API Security: When Failure looks like Success

In the last decade, APIs have become fundamental to our teams, partners, and customers. While we’d like to believe it all happened as a carefully executed plan, let’s be honest… there’s as much luck as foresight in the mix. Luckily, success drives success so we’ve seen things explode in great ways. Unfortunately, that very success has cost us too.

APIs are becoming a consistent and devastating attack vector for applications that store everything from financial records to passport information to what you’re looking for in a date. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.


Keith Casey

August 06, 2019

Transcript

  1. When Failure Looks Like Success: API Security. D. Keith Casey, Jr., API Problem Solver
  2. © Okta and/or its affiliates. All rights reserved. Okta Confidential

    Who Am I?
  3. Who Am I?
  4. Who Am I?
  5. Who Am I?
  6. Who Am I?
  7. So let’s talk about Failure

  8. You?

  9. API Journey: A Maturity Model

    Phase 0: Integrate internal systems by introducing Private APIs
    Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
    Phase 2: Limited API access to partners, resellers and suppliers
    Phase 3: Grow these APIs as full fledged products with external developer access, either monetized directly or to reach new customers and enter new markets.
    Callout: Security Team evaluates use cases, interfaces, authentication, access management, etc, etc
  10. API Journey: A Maturity Model (same Phase 0 to Phase 3 as the previous slide)

    Callout: The security issue was always there
  11. Three Groups – Always at Odds

    • Front End Developers
    • Back End Developers
    • Security Architects
  12. What is API Security?

  13. Aspect #1: We expose only the interfaces which we intend.

  14. Aspect #2: We share and accept only the data which we intend.
  15. Aspect #3: We grant access only to the people or systems we intend.
  16. Approach #1: Trust our End Users

  17. No, I’m kidding. Unqualified trust is not security. No, I’m kidding.
  18. Approach #2: Use an API Gateway

  19. None
  20. Wait.. We’re talking about tools. What if we have the wrong mindset?
  21. Aspect #0: Think like a Bad Guy.

  22. How do I think like a Bad Guy?

    • Read the news, look at competitors
    • Talk to your legal/compliance teams
    • Talk to your developers about their horror stories
    • Write a Black Mirror episode
  23. What does a Bad Guy want?

    • Valuable data
    • Accessible infrastructure
    • Simple or No authentication or authorization
    • Custom developed auth systems
    • To act undetected/unmonitored
  24. Be Smarter about Data

  25. Be Smarter about Data

    • Don’t collect it if you don’t have to
    • Secure it in flight (SSL/TLS)
    • Encrypt it at rest
    Ref: https://www.bbc.com/news/technology-46401890
  26. What does a Bad Guy want? (same list as slide 23)
  27. Use the Right Tools

  28. Authentication vs Authorization

    Actors: Developer or User, API Gateway, Resource Server (RS), Identity Provider (IdP), API Management Dashboard
    1. Developer makes request to API
    2. API returns a 401 Not Authorized
    3. Developer authenticates with Okta
    4. Okta returns an Access Token and Refresh Token (optional)
  29. Token Validation

    Actors: Developer or User, API Gateway, Resource Server (RS), Identity Provider (IdP), API Management Dashboard
    1. Developer uses Access Token for request
    2. Optional: API gateway validates token
    3. Gateway relays request
    4. Optional: API validates token
    5. API returns the response/result to the gateway
    6. API gateway relays response to user
  30. Full Lifecycle API Management: API Gateway Capabilities

    Lifecycle – What state is it in?
    • How was it designed?
    • How was it built?
    • Is it deployed? To which GWs?
    • Is it live/available?
    Interface – What does it expose?
    • Which resources?
    • Which methods?
    • Which objects?
    • Which fields?
    Access – Who can use it?
    • Which users/groups?
    • How do they authenticate?
    • Using which clients?
    • In what contexts?
    Consumption – How to succeed with it?
    • API Documentation?
    • Debugging/errors?
    • Track usage?
    • Examples/SDKs?
    Business – How does it drive business goals?
    • Partner CRM
    • Monetization
    • Marketing
    • Business Analytics
  31. Full Lifecycle API Management (same content as slide 30)
  32. Full Lifecycle API Management (same content as slide 30)
  33. What does a Bad Guy want? (same list as slide 23)
  34. Stick to the standards

  35. API Keys are Not Good Enough

    • Not consistent
    • Not scoped
    • Not revocable
    • Included poorly (url vs headers)
  36. A Bad Example (the key travels in the query string)

    • curl -X POST "https://api.company.com/projects?key=abcdef012345" --data '{"name":"My Project", "date_due":"2018-09-14"}'
    • curl -X DELETE "https://api.company.com/projects/1234?key=abcdef012345"
  37. A Better Example (the credential travels in the Authorization header)

    • curl -X POST https://api.company.com/projects --header "Authorization: Bearer abcdef012345" --data '{"name":"My Project", "date_due":"2018-09-14"}'
    • curl -X DELETE https://api.company.com/projects/1234 --header "Authorization: Bearer abcdef012345"
  38. None
  39. OAuth 2.0 - Hotel key cards, but for apps
  40. Common OAuth/OIDC Specifications

    • OpenID Connect Core 1.0 (spec)
      • Authorization Code, Implicit, and Hybrid flows
    • OpenID Provider Metadata (spec)
    • OAuth 2.0 (RFC 6749)
      • Authorization Code, Implicit, Resource Owner Password, Client Credentials
    • JSON Web Token (RFC 7519)
    • OAuth 2.0 Dynamic Client Registration (RFC 7591)
    • OAuth 2.0 Authorization Server Metadata (spec)
    • OAuth 2.0 Bearer Token Usage (RFC 6750)
    • OAuth 2.0 Multiple Response Types (spec)
    • OAuth 2.0 Form Response Mode (spec)
    • OAuth 2.0 Token Revocation (RFC 7009)
    • OAuth 2.0 Token Introspection (RFC 7662)
    • Proof Key for Code Exchange for OAuth Public Clients (RFC 7636)
  41. What does a Bad Guy want? (same list as slide 23)
  42. Integrate into your existing processes

  43. None
  44. What does a Bad Guy want? (same list as slide 23)
  45. Closing Thoughts

  46. Questions to Ask

    • What is the worst thing someone can do with our API?
    • What happens if our competitors get our data?
    • What data do we need to collect & expose?
    • Who are your users now? In a year?
    • How are we monitoring for anomalies and bad behavior?
  47. D. Keith Casey, Jr., API Problem Solver, @CaseySoftware. When Failure Looks Like Success: API Security
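The 401-then-token-validation flow of slides 28 and 29 and the header-versus-query-string contrast of slides 36 and 37, as an added Python example that is not part of the talk or of Okta's code: the HMAC secret, issuer, audience and scope names are assumptions, and mint_token is a constructed stand-in for the IdP so the resource-server check runs offline.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"    # assumption: HMAC key shared with the IdP
ISSUER = "https://idp.example.com"     # assumption: issuer the resource server expects
AUDIENCE = "https://api.company.com"   # the API host from slides 36/37

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims):
    """Constructed stand-in for step 4 of slide 28: the IdP issues an HS256 JWT (RFC 7519)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token, required_scope, now=None):
    """Steps 2/4 of slide 29: return claims only if signature, alg, exp, iss, aud and scope hold."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # the token never gets to choose the algorithm
        claims = json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims

def handle(method, path, query, headers, now=None):
    """Resource-server entry: (status, headers, body); 401 unless a valid Bearer token is present."""
    auth = headers.get("Authorization", "")
    if "key" in query or not auth.startswith("Bearer "):
        # A credential in the URL (slide 36) lands in access logs and proxies: reject it outright
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    scope = "projects:write" if method in ("POST", "DELETE") else "projects:read"
    claims = verify_token(auth[len("Bearer "):], scope, now)
    if claims is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, ""
    return 200, {}, f"{method} {path} as {claims.get('sub')}"
```

The scope check ties the DELETE from slide 37 to a write scope, so a read-only token is refused even though its signature is valid.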