apidays Australia 2023 - The Swiss Cheese Model of Layered API Security, Leon Andrews, Terem

Transcript

1. The Swiss Cheese Model of Layered API Security apidays Australia

   11 October 2023

2. 1996 - MSc Information Systems & Technology + Perl 1997

   - NetChannel UK - WebTV startup 1998 - jobnet.com.au - Australia’s first commercial web services? 2001 - RecuitASP & HRX - Disruptive SaaS recruitment and HR 2012 onwards - Consulting in digital, mobility, integration, APIs, platform engineering… Currently heading up Terem's API and Platform Engineering business in ANZ About me

3. Terem Terem is a product development and strategy firm that

   works for enterprises, tech companies and Government. We’re most valuable when we run strategy and product development iteratively, working towards a commercial outcome. We’re based across Australia and New Zealand.

4. Terem Australia & NZ API Survey 2023

5. The model depicts a system as a stack of slices

   of Swiss cheese, with each slice representing a barrier or safeguard against failure. • Developed by James Reason, a British Psychologist in the 1990s, as a metaphor for how complex systems can fail. • Holes in the cheese represent weaknesses in the barriers. • The holes are randomly distributed, so that they don’t always align. • When the holes in the slices align, a hazard can pass through all of the barriers and cause a failure. The Swiss Cheese Model

6. The Swiss Cheese Model Based on the idea that incidents

   are usually the result of a combination of factors • Human errors • Bad actors • System failures • Environmental conditions Can also be used to identify the different layers of protection in a system and to assess the effectiveness of those layers.

7. Wikipedia has this diagram as their example Notice there are

   two types of cheese, and we’ll borrow that idea. Each layer has holes, and some layers are even slightly broken Multiple layers improve the chance of protection from the virus Wikipedia’s example

8. Applying this to API Security Our layers of Swiss cheese

   have to cover a lot: • We’re protecting against a wide range threats: ◦ Mostly from “bad actors” with specific intent • But also dealing with: ◦ Human traits such as… ▪ Skill levels / intelligence ▪ Motivation / Energy ▪ Boredom / Interest / Laziness ▪ Appreciation / Appetite for risk ◦ Mistakes - poor execution ◦ Time - rushed execution ◦ Exploitable bugs in software platforms ◦ Unknown unknowns

9. The OWASP 10 API risks… It’s tempting to think that

   because these are “API security risks”, the focus needs to be on “the APIs” The Swiss Cheese Model helps us think about this differently Many of these risks are not particularly API-specific, they apply more broadly.

10. • Technology Swiss Cheese ◦ Hardware and software systems ◦

    Frameworks that operate on these systems Our two cheese types • Human Swiss Cheese ◦ Business drivers ◦ Mindset and motivation

11. • Technology Swiss Cheese ◦ Network layer Technology Swiss Cheese

12. • DNS / IP configuration • Web Application Firewall (WAF)

    • Load Balancing • Cloud-specific environment configuration Network Layer

13. Technology Swiss Cheese • Technology Swiss Cheese ◦ Network layer

    ◦ Auth layer

14. • Authentication & Authorisation across every OSI Layer 1-7 •

    How well is this baked into your API request & response flow? • From basic HTTP authentication to Mutual TLS and everything in-between • Affects access to run APIs, but also for APIs to call other resources, internal and external developers to access platforms, and admins to run the platforms Auth Layer

15. Technology Swiss Cheese • Technology Swiss Cheese ◦ Network layer

    ◦ Auth layer ◦ Protocol layer

16. • The protocols in place to determine access to APIs,

    and how well they are used. • API Specifications and their contents • Ensuring APIs are succinctly described and precise in their scope • This may be where some obfuscation can be used • Acting as an initial barrier to entry Protocol Layer

17. • Technology Swiss Cheese ◦ Network layer ◦ Auth layer

    ◦ Protocol layer ◦ Gateway layer Technology Swiss Cheese

18. • The actual server that’s processing the API requests •

    API proxy, appraising requests, triggering service calls, returning responses. • Following rules about how traffic can flow • Does a lot of the heavy lifting • Can also provide clues to an attacker Gateway Layer

19. • Technology Swiss Cheese ◦ Network layer ◦ Auth layer

    ◦ Protocol layer ◦ Gateway layer ◦ Monitoring layer Technology Swiss Cheese

20. • Monitoring and alerting when issues arise • Needs to

    be well focused - may need to cover 1000s of scenarios • Some platforms now feature AI tools to help detect issues • API platforms typically provide analytics engines to read the data Monitoring Layer

21. • Technology Swiss Cheese ◦ Network layer ◦ Auth layer

    ◦ Protocol layer ◦ Gateway layer ◦ Monitoring layer ◦ CI/CD layer Technology Swiss Cheese

