Takeaways from API Security Breaches Webinar
3 likes2,442 views
The document outlines the risks and vulnerabilities associated with API security, highlighting common attack vectors such as client impersonation, phishing, brute force attacks, injections, and unauthorized access. It emphasizes the importance of implementing effective mitigation strategies, including stringent user authentication and input validation, to secure APIs while maintaining a good user experience. Finally, it discusses how CA API management solutions can help organizations manage, monitor, and secure their APIs effectively.
![12
©
2015
CA.
ALL
RIGHTS
RESERVED.
Phishing
aBacks
§ Risk
associated
with
redirecCon-‐based
handshakes
– Malicious
‘applicaCon’
pretends
to
be
legiCmate
– Inserts
its
own
endpoint
in
callback
address
– Gets
token
§ *E.g.
Facebook
February
2013
GET /authorize?
response_type=token&client_id=legitimate
&redirect_uri=[malicious]
Do
you
authorize
Legi%mate
app
to
access
API
on
your
behalf?
[X]
Yes
[
]
No
Tricked
you
*hBp://threatpost.com/facebook-‐patches-‐oauth-‐
authenCcaCon-‐vulnerability-‐022613/77563
API](https://image.slidesharecdn.com/ca-api-management-takeaways-api-security-breaches-webinar-150325161456-conversion-gate01/85/Takeaways-from-API-Security-Breaches-Webinar-12-320.jpg)
![13
©
2015
CA.
ALL
RIGHTS
RESERVED.
Phishing
miCgaCon
101
§ Register
and
validate
redirecCon
URIs
§ Strict
validaCon
(not
parCal)
§ Never
skip
consent
step
GET /authorize?
response_type=token&client_id=legitimate
&redirect_uri=[malicious]
Error
Invalid
callback
foiledL
(out-‐of-‐band)
Register
LegiCmate
app
Callback=foo
API](https://image.slidesharecdn.com/ca-api-management-takeaways-api-security-breaches-webinar-150325161456-conversion-gate01/85/Takeaways-from-API-Security-Breaches-Webinar-13-320.jpg)
![14
©
2015
CA.
ALL
RIGHTS
RESERVED.
Brute
force
§ E.g.
snapchat
find_friend
exploit
– December
2013
App
Contacts
Get
list
of
phone
numbers
from
local
contacts
API
Is
contact
a
member?
[for
each
local
contact]
Is
member?
[for
every
possible
phone
number]
Steal
all
phone
numbers
of
members
API](https://image.slidesharecdn.com/ca-api-management-takeaways-api-security-breaches-webinar-150325161456-conversion-gate01/85/Takeaways-from-API-Security-Breaches-Webinar-14-320.jpg)
![16
©
2015
CA.
ALL
RIGHTS
RESERVED.
InjecCon
§ InjecCon
aBacks,
parCcularly
in
public
clients
scenario
is
at
the
core
of
the
most
common
exploits
– SQL/LDAP/Xpath/Xquery/Code
injecCons
§ *E.g.
InjecCon
in
query
parameters
GET /history?transactionid=123456 select from table where id=‘[ ]’
GET /history?transactionid=%27+OR+%271%27%3D%271
select from table where id=‘’ or ‘1’=‘1’
*hBp://forums.sugarcrm.com/f6/rest-‐api-‐sql-‐injecCon-‐
exploit-‐89589/](https://image.slidesharecdn.com/ca-api-management-takeaways-api-security-breaches-webinar-150325161456-conversion-gate01/85/Takeaways-from-API-Security-Breaches-Webinar-16-320.jpg)
More Related Content
Similar to Takeaways from API Security Breaches Webinar (20)
Takeaways from API Security Breaches Webinar
- 1. Takeaways from API Security Breaches Jaime Ryan – Sr. Director, API Management Technical Strategy Tyson WhiBen – Director, API Management SoluCons MarkeCng
- 2. 2 © 2015 CA. ALL RIGHTS RESERVED. Agenda API BREACHES RISK MITIGATION STEPS API MANAGEMENT SOLUTIONS QUESTIONS 1 2 3 4
- 3. 3 © 2015 CA. ALL RIGHTS RESERVED. APIs at the center OUTSIDE PARTNERS / DIVISIONS EXTERNAL DEVELOPERS MOBILE APPS CLOUD SERVICES INTERNET OF THINGS API APPS
- 4. 4 © 2015 CA. ALL RIGHTS RESERVED. APIs expose sensiCve data APIs are also the a<ack vector of choice for hackers to disrupt your service or gain access to private informaIon API
- 5. 5 © 2015 CA. ALL RIGHTS RESERVED. Prominent API Breaches
- 6. Top API VulnerabiliCes and MiCgaCon Steps
- 7. 7 © 2015 CA. ALL RIGHTS RESERVED. When an API is hacked . . . § API vulnerabiliCes surface – When exploits are discovered by the API publisher – When discovered by 3rd party – When an organizaCon is actually hacked § Exploits are rarely documented § Public APIs are most scruCnized § Private/Hidden APIs are also vulnerable
