
Your API ain't as secure as you think


The Bad News:

Last year OWASP published a new top 10, with some surprising changes. Broken access control rocketed from #5 to #1, and cryptographic failures moved up from #3 to #2.

Data breaches are costing organisations more than ever. According to IBM, the average cost of a data breach has climbed 12.7% since 2020.

APIs are at the centre of many of these attacks, either through misuse or exploitation by attackers.

The Good News:

There are architectural approaches that give you new techniques to manage data security risk. These help you separate concerns, divide risk, and defend smaller attack surfaces.

There are also old techniques getting new life due to new breakthroughs in adjacent technologies.

In this talk, attendees will learn:

🪤 What the hidden security traps are when handling data in your APIs
🗺 What architectural approaches you can start iterating towards, to prepare you for the next 10 years
🏃 What techniques you can use today to improve data security in your APIs

Presented at Apidays Australia, September 2022

Appendix — Links

◦ Cost of a Data Breach Report 2022 — IBM
◦ Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill — Wired
◦ Federal Bureau of Investigation Internet Crime Report 2021
◦ 2022 Costa Rican ransomware attack
◦ OWASP Top 10:2021
◦ How Unsecure gRPC Implementations Can Compromise APIs — Trend Micro
◦ Four different authorization models to map users to the correct permission — Auth0
◦ twitchtv/twirp: A simple RPC framework with protobuf service definitions
◦ GRPC Server Reflection Protocol
◦ neex/http2smugl: detect and exploit HTTP request smuggling
◦ aquasecurity/tfsec: Security scanner for your Terraform code
◦ returntocorp/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code

Lindsay Holmwood

September 14, 2022

Transcript

  1. Your API ain’t as secure as you think
    Lindsay Holmwood
    @auxesis
    Chief Product Officer @ CipherStash


  3. 👋 I’m Lindsay
    cipherstash.com/lindsay
    @auxesis
    CipherStash helps you protect sensitive data while still enabling safe access across your org.

  4. The bad news


  5. USD 4.35 million
    Global average total cost of a data breach
    Source: IBM Cost of a Data Breach Report 2022


  6. Data breach costs are increasing


  7. The landscape is changing
    ○ Compliance requirements (e.g., GDPR, CCPA) are becoming more stringent
    ○ Ransomware cost $20B globally in 2021, $6.9B in USA alone
    ○ Attackers are becoming more sophisticated (exploiting supply chains, brokering access) and are moving faster
    Notable breaches this year
    August: Twilio
    125 customers accessed
    July: Shanghai Police
    1 billion citizens exposed
    July: Twitter
    5.4 million user accounts exposed
    May: Costa Rican government
    $30M in losses per day
    May: NIC e-Hospital
    250 million patients exposed

  8. The landscape is changing
    Compliance requirements (e.g., GDPR, CCPA) are becoming more stringent.
    USA regulations in the wings.

  9. The landscape is changing
    Ransomware cost $20B globally — $6.9B in USA alone — in 2021
    Source: FBI IC3 Crime Report 2021

  10. The landscape is changing
    Ransomware costs in 2021:
    ○ $20B globally
    ○ $6.9B in USA alone
    Attackers are becoming more sophisticated (exploiting supply chains, brokering access) and are moving faster

  11. Notable breaches in the last 6 months
    May: NIC e-Hospital
    250 million patients exposed
    May: Costa Rican government
    $30M in losses per day
    July: Shanghai Police
    1 billion citizens exposed
    July: Twitter
    5.4 million user accounts exposed
    August: Twilio
    125 customers accessed

  12. Source: ibm.com/security/data-breach


  13. APIs are at the center of many of these incidents.


  15. #5 => #1
    Broken Access Control
    Based on volume of weaknesses


  16. #3 => #2
    Cryptographic Failures
    Based on volume of weaknesses


  17. #1 => #3
    Injection
    Based on volume of weaknesses


  18. 💨 ⇒ #4
    Insecure design
    Based on volume of weaknesses


  19. The good news:


  20. There are technical solutions:
    ● New tech that are safe bets.
    ● Old architecture techniques getting new life.

  21. Most attacks are not on core systems.
    They are on people who have access to core systems.
    Source: OAIC Feb 2022

  22. Cheaper to invest now than after you get breached or regulated

  23. You succeed by doing the basics well

  24. What architectures and techniques should you be iterating towards?

  25. 1. Third party identity providers

  26. 3rd party IDPs for APIs — before
    Authentication:
    ● Challenge–Response authentication
    ● Secure Remote Password protocol
    ● Client certificate authentication
    Authorisation:
    ● ???


  27. 3rd party IDPs — now
    Authentication:
    ● OAuth2 + JWT
    ● SAML
    ● Self managed identity via Google Workspace, O365

  28. 3rd party IDPs for APIs
    Don’t roll your own auth — use third party identity provider:
    ● Auth0, Ping, Okta
    Untrusted clients, trusted servers:
    ● Client authenticates to IDP
    ● IDP sets up session with API
    ● API is ignorant of users — only knows if IDP gives an OK


  29. 3rd party IDPs for APIs
    Why you should care
    ● Less code, lower ongoing maintenance costs
    ● Better threat detection than what you can build
    ● Your APIs become integrated with broader organisational IAM controls
    ● Access and behaviour tied back to identity

  30. Limit impact of attacks
    Attack vector             Frequency
    Compromised credentials   ~20%
    Cloud misconfiguration    ~15%
    Phishing                  ~15%
    Malicious insider         ~11%
    Source: IBM Cost of a Data Breach Report 2022

  31. Defend against:
    Identification and authentication failures
    ● Cred stuffing and spraying — automated blocking and alerting
    ● Cred recovery abuse — reduce and narrow recovery paths
    Broken access controls
    ● Check bypass — implement standard controls across all endpoints
    ● Allow by default — invert to deny by default

  32. We’re so focused on building auth that we forget about auth

  33. Frees you up to work impactful problems
    Authorization
    ● RBAC: static permissions assigned to users via roles
    ● ABAC: dynamic policies based on user attrs + request context
    Stronger authentication methods
    ● Passwordless
    ● FIDO2

  34. 2. RPC + standardised serialisation formats

  35. RPC
    Use code generation to handle:
    ● Routes
    ● Serialisation
    ● HTTP methods, request/response headers
    ● Errors

  36. RPC Examples
                 gRPC            Twirp
    Origin       Google          Twitch
    Payloads     protobufs       Binary or JSON
    HTTP         HTTP/2          HTTP 1.1 only
    Streaming    Bidirectional   None
    Honorable mention: GraphQL

  37. Serialisation
    Strongly typed communication for:
    ● Network transport
    ● Storage
    Reduces attack surface, to mitigate attacks like:
    ● Injection

  38. Example: Protocol Buffers
    Binary representation of data structures:
    1. Describe data structure using built in types
    2. Compile bindings for languages
    3. Encode/decode data structure in efficient binary format
    Supports basic backwards compatibility via tags.
    // proto3 syntax: the "required" label does not exist in proto3, so query is a plain field.
    syntax = "proto3";
    // RPC service with one typed method.
    service SearchService {
      rpc Search(SearchRequest) returns (SearchResponse);
    }
    // The number after "=" is the field's tag; it identifies the field on the wire.
    message SearchRequest {
      string query = 1;
      optional int32 page_number = 2;
      optional int32 result_per_page = 3;
    }
    message SearchResponse {
      repeated Result results = 1;
    }
    message Result {
      string url = 1;
      string title = 2;
      repeated string snippets = 3;
    }

  39. RPC + serialisation formats for APIs
    Reduce attack surface:
    ● To only what the endpoint explicitly exposes
    ● Stop enumeration
    Build secure clients, faster:
    ● Automatically generate clients for different languages
    ● Automatically generate documentation
    ● Backwards compatibility baked in

  40. Limit impact of attacks
    Attack vector                           Frequency
    Vulnerability in third-party software   ~13%
    System Error                            ~7%
    Source: IBM Cost of a Data Breach Report 2022

  41. Defend against:
    Deserialization attacks
    ● Injection — data injection, only support primitive data types
    ● Privilege escalation — gaining RCE through object deserialisation
    Denial of Service
    ● Resource Exhaustion — drop and log deserialization failures

  42. Also consider:
    Defence in depth:
    ● Use strongly typed languages to stop injection attacks propagating from client to server
    ● WASM, to more tightly control the client side
    gRPC reflection:
    ● Enumerates gRPC services
    ● Exposes protobufs in human readable format (arguments, fields)

  43. Also consider:
    “New” attacks like request smuggling
    SSRF
    WASM

  44. 3. Application Level Encryption

  45. Encrypt data before it hits your database

  46. Application-Level Encryption is the best defence against data breaches
    ID  Name          Email              Medicare   DOB         Last Visit
    1   Bob Alice     [email protected]  1234-1679  1985-04-13  2021-11-12
    2   Ada Lovelace  [email protected]  7811-8900  1815-12-18  2021-03-01
    3   Ron Rivest    [email protected]  1111-7777  1947-05-06  2020-08-17
    ID  Name         Email        Medicare     DOB          Last Visit
    1   FaEZff3jxBo  Ooi9EGk9AHY  kFUXefymauo  AIaq/7zh8Bg  8E7bW/piQdc
    2   /+P5vR/Y6c8  l9pjVGliPpY  coOsKQoqMGs  v65rNTAOLbc  Jrh2cWxZQFI
    3   GzSs7yV+om8  rnm2X1+f8pw  lKWK7jdaUBk  1dPr3mM/nzY  MysZlt3F6FE
    But adoption is low.

  47. Why? Queries are impossible!
    ID  Name         Email        Medicare     DOB          Last Visit
    1   FaEZff3jxBo  Ooi9EGk9AHY  kFUXefymauo  AIaq/7zh8Bg  8E7bW/piQdc
    2   /+P5vR/Y6c8  l9pjVGliPpY  coOsKQoqMGs  v65rNTAOLbc  Jrh2cWxZQFI
    3   GzSs7yV+om8  rnm2X1+f8pw  lKWK7jdaUBk  1dPr3mM/nzY  MysZlt3F6FE
    4   8LDcY5j8as0  o4+DZioP8Y8  jUxr2zGw0UQ  TwaxYXYaLzA  kBhGkhRZh2s
    5   7KkpjDE39ng  hm1dbQpe/iA  dqMY09YeG8s  zcIxZM7sVVw  rLqsko3LmW8
    Medicare number = “1234-1567” ?

  48. Wide range of App Level Encryption plugins for most languages + frameworks:
    JavaScript: objection-encryption, sequelize-encrypted, mongoose-encryption, typeorm-encrypted, typeorm-encrypted-model, prisma-field-encryption, bookshelf-encrypt-columns, mongoose-field-encryption
    Ruby: ActiveRecord Encryption, Lockbox, attr_encrypted, strongbox, crypt_keeper, active_record_encryption, mongoid-encrypted-fields, mongoid-encrypted, symmetric-encryption
    Python: django-fernet-fields, django-encrypted-model-fields, django-cryptographic-fields, django-cryptography, sqlalchemy_utils EncryptedType
    C#: EntityFrameworkCore.DataEncryption, EntityFrameworkCore.EncryptColumn, EntityEncryption
    PHP: EloquentEncryption, eloquent-aes, ambta/DoctrineEncryptBundle, absolute-quantum/DoctrineEncryptBundle, EncryptBundle, elgibor-solution/laravel-database-encryption
    All have the same caveat:
    You do this, you lose search

  49. What’s changed?
    Searchable Symmetric Encryption
    Index encrypted records and search them
    Searchable encrypted index
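One simple way to get exact-match search back over encrypted columns, as an added example that is not from the talk or from CipherStash: a keyed-hash "blind index" stored beside randomised AES-256-GCM ciphertext. It is a basic relative of the searchable encryption named on the slide, not that scheme itself; the key handling, the `medicare_bidx` column and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo keys; real keys would come from a KMS. The two keys must differ.
const ENC_KEY = crypto.randomBytes(32);
const INDEX_KEY = crypto.randomBytes(32);

// AES-256-GCM with a fresh random IV: equal plaintexts give different ciphertexts.
function encryptField(plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptField(blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28)); // final() throws if the row was tampered with
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Keyed hash of the normalised value. Deterministic, so it can be indexed and compared,
// but without INDEX_KEY it cannot be recomputed from guessed Medicare numbers.
function blindIndex(value) {
  const digits = value.replace(/\D/g, ''); // assumption: only the digits are significant
  return crypto.createHmac('sha256', INDEX_KEY).update(digits).digest('base64');
}

// What the database stores: ciphertext columns plus the index column, no plaintext.
function toRow(id, patient) {
  return {
    id,
    name: encryptField(patient.name),
    medicare: encryptField(patient.medicare),
    medicare_bidx: blindIndex(patient.medicare),
  };
}

// Equivalent of: SELECT ... WHERE medicare_bidx = ?  (decryption happens in the application)
function findByMedicare(rows, medicare) {
  const needle = blindIndex(medicare);
  return rows
    .filter((row) => row.medicare_bidx === needle)
    .map((row) => ({ id: row.id, name: decryptField(row.name) }));
}

// Constructed sample data, using the plaintext rows shown on the slide.
const table = [
  { name: 'Bob Alice', medicare: '1234-1679' },
  { name: 'Ada Lovelace', medicare: '7811-8900' },
  { name: 'Ron Rivest', medicare: '1111-7777' },
].map((p, i) => toRow(i + 1, p));
console.log(findByMedicare(table, '1234 1679')); // matches row 1 despite different formatting
console.log(findByMedicare(table, '1234-1567')); // the slide's query: no such patient
```

The index column is deterministic, so anyone who can read the table learns which rows share a Medicare number, and it supports equality lookups only.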

  50. Emerging tools:
    Old pattern, new applications
    JavaScript: objection-encryption, sequelize-encrypted, mongoose-encryption, typeorm-encrypted, typeorm-encrypted-model, prisma-field-encryption, bookshelf-encrypt-columns, mongoose-field-encryption
    Ruby: ActiveRecord Encryption, Lockbox, attr_encrypted, strongbox, crypt_keeper, active_record_encryption, mongoid-encrypted-fields, mongoid-encrypted, symmetric-encryption
    Python: django-fernet-fields, django-encrypted-model-fields, django-cryptographic-fields, django-cryptography, sqlalchemy_utils EncryptedType
    C#: EntityFrameworkCore.DataEncryption, EntityFrameworkCore.EncryptColumn, EntityEncryption
    PHP: EloquentEncryption, eloquent-aes, ambta/DoctrineEncryptBundle, absolute-quantum/DoctrineEncryptBundle, EncryptBundle, elgibor-solution/laravel-database-encryption
    +

  51. Limit impact of attacks
    Attack vector                         Frequency
    Compromised credentials               ~20%
    Cloud misconfiguration                ~15%
    Vulnerability in 3rd party software   ~12%
    Malicious insider                     ~11%
    Physical Security Compromise          ~9%
    Source: IBM Cost of a Data Breach Report 2022

  52. Most attacks are not on core systems.
    They are on people who have access to core systems.
    Source: OAIC Feb 2022

  53. Defend against:
    Broken access controls
    ● Check bypass — multiple factors required to decrypt data
    Security misconfiguration
    ● Unauthorised access — even if authenticated, data still encrypted
    Insecure design
    ● Incomplete threat model — last line of defense

  54. 4. Security static analysis

  55. Security static analysis
    Analyse code and infracode for known vulnerabilities.
    Well established tools:
    ● semgrep
    ● tfsec
    Integrate into CI, catch insecurity before it’s shipped to production.

  56. Example: tfsec
    ● Finds insecure defaults and configurations
    ● Hundreds of checks across major and minor clouds
    ● Drop into CI pipelines

  57. Example: semgrep
    ● Supports 25+ languages
    ● Thousands of rules out of the box
    ● Easy to write new rules

  58. Limit impact of attacks
    Attack vector                  Frequency
    Cloud misconfiguration         ~15%
    Physical security compromise   ~9%
    System error                   ~7%
    Source: IBM Cost of a Data Breach Report 2022

  59. Defend against:
    Security misconfiguration
    ● Default accounts & features — reduce attack surface
    ● Implementation exposure — disable debugging output
    Insecure design
    ● Missed controls — catch design errors early in build

  60. Use security static analysis to identify and enforce secure code standards:
    🚧 authorisation access controls
    🔒 app level encryption
    ☎ RPC + serialisation formats

  61. Recap:
    These techniques should be on your radar:

  62. Third party identity providers
    A01:2021 Broken Access Control
    A02:2021 Cryptographic Failures
    A03:2021 Injection
    A04:2021 Insecure Design
    A05:2021 Security Misconfiguration
    A06:2021 Vulnerable and Outdated Components
    A07:2021 Identification and Authentication Failures
    A08:2021 Software and Data Integrity Failures
    A09:2021 Security Logging and Monitoring Failures
    A10:2021 Server-Side Request Forgery

  63. Standardised serialisation formats + RPC
    A01:2021 Broken Access Control
    A02:2021 Cryptographic Failures
    A03:2021 Injection
    A04:2021 Insecure Design
    A05:2021 Security Misconfiguration
    A06:2021 Vulnerable and Outdated Components
    A07:2021 Identification and Authentication Failures
    A08:2021 Software and Data Integrity Failures
    A09:2021 Security Logging and Monitoring Failures
    A10:2021 Server-Side Request Forgery


  64. Application Level Encryption
    A01:2021 Broken Access Control
    A02:2021 Cryptographic Failures
    A03:2021 Injection
    A04:2021 Insecure Design
    A05:2021 Security Misconfiguration
    A06:2021 Vulnerable and Outdated Components
    A07:2021 Identification and Authentication Failures
    A08:2021 Software and Data Integrity Failures
    A09:2021 Security Logging and Monitoring Failures
    A10:2021 Server-Side Request Forgery


  65. Security Static Analysis
    A01:2021 Broken Access Control
    A02:2021 Cryptographic Failures
    A03:2021 Injection
    A04:2021 Insecure Design
    A05:2021 Security Misconfiguration
    A06:2021 Vulnerable and Outdated Components
    A07:2021 Identification and Authentication Failures
    A08:2021 Software and Data Integrity Failures
    A09:2021 Security Logging and Monitoring Failures
    A10:2021 Server-Side Request Forgery


  66. Most attacks are not on core systems.
    They are on people who have access to core systems.
    Source: OAIC Feb 2022

  67. Cheaper to invest now than after you get breached or regulated

  68. You succeed by doing the basics well

  69. Thank you!
    🙋 What questions do you have?
    💖 the talk? Let @auxesis know on Twitter.
    Appendix + sources at cipherstash.com/lindsay


  70. 📒 Appendix — Links
    ○ Cost of a Data Breach Report 2022 — IBM
    ○ Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill — Wired
    ○ Federal Bureau of Investigation Internet Crime Report 2021
    ○ 2022 Costa Rican ransomware attack
    ○ OWASP Top 10:2021
    ○ How Unsecure gRPC Implementations Can Compromise APIs — Trend Micro
    ○ Four different authorization models to map users to the correct permission — Auth0
    ○ twitchtv/twirp: A simple RPC framework with protobuf service definitions
    ○ GRPC Server Reflection Protocol
    ○ neex/http2smugl: detect and exploit HTTP request smuggling
    ○ aquasecurity/tfsec: Security scanner for your Terraform code
    ○ returntocorp/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code