October 12, 2022

apidays Australia 2022 - Practical API Security and the role of API Management, Ahmed Elharouny, Telstra Health

apidays Australia 2022 - Enabling Business Networks
September 14 & 15, 2022

Practical API Security and the role of API Management
Ahmed Elharouny, Technology Platform Manager at Telstra Health
------------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Deep dive into the API industry with our reports:
https://www.apidays.global/industry-reports/

Subscribe to our global newsletter:
https://apidays.typeform.com/to/i1MPEW

Transcript

  1. TELSTRA HEALTH INTERNAL
     Practical API Security and the role of API Management
     Ahmed Elharouny, Technology Platform Manager, Telstra Health
  2. 2022 series of events
     New York JULY (HYBRID), Australia SEPTEMBER (HYBRID), Singapore APRIL (VIRTUAL), Helsinki & North MARCH (VIRTUAL), Paris DECEMBER (HYBRID), London OCTOBER (HYBRID), Hong Kong AUGUST (VIRTUAL), JUNE (VIRTUAL), India MAY (VIRTUAL), APRIL (VIRTUAL), Dubai & Middle East JUNE (VIRTUAL)
     Check out our API conferences: www.apidays.global
     Want to talk at one of our conferences? apidays.typeform.com/to/ILJeAaV8
  3. OWASP Top 10
     OWASP is a non-profit, collaborative online community behind the OWASP Top 10. The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
  4. Authorize clients in API Gateway (A01 - Broken Access Control)
     • Use the Validate JWT policy to check the validity of an incoming OAuth 2.0 JWT access token based on information obtained from the OAuth identity provider's metadata endpoint.
     • Decouple front-end access control from backend access control.
     • Protect existing systems with legacy or weak authorization methods without code changes.
  5. Deploy API Gateway in a private network (A01 - Broken Access Control)
     • The API gateway should be deployed into a peered/connected private network.
     • Backend services must only allow access from the API Gateway.
     • Support internal-only APIs.
  6. Deploy API Gateway in a private network (Broken Access Control)
     • Deploying the API gateway in a private network allows Service Endpoints to secure access to services outside the private network.
     • Backend services should apply access restrictions to only allow traffic from the APIM subnet.
  7. CORS handling in API Gateway policies (A01 - Broken Access Control)
     • Handling CORS in the API Gateway frees services from handling browser-related requirements.
  8. Configure safe protocols and ciphers (A02 - Cryptographic Failures)
     • Disable legacy protocols like TLS 1.0, TLS 1.1 and SSL 3.0.
     • Understand where the client TLS handshake is happening.
     • TLS termination or end-to-end encryption?
  9. Security transformation in API Gateway global policy (A05 - Security Misconfiguration)
     • Add security headers globally (e.g., Strict-Transport-Security, X-Content-Type-Options).
     • Remove informative headers globally (e.g., Server, X-Powered-By).
  10. Secure access to API definitions via Developer Portal (A05 - Security Misconfiguration)
     • Reduce the risk of exposing API definitions, documentation and sensitive data in unstructured/ungoverned tools.
  11. API Gateway as secret store / outbound proxy (A05 - Security Misconfiguration)
     • Single-page applications.
     • Unattended scenarios such as an Azure function using a timer trigger.
     • Enterprise applications using service-to-service authorization can use the client credentials grant against backend APIs that use Authorization Code
  12. Set max request size globally in API Gateway (API4 - Lack of resources and rate limiting)
     • Set max request size and file upload limits globally.
     • Set max request timeout globally.
     • More sensitive services can have stricter limits; however, a baseline is important.
  13. Set API rate limits and quotas in API Gateway (API4 - Lack of resources and rate limiting)
     • Every API must have a rate limit, no exceptions.
     • Apply a global rate limit as a baseline and allow each API to apply its own.
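As an added example that is not from the deck, here is how the baselines of slides 9, 12 and 13 look as a global ("All APIs") policy in Azure API Management, the gateway the deck's APIM subnet and Azure Functions references point at. The numeric limits are assumed starting values, and the per-client counter key uses the caller's IP address as a placeholder (a subscription id or token claim is the usual choice).

```xml
<policies>
  <inbound>
    <!-- Slide 13: baseline rate limit and daily quota for every caller;
         each API may tighten these in its own policy, none may skip them.
         rate-limit-by-key / quota-by-key are the variants allowed at global scope. -->
    <rate-limit-by-key calls="100" renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />
    <quota-by-key calls="100000" renewal-period="86400"
                  counter-key="@(context.Request.IpAddress)" />
    <!-- Slide 12: global request-size ceiling in bytes (covers uploads);
         content-type and schema checks are left to each API's own policy. -->
    <validate-content unspecified-content-type-action="ignore"
                      max-size="10485760" size-exceeded-action="prevent" />
  </inbound>
  <backend>
    <!-- Slide 12: global request timeout towards the backend, in seconds. -->
    <forward-request timeout="30" />
  </backend>
  <outbound>
    <!-- Slide 9: add security headers on every response. -->
    <set-header name="Strict-Transport-Security" exists-action="override">
      <value>max-age=31536000; includeSubDomains</value>
    </set-header>
    <set-header name="X-Content-Type-Options" exists-action="override">
      <value>nosniff</value>
    </set-header>
    <!-- Slide 9: strip headers that advertise the backend technology. -->
    <set-header name="Server" exists-action="delete" />
    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />
  </outbound>
  <on-error>
    <!-- Error responses generated by the gateway must not leak them either. -->
    <set-header name="Server" exists-action="delete" />
    <set-header name="X-Powered-By" exists-action="delete" />
  </on-error>
</policies>
```

Per-API policies inherit this via `<base />`; an API that omits `<base />` in its inbound section silently drops the baseline, which is worth checking in review.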
  14. Add caching policies to protect backends (API4 - Lack of resources and rate limiting)
     • Optimize performance with API gateway caching, thus reducing the consumption of CPU, memory and networking resources for certain operations in backend services.
  15. Use response schema validation in API Gateway (API3 - Excessive data exposure)
     • Validate the size or content of the response body against one or more API schemas.
     • Validate that the response content type is specified in the API definition.
     • Prevent additional properties.
  16. Use request schema validation in API Gateway (API3 - Excessive data exposure)
     • Validate the size or content of the request body against one or more API schemas.
     • Validate that the request content type is specified in the API definition.
     • Prevent additional properties.
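As an added example (not the deck's own), a per-API Azure API Management policy that applies slides 4, 7, 15 and 16 on top of the inherited global baseline; the tenant id, origin, audience and scope name are placeholders.

```xml
<policies>
  <inbound>
    <base />  <!-- inherit the global baseline first -->
    <!-- Slide 7: CORS handled at the gateway; one explicit origin, no wildcard. -->
    <cors allow-credentials="false" terminate-unmatched-request="true">
      <allowed-origins>
        <origin>https://app.example.com</origin>  <!-- placeholder origin -->
      </allowed-origins>
      <allowed-methods preflight-result-max-age="300">
        <method>GET</method>
        <method>POST</method>
      </allowed-methods>
      <allowed-headers>
        <header>Authorization</header>
        <header>Content-Type</header>
      </allowed-headers>
    </cors>
    <!-- Slide 4: validate the OAuth 2.0 access token; signing keys and issuer
         are taken from the identity provider's openid-configuration document. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized"
                  require-expiration-time="true" require-signed-tokens="true">
      <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://example-backend</audience>  <!-- placeholder audience -->
      </audiences>
      <required-claims>
        <claim name="scp" match="any" separator=" ">
          <value>Records.Read</value>  <!-- placeholder scope -->
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Slide 16: request body must match the API definition's JSON schema;
         undeclared content types and extra properties are rejected. -->
    <validate-content unspecified-content-type-action="prevent" max-size="102400" size-exceeded-action="prevent">
      <content type="application/json" validate-as="json" action="prevent" allow-additional-properties="false" />
    </validate-content>
  </inbound>
  <backend><base /></backend>
  <outbound>
    <base />
    <!-- Slide 15: validate the response the same way, so a backend that
         over-shares cannot leak fields the API contract never declared. -->
    <validate-content unspecified-content-type-action="prevent" max-size="1048576" size-exceeded-action="prevent">
      <content type="application/json" validate-as="json" action="prevent" allow-additional-properties="false" />
    </validate-content>
  </outbound>
  <on-error><base /></on-error>
</policies>
```

Switching the validate-content actions from `prevent` to `detect` logs violations without blocking, which is a safer first step when enabling schema validation on an existing API.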
  17. Use a WAF in (or in front of) API Gateway (API8 - Injection)
     • Modern WAF policies cover many common injection vulnerabilities.
     • Make sure your API Gateway is acting as a WAF, or deploy a WAF in front of it.
     • Ensure that a bad actor can't bypass the gateway hosting the WAF and connect directly to the API Management gateway or the backend API itself.
  18. Use a WAF in (or in front of) API Gateway (API8 - Injection)
     • Make sure WAF rules are configured, reviewed and maintained correctly.
     • Make sure you have sufficient monitoring in place for block and warn actions.
  19. Thank you! Q&A
     Image credits: apisecurity.io, owasp.org, MSDN, infolob.com
     Follow me: linkedin.com/in/harouny/