- 8. 8 © 2015 CA. ALL RIGHTS RESERVED. Top-‐5 vulnerabiliCes/miCgaCons § Most common/current vulnerabiliCes and miCgaCons for securing your API – Client impersonaCon – Phishing – Brute force – InjecCons – Unauthorized access/compromised secrets
- 9. 9 © 2015 CA. ALL RIGHTS RESERVED. Client impersonaCon § An aBacker reverse-‐engineers a secret assigned to an app and uses it to call an API pretending to be the legiCmate app § E.g. TwiBer OAuth Keys Leaked – March 2013 § E.g. Snapchat – December 2013
- 10. 10 © 2015 CA. ALL RIGHTS RESERVED. Client impersonaCon miCgaCon #1 § It’s either confidenCal, or it isn’t – Don’t ‘hide’ a secret on a public app store or render it on a web page § Learn to ‘let go’ of your app once published – Design security mechanisms assuming public clients – Don’t grant access to resource based solely on the app idenCty (require user auth)
- 11. 11 © 2015 CA. ALL RIGHTS RESERVED. Client impersonaCon miCgaCon #2 § Call API from actual confidenCal client – Use frameworks that let you authoritaCvely assess devices, apps – From server-‐side web app vs browser-‐side script – Provision app-‐level secret post-‐installaCon as part of a registraCon step – Private app stores API
- 12. 12 © 2015 CA. ALL RIGHTS RESERVED. Phishing aBacks § Risk associated with redirecCon-‐based handshakes – Malicious ‘applicaCon’ pretends to be legiCmate – Inserts its own endpoint in callback address – Gets token § *E.g. Facebook February 2013 GET /authorize? response_type=token&client_id=legitimate &redirect_uri=[malicious] Do you authorize Legi%mate app to access API on your behalf? [X] Yes [ ] No Tricked you *hBp://threatpost.com/facebook-‐patches-‐oauth-‐ authenCcaCon-‐vulnerability-‐022613/77563 API
- 13. 13 © 2015 CA. ALL RIGHTS RESERVED. Phishing miCgaCon 101 § Register and validate redirecCon URIs § Strict validaCon (not parCal) § Never skip consent step GET /authorize? response_type=token&client_id=legitimate &redirect_uri=[malicious] Error Invalid callback foiledL (out-‐of-‐band) Register LegiCmate app Callback=foo API
- 14. 14 © 2015 CA. ALL RIGHTS RESERVED. Brute force § E.g. snapchat find_friend exploit – December 2013 App Contacts Get list of phone numbers from local contacts API Is contact a member? [for each local contact] Is member? [for every possible phone number] Steal all phone numbers of members API
- 15. 15 © 2015 CA. ALL RIGHTS RESERVED. Brute force miCgaCon Rate LimiCng, Quotas, SLAs § Targeted rate limiCng specific aBack vectors – Limit access to any resource granted without direct ownership – Limit failed authenCcaCon, limit password resets § Detect brute force paBern and block § Correlate idenCty, locaCon, concurrency § Rate limit to protect backend API – Global limits to prevent DoS § Apply rate-‐limiCng with applicaCon level awareness – Limit for a specific operaCon for each user/applicaCon – Limit for a specific input for each user/applicaCon Captcha? SupporCng headless clients
- 16. 16 © 2015 CA. ALL RIGHTS RESERVED. InjecCon § InjecCon aBacks, parCcularly in public clients scenario is at the core of the most common exploits – SQL/LDAP/Xpath/Xquery/Code injecCons § *E.g. InjecCon in query parameters GET /history?transactionid=123456 select from table where id=‘[ ]’ GET /history?transactionid=%27+OR+%271%27%3D%271 select from table where id=‘’ or ‘1’=‘1’ *hBp://forums.sugarcrm.com/f6/rest-‐api-‐sql-‐injecCon-‐ exploit-‐89589/
- 17. 17 © 2015 CA. ALL RIGHTS RESERVED. InjecCon MiCgaCon § Input saniCzaCon – Parse input parameters (payload/transport) – Apply paBern validaCon – JSON Path, XPath, XSD, JSON Schema, RegEx, … – Own and Cghten your metadata – Code-‐level saniCzaCon (e.g. Prepared Statements) § Signature-‐based threat detecCon – Look for injecCon paBerns in payload and at transport level
- 18. 18 © 2015 CA. ALL RIGHTS RESERVED. Unauthorized access § E.g. Unsecured API § E.g. AuthenCcated client can access resource that should be restricted § E.g. Session secret compromised Balancing UX and Security More Convenience More Risk Less Convenience Less Risk No credenCals Device Passcode App security
