
API Security: When Failure looks like Success

In the last decade, APIs have become fundamental to our teams, partners, and customers. While we’d like to believe it all happened as a carefully executed plan, let’s be honest… there’s as much luck as foresight in the mix. Luckily, success drives success so we’ve seen things explode in great ways. Unfortunately, that very success has cost us too.

APIs are becoming a consistent and devastating attack vector for applications that store everything from financial records to passport information to what you’re looking for in a date. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.

Keith Casey

August 06, 2019

Transcript

  1. When Failure Looks Like Success
    API Security
    D. Keith Casey, Jr. API Problem Solver

  2. © Okta and/or its affiliates. All rights reserved. Okta Confidential
    Who Am I?

  7. So let’s talk about Failure

  8. API Journey: A Maturity Model
    Phase 0: Integrate internal systems by introducing Private APIs
    Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
    Phase 2: Limited API access to partners, resellers and suppliers
    Phase 3: Grow these APIs as full fledged products with external developer access, either monetized directly or to reach new customers and enter new markets.
    Callout: Security Team evaluates use cases, interfaces, authentication, access management, etc, etc

  9. API Journey: A Maturity Model
    Phase 0: Integrate internal systems by introducing Private APIs
    Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
    Phase 2: Limited API access to partners, resellers and suppliers
    Phase 3: Grow these APIs as full fledged products with external developer access, either monetized directly or to reach new customers and enter new markets.
    Callout: The security issue was always there

  10. Three Groups – Always at Odds
    Front End Developers, Back End Developers, Security Architects

  11. What is
    API Security?

  12. Aspect #1:
    We expose only the interfaces
    which we intend.

  13. Aspect #2:
    We share and accept only the
    data which we intend.

  14. Aspect #3:
    We grant access only to the
    people or systems we intend.

  15. Approach #1:
    Trust our
    End Users

  16. No, I’m kidding.
    Unqualified trust is not security.

  17. Approach #2:
    Use an API
    Gateway

  18. Wait.. We’re talking about tools.
    What if we have the wrong mindset?

  19. Aspect #0:
    Think like a Bad Guy.

  20. How do I think like a Bad Guy?
    • Read the news, look at competitors
    • Talk to your legal/compliance teams
    • Talk to your developers about their horror stories
    • Write a Black Mirror episode

  21. What does a Bad Guy want?
    • Valuable data
    • Accessible infrastructure
    • Simple or No authentication or authorization
    • Custom developed auth systems
    • To act undetected/unmonitored

  22. Be Smarter
    about Data

  23. Be Smarter about Data
    • Don’t collect it if you don’t have to
    • Secure it in flight (SSL/TLS)
    • Encrypt it at rest
    Ref: https://www.bbc.com/news/technology-46401890
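"Don't collect it if you don't have to" and Aspect #2 ("share and accept only the data which we intend") come down to explicit allowlists on both sides of the API. The following is an added example, not code from the deck or from Okta: a `/projects` resource that rejects request bodies carrying fields clients may never set, and projects stored records onto only the fields the caller's OAuth scopes permit. The field names, scope names and the stored record are constructed for the example.

```python
"""Added example (not from the deck): enforce "accept only the data we
intend" and "share only the data we intend" with explicit field allowlists.

Assumed/constructed: a 'projects' resource, scope names 'projects:read'
and 'projects:admin', and a stored record with fields the API must never
accept from clients (owner_id) or ever return (internal_notes)."""

# Fields a client may supply when creating or updating a project.
# Everything else (owner_id, created_at, ...) is set server-side only.
WRITABLE_FIELDS = {"name", "date_due", "description"}

# Output projection by scope. A stored field that appears in no projection
# (internal_notes here) can never leave the service, whatever the caller holds.
READABLE_BY_SCOPE = {
    "projects:read": {"id", "name", "date_due", "description"},
    "projects:admin": {"id", "name", "date_due", "description",
                       "owner_id", "created_at"},
}


class RejectedInput(ValueError):
    """Raised when a request body carries fields the API does not accept."""


def accept_input(body: dict) -> dict:
    """Return only the writable fields; reject, rather than silently drop, the rest.

    Rejecting makes a mass-assignment attempt (e.g. a client adding owner_id)
    visible as a 4xx in the logs instead of quietly being ignored."""
    unexpected = set(body) - WRITABLE_FIELDS
    if unexpected:
        raise RejectedInput(f"unexpected fields: {sorted(unexpected)}")
    return {k: body[k] for k in WRITABLE_FIELDS if k in body}


def project_output(record: dict, scopes: set) -> dict:
    """Build the response from the union of projections the caller's scopes allow."""
    visible = set()
    for scope in scopes:
        visible |= READABLE_BY_SCOPE.get(scope, set())
    return {k: v for k, v in record.items() if k in visible}


# Constructed sample record as it would sit in the data store.
STORED_PROJECT = {
    "id": 1234, "name": "My Project", "date_due": "2018-09-14",
    "description": "Q3 launch", "owner_id": 42,
    "created_at": "2018-08-01T12:00:00Z",
    "internal_notes": "customer is disputing the last invoice",
}

if __name__ == "__main__":
    print(accept_input({"name": "My Project", "date_due": "2018-09-14"}))
    print(project_output(STORED_PROJECT, {"projects:read"}))
    print(project_output(STORED_PROJECT, {"projects:admin"}))
```

The same allowlists double as the answer to the "Which objects? Which fields?" questions later in the deck: if a field is not in `WRITABLE_FIELDS` or in some projection, the API does not expose it, and that is checkable from the code rather than from tribal knowledge.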

  24. What does a Bad Guy want? (slide 21 shown again)

  25. Use the
    Right Tools

  26. Authentication vs Authorization
    Diagram components: Developer or User, API Gateway, API Management Dashboard, Resource Server (RS), Identity Provider (IdP)
    1. Developer makes request to API
    2. API returns a 401 Not Authorized
    3. Developer authenticates with Okta
    4. Okta returns an Access Token and Refresh Token (optional)

  27. Token Validation
    Diagram components: Developer or User, API Gateway, API Management Dashboard, Resource Server (RS), Identity Provider (IdP)
    1. Developer uses Access Token for request
    2. Optional: API gateway validates token
    3. Gateway relays request
    4. Optional: API validates token
    5. API returns the response/result to the gateway
    6. API gateway relays response to user

  28. Full Lifecycle API Management (API Gateway Capabilities)
    Lifecycle: What state is it in?
    • How was it designed?
    • How was it built?
    • Is it deployed?
    • To which GWs?
    • Is it live/available?
    Interface: What does it expose?
    • Which resources?
    • Which methods?
    • Which objects?
    • Which fields?
    Access: Who can use it?
    • Which users/groups?
    • How do they authenticate?
    • Using which clients?
    • In what contexts?
    Consumption: How to succeed with it?
    • API Documentation?
    • Debugging/errors?
    • Track usage?
    • Examples/SDKs?
    Business: How does it drive business goals?
    • Partner CRM
    • Monetization
    • Marketing
    • Business Analytics

  29. Full Lifecycle API Management (slide 28 shown again)

  30. Full Lifecycle API Management (slide 28 shown again)

  31. What does a Bad Guy want? (slide 21 shown again)

  32. Stick to the
    standards

  33. API Keys are Not Good Enough
    • Not consistent
    • Not scoped
    • Not revocable
    • Included poorly (url vs headers)

  34. A Bad Example
    • curl -X POST 'https://api.company.com/projects?key=abcdef012345' \
        --data '{"name":"My Project", "date_due":"2018-09-14"}'
    • curl -X DELETE 'https://api.company.com/projects/1234?key=abcdef012345'

  35. A Better Example
    • curl -X POST 'https://api.company.com/projects' \
        --header 'Authorization: Bearer abcdef012345' \
        --data '{"name":"My Project", "date_due":"2018-09-14"}'
    • curl -X DELETE 'https://api.company.com/projects/1234' \
        --header 'Authorization: Bearer abcdef012345'
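Slides 26 and 27 describe the flow (no token, 401, obtain a token, gateway validates it before relaying) and slides 33 to 35 the transport (header, not URL). The following is an added example that is not code from the deck, Okta or any gateway product: a minimal gateway-side check written in Python with only the standard library. To keep it self-contained it mints and verifies HS256 JWTs with a constructed shared secret; a real gateway validates the identity provider's signed tokens against the provider's published keys. The issuer, audience, scope names and route-to-scope table are assumptions for the example.

```python
"""Added example (not from the deck): gateway-side bearer token handling.

Constructed for the example: an HS256 shared secret standing in for the
IdP's signing key, an issuer/audience pair, and a route-to-scope table."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"                        # assumed issuer
AUDIENCE = "https://api.company.com"                      # assumed audience (this API)
SECRET = b"example-shared-secret-not-for-production"      # constructed key
REQUIRED_SCOPE = {                                         # assumed route policy
    ("POST", "/projects"): "projects:write",
    ("DELETE", "/projects/1234"): "projects:write",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Constructed stand-in for slide 26 step 4: the IdP issuing an access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenError(Exception):
    """Any reason the token must not be relayed; the message goes to the 401 body."""


def verify_token(token: str, now: float, key: bytes = SECRET) -> dict:
    """Return the claims only if signature, expiry, issuer and audience all check out."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # the verifier, not the token, picks the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:           # missing exp counts as expired
        raise TokenError("expired")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    return claims


def extract_bearer(headers: dict, query: dict) -> str:
    """Accept the RFC 6750 header form only; query-string credentials end up in logs."""
    if "key" in query or "access_token" in query:
        raise TokenError("credentials in the query string are not accepted")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("missing bearer token")
    return token.strip()


def handle_request(method: str, path: str, query: dict, headers: dict, now=None):
    """Slide 27 step 2: validate at the gateway, then relay (or refuse)."""
    now = time.time() if now is None else now
    try:
        claims = verify_token(extract_bearer(headers, query), now)
    except TokenError as e:
        # Slide 26 step 2: no usable token -> 401 plus the Bearer challenge.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": str(e)}
    needed = REQUIRED_SCOPE.get((method, path))
    if needed and needed not in claims.get("scope", "").split():
        return 403, {}, {"error": "insufficient_scope", "scope": needed}
    return 200, {}, {"relayed": True, "sub": claims.get("sub")}


if __name__ == "__main__":
    now = time.time()
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "dev-1",
                      "scope": "projects:write", "exp": now + 600})
    print(handle_request("POST", "/projects", {}, {"Authorization": f"Bearer {tok}"}, now))
    print(handle_request("DELETE", "/projects/1234", {"key": "abcdef012345"}, {}, now))
```

Note what the "Not scoped" and "Not revocable" bullets on slide 33 turn into here: the 403 branch exists only because the token carries a scope claim, and the expiry check is what bounds the damage of a leaked token even before revocation or introspection (RFC 7009 / RFC 7662 on slide 37) is wired in.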

  36. OAuth 2.0 - Hotel key cards, but for apps

    View full-size slide

  37. Common OAuth/OIDC Specifications
    • OpenID Connect Core 1.0 (spec)
      • Authorization Code, Implicit, and Hybrid flows
    • OpenID Provider Metadata (spec)
    • OAuth 2.0 (RFC 6749)
      • Authorization Code, Implicit, Resource Owner Password, Client Credentials
    • JSON Web Token (RFC 7519)
    • OAuth 2.0 Dynamic Client Registration (RFC 7591)
    • OAuth 2.0 Authorization Server Metadata (spec)
    • OAuth 2.0 Bearer Token Usage (RFC 6750)
    • OAuth 2.0 Multiple Response Types (spec)
    • OAuth 2.0 Form Response Mode (spec)
    • OAuth 2.0 Token Revocation (RFC 7009)
    • OAuth 2.0 Token Introspection (RFC 7662)
    • Proof Key for Code Exchange for OAuth Public Clients (RFC 7636)

  38. What does a Bad Guy want? (slide 21 shown again)

  39. Integrate into
    your existing
    processes

  40. What does a Bad Guy want? (slide 21 shown again)

  41. Closing
    Thoughts

  42. Questions to Ask
    • What is the worst thing someone can do with our API?
    • What happens if our competitors get our data?
    • What data do we need to collect & expose?
    • Who are your users now? In a year?
    • How are we monitoring for anomalies and bad behavior?
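The last question, and the "act undetected/unmonitored" item on slide 21, need something concrete behind them. The following is an added example that is not part of the deck: three simple signals run over API gateway access logs, written in Python with the standard library. The log line format, the thresholds and every log record are constructed for the example; a real gateway's log fields and volumes differ, and the thresholds would be tuned against a baseline rather than picked by hand.

```python
"""Added example (not from the deck): three anomaly signals over gateway logs.

Constructed: the log format below, the thresholds, and all sample records."""
import re
from collections import Counter, defaultdict

# Assumed gateway log format (constructed): one request per line.
LINE = re.compile(
    r"(?P<ts>\S+) client=(?P<client>\S+) ip=(?P<ip>\S+) tok=(?P<tok>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)"
)
OBJECT_PATH = re.compile(r"^/projects/(\d+)$")

# Constructed sample log: normal traffic, then two patterns worth a look.
SAMPLE_LOG = "\n".join(
    [
        "2019-08-06T14:00:01Z client=web-app ip=198.51.100.10 tok=t-111 method=GET path=/projects/1 status=200",
        "2019-08-06T14:00:02Z client=web-app ip=198.51.100.10 tok=t-111 method=POST path=/projects status=201",
        "2019-08-06T14:00:03Z client=partner-x ip=203.0.113.5 tok=t-222 method=GET path=/projects/77 status=200",
        "2019-08-06T14:00:04Z client=partner-x ip=203.0.113.6 tok=t-222 method=GET path=/projects/77 status=200",
        "2019-08-06T14:00:05Z client=partner-x ip=203.0.113.7 tok=t-222 method=GET path=/projects/78 status=200",
    ]
    # Six failed attempts from one client presenting no token at all.
    + [f"2019-08-06T14:01:{i:02d}Z client=unknown-cli ip=192.0.2.9 tok=- "
       f"method=DELETE path=/projects/1234 status=401" for i in range(6)]
    # One client walking sequential object ids with a valid token.
    + [f"2019-08-06T14:02:{i:02d}Z client=mobile-app ip=198.51.100.20 tok=t-333 "
       f"method=GET path=/projects/{500 + i} status=200" for i in range(12)]
)


def parse(log_text: str) -> list:
    """Parse lines that match the format; unparseable lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE.match(line))]


def auth_failure_burst(events: list, threshold: int = 5) -> dict:
    """Clients with at least `threshold` 401/403 responses: probing or stuffing."""
    counts = Counter(e["client"] for e in events if e["status"] in ("401", "403"))
    return {client: n for client, n in counts.items() if n >= threshold}


def token_from_many_ips(events: list, threshold: int = 3) -> dict:
    """One access token presented from `threshold` or more source IPs: leaked or shared."""
    ips = defaultdict(set)
    for e in events:
        if e["tok"] != "-":
            ips[e["tok"]].add(e["ip"])
    return {tok: sorted(s) for tok, s in ips.items() if len(s) >= threshold}


def object_sweep(events: list, threshold: int = 10) -> dict:
    """A client successfully reading many distinct object ids: enumeration of records it
    should not all own. This is the one signal that only shows up as 200s."""
    seen = defaultdict(set)
    for e in events:
        m = OBJECT_PATH.match(e["path"])
        if m and e["method"] == "GET" and e["status"] == "200":
            seen[e["client"]].add(m.group(1))
    return {client: len(ids) for client, ids in seen.items() if len(ids) >= threshold}


def report(log_text: str) -> dict:
    events = parse(log_text)
    return {
        "auth_failures": auth_failure_burst(events),
        "shared_tokens": token_from_many_ips(events),
        "sweeps": object_sweep(events),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The third signal is the one the talk's title is about: a sweep of records looks like success to every per-request check (valid token, 200 every time) and is only visible when requests are counted per client over time.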

  43. D. Keith Casey, Jr. API Problem Solver @CaseySoftware
    When Failure Looks Like Success
    API Security
