Dealing with Application Programming Interface threats: Are you ready? cybersecurity & risk services

Similar documents
Wipro s Endur Test Automation Framework (W-ETAF) Reduces time and effort for the implementation and maintenance of an automated test solution.

Quantum cryptography for data heliocentric world

Virtual CPE (vcpe) Solution: A software defined virtualization platform to realize diverse networking functions with the click of a button

Audience This document is intended for all users who have undergone the Knowledge Capture training, and are beginning to use Harmony.

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Imperva Incapsula Website Security

DreamFactory Security Guide

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

AKAMAI CLOUD SECURITY SOLUTIONS

ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

API MANAGEMENT WITH WEBMETHODS

IBM Future of Work Forum

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

RSA INCIDENT RESPONSE SERVICES

A (sample) computerized system for publishing the daily currency exchange rates

Cyber Resilience: Developing a Shared Culture. Sponsor Guide

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Securing Your Digital Transformation

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

C1: Define Security Requirements

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Building Trust in the Internet of Things

WEB-APIs DRIVING DIGITAL INNOVATION

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Comprehensive Database Security

Security

RiskSense Attack Surface Validation for Web Applications

Automated, Real-Time Risk Analysis & Remediation

OWASP TOP OWASP TOP

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Copyright 2016 EMC Corporation. All rights reserved.

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

RSA INCIDENT RESPONSE SERVICES

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

Information Security Policy

Solutions Business Manager Web Application Security Assessment

The IBM MobileFirst Platform

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

5 Pillars of API. management

Security Solutions. Overview. Business Needs

Managed Application Security trends and best practices in application security

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

locuz.com SOC Services

Security by Default: Enabling Transformation Through Cyber Resilience

Technical Brief. A Checklist for Every API Call. Managing the Complete API Lifecycle

CyberArk Privileged Threat Analytics

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Mitigating Security Breaches in Retail Applications WHITE PAPER

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Copyright

Accelerate Your Enterprise Private Cloud Initiative

epldt Web Builder Security March 2017

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Reserve Bank of India Cyber Security Framework

WHITE PAPER. Best Practices for Web Application Firewall Management

align security instill confidence

10 FOCUS AREAS FOR BREACH PREVENTION

YOUR WEAKEST IT SECURITY LINK?

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

One Hospital s Cybersecurity Journey

The Smart Enterprise. InGuard Application. 24/7/365 Protection from Toll Fraud Attack

CA Security Management

FOR FINANCIAL SERVICES ORGANIZATIONS

securing your network perimeter with SIEM

RSA NetWitness Suite Respond in Minutes, Not Months

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief

CloudSOC and Security.cloud for Microsoft Office 365

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Secure access to your enterprise. Enforce risk-based conditional access in real time

Privileged Account Security: A Balanced Approach to Securing Unix Environments

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

Additional Security Services on AWS

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

ShiftLeft. Real-World Runtime Protection Benchmarking

Top 5 NetApp Filer Incidents You Need Visibility Into

Penetration testing.

White Paper Securing and protecting enterprise data on mobile devices

BUILDING AND MAINTAINING SOC

Transforming Security from Defense in Depth to Comprehensive Security Assurance

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

Securing Digital Transformation

NEXT GENERATION SECURITY OPERATIONS CENTER

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

IBM Security Access Manager

Incident Response Services

IT Consulting and Implementation Services

Sentinet for BizTalk Server SENTINET

Transcription:

Dealing with Application Programming Interface threats: Are you ready? cybersecurity & risk services

Protect your API from internet threat Iast couple of years, APIs have established themselves as an essential part of any enterprise architecture. Security plays a tremendous role in API management as the APIs expose enterprise assets directly to the Internet. However, there is a problem with the common approach to API security. It is highly focused on implementing OAuth and Op and tends to neglect other important aspects of a complete API security solution. The background John (hacker) has heard that the company Acme Corp. based out of HackMeLand, where Michael (Security Manager) works, has recently deployed the Application Programming Interface (API) version of some geo-location services they used to sell as a stand-alone application. Like many other Internet companies, such as Google, they realized that they can monetize the usage of their core service by making it available to developers for a fee as public API. This fictional story illustrates what happens when an individual decides to hack or exploit your APIs Governance Compliance & Standards Federation Threat Management Mobile Security Security Analytics Authentication Authorization Identity Propagation Kev Management Service Virtualization Monitoring & Reporting and how the IT security manager can counteract such a threat. Two fictitious characters, John (the hacker) and Michael (the security manager) will help us to shape up our simplified storyline. Multi-faceted aspects of API security While focusing on threat protection, it is equally important to understand that API security is a much broader topic. The table below summarizes all areas which should be considered as part of an end-to-end API security solution: John s guess (and hope) is that, as they are new to APIs, this first version of their API will be buggy and/or possibly not very well-protected. Although Michael is not an amateur in his business he is relatively new to API security. He understands that while it has much in common with Web applications security, it also has its peculiarities. Michael asks his trusted partner, ApiAcmeConsulting to help. 2

