Securing APIs

Transcript

1. Securing APIs Lunch and Learn London

2. 10+ years working in secure systems Hi! Platform Specialist at

   Okta Software Developer (.NET / Java / JS) @andymarch

3. OpenStreetMap Yelp Uber Get map data Get reviews Get a

   ride Find me 5 good pubs between Farringdon and Kings Cross BeerTour.io ThirstyWalker.net Find x good pubs between a and b BeerTour.api Find x good pubs between a and b

4. User API Client

5. Information wants to be free. Stewart Brand

6. None
7. None

8. Information wants to be free. Information also wants to be

   expensive. Stewart Brand

9. https://delivery/panerabread.com/foundation-api/users/uramp/738194 August 2017

10. https://delivery/panerabread.com/foundation-api/users/uramp/738194 https://delivery/panerabread.com/foundation-api/users/uramp/738195 https://delivery/panerabread.com/foundation-api/users/uramp/738196 https://delivery/panerabread.com/foundation-api/users/uramp/738197 https://delivery/panerabread.com/foundation-api/users/uramp/ … https://delivery/panerabread.com/foundation-api/users/uramp/ … https://delivery/panerabread.com/foundation-api/users/uramp/ …

    August 2017 Username, First and last name, Email, Phone number, Birthday, CC last 4 digits, Home address, linked social accounts, saved preferences and dietary restrictions, gift cards

11. Architecting for Security

12. API Maturity Model Phase 0 Integrate internal systems by private

    APIs Internal collaboration for internal applications Phase 2 Limited API access to partners, resellers and suppliers Phase 3 APIs as full fledged products with external developer access Security Team evaluates use cases, interfaces, authentication, access management, etc, etc Phase 1 Application microservices Shared microservices Trusted partner APIs Public service APIs

13. Think like a bad guy. Icon thenounproject.com/sultanm/

14. None

15. API1: Broken Object Level Authorization GET /api/user/12345 GET /api/user/12345 GET

    /api/user/12346 GET /api/user/12347 GET /api/user/12348

16. API2: Broken Authentication

17. Don’t roll your own identity

18. None
19. None

20. API3: Excessive Data Exposure { firstName: test, lastName: tester, email:

    [email protected], homeAddress: 123 Fake Street, cc: 1234 } Hi test tester /api/user Portal app

21. API3: Excessive Data Exposure { firstName: test, lastName: tester, email:

    [email protected], } Hi test tester /api/user Portal app { cc: 1234 } Would you like to update your payment card ending 1234 /api/user/payment Portal app

22. API4: Lack of Resources and rate limiting Icon thenounproject.com/sultanm/

23. API5: Broken Function Level Authorization TourOrganiser TourAttendee /tour/info GET GET

    PUT PUT

24. API6: Mass Assignment { firstName: test, lastName: tester, email: [email protected],

    homeAddress: 123 Fake Street } PUT /api/user { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: user } { role: admin } PUT /api/user { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: admin }

25. API7: Security Misconfiguration

26. API8: Injection Credit: https://xkcd.com/327/

27. API8: Injection GET /api/user?id=12345 { firstName: test, lastName: tester, email:

    [email protected], homeAddress: 123 Fake Street }

28. API8: Injection GET /api/user?id=12345%27%20union%20(select%20*%2 0from%20users%3B) {Result: {[ { firstName: test,

    lastName: tester, email: [email protected], homeAddress: 123 Fake Street}, { firstName: example, lastName: users, email: [email protected], homeAddress: 987 Demo Road}, { firstName: Ex, lastName: Ample, email: [email protected], homeAddress: Flat 1 Test Towers

29. API9: Improper Assets Management /tour/info v1 v1 v1 v2 v2

30. API10: Insufficient Logging & Monitoring Icon thenounproject.com/sultanm/

31. API Access Management

32. API Access Management (API AM) Lifecycle What state is it

    in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available? Interface What does it expose? Which resources? Which methods? Which objects? Which fields? Access Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts? Consumption How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs? Business How does it drive business goals? Partner CRM Monetization Marketing Business Analytics
33. None

34. Delegated authorization with OAuth 2.0

35. Who’s who of OAuth 2.0 Resource Owner Client Authorization Server

    Resource Server Guest Hotel Room Reception Desk Hotel

36. Authorization Server (The source of trust for the application)

37. None
38. None
39. None

40. Scope (a requested permission)

41. None

42. Register: redirect address ClientID, Client secret

43. None
44. None

45. ClientId (a unique identifier of an application)

46. ClientSecret (an authenticator for an application)

47. None
48. None

49. client id, client secret, scopes Access Token Access Token

50. Access Policy (control the behavior of the authz server for

    a given application)
51. None
52. None
53. None
54. None
55. None

56. API Access Management (API AM) Lifecycle What state is it

    in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available? Interface What does it expose? Which resources? Which methods? Which objects? Which fields? Access Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts? Consumption How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs? Business How does it drive business goals? Partner CRM Monetization Marketing Business Analytics

57. &