Upgrade to Pro — share decks privately, control downloads, hide ads and more …

¿API primero? Seguridad primero: lo que necesitas saber para crear APIs seguras

Fernando Perales
July 02, 2015
Programming
0
130

¿API primero? Seguridad primero: lo que necesitas saber para crear APIs seguras

API First? Security first: what you need to know in order to create secure APIs

Several tools and frameworks such Angular, Ember, React and Flight among others as well as mobile development depend on an API to communicate with your application back-end.

In this talk, we'll anayize common errors in both creation and consumption of APIs and how to mitigate those failures as well as exploring the anatomy of a secure API

Talk presented during Software Guru Conference and Expo in Mexico City, Mexico

http://sg.com.mx/sgce

Fernando Perales

July 02, 2015
Tweet

More Decks by Fernando Perales

See All by Fernando Perales
Guía Práctica para Convertirse en Contribuidor de Open Source en 10 Años (o más)
ferperales
0
3
Guía práctica para convertirse en Senior Engineer en 10 años
ferperales
0
110
Consultoría y Open Source: buscando el balance entre beneficio y la diversión
ferperales
0
26
The Senior Software Engineer
ferperales
0
88
Open the gate a little: strategies to protect and share data
ferperales
0
400
The Padawan Path
ferperales
0
870
The Senior Software Engineer - FSL
ferperales
0
120
I [i18n] you: estrategias para manejo efectivo de traducciones en proyectos de Open Source
ferperales
0
55
4000 mexicanos dijeron - FSL
ferperales
0
45

Other Decks in Programming

See All in Programming
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
2
130
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
6
1.2k
使ってみよう Azure AI Document Intelligence
kosmosebi
2
360
Ruby Pattern Matching
bkuhlmann
0
930
Snowflakeで眠ったデータを起こそう!
estie
0
140
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
970
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
Hanami and htmx
bkuhlmann
0
220
業務ツールとして使うPostman
msys75
0
100
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
4
380
ServerAction で Progressive Enhancement はどこまで頑張れるか? / progressive-enhancement-with-server-action
takefumiyoshii
6
420
2 週間で Twitter Bot を作ってみた
contour_gara
0
770

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
242
1.2M
Code Review Best Practice
trishagee
56
15k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
13
8.3k
Done Done
chrislema
178
15k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
79
43k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
Faster Mobile Websites
deanohume
300
30k
BBQ
matthewcrist
80
8.8k
Testing 201, or: Great Expectations
jmmastey
30
6.4k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k

Transcript

  1. Enlighten your software ¿API primero? Seguridad primero: lo que necesitas

    saber para crear APIs seguras Fernando Perales

  2. <me>

  3. Fernando Perales Software Engineer @ Crowd Interactive FLOSS Advocate /(.*)

    metal and lover/ Passionate about web development and lean startup

  4.  FerPeralesM

  5.  FerPerales

  6. </me>

  7. Why an API?

  8. http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png

  9. API first

  10. When to not API first

  11. Extracted from monolithic

  12. Going mobile

  13. Public API

  14. Decisions

  15. Technology

  16. SOAP vs REST

  17. XML vs JSON

  18. Let's go for...

  19. REST + JSON

  20. REST

  21. Roy Fielding

  22. “REST's client–server separation of concerns simplifies component implementation, reduces the

    complexity of connector semantics, improves the effectiveness of performance tuning, and increases the scalability of pure server components.”

  23. Architectural constraints

  24. Client-server

  25. https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg

  26. Stateless

  27. Cacheable

  28. Layered system

  29. Code on demand (optional)

  30. Uniform interface

  31. None
  32. None

  33. REST is an architectural style, not an standard

  34. Considerations for APIs (and pretty much, every system)

  35. Correctness

  36. Performance

  37. Reliability

  38. Robustness

  39. Scalability

  40. Security

  41. Security

  42. Security

  43. None
  44. None
  45. None
  46. None
  47. None

  48. Why should I care?

  49. Common misperceptions

  50. I'm not a big company

  51. Nobody will care about my data

  52. My API is not public

  53. I didn't know

  54. Ignorantia juris non excusat

  55. owasp.org

  56. Let's start

  57. Know what you are fighting

  58. http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png

  59. OWASP WASC Web Hacking Incidents Database Project

  60. None
  61. None
  62. None
  63. None

  64. Denial of Service

  65. An attempt to make a machine or network resource unavailable

    to its intended users. https://en.wikipedia.org/wiki/Denial-of-service_attack
  66. None

  67. Can be from malicious users

  68. Or legit users trying to take advantage

  69. None

  70. How to deal With?

  71. Throttle / limit request

  72. None

  73. Rack::Attack

  74.  kickstarter/rack-attack

  75. None
  76. None

  77. Return: HTTP code 429

  78. None

  79. How to test?

  80. Apache Benchmark

  81. httpd.apache.org/docs/ 2.2/programs/ab.html

  82. ab -c 5 -n 100 http://127.0.0.1:3000/login

  83. SQL injections

  84. SQL injection is a code injection technique, used to attack

    data- driven applications, in which malicious SQL statements are inserted into an entry field for execution https://en.wikipedia.org/wiki/SQL_injection

  85. http://example.com/ api/v1/user/123

  86. “SELECT * FROM users WHERE userID='” + user_id +”‘”;

  87. “SELECT * FROM users WHERE usetID = ‘123’”

  88. Consider this:

  89. http://example.com/ api/v1/user/’%20or %20’1’=’1

  90. SELECT * FROM users WHERE userID = ‘’ or ‘1’

    = ‘1’

  91. Predictable Resource location

  92. An attack technique used to uncover hidden web site content

    and functionality. By making educated guesses, the attack is a brute force search looking for content that is not intended for public viewing. http://www.infosecpro.com/applicationsecurity/a54.htm

  93. example.com/v1/users/1

  94. example.com/v1/users/1

  95. UUID

  96. example.com/v1/users/1

  97. example.com/v1/users/ de305d54-75b4-431b- adb2-eb6b9e546014

  98. Who does this?

  99. None

  100. Charges: ch_16KD5K2eZvKYlo2 Cm5vtG9HJ

  101. Cards: card_16KD5F2eZvKYlo 2CzRqSKsIR

  102. Transactions: txn_16Hn2s2eZvKYlo2 CSKkdbSPq

  103. Unintended disclosure of information

  104. Letting unauthorized users to access information they shouldn't

  105. It has happened to

  106. me

  107. and many others

  108. How to deal with this?

  109. Apply authentication to your API as well

  110. And respond with the minimal information needed

  111. Protip:

  112. API interactions from client to server are still user input

  113. This happened to

  114. None

  115. Several times...

  116. None

  117. NOTE: Does not work anymore

  118. None

  119. Meet Charles

  120. None
  121. None

  122. Charles can be used as a man-in- the-middle HTTPS proxy,

    enabling you to view in plain text the communication between web browser and SSL web server.
  123. None
  124. None

  125. (._. U)

  126. Wrapping up

  127. Requirements

  128. Knowledge

  129. Prevention

  130. Monitoring

  131. Awareness

  132. Questions?

  133. Thanks!  [email protected]  FerPeralesM