SlideShare a Scribd company logo
1 of 23
Download to read offline
Securing an API World
A POSITIVE
SECURITY MODEL
FOR APIS
ISABELLEMAUNY
ISABELLE@42CRUNCH.COM
Introducing Security
Models
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
NEGATIVE SECURITY MODEL (BLACKLIST)
3
Access Allowed
by default
Block access for
suspicious traffic
Threats centric
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
POSITIVE SECURITY MODEL (WHITELIST)
4
Access Denied by
default
Allow Access only
to approved
traffic
Trust centric
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
WHY A POSITIVE MODEL ?
Much stricter access control
Limited false positives
More efficient
✓ Simple vs. very complex regular expressions for
blacklisting
No need to update when new threats are
found
5
However…
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
KEEPING UP IS HARD…
A whitelist is only powerful if complete!
It requires lots of efforts to define and
maintain up to date with constant
applications changes
✓ High human cost, usually several people full
time
Traditionally been very hard to
implement
✓ Which is why default WAF model is blacklisting
7
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
…BUT APIS ARE DIFFERENT!
OpenAPI specification (OAS) can be
leveraged to describe the API contract.
Can be easily updated from code, or via
specialized tools, so the whitelist is always
in sync with the application.
You can start addressing security straight
from design time!
OpenAPI lets you build the ultimate
whitelist!
✓ And as bonus , you get better documentation!
8
OPENAPI 

