Slide 1

When Failure Looks Like Success: API Security
D. Keith Casey, Jr., API Problem Solver

Slide 2

© Okta and/or its affiliates. All rights reserved. Okta Confidential
Who Am I?

Slide 7

So let’s talk about Failure

Slide 8

You?

Slide 9

API Journey: A Maturity Model
• Phase 0: Integrate internal systems by introducing Private APIs
• Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
• Phase 2: Limited API access to partners, resellers and suppliers
• Phase 3: Grow these APIs as full fledged products with external developer access, either monetized directly or to reach new customers and enter new markets
Callout: Security Team evaluates use cases, interfaces, authentication, access management, etc.

Slide 10

API Journey: A Maturity Model
• Phase 0: Integrate internal systems by introducing Private APIs
• Phase 1: Internal advocacy & collaboration for internal APIs and CoE/Governance
• Phase 2: Limited API access to partners, resellers and suppliers
• Phase 3: Grow these APIs as full fledged products with external developer access, either monetized directly or to reach new customers and enter new markets
Callout: The security issue was always there

Slide 11

Three Groups – Always at Odds
• Front End Developers
• Back End Developers
• Security Architects

Slide 12

What is API Security?

Slide 13

Aspect #1: We expose only the interfaces which we intend.

Slide 14

Aspect #2: We share and accept only the data which we intend.

Slide 15

Aspect #3: We grant access only to the people or systems we intend.

Slide 16

Approach #1: Trust our End Users

Slide 17

No, I’m kidding. Unqualified trust is not security.

Slide 18

Approach #2: Use an API Gateway

Slide 20

Wait... We’re talking about tools. What if we have the wrong mindset?

Slide 21

Aspect #0: Think like a Bad Guy.

Slide 22

How do I think like a Bad Guy?
• Read the news, look at competitors
• Talk to your legal/compliance teams
• Talk to your developers about their horror stories
• Write a Black Mirror episode

Slide 23

What does a Bad Guy want?
• Valuable data
• Accessible infrastructure
• Simple or No authentication or authorization
• Custom developed auth systems
• To act undetected/unmonitored

Slide 24

Be Smarter about Data

Slide 25

Be Smarter about Data
• Don’t collect it if you don’t have to
• Secure it in flight (SSL/TLS)
• Encrypt it at rest
Ref: https://www.bbc.com/news/technology-46401890

Slide 26

What does a Bad Guy want?
• Valuable data
• Accessible infrastructure
• Simple or No authentication or authorization
• Custom developed auth systems
• To act undetected/unmonitored

Slide 27

Use the Right Tools

Slide 28

Authentication vs Authorization
Components in the diagram: Developer or User, API Gateway, Resource Server (RS), API Management Dashboard, Identity Provider (IdP)
1. Developer makes request to API
2. API returns a 401 Not Authorized
3. Developer authenticates with Okta
4. Okta returns an Access Token and Refresh Token (optional)

Slide 29

Token Validation
Components in the diagram: Developer or User, API Gateway, Resource Server (RS), API Management Dashboard, Identity Provider (IdP)
1. Developer uses Access Token for request
2. Optional: API gateway validates token
3. Gateway relays request
4. Optional: API validates token
5. API returns the response/result to the gateway
6. API gateway relays response to user
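The 401 challenge on slide 28 (step 2) and the validation steps on slide 29 (steps 2 and 4), worked as an added example; this is not code from the deck or from Okta. It assumes a resource server that verifies a compact JWT access token itself. To run self-contained it signs with an HS256 shared secret and uses a made-up issuer, audience and `scp` (scope list) claim, so `DEMO_SECRET`, `EXPECTED_ISSUER`, `EXPECTED_AUDIENCE`, `mint_token`, `validate_token` and `handle_request` are all this example's own names. An Okta-issued token would be RS256-signed and verified against the keys the IdP publishes, but the checks that follow the signature (pinned algorithm, expiry, issuer, audience, scope) are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed values for this demo (assumptions, not Okta's): a shared HS256 secret
# and the issuer/audience the resource server expects to see in every token.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com/oauth2/default"
EXPECTED_AUDIENCE = "api://projects"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for slide 28 step 4: the IdP issues a signed access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, required_scope: str, now: Optional[float] = None,
                   secret: bytes = DEMO_SECRET) -> Tuple[bool, str]:
    """Slide 29 steps 2/4: verify signature, expiry, issuer, audience and scope.
    Returns (ok, reason) so the caller can map a failure to an HTTP response."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable token"
    # Pin the algorithm server-side; never let the token pick it (rejects alg=none).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if required_scope not in claims.get("scp", []):  # scope-list claim name is assumed
        return False, "insufficient scope"
    return True, "ok"


def handle_request(headers: Dict[str, str], required_scope: str,
                   now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Resource-server entry point: 401 challenge when there is no usable token
    (slide 28 step 2), 403 when the token is valid but lacks the scope, else 200."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="projects"'}
    ok, reason = validate_token(auth[len("Bearer "):], required_scope, now)
    if ok:
        return 200, {}
    if reason == "insufficient scope":
        return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}
    return 401, {"WWW-Authenticate": f'Bearer error="invalid_token", error_description="{reason}"'}
```

The error codes in the WWW-Authenticate challenges follow the Bearer Token Usage spec (RFC 6750) listed later in the deck, so a standard client knows whether to re-authenticate or ask for more scope. Passing `now` explicitly keeps expiry checks deterministic in tests; in production leave it as `None`.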

Slide 30

Full Lifecycle API Management: API Gateway Capabilities
Lifecycle – What state is it in?
• How was it designed?
• How was it built?
• Is it deployed? To which GWs?
• Is it live/available?
Interface – What does it expose?
• Which resources?
• Which methods?
• Which objects?
• Which fields?
Access – Who can use it?
• Which users/groups?
• How do they authenticate?
• Using which clients?
• In what contexts?
Consumption – How to succeed with it?
• API Documentation?
• Debugging/errors?
• Track usage?
• Examples/SDKs?
Business – How does it drive business goals?
• Partner CRM
• Monetization
• Marketing
• Business Analytics

Slide 33

What does a Bad Guy want?
• Valuable data
• Accessible infrastructure
• Simple or No authentication or authorization
• Custom developed auth systems
• To act undetected/unmonitored

Slide 34

Stick to the standards

Slide 35

API Keys are Not Good Enough
• Not consistent
• Not scoped
• Not revocable
• Included poorly (URL vs headers)

Slide 36

A Bad Example
• curl -X POST "https://api.company.com/projects?key=abcdef012345" --data '{"name":"My Project","date_due":"2018-09-14"}'
• curl -X DELETE "https://api.company.com/projects/1234?key=abcdef012345"

Slide 37

A Better Example
• curl -X POST https://api.company.com/projects --header "Authorization: Bearer abcdef012345" --data '{"name":"My Project","date_due":"2018-09-14"}'
• curl -X DELETE https://api.company.com/projects/1234 --header "Authorization: Bearer abcdef012345"
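Why the "bad example" is bad, as an added example that is not the deck's code: a server-side guard that refuses a credential carried in the query string and accepts only the Authorization: Bearer header, plus a scan over constructed access-log lines that shows how a URL-borne key ends up in plain text in logs the API owner never meant to make sensitive. `CREDENTIAL_PARAMS`, `extract_bearer`, `find_leaked_credentials`, `LOG_PATTERN` and the sample log are this example's own assumptions; the key value reuses the placeholder from the slides.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Query parameter names this demo treats as credential carriers (an assumption;
# extend it to match your own API's naming).
CREDENTIAL_PARAMS = {"key", "api_key", "apikey", "access_token", "token"}


def extract_bearer(url: str, headers: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (credential, verdict). Accept only Authorization: Bearer; refuse URL-borne keys."""
    query = parse_qs(urlsplit(url).query)
    leaked = sorted(CREDENTIAL_PARAMS & set(query))
    if leaked:
        # Refuse outright rather than silently honouring it: the key is already in
        # proxy, CDN and server logs, browser history and outbound Referer headers.
        return None, f"rejected: credential in query string ({', '.join(leaked)})"
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None, "rejected: missing Authorization: Bearer header"
    return value.strip(), "accepted"


# Common-log-format request line: "METHOD /path?query HTTP/x.y" STATUS
LOG_PATTERN = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_leaked_credentials(log_lines: List[str]) -> List[dict]:
    """Scan access-log lines for requests that carried a credential in the URL."""
    findings = []
    for line in log_lines:
        m = LOG_PATTERN.search(line)
        if not m:
            continue
        parsed = urlsplit(m["path"])
        query = parse_qs(parsed.query)
        for name in sorted(CREDENTIAL_PARAMS & set(query)):
            findings.append({
                "method": m["method"],
                "path": parsed.path,
                "param": name,
                # Enough to identify which key leaked, not enough to reuse it.
                "key_prefix": query[name][0][:4] + "...",
                "status": int(m["status"]),
            })
    return findings


# Constructed sample log lines (not real traffic) mirroring the two "bad example" calls.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Sep/2018:10:01:02 +0000] "POST /projects?key=abcdef012345 HTTP/1.1" 201 87',
    '203.0.113.5 - - [14/Sep/2018:10:01:09 +0000] "DELETE /projects/1234?key=abcdef012345 HTTP/1.1" 204 0',
    '198.51.100.7 - - [14/Sep/2018:10:02:11 +0000] "GET /projects HTTP/1.1" 200 1532',
]
```

Run `find_leaked_credentials(SAMPLE_LOG)` and both `?key=` requests come back as findings while the header-authenticated GET does not; the same scan over real gateway logs is a cheap way to find clients that still paste keys into URLs before revoking and reissuing them.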

Slide 39

OAuth 2.0 – Hotel key cards, but for apps

Slide 40

Common OAuth/OIDC Specifications
• OpenID Connect Core 1.0 (spec)
  • Authorization Code, Implicit, and Hybrid flows
• OpenID Provider Metadata (spec)
• OAuth 2.0 (RFC 6749)
  • Authorization Code, Implicit, Resource Owner Password, Client Credentials
• JSON Web Token (RFC 7519)
• OAuth 2.0 Dynamic Client Registration (RFC 7591)
• OAuth 2.0 Authorization Server Metadata (spec)
• OAuth 2.0 Bearer Token Usage (RFC 6750)
• OAuth 2.0 Multiple Response Types (spec)
• OAuth 2.0 Form Response Mode (spec)
• OAuth 2.0 Token Revocation (RFC 7009)
• OAuth 2.0 Token Introspection (RFC 7662)
• Proof Key for Code Exchange for OAuth Public Clients (RFC 7636)

Slide 41

What does a Bad Guy want?
• Valuable data
• Accessible infrastructure
• Simple or No authentication or authorization
• Custom developed auth systems
• To act undetected/unmonitored

Slide 42

Integrate into your existing processes

Slide 44

What does a Bad Guy want?
• Valuable data
• Accessible infrastructure
• Simple or No authentication or authorization
• Custom developed auth systems
• To act undetected/unmonitored

Slide 45

Closing Thoughts

Slide 46

Questions to Ask
• What is the worst thing someone can do with our API?
• What happens if our competitors get our data?
• What data do we need to collect & expose?
• Who are your users now? In a year?
• How are we monitoring for anomalies and bad behavior?

Slide 47

D. Keith Casey, Jr., API Problem Solver, @CaseySoftware
When Failure Looks Like Success: API Security