Upgrade to Pro — share decks privately, control downloads, hide ads and more …

¿API primero? Seguridad primero: lo que necesit...

Fernando Perales
July 02, 2015
Programming
0
140

¿API primero? Seguridad primero: lo que necesitas saber para crear APIs seguras

API First? Security first: what you need to know in order to create secure APIs

Several tools and frameworks such Angular, Ember, React and Flight among others as well as mobile development depend on an API to communicate with your application back-end.

In this talk, we'll anayize common errors in both creation and consumption of APIs and how to mitigate those failures as well as exploring the anatomy of a secure API

Talk presented during Software Guru Conference and Expo in Mexico City, Mexico

http://sg.com.mx/sgce

Fernando Perales

July 02, 2015
Tweet

More Decks by Fernando Perales

See All by Fernando Perales
Anonimización de bases de datos con PostgreSQL - nerdearla
ferperales
0
6
Let's give REST a rest: exploring the state of gRPC in Ruby
ferperales
0
73
Guía Práctica para Convertirse en Contribuidor de Open Source en 10 Años (o más)
ferperales
0
30
¿Es convertirte en manager tan malo como todo mundo dice?
ferperales
0
21
Guía práctica para convertirse en contribuidor de open source en 10 años o más
ferperales
0
9
Anonimización de bases de datos con PostgreSQL
ferperales
0
23
Guía Práctica para Convertirse en Contribuidor de Open Source en 10 Años (o más)
ferperales
0
25
Guía práctica para convertirse en Senior Engineer en 10 años
ferperales
0
120
Consultoría y Open Source: buscando el balance entre beneficio y la diversión
ferperales
0
30

Other Decks in Programming

See All in Programming
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
Arm移行タイムアタック
qnighy
0
310
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
310
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
24k
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
520

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Being A Developer After 40
akosma
86
590k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Fireside Chat
paigeccino
34
3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840

Transcript

  1. Enlighten your software ¿API primero? Seguridad primero: lo que necesitas

    saber para crear APIs seguras Fernando Perales

  2. <me>

  3. Fernando Perales Software Engineer @ Crowd Interactive FLOSS Advocate /(.*)

    metal and lover/ Passionate about web development and lean startup

  4.  FerPeralesM

  5.  FerPerales

  6. </me>

  7. Why an API?

  8. http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png

  9. API first

  10. When to not API first

  11. Extracted from monolithic

  12. Going mobile

  13. Public API

  14. Decisions

  15. Technology

  16. SOAP vs REST

  17. XML vs JSON

  18. Let's go for...

  19. REST + JSON

  20. REST

  21. Roy Fielding

  22. “REST's client–server separation of concerns simplifies component implementation, reduces the

    complexity of connector semantics, improves the effectiveness of performance tuning, and increases the scalability of pure server components.”

  23. Architectural constraints

  24. Client-server

  25. https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg

  26. Stateless

  27. Cacheable

  28. Layered system

  29. Code on demand (optional)

  30. Uniform interface

  31. None
  32. None

  33. REST is an architectural style, not an standard

  34. Considerations for APIs (and pretty much, every system)

  35. Correctness

  36. Performance

  37. Reliability

  38. Robustness

  39. Scalability

  40. Security

  41. Security

  42. Security

  43. None
  44. None
  45. None
  46. None
  47. None

  48. Why should I care?

  49. Common misperceptions

  50. I'm not a big company

  51. Nobody will care about my data

  52. My API is not public

  53. I didn't know

  54. Ignorantia juris non excusat

  55. owasp.org

  56. Let's start

  57. Know what you are fighting

  58. http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png

  59. OWASP WASC Web Hacking Incidents Database Project

  60. None
  61. None
  62. None
  63. None

  64. Denial of Service

  65. An attempt to make a machine or network resource unavailable

    to its intended users. https://en.wikipedia.org/wiki/Denial-of-service_attack
  66. None

  67. Can be from malicious users

  68. Or legit users trying to take advantage

  69. None

  70. How to deal With?

  71. Throttle / limit request

  72. None

  73. Rack::Attack

  74.  kickstarter/rack-attack

  75. None
  76. None

  77. Return: HTTP code 429

  78. None

  79. How to test?

  80. Apache Benchmark

  81. httpd.apache.org/docs/ 2.2/programs/ab.html

  82. ab -c 5 -n 100 http://127.0.0.1:3000/login

  83. SQL injections

  84. SQL injection is a code injection technique, used to attack

    data- driven applications, in which malicious SQL statements are inserted into an entry field for execution https://en.wikipedia.org/wiki/SQL_injection

  85. http://example.com/ api/v1/user/123

  86. “SELECT * FROM users WHERE userID='” + user_id +”‘”;

  87. “SELECT * FROM users WHERE usetID = ‘123’”

  88. Consider this:

  89. http://example.com/ api/v1/user/’%20or %20’1’=’1

  90. SELECT * FROM users WHERE userID = ‘’ or ‘1’

    = ‘1’

  91. Predictable Resource location

  92. An attack technique used to uncover hidden web site content

    and functionality. By making educated guesses, the attack is a brute force search looking for content that is not intended for public viewing. http://www.infosecpro.com/applicationsecurity/a54.htm

  93. example.com/v1/users/1

  94. example.com/v1/users/1

  95. UUID

  96. example.com/v1/users/1

  97. example.com/v1/users/ de305d54-75b4-431b- adb2-eb6b9e546014

  98. Who does this?

  99. None

  100. Charges: ch_16KD5K2eZvKYlo2 Cm5vtG9HJ

  101. Cards: card_16KD5F2eZvKYlo 2CzRqSKsIR

  102. Transactions: txn_16Hn2s2eZvKYlo2 CSKkdbSPq

  103. Unintended disclosure of information

  104. Letting unauthorized users to access information they shouldn't

  105. It has happened to

  106. me

  107. and many others

  108. How to deal with this?

  109. Apply authentication to your API as well

  110. And respond with the minimal information needed

  111. Protip:

  112. API interactions from client to server are still user input

  113. This happened to

  114. None

  115. Several times...

  116. None

  117. NOTE: Does not work anymore

  118. None

  119. Meet Charles

  120. None
  121. None

  122. Charles can be used as a man-in- the-middle HTTPS proxy,

    enabling you to view in plain text the communication between web browser and SSL web server.
  123. None
  124. None

  125. (._. U)

  126. Wrapping up

  127. Requirements

  128. Knowledge

  129. Prevention

  130. Monitoring

  131. Awareness

  132. Questions?

  133. Thanks!  [email protected]  FerPeralesM