22. • Build and Test Automation • Ensuring APIs are well

    formed • Critical testing layer that implements policy and ensures adherence • Automated code generation • Automated resource provisioning CI/CD Layer

23. • Technology Swiss Cheese ◦ Network layer ◦ Auth layer

    ◦ Protocol layer ◦ Gateway layer ◦ Monitoring layer ◦ CI/CD layer ◦ API Platform layer Technology Swiss Cheese

24. • Configuration Tools ◦ Rate Limiting / quotas / throttling

    ◦ Input parsing & transformation ◦ Authorisation ◦ Flows ◦ Policies ◦ Products ◦ Payments ◦ Versioning • Developer Tools / IDE • Developer Portal API Platform Layer

25. • Technology Swiss Cheese ◦ Network layer ◦ Auth layer

    ◦ Protocol layer ◦ Gateway layer ◦ Monitoring layer ◦ CI/CD layer ◦ API Platform layer ◦ Service Layer Technology Swiss Cheese

26. • Applications • Databases • Microservices • Integrated SOA Services

    • SaaS Componentry • Third Party systems Service Layer

27. • Technology Swiss Cheese ◦ Network layer ◦ Auth layer

    ◦ Protocol layer ◦ Gateway layer ◦ Monitoring layer ◦ CI/CD layer ◦ API Platform layer ◦ Service Layer Technology Swiss Cheese

28. • Technology Swiss Cheese Network layer, Auth layer, Protocol layer,

    Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer Human Swiss Cheese • Human Swiss Cheese ◦ Developer Documentation layer

29. • API development guidelines • How-tos, FAQs and knowledge bases

    • Well-written API specs Developer Documentation Layer

30. Human Swiss Cheese • Human Swiss Cheese ◦ Developer Documentation

    layer ◦ Operating Model layer • Technology Swiss Cheese Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer

31. • How the business manages its API Program • How

    it facilitates the API lifecycle from ideation through to implementation and operations • APIs as Products • How the business empowers and manages its engineers • How the business uses API analytics to inform its decision-making Operating Model Layer

32. Human Swiss Cheese • Human Swiss Cheese ◦ Developer Documentation

    layer ◦ Operating Model layer ◦ Business Mindset layer • Technology Swiss Cheese Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer

33. • How the business promotes API security internally • How

    it demonstrates its understanding of security • How the culture of IT security is embedded from the top down Business Mindset Layer

34. Human Swiss Cheese • Human Swiss Cheese ◦ Developer Documentation

    layer ◦ Operating Model layer ◦ Business Mindset layer ◦ Bonus layer - Community • Technology Swiss Cheese Network layer, Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer

35. • The API community! • White hats • Bug bounties

    • Bloggers • Researchers • Evangelists Bonus Layer - Community

36. Building up the layers • Technology Swiss Cheese Network layer,

    Auth layer, Protocol layer, Gateway layer, Monitoring layer, CI/CD layer, API Platform layer, Service Layer • Human Swiss Cheese Developer Documentation layer, Operating Model layer, Business Mindset Layer, Bonus layer - Community

37. Just another API-based system Assumptions: 1. The APIs are meant

    to be called by an app that’s running on a device, but are easy enough to discover 2. Traffic is load balanced and passes a firewall 3. Requests are authenticated and authorisation is sought for data access 4. There may be a few versions of the API in production, to support legacy apps 5. The API endpoint is hosted in the public cloud. 6. Its proxy has been deployed using a SaaS API gateway that resides inside any number of virtualized groups.

38. Swiss Cheese In Action Let’s focus on three examples that

    are covered in OWASP 10, and how the Swiss Cheese Model gives us a different way to think about them… 1. An attacker trying to gain unauthorised access to run APIs 2. An Attacker trying to exploit obvious patterns in IDs and codes through an enumeration attack 3. Attacker trying to insert SQL into your API to trick a database to perform an action: SQL injection attack

39. Attack 1: Gaining unauthorized access • An attacker is attempting

    to gain access to information that their identity should not allow them to see • The request might look legitimate enough, they may already have an account • Or the attacker may be trying to brute-force IDs or passwords to log in to different accounts

40. Attack 1: Gaining unauthorized access • Technology Swiss Cheese ◦

    Network layer - WAF does nothing - the request looks normal ◦ Auth layer - Detects unauthorized access attempt ◦ Protocol layer - Defines the tightness of the auth requirements ◦ Gateway layer - Blocks unauthorized access attempt ◦ Monitoring layer - Detects unusual params, traffic patterns, auth attempts ◦ CI/CD layer - Prevents code without necessary auth being deployed ◦ API Platform layer - Provides tools to implement the auth model ◦ Service Layer - Provides deeper auth checks on apps and services • Human Swiss Cheese ◦ Developer Documentation layer - Educates developers on auth policy ◦ Operating Model layer - Ensures auth best practices are in place ◦ Business Mindset layer - Inspires adoption of auth best practices ◦ Community layer - Educates and innovates API auth

