
Securing and Testing APIs for stability and peace of mind

Mark O’Neill: VP Innovation @ Axway
Session: Security and Testing
API Strategy & Practice Conference, Amsterdam 2014


Transcript

  1. © 2014 Axway | Confidential 1 – Securing and Testing APIs for stability and peace of mind. Mark O’Neill, VP Innovation, Axway. #APIStrat 2014 Amsterdam
  2. Buffer – What Went Wrong (diagram labels): consumer_secret, appsecret_proof, GitHub password, “Not Used!”, “Stored in the clear in source code!”, access token, access token, “Unencrypted Storage!”, token database
  3. A new meaning to Side-channel attacks
     • “The consumer_secret is mandatory (kudos to Twitter) but hackers broke into the Buffer’s GitHub database (where the string was hard coded in the source code) and took it!” http://security-architect.blogspot.com/2013/11/oauth-protected-access-at-facebook-and.html
  4. Thinking more broadly about security
     • Identity – Authentication – Delegation – Authorization (Who can do what to which API?)
     • Attack prevention – Content-level threats – DoS / DDoS
     • Privacy – PII (Personally identifiable information)
     • Side Channel Attacks
  5. Who are the security stakeholders?
     App Developer
     • Client (application) keys, identifiers
     • Integrity of access and refresh tokens
     • Application and Developer reputation
     Service Provider
     • Access control violations (data protection)
     • Availability (scale, responsiveness)
     • Identity management (life cycle)
     Apps (Service Consumers)
     • Credential protection (stored passwords)
     • Phishing
     • Reputation
  6. Web Threats—REST Edition
     • Injection attacks (XSS, SQL, XPath, XQuery)
     • Buffer Overflow
     • (D)DoS attacks
     • XML attacks
     • JSON attacks
     • Session attacks / CSRF
  7. Blacklist – Negative Security Model
     • Define what is disallowed
     • The Anti-Virus/IDS model
  8. Whitelist – Positive Security Model
     • Define what is allowed
     • Block everything else
     • This is better
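To make the blacklist/whitelist contrast on slides 7 and 8 concrete, here is an added Python example (not from the deck or from Axway): a negative-model check that passes any request body not matching a known-bad pattern, beside a positive-model check that accepts only a declared request shape and rejects everything else. The field names, patterns, size limit and sample bodies are all constructed for illustration.

```python
import json
import re

# Negative model: a denylist of patterns seen in past attacks (constructed here;
# a real IDS/WAF list is far longer, and still incomplete by construction).
DENYLIST = [re.compile(p, re.IGNORECASE) for p in (r"<script", r"union\s+select", r"\.\./")]

# Positive model: the only shape a hypothetical POST /users body may take.
ALLOWED_FIELDS = {
    "username": (str, re.compile(r"^[a-z0-9_]{3,32}$")),
    "email":    (str, re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")),
    "age":      (int, None),
}

def negative_model_check(raw: str):
    """Allow unless a denylisted pattern appears somewhere in the raw body."""
    for pat in DENYLIST:
        if pat.search(raw):
            return False, f"matched denylist pattern {pat.pattern!r}"
    return True, "no denylisted pattern found"

def positive_model_check(raw: str, max_bytes: int = 1024):
    """Allow only a JSON object whose every field is declared, typed and well-formed."""
    if len(raw.encode()) > max_bytes:
        return False, "body too large"
    try:
        body = json.loads(raw)
    except ValueError:
        return False, "not valid JSON"
    if not isinstance(body, dict):
        return False, "body must be a JSON object"
    unknown = set(body) - set(ALLOWED_FIELDS)
    if unknown:
        return False, f"undeclared field(s): {sorted(unknown)}"
    for name, (typ, regex) in ALLOWED_FIELDS.items():
        if name not in body:
            return False, f"missing field {name!r}"
        value = body[name]
        # bool is a subclass of int in Python, so exclude it explicitly for the int field
        if not isinstance(value, typ) or isinstance(value, bool):
            return False, f"field {name!r} has wrong type"
        if regex and not regex.fullmatch(value):
            return False, f"field {name!r} is malformed"
    return True, "body conforms to schema"

# Constructed sample requests: the second smuggles an undeclared 'role' field (mass
# assignment) and an out-of-format username; neither matches any denylist entry.
GOOD = json.dumps({"username": "alice_01", "email": "alice@example.com", "age": 30})
BAD = json.dumps({"username": "x" * 500, "email": "a@b", "age": 30, "role": "admin"})
```

Running both checks over `GOOD` and `BAD` shows the denylist passing both bodies while the positive model rejects the second at the first undeclared field.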
  9. Protection: The “API Mullet” Pattern
     • API Gateway enables you to:
       – Reduce your attack surface
       – Bridge to more “messy” internal systems
  10. Case Study • Blackhawk Network (diagram labels): eNetwork API, API, Payment Services, API Gateway
  11. OAuth 2.0 in Action (diagram labels): Apps, Web API Access Enforcement, API Versioning, OAuth Token Roaming, GeoIP Filtering, Car API Security; sample token as wrapped on the slide: 11Y7pXE5FwLtUnOQRpy yxRn9h4p4ctvOuNkVyr EsvtO6vnAdrkXlEczS4; OAuth 2.0 Token – scopes[] (Grants access), Issued for application, Identifies user
  12. API Workshop – Utrecht, April 3
     • Simon Redfern, Open Bank Project: "Bank as a platform, transparency as an asset. How the Open Bank Project enables an innovation ecosystem"
     • Menno Abbink, Essent: “Powering the Hybrid Cloud – How APIs enable Cloud to Ground IT Integration”
     • Register at benelux.axway.com
     • OAuth 2.0, WebSockets, SAML, API Keys