Securing APIs

Andy March
November 12, 2019

As our applications become increasingly dependent on APIs to function, we review the threats to your API security and how Okta and NGINX can help protect you and your data.


Transcript

  1. Securing APIs
    Lunch and Learn London

  2. Hi!
    10+ years working in secure systems
    Platform Specialist at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

  3. OpenStreetMap, Yelp, Uber (diagram: one API built on other APIs)
    User: "Find me 5 good pubs between Farringdon and Kings Cross"
    BeerTour.io and ThirstyWalker.net ask BeerTour.api: "Find x good pubs between a and b"
    BeerTour.api in turn calls OpenStreetMap (get map data), Yelp (get reviews) and Uber (get a ride)

  4. User
    API Client

  5. Information wants to be free.
    Stewart Brand

  6. Information wants to be free.
    Information also wants to be expensive.
    Stewart Brand

  7. https://delivery/panerabread.com/foundation-api/users/uramp/738194
    August 2017

  8. https://delivery/panerabread.com/foundation-api/users/uramp/738194
    https://delivery/panerabread.com/foundation-api/users/uramp/738195
    https://delivery/panerabread.com/foundation-api/users/uramp/738196
    https://delivery/panerabread.com/foundation-api/users/uramp/738197
    https://delivery/panerabread.com/foundation-api/users/uramp/ …
    https://delivery/panerabread.com/foundation-api/users/uramp/ …
    https://delivery/panerabread.com/foundation-api/users/uramp/ …
    August 2017
    Exposed per user: username, first and last name, email, phone number, birthday, CC last 4 digits, home address, linked social accounts, saved preferences and dietary restrictions, gift cards

  9. Architecting for Security

  10. API Maturity Model
    Phase 0: Integrate internal systems by private APIs; internal collaboration for internal applications (Application microservices)
    Phase 1: Shared microservices
    Phase 2: Limited API access to partners, resellers and suppliers (Trusted partner APIs)
    Phase 3: APIs as full fledged products with external developer access (Public service APIs)
    Security Team evaluates use cases, interfaces, authentication, access management, etc, etc

  11. Think like a bad guy.
    Icon thenounproject.com/sultanm/

  12. API1: Broken Object Level Authorization
    GET /api/user/12345
    GET /api/user/12345
    GET /api/user/12346
    GET /api/user/12347
    GET /api/user/12348

  13. API2: Broken Authentication

  14. Don’t roll your own identity

  15. API3: Excessive Data Exposure
    Portal app shows "Hi test tester", but /api/user returns the whole record:
    { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, cc: 1234 }

  16. API3: Excessive Data Exposure
    Portal app "Hi test tester" calls /api/user, which returns:
    { firstName: test, lastName: tester, email: [email protected] }
    Portal app "Would you like to update your payment card ending 1234" calls /api/user/payment, which returns:
    { cc: 1234 }

  17. API4: Lack of Resources and rate limiting
    Icon thenounproject.com/sultanm/
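The slide names the problem but not a control, so here is an added example (not from the deck, and not NGINX configuration) of the usual fix: a per-client token bucket that caps burst size and steady rate. Everything in it is assumed: the bucket sizes, the client keys, and the injectable clock, which exists only so the behaviour can be checked without sleeping. In a real deployment the same rule normally lives at the gateway the deck mentions, keyed by the authenticated client rather than by IP.

```python
import time


class RateLimiter:
    """Token bucket per key: up to `capacity` requests at once, then `refill_per_sec` sustained.

    Keys are whatever identifies the caller (constructed here as "client-a" / "client-b");
    an authenticated client id is a better key than a source address, which NAT shares.
    """

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock                # injectable so tests can move time forward
        self.buckets = {}                 # key -> (tokens, last_update)

    def allow(self, key):
        """Return (allowed, retry_after_seconds). retry_after is 0 when allowed."""
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.capacity, now))
        # Refill proportionally to elapsed time, never beyond capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True, 0.0
        self.buckets[key] = (tokens, now)
        # Time until one whole token is available again; suitable for a Retry-After header.
        return False, (1.0 - tokens) / self.refill


def handle_request(limiter, client_key):
    """Gateway-style wrapper: 429 with Retry-After once the bucket is empty, else pass through."""
    allowed, retry_after = limiter.allow(client_key)
    if not allowed:
        return 429, {"error": "rate limited", "retry_after": round(retry_after, 3)}
    return 200, {"ok": True}
```

Because each key has its own bucket, one caller exhausting its allowance (for example by walking /api/user/12345, 12346, ... as on slide 12) does not affect other clients, and the limiter also slows that walk to the refill rate.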

  18. API5: Broken Function Level Authorization
    /tour/info
    TourOrganiser: GET, PUT
    TourAttendee: GET, PUT
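Slides 12 and 18 show the two authorization failures side by side: any id accepted on /api/user/{id} (object level) and any role allowed to PUT /tour/info (function level). The following is an added example, not code from the deck, of handlers that check both. The user and tour records, the role-to-method policy, and the rule that a user may read only their own record are all assumptions made for the example; only the role names TourOrganiser and TourAttendee come from the slide.

```python
# Constructed sample data (not from the deck). `requester` below is the principal the
# session or token resolved to; its role uses the slide's TourOrganiser / TourAttendee names.
USERS = {
    12345: {"id": 12345, "firstName": "test", "lastName": "tester", "role": "TourAttendee"},
    12346: {"id": 12346, "firstName": "example", "lastName": "users", "role": "TourOrganiser"},
}
TOURS = {
    7: {"id": 7, "organiser": 12346, "attendees": {12345}, "info": "Farringdon to Kings Cross"},
}

# Function-level policy for /tour/info: which roles may call which methods at all.
TOUR_INFO_POLICY = {
    "TourOrganiser": {"GET", "PUT"},
    "TourAttendee": {"GET"},
}


def get_user(requester, target_id):
    """GET /api/user/<target_id> with an object-level check.

    A caller may read only their own record (assumed rule). A foreign id gets the same
    404 as a missing id, so walking 12345, 12346, ... reveals nothing about which ids exist.
    """
    if requester["id"] != target_id or target_id not in USERS:
        return 404, {"error": "not found"}
    return 200, USERS[target_id]


def tour_info(method, requester, tour_id, new_info=None):
    """GET/PUT /tour/info for one tour: function-level check first, then object-level."""
    allowed_methods = TOUR_INFO_POLICY.get(requester["role"], set())
    if method not in allowed_methods:
        return 403, {"error": f"{requester['role']} may not {method} /tour/info"}
    tour = TOURS.get(tour_id)
    is_participant = tour is not None and (
        requester["id"] == tour["organiser"] or requester["id"] in tour["attendees"]
    )
    if not is_participant:
        return 404, {"error": "not found"}
    if method == "PUT":
        # The role says organisers may PUT; the object-level check narrows that to
        # the organiser of *this* tour.
        if requester["id"] != tour["organiser"]:
            return 403, {"error": "only the tour's organiser may update it"}
        tour["info"] = new_info
    return 200, {"tour": tour_id, "info": tour["info"]}
```

The order matters: the cheap role check rejects a TourAttendee's PUT before any record is loaded, and the object check after it is what stops one organiser editing another organiser's tour, which a role check alone would allow.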

  19. API6: Mass Assignment
    PUT /api/user with body { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street }
    Stored record: { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: user }
    PUT /api/user with body { role: admin }
    Stored record: { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: admin }
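Slides 16 and 19 are two sides of one control: an allowlist of fields per direction. The response on slide 16 is shaped per endpoint so /api/user never carries cc, and the update on slide 19 binds only the fields a caller is meant to write, so role and userid cannot be set from the body. Here is an added example of both (not the deck's code); the stored record, the field lists and the choice to reject rather than silently drop unexpected fields are assumptions for the example, using the field names from the slides.

```python
# Constructed record as stored server-side (not the deck's data). The email is a placeholder.
STORED_USER = {
    "userid": 12345, "firstName": "test", "lastName": "tester",
    "email": "test@example.com", "homeAddress": "123 Fake Street",
    "cc": "1234", "role": "user",
}

# Output allowlists (slide 16): each endpoint returns only what its screen needs.
RESPONSE_FIELDS = {
    "/api/user": ("firstName", "lastName", "email"),
    "/api/user/payment": ("cc",),
}

# Input allowlist (slide 19): the only fields PUT /api/user may bind.
# userid and role are deliberately absent, so no request body can touch them.
WRITABLE_FIELDS = frozenset({"firstName", "lastName", "email", "homeAddress"})


def render(endpoint, record):
    """Build the response body for `endpoint` from the stored record, allowlisted field by field."""
    return {name: record[name] for name in RESPONSE_FIELDS[endpoint] if name in record}


def update_user(record, payload):
    """PUT /api/user: return (status, body). Non-writable fields are a 400, not ignored.

    Rejecting (rather than dropping) unknown fields makes a probe for mass assignment
    visible in logs as a client error instead of a silently successful update.
    """
    unknown = set(payload) - WRITABLE_FIELDS
    if unknown:
        return 400, {"error": "fields not writable", "fields": sorted(unknown)}
    updated = dict(record)       # copy; the caller decides when to persist
    updated.update(payload)
    return 200, updated
```

The same WRITABLE_FIELDS set is what an ORM or framework binder should be configured with; the bug on slide 19 is binding "whatever the JSON contains" onto the model.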

  20. API7: Security Misconfiguration

  21. API8: Injection
    Credit: https://xkcd.com/327/

  22. API8: Injection
    GET /api/user?id=12345
    {
    firstName: test,
    lastName: tester,
    email: [email protected],
    homeAddress: 123 Fake Street
    }

  23. API8: Injection
    GET /api/user?id=12345%27%20union%20(select%20*%20from%20users%3B)
    {Result: [
    { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street },
    { firstName: example, lastName: users, email: [email protected], homeAddress: 987 Demo Road },
    { firstName: Ex, lastName: Ample, email: [email protected], homeAddress: Flat 1 Test Towers }
    ]}
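The slide shows the outcome of the injection but not the code on either side of it. Below is an added example (not from the deck) that puts the defective pattern next to the fixed one: the defect concatenates the id parameter into the SQL text, the fix validates the id and binds it as a query parameter. The in-memory SQLite table, its rows and the column names are constructed for the example; the only thing taken from the slide is the encoded query string, which the code decodes the way a web framework would.

```python
import sqlite3
from urllib.parse import unquote

COLUMNS = ("firstName", "lastName", "email", "homeAddress")


def build_db():
    """Constructed in-memory table (not the deck's data) holding the three users slide 23 leaks."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT, "
        "email TEXT, homeAddress TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (12345, "test", "tester", "test@example.com", "123 Fake Street"),
        (12346, "example", "users", "example@example.com", "987 Demo Road"),
        (12347, "Ex", "Ample", "ex@example.com", "Flat 1 Test Towers"),
    ])
    return conn


def vulnerable_lookup(conn, raw_id):
    """The defect behind slide 23, kept for contrast only: the request parameter is spliced
    into the SQL text, so anything after a closing quote in `raw_id` is parsed as SQL."""
    sql = "SELECT firstName, lastName, email, homeAddress FROM users WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchall()


def parse_user_id(raw):
    """Accept only a plain decimal id; anything else is answered with a 400 before any query."""
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 18:
        return None
    return int(raw)


def get_user(conn, raw_id):
    """GET /api/user?id=<raw_id>: validate, then bind the id as a parameter, never as text."""
    user_id = parse_user_id(raw_id)
    if user_id is None:
        return 400, {"error": "id must be a number"}
    row = conn.execute(
        "SELECT firstName, lastName, email, homeAddress FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(zip(COLUMNS, row))


# The query string from slide 23, decoded as a framework would before handing it to the handler.
INJECTED_ID = unquote("12345%27%20union%20(select%20*%20from%20users%3B)")
```

Parameter binding is the actual fix: with `?` the driver sends the value separately from the statement, so the decoded text can only ever be compared against the id column. The digit check in front of it is defence in depth and a better error for the client; it is not what makes the query safe.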

  24. API9: Improper Assets Management
    /tour/info deployed as v1, v1, v1, v2, v2

  25. API10: Insufficient Logging & Monitoring
    Icon thenounproject.com/sultanm/

  26. API Access Management

  27. API Access Management (API AM)
    Lifecycle: What state is it in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available?
    Interface: What does it expose? Which resources? Which methods? Which objects? Which fields?
    Access: Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts?
    Consumption: How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs?
    Business: How does it drive business goals? Partner CRM, Monetization, Marketing, Business Analytics

  28. Delegated authorization with OAuth 2.0

  29. Who’s who of OAuth 2.0
    Roles: Resource Owner, Client, Authorization Server, Resource Server
    Hotel analogy: Guest, Hotel Room, Reception Desk, Hotel

  30. Authorization Server
    (The source of trust for the application)

  31. Scope
    (a requested permission)

  32. Register: redirect address
    ClientID, Client secret

  33. ClientId
    (a unique identifier of an application)

  34. ClientSecret
    (an authenticator for an application)

  35. client id, client secret, scopes → Access Token
    The client then presents the Access Token with each API call

  36. Access Policy
    (control the behavior of the authz server for a given application)
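Slides 30 to 36 introduce the vocabulary (authorization server, scope, client id and secret, access policy, access token) one term at a time. The following is an added example, not the deck's code and not Okta's implementation, that wires those terms together for the client-credentials case shown on slide 35: a token endpoint that authenticates the client, applies a per-client access policy to the requested scopes, and issues a signed token; and a resource server that verifies the token and checks the scope. The client registrations, the signing key, the compact payload.signature token format and the one-hour lifetime are all assumptions for the example; a real authorization server issues standard JWTs and is what a deployment should use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed client registrations (slide 32): redirect address omitted because the
# client-credentials grant has no browser redirect. allowed_scopes is the access policy (slide 36).
CLIENTS = {
    "beertour-api": {"secret": "s3cret-from-registration", "allowed_scopes": {"pubs:read", "tours:write"}},
    "thirstywalker": {"secret": "another-secret", "allowed_scopes": {"pubs:read"}},
}
SIGNING_KEY = b"constructed-authz-server-signing-key"   # assumption: HMAC key known only to the authz server
TOKEN_TTL = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(client_id, client_secret, requested_scopes, now=None):
    """Authorization server token endpoint (slide 35). Returns (status, body)."""
    client = CLIENTS.get(client_id)
    # Same failure for unknown client and wrong secret; constant-time compare on the secret.
    if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    requested = set(requested_scopes)
    if not requested or not requested <= client["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}        # access policy: only registered scopes
    now = int(time.time()) if now is None else now
    claims = {"client_id": client_id, "scope": sorted(requested), "iat": now, "exp": now + TOKEN_TTL}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return 200, {"access_token": payload + "." + _sign(payload), "token_type": "Bearer", "expires_in": TOKEN_TTL}


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        payload, signature = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), signature):
        return None
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def resource_server(token, required_scope, now=None):
    """Resource server check in front of an API route: 401 for a bad token, 403 for a missing scope."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    if required_scope not in claims["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"client": claims["client_id"]}
```

Two points the code makes that the slides leave implicit: the resource server never sees the client secret (only the signed token), and scope is checked twice, once by policy at issuance and once by the API at use, so a token for pubs:read cannot be used against a tours:write route even though the same client could have asked for it.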

  37. API Access Management (API AM)
    Lifecycle: What state is it in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available?
    Interface: What does it expose? Which resources? Which methods? Which objects? Which fields?
    Access: Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts?
    Consumption: How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs?
    Business: How does it drive business goals? Partner CRM, Monetization, Marketing, Business Analytics
