If you ask about API security, you will most likely be told about OAuth 2.0, maybe OpenID Connect, and of course TLS.
But in order to properly secure APIs, you have to address many other aspects. This presentation covers key concepts related to API security, as well as practical tools and solutions to address the overall issue, such as:
- Transport and message encryption
- Digital signatures
- Auditing and non-repudiation
- SecDevOps and security as code
- Coding best practices and how to enforce them
- Infrastructure best practices
13. [Chart: "Have you experienced the theft or corruption of internal corporate or user/consumer information by Internal or External threat actors?" Bars for Internal and External threat actors, "Now" vs. "Expect in the next 18 months"; values shown: 80, 55, 57, 69.]
Source: "The State of Cybersecurity and Digital Trust 2016", Accenture and HIS Research. Sample: 208 enterprise security professionals.
15. “I think that a lot of people think that because there is no GUI on an API that no one can find it and it is invisible. But we can find them in about five seconds with a proxy… Almost every threat that applies to a web app can happen to an API, but a lot of people for some reason are not protecting them as much as their web applications.”
Tanya Janca, Application Security Evangelist, AppSec Podcast
16. WHAT SHOULD YOU DO?
Build a full inventory of the APIs within the enterprise (including the ones nobody remembers exposing)
Implement API governance
Evaluate your API security coverage
18. “Security is a risk control measure… In the security sphere, one size does not fit all. We have to take ‘appropriate measures’.”
Nat Sakimura, Fixing OAuth, July 20, 2016, https://nat.sakimura.org/2016/07/20/fixing-oauth/
20. WHAT SHOULD YOU DO?
Establish a threat model for all APIs
Establish corporate security policies based on that threat model, managed by the security teams
24. WHAT ELSE SHOULD YOU DO?
Apply security policies as early as possible in the API lifecycle
Choose a platform where security policies can be applied automatically, with minimum involvement of developers
Test APIs with “security ON” from day 1! (A test suite that only runs with authentication disabled never exercises the controls that matter.)
27. IT ALL STARTS WITH TRANSPORT
TLS covers confidentiality and integrity at the transport level.
Configuration matters!
✓ Protocol versions accepted (TLS 1.2 and 1.3 are recommended; SSLv3, TLS 1.0 and 1.1 should be disabled)
✓ Cipher suites (forward secrecy and AEAD suites; no NULL, export or RC4 suites)
Mutual TLS (client certificates) can be used for authentication in some scenarios
Review/enforce across the whole transaction flow
✓ Inbound and outbound
Remember: the channel is encrypted… but the data is in the clear at every TLS termination point (gateway, load balancer, backend) and wherever it is stored!
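The points above as an added example, not code from the presentation: a Python `ssl` client context and server context with the settings a reviewer would expect (TLS 1.2 minimum, certificate and hostname verification, forward-secrecy suites, optional mutual TLS), a deliberately weak client context beside them, and a small audit function that reports the difference. The certificate and key paths are optional only so the example builds without key material; the cipher string is this example's choice and controls TLS 1.2 suites only (OpenSSL manages TLS 1.3 suites separately).

```python
import ssl

# Cipher string chosen for this example: ECDHE (forward secrecy) with AEAD
# suites only; anonymous, NULL and MD5-based suites are excluded explicitly.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def make_client_context(cafile=None):
    """Outbound (client-side) context: TLS 1.2+, server certificate and hostname verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def make_weak_client_context():
    """The 'before' configuration seen in many integrations: any certificate
    is accepted and the hostname is never checked, so a man-in-the-middle
    with a self-signed certificate terminates the 'encrypted' channel."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_server_context(certfile=None, keyfile=None, client_cafile=None):
    """Inbound (server-side) context. Passing client_cafile turns on mutual TLS:
    clients must present a certificate chaining to that CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile:  # server identity; optional here so the example runs without key material
        ctx.load_cert_chain(certfile, keyfile)
    if client_cafile:
        ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: no client cert, no connection
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise against this context (empty list = pass)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    is_client = ctx.protocol == ssl.PROTOCOL_TLS_CLIENT
    if is_client and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client does not verify the server certificate")
    if is_client and not ctx.check_hostname:
        findings.append("client does not check the server hostname")
    return findings


if __name__ == "__main__":
    print("hardened client:", audit_context(make_client_context()) or "no findings")
    print("weak client:", audit_context(make_weak_client_context()))
```

Run `audit_context` over every context your services build, inbound and outbound alike: the outbound call from the API gateway to a backend is the hop most often left with `CERT_NONE`.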
30. TOKEN VALIDATION
Which token format is accepted?
Where is it carried (query parameter? header?)
Is it of the right format?
Has it expired?
Was 2-factor auth used if required? (Level of Assurance, LoA 3 or greater)
32. CRYPTO VALIDATION
Can I decrypt it?
Can I verify the signature?
Decrypt and verify before payload validation! Nothing in an unverified payload, not even the algorithm named in its header, can be trusted.
33. INTEGRITY
What I received is what was sent, and I know who sent it.
Digital signatures over content.
You probably already use this with OpenID Connect (the ID token must be signed and is optionally encrypted).
Transport agnostic!
Other applications
✓ Non-repudiation
34. CONFIDENTIALITY
I don’t want anybody to see the messages exchanged.
Data can only be read by the right person/system.
Transport agnostic!
Multiple recipients
✓ Part of the message goes to target A, another part to target B
35. USEFUL ACRONYMS
JOSE: JSON Object Signing and Encryption
✓ IETF working group behind JWS, JWE, JWK and JWT
JWE
✓ JSON Web Encryption (RFC 7516)
JWS
✓ JSON Web Signature (RFC 7515)
JWT
✓ JSON Web Token (RFC 7519)
JWK
✓ JSON Web Key (RFC 7517)
36. USEFUL LINKS
Signing/validating JWT
✓ jwt.io (sponsored by Auth0)
Building JWK
✓ https://mkjwk.org
Learning about the topic!
✓ https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3
37. DATA VALIDATION
Payload validation (requests, responses and errors!)
Block sensitive data in responses (lessons from the N26 attack…)
Make sure you don’t return too much information on errors: too much info for the attacker!
✓ Avoid Response.post(exception.printStackTrace())!
38. AAA (AUTHENTICATION / AUTHORIZATION / AUDIT)
Choose grant types wisely
✓ Know the deployment
✓ Know who will invoke the APIs
Use HTTPS between all actors (Resource Server, Authorization Server, Client)
Prevent token theft! Look at
✓ PKCE for mobile and other public clients (RFC 7636: an intercepted authorization_code cannot be redeemed without the code_verifier)
✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800)
✓ OAuth 2.0 Token Binding (still an IETF draft, at draft 05 at the time of this presentation)
Use proven libs and products!
Learn, learn and learn…
✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce
✓ https://alexbilbie.com/guide-to-oauth-2-grants/
✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864
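The PKCE bullet above as an added example, not code from the presentation or from any of the linked guides: both sides of the exchange in standard-library Python. The client derives an S256 `code_challenge` from a random `code_verifier`; the authorization server (a minimal stand-in class written for this example) stores the challenge with the code it issues, accepts only S256, and on redemption recomputes the challenge from the presented verifier, so a code intercepted on the redirect is worthless without the verifier. Codes are single-use and are consumed even when redemption fails. Client IDs and token values are constructed.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier, 43..128 unreserved characters (32 bytes -> 43 chars)."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))), sent with the authorization request."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stand-in for the AS, written for this example: remembers the challenge for
    each issued code and checks the verifier when the code is redeemed."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint (after the user has authenticated and consented)."""
        if code_challenge_method != "S256":
            # "plain" sends the verifier itself as the challenge; an attacker who
            # sees the authorization request can then redeem the code.
            raise ValueError("only S256 is accepted")
        if not (43 <= len(code_challenge) <= 128):
            raise ValueError("malformed code_challenge")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: return a token dict, or None when the redemption is refused."""
        entry = self._pending.pop(code, None)  # single use, consumed even on failure
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        if not (43 <= len(code_verifier) <= 128):
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    # Constructed run-through: the legitimate client and an attacker who only saw the code.
    asrv = AuthorizationServer()
    verifier = make_code_verifier()
    code = asrv.authorize("mobile-app", make_code_challenge(verifier), "S256")
    print("attacker with intercepted code:", asrv.token("mobile-app", code, make_code_verifier()))
    code = asrv.authorize("mobile-app", make_code_challenge(verifier), "S256")
    print("legitimate client:", asrv.token("mobile-app", code, verifier))
```

PKCE protects the code, not the issued token: once the access token is on the device it is still a bearer credential, which is where proof-of-possession (RFC 7800) and token binding pick up.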