Takeaways from API Security Breaches
Jaime Ryan – Sr. Director, API Management Technical Strategy
Tyson Whitten – Director, API Management Solutions Marketing
2 © 2015 CA. ALL RIGHTS RESERVED.
Agenda
1. API BREACHES
2. RISK MITIGATION STEPS
3. API MANAGEMENT SOLUTIONS
4. QUESTIONS
APIs at the center
(Diagram: outside partners / divisions, external developers, mobile apps, cloud services and Internet of Things devices all reach apps through the API.)
APIs expose sensitive data
APIs are also the attack vector of choice for hackers to disrupt your service or gain access to private information.
When an API is hacked . . .
§ API vulnerabilities surface
– When exploits are discovered by the API publisher
– When discovered by a 3rd party
– When an organization is actually hacked
§ Exploits are rarely documented
§ Public APIs are most scrutinized
§ Private/hidden APIs are also vulnerable
Top-5 vulnerabilities/mitigations
§ Most common/current vulnerabilities and mitigations for securing your API
– Client impersonation
– Phishing
– Brute force
– Injections
– Unauthorized access/compromised secrets
Client impersonation
§ An attacker reverse-engineers a secret assigned to an app and uses it to call an API pretending to be the legitimate app
§ E.g. Twitter OAuth keys leaked – March 2013
§ E.g. Snapchat – December 2013
Client impersonation mitigation #1
§ It’s either confidential, or it isn’t
– Don’t ‘hide’ a secret in a public app store or render it on a web page
§ Learn to ‘let go’ of your app once published
– Design security mechanisms assuming public clients
– Don’t grant access to a resource based solely on the app identity (require user auth)
Client impersonation mitigation #2
§ Call the API from an actual confidential client
– Use frameworks that let you authoritatively assess devices and apps
– Call from a server-side web app rather than browser-side script
– Provision an app-level secret post-installation as part of a registration step
– Private app stores
Phishing attacks
§ Risk associated with redirection-based handshakes
– Malicious ‘application’ pretends to be legitimate
– Inserts its own endpoint in the callback address
– Gets token
§ *E.g. Facebook, February 2013
GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
Consent screen: “Do you authorize Legitimate app to access API on your behalf? [X] Yes [ ] No”
Tricked you
*http://threatpost.com/facebook-patches-oauth-authentication-vulnerability-022613/77563
Phishing mitigation 101
§ Register and validate redirection URIs
§ Strict validation (not partial)
§ Never skip the consent step
(Out-of-band: the Legitimate app registers with the API with Callback=foo)
GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
Error: Invalid callback
foiled
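The three rules on this slide, worked through in code. This is an added example, not code from the slides or from CA's products; the client registry, the `https://app.example.com/oauth/callback` URI and the `handle_authorize` helper are constructed for illustration. It puts the partial (prefix) check the slide warns against next to the strict exact-match check, and shows that an authorize front end refuses an unregistered callback in place instead of redirecting to it.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed client registry (hypothetical): each client_id maps to the exact
# redirect URIs it registered out-of-band.
REGISTERED_CALLBACKS = {
    "legitimate": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed_partial(client_id, redirect_uri):
    """Partial (prefix) validation: the weak form the slide warns against.
    Anything that merely starts with a registered URI passes."""
    registered = REGISTERED_CALLBACKS.get(client_id, set())
    return any(redirect_uri.startswith(r) for r in registered)


def redirect_uri_allowed_strict(client_id, redirect_uri):
    """Strict validation: exact string match against the registered set,
    after rejecting anything that is not a plain https URL."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.fragment or "@" in parts.netloc:
        return False
    return redirect_uri in REGISTERED_CALLBACKS.get(client_id, set())


def handle_authorize(query_string, validator=redirect_uri_allowed_strict):
    """Minimal /authorize front end. Returns ('consent', client_id, redirect_uri)
    when the request may proceed to the consent screen, or ('error', reason).
    On error nothing is redirected: the user sees the error in place, because
    redirecting to an unvalidated URI would hand the token (or an error
    carrying state) to whoever supplied it."""
    params = parse_qs(query_string, keep_blank_values=True)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if client_id not in REGISTERED_CALLBACKS:
        return ("error", "unknown client")
    if not validator(client_id, redirect_uri):
        return ("error", "invalid callback")
    # The consent step is never skipped, even for a previously approved client.
    return ("consent", client_id, redirect_uri)
```

The prefix check accepts a callback that has only been extended with extra path, which is exactly the hole exact matching closes; registering several callbacks per client and matching each exactly is cheaper than trying to reason about what a "safe" prefix is.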
Brute force
§ E.g. Snapchat find_friend exploit – December 2013
(Diagram: the app reads the list of phone numbers from the local contacts and asks the API “Is contact a member?” for each local contact. The attack instead asks “Is member?” for every possible phone number and steals all phone numbers of members.)
Brute force mitigation
Rate limiting, quotas, SLAs
§ Targeted rate limiting of specific attack vectors
– Limit access to any resource granted without direct ownership
– Limit failed authentication, limit password resets
§ Detect brute force pattern and block
§ Correlate identity, location, concurrency
§ Rate limit to protect the backend API
– Global limits to prevent DoS
§ Apply rate limiting with application-level awareness
– Limit for a specific operation for each user/application
– Limit for a specific input for each user/application
Captcha?
Supporting headless clients
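The layered limits on this slide, applied to a contact-lookup operation like the one in the Snapchat example. This is an added example, not code from the slides or from CA's gateway; the operation name `find_friend`, the limits, and the phone numbers are constructed. It combines a global limit that protects the backend, a per user/application limit on this one operation, and a count of distinct inputs per caller that detects the enumeration pattern and blocks the caller, while a normal user looking up the same contacts repeatedly is never affected.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per key inside a sliding `window` (seconds)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FindFriendGuard:
    """Policy for a hypothetical 'find_friend' lookup (constructed for this example):
    - a global limit protects the backend API against DoS
    - a per user/application limit covers this specific operation
    - the number of distinct inputs per user/application within an hour is the
      brute-force pattern: a real address book is bounded, an enumeration is not."""

    def __init__(self, global_per_minute=10000, ops_per_hour=300,
                 distinct_inputs_per_hour=200):
        self.global_limit = SlidingWindowLimiter(global_per_minute, 60)
        self.op_limit = SlidingWindowLimiter(ops_per_hour, 3600)
        self.distinct_limit = distinct_inputs_per_hour
        self.recent_inputs = defaultdict(dict)  # (app, user) -> {phone: last seen}
        self.blocked = set()

    def check(self, app_id, user_id, phone_number, now=None):
        """Returns 'allowed', 'rate_limited_global', 'rate_limited_caller' or 'blocked'."""
        now = time.monotonic() if now is None else now
        caller = (app_id, user_id)
        if caller in self.blocked:
            return "blocked"
        if not self.global_limit.allow("find_friend", now):
            return "rate_limited_global"
        if not self.op_limit.allow(("find_friend",) + caller, now):
            return "rate_limited_caller"
        recent = self.recent_inputs[caller]
        recent[phone_number] = now
        for phone, seen in list(recent.items()):
            if now - seen > 3600:
                del recent[phone]
        if len(recent) > self.distinct_limit:
            self.blocked.add(caller)  # enumeration pattern detected: block, don't just slow down
            return "blocked"
        return "allowed"
```

Keying the limiter on the operation and the caller identity, rather than on the source IP alone, is what the slide means by application-level awareness: the same user re-checking the same 50 contacts is cheap, while 201 different numbers from one caller is the signal worth acting on.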
Injection
§ Injection attacks, particularly in the public client scenario, are at the core of the most common exploits
– SQL/LDAP/XPath/XQuery/code injections
§ *E.g. Injection in query parameters
GET /history?transactionid=123456
select from table where id=‘[ ]’
GET /history?transactionid=%27+OR+%271%27%3D%271
select from table where id=‘’ or ‘1’=‘1’
*http://forums.sugarcrm.com/f6/rest-api-sql-injection-exploit-89589/
Injection mitigation
§ Input sanitization
– Parse input parameters (payload/transport)
– Apply pattern validation – JSON Path, XPath, XSD, JSON Schema, RegEx, …
– Own and tighten your metadata
– Code-level sanitization (e.g. prepared statements)
§ Signature-based threat detection
– Look for injection patterns in the payload and at the transport level
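The `/history?transactionid=` example from the previous slide, implemented both ways. This is an added example, not code from the slides or from CA's products; the `history` table, its rows, the numeric id pattern and the tautology signature are constructed for illustration. `history_vulnerable` is the string-concatenation query the slide shows, `history_hardened` applies pattern validation at the API boundary and then a prepared statement, and `handle_history` adds a signature check on the parsed (URL-decoded) parameter in front of both.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed: this API's transaction ids are short numeric strings, so the
# pattern is the metadata we "own and tighten".
TRANSACTION_ID = re.compile(r"^[0-9]{1,12}$")

# Constructed sample signature, deliberately narrow: a quote, OR/AND, and a
# comparison such as '1'='1'. Signatures complement validation; they do not
# replace it, as handle_history shows.
TAUTOLOGY_SIGNATURE = re.compile(
    r"""['"]\s*(or|and)\s*['"]?\w+['"]?\s*=\s*['"]?\w+""", re.IGNORECASE)


def make_db():
    """In-memory table standing in for the backend 'table' on the slide."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE history (id TEXT, owner TEXT, amount REAL)")
    db.executemany("INSERT INTO history VALUES (?, ?, ?)",
                   [("123456", "alice", 10.0), ("123457", "bob", 20.0),
                    ("999999", "carol", 30.0)])
    return db


def history_vulnerable(db, transaction_id):
    """The 'before': the parameter is pasted into the SQL text."""
    sql = "SELECT id, owner, amount FROM history WHERE id='" + transaction_id + "'"
    return db.execute(sql).fetchall()


def history_hardened(db, transaction_id):
    """Pattern validation first, then a prepared statement: the value can only
    ever be data, never part of the query."""
    if not TRANSACTION_ID.match(transaction_id):
        raise ValueError("invalid transactionid")
    return db.execute("SELECT id, owner, amount FROM history WHERE id=?",
                      (transaction_id,)).fetchall()


def looks_like_injection(value):
    """Signature-based detection on the decoded parameter value."""
    return TAUTOLOGY_SIGNATURE.search(value) is not None


def handle_history(db, query_string):
    """Transport-level handling: parse (and URL-decode) the query string,
    run the signature check, then the validated, parameterized query."""
    params = parse_qs(query_string, keep_blank_values=True)
    transaction_id = params.get("transactionid", [""])[0]
    if looks_like_injection(transaction_id):
        return (400, "blocked by signature")
    try:
        rows = history_hardened(db, transaction_id)
    except ValueError as exc:
        return (400, str(exc))
    return (200, rows)
```

Note that the signature alone is not enough: a value that contains no quote slips past it, and it is the pattern validation and the prepared statement that actually hold the line. Inspecting the value after URL decoding matters as well, since `%27` is what arrives on the wire.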
Unauthorized access
§ E.g. Unsecured API
§ E.g. Authenticated client can access a resource that should be restricted
§ E.g. Session secret compromised
Balancing UX and security
(Diagram: a spectrum from “no credentials” through “device passcode” to “app security”; more convenience means more risk, less convenience means less risk.)
Unauthorized access mitigation
§ Authentication
– Local auth, integration into existing identity providers
– Social provider integration
– Federation, SAML
§ Token issuing, lifecycle management
– OAuth, OpenID Connect
– JWT/JWS
– Token refresh, revocation
§ Assert user/app/device identities
§ Scope
– User-granted permissions
§ Resource server
– Map token identities and resource ownership
§ Identity mapping
– SAML/OAuth/local/Kerberos/…
– Runtime mapping internal/external
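A resource server that ties the token-related bullets together: signature and expiry check on a JWS-style token, revocation by token id, the user-granted scope, and the mapping of the token's subject onto resource ownership so that an authenticated client cannot read a resource it does not own (the second unauthorized-access case on the previous slide). This is an added example, not code from the slides or from CA's gateway; the HS256 token minting is a minimal hand-rolled illustration rather than a JWT library, and the signing key, the `accounts:read` scope, the `ACCOUNTS` store and the `get_account` endpoint are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps this in the token issuer only.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
REVOKED_TOKEN_IDS = set()  # jti values revoked before expiry

# Constructed resource store: every record carries its owner.
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 100},
    "acct-2": {"owner": "bob", "balance": 50},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, client_id, scope, jti, ttl=3600, now=None):
    """Issuer side: HS256-signed token asserting user (sub), app (client_id)
    and the user-granted scope, with an expiry and a revocable id."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "client_id": client_id, "scope": scope,
              "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """Resource-server side: structure, fixed algorithm, constant-time
    signature comparison, expiry, revocation. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to pick its algorithm
    expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("jti") in REVOKED_TOKEN_IDS:
        raise ValueError("revoked")
    return claims


def get_account(token, account_id, now=None):
    """GET /accounts/{id}: valid token, required scope, and the token's subject
    must own the record. Returns (status, body)."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return (401, str(exc))
    if "accounts:read" not in claims.get("scope", "").split():
        return (403, "insufficient_scope")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != claims["sub"]:
        return (404, "not_found")  # same answer for missing and not-owned
    return (200, record)
```

Returning the same 404 for "does not exist" and "not yours" keeps the endpoint from being used as an oracle for valid account ids, which is the brute-force lesson from earlier applied here; the ownership check is what prevents a valid, in-scope token from reading another user's data.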
CA API Management manages & secures APIs @ design & runtime
(Diagram: mobile developers and mobile apps work with the CA API Developer Portal at design time and the CA API Gateway at runtime.)
Design time and runtime capabilities:
§ Discover APIs
§ Self-register
§ Collaborate & test
§ Adaptation, mediation
§ Throttling, caching
§ Policy & access control
§ Create & publish APIs
§ API plans & pricing
§ Monitoring & analytics
§ Embed app security
§ SSO, social, risk
§ OAuth 2.0, OpenID Connect, UMA
The Gateway and Portal – Flexible Delivery Models
On-Premise
§ Software ownership
§ Highly customizable to match business needs
§ Control over infrastructure and upgrades
Hybrid
§ Flexible combination of on/off premise solutions
§ Provides business and compliance flexibility
§ Includes integration
SaaS
§ Faster deployment/less customization
§ Reduced infrastructure/upgrade costs
§ Simple scalability
§ Growing set of functionality
Flexibility for initial investment and in the rate/extent of migration to the cloud
Goals of the business, employee and consumer: to move seamlessly and securely between apps and devices
App Context Identity
(Diagram: four enterprise apps, A, B, C and D)
1. User taps one of the four enterprise apps
2. User provides enterprise credentials
3. User can seamlessly switch between the four enterprise apps
(Diagram: the note “Discuss Q4 targets with Bob. Don’t forget to cover incentives.” moves from a source device to a target device; labels: App Context, Identity.)
1. Phone detects it is close to tablet using Bluetooth Low Energy
2. Session migrates to tablet so user does not have to reenter credentials
3. App session context pushed to secure cloud storage
4. Context can be pushed to different target apps
§ Email
§ Notes
§ …etc.
Latest analyst reviews: CA API Management is a leader
“CA Technologies has strong API security, integration, and mobile app support. With Layer 7’s long history as an SOA application gateway provider, CA’s solution has among the best API security, message transformation, and integration features in our evaluation. Among the traditional gateway vendors, Layer 7 was an early mover into the API management space, which has given CA a head start to round out the features of its portal and tooling for API product managers. The gateway’s mobile app support is also among the best in our evaluation ..”
The Forrester Wave: API Management Solutions, Q3 2014.
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Forrester Research Inc., “Forrester Wave: API Management Solutions, Q3 2014”, September 29, 2014
Summary
§ Protect your APIs
– But support developers
– Do not sacrifice UX
§ Leverage API infrastructure to implement API security best practices
Tyson Whitten – Director API Management Product Marketing – [email protected]
Jaime Ryan – Sr Director, Technical Strategy – [email protected]
ca.com/api
Legal Notice
© Copyright CA 2015. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.