INITIATIVE
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
HOW 42CRUNCH LEVERAGES OAS
9
Audit Service
performs 200+
security checks on
API Contract
Scan service
ensures API
implementation
conforms to API
contract
Protection service is
automatically
configured from
API contract
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
OWASP API SECURITY TOP 10
10
• API1	:	Broken	Object	Level	Authorisation	
• API2	:	Broken	Authentication	
• API3	:	Excessive	Data	Exposure	
• API4	:	Lack	of	Resources	&	Rate	Limiting	
• API5	:	Missing	Function/Resource	Level	Access	Control	
• API6	:	Mass	Assignment	
• API7	:	Security	Misconfiguration	
• API8	:	Injection	
• API9	:	Improper	Assets	Management	
• API10	:	Insufficient	Logging	&	Monitoring	
DOWNLOAD
Addressing API threats
with a positive model
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
EQUIFAX AND MANY MORE COMPANIES (2017)
The Attack
✓ Remote command injection attack: server executes commands written in ONGL language when a Content-Type
validation error is raised.
✓ Can also be exploited using the Content-Disposition or Content-Length headers
The Breach
✓ One of the most important in history: 147 millions people worldwide, very sensitive data
✓ Equifax got fined $700 million in Sept 2019
Core Issue
✓ Remote command injection vulnerability in Apache Struts widely exploited during months.
12
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
CONTENT-TYPE IN OAS
Declare “consumes” at API or operation level
✓ Limits Content-Type header value to specific mime types
Declare all request headers
13
"consumes": [
“application/x-www-form-urlencoded”,
“application/json”
],
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
HOW 42CRUNCH ADDRESSES THE PROBLEM
At Audit time
✓ Detect that Consumes is not defined
At Scan time
✓ Inject wrong Content-Type
✓ Inject wrong formats for all listed headers
At Runtime
✓ Block any Content-Type that does not match Consumes value at Runtime
✓ Block any header not matching the description
✓ Block inbound data that does not match the Content-Type
14
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
HARBOUR REGISTRY
The Attack
✓ Privilege escalation: become registry administrator
The Breach
✓ 1300+ registries with default security settings
Core Issue
✓ Mass Assignment vulnerability allows any normal user to become an admin
✓
POST /api/users
{“username”:”test”,”email”:”test123@gmail.com”,”realname
”:”noname”,”password”:”Password1u0021″,”comment”:null,
“has_admin_role” = True}
15
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
HOW OAS CAN BE USED ?
Describe inbound schema for all requests
Use different schemas by operation (retrieve
user data vs. update user data)
16
"UsersItem": {
"type": "object",
"additionalProperties": false,
"properties": {
"_id": {
"type": "number",
"format": "integer",
"minimum": 0,
"maximum": 999999
},
"email": {
"type": "string",
"format": "email",
"pattern": “<email_regex>”,
"minLength": 10,
"maxLength": 60
},…
"is_admin": {
"description": "is admin",
"type": "boolean"
},
…
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
HOW 42CRUNCH ADDRESSES THE PROBLEM
At Audit time
✓ Detects that schemas are not associated to requests
✓ Analyzes how well data is defined (patterns, min, max, enums)
✓ Highlights usage of “additional properties”
At Scan time
✓ Injects additional properties
✓ Injects improper data
At Runtime
✓ Enforces schema definition
✓ Enforces Additional Properties restrictions
✓ Block non-declared VERBs (block unwanted POST)
17
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
UBER (SEPT 2019)
The Attack
✓ Account takeover for any Uber account from a phone number
The Breach
✓ None. This was a bug bounty.
Core Issues
✓ First Data leakage : driver internal UUID exposed through error message!
✓ Second Data leakage via the getConsentScreenDetails operation: full account information is
returned, when only a few fields are used by the UI. This includes the mobile token used to
login onto the account
18
A2
A3
A4
A5
A6
A10
A9
A8
A7
A1
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
HOW OAS CAN BE USED ?
Describe thoroughly all potential responses
Define the produces value
✓ Which data will be returned
Use different schemas by operation (retrieve
user data vs. update user data)
19
”produces”: [
"application/json"
],
"responses": {
"200": {
"description": “successful..”,
"schema": {
"type": "array",
"minItems": 0,
"maxItems": 50,
"items": {
"$ref": "#/definitions/
UsersItem"
}
}
"403": {
"description": “invalid…”,
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"pattern": "xxxx",
"minLength": 1,
"maxLength": 255
},
“success”: …
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
HOW 42CRUNCH ADDRESSES THE PROBLEM
At Audit time
✓ Analyzes which responses should be defined depending on verb (GET, POST, …)
✓ Detects that schemas are not associated to responses
✓ Analyzes how well data is defined (patterns, min, max, enums)
✓ Highlights usage of “additional properties”
At Scan time
✓ Validates responses are all defined in contract
✓ Validates responses match schemas defined in contract
At Runtime
✓ Block responses that do not match “Produces” value (unknown mime-type)
✓ Blocks responses that do not match schema definition
✓ Block non-declared responses (unknown HTTP codes)
✓ Enforces Additional Properties restrictions
20
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
A POSITIVE MODEL FOR API SECURITY WITH 42CRUNCH
Leverage OAS and build the ultimate whitelist at
design time!
✓ Right in your IDE with our VSCode extension
✓ Thorough report with priorities to act upon
Ensure API Contract is up to date via automated
audit and scan at integration/testing time
✓ Include API Contract audit and scan in your favorite CI/CD
pipeline
Leverage the power of OAS to protect your APIs at
runtime
✓ Lightweight, Kubernetes-ready firewall to automatically
protect your APIs from API contract!
21
Securing an API World
CONTACT US:
INFO@42CRUNCH.COM
Start testing your API contracts today on apisecurity.io!
 © COPYRIGHT 42CRUNCH | CONFIDENTIAL
RESOURCES
• 42Crunch Website
• Free OAS Security Audit
• OpenAPI VS Code Extension
• OpenAPI Spec Encyclopedia
• OWASP API Security Top 10
• APIsecurity.io

More Related Content

What's hot

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs42Crunch
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World42Crunch
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
Why you need API Security Automation
Why you need API Security AutomationWhy you need API Security Automation
Why you need API Security Automation42Crunch
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story42Crunch
 
API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)Apigee | Google Cloud
 
Guidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsGuidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsIsabelle Mauny
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best PracticesCA API Management
 
42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop42Crunch
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World42Crunch
 
Advanced API Security Patterns
Advanced API Security PatternsAdvanced API Security Patterns
Advanced API Security Patterns42Crunch
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at ScaleNordic APIs
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security42Crunch
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 

What's hot (20)

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
 
Why you need API Security Automation
Why you need API Security AutomationWhy you need API Security Automation
Why you need API Security Automation
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
 
API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)
 
Guidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsGuidelines to protect your APIs from threats
Guidelines to protect your APIs from threats
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
 
42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
 
Advanced API Security Patterns
Advanced API Security PatternsAdvanced API Security Patterns
Advanced API Security Patterns
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 
Open APIs Design
Open APIs DesignOpen APIs Design
Open APIs Design
 

Similar to WEBINAR: Positive Security for APIs: What it is and why you need it!

apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop42Crunch
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesAhmad Khan
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversysKrishnendu Paul
 
Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...
Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...
Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...Vlad Mihnea
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshopkanimozhin
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...kanimozhin
 
Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016Scott Sims
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...apidays
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...apidays
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationAmazon Web Services
 

Similar to WEBINAR: Positive Security for APIs: What it is and why you need it! (20)

apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation Overview
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practices
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversys
 
Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...
Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...
Ymens - Bouncing off clouds - Rapid Development for Cloud Ready Applications...
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshop
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...
 
Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 

Recently uploaded

Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기Chiwon Song
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!Neo4j
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9Jürgen Gutsch
 
Mastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example ProjectMastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example Projectwajrcs
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 

Recently uploaded (20)

Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Sustainable Web Design - Claire Thornewill
Sustainable Web Design - Claire ThornewillSustainable Web Design - Claire Thornewill
Sustainable Web Design - Claire Thornewill
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9
 
Mastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example ProjectMastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example Project
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 

WEBINAR: Positive Security for APIs: What it is and why you need it!

  • 1. Securing an API World A POSITIVE SECURITY MODEL FOR APIS ISABELLEMAUNY ISABELLE@42CRUNCH.COM
  • 3.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL NEGATIVE SECURITY MODEL (BLACKLIST) 3 Access Allowed by default Block access for suspicious traffic Threats centric
  • 4.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL POSITIVE SECURITY MODEL (WHITELIST) 4 Access Denied by default Allow Access only to approved traffic Trust centric
  • 5.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL WHY A POSITIVE MODEL ? Much stricter access control Limited false positives More efficient ✓ Simple vs. very complex regular expressions for blacklisting No need to update when new threats are found 5
  • 7.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL KEEPING UP IS HARD… A whitelist is only powerful if complete! It requires lots of efforts to define and maintain up to date with constant applications changes ✓ High human cost, usually several people full time Traditionally been very hard to implement ✓ Which is why default WAF model is blacklisting 7
  • 8.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL …BUT APIS ARE DIFFERENT! OpenAPI specification (OAS) can be leveraged to describe the API contract. Can be easily updated from code, or via specialized tools, so the whitelist is always in sync with the application. You can start addressing security straight from design time! OpenAPI lets you build the ultimate whitelist! ✓ And as bonus , you get better documentation! 8 OPENAPI 
 INITIATIVE
  • 9.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL HOW 42CRUNCH LEVERAGES OAS 9 Audit Service performs 200+ security checks on API Contract Scan service ensures API implementation conforms to API contract Protection service is automatically configured from API contract
  • 10.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL OWASP API SECURITY TOP 10 10 • API1 : Broken Object Level Authorisation • API2 : Broken Authentication • API3 : Excessive Data Exposure • API4 : Lack of Resources & Rate Limiting • API5 : Missing Function/Resource Level Access Control • API6 : Mass Assignment • API7 : Security Misconfiguration • API8 : Injection • API9 : Improper Assets Management • API10 : Insufficient Logging & Monitoring DOWNLOAD
  • 11. Addressing API threats with a positive model
  • 12.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL EQUIFAX AND MANY MORE COMPANIES (2017) The Attack ✓ Remote command injection attack: server executes commands written in ONGL language when a Content-Type validation error is raised. ✓ Can also be exploited using the Content-Disposition or Content-Length headers The Breach ✓ One of the most important in history: 147 millions people worldwide, very sensitive data ✓ Equifax got fined $700 million in Sept 2019 Core Issue ✓ Remote command injection vulnerability in Apache Struts widely exploited during months. 12 A2 A3 A4 A5 A6 A10 A9 A8 A7 A1 https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
  • 13.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL CONTENT-TYPE IN OAS Declare “consumes” at API or operation level ✓ Limits Content-Type header value to specific mime types Declare all request headers 13 "consumes": [ “application/x-www-form-urlencoded”, “application/json” ],
  • 14.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL HOW 42CRUNCH ADDRESSES THE PROBLEM At Audit time ✓ Detect that Consumes is not defined At Scan time ✓ Inject wrong Content-Type ✓ Inject wrong formats for all listed headers At Runtime ✓ Block any Content-Type that does not match Consumes value at Runtime ✓ Block any header not matching the description ✓ Block inbound data that does not match the Content-Type 14
