The enterprise use of APIs is growing exponentially. Companies face a difficult choice: shift towards a software-based, digital approach to service and product delivery, or get left behind. Agile development, business pressure and the complexity of API security have made security teams' lives very complicated. To make matters worse, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect.
Downside: The more APIs, the higher the security risk!
API security flaws are injected at many different levels of the API lifecycle: requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities in production or post-release is up to 30 times more difficult than earlier in the API lifecycle. Security should be considered at the requirements phase, applied during development by attaching pre-defined policies to APIs, and enforced by making security tests part of the continuous delivery of the APIs.
Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API security process that gets your dev, sec and ops teams speaking the same language.
In this presentation you will learn:
Security risks at each stage of the API lifecycle, and how to mitigate them.
How to implement an end-to-end automated API security model that development, security and operations teams will love.
How to think positive! Why a positive security model works.
17. VALIDATE AND SANITIZE DATA
URL validation
Verb validation
✓ Reject if not valid
Query params validation
✓ Min / Max / Pattern-based matching
✓ Prefer Positive Security Model
Content-Type validation
✓ Don’t accept as-is!
Data inbound
✓ Format
✓ Message Size and complexity
Data outbound
✓ Data Leakage
✓ Exception Leakage
✓ Use rules against data dictionary
18. VALIDATE ACCESS TOKENS
Don’t blindly trust the incoming token contents!
Validate JWT algorithm (the one you chose!)
✓ HS256
✓ RS256 (recommended)
Reject None!
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims and your own claims
Learn the best practices for keeping your JWTs secure.
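The checks on this slide, as an added example that is not part of the deck, in a minimal verifier written with only the Python standard library. It pins HS256 rather than the recommended RS256 only because an HMAC check needs no RSA library; the key, issuer and audience are constructed sample values, and `mint` exists only to build test tokens.

```python
import base64, hashlib, hmac, json

EXPECTED_ALG = "HS256"                   # the algorithm YOU chose; never read from the token
EXPECTED_ISS = "https://issuer.example"  # constructed sample issuer
EXPECTED_AUD = "orders-api"              # constructed sample audience

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims: dict, key: bytes, header: dict = None) -> str:  # test helper, not a production signer
    header = header or {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

def verify(token: str, key: bytes, now: float) -> dict:
    """Validate a JWT in the order the slide prescribes; raises ValueError on any failure."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = (json.loads(_b64url_decode(p)) for p in (h_b64, c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as e:  # wrong part count, bad base64 (binascii.Error), bad JSON
        raise ValueError("malformed token") from e
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # 1. Algorithm: pinned to your own choice, so "none" and alg-swapping are rejected.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # 2. Signature: recompute over the bytes actually received; constant-time compare.
    expected = hmac.new(key, ("%s.%s" % (h_b64, c_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # 3. Standard claims: exp is mandatory here; iss and aud must be what you expect.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("wrong audience")
    return claims

def check(token: str, key: bytes, now: float) -> str:  # "ok" or the rejection reason, as a value
    try:
        verify(token, key, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

Pass `time.time()` as `now` in real use; the parameter is explicit so expiry checks can be exercised deterministically.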
19. IMPLEMENT A PROPER AUTHORIZATION MODEL
Who is calling?
✓ Is it your own app?
✓ Is it a trusted user?
✓ From where?
What can they do?
✓ Principle of least privilege
✓ Do they own the data they want to access?
OAuth scopes are often not enough!
✓ Limited to operation access
✓ You need to deal with data access!
✓ Need a more fine-grained approach (XACML / OPA - Open Policy Agent)
23. PROTECT ALL APIS
AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls
Security As Code approach
Enforce Rate Limiting
Protect all APIs (Dev/QA/Prod)
Deploy at the edge and/or close to APIs (microservices architecture)
24. MONITOR AND ANALYZE
Dev/QA
Immediate feedback loop
Track issues found with your favorite ticketing system
Production
Analyze automatically all system logs
Profile runtime behaviour and raise potential issues automatically
25. ADOPTING DEV SEC OPS
Start small and iterate
✓ Don’t try to address all issues at once!
Educate and help developers
✓ Don’t throw security at them as a new responsibility
✓ Help them by including feedback in their existing development flow
✓ Add security people to development teams
Don’t throw too many tools into the pipeline
✓ Evaluate and choose depending on your needs
[API lifecycle diagram: Contract, Audit, Scan, Protect]