Slide 1

Slide 1 text

Your API ain’t as secure as you think
Lindsay Holmwood, @auxesis, Chief Product Officer @ CipherStash

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

👋 I’m Lindsay. cipherstash.com/lindsay, @auxesis. CipherStash helps you protect sensitive data while still enabling safe access across your org.

Slide 4

Slide 4 text

The bad news

Slide 5

Slide 5 text

USD 4.35 million Global average total cost of a data breach Source: IBM Cost of a Data Breach Report 2022

Slide 6

Slide 6 text

Data breach costs are increasing

Slide 7

Slide 7 text

The landscape is changing
○ Compliance requirements (e.g., GDPR, CCPA) are becoming more stringent
○ Ransomware cost $20B globally in 2021, $6.9B in USA alone
○ Attackers are becoming more sophisticated (exploiting supply chains, brokering access) and are moving faster

Notable breaches this year
○ August: Twilio, 125 customers accessed
○ July: Shanghai Police, 1 billion citizens exposed
○ July: Twitter, 5.4 million user accounts exposed
○ May: Costa Rican government, $30M in losses per day
○ May: NIC e-Hospital, 250 million patients exposed

Slide 8

Slide 8 text

The landscape is changing
Compliance requirements (e.g., GDPR, CCPA) are becoming more stringent. USA regulations in the wings.

Slide 9

Slide 9 text

The landscape is changing
Ransomware cost $20B globally ($6.9B in the USA alone) in 2021
Source: FBI IC3 Crime Report 2021

Slide 10

Slide 10 text

The landscape is changing
Ransomware costs in 2021:
○ $20B globally
○ $6.9B in USA alone
Attackers are becoming more sophisticated (exploiting supply chains, brokering access) and are moving faster

Slide 11

Slide 11 text

Notable breaches in the last 6 months
May: NIC e-Hospital, 250 million patients exposed
May: Costa Rican government, $30M in losses per day
July: Shanghai Police, 1 billion citizens exposed
July: Twitter, 5.4 million user accounts exposed
August: Twilio, 125 customers accessed

Slide 12

Slide 12 text

Source: ibm.com/security/data-breach

Slide 13

Slide 13 text

APIs are at the center of many of these incidents.

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

#5 => #1 Broken Access Control Based on volume of weaknesses

Slide 16

Slide 16 text

#3 => #2 Cryptographic Failures Based on volume of weaknesses

Slide 17

Slide 17 text

#1 => #3 Injection Based on volume of weaknesses

Slide 18

Slide 18 text

💨 ⇒ #4 Insecure design Based on volume of weaknesses

Slide 19

Slide 19 text

The good news:

Slide 20

Slide 20 text

There are technical solutions:
● New tech that are safe bets.
● Old architecture techniques getting new life.

Slide 21

Slide 21 text

Most attacks are not on core systems. They are on people who have access to core systems. Source: OAIC Feb 2022

Slide 22

Slide 22 text

Cheaper to invest now than after you get breached or regulated

Slide 23

Slide 23 text

You succeed by doing the basics well

Slide 24

Slide 24 text

What architectures and techniques should you be iterating towards?

Slide 25

Slide 25 text

1. Third party identity providers

Slide 26

Slide 26 text

3rd party IDPs for APIs: before
Authentication:
● Challenge–Response authentication
● Secure Remote Password protocol
● Client certificate authentication
Authorisation:
● ???

Slide 27

Slide 27 text

3rd party IDPs: now
Authentication:
● OAuth2 + JWT
● SAML
● Self managed identity via Google Workspace, O365

Slide 28

Slide 28 text

3rd party IDPs for APIs
Don’t roll your own auth; use a third party identity provider:
● Auth0, Ping, Okta
Untrusted clients, trusted servers:
● Client authenticates to IDP
● IDP sets up session with API
● API is ignorant of users; it only knows if the IDP gives an OK

Slide 29

Slide 29 text

3rd party IDPs for APIs
Why you should care
● Less code, lower ongoing maintenance costs
● Better threat detection than what you can build
● Your APIs become integrated with broader organisational IAM controls
● Access and behaviour tied back to identity

Slide 30

Slide 30 text

Limit impact of attacks
Attack vector             Frequency
Compromised credentials   ~20%
Cloud misconfiguration    ~15%
Phishing                  ~15%
Malicious insider         ~11%
Source: IBM Cost of a Data Breach Report 2022

Slide 31

Slide 31 text

Defend against:
Identification and authentication failures
● Cred stuffing and spraying: automated blocking and alerting
● Cred recovery abuse: reduce and narrow recovery paths
Broken access controls
● Check bypass: implement standard controls across all endpoints
● Allow by default: invert to deny by default

Slide 32

Slide 32 text

We’re so focused on building auth (authentication) that we forget about auth (authorization)

Slide 33

Slide 33 text

Frees you up to work on impactful problems
Authorization
● RBAC: static permissions assigned to users via roles
● ABAC: dynamic policies based on user attributes + request context
Stronger authentication methods
● Passwordless
● FIDO2
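Added example, not part of the deck: a stdlib-only sketch of the slide 28 flow and the slide 31 and 33 controls. The API validates an IdP-issued token (algorithm pinned, signature, issuer, audience, expiry) and then applies one deny-by-default RBAC table to every endpoint. Assumptions: HS256 with a constructed shared secret stands in for a real IdP's RS256 keys and JWKS, and the issuer, audience, roles and POLICY table are all constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed values standing in for the IdP; HS256 keeps this stdlib-only, a real IdP would use RS256 + JWKS.
IDP_SECRET = b"constructed-demo-secret"
IDP_ISSUER = "https://idp.example"
API_AUDIENCE = "orders-api"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub, roles, ttl=300, now=None):
    """Stand-in for the IdP: mints a signed token scoped to this API's audience."""
    now = now or int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "aud": API_AUDIENCE, "sub": sub, "roles": roles, "exp": now + ttl}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)

def verify_token(token, now=None):
    """API side: the API knows nothing about users, only whether the IdP vouched for this caller. Returns claims or None."""
    now = now or int(time.time())
    try:
        h, c, s = token.split(".")
        if json.loads(_b64u_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(IDP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(s)):
            return None
        claims = json.loads(_b64u_decode(c))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != IDP_ISSUER or claims.get("aud") != API_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

# Deny by default: an endpoint missing from this table is reachable by nobody.
POLICY = {("GET", "/orders"): {"viewer", "admin"}, ("DELETE", "/orders"): {"admin"}}

def authorize(token, method, path, now=None):
    """Standard control applied to every endpoint: 401 without a valid IdP token, 403 unless a role is allowed."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    return 200 if POLICY.get((method, path), set()) & set(claims.get("roles", [])) else 403
```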

Slide 34

Slide 34 text

2. RPC + standardised serialisation formats

Slide 35

Slide 35 text

RPC
Use code generation to handle:
● Routes
● Serialisation
● HTTP methods, request/response headers
● Errors

Slide 36

Slide 36 text

RPC examples
            gRPC           Twirp
Origin      Google         Twitch
Payloads    protobufs      Binary or JSON
HTTP        HTTP/2         HTTP 1.1 only
Streaming   Bidirectional  None
Honorable mention: GraphQL

Slide 37

Slide 37 text

Serialisation
Strongly typed communication for:
● Network transport
● Storage
Reduces attack surface, to mitigate attacks like:
● Injection

Slide 38

Slide 38 text

Example: Protocol Buffers
Binary representation of data structures:
1. Describe data structure using built in types
2. Compile bindings for languages
3. Encode/decode data structure in efficient binary format
Supports basic backwards compatibility via tags.

    syntax = "proto3";

    service SearchService {
      rpc Search(SearchRequest) returns (SearchResponse);
    }

    // The field numbers (tags) are what identify a field on the wire: keep them
    // stable and never reuse a retired number, and old and new clients interoperate.
    message SearchRequest {
      string query = 1;                 // proto3 has no "required"; check presence in code
      optional int32 page_number = 2;
      optional int32 result_per_page = 3;
    }

    message SearchResponse {
      repeated Result results = 1;
    }

    message Result {
      string url = 1;
      string title = 2;
      repeated string snippets = 3;
    }

Slide 39

Slide 39 text

RPC + serialisation formats for APIs
Reduce attack surface:
● To only what the endpoint explicitly exposes
● Stop enumeration
Build secure clients, faster:
● Automatically generate clients for different languages
● Automatically generate documentation
● Backwards compatibility baked in

Slide 40

Slide 40 text

Limit impact of attacks
Attack vector                             Frequency
Vulnerability in third-party software     ~13%
System error                              ~7%
Source: IBM Cost of a Data Breach Report 2022

Slide 41

Slide 41 text

Defend against:
Deserialization attacks
● Injection: data injection; only support primitive data types
● Privilege escalation: gaining RCE through object deserialisation
Denial of Service
● Resource exhaustion: drop and log deserialization failures
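Added example, not from the deck: a hand-written decoder for the slide 38 SearchRequest that applies the slide 41 rules. It accepts only the primitive fields the schema declares, skips unknown tags (the backwards compatibility the tags give you), bounds message size before parsing, and drops and logs anything malformed rather than guessing. The size cap and logger name are constructed; a real service would use the generated bindings and keep this as the policy around them.

```python
import logging

log = logging.getLogger("search-api")
MAX_MESSAGE_BYTES = 4096  # constructed cap: bound the work before any parsing starts
# SearchRequest from the slide: field number -> (name, wire type); 0 = varint, 2 = length-delimited.
SCHEMA = {1: ("query", 2), 2: ("page_number", 0), 3: ("result_per_page", 0)}

def _varint(buf, pos):
    """Decode one base-128 varint at pos; returns (value, new_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def decode_search_request(buf):
    """Parse wire bytes into primitive fields only; anything off-schema raises ValueError."""
    if len(buf) > MAX_MESSAGE_BYTES:
        raise ValueError(f"message of {len(buf)} bytes exceeds cap")
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = _varint(buf, pos)
        field_no, wire = key >> 3, key & 7
        if wire == 0:
            value, pos = _varint(buf, pos)
        elif wire == 2:
            length, pos = _varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of message")
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire}")
        if field_no not in SCHEMA:
            continue  # unknown tag: skipped, which is how old and new clients stay compatible
        name, expected_wire = SCHEMA[field_no]
        if wire != expected_wire:
            raise ValueError(f"field {name} arrived as wire type {wire}, expected {expected_wire}")
        fields[name] = value.decode("utf-8") if wire == 2 else value
    return fields

def handle_request(buf):
    """Server entry point: drop and log failures instead of guessing at malformed input."""
    try:
        return decode_search_request(buf)
    except ValueError as exc:  # UnicodeDecodeError from a non-UTF-8 query is a ValueError too
        log.warning("dropped malformed SearchRequest (%d bytes): %s", len(buf), exc)
        return None
```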

Slide 42

Slide 42 text

Also consider:
Defence in depth:
● Use strongly typed languages to stop injection attacks propagating from client to server
● WASM, to more tightly control the client side
gRPC reflection:
● Enumerates gRPC services
● Exposes protobufs in human readable format (arguments, fields)

Slide 43

Slide 43 text

Also consider:
“New” attacks like request smuggling, SSRF, WASM

Slide 44

Slide 44 text

3. Application Level Encryption

Slide 45

Slide 45 text

Encrypt data before it hits your database

Slide 46

Slide 46 text

Application-Level Encryption is the best defence against data breaches. But adoption is low.

Plaintext:
ID  Name          Email              Medicare   DOB         Last Visit
1   Bob Alice     [email protected]  1234-1679  1985-04-13  2021-11-12
2   Ada Lovelace  [email protected]  7811-8900  1815-12-18  2021-03-01
3   Ron Rivest    [email protected]  1111-7777  1947-05-06  2020-08-17

Encrypted:
ID  Name         Email        Medicare     DOB          Last Visit
1   FaEZff3jxBo  Ooi9EGk9AHY  kFUXefymauo  AIaq/7zh8Bg  8E7bW/piQdc
2   /+P5vR/Y6c8  l9pjVGliPpY  coOsKQoqMGs  v65rNTAOLbc  Jrh2cWxZQFI
3   GzSs7yV+om8  rnm2X1+f8pw  lKWK7jdaUBk  1dPr3mM/nzY  MysZlt3F6FE

Slide 47

Slide 47 text

Why? Queries are impossible!

ID  Name         Email        Medicare     DOB          Last Visit
1   FaEZff3jxBo  Ooi9EGk9AHY  kFUXefymauo  AIaq/7zh8Bg  8E7bW/piQdc
2   /+P5vR/Y6c8  l9pjVGliPpY  coOsKQoqMGs  v65rNTAOLbc  Jrh2cWxZQFI
3   GzSs7yV+om8  rnm2X1+f8pw  lKWK7jdaUBk  1dPr3mM/nzY  MysZlt3F6FE
4   8LDcY5j8as0  o4+DZioP8Y8  jUxr2zGw0UQ  TwaxYXYaLzA  kBhGkhRZh2s
5   7KkpjDE39ng  hm1dbQpe/iA  dqMY09YeG8s  zcIxZM7sVVw  rLqsko3LmW8

Medicare number = “1234-1567” ?

Slide 48

Slide 48 text

Wide range of App Level Encryption plugins for most languages + frameworks. All have the same caveat: you do this, you lose search.
JavaScript: objection-encryption, sequelize-encrypted, mongoose-encryption, typeorm-encrypted, typeorm-encrypted-model, prisma-field-encryption, bookshelf-encrypt-columns, mongoose-field-encryption
Ruby: ActiveRecord Encryption, Lockbox, attr_encrypted, strongbox, crypt_keeper, active_record_encryption, mongoid-encrypted-fields, mongoid-encrypted, symmetric-encryption
Python: django-fernet-fields, django-encrypted-model-fields, django-cryptographic-fields, django-cryptography, sqlalchemy_utils EncryptedType
C#: EntityFrameworkCore.DataEncryption, EntityFrameworkCore.EncryptColumn, EntityEncryption
PHP: EloquentEncryption, eloquent-aes, ambta/DoctrineEncryptBundle, absolute-quantum/DoctrineEncryptBundle, EncryptBundle, elgibor-solution/laravel-database-encryption

Slide 49

Slide 49 text

What’s changed? Searchable Symmetric Encryption: index encrypted records and search them (a searchable encrypted index).
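Added example, not from the deck or from CipherStash: the slide 46 to 49 pattern in stdlib Python. Each Medicare number is encrypted before it reaches the database and stored next to a keyed blind index, so the slide 47 query (Medicare number = “1234-1567”?) is answered by matching index terms without decrypting a single row. Assumptions: the keys are constructed, and field encryption uses HMAC-SHA256 as an encrypt-then-MAC stream cipher only so the block runs without third-party packages; in real code use AES-GCM from a vetted library.

```python
import hashlib, hmac, secrets

# Constructed demo keys; real keys come from a KMS, never from the database they protect.
DATA_KEY = b"constructed-32-byte-data-key-000"
INDEX_KEY = b"constructed-32-byte-index-key-00"
ENC_KEY = hmac.new(DATA_KEY, b"enc", hashlib.sha256).digest()  # separate subkeys for keystream and tag
MAC_KEY = hmac.new(DATA_KEY, b"mac", hashlib.sha256).digest()

def _keystream(nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for AES-GCM."""
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt_field(plaintext):
    """Randomised encrypt-then-MAC stored as nonce || ciphertext || tag; equal plaintexts never give equal bytes."""
    nonce, data = secrets.token_bytes(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()

def decrypt_field(blob):
    """Verify the tag first; anything tampered with or encrypted under another key is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def blind_index(medicare):
    """Keyed, deterministic term: equal (normalised) inputs match, nothing is recoverable without INDEX_KEY."""
    return hmac.new(INDEX_KEY, medicare.strip().replace("-", "").encode(), hashlib.sha256).hexdigest()

def store_patient(row_id, medicare):
    """The row the database actually receives: ciphertext plus index term, never the plaintext."""
    return {"id": row_id, "medicare": encrypt_field(medicare), "medicare_idx": blind_index(medicare)}

def find_by_medicare(rows, medicare):
    """Equality search over encrypted rows without decrypting any of them."""
    term = blind_index(medicare)
    return [r["id"] for r in rows if hmac.compare_digest(r["medicare_idx"], term)]
```

A blind index reveals which rows share a value, so limit it to fields that genuinely need exact-match lookup; it is one simple form of the searchable encryption the slide refers to, not the whole technique.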

Slide 50

Slide 50 text

Emerging tools: old pattern, new applications
(the App Level Encryption plugin list from slide 48)

Slide 51

Slide 51 text

Limit impact of attacks
Attack vector                          Frequency
Compromised credentials                ~20%
Cloud misconfiguration                 ~15%
Vulnerability in 3rd party software    ~12%
Malicious insider                      ~11%
Physical security compromise           ~9%
Source: IBM Cost of a Data Breach Report 2022

Slide 52

Slide 52 text

Most attacks are not on core systems. They are on people who have access to core systems. Source: OAIC Feb 2022

Slide 53

Slide 53 text

Defend against:
Broken access controls
● Check bypass: multiple factors required to decrypt data
Security misconfiguration
● Unauthorised access: even if authenticated, data is still encrypted
Insecure design
● Incomplete threat model: last line of defense

Slide 54

Slide 54 text

4. Security static analysis

Slide 55

Slide 55 text

Security static analysis
Analyse code and infracode for known vulnerabilities. Well established tools:
● semgrep
● tfsec
Integrate into CI, catch insecurity before it’s shipped to production.

Slide 56

Slide 56 text

Example: tfsec
● Finds insecure defaults and configurations
● Hundreds of checks across major and minor clouds
● Drop into CI pipelines

Slide 57

Slide 57 text

Example: semgrep
● Supports 25+ languages
● Thousands of rules out of the box
● Easy to write new rules

Slide 58

Slide 58 text

Limit impact of attacks
Attack vector                     Frequency
Cloud misconfiguration            ~15%
Physical security compromise      ~9%
System error                      ~7%
Source: IBM Cost of a Data Breach Report 2022

Slide 59

Slide 59 text

Defend against:
Security misconfiguration
● Default accounts & features: reduce attack surface
● Implementation exposure: disable debugging output
Insecure design
● Missed controls: catch design errors early in build

Slide 60

Slide 60 text

Use security static analysis to identify and enforce secure code standards:
🚧 authorisation access controls
🔒 app level encryption
☎ RPC + serialisation formats

Slide 61

Slide 61 text

Recap: These techniques should be on your radar:

Slide 62

Slide 62 text

Third party identity providers
A01:2021 Broken Access Control
A02:2021 Cryptographic Failures
A03:2021 Injection
A04:2021 Insecure Design
A05:2021 Security Misconfiguration
A06:2021 Vulnerable and Outdated Components
A07:2021 Identification and Authentication Failures
A08:2021 Software and Data Integrity Failures
A09:2021 Security Logging and Monitoring Failures
A10:2021 Server-Side Request Forgery

Slide 63

Slide 63 text

Standardised serialisation formats + RPC
(OWASP Top 10:2021 list as on slide 62)

Slide 64

Slide 64 text

Application Level Encryption
(OWASP Top 10:2021 list as on slide 62)

Slide 65

Slide 65 text

Security Static Analysis
(OWASP Top 10:2021 list as on slide 62)

Slide 66

Slide 66 text

Most attacks are not on core systems. They are on people who have access to core systems. Source: OAIC Feb 2022

Slide 67

Slide 67 text

Cheaper to invest now than after you get breached or regulated

Slide 68

Slide 68 text

You succeed by doing the basics well

Slide 69

Slide 69 text

Thank you! 🙋 What questions do you have? 💖 the talk? Let @auxesis know on Twitter. Appendix + sources at cipherstash.com/lindsay

Slide 70

Slide 70 text

📒 Appendix: Links
○ Cost of a Data Breach Report 2022 (IBM)
○ Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill (Wired)
○ Federal Bureau of Investigation Internet Crime Report 2021
○ 2022 Costa Rican ransomware attack
○ OWASP Top 10:2021
○ How Unsecure gRPC Implementations Can Compromise APIs (Trend Micro)
○ Four different authorization models to map users to the correct permission (Auth0)
○ twitchtv/twirp: A simple RPC framework with protobuf service definitions
○ GRPC Server Reflection Protocol
○ neex/http2smugl: detect and exploit HTTP request smuggling
○ aquasecurity/tfsec: Security scanner for your Terraform code
○ returntocorp/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code