  • 15.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL HARBOUR REGISTRY The Attack ✓ Privilege escalation: become registry administrator The Breach ✓ 1300+ registries with default security settings Core Issue ✓ Mass Assignment vulnerability allows any normal user to become an admin ✓ POST /api/users {“username”:”test”,”email”:”test123@gmail.com”,”realname ”:”noname”,”password”:”Password1u0021″,”comment”:null, “has_admin_role” = True} 15 A2 A3 A4 A5 A6 A10 A9 A8 A7 A1 https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
  • 16.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL HOW OAS CAN BE USED ? Describe inbound schema for all requests Use different schemas by operation (retrieve user data vs. update user data) 16 "UsersItem": { "type": "object", "additionalProperties": false, "properties": { "_id": { "type": "number", "format": "integer", "minimum": 0, "maximum": 999999 }, "email": { "type": "string", "format": "email", "pattern": “<email_regex>”, "minLength": 10, "maxLength": 60 },… "is_admin": { "description": "is admin", "type": "boolean" }, …
  • 17.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL HOW 42CRUNCH ADDRESSES THE PROBLEM At Audit time ✓ Detects that schemas are not associated to requests ✓ Analyzes how well data is defined (patterns, min, max, enums) ✓ Highlights usage of “additional properties” At Scan time ✓ Injects additional properties ✓ Injects improper data At Runtime ✓ Enforces schema definition ✓ Enforces Additional Properties restrictions ✓ Block non-declared VERBs (block unwanted POST) 17
  • 18.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL UBER (SEPT 2019) The Attack ✓ Account takeover for any Uber account from a phone number The Breach ✓ None. This was a bug bounty. Core Issues ✓ First Data leakage : driver internal UUID exposed through error message! ✓ Second Data leakage via the getConsentScreenDetails operation: full account information is returned, when only a few fields are used by the UI. This includes the mobile token used to login onto the account 18 A2 A3 A4 A5 A6 A10 A9 A8 A7 A1
  • 19.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL HOW OAS CAN BE USED ? Describe thoroughly all potential responses Define the produces value ✓ Which data will be returned Use different schemas by operation (retrieve user data vs. update user data) 19 ”produces”: [ "application/json" ], "responses": { "200": { "description": “successful..”, "schema": { "type": "array", "minItems": 0, "maxItems": 50, "items": { "$ref": "#/definitions/ UsersItem" } } "403": { "description": “invalid…”, "schema": { "type": "object", "properties": { "message": { "type": "string", "pattern": "xxxx", "minLength": 1, "maxLength": 255 }, “success”: …
  • 20.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL HOW 42CRUNCH ADDRESSES THE PROBLEM At Audit time ✓ Analyzes which responses should be defined depending on verb (GET, POST, …) ✓ Detects that schemas are not associated to responses ✓ Analyzes how well data is defined (patterns, min, max, enums) ✓ Highlights usage of “additional properties” At Scan time ✓ Validates responses are all defined in contract ✓ Validates responses match schemas defined in contract At Runtime ✓ Block responses that do not match “Produces” value (unknown mime-type) ✓ Blocks responses that do not match schema definition ✓ Block non-declared responses (unknown HTTP codes) ✓ Enforces Additional Properties restrictions 20
  • 21.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL A POSITIVE MODEL FOR API SECURITY WITH 42CRUNCH Leverage OAS and build the ultimate whitelist at design time! ✓ Right in your IDE with our VSCode extension ✓ Thorough report with priorities to act upon Ensure API Contract is up to date via automated audit and scan at integration/testing time ✓ Include API Contract audit and scan in your favorite CI/CD pipeline Leverage the power of OAS to protect your APIs at runtime ✓ Lightweight, Kubernetes-ready firewall to automatically protect your APIs from API contract! 21
  • 22. Securing an API World CONTACT US: INFO@42CRUNCH.COM Start testing your API contracts today on apisecurity.io!
  • 23.  © COPYRIGHT 42CRUNCH | CONFIDENTIAL RESOURCES • 42Crunch Website • Free OAS Security Audit • OpenAPI VS Code Extension • OpenAPI Spec Encyclopedia • OWASP API Security Top 10 • APIsecurity.io