The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect. Downside: The more APIs, the higher the security risk! API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs. Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language. In this presentation you will learn: Security risks at each stage of the API lifecycle, and how to mitigate them. How to implement an end-to-end automated API security model that development, security and operations teams will love. How to think positive! Why a positive security model works.

1. SECURING AN API WORLD
THE DEV, SEC AND OPS
OF APIS
ISABELLE MAUNY
CHIEF EVANGELIST & CO-FOUNDER
ISABELLE@42CRUNCH.COM

2. 2
363
AVERAGE NUMBER OF APIS IN THE ENTERPRISE

3. MANY APIS, MANY DEPLOYMENTS
3
APPLICATION
DEVELOPMENT
APPLICATION
SECURITY

4. MEET
DEV SEC OPS
4

5. WHAT IS NOT
DEV-SEC-OPS?
5

6. 6
A SINGLE PERSON !

7. WHAT IS
DEV-SEC-OPS ?
7

8. INJECTING SECURITY AS EARLY
AS POSSIBLE IN THE API LIFECYCLE
8
DeploymentTestingDevelopmentDesign
SHIFTING SECURITY LEFT

9. 9
Development
Security
Operations
Business
A CHANGE IN CULTURE: TEAMS COLLABORATING…

10. 10
…USING THE RIGHT TOOLS.

11. 11

12. A DEV-SEC-OPS CYCLE FOR APIS
12From: https://jaxenter.com/exploration-devsecops-144849.html

13. 13
1
ANALYZE &
PLAN

14. KNOW YOUR APIS AND THE
RISK THEY BRING
14See: https://www.owasp.org/index.php/Application_Threat_Modeling

15. 15
SECURE
2

16. TREAT
ALL APIS
AS
PUBLIC
16

17. VALIDATE AND SANITIZE DATA 17
URL validation
Verb validation
✓ Reject if not valid
Query params validation
✓ Min / Max / Pattern-based matching
✓ Prefer Positive Security Model
Content-Type validation
✓ Don’t accept as-is!
Data inbound
✓ Format
✓ Message Size and complexity
Data outbound
✓ Data Leakage
✓ Exception Leakage
✓ Use rules against data dictionary

18. VALIDATE ACCESS TOKENS 18
Don’t blindly trust the incoming token contents!
Validate JWT algorithm (the one you chose!)
✓ HS256
✓ RS256 (recommended)
Reject None!
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims and your own claims
See details Learn the best practices for keeping your JWTs secure.

19. IMPLEMENT A PROPER AUTHORIZATION
MODEL 19
Who is calling ?
✓ Is it your own app ?
✓ Is it a trusted user ?
✓ From where ?
What can they do ?
✓ Principles of least priviledge
✓ Do they own the data they want to access ?
OAuth scopes are often not enough !
✓ Limited to operations access
✓ You need to deal with data access!
✓ Need more fine-grained approach (XACML/OPA-
Open Policy Agent)

20. 20
VERIFY
3

21. 21
Dev QA/Testing Production Ops
Code Validation
Code reviews
API contract validation
Libraries/Components Validation
API Implementation Testing
API Contract Testing
Negative Testing: Hack yourselves!
Container Images Validation
Deployment Scripts Validation
Chaos Engineering
SSL/TLS Configuration
PenTesting

22. 22
DEFEND
4

23. 23
AUTOMATICALLY deploy security measures such as API Security
Gateways/Firewalls
Security As Code approach
Enforce Rate Limiting
Protect all APIs (Dev/QA/Prod)
Deploy at the edge and/or close to APIs (microservices architecture)
PROTECT ALL APIS

24. Dev/QA
Immediate feedback loop
Track issues found with your favorite ticketing system
Production
Analyze automatically all system logs
Profile runtime behaviour and raise potential issues automatically
24MONITOR AND ANALYZE

25. ADOPTING DEC SEC OPS
Start small and iterate
✓ Don’t try to address all issues at once!
Educate and help developers
✓ Don’t throw security at them as a new responsibility
✓ Help them by including feedback in their existing
development flow
✓ Add security people to development teams
Don’t through too many tools in the pipeline
✓ Evaluate and choose depending on your needs
25
API
Contract
Audit
Scan
Protect

26. CONTACT US:
INFO@42CRUNCH.COM
The API Security Company