Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing APIs

Andy March
November 12, 2019
Technology
0
31

Securing APIs

As our applications become increasing dependent on APIs to function we review the threats to your API security and how Okta and NGINX can help protect you and your data.

Andy March

November 12, 2019
Tweet

More Decks by Andy March

See All by Andy March
OAuth by Example - Workshop
andymarch
1
160
Customers in the Crosshairs
andymarch
1
190
TLDR - OAuth
andymarch
0
66
Identity as Code
andymarch
0
310

Other Decks in Technology

See All in Technology
(n=1の)テーブルデータコンペの取り組み方
makotu
2
1.3k
土壌と植物で奏でるアート~農業における新たなパラダイム~
shinrinakamura
0
190
DDD e Team Topologies como estes conceitos podem te dar pistas de como montar seus times de engenharia!!!
claudioed
2
340
Advancing Equity and Inclusion for Deaf Students in Higher Education
3playmarketing
0
140
生成AIと著作権 〜生成AIによって生じる著作権関連の課題と対処
line_developers
PRO
2
710
開発生産性と組織 / Productivity and Organization
1000ch
0
350
GraphQLはどんな時に使うか
saboyutaka
20
6.4k
生活感のあるアーキテクチャ
pharma_x_tech
0
340
クラウドサイン事業本部 プロダクト組織 紹介資料
bengo4com
0
180
Create the DTO System of your Dreams: stateOptions + entityClass
weaverryan
1
480
知らなくていい、知っても役に立たないDNSの豆知識
th0x0472
0
420
LINE 平台與開發生態系介紹
line_developers_tw
PRO
0
260

Featured

See All Featured
A Modern Web Designer's Workflow
chriscoyier
688
190k
Embracing the Ebb and Flow
colly
77
3.8k
Agile that works and the tools we love
rasmusluckow
323
20k
Designing for Performance
lara
601
66k
Teambox: Starting and Learning
jrom
125
8.1k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
41
11k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Practical Orchestrator
shlominoach
179
9.3k
Automating Front-end Workflow
addyosmani
1354
200k
Mobile First: as difficult as doing things right
swwweet
214
8.2k
In The Pink: A Labor of Love
frogandcode
135
21k

Transcript

  1. Securing APIs
    Lunch and Learn London

    View Slide

  2. 10+ years working in secure systems
    Hi!
    Platform Specialist at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

    View Slide

  3. OpenStreetMap Yelp Uber
    Get map data
    Get reviews
    Get a ride
    Find me 5 good
    pubs between
    Farringdon and
    Kings Cross
    BeerTour.io
    ThirstyWalker.net
    Find x good pubs between a and b
    BeerTour.api
    Find x good pubs between a and b

    View Slide

  4. User
    API Client

    View Slide

  5. Information wants to be free.
    Stewart Brand

    View Slide

  6. View Slide

  7. View Slide

  8. Information wants to be free.
    Information also wants to be expensive.
    Stewart Brand

    View Slide

  9. https://delivery/panerabread.com/foundation-api/users/uramp/738194
    August 2017

    View Slide

  10. https://delivery/panerabread.com/foundation-api/users/uramp/738194
    https://delivery/panerabread.com/foundation-api/users/uramp/738195
    https://delivery/panerabread.com/foundation-api/users/uramp/738196
    https://delivery/panerabread.com/foundation-api/users/uramp/738197
    https://delivery/panerabread.com/foundation-api/users/uramp/ …
    https://delivery/panerabread.com/foundation-api/users/uramp/ …
    https://delivery/panerabread.com/foundation-api/users/uramp/ …
    August 2017
    Username, First and last name, Email, Phone number, Birthday,
    CC last 4 digits, Home address,
    linked social accounts,
    saved preferences and dietary restrictions,
    gift cards

    View Slide

  11. Architecting for Security

    View Slide

  12. API Maturity Model
    Phase 0
    Integrate internal
    systems by private
    APIs
    Internal collaboration
    for internal
    applications
    Phase 2
    Limited API access
    to partners,
    resellers and
    suppliers
    Phase 3
    APIs as full fledged
    products with external
    developer access
    Security Team evaluates use cases,
    interfaces, authentication, access
    management, etc, etc
    Phase 1
    Application
    microservices
    Shared
    microservices
    Trusted
    partner
    APIs
    Public
    service APIs

    View Slide

  13. Think like a bad guy.
    Icon thenounproject.com/sultanm/

    View Slide

  14. View Slide

  15. API1: Broken Object Level Authorization
    GET /api/user/12345
    GET /api/user/12345
    GET /api/user/12346
    GET /api/user/12347
    GET /api/user/12348

