If you ask about API security, you will be most likely be told about OAuth2, may be OpenID Connect and of course TLS. But in order to properly secure APIs, you will have to address many other aspects. This presentation cover key concepts related to API Security, as well as practical tools/solutions to address the overall issue, such as: - Transport and message encryption. - Digital Signatures - Auditing and non-repudiation - SecDevOps and security as code - Coding best practices and how to enforce them - Infrastructure Best Practices

1. GUIDELINES
TO PROPER
API SECURITY
ISABELLE MAUNY - CTO
ISABELLE@42CRUNCH.COM
The API Security Platform for the Enterprise

2. TITLE TEXT
Complex deployments
2
FROM ESTABLISHED PERIMETER…

3. 3
…TO BLURRY PERIMETER

4. TITLE TEXT
4App icon made by https://www.flaticon.com/authors/pixel-buddha
Internal
Partner Public
VIRTUAL APPLICATION NETWORKS

5. TITLE TEXTFAST APP DELIVERY
5
APPLICATION
DEVELOPMENT
APPLICATION
SECURITY

6. API SECURITY NEEDS TO
6
EVOLVE

7. 7
DEFINING API SECURITY

8. 8
Authentication
Integrity
(transport &
message)
Audit
Confidentiality
(transport &
message)
Availability
(Rate Limiting)
Authorization
Non
Repudiation
Data Validity
(attacks
protection)

9. 9
YES. You need to
consider all of this…
… AND you need to
configure all aspects
in the right way

10. 10
AND you need the
right infrastructure!

11. 11
ALL APIS SHOULD BE TREATED AS PUBLIC
1

12. 12
EXPOSING ENTERPRISE DATA
AND PROCESSES.
WHAT ARE APIS FOR ?

13. 13
Internal
External
80
55
57
69
Now
Expect in the next
18 months
Source: @The State of Cybersecurity and Digital Trust 2016” Accenture
and HIS Research - Sample: 208 Enterprise Security Professionals
Have you experienced the theft
or corruption of internal
corporate or user/consumer
information by Internal or
External threat actors?

14. 14

15. “I think that a lot of people think that because there is no GUI on an
API that no one can find it and it is invisible. But we can find
them in about five seconds with a proxy…
…Almost every threat that applies to a web app, can
happen to an API, but a lot of people for some reason are not
protecting them as much as their web applications.”
Tanya Janca
Application Security Evangelist - AppSec Podcast
15
“

16. 16
WHAT SHOULD YOU DO ?
Proceed to a full inventory of APIs within the enterprise
Implement APIs governance
Evaluate your API Security coverage

17. 17
SECURITY NEEDS TO BE RISKED-BASED
2

18. “Security is a risk control measure…In
the security sphere, one size does
not fit all. We have to take ‘appropriate
measures’.
Nat SakimuraFixing OAuth, Nat Sakimura, July 20, 2016, https://nat.sakimura.org/2016/07/20/fixing-oauth/
18
“

19. 19
Financial APIS Security Auth Grant Types
OpenID Connect Flows
TLS Settings
Message Confidentiality
Non-Repudiation
Message Integrity
Financial APIs Working Group: http://openid.net/wg/fapi/

20. 20
WHAT SHOULD YOU DO ?
Establish a threat model for all APIs
Establish corporate security policies based on that
threat model, managed by the security teams.

21. 21
SECURITY MUST BE AUTOMATED
3

22. LET’S SHIFT LEFT!
22
DeploymentTestingDevelopmentDesign

23. VULNERABILITY
SCANS
23
Infrastructure Scans
TLS + Security Setup
✓ APIs Server, CDN, HTTP Server
✓ Security headers
Code analysis (Static, Dynamic, Interactive)
Third-party libs / frameworks
Apps / APIs (e.g. OWASP ZAP)
Authentication
Authorization
DevOps Scripts!
Choose platforms/tools where
functionality is exposed as APIs/CLI.
2

24. 24
WHAT ELSE SHOULD YOU DO ?
Apply security policies as early as possible in the API
lifecycle
Choose a platform where security policies can be applied
automatically, with minimum involvement of developers
Test APIs with “security ON” from Day 1!

