
Securing APIs

Andy March
November 12, 2019

As our applications become increasingly dependent on APIs to function, we review the threats to your API security and how Okta and NGINX can help protect you and your data.


Transcript

  1. Hi! 10+ years working in secure systems. Platform Specialist at Okta. Software Developer (.NET / Java / JS). @andymarch

  2. OpenStreetMap, Yelp, Uber: Get map data, Get reviews, Get a ride.
     "Find me 5 good pubs between Farringdon and Kings Cross" -> BeerTour.io, ThirstyWalker.net
     "Find x good pubs between a and b" -> BeerTour.api -> "Find x good pubs between a and b"

  3. API Maturity Model
     Phase 0: Integrate internal systems by private APIs (Application microservices)
     Phase 1: Internal collaboration for internal applications (Shared microservices)
     Phase 2: Limited API access to partners, resellers and suppliers (Trusted partner APIs)
     Phase 3: APIs as full fledged products with external developer access (Public service APIs)
     Security Team evaluates use cases, interfaces, authentication, access management, etc.

  4. API1: Broken Object Level Authorization
     GET /api/user/12345
     GET /api/user/12345, GET /api/user/12346, GET /api/user/12347, GET /api/user/12348

  5. API3: Excessive Data Exposure
     /api/user -> { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, cc: 1234 } -> Portal app: "Hi test tester"

  6. API3: Excessive Data Exposure
     /api/user -> { firstName: test, lastName: tester, email: [email protected] } -> Portal app: "Hi test tester"
     /api/user/payment -> { cc: 1234 } -> Portal app: "Would you like to update your payment card ending 1234"

  7. API6: Mass Assignment
     Client sends { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street }
     PUT /api/user -> stored record { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: user }
     Client sends { role: admin }
     PUT /api/user -> stored record { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: admin }

  8. API8: Injection
     GET /api/user?id=12345%27%20union%20(select%20*%20from%20users%3B)
     {Result: {[ { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street }, { firstName: example, lastName: users, email: [email protected], homeAddress: 987 Demo Road }, { firstName: Ex, lastName: Ample, email: [email protected], homeAddress: Flat 1 Test Towers

  9. API Access Management (API AM)
     Lifecycle: What state is it in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available?
     Interface: What does it expose? Which resources? Which methods? Which objects? Which fields?
     Access: Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts?
     Consumption: How to succeed with it? API documentation? Debugging/errors? Track usage? Examples/SDKs?
     Business: How does it drive business goals? Partner CRM, Monetization, Marketing, Business Analytics

  10. Who’s who of OAuth 2.0
     Roles: Resource Owner, Client, Authorization Server, Resource Server
     Hotel analogy: Guest, Hotel Room, Reception Desk, Hotel

  11. API Access Management (API AM)
     Lifecycle: What state is it in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available?
     Interface: What does it expose? Which resources? Which methods? Which objects? Which fields?
     Access: Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts?
     Consumption: How to succeed with it? API documentation? Debugging/errors? Track usage? Examples/SDKs?
     Business: How does it drive business goals? Partner CRM, Monetization, Marketing, Business Analytics

  12. &
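The handler-level defences that slides 4 to 7 call for, written out as an added example that is not code from the deck, from Okta or from NGINX: an ownership check that runs before the record is even looked up (API1, so a caller walking /api/user/12346, 12347, 12348 gets the same 403 whether or not the id exists), a response allowlist that keeps the card number off the profile endpoint and moves it to a separate payment endpoint as slide 6 does (API3), and a write allowlist that silently drops a client-supplied role (API6). The in-memory records, the user ids, the email addresses and the Principal type standing in for a validated access token are all constructed assumptions.

```python
"""Object-level authorization, response shaping and write allowlisting for a
user API. Everything here is constructed for illustration: the records, the
ids and the Principal type that stands in for the caller's validated token."""
from dataclasses import dataclass

# Constructed user store. 'cc' mirrors the card field shown on slide 5.
USERS = {
    12345: {"userid": 12345, "firstName": "test", "lastName": "tester",
            "email": "test@example.com", "homeAddress": "123 Fake Street",
            "cc": "4111111111111234", "role": "user"},
    12346: {"userid": 12346, "firstName": "example", "lastName": "users",
            "email": "users@example.com", "homeAddress": "987 Demo Road",
            "cc": "4111111111119876", "role": "admin"},
}


@dataclass(frozen=True)
class Principal:
    """The caller as established from the access token (assumed shape)."""
    user_id: int
    role: str


# API3: fields the profile endpoint may return. The card is deliberately
# absent; it is served only by get_payment, as on slide 6.
PROFILE_FIELDS = ("firstName", "lastName", "email")

# API6: fields a caller may write on their own record. 'userid' and 'role'
# are absent, so a body of {"role": "admin"} has no effect.
WRITABLE_FIELDS = ("firstName", "lastName", "email", "homeAddress")


def _owns_or_admin(principal, user_id):
    return principal.user_id == user_id or principal.role == "admin"


def get_user(principal, user_id):
    """GET /api/user/<id>. Returns (status, body) like an HTTP handler."""
    # API1: decide on ownership first, so non-owners never learn whether
    # the id exists (403 either way, never a 404 that confirms it).
    if not _owns_or_admin(principal, user_id):
        return 403, {"error": "forbidden"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    # API3: copy out an allowlist instead of returning the whole record.
    return 200, {k: record[k] for k in PROFILE_FIELDS}


def get_payment(principal, user_id):
    """GET /api/user/<id>/payment: only the owner, and only the last four digits."""
    if principal.user_id != user_id:
        return 403, {"error": "forbidden"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {"cc": record["cc"][-4:]}


def update_user(principal, user_id, body):
    """PUT /api/user/<id>: merge only allowlisted keys; report what was ignored."""
    if principal.user_id != user_id:
        return 403, {"error": "forbidden"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    ignored = sorted(set(body) - set(WRITABLE_FIELDS))
    for key in WRITABLE_FIELDS:
        if key in body:
            record[key] = body[key]
    # Echo the record through the same profile allowlist; never the raw row.
    return 200, {"updated": {k: record[k] for k in PROFILE_FIELDS},
                 "ignored": ignored}


if __name__ == "__main__":
    me = Principal(user_id=12345, role="user")
    print(get_user(me, 12345))                      # profile without cc
    print(get_user(me, 12346))                      # (403, ...) for a neighbour's id
    print(get_payment(me, 12345))                   # {'cc': '1234'}
    print(update_user(me, 12345, {"role": "admin", "firstName": "Test"}))
    print(USERS[12345]["role"])                     # still 'user'
```

The 403-before-lookup ordering matters more than it looks: if the existence check ran first, a caller without access could still enumerate valid ids by telling 403 apart from 404, which is the walk shown on slide 4.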
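For the API8 slide, an added example (not code from the deck, Okta or NGINX) of the lookup the injected request on slide 8 should hit: the `id` query parameter is decoded, rejected unless it is a plain decimal integer, and then bound as a parameter rather than spliced into the SQL text. The sqlite3 schema, the three rows (matching the names on the slide) and the email addresses are constructed; the request line is the one from the slide, with `%2 0` read as `%20`.

```python
"""Parameterised user lookup that rejects the slide 8 injection payload.
The in-memory sqlite3 table and its rows are constructed for illustration."""
import sqlite3
from urllib.parse import parse_qs, urlsplit

COLUMNS = ("firstName", "lastName", "email", "homeAddress")


def build_db():
    """Constructed users table with the three records the slide lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, firstName TEXT, "
                 "lastName TEXT, email TEXT, homeAddress TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (12345, "test", "tester", "test@example.com", "123 Fake Street"),
        (12346, "example", "users", "users@example.com", "987 Demo Road"),
        (12347, "Ex", "Ample", "ex@example.com", "Flat 1 Test Towers"),
    ])
    return conn


def parse_id(raw):
    """Return the id as an int, or None for anything that is not plain digits.
    Validating the shape up front means the quote-and-union payload never
    reaches the database layer at all."""
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def lookup_user(conn, raw_id):
    """Handler body: (status, body) for a decoded id string."""
    uid = parse_id(raw_id)
    if uid is None:
        return 400, {"error": "id must be a positive integer"}
    # Bound parameter: the value travels separately from the statement text,
    # so even an unvalidated string could not become SQL. Only the four
    # profile columns are selected, never SELECT *.
    row = conn.execute(
        "SELECT firstName, lastName, email, homeAddress FROM users WHERE id = ?",
        (uid,),
    ).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(zip(COLUMNS, row))


def handle_request(conn, path_and_query):
    """Dispatch a request line such as '/api/user?id=12345' to the handler.
    parse_qs percent-decodes the value, so %27 becomes a quote before
    parse_id sees it; that is the string that must be rejected."""
    query = parse_qs(urlsplit(path_and_query).query)
    raw_id = query.get("id", [None])[0]
    return lookup_user(conn, raw_id)


if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, "/api/user?id=12345"))
    print(handle_request(db, "/api/user?id=12345%27%20union%20(select%20*%20from%20users%3B)"))
```

The two layers are independent on purpose: the parameter binding is what stops injection, and the integer check is what turns a malformed id into a clean 400 instead of a query that returns nothing and a confusing 404.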