- 19. 19 © 2015 CA. ALL RIGHTS RESERVED. Unauthorized Access MiCgaCon § AuthenCcaCon – Local auth, integraCon into exisCng idenCty providers – Social provider integraCon – FederaCon, SAML § Token issuing, lifecycle management – OAuth, OpenID Connect – JWT/JWS – Token refresh, revocaCon § Assert user/app/device idenCCes § Scope – User-‐granted permissions § Resource Server – Map token idenCCes and resource ownership § IdenCty mapping – SAML/OAuth/local/Kerberos/… – RunCme mapping internal/external
- 20. How API Management can help
- 21. 21 © 2015 CA. ALL RIGHTS RESERVED. CA API Management Manages & Secures APIs @ Design & RunCme CA API GATEWAY … MOBILE DEVELOPERS MOBILE APPS CA API DEVELOPER PORTAL API API Design Time RunCme § Discover APIs § Self-‐register § Collaborate & test § AdaptaCon, mediaCon § ThroBling, caching § Policy & access control § Create & publish APIs § API Plans & pricing § Monitoring & analyCcs § Embed app security § SSO, social, risk § OAuth 2.0, OpenID Connect, UMA
- 22. 22 © 2015 CA. ALL RIGHTS RESERVED. On-‐Premise Hybrid SaaS The Gateway and Portal – Flexible Delivery Models § Soyware ownership § Highly customizable to match business needs § Control over infrastructure and upgrades § Flexible combinaCon of on/off premise soluCons § Provides business and compliance flexibility § Includes integraCon § Faster deployment/less customizaCon § Reduced infrastructure/upgrade costs § Simple scalability § Growing set of funcConality Flexibility for iniIal investment and in the rate/extent of migraIon to the cloud
- 23. 23 © 2015 CA. ALL RIGHTS RESERVED. Goals of the business, employee and consumer To move seamlessly and securely between apps and devices
- 24. 24 © 2015 CA. ALL RIGHTS RESERVED. App Context IdenCty 2. User provides Enterprise credenCals 1. User taps one of the four enterprise apps 3. User can seamlessly switch between the four enterprise apps
- 25. 25 © 2015 CA. ALL RIGHTS RESERVED. Discuss Q4 targets with Bob. Don’t forget to Discuss Q4 targets with Bob. Don’t forget to cover incenCves. 1. Phone detects it is close to tablet using Bluetooth Low Energy 2. Session migrates to tablet so user does not have to reenter credenCals App Context 3. App session context pushed to secure cloud storage Source Target 4. Context can be pushed to different target apps § Email § Notes § …etc. IdenCty
- 26. 26 © 2015 CA. ALL RIGHTS RESERVED. Latest analyst reviews: CA API Management is a leader “CA Technologies has strong API security, integraIon, and mobile app support. With Layer 7’s long history as an SOA applicaCon gateway provider, CA’s soluCon has among the best API security, message transformaCon, and integraCon features in our evaluaCon. Among the tradiConal gateway vendors, Layer 7 was an early mover into the API management space, which has given CA a head start to round out the features of its portal and tooling for API product managers. The gateway’s mobile app support is also among the best in our evaluaCon ..” The Forrester Wave: API Management SoluIons, Q3 2014. The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representaCon of Forrester's call on a market and is ploBed using a detailed spreadsheet with exposed scores, weighCngs, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. InformaCon is based on best available resources. Opinions reflect judgment at the Cme and are subject to change Forrester Research Inc., “Forrester Wave: API Management SoluCons, Q3 2014”, September 29, 2014
- 27. 27 © 2015 CA. ALL RIGHTS RESERVED. Summary § Protect your APIs – But support developers – Do not sacrifice UX § Leverage API infrastructure to implement API security best pracCces
- 28. 28 © 2015 CA. ALL RIGHTS RESERVED. CA API Management at RSA
- 29. Director API Management Product MarkeCng [email protected] Tyson Whi<en ca.com/api Sr Director, Technical Strategy [email protected] Jaime Ryan
- 30. 30 © 2015 CA. ALL RIGHTS RESERVED. Legal NoCce © Copyright CA 2015. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respecCve companies. No unauthorized use, copying or distribuCon permiBed. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the informaCon. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connecCon with this presentaCon, including, without limitaCon, lost profits, lost investment, business interrupCon, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.