25. 25
SECURITY BLUEPRINT

26. 26
REQUEST
RESPONSE
1 2
Request
Validation
Message
Validation
3
Token
Validation
Crypto
Validation
4
Tra!c
Enforcement
5 6 7
AAA
Message
Processing
1
Message
Validation
2
Crypto
Operations
3
Response
Validation
4
Message
Processing

27. IT ALL STARTS WITH TRANSPORT
TLS covers Confidentiality and Integrity at transport level.
Configuration matters!
✓ Protocol accepted (TLS 1.2, 1.3 are recommended)
✓ Cipher suites
Can use Mutual SSL for authentication is some scenarios
Review/Enforce across the whole transaction flow
✓ Inbound/Outbound
Remember: channel is encrypted… but data goes in clear!
27

28. VERIFYING SSL/TLS SETUP
www.ssllabs.com
report.io
securityheaders.io
New! hardenize.com
28

29. REQUEST VALIDATION
Verbs
Path
Headers
Query params
Cookies
CORS
Apply positive and negative security models (a.k.a whitelisting and
blacklisting)
Leverage Open API to apply positive security model!
29

30. TOKEN VALIDATION
Which token format is accepted ?
Where (query param ? header ?)
Is it of the right format ?
Has it expired ?
Was 2-factor auth used if required ? (Level of Assurance - LoA
3 or greater)
30

31. CRYPTOGRAPHY
31

32. CRYPTO VALIDATION
Can I decrypt ?
Can I verify the signature ?
Decrypt before payload validation !
32

33. INTEGRITY
What I received is what was sent and I know who sent it.
Digital signatures over content.
You probably already use this with OpenID Connect (id token must be
signed and optionally encrypted)
Transport agnostic!
Other applications
✓ Non-Repudiation
33

34. CONFIDENTIALITY
I don’t want anybody to see the messages exchanged.
Data can only be read by the right person/system
Transport agnostic!
Multiple recipients
✓ Part of message goes to target A, another to target B
34

35. USEFUL ACRONYMS
JOSE: Javascript Object Signing and Encryption
✓ IETF Standard for JWS and JWE
JWE
✓ JSON Web Encryption
JWS
✓ JSON Web Signature
JWT
✓ JSON Web Token
JWK
✓ JSON Web Key 35

36. USEFUL LINKS
Signing/Validating JWT
✓ jwt.io (sponsored by Auth0)
Building JWK
✓ https://mkjwk.org
Learning about the topic!
✓ https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3
36

37. DATA VALIDATION
Payload validation (request, responses, errors!)
Block sensitive data in responses (N26 attack lessons…)
Make sure you don’t return too much information in case of
errors. Too much info for attacker!
✓ Avoid Response.post ( exception.printStackTrace) !
37

38. AAA (AUTHENTICATION/AUTHORIZATION /AUDIT)
Choose Grant Types wisely
✓ Know the deployment
✓ Know who will invoke the APIs.
Use HTTPs across all actors (Resource Server, Authorization Server, Client)
Prevent Token theft ! Look at
✓ PKCE for mobile apps ( prevents authorization_code from being stolen)
✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800)
✓ Token Binding ( new RFC, still in Draft 05)
Use proven libs and products !
Learn Learn and Learn …
✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce
✓ https://alexbilbie.com/guide-to-oauth-2-grants/
✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-
ec6a5c00d864 38

39. 39
www.42crunch.com/whitepaper

40. CONTACT: INFO@42CRUNCH.COM
WWW.42CRUNCH.COM
The API Security Platform for the Enterprise

41. RESOURCES
Chaos Engineering
✓ http://principlesofchaos.org
✓ https://github.com/dastergon/awesome-chaos-engineering
OWASP ZAP
✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Source Code Analysis
✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Code Security reviews
✓ https://www.owasp.org/index.php/Code_Review_Introduction
Systems Scans
✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
41

42. RESOURCES
SSL Setup Scan
✓ https://hardenize.com
✓ https://securityheaders.io
✓ https://www.ssllabs.com/ssltest/
Threat Modelling
✓ https://www.owasp.org/index.php/Application_Threat_Modeling
42