ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems


Why Should You Care About APIs?
- Because cloud and mobile computing are built on APIs
- Because integration today is accomplished via APIs
- Because.

API Calls Per Day: Billions Served

APIs Are Big Business
- Expedia's affiliate network conducts more than USD 2 billion worth of transactions per year via APIs alone

- ProgrammableWeb tracks over 12,400 APIs publicly available to developers

An Example: Amazon Web Services
- EC2 alone has 148 APIs

International Usage of APIs
- Weibo (Chinese microblog; the Chinese version of Twitter): more than 300 million users

Something About Reduced Attack Surface?
- GmailFS
- Dropship

Popular Applications Hacked September 2012

Other Recent Hacks of APIs
- Snapchat API hack, December 2013: personal information breach; mass phone number harvesting; creation of bogus accounts; poised to become a mass spamming platform
- Bitly API hack, May 2014: personal information breach of users' email addresses, encrypted passwords, API keys and OAuth tokens

Even More Recently: Black Hat 2014
CLOUDBOTS: HARVESTING CRYPTO COINS LIKE A BOTNET FARMER
"What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service. We explore just how easy it is to generate massive amounts of unique email addresses; in order to register free trial accounts, deploy code, and distribute commands (C2). We managed to build this cloud-based botnet all for the low cost of $0 and semi-legally. This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares!"

Where to Begin?
- Do you even know what APIs your organization has or is using?
- Do you even know what data is being shared via APIs with your trusted and untrusted customers, partners, and/or vendors?

[Diagram: Consumption versus Exposure. Consumption side: mobile apps, web apps and social apps (all apps). API tier, marked as the trust boundary, providing persistence, security, orchestration and analytics. Exposure side: app servers, ESB, backend services.]

API Services Security Components
- Security for Consumption (apps, partner developers): identity services, authentication & authorization, threat protection, traffic management, developer services and developer security
- Security for Exposure (backend service): identity services, authentication & authorization, threat protection, logging & auditing
- Analytics Services: security analytics
- Advanced API Services with security & identity capabilities

Needed: End-to-End Security
- Covers both API exposure security and API consumption security
- Stakeholders: DevOps, app developers, IT security, API architects, business owner, end users
- API management solutions must address the security considerations of various stakeholders and consumers of APIs

Auditing, Logging, TLS: End-to-End Security for App & API Developers
- Developer Services (developer portal): token/API key management, logging & auditing, TLS management, developer user management, RBAC, policy management
- API Team: analytics services across users, apps, developers, APIs and systems
- API Services: Basic/OAuth, 3rd party sign-in, token management, delegated auth (LDAP), quota/rate limiting, app secure registration, two-way TLS, OAuth/SAML authorization, RBAC for APIs, backend

Delivering a Secure App and API Infrastructure
App to API (Consumption):
- Authentication (TLS, OAuth, API key)
- API key and token management
- Two-way TLS
- Authorization (permission management)
- Runtime policy
- SLA enforcement
- Logging and auditing
- Analytics: security reports; runtime detection reports (volume based, traffic properties)
API to Backend (Exposure):
- Authentication (TLS, OAuth, SAML)
- Two-way TLS
- Delegated authentication (LDAP, AD)
- Integration with custom identity providers
- Fine-grain authorization
- Logging and auditing
Threat Protection:
- XML / JSON poisoning / injection
- SQL injection
- DDoS / App-DoS attacks
- Quota / Spike Arrest
Identity:
- User provisioning
- RBAC management
- Groups
- Identity provider (cloud or on-premise)
Infrastructure Security and Compliance:
- Cloud-based security (AWS + other)
- SOC 2, PCI-DSS, HIPAA
- 24 x 7 organizational support
- IP based access restrictions

Security Architecture
- Identity & Management (developers; IT security / architect): keys/token management, certificate management, policy management, RBAC management, user management
- API security (apps): authentication, authorization, policy enforcement, traffic management, logging & auditing; backed by a key store, a policy store and a log store
- Threat Protection: TLS, DDoS, rate limiting & quota, payload protection
- Analytics
- Compliance (SOC 2, PCI DSS, HIPAA) and cloud security

[Diagram: Built-in Security + Flexible Security Integration. Apps reach the API management platform through the external firewall, with identity (OAuth, X.509, API key), TLS, ACL, DDoS and XML threat protection, rate limiting, and log & audit applied at the platform. The platform reaches the backend service through the internal firewall over TLS/HTTPS and integrates with 3rd party security services (AAA, logs, analytics). Partner identity uses LDAP, RBAC and X.509; developer identity uses X.509, SAML, OAuth, LDAP and RBAC over TLS against the enterprise identity store.]

Authentication & Authorization
- Scenarios: business to business; trusted developers; untrusted developers; HTML5 applications; identity tracking
- Authentication options: TLS cert and API key; API key, OAuth token and IP address; SAML identity control policies (generate SAML assertion, validate SAML assertion); two-way TLS; identity-based access tracking policy
- Authorization options: verify API key; OAuth 1.0a & OAuth 2.0 policies using the client credentials grant (two-legged OAuth), the resource owner password grant, the authorization code grant (three-legged OAuth) or the implicit grant
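As an added example (not code from the deck), here is a small Python model of the client credentials (two-legged OAuth) grant listed above: the token endpoint authenticates the client and issues a scoped, expiring bearer token, and the resource side enforces scope as its fine-grain authorization check. Client ids, secrets and scope names are constructed placeholders, and hashing secrets with SHA-256 is an assumption made for brevity.

```python
import hashlib
import hmac
import secrets
import time

def _digest(secret):
    # Assumption for the example: secrets stored as SHA-256 digests. A slow KDF
    # (scrypt/argon2) is the better choice in a real token service.
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed client registry: client_id -> (secret digest, scopes it may request)
CLIENTS = {
    "partner-app": (_digest("s3cr3t-partner"), {"orders:read", "orders:write"}),
    "untrusted-app": (_digest("s3cr3t-untrusted"), {"orders:read"}),
}

class AuthServer:
    """Token endpoint for the client credentials (two-legged OAuth) grant."""
    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.tokens = {}  # access_token -> (client_id, scopes, expiry time)

    def token(self, client_id, client_secret, scope, now=None):
        now = time.time() if now is None else now
        entry = CLIENTS.get(client_id)
        # Authentication: constant-time compare so timing does not leak the digest
        if entry is None or not hmac.compare_digest(entry[0], _digest(client_secret)):
            return {"error": "invalid_client"}
        wanted = set(scope.split())
        if not wanted <= entry[1]:
            return {"error": "invalid_scope"}  # client registered for less than it asked
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (client_id, wanted, now + self.ttl)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": self.ttl}

def authorize(server, auth_header, needed_scope, now=None):
    """Resource-server check: bearer token present, known, unexpired, scoped."""
    now = time.time() if now is None else now
    if not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    entry = server.tokens.get(auth_header[len("Bearer "):])
    if entry is None:
        return False, "unknown token"
    client_id, scopes, expiry = entry
    if now >= expiry:
        return False, "token expired"
    if needed_scope not in scopes:
        return False, "insufficient scope"
    return True, client_id
```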

Threats to APIs

API Threats: What Is New?
- Spoofing of identity
- Denial of service by bad actors, inadvertent errors, and botnets
- Network eavesdropping in the communication chain between app and enterprise backend services
- Replay attacks
- Unauthorized access to management system and configuration data
- Man-in-the-middle attacks
- Velocity attack using legitimate API calls
- Elevation of privilege by applications and developers
- Data tampering and injection attacks that lead to information disclosure
- Disclosure of confidential data stored and processed in mobile, API, and backend services
- Theft of credentials, API keys, tokens, or encryption keys

Threat Protection
- Denial of Service attack: Spike Arrest policy (protection against instantaneous bursts of traffic); Access Control policy (imposing limits on who can access your API)
- Injection and scripting attacks: Regular Expression Protection policy (allows you to scan payloads for SQL, JavaScript, etc.)
- XML / JSON threats: XML and JSON Threat Protection policies (keep malformed payloads out of your system)
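As an added example (not the deck's code), here is a small Python model of the policies on this slide: a per-client Spike Arrest window, and a JSON Threat Protection walk that bounds nesting depth, entry count and string length and applies a Regular Expression Protection scan to string values. The limits and the signature patterns are constructed assumptions; a gateway would run the spike arrest before parsing the payload at all.

```python
import json
import re
import time

# Constructed policy limits, modelled on the Spike Arrest, Regular Expression
# Protection and JSON Threat Protection policies named on the slide.
SPIKE_ARREST_PER_SEC = 5   # calls per second allowed per client
JSON_MAX_DEPTH = 4         # nesting depth allowed in a payload
JSON_MAX_ENTRIES = 50      # keys per object / elements per array
JSON_MAX_STRING = 256      # longest string value allowed
# Constructed, deliberately small signature set for SQL / script injection
INJECTION_RE = re.compile(r"(?i)(\bunion\s+select\b|<script\b|\bor\s+1=1)")

class SpikeArrest:
    """Fixed one-second window per client; rejects calls beyond the limit."""
    def __init__(self, limit=SPIKE_ARREST_PER_SEC):
        self.limit = limit
        self.hits = {}  # client -> (window start, calls seen in window)

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        start, count = self.hits.get(client, (now, 0))
        if now - start >= 1.0:
            start, count = now, 0  # new window
        self.hits[client] = (start, count + 1)
        return count + 1 <= self.limit

def _walk(node, depth):
    """Recursive JSON threat checks; returns a reason string or None."""
    if depth > JSON_MAX_DEPTH:
        return "depth %d exceeds %d" % (depth, JSON_MAX_DEPTH)
    if isinstance(node, str):
        return ("string too long" if len(node) > JSON_MAX_STRING else
                "injection pattern in payload" if INJECTION_RE.search(node) else None)
    if isinstance(node, (dict, list)):
        if len(node) > JSON_MAX_ENTRIES:
            return "too many entries in object/array"
        for child in (node.values() if isinstance(node, dict) else node):
            reason = _walk(child, depth + 1)
            if reason:
                return reason
    return None

def json_threat_check(raw):
    """Parse strictly, then walk; None means the payload is within limits."""
    try:
        return _walk(json.loads(raw), 1)
    except (ValueError, RecursionError):  # malformed text or a nesting bomb
        return "malformed or too deeply nested JSON"
```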

Identity
- User Provisioning: configure fine-grain control of user access to data, features and functionality; flexible provisioning and management of users
- RBAC Management: enhanced system security with out-of-the-box roles; employ RBAC at every layer to protect sensitive information (API keys, TLS certificates, OAuth tokens, audit logs)
- Manage Groups: convenient and practical grouping of users based on any number of criteria, including location and interests
- Identity Provider: integrate with any identity provider that has an API, supports SAML, or supports LDAP v3 (for on-premise only)

Infrastructure & Compliance
- SOC 2: you or your provider will almost certainly need this
- PCI-DSS, HIPAA: you or your provider might need this
- European Data Directive: if you or your provider are doing business in Europe, then this will be required
- API health visibility: round-the-clock monitoring; real-time and historic API health visibility; API security and compliance tracking; component and process monitoring

[Diagram: Use Case, Secure Partner Collaboration. Apps call the API platform (security & identity); all interactions (events) and metrics feed a security analytics service, or alternatively a customer analytics service, whose insights reach data analysts through a dashboard. Backend services sit in both the internal domain and an external domain.]

[Diagram: Use Case, API Enabled Data Federation. Partners and analysts use tools that go through the API management platform, which enforces multiple access levels and fine granular access control over a data store integration API fronting diverse data stores.]

Security: More Than Securing a New Channel
APIs are making it easier to integrate the customer experience across channels.
- Partner with developers and the business to build security into the API architecture
- Instrument security telemetry to seamlessly integrate with your existing Security Information and Event Management (SIEM) system
- Protect customer PII data and prevent data breaches via API channels
- Secure not just the API communications layer but also the payload
- Build a security analytics program that will actually provide value and help mitigate new threats and manage risk to your enterprise

Questions?

End-to-End Security is Needed
- Consumption (security for app-to-API; user, app, developer): flexible application-level access control; enable developers for security automation
- Exposure (security for API-to-backend; API team, backend): consistent backend service protection; enable the API team to securely expose backend services

Do The Following Matter in App & API Security?
- Kerberos for authentication: Kerberos is not suitable for Web services authentication and can be replaced with OAuth and OpenID Connect for AuthN and AuthZ.
- XACML-based policy management (AuthZ): XACML is not suitable for cloud and mobile apps given its complexity and payload size, and it is not friendly to developers who prefer lightweight mechanisms that promote agility.
- WS-* security services: SOA-centric and heavyweight for a REST-centric API architecture.