41. Attack 2: Enumeration • An attacker already has access to

    the system • They’re trying to manipulate API calls by guessing identifiers in the request • Or they may be trying to harvest data to look for patterns in identifiers

42. Attack 2: Enumeration • Technology Swiss Cheese ◦ Network layer

    - Does nothing - request looks normal ◦ Auth layer - Does nothing - request looks normal ◦ Protocol layer - Helps define sensible API taxonomy ◦ Gateway layer - Does nothing - request looks normal ◦ Monitoring layer - Detects unusual request parameters or traffic patterns ◦ CI/CD layer - Prevents code with sequential IDs being deployed ◦ API Platform layer - Provides tools to translate vulnerable IDs ◦ Service Layer - Provides tools to translate or use alternative ID schemes • Human Swiss Cheese ◦ Developer Documentation layer - Educates developers on ID policy ◦ Operating Model layer - Ensures ID best practices are in place ◦ Business Mindset layer - Inspires adoption of ID best practices ◦ Community layer - Educates and innovates API security

43. Attack 3: SQL Injection • An attacker already has access

    to the system • They know that down the line, services are interacting with legacy RDBMS • They know of 100s of ways to try and exploit vulnerabilities

44. Attack 3: SQL Injection • Technology Swiss Cheese ◦ Network

    layer - Does nothing - request looks normal ◦ Auth layer - Does nothing - request looks normal ◦ Protocol layer - Helps define sensible API taxonomy ◦ Gateway layer - Filters out SQL in request parameters ◦ Monitoring layer - Alerted to SQL injection attempt ◦ CI/CD layer - Prevents code with SQL vulnerability being deployed ◦ API Platform layer - Provides tools to parse for SQL injection ◦ Service Layer - Provides tools to prevent execution of dynamic SQL • Human Swiss Cheese ◦ Developer Documentation layer - Educates devs on use of dynamic SQL ◦ Operating Model layer - Ensures dynamic SQL best practices are in place ◦ Business Mindset layer - Inspires adoption of SQL best practices ◦ Community layer - Educates and innovates API security

45. What we see happening… Without thinking about layers • Security

    is often done at the wrong point • Assumptions are made about who’s job this is • The technical and human pieces don’t line up • There’s no holistic API operating model • Human behaviour is vastly under-considered “Block everything with the WAF!” CEO has taken the finest security course available “Another team owns these legacy services” “People and Culture have provided you with a training budget” “Just get it done quickly on this under-configured API gateway” “The docs are in Confluence!”

46. What we see happening… • Technology Swiss Cheese ◦ Network

    layer - Trying to detect everything at the WAF ◦ Auth layer - Basic auth, shared accounts, broad permissions ◦ Protocol layer - API taxonomy not tightly defined ◦ Gateway layer - Configured for throughput, not security ◦ Monitoring layer - Focused on system warnings not security events ◦ CI/CD layer - Basic Linting / warnings but nothing enforced ◦ API Platform layer - Capabilities applied sparsely and inconsistently ◦ Service Layer - Legacy / third party services executed without question • Human Swiss Cheese ◦ Developer Documentation layer - Scant guidelines, inconsistent style ◦ Operating Model layer - No genuine end-to-end view of API Program ◦ Business Mindset layer - Security is a technical IT problem ◦ Community layer - Reactive search over active participation

47. What should be happening… Thinking about layers Accepting you can’t

    detect every attack with one tool Allowing each layer to do its job Spending the time to unite your teams to instill security at every layer Making use of everything that your API platform and other tools provide Making sure engineers and the business have the time to focus on each layer

48. What a good stack of cheese looks like • Technology

    Swiss Cheese - constantly iterating and evolving ◦ Network layer - WAF detecting unusual traffic patterns and alerting you ◦ Auth layer - A modern framework with real-time control ◦ Protocol layer - Taxonomy specifying APIs succinctly and giving nothing away ◦ Gateway layer - Configured to use every provided security tool ◦ Monitoring layer - Extensive coverage across every layer, proactive alerting ◦ CI/CD layer - Rigid, extensive test automation against mandatory criteria ◦ API Platform layer - Security framework applied universally from top down ◦ Service Layer - Services executed with extreme caution • Human Swiss Cheese - staying in front of the curve ◦ Developer Documentation layer - Full API dev guidelines, made easy to follow ◦ Operating Model layer - Governance across the whole API lifecycle ◦ Business Mindset layer - Instilling a security-first mindset ◦ Community layer - Active participation in the community!

49. Terem Australia & NZ API Survey 2023

50. None