
Your API ain't as secure as you think

The Bad News:

Last year OWASP published a new Top 10 (OWASP Top 10:2021), with some surprising changes. Broken Access Control rocketed from #5 to #1, and Cryptographic Failures (the category formerly called Sensitive Data Exposure) moved up from #3 to #2.

Data breaches are costing organisations more than ever. According to IBM’s Cost of a Data Breach Report 2022, the global average cost of a breach is now USD 4.35 million, up 12.7% since 2020.

APIs are at the centre of many of these incidents, whether through misuse or through exploitation by attackers.

The Good News:

There are architectural approaches that give you new techniques to manage data security risk. These help you separate concerns, divide risk, and defend smaller attack surfaces.

There are also old techniques getting new life due to new breakthroughs in adjacent technologies.

In this talk, attendees will learn:

🪤 What the hidden security traps are when handling data in your APIs
🗺 What architectural approaches you can start iterating towards, to prepare you for the next 10 years
🏃 What techniques you can use today to improve data security in your APIs

Presented at Apidays Australia, September 2022

Appendix — Links

◦ Cost of a Data Breach Report 2022 — IBM
◦ Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill — Wired
◦ Federal Bureau of Investigation Internet Crime Report 2021
◦ 2022 Costa Rican ransomware attack
◦ OWASP Top 10:2021
◦ How Unsecure gRPC Implementations Can Compromise APIs — Trend Micro
◦ Four different authorization models to map users to the correct permission — Auth0
◦ twitchtv/twirp: A simple RPC framework with protobuf service definitions
◦ GRPC Server Reflection Protocol
◦ neex/http2smugl: detect and exploit HTTP request smuggling
◦ aquasecurity/tfsec: Security scanner for your Terraform code
◦ returntocorp/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code

Lindsay Holmwood

September 14, 2022
Transcript

  1. Your API ain’t as secure as you think. Lindsay Holmwood, @auxesis, Chief Product Officer @ CipherStash
  2. None
  3. 👋 I’m Lindsay (cipherstash.com/lindsay, @auxesis). CipherStash helps you protect sensitive data while still enabling safe access across your org.
  4. The bad news

  5. USD 4.35 million: global average total cost of a data breach. Source: IBM Cost of a Data Breach Report 2022
  6. Data breach costs are increasing

  7. The landscape is changing
     • Compliance requirements (e.g., GDPR, CCPA) are becoming more stringent
     • Ransomware cost $20B globally in 2021, $6.9B in the USA alone
     • Attackers are becoming more sophisticated (exploiting supply chains, brokering access) and are moving faster
     Notable breaches this year:
     • August: Twilio (USA), 125 customers accessed
     • July: Shanghai Police (China), 1 billion citizens exposed
     • July: Twitter (USA), 5.4 million user accounts exposed
     • May: Costa Rican government, $30M in losses per day
     • May: NIC e-Hospital (India), 250 million patients exposed
  8. The landscape is changing: compliance requirements (e.g., GDPR, CCPA) are becoming more stringent, with USA regulations in the wings.
  9. The landscape is changing: ransomware cost $20B globally in 2021, $6.9B in the USA alone. Source: FBI IC3 Crime Report 2021
  10. The landscape is changing. Ransomware costs in 2021: $20B globally, $6.9B in the USA alone. Attackers are becoming more sophisticated (exploiting supply chains, brokering access) and are moving faster.
  11. Notable breaches in the last 6 months
     • May: NIC e-Hospital (India), 250 million patients exposed
     • May: Costa Rican government, $30M in losses per day
     • July: Shanghai Police (China), 1 billion citizens exposed
     • July: Twitter (USA), 5.4 million user accounts exposed
     • August: Twilio (USA), 125 customers accessed
  12. Source: ibm.com/security/data-breach

  13. APIs are at the center of many of these incidents.

  14. None
  15. Broken Access Control: #5 ⇒ #1 (based on volume of weaknesses)
  16. Cryptographic Failures: #3 ⇒ #2 (based on volume of weaknesses)
  17. Injection: #1 ⇒ #3 (based on volume of weaknesses)
  18. Insecure Design: new entry ⇒ #4 (based on volume of weaknesses)

  19. The good news:

  20. There are technical solutions:
     • New tech that are safe bets
     • Old architecture techniques getting new life
  21. Most attacks are not on core systems. They are on people who have access to core systems. Source: OAIC Feb 2022
  22. Cheaper to invest now than after you get breached or regulated
  23. You succeed by doing the basics well

  24. What architectures and techniques should you be iterating towards?

  25. 1. Third party identity providers

  26. 3rd party IDPs for APIs: before
     Authentication:
     • Challenge–response authentication
     • Secure Remote Password protocol
     • Client certificate authentication
     Authorisation:
     • ???
  27. 3rd party IDPs: now
     Authentication:
     • OAuth2 + JWT
     • SAML
     • Self-managed identity via Google Workspace, O365
  28. 3rd party IDPs for APIs. Don’t roll your own auth; use a third party identity provider: Auth0, Ping, Okta.
     Untrusted clients, trusted servers:
     • Client authenticates to the IDP
     • IDP sets up the session with the API (with OAuth2 + JWT, by issuing the client a token scoped to that API)
     • API is ignorant of users; it only knows whether the IDP gives an OK. In practice that means the API checks the token’s signature against the IDP’s published keys, plus its issuer, audience and expiry, before trusting anything inside it
  29. 3rd party IDPs for APIs: why you should care
     • Less code, lower ongoing maintenance costs
     • Better threat detection than what you can build
     • Your APIs become integrated with broader organisational IAM controls
     • Access and behaviour tied back to identity
  30. Limit impact of attacks
     Attack vector            Frequency
     Compromised credentials  ~20%
     Cloud misconfiguration   ~15%
     Phishing                 ~15%
     Malicious insider        ~11%
     Source: IBM Cost of a Data Breach Report 2022
  31. Defend against:
     Identification and authentication failures
     • Cred stuffing and spraying: automated blocking and alerting
     • Cred recovery abuse: reduce and narrow recovery paths
     Broken access controls
     • Check bypass: implement standard controls across all endpoints
     • Allow by default: invert to deny by default
  32. We’re so focused on building authentication that we forget about authorisation
  33. Authorization
     • RBAC: static permissions assigned to users via roles
     • ABAC: dynamic policies based on user attributes + request context
     Stronger authentication methods
     • Passwordless
     • FIDO2
     Frees you up to work on impactful problems
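The flow on slides 28, 31 and 33, as an added worked example in Go (not code from the talk, from CipherStash, or from any IdP vendor): the IdP mints an ES256 JWT, the API verifies signature, issuer, audience and expiry before it reads a single claim, and an RBAC policy table that is deny by default decides whether the caller may touch an endpoint. Everything named here is an assumption for illustration: the issuer https://idp.example, the audience patients-api, the endpoint names, the "roles" claim and the policy table. A real API fetches the IdP’s public keys from its JWKS endpoint and would use a JWT library for the parsing; the checks it must make are the ones below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Claims the API relies on: iss/aud/exp are RFC 7519 names; "roles" is a hypothetical custom claim.
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles"`
}

// NewIdPKey makes the IdP's signing key (ES256 is ECDSA over P-256 with SHA-256).
func NewIdPKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// IssueToken stands in for the IdP: only the IdP holds the private key; the API gets the public key (via JWKS).
func IssueToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each (RFC 7518, 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyToken is the API's side: nothing in the token is trusted until signature, issuer, audience and expiry check out.
func VerifyToken(pub *ecdsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr map[string]string // the API pins the algorithm; the token never gets to choose it
	if err := decodePart(parts[0], &hdr); err != nil || hdr["alg"] != "ES256" {
		return nil, errors.New("bad header or unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c Claims // claims are only decoded once the signature is known to be good
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, errors.New("wrong issuer")
	case c.Aud != wantAud: // a token minted for another API must not work on this one
		return nil, errors.New("wrong audience")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// policy is a hypothetical RBAC table (endpoint -> roles allowed). Anything not
// listed is denied, so a new endpoint stays closed until someone opens it.
var policy = map[string][]string{"GET /patients": {"clinician", "admin"}, "DELETE /patients": {"admin"}}

func Authorise(c *Claims, endpoint string) bool {
	for _, want := range policy[endpoint] { // nil slice for unknown endpoints: deny
		for _, have := range c.Roles {
			if want == have {
				return true
			}
		}
	}
	return false
}
```

Call IssueToken as the IdP would, then in the API VerifyToken(&priv.PublicKey, tok, "https://idp.example", "patients-api", time.Now()) followed by Authorise(claims, "GET /patients"). The order matters: the verifier pins the algorithm, the signature is checked before the claims are decoded, and a validly signed token for another audience is still rejected. That is the "API is ignorant of users" property from slide 28 done safely.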
  34. 2. RPC + standardised serialisation formats

  35. RPC. Use code generation to handle:
     • Routes
     • Serialisation
     • HTTP methods, request/response headers
     • Errors
  36. RPC examples
                 gRPC           Twirp
     Origin      Google         Twitch
     Payloads    protobufs      protobuf binary or JSON
     HTTP        HTTP/2         HTTP/1.1 (no HTTP/2 required)
     Streaming   Bidirectional  None
     Honorable mention: GraphQL
  37. Serialisation. Strongly typed communication for:
     • Network transport
     • Storage
     Reduces attack surface, to mitigate attacks like injection.
  38. Example: Protocol Buffers. Binary representation of data structures:
     1. Describe the data structure using built-in types
     2. Compile bindings for your languages
     3. Encode/decode the data structure in an efficient binary format
     Supports basic backwards compatibility via field numbers (the tags): the wire format carries numbers, not names, so fields can be added or renamed without breaking clients that only know the old schema. The slide’s schema, written as valid proto3 (the original mixed proto2’s "required" with proto3-style fields; proto3 has no "required"):

       syntax = "proto3";

       service SearchService {
         rpc Search(SearchRequest) returns (SearchResponse);
       }

       message SearchRequest {
         string query = 1;                    // field numbers are what the wire format carries
         optional int32 page_number = 2;      // explicit presence: unset is distinct from 0
         optional int32 result_per_page = 3;
       }

       message SearchResponse {
         repeated Result results = 1;
       }

       message Result {
         string url = 1;
         string title = 2;
         repeated string snippets = 3;
       }
  39. RPC + serialisation formats for APIs
     Reduce attack surface:
     • To only what the endpoint explicitly exposes
     • Stop enumeration
     Build secure clients, faster:
     • Automatically generate clients for different languages
     • Automatically generate documentation
     • Backwards compatibility baked in
  40. Limit impact of attacks
     Attack vector                          Frequency
     Vulnerability in third-party software  ~13%
     System error                           ~7%
     Source: IBM Cost of a Data Breach Report 2022
  41. Defend against:
     Deserialization attacks
     • Injection: data injection; only support primitive data types
     • Privilege escalation: gaining RCE through object deserialisation
     Denial of service
     • Resource exhaustion: drop and log deserialization failures
  42. Also consider:
     Defence in depth:
     • Use strongly typed languages to stop injection attacks propagating from client to server
     • WASM, to more tightly control the client side
     gRPC reflection:
     • Enumerates gRPC services
     • Exposes protobufs in human readable format (arguments, fields)
     • Handy in development, but it hands an attacker the same map, so don’t register the reflection service in production builds (or gate it behind authentication)
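A strict decoder for the SearchRequest message of slide 38, as an added example in Go (not code from the talk, gRPC or Twirp). It uses encoding/json, the payload format Twirp accepts alongside protobuf, because the protobuf runtime is not in Go’s standard library; with generated protobuf code the decoding step is done for you and the remaining checks are the same ones slides 39 and 41 call for: cap the body size (MaxBodyBytes is a made-up 4 KiB, the JSON counterpart of a gRPC receive-size limit), accept only the declared primitive fields, validate the values, and on any failure log it and drop the request rather than try to be helpful. The sample inputs are constructed, not captured traffic.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"strings"
)

// SearchRequest mirrors the slide's protobuf message: a fixed set of primitive
// fields, nothing polymorphic, no nested object the client gets to shape.
type SearchRequest struct {
	Query         string `json:"query"`
	PageNumber    int32  `json:"page_number"`
	ResultPerPage int32  `json:"result_per_page"`
}

// MaxBodyBytes is a hypothetical per-endpoint cap, the JSON counterpart of a
// gRPC receive-size limit: oversized input is rejected before it is parsed.
const MaxBodyBytes = 4 << 10

// DecodeSearchRequest is the strict path: size-capped, unknown fields rejected,
// wrong types rejected, trailing data rejected, then the values validated.
func DecodeSearchRequest(body io.Reader) (*SearchRequest, error) {
	data, err := io.ReadAll(io.LimitReader(body, MaxBodyBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxBodyBytes {
		return nil, fmt.Errorf("body exceeds %d bytes", MaxBodyBytes)
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields() // a field the schema does not declare is an error, not silently ignored
	var req SearchRequest
	if err := dec.Decode(&req); err != nil { // wrong type and int32 overflow land here
		return nil, fmt.Errorf("decode: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF { // exactly one value, nothing smuggled after it
		return nil, errors.New("trailing data after request body")
	}
	switch {
	case strings.TrimSpace(req.Query) == "" || len(req.Query) > 256:
		return nil, errors.New("query must be 1..256 bytes")
	case req.PageNumber < 0:
		return nil, errors.New("page_number must be >= 0")
	case req.ResultPerPage < 1 || req.ResultPerPage > 100:
		return nil, errors.New("result_per_page must be 1..100")
	}
	return &req, nil
}

// HandleRaw is what the endpoint does on failure: log enough to notice someone
// probing the schema, drop the request, carry on serving everyone else.
func HandleRaw(remote string, raw []byte) (*SearchRequest, bool) {
	req, err := DecodeSearchRequest(bytes.NewReader(raw))
	if err != nil {
		log.Printf("search: dropped request from %s: %v", remote, err)
		return nil, false
	}
	return req, true
}

// Samples are constructed inputs (not captured traffic), one per rejection path.
var Samples = map[string]string{
	"ok":            `{"query":"aspirin","page_number":0,"result_per_page":20}`,
	"unknown_field": `{"query":"aspirin","result_per_page":20,"is_admin":true}`,
	"wrong_type":    `{"query":{"$ne":""},"result_per_page":20}`,
	"overflow":      `{"query":"aspirin","page_number":99999999999,"result_per_page":20}`,
	"trailing":      `{"query":"aspirin","result_per_page":20}{"query":"x","result_per_page":1}`,
	"out_of_range":  `{"query":"aspirin","result_per_page":100000}`,
	"oversized":     `{"query":"` + strings.Repeat("A", MaxBodyBytes) + `","result_per_page":20}`,
}

func main() {
	for name, body := range Samples {
		_, ok := HandleRaw("198.51.100.7", []byte(body)) // 198.51.100.0/24 is documentation address space
		fmt.Printf("%-14s accepted=%v\n", name, ok)
	}
}
```

Only the "ok" sample gets through. The "wrong_type" input is the shape a NoSQL-injection probe takes (an operator object where a string belongs) and "unknown_field" is a mass-assignment probe; both are refused by the schema before any handler code sees them, which is the "reduce attack surface to only what the endpoint explicitly exposes" point on slide 39.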
  43. Also consider: “new” attacks like request smuggling, SSRF, WASM

  44. 3. Application Level Encryption

  45. Encrypt data before it hits your database

  46. Application-Level Encryption is the best defence against data breaches. But adoption is low.
     Before:
     ID  Name          Email              Medicare   DOB         Last Visit
     1   Bob Alice     [email protected]  1234-1679  1985-04-13  2021-11-12
     2   Ada Lovelace  [email protected]  7811-8900  1815-12-18  2021-03-01
     3   Ron Rivest    [email protected]  1111-7777  1947-05-06  2020-08-17
     After (every field encrypted before it reaches the database):
     ID  Name         Email        Medicare     DOB          Last Visit
     1   FaEZff3jxBo  Ooi9EGk9AHY  kFUXefymauo  AIaq/7zh8Bg  8E7bW/piQdc
     2   /+P5vR/Y6c8  l9pjVGliPpY  coOsKQoqMGs  v65rNTAOLbc  Jrh2cWxZQFI
     3   GzSs7yV+om8  rnm2X1+f8pw  lKWK7jdaUBk  1dPr3mM/nzY  MysZlt3F6FE
  47. Why? Queries are impossible! Which row has Medicare number “1234-1567”?
     ID  Name         Email        Medicare     DOB          Last Visit
     1   FaEZff3jxBo  Ooi9EGk9AHY  kFUXefymauo  AIaq/7zh8Bg  8E7bW/piQdc
     2   /+P5vR/Y6c8  l9pjVGliPpY  coOsKQoqMGs  v65rNTAOLbc  Jrh2cWxZQFI
     3   GzSs7yV+om8  rnm2X1+f8pw  lKWK7jdaUBk  1dPr3mM/nzY  MysZlt3F6FE
     4   8LDcY5j8as0  o4+DZioP8Y8  jUxr2zGw0UQ  TwaxYXYaLzA  kBhGkhRZh2s
     5   7KkpjDE39ng  hm1dbQpe/iA  dqMY09YeG8s  zcIxZM7sVVw  rLqsko3LmW8
  48. Wide range of App Level Encryption plugins for most languages + frameworks. All have the same caveat: you do this, you lose search.
     • JavaScript: objection-encryption, sequelize-encrypted, mongoose-encryption, typeorm-encrypted, typeorm-encrypted-model, prisma-field-encryption, bookshelf-encrypt-columns, mongoose-field-encryption
     • Ruby: ActiveRecord Encryption, Lockbox, attr_encrypted, strongbox, crypt_keeper, active_record_encryption, mongoid-encrypted-fields, mongoid-encrypted, symmetric-encryption
     • Python: django-fernet-fields, django-encrypted-model-fields, django-cryptographic-fields, django-cryptography, sqlalchemy_utils EncryptedType
     • C#: EntityFrameworkCore.DataEncryption, EntityFrameworkCore.EncryptColumn, EntityEncryption
     • PHP: EloquentEncryption, eloquent-aes, ambta/DoctrineEncryptBundle, absolute-quantum/DoctrineEncryptBundle, EncryptBundle, elgibor-solution/laravel-database-encryption
  49. What’s changed? Searchable Symmetric Encryption: index encrypted records and search them via a searchable encrypted index.
  50. Emerging tools: old pattern, new applications. (The same plugin list as slide 48.)
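The encrypted table of slides 46 and 47 and the search of slide 49, as an added example in Go (not CipherStash’s implementation, nor code from the talk). Each column is encrypted with AES-256-GCM before it reaches the database, with the column name bound in as additional authenticated data, and exact-match search on the Medicare number works through a blind index: an HMAC of the normalised value under a separate key. A blind index is the simplest relative of the searchable encrypted index the slide refers to; it supports equality only and deliberately leaks which rows share a value. Key generation, the Patient and Row types and the column names are assumptions for the demo; in production the keys come from a KMS or HSM and never sit beside the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
	"strings"
)

// Keys are generated in memory for this demo; in production the encryption key lives in a KMS/HSM and the index key is separate.
type Keys struct {
	aead  cipher.AEAD // AES-256-GCM under the field-encryption key
	index []byte      // HMAC-SHA256 key for the blind index
}

func NewKeys() (*Keys, error) {
	buf := make([]byte, 64)
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Keys{aead: aead, index: buf[32:]}, err
}

// Patient is what the API works with (column -> plaintext); Row is all the database ever sees.
type Patient map[string]string

type Row struct {
	Cols        map[string][]byte // column -> nonce || AES-GCM ciphertext
	MedicareIdx []byte            // blind index: HMAC(indexKey, normalised medicare number)
}

// seal encrypts one field, binding the column name as additional data so a
// ciphertext moved from one column to another fails to decrypt.
func (k *Keys) seal(column, plaintext string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column)), nil
}

func (k *Keys) open(column string, ct []byte) (string, error) {
	ns := k.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New(column + ": ciphertext too short")
	}
	pt, err := k.aead.Open(nil, ct[:ns], ct[ns:], []byte(column))
	return string(pt), err
}

// BlindIndex is the searchable part: a keyed hash of the normalised value. Equal plaintexts give
// equal indexes (the leakage you accept for exact-match search); without the key it reveals nothing.
func (k *Keys) BlindIndex(value string) []byte {
	mac := hmac.New(sha256.New, k.index)
	mac.Write([]byte(strings.ReplaceAll(strings.TrimSpace(value), " ", "")))
	return mac.Sum(nil)
}

func (k *Keys) EncryptPatient(p Patient) (Row, error) {
	r := Row{Cols: map[string][]byte{}, MedicareIdx: k.BlindIndex(p["medicare"])}
	for col, v := range p {
		ct, err := k.seal(col, v)
		if err != nil {
			return Row{}, err
		}
		r.Cols[col] = ct
	}
	return r, nil
}

func (k *Keys) DecryptPatient(r Row) (Patient, error) {
	p := Patient{}
	for col, ct := range r.Cols {
		v, err := k.open(col, ct)
		if err != nil {
			return nil, err
		}
		p[col] = v
	}
	return p, nil
}

// FindByMedicare answers the query slide 47 could not: equality on an encrypted column, decrypting nothing.
func FindByMedicare(rows []Row, k *Keys, medicare string) []Row {
	want := k.BlindIndex(medicare)
	var hits []Row
	for _, r := range rows {
		if hmac.Equal(r.MedicareIdx, want) {
			hits = append(hits, r)
		}
	}
	return hits
}
```

With rows produced by EncryptPatient, FindByMedicare(rows, k, "1234-1679") returns Bob’s encrypted row without decrypting anything, and DecryptPatient recovers it; the slide’s query for 1234-1567 simply returns no rows. The normalisation step matters: index the value exactly the way you will query it, or two spellings of one number never match. Because the index key is separate from the encryption key, a service that only holds the index key can route a search but never read a record.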
  51. Limit impact of attacks
     Attack vector                          Frequency
     Compromised credentials                ~20%
     Cloud misconfiguration                 ~15%
     Vulnerability in third-party software  ~13%
     Malicious insider                      ~11%
     Physical security compromise           ~9%
     Source: IBM Cost of a Data Breach Report 2022
  52. Most attacks are not on core systems. They are on people who have access to core systems. Source: OAIC Feb 2022
  53. Defend against:
     Broken access controls
     • Check bypass: multiple factors required to decrypt data
     Security misconfiguration
     • Unauthorised access: even if authenticated, data is still encrypted
     Insecure design
     • Incomplete threat model: last line of defence
  54. 4. Security static analysis

  55. Security static analysis. Analyse code and infracode for known vulnerabilities. Well established tools:
     • semgrep
     • tfsec
     Integrate into CI, catch insecurity before it’s shipped to production.
  56. Example: tfsec
     • Finds insecure defaults and configurations
     • Hundreds of checks across major and minor clouds
     • Drop into CI pipelines
  57. Example: semgrep
     • Supports 25+ languages
     • Thousands of rules out of the box
     • Easy to write new rules
  58. Limit impact of attacks
     Attack vector                 Frequency
     Cloud misconfiguration        ~15%
     Physical security compromise  ~9%
     System error                  ~7%
     Source: IBM Cost of a Data Breach Report 2022
  59. Defend against:
     Security misconfiguration
     • Default accounts & features: reduce attack surface
     • Implementation exposure: disable debugging output
     Insecure design
     • Missed controls: catch design errors early in build
  60. Use security static analysis to identify and enforce secure code standards:
     🚧 authorisation access controls
     🔒 app level encryption
     ☎ RPC + serialisation formats
  61. Recap: These techniques should be on your radar:

  62. Third party identity providers, against the OWASP Top 10:2021:
     A01:2021 Broken Access Control
     A02:2021 Cryptographic Failures
     A03:2021 Injection
     A04:2021 Insecure Design
     A05:2021 Security Misconfiguration
     A06:2021 Vulnerable and Outdated Components
     A07:2021 Identification and Authentication Failures
     A08:2021 Software and Data Integrity Failures
     A09:2021 Security Logging and Monitoring Failures
     A10:2021 Server-Side Request Forgery
  63. Standardised serialisation formats + RPC, against the same OWASP Top 10:2021 list.
  64. Application Level Encryption, against the same OWASP Top 10:2021 list.
  65. Security Static Analysis, against the same OWASP Top 10:2021 list.
  66. Most attacks are not on core systems. They are on people who have access to core systems. Source: OAIC Feb 2022
  67. Cheaper to invest now than after you get breached or regulated
  68. You succeed by doing the basics well

  69. Thank you! 🙋 What questions do you have? 💖 the talk? Let @auxesis know on Twitter. Appendix + sources at cipherstash.com/lindsay
  70. 📒 Appendix — Links
     ◦ Cost of a Data Breach Report 2022 — IBM
     ◦ Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill — Wired
     ◦ Federal Bureau of Investigation Internet Crime Report 2021
     ◦ 2022 Costa Rican ransomware attack
     ◦ OWASP Top 10:2021
     ◦ How Unsecure gRPC Implementations Can Compromise APIs — Trend Micro
     ◦ Four different authorization models to map users to the correct permission — Auth0
     ◦ twitchtv/twirp: A simple RPC framework with protobuf service definitions
     ◦ GRPC Server Reflection Protocol
     ◦ neex/http2smugl: detect and exploit HTTP request smuggling
     ◦ aquasecurity/tfsec: Security scanner for your Terraform code
     ◦ returntocorp/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code