CA API Gateway: Web API and Application Security
Ben Urbanski, Advisor, API Management Presales, CA Technologies
Session D03X41E, DevOps track

Page 1: CA API Gateway: Web API and Application Security


Page 2: CA API Gateway: Web API and Application Security

5 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

Terms of this Presentation: For Informational Purposes Only

© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Page 3: CA API Gateway: Web API and Application Security


Abstract

This session explores common web service, web API and web application security considerations and how you can use CA API Management solutions to address them.

Ben Urbanski has almost 10 years of experience with API gateways beginning at IBM in 2007, continuing at Layer 7 in 2011, and to this day at CA Technologies. During that time, he’s been a presales engineer, a senior director of presales engineering, and now an advisor on CA’s API Management Presales Center of Excellence team. He has helped many customers understand how they can simplify and accelerate the creation, security, integration and management of their web services, web APIs, web applications and mobile applications using API gateways, API portals and related products. Earlier in his career, he spent time as a software engineer at several companies, so he’s well grounded in software development practices and how they relate to API management.

Ben Urbanski
Advisor, API Management Presales, CA Technologies

Page 4: CA API Gateway: Web API and Application Security


Agenda

– Securing the New Perimeter
– CA API Management Suite and Common Use Cases
– Demonstration
– Security Process
– Security Considerations and Features
– Where to Start?

Page 5: CA API Gateway: Web API and Application Security


The Digital Enterprise and Application Economy

Diagram labels: Developer Community; Cloud Services; Partners/Divisions; Mobile Apps; IoT / Big Data; Social Registration

Page 6: CA API Gateway: Web API and Application Security


APIs are the New Perimeter

Page 7: CA API Gateway: Web API and Application Security


CA quickly and easily creates, secures and manages APIs

Page 8: CA API Gateway: Web API and Application Security


CA API Management

Diagram of the suite:
– CA API Developer Portal (design time), used by app developers
– CA (Mobile) API Gateway and ESM (runtime), in front of applications
– CA Mobile App Services (runtime), with the MSSO and MAS SDKs
– CA Live API Creator (design time), used by API publishers

Page 9: CA API Gateway: Web API and Application Security


CA API Management Use Cases and Deployment

Use cases: Security Gateway, Internal Security, Integration (ESB, no ESB or microservices), Traffic Management (SLA), API Creation, API Management, Mobile Enablement, Identity Brokering

Deployment diagram labels:
– DMZ: Gateways (optionally with MAG & MAS)
– Trusted Zone: Gateways, Portal, Application Servers, CA Live API Creator
– Design time: Partner App Developers, Internal API and App Developers
– Runtime: Applications, MSSO SDKs, MAS SDKs
– API Academy

Page 10: CA API Gateway: Web API and Application Security


Security Begins with Risk Analysis

Risk Assessment

What is your risk?

Risk Management

What will you do about it?

Page 11: CA API Gateway: Web API and Application Security


What is your risk?

Diagram: Assets, Threats and Vulnerabilities combine to give Risk. Risk exists only where all three coincide: an asset worth protecting, a threat that targets it, and a vulnerability the threat can exploit. Removing any one of the three removes the risk.

Page 12: CA API Gateway: Web API and Application Security


What will you do about it?

– Avoidance (stop doing the thing that carries the risk)
– Reduction (add controls that lower the likelihood or the impact)
– Sharing (transfer part of the risk, e.g. to a partner or insurer)
– Retention (knowingly accept the residual risk)

Page 13: CA API Gateway: Web API and Application Security


Security Gateway / Internal Security

– Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance
– Leading edge support for industry and vendor security standards and solutions
– Service Virtualization
– Identification (with Federation & Brokering), Authentication, Authorization & Auditing
– Confidentiality
– Integrity
– Logging
– Non-repudiation
– Data Classification and Compliance
– Threat Protection

Page 14: CA API Gateway: Web API and Application Security


Security Gateway / Internal Security (additional detail)

Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance
– Common Criteria (CC) is the most relevant security certification for solutions in our space; CA is the only gateway vendor with a recent certification to more relevant profiles
– FIPS 140-2 Level 1 crypto processing in all form factors by default. CA offers an optional hardware acceleration card for crypto processing that includes an on-board HSM in its hardware appliance form factor for FIPS 140-2 Level 3. (Level 1 validates the cryptographic module in software; Level 3 adds physical tamper detection and response and identity-based operator authentication, so private keys stay inside the HSM rather than on the appliance's disk.)
– CA's emphasis on performance allows customers to take advantage of its many security capabilities without experiencing significant negative performance and scalability impacts.

Page 15: CA API Gateway: Web API and Application Security


Security Gateway / Internal Security (additional detail)

Leading edge support for industry and vendor security standards and solutions
– The industry and vendors are frequently creating and evolving security standards and solutions. These can be difficult to understand, implement and maintain. CA wraps its expert knowledge of both in automatic and/or simple-to-configure policy language that keeps pace with changes.
– CA is often used to negotiate differences in security standards and solutions between consumers and providers of services. For example, consumers might want to send their credentials using WS-Security UsernameTokens, and providers might expect credentials via SAML tokens. With CA in between, neither consumers nor providers need to change. Instead, CA can accept WS-Security UsernameTokens (and many others) from the consumer, perform authentication and authorization (and more), and include a SAML assertion in the request forwarded to the provider. The provider then trusts the gateway's signature on that assertion rather than the original credential, so the gateway's signing key and the gateway-to-provider link become the trust boundary to protect.

Service Virtualization
– An ESB concept, but with security implications. By using CA to virtualize your services (including their identity, protocol and interface), you hide implementation details (backend hostnames, framework error pages, WSDL internals) from attackers and cut down what reconnaissance can learn. This raises the cost of an attack but does not fix a vulnerable backend; pair it with the validation and threat-protection controls described below.
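The UsernameToken-to-SAML brokering described above, worked through in Python as an added example. This is not CA policy or product code; the identity store, the gateway issuer name and the clock-skew window are assumptions made for the example. The gateway side verifies a digest-form UsernameToken (including the freshness of wsu:Created), strips it, and forwards a SAML 2.0 assertion in its place:

```python
import base64
import hashlib
import hmac
import secrets
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the WS-Security UsernameToken Profile 1.0 and SAML 2.0
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("saml", SAML)):
    ET.register_namespace(_prefix, _uri)

# Hypothetical identity store and gateway issuer (constructed for this example)
USERS = {"alice": "correct horse battery staple"}
ISSUER = "https://gateway.example.com"
CLOCK_SKEW = timedelta(minutes=5)
TS = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_username_token_request(username: str, password: str, now: datetime) -> bytes:
    """What the consumer sends: a SOAP request carrying a digest-form UsernameToken."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    created = now.strftime(TS)
    digest = password_digest(nonce, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>'
        f"<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        "<soap:Body><GetOrder/></soap:Body></soap:Envelope>"
    ).encode()


def authenticate_username_token(env: ET.Element, now: datetime) -> str:
    """Gateway-side check. Returns the authenticated username or raises PermissionError."""
    token = env.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise PermissionError("no UsernameToken")
    username = token.findtext(f"{{{WSSE}}}Username") or ""
    pw = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce") or ""
    created = token.findtext(f"{{{WSU}}}Created") or ""
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        raise PermissionError("only PasswordDigest tokens are accepted")  # no clear-text passwords
    try:
        created_dt = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
    except ValueError:
        raise PermissionError("bad or missing wsu:Created")
    if abs(now - created_dt) > CLOCK_SKEW:
        raise PermissionError("stale token")  # bounds how long a captured digest stays usable
    # Always compute a digest so unknown users cost the same time as wrong passwords
    try:
        expected = password_digest(nonce, created, USERS.get(username, ""))
    except ValueError:
        raise PermissionError("bad nonce encoding")
    if username not in USERS or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        raise PermissionError("bad credentials")
    return username


def broker_to_saml(request: bytes, now: datetime) -> bytes:
    """Identity brokering: authenticate the consumer's token, drop it, forward a SAML assertion."""
    env = ET.fromstring(request)
    user = authenticate_username_token(env, now)
    security = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    security.remove(security.find(f"{{{WSSE}}}UsernameToken"))  # the provider never sees the credential
    assertion = ET.SubElement(security, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.strftime(TS)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = ISSUER
    ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = user
    ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(TS), "NotOnOrAfter": (now + CLOCK_SKEW).strftime(TS)})
    # A real gateway signs the assertion (XML Signature) with its key and the provider verifies
    # that signature; signing is omitted here.
    return ET.tostring(env)
```

Only the digest form is accepted, so the password itself never crosses the wire, and the Created timestamp is checked before the digest so a captured token cannot be replayed indefinitely. The step deliberately left out, signing the assertion, is the one the provider's trust rests on.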

Page 16: CA API Gateway: Web API and Application Security


Security Gateway / Internal Security (additional detail)

Identification, Authentication & Authorization
– Many out-of-the-box methods of identification, authentication and authorization based on industry standards and vendor proprietary mechanisms
– The ability to support identity federation based on different standards, and identity brokering between standards and vendor proprietary mechanisms
– Some (but not all) supported standards include SSL/TLS with mutual authentication, FTP credentials, HTTP Basic, HTTP Digest, HTTP cookies, NTLM, Kerberos, SAML, WS-SecureConversation, WS-Security, OAuth, OpenID Connect, XACML, LDAP, WS-Trust, WS-Federation, X.509 certificates
– Some (but not all) supported vendor proprietary mechanisms include Mobile SSO, CA Single Sign-On, Tivoli Access Manager, Oracle Access Manager, Sun Java System Access Manager
– CA can easily and conditionally use one or more of the above methods in a single policy (including JDBC and other protocols for custom identity provider implementations)
– CA provides an out-of-the-box and configurable WS-Trust based STS service
– CA can be an enterprise PEP, PDP, PIP and PRP for XACML
– CA can be a SAML identity provider
– CA can be an OAuth authorization server and an OpenID Connect provider

Page 17: CA API Gateway: Web API and Application Security


Security Gateway / Internal Security (additional detail)

Confidentiality
– Easy to configure and accelerated secure transport (SSL/TLS) for point-to-point encryption and confidentiality (both in front of and behind the gateway, with and without client authentication)
– Easy to configure and accelerated end-to-end confidentiality with message or element level encryption and decryption based on industry standards (e.g. XML Encryption, WS-Security, and JWE)

Integrity
– Easy to configure and accelerated end-to-end integrity with message or element level digital signature and verification based on industry standards (e.g. XML Signature and WS-Security)
– HMAC signature support for non-XML traffic such as REST APIs and OAuth signed requests

Transport encryption protects one hop: once the gateway terminates TLS, the message is in the clear on the gateway and on the backend leg unless TLS is re-established behind it or message-level encryption is used.
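HMAC request signing for a non-XML API, as an added example in Python. This is not CA product code; the key store, header names and canonicalisation rules are assumptions made for the example. Client and gateway compute the same canonical string over method, path, sorted query, body hash, timestamp and key id, and the gateway compares the HMAC in constant time:

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Hypothetical API-key store (constructed): key id -> shared secret known to client and gateway
SECRETS = {"acme-warehouse-app": b"0f1e2d3c-shared-secret-provisioned-by-the-portal"}
MAX_SKEW = 300  # seconds a request timestamp may differ from the gateway clock


def canonical_request(method, path, query, body, timestamp, key_id):
    """The exact string both sides sign. Query parameters are sorted so that reordering
    them does not break the signature; the body enters as a hash so the signature covers
    it without the body being copied into a header."""
    sorted_query = urlencode(sorted(parse_qsl(query, keep_blank_values=True)))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, sorted_query, body_hash, str(timestamp), key_id])


def signature(secret, canon):
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def client_headers(key_id, method, path, query, body, timestamp=None):
    """Client side: the headers to attach to the outgoing request."""
    ts = int(time.time()) if timestamp is None else timestamp
    sig = signature(SECRETS[key_id], canonical_request(method, path, query, body, ts, key_id))
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": sig}


def verify(method, path, query, body, headers, now=None):
    """Gateway side. True only if the key is known, the timestamp is fresh and the
    recomputed HMAC matches (compared in constant time)."""
    now = int(time.time()) if now is None else now
    key_id = headers.get("X-Key-Id", "")
    secret = SECRETS.get(key_id)
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = signature(secret, canonical_request(method, path, query, body, ts, key_id))
    return hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode())
```

Because the body is part of what is signed, tampering in transit fails verification, and because the timestamp is signed and checked, a captured request is only useful inside the skew window; detecting reuse inside that window is a separate nonce-based replay check.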

Page 18: CA API Gateway: Web API and Application Security


Security Gateway / Internal Security (additional detail)

Auditing & Logging
– Automatic and configurable auditing and logging of events by category and priority level, both on and off gateways
– Gateway Audit Event viewer that can see all audit events across a cluster of multiple gateways, with or without full request and response message recording
– Auditing and logging is very configurable and can be managed globally across a cluster and/or conditionally in policy
– Audit and log events can be sent remotely via syslog and/or all other outbound protocols supported by CA
– Full message recording captures credentials and personal data along with the payload; enable it selectively (conditionally in policy) and protect the audit store to the same standard as the traffic it records

Non-repudiation
– CA supports non-repudiation through a combination of auditing, logging and digital signatures

Page 19: CA API Gateway: Web API and Application Security


Security Gateway / Internal Security (additional detail)

Data Classification and Compliance
– Automatic XML well-formedness validation
– XML schema validation, Schematron, and JSON schema validation
– Many additional out-of-the-box assertions for classifying, validating, masking and filtering message content at runtime

Threat Protection
– Automatic threat protection for TCP/IP based attacks, coercive parsing and XML bombs (entity expansion), external entity (XXE) attacks, schema poisoning, WSDL scanning and XML routing detours
– Configurable threat protection for single- and multi-message denial of service attacks
– Injection attack protection (both SQL and code)
– Rate limiting and SLA enforcement with high performance and accuracy across a cluster of multiple gateways
– True replay attack protection across a cluster of multiple gateways
– Virus scanning via the ICAP protocol, with specific support for Symantec, McAfee and Sophos
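Replay protection and rate limiting as policy checks, as an added example in Python. This is not CA product code; the acceptance window, the limit and the request shape are assumptions made for the example. The in-process dict and deque stand in for the store that a multi-gateway cluster has to share between nodes, and the example assumes the request's signature, which covers the nonce and timestamp, was already verified:

```python
from collections import deque

WINDOW = 300  # seconds: a request whose timestamp is further from now than this is refused outright


class NonceCache:
    """Nonces seen in the last WINDOW seconds. The timestamp check is what keeps this
    finite: a nonce older than the window cannot be replayed anyway, so it can be dropped.
    In a cluster of gateways this store must be shared or replicated; a per-node cache lets
    a replay succeed on a node that never saw the original. Here it is a plain dict."""

    def __init__(self, window=WINDOW):
        self.window = window
        self._seen = {}  # (key_id, nonce) -> time first seen

    def first_use(self, key_id, nonce, now):
        self._expire(now)
        k = (key_id, nonce)
        if k in self._seen:
            return False
        self._seen[k] = now
        return True

    def _expire(self, now):
        for k, t in list(self._seen.items()):
            if now - t > self.window:
                del self._seen[k]


class SlidingWindowLimiter:
    """At most `limit` requests per `window` seconds per key, over a true sliding window
    (a fixed-bucket counter lets a client burst twice the limit across a bucket boundary)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = {}  # key -> deque of request times inside the window

    def allow(self, key, now):
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def admit(request, now, nonces, limiter):
    """Cheap checks first, so a replayed or over-quota request is refused before the gateway
    spends CPU on parsing, schema validation or a backend call. Replay is checked before the
    rate limit so that an attacker replaying a captured request cannot burn the legitimate
    caller's quota. Returns 'allow' or 'reject: <reason>'."""
    if abs(now - request["timestamp"]) > nonces.window:
        return "reject: stale timestamp"
    if not nonces.first_use(request["key_id"], request["nonce"], now):
        return "reject: replay"
    if not limiter.allow(request["key_id"], now):
        return "reject: rate limit"
    return "allow"
```

The order of the three checks is the point: the timestamp check bounds the nonce cache, the nonce check stops a valid captured request from being resubmitted inside that bound, and only requests that pass both count against the caller's quota.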

Page 20: CA API Gateway: Web API and Application Security


CA Mobile API Gateway

– Apple Push Notification
– Android Push Notification
– Mobile SSO (API and SDK): Multi-user Support, Social Login, One Time Password, Dynamic App Config & Credential Provisioning, Geo-location Support, Cross Device SSO (QRC, BLE, NFC)
– Enterprise Browser
– Samsung KNOX for APIs

Diagram labels: API Portal, API Servers, IdM, MAG

Page 21: CA API Gateway: Web API and Application Security


OWASP Top 10[1] Protection as Web App Proxy

– A1 Injection
– A2 Broken Authentication and Session Management
– A3 Cross-Site Scripting (XSS)
– A4 Insecure Direct Object References
– A5 Security Misconfiguration
– A6 Sensitive Data Exposure
– A7 Missing Function Level Access Control
– A8 Cross-Site Request Forgery (CSRF)
– A9 Using Components with Known Vulnerabilities
– A10 Unvalidated Redirects and Forwards

How much of each item a proxy can cover differs: input validation, output encoding, authentication and function-level access checks can be enforced at the gateway, whereas A9 (known-vulnerable components) can only be mitigated there and still has to be fixed in the application.

[1] https://www.owasp.org/index.php/Top_10_2013-Top_10 (the 2013 edition of the list)

Page 22: CA API Gateway: Web API and Application Security


Where do I start?

– Reduce the attack surface (expose only what is needed; require all traffic to go through the gateway so nothing reaches the backend by another path)
– Use a secure transport (SSL/TLS)
– Control access (e.g. mutual-auth TLS, HTTP Basic auth, OAuth, MSSO, API key?, etc.)
– Enforce a strict interface (validate protocol, resource, method, parameters, schema)
– Validate (and optionally encode) input (and optionally output) parameter values
– Rate limit (so that capacity is not exceeded anywhere)
– Monitor (log and audit)
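The strict-interface, validation and monitoring steps above, applied to a hypothetical ACME Warehouse API as an added example in Python. This is not CA policy or product code; the routes, field formats, masking pattern and audit format are assumptions made for the example. It refuses any method, resource, parameter or body field it was not told about, masks card-number-like values on the way out and emits one audit line per decision; transport security and rate limiting are outside this snippet:

```python
import json
import re
from dataclasses import dataclass


@dataclass
class Route:
    method: str
    path: re.Pattern              # full-match pattern; path segments are constrained, not free text
    params: dict                  # allowed query parameter -> regex its value must fully match
    body_keys: frozenset = frozenset()  # allowed JSON body fields (empty = no body accepted)


# Hypothetical ACME Warehouse API surface (constructed for this example): only these two
# operations exist as far as the outside world is concerned; everything else is refused.
ROUTES = (
    Route("GET", re.compile(r"/warehouse/v1/orders/(?P<id>[0-9]{1,10})"),
          {"fields": re.compile(r"[a-z_]{1,20}(,[a-z_]{1,20}){0,9}")}),
    Route("POST", re.compile(r"/warehouse/v1/orders"), {}, frozenset({"sku", "qty"})),
)
MAX_BODY = 64 * 1024
SKU = re.compile(r"[A-Z0-9]{3,8}(-[A-Z0-9]{1,8}){0,3}")
PAN_LIKE = re.compile(r"\b[0-9]{13,16}\b")  # mask anything that looks like a card number on the way out


def enforce(method: str, path: str, query: dict, body: bytes):
    """Default deny. Returns (allowed, reason); a refusal names the first rule that failed."""
    route = next((r for r in ROUTES if r.method == method and r.path.fullmatch(path)), None)
    if route is None:
        return False, "unknown resource or method"
    for name, value in query.items():
        pattern = route.params.get(name)
        if pattern is None or not pattern.fullmatch(value):
            return False, f"parameter {name!r} not allowed or malformed"
    if len(body) > MAX_BODY:
        return False, "body too large"
    if not route.body_keys:
        return (True, "ok") if not body else (False, "body not allowed on this operation")
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(doc, dict) or set(doc) != route.body_keys:
        return False, "body must contain exactly the fields " + ", ".join(sorted(route.body_keys))
    if not (isinstance(doc["sku"], str) and SKU.fullmatch(doc["sku"])):
        return False, "sku malformed"
    if isinstance(doc["qty"], bool) or not isinstance(doc["qty"], int) or not 0 < doc["qty"] <= 1000:
        return False, "qty out of range"
    return True, "ok"


def mask_response(text: str) -> str:
    """Output filtering: a backend that leaks a full card number still does not leak it past the gateway."""
    return PAN_LIKE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], text)


def audit_line(decision: bool, reason: str, method: str, path: str, key_id: str) -> str:
    """One structured line per decision, so denials can be searched by reason and caller."""
    return json.dumps({"decision": "allow" if decision else "deny", "reason": reason,
                       "method": method, "path": path, "key_id": key_id}, sort_keys=True)
```

The allowlist is the whole design: a request that matches nothing is refused before the backend is involved, so a traversal in the path, an unexpected query parameter or an extra JSON field (the classic mass-assignment vector) never reaches application code.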

Page 23: CA API Gateway: Web API and Application Security


Demo

– CA (Mobile) API Gateway (for runtime policy enforcement)
– Policy Manager (for policy authoring and administration)
– ACME Warehouse Service
– CA API Developer Portal (for discovering, exploring, registering to access and monitoring utilization of APIs)

Page 24: CA API Gateway: Web API and Application Security


Must See Demos (CA API Management, Theater 3)

– Optimize with API Insights & Monitoring
– Orchestrate and Secure APIs & Microservices
– Launch Faster with API Management in the Cloud
– Deliver Continuously with API Testing

Page 25: CA API Gateway: Web API and Application Security


Recommended Sessions

Session #   Title                                                                       Date/Time
DO3T82S     Building the Digital Platform - with secure APIs                            11/16/2016 at 1:00 pm
DO3X18S     Securing your API Portfolio with API Management                             11/16/2016 at 2:00 pm
DO3T02S     Case Study: How Adobe Secures, Manages and Deploys Enterprise Mobile Apps   11/17/2016 at 1:45 pm

Page 26: CA API Gateway: Web API and Application Security


Questions?

Page 27: CA API Gateway: Web API and Application Security


Thank you.

Stay connected at communities.ca.com

Page 28: CA API Gateway: Web API and Application Security


DevOps – API Management and Application Development

For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