The battlefield To begin with, ApiAcmeConsulting provides Michael with the whole picture. To protect something, it is important to understand the different layers between the hacker and the Let us take a closer look at the most common ones. Malformed XML request The attack consists of malformed or recurring XML requests that throw off the XML parser. Developers Legitimate Users Partners Cloud or customer DMZ Customer Cloud SaaaS Applications API GW Hacker Clients Customer Network Back-end Services Figure 1: The hacking battleground valuable assets (in the case of Acme Corp., their geo-location database) and from where the attack can arrive. The diagram below reproduces a common scenario. The hacker s weapons John has a long and despicable record of Web application hacking, during which he has developed a few techniques. The OWASP (Open Web Application Security Project) organization is the established authority in Web application security-related matters. It keeps track of the vulnerabilities and attacks occurring on the Internet, on their website. The list of top 10 Internet threats can be found here 1. Malicious Code Injection The objective of this attack is to exploit uncontrolled input process flow to inject 2 harmful SQL, LDAP, XPATH, or XQuery code along legitimate instructions. For instance, incorrect filtering, malicious query code string. Cross-Site Scripting (XSS) This attack consists of malicious code into content that is delivered from the compromised site. XSS attack 3 is so dangerous that the tainted content arrives at the API from a trusted source. A great example is getting high-level access-privileges to confidential data and cookies from high-profiles sites. 3

The security manager s ammunitions Michael and ApiAcme Consulting decide to sit together to elaborate a strategy to counter internet threats. ApiAcmeConsulting suggested to work on the gateway configuration, to enforce physical security and to activate all security policies designed to address the threats described in the previous section. The API gateways implement the gateway architectural pattern.the objective is to avoid API Gateways security rules called policies. Policies can be activated on proxies and implement specific controls to address the different threats.proxies are logical containers for all the pre- and post-processing of client requests and might be required before they reach the service itself. As per ApiAcmeConsulting s suggestion, Michael also instructs his team to integrate the API gateway with their SOC (Security Operating Center) incident management tool. This Clients REST HTTP Request REST HTTP Respose Cloud or customer DMZ Request Pre-Processing API Gateway Response Pre-Processing Service Request Service Response Customer Network Backend Service Figure 2: The API gateway is also a security gateway direct access to the Web services and rather have a mediation layer. From a security point of view, this makes much sense, as with the gateway we have a single point of security policy enforcement, another common security pattern. As per the mentioned security pattern, the gateway is policy enforcement point (PEP), policy administration point (PAP) and policy decision point (PDP) in one single component (although different vendors might have different modules for those logical blocks). will ensure that anomalous behaviour is detected and (depending on the gravity) an alarm is triggered. The battle Assuming he has previously managed to get some valid API keys, John sends a malicious request with recurring XML structures. The gateway checks the request before passing it over to the background geo-location service as part of the normal in-transit policy processing. One of the configured security policies detects that the 4

References request is malformed, drops the call and sends an alarm to the incident management tool, which in turn alerts the SOC team. As a first measure, the team can deactivate those keys, block the requestor. Off-line, Michael will work with the API business manager to investigate the case further. Some of the improvements and best practices ApiConsultingAcme could recommend to their customers are: [Reference1] https://www.owasp.org/index.php/category:owa SP_Top_Ten_Project [Reference 2] https://www.owasp.org/index.php/top_10_2013- A1-Injection [Reference 3] https://www.owasp.org/index.php/cross-site_sc ripting_(xss) Enforce all security policies on the API gateway to prevent attacks from the Internet Periodically review the security policies and make sure they are in line with your security strategy Log all traffic flowing through the gateway Connect your gateway with the incident management tools of your SOC (Security Operations Center) or equivalent Perform analytics on the collected data to detect more sophisticated attacks, which can circumvent the existing policies The way ahead APIs give businesses a wealth of new and unforseen opportunities to amplify their reach by empowering the larger community of application developers. API security however is not an option, neither should it be treated as stand-alone. Rather, the security team has to own it and make sure that API security is aligned, in terms of policies and controls, to the company's overall security strategy. 5

About the authors Vamshidhar Babu Seetha is a Cloud Security Architect at Wipro. Vamshi has over 16 years of Security experience in the IT Industry and has expertise in Cloud Security and Enterprise Security Solutions design and implementation, across various industry verticals and across multiple regions. He can be reached at Vamshidhar.seetha@wipro.com Nicola Venditti is a Principal Security Consultant at Wipro Technologies, based in Zurich, Switzerland. Nicola has over 15 years of experiences in the IT security industry and has worked on large engagements across the EMEA region. He can be reached at nicola.venditti@wipro.com 6

Wipro Limited Doddakannelli, Sarjapur Road, Bangalore-560 035, India Tel: +91 (80) 2844 0011 Fax: +91 (80) 2844 0256 wipro.com Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO) is a leading global information technology, consulting and business process services company. We harness the power of cognitive computing, hyper-automation, robotics, cloud, analytics and emerging technologies to help our clients adapt to the digital world and make them successful. A company recognized globally for its comprehensive portfolio of services, strong commitment to sustainability and good corporate citizenship, we have a dedicated workforce of over 170,000, serving clients across six continents. Together, we discover ideas and connect the dots to build a better and a bold new future. For more information, please write to us at info@wipro.com IND/BRD/JUN2017-MAY2018

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback