Building a Secure PI Web API Environment

Similar documents
We will resume at 3:30 pm Enjoy your break!

fredag 7 september 12 OpenID Connect

How to Pick the Right PI Developer Technology for your Project

Connect. explained. Vladimir Dzhuvinov. :

FAS Authorization Server - OpenID Connect Onboarding

Creating relying party clients using the Nimbus OAuth 2.0 SDK with OpenID Connect extensions

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

openid connect all the things

What s new in PI System Security?

RKN 2015 Application Layer Short Summary

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

WHY CSRF WORKS. Implicit authentication by Web browsers

OAuth and OpenID Connect (IN PLAIN ENGLISH)

What s new in PI System Security?

Building an Identity federation using OpenID Connect. Roland Prague

Pulseway Security White Paper

CSRF in the Modern Age

How to Pick the Right PI Developer Technology for your Project

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

OpenID Connect 1.0 Guide

DreamFactory Security Guide

Securing APIs and Microservices with OAuth and OpenID Connect

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Technical Overview. Version March 2018 Author: Vittorio Bertola

HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE

Nordea e-identification Service description

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Authentication in the Cloud. Stefan Seelmann

Easily Secure your Microservices with Keycloak. Sébastien Blanc Red

FAS Authorization Server - OpenID Connect Onboarding

Robust Defenses for Cross-Site Request Forgery

There is REST and then there is REST. Radovan Semančík November 2017

EasyCrypt passes an independent security audit

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

Solutions Business Manager Web Application Security Assessment

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Authentication CS 4720 Mobile Application Development

RSA SecurID Implementation

CS 494/594 Computer and Network Security

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Advanced API Security

Robust Defenses for Cross-Site Request Forgery

Warm Up to Identity Protocol Soup

WHITEPAPER. Security overview. podio.com

Content Security Policy

Security and Authentication

FAS Authorization Server - OpenID Connect Onboarding

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

ArcGIS Enterprise Security. Gregory Ponto & Jeff Smith

OpenID Connect 1.0 Guide

Certified Secure Web Application Secure Development Checklist

Robust Defenses for Cross-Site Request Forgery Review

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

BIG-IP Application Security Manager : Implementations. Version 13.0

Web Application Security. Philippe Bogaerts

Sichere Software vom Java-Entwickler

DO NOT OPEN UNTIL INSTRUCTED

How to use or not use the AWS API Gateway for Microservices

Check to enable generation of refresh tokens when refreshing access tokens

OWASP Top 10 The Ten Most Critical Web Application Security Risks

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

ArcGIS Server and Portal for ArcGIS An Introduction to Security

API Gateway. Version 7.5.1

Real-time protocol. Chapter 16: Real-Time Communication Security

OpenID Connect Update

SECURING ASP.NET CORE APPLICATIONS

Welcome to the OWASP TOP 10

The Most Important Facts in a Nutshell Content Security User Interface Security Infrastructure Security In Detail...

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Evaluating the Security Risks of Static vs. Dynamic Websites

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Integrating with ClearPass HTTP APIs

OWASP TOP 10. By: Ilia

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

CS 142 Winter Session Management. Dan Boneh

Liferay Security Features Overview. How Liferay Approaches Security

GOING WHERE NO WAFS HAVE GONE BEFORE

(2½ hours) Total Marks: 75

Certificate-based authentication for data security

CS530 Authentication

Exposing The Misuse of The Foundation of Online Security

Ruby on Rails Secure Coding Recommendations

Nigori: Storing Secrets in the Cloud. Ben Laurie

Security Association Creation

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

StorageGRID Webscale 11.0 Tenant Administrator Guide

Managing API Security in the Connected Digital Economy

Business Logic Attacks BATs and BLBs

Expertise that goes beyond experience.

The Internet of Things. Steven M. Bellovin November 24,

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague

Transcription:

Building a Secure PI Web API Environment Presented by Mike Sloves Ray Verhoeff

User Conference 2017 Themes 2

What do we mean by secure? Basic summary of security concepts: Minimizing the Attack Vector Preventing various attacks Man in the Middle DDoS Etc. Staying inside your firewall does not make you immune What we are doing to help secure PI Web API? 3

What is PI Web API? (briefly ) RESTful Service Any client platform, language, etc. Modern method of supporting any device Away from your site using mobile 4

Methods of Securing PI Web API PI System Security Certificates Authentication Cross-Origin Resource Sharing (CORS) Cross-Site Request Forgery (CSRF) (Distributed) Denial of Service IT Resources 5

What is a Certificate? An electronic document used to prove the ownership of a public key Information about the key Information about its owner s identity Digital Signature of a verifying entity Does this all check out? YAY!!!! 6

