Securing APIs Lunch and Learn London 

10+ years working in secure systems Hi! Platform Specialist at Okta Software Developer (.NET / Java / JS) @andymarch 

OpenStreetMap Yelp Uber Get map data Get reviews Get a ride Find me 5 good pubs between Farringdon and Kings Cross BeerTour.io ThirstyWalker.net Find x good pubs between a and b BeerTour.api Find x good pubs between a and b 

User API Client 

Information wants to be free. Stewart Brand 

No content

No content

Information wants to be free. Information also wants to be expensive. Stewart Brand 

https://delivery/panerabread.com/foundation-api/users/uramp/738194 August 2017 

https://delivery/panerabread.com/foundation-api/users/uramp/738194 https://delivery/panerabread.com/foundation-api/users/uramp/738195 https://delivery/panerabread.com/foundation-api/users/uramp/738196 https://delivery/panerabread.com/foundation-api/users/uramp/738197 https://delivery/panerabread.com/foundation-api/users/uramp/ … https://delivery/panerabread.com/foundation-api/users/uramp/ … https://delivery/panerabread.com/foundation-api/users/uramp/ … August 2017 Username, First and last name, Email, Phone number, Birthday, CC last 4 digits, Home address, linked social accounts, saved preferences and dietary restrictions, gift cards 

Architecting for Security 

API Maturity Model Phase 0 Integrate internal systems by private APIs Internal collaboration for internal applications Phase 2 Limited API access to partners, resellers and suppliers Phase 3 APIs as full fledged products with external developer access Security Team evaluates use cases, interfaces, authentication, access management, etc, etc Phase 1 Application microservices Shared microservices Trusted partner APIs Public service APIs 

Think like a bad guy. Icon thenounproject.com/sultanm/ 

No content

API1: Broken Object Level Authorization GET /api/user/12345 GET /api/user/12345 GET /api/user/12346 GET /api/user/12347 GET /api/user/12348 

API2: Broken Authentication 

Don’t roll your own identity 

No content

No content

API3: Excessive Data Exposure { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, cc: 1234 } Hi test tester /api/user Portal app 

API3: Excessive Data Exposure { firstName: test, lastName: tester, email: [email protected], } Hi test tester /api/user Portal app { cc: 1234 } Would you like to update your payment card ending 1234 /api/user/payment Portal app 

API4: Lack of Resources and rate limiting Icon thenounproject.com/sultanm/ 

API5: Broken Function Level Authorization TourOrganiser TourAttendee /tour/info GET GET PUT PUT 

API6: Mass Assignment { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street } PUT /api/user { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: user } { role: admin } PUT /api/user { userid: 12345, firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street, role: admin } 

API7: Security Misconfiguration 

API8: Injection Credit: https://xkcd.com/327/ 

API8: Injection GET /api/user?id=12345 { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street } 

API8: Injection GET /api/user?id=12345%27%20union%20(select%20*%2 0from%20users%3B) {Result: {[ { firstName: test, lastName: tester, email: [email protected], homeAddress: 123 Fake Street}, { firstName: example, lastName: users, email: [email protected], homeAddress: 987 Demo Road}, { firstName: Ex, lastName: Ample, email: [email protected], homeAddress: Flat 1 Test Towers 

API9: Improper Assets Management /tour/info v1 v1 v1 v2 v2 

API10: Insufficient Logging & Monitoring Icon thenounproject.com/sultanm/ 

API Access Management 

API Access Management (API AM) Lifecycle What state is it in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available? Interface What does it expose? Which resources? Which methods? Which objects? Which fields? Access Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts? Consumption How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs? Business How does it drive business goals? Partner CRM Monetization Marketing Business Analytics 

No content

Delegated authorization with OAuth 2.0 

Who’s who of OAuth 2.0 Resource Owner Client Authorization Server Resource Server Guest Hotel Room Reception Desk Hotel 

Authorization Server (The source of trust for the application) 

No content

No content

No content

Scope (a requested permission) 

No content

Register: redirect address ClientID, Client secret 

No content

No content

ClientId (a unique identifier of an application) 

ClientSecret (an authenticator for an application) 

No content

No content

client id, client secret, scopes Access Token Access Token 

Access Policy (control the behavior of the authz server for a given application) 

No content

No content

No content

No content

No content

API Access Management (API AM) Lifecycle What state is it in? How was it designed? How was it built? Is it deployed? To which GWs? Is it live/available? Interface What does it expose? Which resources? Which methods? Which objects? Which fields? Access Who can use it? Which users/groups? How do they authenticate? Using which clients? In what contexts? Consumption How to succeed with it? API Documentation? Debugging/errors? Track usage? Examples/SDKs? Business How does it drive business goals? Partner CRM Monetization Marketing Business Analytics 

&