ISACA Silicon Valley APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems
Why Should You Care About APIs?
  Because cloud and mobile computing are built on APIs
  Because integration today is accomplished via APIs
  Because.
API Calls Per Day: Billions Served
APIs Are Big Business: Expedia's affiliate network conducts > USD $2 billion worth of transactions per year via APIs alone
ProgrammableWeb tracks over 12,400 APIs publicly available to developers
An Example: Amazon Web Services EC2 alone has 148 APIs
International Usage of APIs: Weibo (Chinese microblog, the Chinese version of Twitter; > 300 million users)
Something About Reduced Attack Surface? GmailFS Dropship
Popular Applications Hacked September 2012
Other Recent Hacks of APIs
  Snapchat API hack, December 2013: personal information breach; mass phone number harvesting; creation of bogus accounts; poised to become a mass spamming platform
  Bitly API hack, May 2014: personal information breach; users' email addresses, encrypted passwords, API keys, OAuth tokens
Even More Recently: Black Hat 2014, "CLOUDBOTS: HARVESTING CRYPTO COINS LIKE A BOTNET FARMER" (talk abstract):
"What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service. We explore just how easy it is to generate massive amounts of unique email addresses, in order to register free trial accounts, deploy code, and distribute commands (C2). We managed to build this cloud-based botnet all for the low cost of $0 and semi-legally. This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares!"
Where to Begin?
  Do you even know what APIs your organization has or is using?
  Do you even know what data is being shared via APIs with your trusted and untrusted customers, partners, and / or vendors?
Consumption versus Exposure (architecture diagram)
  Consumption side: all apps (mobile apps, web apps, social apps)
  API tier (trust boundary): persistence, security, orchestration, analytics
  Exposure side: app servers, ESB, backend services
API Services Security Components (diagram; labels as extracted)
  Security for Consumption / Security for Exposure
  Services: Analytics Services, Threat Protection, Advanced API Services, Identity Services, Developer Services
  Security & Identity Capabilities: Authentication & Authorization, Traffic Management, Developer Security, Logging & Auditing, Security Analytics
  Actors and endpoints: Apps, Partner Developers, Backend Service
Needed: End-to-End Security
  Stakeholders in API exposure security and API consumption security: DevOps, app developers, IT security, API architects, business owner, end users
  API management solutions must address the security considerations of various stakeholders and consumers of APIs
End-to-End Security for App & API Developers (diagram): Auditing, Logging, TLS
  Developer services (developer portal): token/API key management, logging & auditing, TLS management, developer user management, RBAC, policy management (API team), analytics services
  Participants: users, apps, developers, APIs, systems, backend
  API services: Basic/OAuth, 3rd party sign-in, token management, delegated auth (LDAP), quota/rate limiting, app secure registration, two-way TLS, OAuth/SAML authorization, RBAC for APIs
Delivering a Secure App and API Infrastructure
  App to API (consumption): authentication (TLS, OAuth, API key); API key and token management; two-way TLS; authorization (permission management); runtime policy; SLA enforcement; logging and auditing; analytics (security reports, runtime detection reports: volume based, traffic properties)
  API to backend (exposure): authentication (TLS, OAuth, SAML); two-way TLS; delegated authentication (LDAP, AD); integration with custom identity providers; fine-grain authorization; logging and auditing
  Threat protection: XML / JSON poisoning / injection; SQL injection; DDoS / app-DoS attacks; quota / spike arrest
  Identity: user provisioning; RBAC management; groups; identity provider (cloud or on-premise)
  Infrastructure security and compliance: cloud-based security (AWS + other); SOC 2, PCI-DSS, HIPAA; 24 x 7 organizational support; IP based access restrictions
Security Architecture (diagram)
  Identity & management (developers, IT security / architect): keys/token management, certificate management, policy management, RBAC management, user management
  API security (apps): authentication, authorization, policy enforcement, traffic management, logging & auditing; key store, policy store, log store
  Threat protection: TLS, DDoS, rate limiting & quota, payload protection
  Analytics
  Compliance (SOC 2, PCI DSS, HIPAA) and cloud security
Built-in Security + Flexible Security Integration (diagram; external firewall / internal firewall)
  Apps to API management platform (HTTPS / TLS): identity (OAuth, X.509, API key), TLS, ACL, DDoS, XML threats, rate limit, log & audit
  3rd party security services (AAA, logs, analytics)
  API management platform to backend service (TLS): partner identity (LDAP, RBAC, X.509)
  Developer identity via enterprise identity store: X.509, SAML, OAuth, LDAP, RBAC, TLS
Authentication & Authorization Scenario (table: scenario / authentication / authorization; cells listed as extracted, row alignment not recoverable)
  Scenarios: business to business; trusted developers; untrusted developers; HTML5 applications; identity tracking
  Mechanisms: TLS cert, API key; API key, OAuth token, IP address; SAML identity control policies (generate SAML assertion, validate SAML assertion); API key, OAuth token; SAML identity control policies; two-way TLS; identity-based access tracking policy; verify API key; OAuth 1.0a & OAuth 2.0 policies: client credentials grant (two-legged OAuth), resource owner password grant, authorization code grant (three-legged OAuth), implicit grant
Threats to APIs
API Threats: What Is New?
  Spoofing of identity
  Denial of service by bad actors, inadvertent errors, and botnets
  Network eavesdropping in the communication chain between app and enterprise backend services
  Replay attacks
  Unauthorized access to management system and configuration data
  Man-in-the-middle attacks
  Velocity attack using legitimate API calls
  Elevation of privilege by applications and developers
  Data tampering and injection attacks that lead to information disclosure
  Disclosure of confidential data stored and processed in mobile, API, and backend services
  Theft of credentials, API keys, tokens, or encryption keys
Threat Protection Scenario
  Denial of service attack: Spike Arrest policy (protection against instantaneous bursts of traffic); Access Control policy (imposing limits on who can access your API)
  Injection and scripting attacks: Regular Expression Protection policy (allows you to scan payloads for SQL, JavaScript, etc.)
  XML / JSON threats: XML and JSON Threat Protection policies (keep malformed payloads out of your system)
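The four policies on this slide (Spike Arrest, Access Control, Regular Expression Protection, JSON Threat Protection) as a small in-process gateway filter. This is an added example, not code from the presentation or from any API management product; the limits, allowed networks, injection patterns and function names are constructed placeholders.

```python
import json, re, time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
# Constructed policy settings (hypothetical values, not taken from the slides).
SPIKE_LIMIT, SPIKE_WINDOW = 5, 1.0      # calls per client per window (seconds)
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
MAX_DEPTH, MAX_STR = 4, 256              # JSON nesting depth and string length caps
INJECTION = [re.compile(r"(?i)\b(union\s+select|drop\s+table|or\s+1\s*=\s*1)\b"), re.compile(r"(?i)<\s*script\b")]
_recent = defaultdict(deque)             # client id -> request timestamps in window

def spike_arrest(client, now):
    """Spike Arrest: reject once a client exceeds SPIKE_LIMIT calls per window."""
    q = _recent[client]
    while q and now - q[0] > SPIKE_WINDOW:   # drop timestamps outside the window
        q.popleft()
    if len(q) >= SPIKE_LIMIT:
        return False
    q.append(now)
    return True

def access_control(src_ip):
    """Access Control: admit only source addresses inside the allowed networks."""
    return any(ip_address(src_ip) in net for net in ALLOWED_NETS)

def regex_protection(payload):
    """Regular Expression Protection: scan the raw payload for SQL/JS fragments."""
    return not any(p.search(payload) for p in INJECTION)

def json_threat_protection(payload):
    """JSON Threat Protection: strict parse plus depth and string-length limits."""
    def ok(node, depth):
        if isinstance(node, dict):
            return depth <= MAX_DEPTH and all(
                len(k) <= MAX_STR and ok(v, depth + 1) for k, v in node.items())
        if isinstance(node, list):
            return depth <= MAX_DEPTH and all(ok(v, depth + 1) for v in node)
        return not isinstance(node, str) or len(node) <= MAX_STR
    try:
        return ok(json.loads(payload), 1)
    except ValueError:                       # malformed JSON never reaches the backend
        return False

def enforce(client, src_ip, payload, now=None):
    """Run the policies in order; return the name of the first one that rejects, or None."""
    now = time.time() if now is None else now
    if not access_control(src_ip): return "AccessControl"
    if not spike_arrest(client, now): return "SpikeArrest"
    if not regex_protection(payload): return "RegexProtection"
    if not json_threat_protection(payload): return "JSONThreatProtection"
    return None
```

The cheap checks run first so a blocked or bursting client never pays for payload parsing, and the returned policy name is what the logging and auditing layer should record.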
Identity Scenario
  User provisioning: configure fine-grain control of user access to data, features and functionality; flexible provisioning and management of users
  RBAC management: enhanced system security with out-of-the-box roles; employ RBAC at every layer to protect sensitive information (API keys, TLS certificates, OAuth tokens, audit logs)
  Manage groups: convenient and practical grouping of users based on any number of criteria, including location and interests
  Identity provider: integrate with any identity provider that has an API, supports SAML, or supports LDAP v3 (for on-premise only)
Infrastructure & Compliance Scenario
  SOC 2: you or your provider will almost certainly need this
  PCI-DSS, HIPAA: you or your provider might need this
  European Data Directive: if you or your provider are doing business in Europe, then this will be required
  API health visibility: round-the-clock monitoring; real-time and historic API health visibility; API security and compliance tracking; component and process monitoring
Use Case: Secure Partner Collaboration (diagram)
  Backend service (internal domain) and backend service (external domain) exposed through the API platform (security & identity) to apps
  All interactions (events) feed metrics and security analytics; data analysts dashboard; insights or customer analytics service
Use Case: API Enabled Data Federation (diagram)
  API management platform between partners / analysts (tools) and diverse data stores
  Multiple access levels enforceable; data store integration API; fine granular access control
Security: More Than Securing a New Channel
  APIs are making it easier to integrate the customer experience across channels.
  Partner with developers and the business to build security into the API architecture
  Instrument security telemetry to seamlessly integrate with your existing Security Information and Event Management system (SIEM)
  Protect customer PII data and prevent data breaches via API channels
  Secure not just the API communications layer but also the payload
  Build a security analytics program that will actually provide value and help mitigate new threats and manage risk to your enterprise
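The security telemetry and analytics points above, applied to the velocity attack from the API threats list and to the Snapchat mass phone-number harvesting case: an added detection example, not from the presentation, that runs over a constructed JSON-lines API access log and emits SIEM-ready alert events. The log field names, path layout, thresholds and rule names are assumptions.

```python
import json
import re
from collections import defaultdict

RESOURCE_ID = re.compile(r"/users/(\d+)/")   # resource id embedded in the request path

# Constructed sample access log as JSON lines (hypothetical, not from the slides):
# key-A walks sequential user ids once each; key-B re-reads the same three users slowly.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1000 + i, "api_key": "key-A", "client_ip": "203.0.113.5",
                 "path": f"/v1/users/{5000 + i}/phone", "status": 200}) for i in range(120)]
    + [json.dumps({"ts": 1000 + 7 * i, "api_key": "key-B", "client_ip": "198.51.100.9",
                   "path": f"/v1/users/{7000 + i % 3}/phone", "status": 200}) for i in range(20)])

def parse_events(log_text):
    """Parse a JSON-lines access log; skip lines that are not well-formed events."""
    events = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if isinstance(ev, dict) and all(k in ev for k in ("ts", "api_key", "path")):
            events.append(ev)
    return events

def detect(log_text, window=60, velocity_limit=50, enum_distinct=40, enum_ratio=0.8):
    """Aggregate per API key per tumbling window and emit SIEM-style alert events.
    api_velocity: more than velocity_limit calls in one window.
    api_enumeration: at least enum_distinct distinct resource ids with most calls
    hitting a new id, the signature of harvesting data through legitimate calls."""
    buckets = defaultdict(lambda: {"count": 0, "ids": set(), "ips": set()})
    for ev in parse_events(log_text):
        b = buckets[(ev["api_key"], ev["ts"] // window * window)]
        b["count"] += 1
        b["ips"].add(ev.get("client_ip", "?"))
        m = RESOURCE_ID.search(ev["path"])
        if m:
            b["ids"].add(m.group(1))
    alerts = []
    for (key, start), b in sorted(buckets.items()):
        base = {"api_key": key, "client_ips": sorted(b["ips"]), "window_start": start,
                "window_end": start + window, "calls": b["count"], "distinct_ids": len(b["ids"])}
        if b["count"] > velocity_limit:
            alerts.append({"rule": "api_velocity", **base})
        if len(b["ids"]) >= enum_distinct and len(b["ids"]) / b["count"] >= enum_ratio:
            alerts.append({"rule": "api_enumeration", **base})
    return alerts
```

Each alert carries the API key, source addresses, window and counts, which is what an analyst needs to revoke the key or tune the gateway's quota without re-reading the raw log.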
Questions?
End-to-End Security is Needed (diagram)
  Consumption (security for app-to-API; user, app, developer): flexible application level access control; enable developers for security automation
  Exposure (security for API-to-backend; API, API team, backend): consistent backend service protection; enable API team to securely expose backend services
Do the Following Matter in App & API Security?
  Kerberos for authentication: Kerberos is not suitable for Web services authentication and can be replaced with OAuth or OpenID Connect for AuthN and AuthZ.
  XACML based policy management (AuthZ): XACML is not suitable for cloud and mobile apps given its complexity and payload size, and it is not friendly to developers who prefer lightweight mechanisms that promote agility.
  WS-* security services: SOA-centric and heavyweight for a REST-centric API architecture.