
Shield your backend from outside attacks with API managers

Bárbara Teruggi

August 29, 2024
Transcript

  1. 01 The problem (we’re ok… but)
     02 Defense in Depth (the onion strategy)
     03 Let it grow… (layer up!)
     04 Wrap-up (make them cry)
     05 Q&A Time!
  2. Benefits of using APIs (application programming interfaces)
     • Simplify application development and are essential for modern distributed applications.
     • Enable systems to communicate using a common language for requests and formatting.
     • Accessible to diverse client applications, expanding business capabilities beyond monolithic systems.
     • Smoother transitions when migrating from legacy technology or between protocols.
     But… nothing is perfect…
  3. OWASP Top 10 API security risks (2023)
     API1:2023 Broken Object Level Authorization
     API2:2023 Broken Authentication
     API3:2023 Broken Object Property Level Authorization
     API4:2023 Unrestricted Resource Consumption
     API5:2023 Broken Function Level Authorization
     API6:2023 Unrestricted Access to Sensitive Business Flows
     API7:2023 Server Side Request Forgery
     API8:2023 Security Misconfiguration
     API9:2023 Improper Inventory Management
     API10:2023 Unsafe Consumption of APIs
  4. When API security isn’t addressed from the start: the Zero-Day loop of hell...
     • Feature deployments get delayed by the security team's thorough security checks, making continuous delivery impossible.
     • Security teams feel the pressure of being a bottleneck to scalability.
     • New security threats arise every other day.
     • Technical debt keeps piling up, making applications unsafe and obsolete very rapidly.
  5. But… What is a Web Application Firewall (WAF)? The TL;DR
     • A specialized firewall for web applications, acting as the primary shield between a web application and the internet.
     • Located at the outer edge of the network, at the application layer (layer 7 of the OSI model).
     • Protects web servers by filtering, monitoring, and blocking malicious HTTP and HTTPS traffic.
     • When properly configured, it helps prevent attacks like SQL injection, cross-site scripting (XSS), and HTTP protocol violations.
     • As a bonus, WAFs often come with out-of-the-box OWASP Top 10 mitigation capabilities.
  6. Why is just having a WAF not enough? When it comes to granularity…
     • Rate limit and consumer quota requirements do not follow a "one size fits all" approach.
     • Authentication and pre-authorization processes are best determined at the API level.
     • The payload should be examined based on the expected input.
     • Attribute-based allow-lists for requests can be managed in bulk, but they require fine-tuning to suit the various use cases.
     • The open/close settings of a WAF can either leave APIs unprotected or completely stop production.
  7. API Management Platforms
     • A centralized entry point that manages, routes, and secures API traffic.
     • A set of rules and protocols to protect APIs from unauthorized access and misuse.
     • An interface for developers to discover, explore, and consume APIs, often including documentation and testing tools.
     • Monitoring and analysis of API usage, performance, and trends for optimization and decision-making.
     • End-to-end management of APIs from design and creation to retirement, including versioning, testing, and deployment.
  8. OWASP Top 10 API security risks (2023)
     API1:2023 Broken Object Level Authorization
     API2:2023 Broken Authentication
     API3:2023 Broken Object Property Level Authorization
     API4:2023 Unrestricted Resource Consumption
     API5:2023 Broken Function Level Authorization
     API6:2023 Unrestricted Access to Sensitive Business Flows
     API7:2023 Server Side Request Forgery
     API8:2023 Security Misconfiguration
     API9:2023 Improper Inventory Management
     API10:2023 Unsafe Consumption of APIs
  9. API2:2023 Broken authentication
     Lanes: identify a consumer or group of consumers according to the presented consumer API key (not a credential).
     Front Desk: API Gateway controls that handle the authentication process. Additionally, traffic management to prevent brute force.
     Registration: the authentication and authorization resources the API Gateway interacts with. Credentials would be a client certificate (mutual TLS), an OAuth token or other methods.
     Control Room: analyzing traffic helps to identify and alert on any unusual activity during the authentication and authorization process.
     Note: Curious about SPA integrations?
  10. API5:2023 Broken function level authorization
     Badge: represents the consumer API key.
     > Constitutes the 1st level of pre-authorization.
     > Can be used to classify consumer application groups.
     > Should not be used as a credential (API keys are fixed values and are manually rotated).
     > Should not be stored in the code base nor in browser storage.
     > Also useful for tracking and managing access to applications by applying additional security policies, namely: consumer quota, spike arrest, throttling, request header validations, etc.
  11. API5:2023 Broken function level authorization
     Locations: the API proxies the client application will have access to.
     > The 2nd level of pre-authorization.
     > Configured by defining an API Product and including the target API proxies in the product’s bundle.
     > The API proxies expose a variety of endpoints or resources from a backend application.
     > They can also include input/output validation, parameter handling and message transformation policies.
  12. API5:2023 Broken function level authorization
     Allowed Actions: the list of resources and methods that a given client is enabled to access.
     > The 3rd level of pre-authorization.
     > Independent from both object-level and object-property-level authorization, which are best determined at the application level.
     > Protected resources will require specific authorization, usually in the form of an access_token.
  13. API5:2023 Broken function level authorization
     1st Level: What am I?
     2nd Level: Where can I go?
     3rd Level: What can I do?
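The three pre-authorization levels of slides 10 to 13 expressed as one gateway check, as an added example that is not part of the deck or of any API management product. The registry (product `orders-readonly`, app `mobile-app`, key `ck_mobile_0001`) is constructed, and the key only classifies the consumer; the `access_token` check on protected resources is left to the backend, as the slides say.

```python
"""Three-level gateway pre-authorization as the deck describes it:
1st level (Badge): the API key identifies the consumer app, it is not a credential;
2nd level (Locations): the app's API Products bundle the proxies it may reach;
3rd level (Allowed Actions): each product lists the resource/method pairs.
Constructed registry for illustration; not the deck's or any gateway's code."""
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Product:
    proxies: frozenset   # API proxies bundled into the product (2nd level)
    actions: frozenset   # allowed (proxy, method, path template) tuples (3rd level)

# Constructed sample data: key -> app, app -> products.
PRODUCTS = {
    "orders-readonly": Product(
        proxies=frozenset({"orders-v1"}),
        actions=frozenset({("orders-v1", "GET", "/orders"),
                           ("orders-v1", "GET", "/orders/{id}")}),
    ),
}
APPS = {"mobile-app": ["orders-readonly"]}
API_KEYS = {"ck_mobile_0001": "mobile-app"}   # hypothetical consumer key

def lookup_app(api_key: str):
    """1st level: what am I? Compare in constant time, never log the key."""
    for known, app in API_KEYS.items():
        if hmac.compare_digest(known.encode(), api_key.encode()):
            return app
    return None

def path_matches(template: str, path: str) -> bool:
    """'/orders/{id}' matches '/orders/42' segment by segment."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(a.startswith("{") or a == b for a, b in zip(t, p))

def preauthorize(api_key: str, proxy: str, method: str, path: str):
    """Return (allowed, reason). Object and property-level checks stay in the backend."""
    app = lookup_app(api_key)
    if app is None:
        return False, "unknown API key"
    products = [PRODUCTS[name] for name in APPS[app]]
    if not any(proxy in prod.proxies for prod in products):      # 2nd level: where can I go?
        return False, "proxy not in any of the app's products"
    for prod in products:                                         # 3rd level: what can I do?
        if any(px == proxy and m == method and path_matches(tpl, path)
               for px, m, tpl in prod.actions):
            return True, "pre-authorized; protected resources still need an access_token"
    return False, "method/resource not allowed for this consumer"
```

Quota, spike arrest and throttling policies hang off the same consumer identity returned by `lookup_app`.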
  14. API10:2023 Unsafe consumption of APIs
     Validate and sanitize response data
     • Content-Type validation: expected format.
     • RegExp protection: avoid code injection (SQL, JavaScript, shell commands, etc.).
     • JSON/XML threat protection: expected schema, size, elements, depth, contents. In short, a parseable, non-corrupted response.
     Other controls
     • Avoid blindly following redirections: intercept redirect responses and keep an allowlist of well-known locations.
     • Time-out and re-connection attempt controls: prevent increasing the total execution time of a transaction.
     • Rate limit controls for outbound connections: third-party APIs often involve pay-per-use costs.
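The response-side checks of slide 14 (Content-Type, size, JSON depth and element count, redirect allowlisting) applied to a third-party response before the gateway hands it to the backend, as an added example that is not part of the deck. The allowlisted host `api.partner.example`, the limits and the sample responses are constructed.

```python
"""Gate a third-party API response before trusting it (deck slide 14):
Content-Type, body size, JSON depth/element limits and redirect allowlisting.
Constructed allowlist and limits for illustration; not the deck's own code."""
import json
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"api.partner.example"}   # constructed allowlist of well-known locations
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 64 * 1024, 5, 200

def json_depth_and_count(node, depth=1):
    """Return (max nesting depth, number of elements) of a parsed JSON document."""
    if isinstance(node, dict):
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return depth, 1                      # scalar leaf
    d, n = depth, 1
    for child in children:
        cd, cn = json_depth_and_count(child, depth + 1)
        d, n = max(d, cd), n + cn
    return d, n

def validate_response(status: int, headers: dict, body: bytes):
    """Return (ok, reason). Only bounded, parseable JSON is accepted, and a
    redirect is followed only when its Location host is allowlisted."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        host = urlsplit(h.get("location", "")).hostname
        if host not in ALLOWED_REDIRECT_HOSTS:
            return False, f"redirect to non-allowlisted host {host!r}"
        return True, "redirect to allowlisted host"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"unexpected Content-Type {ctype!r}"
    if len(body) > MAX_BYTES:
        return False, "body exceeds size limit"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not parseable JSON"
    depth, count = json_depth_and_count(doc)
    if depth > MAX_DEPTH or count > MAX_ELEMENTS:
        return False, f"JSON too complex (depth={depth}, elements={count})"
    return True, "response accepted"
```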
  15. Best practices to prevent API risks
     Authentication & Authorization > Design, implement and review authentication and authorization processes at every level of the architecture.
     API Governance > Define API standards, an information model approach and security policies, and keep a proper inventory and documentation of the API ecosystem.
     Threat Modeling > Consider threat modeling early in product definition to proactively identify and address security risks.
     Infrastructure security > Protect critical systems and assets against cyber threats such as server-side request forgery (SSRF) or elevation of privileges.
     Third-party risk management > Apply third-party security assessments (TPSA) to ensure safe interactions with third parties in any direction.
     Security Champions Program > Educating and spreading the word about security is always a win!