Deconstructing API Security
Ian Goldsmith, @apibuilder
© 2015 Akana. All Rights Reserved.
APIs Extend your Digital Ecosystems
Leverage Developers & Partners Ecosystems
Tap into an extended ecosystem of developers with APIs
Capture new Opportunities with APIs
• Drive Innovation
• Increase Reach
• Support New Devices
• Discover New Business Models
• Increase Partner Network
API SECURITY
API Consumer Security?
Major API Security Concerns
EVOLUTION OF SECURITY IN DIGITAL CHANNELS
Client-Server/Web Applications
Access locations and variability of operations were limited
• No programmatic access
• Security through network isolation
• Limited users
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, certificate based, PKI, WS-Trust
• Some B2B and partner applications
• Complex, but quite secure and flexible
WS-Security Policy

  <wsp:Policy wsu:Id="WSS11SamlWithCertificates_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SymmetricBinding>
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:RequireThumbprintReference/>
                    <sp:RequireDerivedKeys wsp:Optional="true"/>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:ProtectionToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:SignedSupportingTokens>
          <wsp:Policy>
            <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssSamlV11Token11/>
              </wsp:Policy>
            </sp:SamlToken>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
        <sp:EndorsingSupportingTokens>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssX509V3Token11/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
        <sp:Wss11>
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
          </wsp:Policy>
        </sp:Wss11>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
And then came APIs
Disrupting how and where information is accessed
• Mobile and social apps don't understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
OWASP Top Ten
• A1 – Injection
• A2 – Broken authentication and session management
• A3 – Cross-site scripting (XSS)
• A4 – Insecure direct object references
• A5 – Security misconfiguration
• A6 – Sensitive data exposure
• A7 – Missing function-level access control
• A8 – Cross-site request forgery (CSRF)
• A9 – Using components with known vulnerabilities
• A10 – Unvalidated redirects and forwards
PCI Compliance
• APIs are now part of e-commerce
• Card payments pass through the API
• What about the infrastructure underlying the API?
SECURING APIS
Securing APIs (six areas, from the developer's app to the API)
• Authentication & Authorization
• Message Security
• App Key Validation/Licensing
• Content Filtering
• Threat Protection
• Rate Limiting
Authentication/Authorization/SSO
Control and restrict access to your APIs
Make it easy yet secure
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another.
Roles: Client App, Resource Owner (the user), Resource Server
OAuth Flow
OAuth – What you need
OAuth has become complex
• OAuth clients
• Provisioning
• Approval flow
• OAuth server
• Identity integration
• Token validation
• Token issue/refresh
• Token mediation (SAML, LDAP, etc.)
• QoS, monitoring
• Policy management
• API proxying
• Reporting
• Analytics
Licensing
Package your APIs in different ways
Use API keys to restrict what the app can access
The licenses control:
– OAuth authorization scopes
– Document visibility
– Quota policies
Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API keys with HMAC – Hash-based Message Authentication Code
Message Security
• Implement HTTPS
• JWS/JWE, XML Encryption & Signature
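The HMAC point above, as an added example that is not from the slides: instead of sending app_key in the query string, the client sends app_id plus an HMAC over the method, path, sorted query, timestamp and body hash, and the gateway recomputes it, compares in constant time and rejects stale timestamps. The app id "myid", the secret bytes and the header names are constructed for this example.

```python
import hashlib
import hmac
import time

# Constructed sample credentials for the hypothetical app "myid" (not real keys).
APP_SECRETS = {"myid": b"mykey-secret-constructed-for-this-example"}
CLOCK_SKEW_SECONDS = 300  # replay window the gateway tolerates


def canonical_string(method, path, query, timestamp, body):
    """Build the exact string both sides sign: any change to the request
    (method, path, sorted query, timestamp, body hash) changes the MAC."""
    sorted_query = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, sorted_query, str(timestamp), body_hash])


def sign_request(app_id, method, path, query, body, timestamp=None):
    """Client side: return the headers to send. The secret never leaves the
    client; only app_id, the timestamp and the MAC go on the wire."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, query, timestamp, body).encode()
    mac = hmac.new(APP_SECRETS[app_id], msg, hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(headers, method, path, query, body, now=None):
    """Gateway side: look up the app's secret, reject stale timestamps,
    recompute the MAC over the received request and compare in constant time."""
    now = int(time.time()) if now is None else now
    secret = APP_SECRETS.get(headers.get("X-App-Id"))
    if secret is None:
        return False
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > CLOCK_SKEW_SECONDS:
        return False
    msg = canonical_string(method, path, query, timestamp, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```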
Threat Protection
• Denial of service
• Injection attacks – detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross-site scripting
• Network address and range blacklists/whitelists
• HTTP parameter stuffing
Content Threats
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
Quota Management/Rate Limiting
Restrict the number of calls an app can make
Apply controls based on context, affinity, segmentation, etc.
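The licensing slide (licenses control OAuth scopes and quota policies) and the rate-limiting slide above, as one added gateway-side example that is not from the slides: an app key maps to a license, the license fixes the scopes it may exercise and a calls-per-window quota, and a request passes only if the token carries the required scope, the license permits it, and the sliding-window quota has headroom. License names, app keys, resources and limits are all constructed for this example.

```python
import time
from collections import defaultdict, deque

# Constructed license definitions: allowed OAuth scopes and quota (calls, window seconds).
LICENSES = {
    "free":    {"scopes": {"read:catalog"}, "quota": (5, 60)},
    "partner": {"scopes": {"read:catalog", "write:orders"}, "quota": (1000, 60)},
}
# Constructed app key registry: app key -> license name.
APP_LICENSES = {"key-free-app": "free", "key-partner-app": "partner"}
# Scope each resource requires (constructed).
RESOURCE_SCOPES = {("GET", "/catalog"): "read:catalog", ("POST", "/orders"): "write:orders"}

_calls = defaultdict(deque)  # app key -> timestamps of recent calls (sliding window)


def authorize(app_key, token_scopes, method, path, now=None):
    """Gateway decision: returns (allowed, reason). A call is allowed only if
    the app key is licensed, the required scope is both granted in the token
    and permitted by the license, and the license quota has headroom."""
    now = time.time() if now is None else now
    license_name = APP_LICENSES.get(app_key)
    if license_name is None:
        return False, "unknown app key"
    lic = LICENSES[license_name]
    needed = RESOURCE_SCOPES.get((method, path))
    if needed is None:
        return False, "unknown resource"
    if needed not in token_scopes:
        return False, "token lacks scope " + needed
    if needed not in lic["scopes"]:
        return False, "license does not permit scope " + needed
    limit, window = lic["quota"]
    recent = _calls[app_key]
    while recent and recent[0] <= now - window:   # drop calls outside the window
        recent.popleft()
    if len(recent) >= limit:
        return False, "quota exceeded"
    recent.append(now)                              # count this call against the quota
    return True, "ok"
```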
API Gateway Security
Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
MANAGING AND AUTOMATING SECURITY
Credit: Peter Cheslock
Govern
Manage your development/deployment process (API lifecycle)
• API initiatives need to be integrated with your DevOps
• Define and track multiple APIs and versions, and the dependencies on those versions, throughout the process
• Integrate with your development tools – IDE, GitHub, Chef, Puppet
• Integrate with your deployment tools
Automated Governance of Apps
• User and app onboarding
  – Configurable forms to gather user/app info, collect agreements, etc.
  – Configurable role-based notifications and approvals
• Mobile app based API SDLC approvals
  – Deliver approval requests to stakeholders on their preferred platform
• DevOps automation
API Resources and API University
• Resource Center – http://resource.akana.com/
• Follow us on: www.facebook.com/soasoftware, www.linkedin.com/company/soasoftware, @soasoftwareinc