Slide 1

GUIDELINES TO PROPER API SECURITY
ISABELLE MAUNY - CTO, [email protected]
The API Security Platform for the Enterprise

Slide 2

COMPLEX DEPLOYMENTS
FROM ESTABLISHED PERIMETER…

Slide 3

…TO BLURRY PERIMETER

Slide 4

VIRTUAL APPLICATION NETWORKS
Internal / Partner / Public
(App icon made by https://www.flaticon.com/authors/pixel-buddha)

Slide 5

FAST APP DELIVERY
APPLICATION DEVELOPMENT
APPLICATION SECURITY

Slide 6

API SECURITY NEEDS TO EVOLVE

Slide 7

DEFINING API SECURITY

Slide 8

Authentication
Authorization
Integrity (transport & message)
Confidentiality (transport & message)
Availability (Rate Limiting)
Audit
Non Repudiation
Data Validity (attacks protection)

Slide 9

YES. You need to consider all of this…
… AND you need to configure all aspects in the right way.

Slide 10

AND you need the right infrastructure!

Slide 11

1 - ALL APIS SHOULD BE TREATED AS PUBLIC

Slide 12

WHAT ARE APIS FOR?
Exposing enterprise data and processes.

Slide 13

Chart: "Have you experienced the theft or corruption of internal corporate or user/consumer information by Internal or External threat actors?"
Series: Internal, External. Periods: Now, Expect in the next 18 months. Values shown: 80, 55, 57, 69 (the cell mapping is not recoverable from the extracted text).
Source: "The State of Cybersecurity and Digital Trust 2016", Accenture and HIS Research. Sample: 208 Enterprise Security Professionals.

Slide 14


Slide 15

“I think that a lot of people think that because there is no GUI on an API that no one can find it and it is invisible. But we can find them in about five seconds with a proxy… …Almost every threat that applies to a web app can happen to an API, but a lot of people for some reason are not protecting them as much as their web applications.”
Tanya Janca, Application Security Evangelist - AppSec Podcast

Slide 16

WHAT SHOULD YOU DO?
Proceed to a full inventory of APIs within the enterprise
Implement API governance
Evaluate your API Security coverage

Slide 17

2 - SECURITY NEEDS TO BE RISK-BASED

Slide 18

“Security is a risk control measure… In the security sphere, one size does not fit all. We have to take ‘appropriate measures’.”
Nat Sakimura, Fixing OAuth, July 20, 2016, https://nat.sakimura.org/2016/07/20/fixing-oauth/

Slide 19

FINANCIAL APIS SECURITY
Auth Grant Types
OpenID Connect Flows
TLS Settings
Message Confidentiality
Non-Repudiation
Message Integrity
Financial APIs Working Group: http://openid.net/wg/fapi/

Slide 20

WHAT SHOULD YOU DO?
Establish a threat model for all APIs
Establish corporate security policies based on that threat model, managed by the security teams.

Slide 21

3 - SECURITY MUST BE AUTOMATED

Slide 22

LET’S SHIFT LEFT!
Design → Development → Testing → Deployment

Slide 23

VULNERABILITY SCANS
Infrastructure Scans
✓ TLS + Security Setup
✓ APIs Server, CDN, HTTP Server
✓ Security headers
Code analysis (Static, Dynamic, Interactive)
✓ Third-party libs / frameworks
✓ Apps / APIs (e.g. OWASP ZAP)
✓ Authentication
✓ Authorization
DevOps Scripts! Choose platforms/tools where functionality is exposed as APIs/CLI.

Slide 24

WHAT ELSE SHOULD YOU DO?
Apply security policies as early as possible in the API lifecycle
Choose a platform where security policies can be applied automatically, with minimum involvement of developers
Test APIs with “security ON” from Day 1!

Slide 25

SECURITY BLUEPRINT

Slide 26

REQUEST
1 Request Validation
2 Message Validation
3 Token Validation
4 Crypto Validation
5 Traffic Enforcement
6 AAA
7 Message Processing
RESPONSE
1 Message Validation
2 Crypto Operations
3 Response Validation
4 Message Processing

Slide 27

IT ALL STARTS WITH TRANSPORT
TLS covers Confidentiality and Integrity at transport level. Configuration matters!
✓ Protocol accepted (TLS 1.2, 1.3 are recommended)
✓ Cipher suites
Can use Mutual SSL for authentication in some scenarios
Review/Enforce across the whole transaction flow
✓ Inbound/Outbound
Remember: the channel is encrypted… but the data goes in clear!

Slide 28

VERIFYING SSL/TLS SETUP
www.ssllabs.com
report.io
securityheaders.io
New! hardenize.com

Slide 29

REQUEST VALIDATION
Verbs
Path
Headers
Query params
Cookies
CORS
Apply positive and negative security models (a.k.a. whitelisting and blacklisting)
Leverage OpenAPI to apply a positive security model!
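The positive security model this slide asks for can be driven directly from an OpenAPI description: everything a request is allowed to contain (path, verb, path/query/header parameters and their types) is read from the document, and anything not described is refused. The validator below is an added example, not code from the deck or from 42Crunch; the minimal OpenAPI document, the parameter schemas and the requests are constructed for it, and only a small subset of JSON Schema (type integer, enum, pattern) is implemented.

```python
"""Positive-security request validation driven by an OpenAPI 3 description.

Only what the spec describes is allowed: unknown paths, verbs and query
parameters are rejected, declared parameters are type-checked. The spec
and the requests are constructed for this example.
"""
import re

# Constructed minimal OpenAPI 3 document (only the parts the validator uses).
OPENAPI_SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                    {"name": "fields", "in": "query", "required": False,
                     "schema": {"type": "string", "enum": ["basic", "full"]}},
                ]
            }
        },
        "/login": {
            "post": {
                "parameters": [
                    {"name": "X-Request-ID", "in": "header", "required": True,
                     "schema": {"type": "string", "pattern": r"^[0-9a-f]{32}$"}},
                ]
            }
        },
    }
}


def _match_path(template, path):
    """Return the path parameters if `path` matches the OpenAPI template, else None."""
    regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
    m = re.match(regex, path)
    return m.groupdict() if m else None


def _check_value(value, schema):
    """Validate one parameter value against a tiny subset of JSON Schema."""
    if schema.get("type") == "integer" and not re.fullmatch(r"-?\d+", value):
        return "expected integer"
    if "enum" in schema and value not in schema["enum"]:
        return "value not in enum"
    if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
        return "pattern mismatch"
    return None


def validate_request(spec, method, path, query=None, headers=None):
    """Return a list of violations; an empty list means the request is allowed."""
    query, headers = query or {}, headers or {}
    for template, ops in spec["paths"].items():
        path_params = _match_path(template, path)
        if path_params is not None:
            break
    else:
        return [f"unknown path {path}"]            # not described -> denied
    op = ops.get(method.lower())
    if op is None:
        return [f"method {method} not allowed on {template}"]

    violations = []
    declared = {"query": set(), "header": set(), "path": set()}
    sources = {"path": path_params, "query": query,
               "header": {k.lower(): v for k, v in headers.items()}}
    for p in op.get("parameters", []):
        loc, name = p["in"], p["name"]
        key = name.lower() if loc == "header" else name   # header names are case-insensitive
        declared[loc].add(key)
        value = sources[loc].get(key)
        if value is None:
            if p.get("required"):
                violations.append(f"missing required {loc} parameter {name}")
            continue
        err = _check_value(str(value), p.get("schema", {}))
        if err:
            violations.append(f"{loc} parameter {name}: {err}")
    # Positive model: query parameters the spec does not describe are rejected.
    # (Headers are not treated this way because clients and proxies add standard ones.)
    for extra in sorted(set(query) - declared["query"]):
        violations.append(f"undeclared query parameter {extra}")
    return violations
```

The decision is allow-list only: a request for a path the document does not mention is refused before any handler runs, which is the property the negative (blacklist) model cannot give.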

Slide 30

TOKEN VALIDATION
Which token format is accepted?
Where (query param? header?)
Is it of the right format?
Has it expired?
Was 2-factor auth used if required? (Level of Assurance - LoA 3 or greater)

Slide 31

CRYPTOGRAPHY

Slide 32

CRYPTO VALIDATION
Can I decrypt?
Can I verify the signature?
Decrypt before payload validation!
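The Token Validation and Crypto Validation slides together describe an order of checks: where the token arrived, whether it is well-formed, whether its signature verifies, whether it has expired, and whether the required Level of Assurance was met. The code below is an added example, not code from the deck, and walks a compact JWS (JWT) through exactly that order with the standard library only: the signature is verified before the payload is parsed, so unverified claims are never acted on. It assumes an HS256 shared key (constructed here; a deployment would fetch keys from a JWK set), a constructed clock value, and a constructed convention that the `acr` claim carries a numeric LoA. `mint_token` exists only to build test tokens.

```python
"""Token validation in the order the slides give: source, format, signature,
expiry, Level of Assurance. HS256 via the standard library; the key, the
claims and the clock are constructed for this example.
"""
import base64
import hashlib
import hmac
import json

# Constructed shared secret; a real deployment fetches keys from a JWK set.
SHARED_KEY = b"example-hs256-key-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed helper to build test tokens; it is not part of validation."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = (hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
           if alg == "HS256" else b"")
    return f"{signing_input}.{_b64url_encode(sig)}"


def extract_bearer(headers: dict, query: dict):
    """Accept the token only from the Authorization header, never from the query string."""
    if "access_token" in query:
        return None, "token in query string is not accepted"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None, "missing or malformed Authorization header"
    return token, None


def validate_token(token: str, key: bytes, now: int, required_loa: int = 0):
    """Return (claims, None) when the token is valid, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:                                    # format check
        return None, "not a compact JWS (expected 3 parts)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        return None, "undecodable header or signature"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        # The algorithm is pinned by the verifier, so 'none' or a swapped alg is refused.
        return None, f"unsupported alg {header.get('alg') if isinstance(header, dict) else None!r}"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "signature mismatch"
    # Only now is the payload trusted enough to be parsed and interpreted.
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return None, "undecodable payload"
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None, "token expired or exp missing"
    try:
        loa = int(claims.get("acr", 0))                     # constructed numeric-LoA convention
    except (TypeError, ValueError):
        loa = 0
    if loa < required_loa:
        return None, f"LoA {loa} below required {required_loa}"
    return claims, None
```

The ordering is the point: the payload is base64url-decoded only after `hmac.compare_digest` has accepted the signature, and the expected algorithm comes from the verifier's configuration rather than from the token's own header.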

Slide 33

INTEGRITY
What I received is what was sent, and I know who sent it.
Digital signatures over content.
You probably already use this with OpenID Connect (id token must be signed and optionally encrypted)
Transport agnostic!
Other applications
✓ Non-Repudiation

Slide 34

CONFIDENTIALITY
I don’t want anybody to see the messages exchanged.
Data can only be read by the right person/system
Transport agnostic!
Multiple recipients
✓ Part of message goes to target A, another to target B

Slide 35

USEFUL ACRONYMS
JOSE: Javascript Object Signing and Encryption
✓ IETF Standard for JWS and JWE
JWE ✓ JSON Web Encryption
JWS ✓ JSON Web Signature
JWT ✓ JSON Web Token
JWK ✓ JSON Web Key

Slide 36

USEFUL LINKS
Signing/Validating JWT
✓ jwt.io (sponsored by Auth0)
Building JWK
✓ https://mkjwk.org
Learning about the topic!
✓ https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3

Slide 37

DATA VALIDATION
Payload validation (request, responses, errors!)
Block sensitive data in responses (N26 attack lessons…)
Make sure you don’t return too much information in case of errors. Too much info for attacker!
✓ Avoid Response.post( exception.printStackTrace ) !
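Two of the points on this slide, blocking sensitive data in responses and not returning exception details to the caller, are both instances of validating what leaves the API rather than only what enters it. The code below is an added example, not code from the deck: an allow-list of response fields per resource type (the positive model applied on the way out) and an error boundary that returns only a status, a generic message and a correlation reference, while the exception type, message and stack trace go to the log record. The resource schema and the sample record are constructed.

```python
"""Response-side data validation: a per-resource allow-list of fields so
nothing sensitive leaks, and error bodies that carry a reference ID instead
of exception details. The schema and the record are constructed.
"""
import traceback
import uuid

# Constructed allow-list: only these fields may leave the API, per resource type.
RESPONSE_SCHEMA = {
    "user": {"id", "username", "email_verified"},
    "account": {"id", "balance", "currency"},
}


def filter_response(resource: str, record: dict) -> dict:
    """Positive model on the way out: drop every field the schema does not list."""
    allowed = RESPONSE_SCHEMA.get(resource)
    if allowed is None:
        # Unknown resource types fail closed rather than passing the record through.
        raise ValueError(f"no response schema for resource {resource!r}")
    return {k: v for k, v in record.items() if k in allowed}


def dropped_fields(resource: str, record: dict) -> list:
    """Which fields would be removed; useful for auditing what a handler tried to return."""
    return sorted(set(record) - RESPONSE_SCHEMA.get(resource, set()))


def error_response(exc: BaseException, status: int = 500):
    """Split an exception into what the client sees and what goes to the log."""
    ref = uuid.uuid4().hex
    public = {"status": status, "error": "request failed", "reference": ref}
    internal = {
        "reference": ref,
        "type": type(exc).__name__,
        "message": str(exc),
        "stack": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    }
    return public, internal


def safe_call(handler, *args):
    """Run a handler at the API boundary; return (status, body, log_record).

    On success the log record is None; on failure the body is the generic
    public error and the log record holds the details for the operators.
    """
    try:
        return 200, handler(*args), None
    except Exception as exc:  # deliberately catch-all: nothing internal may reach the caller
        public, internal = error_response(exc)
        return public["status"], public, internal
```

The correlation reference is what lets support tie a client report to the logged stack trace without the trace itself ever appearing in the HTTP body.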

Slide 38

AAA (AUTHENTICATION / AUTHORIZATION / AUDIT)
Choose Grant Types wisely
✓ Know the deployment
✓ Know who will invoke the APIs.
Use HTTPS across all actors (Resource Server, Authorization Server, Client)
Prevent Token theft! Look at
✓ PKCE for mobile apps (prevents authorization_code from being stolen)
✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800)
✓ Token Binding (new RFC, still in Draft 05)
Use proven libs and products!
Learn, Learn and Learn…
✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce
✓ https://alexbilbie.com/guide-to-oauth-2-grants/
✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864
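PKCE, which the slide recommends for mobile apps, binds an authorization code to the client that requested it: the client keeps a random code_verifier, sends only its SHA-256 challenge on the authorization request, and must present the verifier when redeeming the code, so a code that leaks in transit or through a custom URL scheme cannot be exchanged by anyone else. The code below is an added example of RFC 7636 with the S256 method, not code from the deck or from any of the linked guides; the in-memory `AuthServer` is a constructed stand-in for the /authorize and /token endpoints and the client identifiers are constructed.

```python
"""PKCE (RFC 7636, S256 method): client side (verifier and challenge) and the
server-side checks a token endpoint performs. The AuthServer class is a
constructed in-memory stand-in for this example.
"""
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved characters."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed stand-in for the /authorize and /token endpoints."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str):
        """Issue a code bound to the challenge; return (code, None) or (None, error)."""
        if method != "S256":  # 'plain' and unknown methods are refused
            return None, "invalid_request: only S256 is accepted"
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code, None

    def token(self, client_id: str, code: str, code_verifier: str):
        """Redeem a code; return (access_token, None) or (None, error)."""
        entry = self._codes.pop(code, None)  # single use, consumed on any attempt
        if entry is None:
            return None, "invalid_grant: unknown or already used code"
        owner, challenge = entry
        if owner != client_id:
            return None, "invalid_grant: code issued to another client"
        if not 43 <= len(code_verifier) <= 128:
            return None, "invalid_request: bad code_verifier length"
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None, "invalid_grant: code_verifier does not match challenge"
        return secrets.token_urlsafe(32), None


def run_client_flow(server: AuthServer, client_id: str):
    """The legitimate client's two requests, end to end; returns (access_token, error)."""
    verifier = make_code_verifier()                       # kept in app memory only
    code, err = server.authorize(client_id, code_challenge_s256(verifier), "S256")
    if err:
        return None, err
    return server.token(client_id, code, verifier)
```

The verifier never leaves the client until the token request, which is sent directly to the token endpoint over TLS; the challenge that does travel through the browser or the custom URL scheme is a one-way hash of it, so it is of no use to whoever sees it.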

Slide 39

www.42crunch.com/whitepaper

Slide 40

CONTACT: [email protected]
WWW.42CRUNCH.COM
The API Security Platform for the Enterprise

Slide 41

RESOURCES
Chaos Engineering
✓ http://principlesofchaos.org
✓ https://github.com/dastergon/awesome-chaos-engineering
OWASP ZAP
✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Source Code Analysis
✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Code Security reviews
✓ https://www.owasp.org/index.php/Code_Review_Introduction
Systems Scans
✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Slide 42

RESOURCES
SSL Setup Scan
✓ https://hardenize.com
✓ https://securityheaders.io
✓ https://www.ssllabs.com/ssltest/
Threat Modelling
✓ https://www.owasp.org/index.php/Application_Threat_Modeling