API First? Security first: what you need to know in order to create secure APIs

Several tools and frameworks such as Angular, Ember, React and Flight, among others, as well as mobile development, depend on an API to communicate with your application back-end.

In this talk, we'll analyze common errors in both the creation and consumption of APIs and how to mitigate those failures, as well as explore the anatomy of a secure API.

Talk presented during Software Guru Conference and Expo in Mexico City, Mexico

http://sg.com.mx/sgce

Fernando Perales

July 02, 2015

Transcript

  1. Enlighten your software. API first? Security first: what you need to know to create secure APIs. Fernando Perales
  2. <me>

  3. Fernando Perales. Software Engineer @ Crowd Interactive. FLOSS Advocate. /(.*) metal and lover/ Passionate about web development and lean startup
  4. FerPeralesM

  5. FerPerales

  6. </me>

  7. Why an API?

  8. http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png

  9. API first

  10. When not to API first

  11. Extracted from monolithic

  12. Going mobile

  13. Public API

  14. Decisions

  15. Technology

  16. SOAP vs REST

  17. XML vs JSON

  18. Let's go for...

  19. REST + JSON

  20. REST

  21. Roy Fielding

  22. “REST's client–server separation of concerns simplifies component implementation, reduces the complexity of connector semantics, improves the effectiveness of performance tuning, and increases the scalability of pure server components.”
  23. Architectural constraints

  24. Client-server

  25. https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg

  26. Stateless

  27. Cacheable

  28. Layered system

  29. Code on demand (optional)

  30. Uniform interface

  33. REST is an architectural style, not a standard

  34. Considerations for APIs (and pretty much, every system)

  35. Correctness

  36. Performance

  37. Reliability

  38. Robustness

  39. Scalability

  40. Security

  41. Security

  42. Security

  48. Why should I care?

  49. Common misperceptions

  50. I'm not a big company

  51. Nobody will care about my data

  52. My API is not public

  53. I didn't know

  54. Ignorantia juris non excusat

  55. owasp.org

  56. Let's start

  57. Know what you are fighting

  58. http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png

  59. OWASP WASC Web Hacking Incidents Database Project

  64. Denial of Service

  65. An attempt to make a machine or network resource unavailable to its intended users. https://en.wikipedia.org/wiki/Denial-of-service_attack

  67. Can be from malicious users

  68. Or legit users trying to take advantage

  70. How to deal with it?

  71. Throttle / limit requests

  73. Rack::Attack

  74. kickstarter/rack-attack

  77. Return: HTTP code 429

  79. How to test?

  80. Apache Benchmark

  81. httpd.apache.org/docs/2.2/programs/ab.html

  82. ab -c 5 -n 100 http://127.0.0.1:3000/login
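The throttle-and-429 pattern from slides 71 to 82, as an added example that is not Rack::Attack's own code: a minimal fixed-window Rack middleware that counts requests per client per period and answers 429 once the limit is reached. It assumes the client is keyed by REMOTE_ADDR and takes an injectable `clock` so the behaviour can be checked without waiting for real time to pass.

```ruby
# Added example, not Rack::Attack's code: a fixed-window throttle as a Rack
# middleware, mimicking what `Rack::Attack.throttle` does (count requests per
# client per period, answer 429 once the limit is reached).
# Assumptions: clients are keyed by REMOTE_ADDR; `clock` is injectable for tests.
class ThrottleMiddleware
  def initialize(app, limit:, period:, clock: -> { Time.now.to_i })
    @app = app
    @limit = limit     # requests allowed per window
    @period = period   # window length in seconds
    @clock = clock
    # In-memory counter; a shared cache store is needed once the API runs in
    # more than one process, otherwise each process enforces its own limit.
    @counts = Hash.new(0)
  end

  def call(env)
    now = @clock.call
    window = now / @period   # every request inside the same period shares this key
    key = "#{env['REMOTE_ADDR']}:#{window}"
    @counts[key] += 1
    if @counts[key] > @limit
      retry_after = @period - (now % @period)   # seconds until the window rolls over
      return [429,
              { 'Content-Type' => 'application/json', 'Retry-After' => retry_after.to_s },
              ['{"error":"Too Many Requests"}']]
    end
    @app.call(env)
  end
end

# Constructed downstream app standing in for the real API.
APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }

# Replays one request per timestamp from a single client and returns the status codes.
def simulate(stamps, limit: 5, period: 60, ip: '127.0.0.1')
  current = stamps.first
  mw = ThrottleMiddleware.new(APP, limit: limit, period: period, clock: -> { current })
  stamps.map do |ts|
    current = ts
    mw.call('REMOTE_ADDR' => ip, 'PATH_INFO' => '/login').first
  end
end

if __FILE__ == $PROGRAM_NAME
  # Seven hits inside one window: five pass, the rest are throttled.
  p simulate([0] * 7)         # => [200, 200, 200, 200, 200, 429, 429]
  # The seventh hit lands in the next window, so the counter has reset.
  p simulate([0] * 6 + [60])  # => [200, 200, 200, 200, 200, 429, 200]
end
```

Running `ab -c 5 -n 100` against an endpoint behind this middleware shows the mix of 200 and 429 responses in ab's "Non-2xx responses" count.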

  83. SQL injections

  84. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. https://en.wikipedia.org/wiki/SQL_injection
  85. http://example.com/api/v1/user/123

  86. "SELECT * FROM users WHERE userID='" + user_id + "'";

  87. "SELECT * FROM users WHERE userID = '123'"

  88. Consider this:

  89. http://example.com/api/v1/user/'%20or%20'1'='1

  90. SELECT * FROM users WHERE userID = '' or '1' = '1'
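The query from slides 84 to 90, as an added example that is not part of the deck: the concatenated statement beside a parameterised version, plus the id check the route handler should perform first. No database is involved; both builders return the statement they would hand to a driver, so the effect of the `'%20or%20'1'='1` segment is visible directly. The `?` placeholder style and the `/api/v1/user/:id` handler are assumptions for illustration.

```ruby
# Added example, not from the talk: the slide's concatenated query beside a
# parameterised one, and the input check that should run before either.
require 'uri'

# Vulnerable (kept as on the slide): the path segment becomes part of the SQL
# text, so a quote inside it closes the literal and the rest runs as SQL.
def unsafe_user_query(user_id)
  "SELECT * FROM users WHERE userID='" + user_id + "'"
end

# Hardened: the SQL text is constant and the value travels as a bind parameter
# (the `?` placeholder style used by drivers such as sqlite3 and mysql2). The
# driver never interprets the value as SQL, so quotes in it cannot alter the query.
def safe_user_query(user_id)
  ['SELECT * FROM users WHERE userID = ?', [user_id]]
end

# Defence in depth: /api/v1/user/:id is a numeric id, so anything else is
# rejected before it gets anywhere near the query layer.
def valid_user_id?(segment)
  segment.match?(/\A\d+\z/)
end

# Hypothetical handler for GET /api/v1/user/:id: extract the segment,
# percent-decode it as a router would, validate, then bind.
# Returns [status, payload], where payload is the bound query or an error text.
def handle_user_request(path)
  m = path.match(%r{\A/api/v1/user/([^/]+)\z})
  return [400, 'bad path'] unless m
  user_id = URI.decode_www_form_component(m[1])
  return [400, 'invalid user id'] unless valid_user_id?(user_id)
  [200, safe_user_query(user_id)]
end

if __FILE__ == $PROGRAM_NAME
  segment = "'%20or%20'1'='1"   # the slide's segment, still URL-encoded
  puts unsafe_user_query(URI.decode_www_form_component(segment))
  # => SELECT * FROM users WHERE userID='' or '1'='1'   (matches every row)
  p handle_user_request("/api/v1/user/#{segment}")
  # => [400, "invalid user id"]
  p handle_user_request('/api/v1/user/123')
  # => [200, ["SELECT * FROM users WHERE userID = ?", ["123"]]]
end
```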
  91. Predictable Resource location

  92. An attack technique used to uncover hidden web site content and functionality. By making educated guesses, the attack is a brute force search looking for content that is not intended for public viewing. http://www.infosecpro.com/applicationsecurity/a54.htm
  93. example.com/v1/users/1

  94. example.com/v1/users/1

  95. UUID

  96. example.com/v1/users/1

  97. example.com/v1/users/de305d54-75b4-431b-adb2-eb6b9e546014

  98. Who does this?

  100. Charges: ch_16KD5K2eZvKYlo2Cm5vtG9HJ

  101. Cards: card_16KD5F2eZvKYlo2CzRqSKsIR

  102. Transactions: txn_16Hn2s2eZvKYlo2CSKkdbSPq

  103. Unintended disclosure of information

  104. Letting unauthorized users access information they shouldn't

  105. It has happened to

  106. me

  107. and many others

  108. How to deal with this?

  109. Apply authentication to your API as well

  110. And respond with the minimal information needed

  111. Protip:

  112. API interactions from client to server are still user input

  113. This happened to

  115. Several times...

  117. NOTE: Does not work anymore

  119. Meet Charles

  122. Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between web browser and SSL web server.

  125. (._. U)

  126. Wrapping up

  127. Requirements

  128. Knowledge

  129. Prevention

  130. Monitoring

  131. Awareness

  132. Questions?

  133. Thanks! me@ferperales.net FerPeralesM