My Bank is Secure! 7

Certificates How encryption works PI Web API has no HTTP option Why we insist on certificates But I m just doing development! Getting a certificate is not difficult 8

How Certificates are used Client and Server negotiate: SSL/TLS version Ciphersuite Compression (if any) Client confirms that the Server s certificate is valid Client and Server exchange keys to use for encryption 9

How to Get a Certificate Self-signed Buy one from a certificate vendor Verisign Geotrust Comodo Digicert Lots of others Look it up, we did Letsencrypt.com Free certificates! Becoming more popular Windows Domain Certificate 10

Authentication Anonymous Basic Kerberos And introducing 11

Claims-Based Authentication Login using an external Identity Provider No need to expose corporate AD credentials OpenID Connect PI Web API Claims ID Provider Active Directory PI3, WCF PI System Business Network Business Partner/Cloud/Mobile Network 13

Claims-Based Authentication Login using an external Identity Provider No need to expose corporate AD credentials PI Web API OpenID Connect Claims ID Provider Active Directory PI Server PI3, WCF Business Network Business Partner/Cloud/Mobile Network 14

How we did it OpenID Connect An Authentication layer on top of OAuth 2.0 Controlled by the OpenID Foundation RESTful HTTP API using JSON format Wide acceptance in the industry 16

Response from /.well-known/openid-configuration { "authorization_endpoint":"https://login.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/oauth2/authorize", "token_endpoint":"https://login.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/oauth2/token", "token_endpoint_auth_methods_supported":[ "client_secret_post", "private_key_jwt" ], "jwks_uri":"https://login.windows.net/common/discovery/keys", "id_token_signing_alg_values_supported":[ "RS256" ], "http_logout_supported":true, "frontchannel_logout_supported":true, "end_session_endpoint":"https://login.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/oauth2/logout", "response_types_supported":[ "code", "id_token", "code id_token", "token id_token", "token" ], "scopes_supported":[ "openid" ], "issuer":"https://sts.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/", "claims_supported":[ "sub", "iss", "cloud_instance_name", "aud", "exp", "iat", "auth_time", "acr", "amr", "nonce", "email", "given_name", "family_name", "nickname" ], } 17

Cross-Origin Resource Sharing (CORS) https://fire.web.net https://rain.web.net/piwebapi No CORS GET HTML CSS JavaScript XMLHttpRequest ` Browser 19

Cross-Origin Resource Sharing (CORS) https://fire.web.net https://rain.web.net/piwebapi CorsOrigins: https://fire.web.net GET HTML CSS JavaScript XMLHttpRequest ` Browser data 20

Cross-Site Request Forgery (CSRF) You log into a legitimate website Your browser keeps the authentication token You are tricked into visiting a bad website JavaScript containing evil code downloaded JavaScript executes Your authentication token is used Evil code does damage to your legitimate website! 22

CSRF Attack https://bank.net login token ` Browser token Subject: Read bank.net s new white paper! https://evil.net HTML CSS JavaScript POST bank.net/transfer 23

Cross-Site Request Forgery (CSRF) Existing applications may need to be updated! Good News: GET is fine Bad News: POST, PATCH, DELETE need attention Add Header: X-Requested-With: XMLHttpRequest Good News (after the Bad) Modern browsers do this for you 24

Custom Headers HTTP defines a long list of request and response headers Some instruct browser on which rules to enforce and how Example: Referer: strict-origin 25

Custom Headers PI Web API 2017 R2 introduces custom headers You can create your own custom headers with values Your settings override ours Don t use this to disable security settings! Example: Content-Security-Policy: unsafe-eval 26

Online Security Audit Tools https://observatory.mozilla.org/ https://securityheaders.io/ 27

(Distributed) Denial of Service Throughput limits implemented in PI Web API configuration: RateLimitMaxRequests RateLimitDuration MaxReturnedItemsPerCall Set PI Web API to read-only: DisableWrites configuration item 28

**YOUR** IT Department (not ours ) VPN Secure Communications Disable Writes POST restriction in PI Web API configuration Use Load Balancers/Routers/Switches to limit connectivity 29

Which method should I use? 31

Checklist Intranet Certificate CORS CSRF Authentication Model Target Platforms Denial of Service defenses 32

Checklist Extranet Everything in the Intranet Checklist, plus: Authenticate: Basic or Claims-Based Either way: a local Windows Domain Controller is needed to support your user community 33

Have an idea how to improve our products? OSIsoft wants to hear from you! https://feedback.osisoft.com/

Thank You

Questions Please wait for the microphone before asking your questions Please remember to Complete the Online Survey for this session State your name & company http://bit.ly/uc2017-app 36

Contact Information Mike Sloves msloves@osisoft.com Group Leader OSIsoft, LLC Ray Verhoeff ray@osisoft.com Product Manager OSIsoft, LLC 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback