API Security

Transcript

1. API Security @maceip October 24th 2013 APIStrat

2. API Security Principals •  Traffic Monitoring •  Authentication •  Throttling/Quotas

   •  Encryption •  Sane Design

3. Real World •  Log Neglect •  Where’s the Authorization (AAA!)

   •  Surgical Theft •  I’m not in your TLS – But the NSA probably is •  Design once

4. Information Disclosure •  API Design? – Regardless of API Exposure • 

   Security Staff – Design involvement? – Hire people who relentlessly think like attackers

5. Example:

6. Endpoint Returns:

7. Your (virtual) appliances won’t save you [“mashery”,”apigee”,”3scale”,”fireeye”,”radware”,”f5”,”i mperva”,”trustwave”,”barracuda”,”cloudflare”,”qualys”, ”palo alto”,

   “fortinet”, “layer7”, “vordel”, “soa”, “sonicwall”, “mod_security”, “kona”, “whitehat”, “mulesoft”, “ciphercloud”, “skyhigh”]

8. Questions for Architects •  If your API codebase was public,

   would you be concerned? – Why? •  Have you done an API security audit?

9. Consumer Concerns •  Who has my KEY! – Build support for

   external encryption keys •  Inter-Provider communication transparency – Box <-> Salesforce – Programmatic log access should be a given

10. Looking Forward •  Hijacking Data – Fake/malicious third party applications • 

    W0rd app on dropbox is asking for permissions! •  API-centric Denial of Service •  Better user reputation systems (they all suck) •  More context around transactions

11. Break before you build! [email protected]