    View Slide

  16. API2: Broken Authentication

    View Slide

  17. Don’t
    roll your own
    identity

    View Slide

  18. View Slide

  19. View Slide

  20. API3: Excessive Data Exposure
    {
    firstName: test,
    lastName: tester,
    email: [email protected],
    homeAddress: 123 Fake Street,
    cc: 1234
    }
    Hi test tester
    /api/user Portal app

    View Slide

  21. API3: Excessive Data Exposure
    {
    firstName: test,
    lastName: tester,
    email: [email protected],
    }
    Hi test tester
    /api/user Portal app
    {
    cc: 1234
    }
    Would you like to update
    your payment card ending
    1234
    /api/user/payment Portal app

    View Slide

  22. API4: Lack of Resources and rate limiting
    Icon thenounproject.com/sultanm/

    View Slide

  23. API5: Broken Function Level Authorization
    TourOrganiser
    TourAttendee
    /tour/info
    GET
    GET
    PUT
    PUT

    View Slide

  24. API6: Mass Assignment
    {
    firstName: test,
    lastName: tester,
    email: [email protected],
    homeAddress: 123 Fake Street
    }
    PUT /api/user
    {
    userid: 12345,
    firstName: test,
    lastName: tester,
    email: [email protected],
    homeAddress: 123 Fake Street,
    role: user
    }
    {
    role: admin
    }
    PUT /api/user
    {
    userid: 12345,
    firstName: test,
    lastName: tester,
    email: [email protected],
    homeAddress: 123 Fake Street,
    role: admin
    }

    View Slide

  25. API7: Security Misconfiguration

    View Slide

  26. API8: Injection
    Credit: https://xkcd.com/327/

    View Slide

  27. API8: Injection
    GET /api/user?id=12345
    {
    firstName: test,
    lastName: tester,
    email: [email protected],
    homeAddress: 123 Fake Street
    }

    View Slide

  28. API8: Injection
    GET
    /api/user?id=12345%27%20union%20(select%20*%2
    0from%20users%3B)
    {Result: {[
    { firstName: test,
    lastName: tester,
    email: [email protected],
    homeAddress: 123 Fake Street},
    { firstName: example,
    lastName: users,
    email: [email protected],
    homeAddress: 987 Demo Road},
    { firstName: Ex,
    lastName: Ample,
    email: [email protected],
    homeAddress: Flat 1 Test Towers

    View Slide

  29. API9: Improper Assets Management
    /tour/info
    v1
    v1
    v1
    v2
    v2

    View Slide

  30. API10: Insufficient Logging & Monitoring
    Icon thenounproject.com/sultanm/

    View Slide

  31. API Access Management

    View Slide

  32. API Access Management (API AM)
    Lifecycle
    What state is it in?
    How was it designed?
    How was it built?
    Is it deployed?
    To which GWs?
    Is it live/available?
    Interface
    What does it expose?
    Which resources?
    Which methods?
    Which objects?
    Which fields?
    Access
    Who can use it?
    Which users/groups?
    How do they authenticate?
    Using which clients?
    In what contexts?
    Consumption
    How to succeed with it?
    API Documentation?
    Debugging/errors?
    Track usage?
    Examples/SDKs?
    Business
    How does it drive business
    goals?
    Partner CRM
    Monetization
    Marketing
    Business Analytics

    View Slide

  33. View Slide

  34. Delegated authorization with OAuth 2.0

    View Slide

  35. Who’s who of OAuth 2.0
    Resource Owner Client Authorization Server Resource Server
    Guest Hotel Room
    Reception Desk
    Hotel

    View Slide

  36. Authorization Server
    (The source of trust for the application)

    View Slide

  37. View Slide

  38. View Slide

  39. View Slide

  40. Scope
    (a requested permission)

    View Slide

  41. View Slide

  42. Register: redirect address
    ClientID, Client secret

    View Slide

  43. View Slide

  44. View Slide

  45. ClientId
    (a unique identifier of an application)

    View Slide

  46. ClientSecret
    (an authenticator for an application)

    View Slide

  47. View Slide

  48. View Slide

  49. client id, client secret, scopes
    Access Token
    Access Token

    View Slide

  50. Access Policy
    (control the behavior of the authz server for a given application)

    View Slide

  51. View Slide

  52. View Slide

  53. View Slide

  54. View Slide

  55. View Slide

  56. API Access Management (API AM)
    Lifecycle
    What state is it in?
    How was it designed?
    How was it built?
    Is it deployed?
    To which GWs?
    Is it live/available?
    Interface
    What does it expose?
    Which resources?
    Which methods?
    Which objects?
    Which fields?
    Access
    Who can use it?
    Which users/groups?
    How do they authenticate?
    Using which clients?
    In what contexts?
    Consumption
    How to succeed with it?
    API Documentation?
    Debugging/errors?
    Track usage?
    Examples/SDKs?
    Business
    How does it drive business
    goals?
    Partner CRM
    Monetization
    Marketing
    Business Analytics

    View Slide

  57. &

    View Slide