Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing APIs

D7c78f8757327b65a637aece98939f01?s=47 Andy March
November 12, 2019

Securing APIs

As our applications become increasing dependent on APIs to function we review the threats to your API security and how Okta and NGINX can help protect you and your data.

D7c78f8757327b65a637aece98939f01?s=128

Andy March

November 12, 2019
Tweet

Transcript

  1. Securing APIs Lunch and Learn London

  2. 10+ years working in secure systems Hi! Platform Specialist at

    Okta Software Developer (.NET / Java / JS) @andymarch
  3. OpenStreetMap Yelp Uber Get map data Get reviews Get a

    ride Find me 5 good pubs between Farringdon and Kings Cross BeerTour.io ThirstyWalker.net Find x good pubs between a and b BeerTour.api Find x good pubs between a and b
  4. User API Client

  5. Information wants to be free. Stewart Brand

  6. None
  7. None
  8. Information wants to be free. Information also wants to be

    expensive. Stewart Brand
  9. https://delivery/panerabread.com/foundation-api/users/uramp/738194 August 2017

  10. https://delivery/panerabread.com/foundation-api/users/uramp/738194 https://delivery/panerabread.com/foundation-api/users/uramp/738195 https://delivery/panerabread.com/foundation-api/users/uramp/738196 https://delivery/panerabread.com/foundation-api/users/uramp/738197 https://delivery/panerabread.com/foundation-api/users/uramp/ … https://delivery/panerabread.com/foundation-api/users/uramp/ … https://delivery/panerabread.com/foundation-api/users/uramp/ …

    August 2017 Username, First and last name, Email, Phone number, Birthday, CC last 4 digits, Home address, linked social accounts, saved preferences and dietary restrictions, gift cards
  11. Architecting for Security

  12. API Maturity Model Phase 0 Integrate internal systems by private

    APIs Internal collaboration for internal applications Phase 2 Limited API access to partners, resellers and suppliers Phase 3 APIs as full fledged products with external developer access Security Team evaluates use cases, interfaces, authentication, access management, etc, etc Phase 1 Application microservices Shared microservices Trusted partner APIs Public service APIs
  13. Think like a bad guy. Icon thenounproject.com/sultanm/

  14. None
  15. API1: Broken Object Level Authorization GET /api/user/12345 GET /api/user/12345 GET

    /api/user/12346 GET /api/user/12347 GET /api/user/12348
  16. API2: Broken Authentication

  17. Don’t roll your own identity

  18. None
  19. None
  20. API3: Excessive Data Exposure { firstName: test, lastName: tester, email:

    test@test.com, homeAddress: 123 Fake Street, cc: 1234 } Hi test tester /api/user Portal app
  21. API3: Excessive Data Exposure { firstName: test, lastName: tester, email:

    test@test.com, } Hi test tester /api/user Portal app { cc: 1234 } Would you like to update your payment card ending 1234 /api/user/payment Portal app
  22. API4: Lack of Resources and rate limiting Icon thenounproject.com/sultanm/

  23. API5: Broken Function Level Authorization TourOrganiser TourAttendee /tour/info GET GET

    PUT PUT
  24. API6: Mass Assignment { firstName: test, lastName: tester, email: test@test.com,

    homeAddress: 123 Fake Street } PUT /api/user { userid: 12345, firstName: test, lastName: tester, email: test@test.com, homeAddress: 123 Fake Street, role: user } { role: admin } PUT /api/user { userid: 12345, firstName: test, lastName: tester, email: test@test.com, homeAddress: 123 Fake Street, role: admin }
  25. API7: Security Misconfiguration

  26. API8: Injection Credit: https://xkcd.com/327/

  27. API8: Injection GET /api/user?id=12345 { firstName: test, lastName: tester, email:

    test@test.com, homeAddress: 123 Fake Street }
  28. API8: Injection GET /api/user?id=12345%27%20union%20(select%20*%2 0from%20users%3B) {Result: {[ { firstName: test,

    lastName: tester, email: test@test.com, homeAddress: 123 Fake Street}, { firstName: example, lastName: users, email: user@example.com, homeAddress: 987 Demo Road}, { firstName: Ex, lastName: Ample, email: ex@mple.com, homeAddress: Flat 1 Test Towers
  29. API9: Improper Assets Management /tour/info v1 v1 v1 v2 v2

  30. API10: Insufficient Logging & Monitoring Icon thenounproject.com/sultanm/

  31. API Access Management

  32. API Access Management (API AM) Lifecycle What state is it

    in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available? Interface What does it expose? Which resources? Which methods? Which objects? Which fields? Access Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts? Consumption How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs? Business How does it drive business goals? Partner CRM Monetization Marketing Business Analytics
  33. None
  34. Delegated authorization with OAuth 2.0

  35. Who’s who of OAuth 2.0 Resource Owner Client Authorization Server

    Resource Server Guest Hotel Room Reception Desk Hotel
  36. Authorization Server (The source of trust for the application)

  37. None
  38. None
  39. None
  40. Scope (a requested permission)

  41. None
  42. Register: redirect address ClientID, Client secret

  43. None
  44. None
  45. ClientId (a unique identifier of an application)

  46. ClientSecret (an authenticator for an application)

  47. None
  48. None
  49. client id, client secret, scopes Access Token Access Token

  50. Access Policy (control the behavior of the authz server for

    a given application)
  51. None
  52. None
  53. None
  54. None
  55. None
  56. API Access Management (API AM) Lifecycle What state is it

    in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available? Interface What does it expose? Which resources? Which methods? Which objects? Which fields? Access Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts? Consumption How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs? Business How does it drive business goals? Partner CRM Monetization Marketing Business Analytics
  57. &