and exploit unsigned and/or unencrypted data being sent between the client and the server. They can reveal confidential information (such as personal data), alter a transaction in flight, or even replay legitimate transactions.
Attack Vector: Parameters
• API functions as the access point for accessing DB and algorithm
– In the traditional web world, parameterization was limited and indirect
– Subject to the capabilities of URLs and forms
• APIs, in contrast, offer much more explicit parameterization
– The full power of RESTful design: GET, POST, PUT, DELETE
– (And don't stop there... what about the effects of HEAD, etc.?)
• This creates a greater potential attack surface
– Injection, bounds, correlation, and so on

Attack Vector: Identity
• We had it surprisingly good in the Web world
– Browser session usually tied to a human
– Dealing with one identity is not so tough
• Security tokens abound, but solutions are mature
– Username/password, multi-factor, SAML, etc.
• APIs are rapidly becoming more difficult
– Non-human entities
– Multiple layers of relevant identities: me, my attributes, my phone, my developer, my provider...

API keys
"An application programming interface key (API key) is a code generated by websites that allow users to access their application programming interface. API keys are used to track how the API is being used in order to prevent malicious use or abuse of the terms of service. Many applications publishing APIs require clients to use an API key to access their functionality." (Source: Wikipedia, http://en.wikipedia.org/wiki/Application_programming_interface_key)
Man-in-the-middle

How Should You Secure Your APIs?

Five Simple Mitigation Strategies That Will Allow an Organization to More Securely Publish APIs
The five strategies: (1) Validate parameters; (2) Apply explicit threat detection; (3) Turn on SSL everywhere; (4) Apply rigorous authentication and authorization; (5) Use proven solutions.

Strategy 1: Validate Parameters
• Rigorous validation of consumer-supplied inputs, and of API output
• Use schema validation
Strategy 2: Apply Explicit Threat Detection
• Blacklist dangerous tags like <SCRIPT>
• Virus scanning of attachments
• Very large messages can be effective denial-of-service attacks
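Strategies 1 and 2 side by side as a worked example, added here and not part of the deck: a schema-based validator for a hypothetical "create order" endpoint (the schema, field names and limits are constructed assumptions). The allow-list schema rejects undeclared fields, wrong types and out-of-bound values; the body-size cap and the deny-list tag check are the explicit threat detection; the output filter applies the same validation idea to API responses.

```python
import json
import re

# Constructed schema for a hypothetical "create order" endpoint (assumption, not from
# the deck): every accepted field is declared with its type and bounds; the rest is rejected.
ORDER_SCHEMA = {
    "sku":      {"type": str, "pattern": r"[A-Z0-9-]{3,20}", "required": True},
    "quantity": {"type": int, "min": 1, "max": 100, "required": True},
    "note":     {"type": str, "max_len": 200, "required": False},
}
MAX_BODY_BYTES = 4096                            # oversized messages are a cheap DoS
DANGEROUS_TAG = re.compile(r"<\s*script", re.I)  # deny-list check, secondary to the schema
RESPONSE_FIELDS = {"order_id", "sku", "quantity", "status"}  # what the API may emit


def validate_request(raw_body: bytes) -> list[str]:
    """Return the list of violations; an empty list means the request is acceptable."""
    if len(raw_body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        data = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(data, dict):
        return ["body must be a JSON object"]
    errors = [f"unexpected field: {name}" for name in data if name not in ORDER_SCHEMA]
    for name, rule in ORDER_SCHEMA.items():
        if name not in data:
            if rule["required"]:
                errors.append(f"missing field: {name}")
            continue
        value = data[name]
        # bool is a subclass of int in Python, so "quantity": true must not pass as an int
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: wrong type")
        elif isinstance(value, int):
            if not rule["min"] <= value <= rule["max"]:
                errors.append(f"{name}: out of range")
        else:
            if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors.append(f"{name}: does not match allowed pattern")
            if "max_len" in rule and len(value) > rule["max_len"]:
                errors.append(f"{name}: too long")
            if DANGEROUS_TAG.search(value):
                errors.append(f"{name}: contains a dangerous tag")
    return errors


def filter_response(record: dict) -> dict:
    """Validate output too: emit only allow-listed fields so an internal column never leaks."""
    return {k: v for k, v in record.items() if k in RESPONSE_FIELDS}
```

The allow-list patterns and bounds do most of the work; the tag deny-list is only a second net, since a deny-list can never enumerate every dangerous input.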
Strategy 3: Turn on SSL Everywhere
Strategy 4: Apply Rigorous Authentication and Authorization
• Multiple identity profile (roles, geo-location, IP, user agent, time of day ...)
• OAuth for people
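Strategy 4's "multiple identity profile" as a worked policy check, added here and not part of the deck: the role requirement is a hard authorization gate, while network, country, time of day and user agent each add risk points that decide whether the call is allowed outright, needs a stronger authentication step, or is refused. The endpoint, policy values and sample calls are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Context:
    roles: frozenset      # roles the caller was authenticated as holding
    ip: str               # source address seen by the API tier
    country: str          # geo-location of that address
    user_agent: str
    when: datetime        # timezone-aware timestamp of the call

# Constructed policy for a hypothetical finance endpoint (assumption, not from the deck).
POLICY = {
    "required_roles": {"finance", "admin"},     # hard authorization gate
    "trusted_networks": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")],
    "allowed_countries": {"VN", "SG"},
    "business_hours": (8, 18),                  # UTC hours, end exclusive
    "known_agents": ("MobileApp/", "PartnerSDK/"),
    "step_up_at": 2,                            # risk points that require MFA
    "deny_at": 4,                               # risk points that block the call
}

def evaluate(ctx: Context, policy: dict = POLICY) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons). The role check is authorization and
    is absolute; the other profile signals add up to a risk score that sets the required
    authentication strength, so an odd-looking call gets MFA rather than a silent allow."""
    if not ctx.roles & policy["required_roles"]:
        return "deny", ["caller lacks a required role"]
    addr = ipaddress.ip_address(ctx.ip)
    start, end = policy["business_hours"]
    # (risk points, reason, whether the signal fired) for each profile attribute
    signals = [
        (1, "untrusted network", not any(addr in net for net in policy["trusted_networks"])),
        (2, "unexpected country", ctx.country not in policy["allowed_countries"]),
        (1, "outside business hours", not start <= ctx.when.astimezone(timezone.utc).hour < end),
        (1, "unknown user agent", not ctx.user_agent.startswith(policy["known_agents"])),
    ]
    reasons = [why for _, why, hit in signals if hit]
    risk = sum(points for points, _, hit in signals if hit)
    if risk >= policy["deny_at"]:
        return "deny", reasons
    if risk >= policy["step_up_at"]:
        return "step_up", reasons
    return "allow", reasons

def sample_call(roles, ip, country, agent, hour_utc):
    """Build a constructed sample Context (test data, not captured traffic)."""
    when = datetime(2018, 11, 10, hour_utc, tzinfo=timezone.utc)
    return Context(frozenset(roles), ip, country, agent, when)
```

The returned reasons are what an audit log or the gateway's threat-detection tier would record alongside the verdict.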
Strategy 5: Use Proven Solutions
• Separate out API implementation and API security into distinct tiers
• API gateway (access control, threat detection, confidentiality and integrity, audit management)
Conclusion
APIs represent a great opportunity for the enterprise to integrate applications quickly and easily. But APIs can be a double-edged sword: promising agility while at the same time increasing risk. If an organization addresses API security as an architectural challenge long before any development takes place, it can reap the rewards of this technological breakthrough safely and securely.

Q & A