SlideShare a Scribd company logo

Better API Security With A SecDevOps Approach

Nordic APIs, profile picture
Nordic APIs

The document discusses API security, emphasizing the importance of automated security measures and the evolution of common vulnerabilities as reported by OWASP from 2010 to 2017. It stresses the need for organizations to know their APIs, validate inputs, and implement fine-grained authorization while outlining strategies for vulnerability detection and protection. Key recommendations include the use of OpenAPI specifications, automated analysis tools, and continuous monitoring for improved API security.

Software
Related topics:
API Security Insights Nordic APIs
1 of 33
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
The API Security Platform for the Enterprise ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER ISABELLE@42CRUNCH.COM BETTER SECURITY WITH AN AUTOMATED APPROACH
OWASP : FROM 2010 THROUGH 2017 2 TOP 10 2010 A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Top 10 2017 A1: Injection* A2: Broken Authentication A3: Sensitive Data Exposure* A4: XML External Entities (XXE)* A5: Broken Access Control* A6: Security Misconfiguration* A7: Cross-Site Scripting (XSS)* A8: Insecure Deserialization* A9: Using Components with Known Vulnerabilities* A10: Insufficient Logging&Monitoring *= API related
3By 2022 APIs will become the most common attack vector - Gartner
HOW DID WE GET THERE? 4
WE ARE HUMANS! 5
6
COVERING THE BASICS 7
8
KNOW YOUR APIS 9 1 See: https://www.owasp.org/index.php/Application_Threat_Modeling
VALIDATE AND SANITIZE INPUT 10 URL validation Verb validation ✓ Reject if not valid Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPENAPI SPECIFICATION to the RESCUE !
VALIDATE JWT TOKENS 11 Don’t trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended) Reject None! Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims and your own claims See details Learn the best practices for keeping your JWTs secure. 3 OPENAPI SPECIFICATION (AGAIN) to the RESCUE !
FINE-GRAIN AUTHORIZATION 12 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution (XACML!) 4
FINDING VULNERABILITIES 13
START EARLY: SHIFT LEFT ! 14 DeploymentTestingDevelopmentDesign
15 Development Security Operations Business
COVER THE BASICS 16 Automated Analysis Static code analysis 3rd party libraries validation (CVEs), e.g. NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
HACK YOURSELVES! 17 API Scanning/Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (coming soon!) Transport analysis ✓ SSL Labs ✓ Hardenize Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
18 PROTECT YOUR APIS 3 Protect all APIs ( public, private, SaaS) AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls ✓ Enforce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Data Validation / JWT Validation / Auth / Azn ✓ Serves as Virtual Patching (as a WAF does for applications) ✓ Deploy at the edge and/or close to APIs (microservices architecture)
Use Development ticketing system for tracking issues Analyse runtime behaviour and raise issues automatically 19 MONITOR AND ANALYZE 4
JOIN THE MAILING LIST ! APISECURITY.IO NEWS AND TOOLS FOR BETTER API SECURITY
ADDITIONAL INFORMATION 21
PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS 22 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
CONTENT INJECTION: WORDPRESS API 23https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
TITLE TEXT Remote Command Execution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 24
25 https://www.talosintelligence.com/reports/TALOS-2018-0539/
26 Information Leakage (A3) Broken Access Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
N26 CONTINUED… 27
28 Failed to properly validate that you can’t input any other number than yours!
UNPROTECTED API ! (A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 29
AND OF COURSE …. EQUIFAX FOR A9 30
JWT TOKEN VALIDATION 31 Failed to properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
RESOURCES OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 32
RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 33

More Related Content

PDF
Better API Security with Automation
42Crunch
 
PDF
APIDays Paris Security Workshop
42Crunch
 
PDF
SecDevOps for API Security
42Crunch
 
PDF
42crunch-API-security-workshop
42Crunch
 
PDF
API Security: the full story
42Crunch
 
PDF
Advanced API Security Patterns
42Crunch
 
PDF
OWASP API Security Top 10 Examples
42Crunch
 
PDF
Guidelines to protect your APIs from threats
Isabelle Mauny
 
Better API Security with Automation
42Crunch
 
APIDays Paris Security Workshop
42Crunch
 
SecDevOps for API Security
42Crunch
 
42crunch-API-security-workshop
42Crunch
 
API Security: the full story
42Crunch
 
Advanced API Security Patterns
42Crunch
 
OWASP API Security Top 10 Examples
42Crunch
 
Guidelines to protect your APIs from threats
Isabelle Mauny
 

What's hot (20)

PDF
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
PDF
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
PPT
Spring Security Introduction
Mindfire Solutions
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
PDF
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
PPTX
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
PPTX
Owasp 2017 oveview
Shreyas N
 
PDF
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
PPTX
Owasp webgoat
Zakaria SMAHI
 
PPTX
Owasp top 10 security threats
Vishal Kumar
 
PDF
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
PPTX
Microservices Security
Aditi Anand
 
PPTX
DevSecCon Tel Aviv 2018 - Serverless Security
Avi Shulman
 
PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
PPTX
CSS 17: NYC - Building Secure Solutions in AWS
Alert Logic
 
PDF
Spring Security
Sumit Gole
 
PDF
Top 10 Web Application vulnerabilities
Terrance Medina
 
PPTX
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
Spring Security Introduction
Mindfire Solutions
 
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
Secure coding guidelines
Zakaria SMAHI
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
Owasp 2017 oveview
Shreyas N
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Owasp webgoat
Zakaria SMAHI
 
Owasp top 10 security threats
Vishal Kumar
 
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
Microservices Security
Aditi Anand
 
DevSecCon Tel Aviv 2018 - Serverless Security
Avi Shulman
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
CSS 17: NYC - Building Secure Solutions in AWS
Alert Logic
 
Spring Security
Sumit Gole
 
Top 10 Web Application vulnerabilities
Terrance Medina
 
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
Ad

Similar to Better API Security With A SecDevOps Approach (20)

PPTX
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
PDF
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays
 
PPTX
Azure App Gateway and Log Analytics under Penetration Tests
Roy Kim
 
PPT
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
PDF
Security in the cloud protecting your cloud apps
Cenzic
 
PDF
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
PPT
OWASP an Introduction
alessiomarziali
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PPTX
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PPTX
Outpost24 webinar - Api security
Outpost24
 
PPTX
DevSecOps - automating security
John Staveley
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays
 
Azure App Gateway and Log Analytics under Penetration Tests
Roy Kim
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
Security in the cloud protecting your cloud apps
Cenzic
 
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
OWASP an Introduction
alessiomarziali
 
The path of secure software by Katy Anton
DevSecCon
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Outpost24 webinar - Api security
Outpost24
 
DevSecOps - automating security
John Staveley
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
Ad

More from Nordic APIs (20)

PPTX
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
PPTX
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
PDF
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
PPTX
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
PPTX
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
PDF
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
PPTX
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
PPTX
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
PPTX
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
PPTX
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
PPTX
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
PPTX
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
PPTX
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
PPTX
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
PPTX
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
PPTX
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
PPTX
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
PPTX
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
PDF
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
PPTX
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 

Recently uploaded (20)

PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
System and Network Administration Chapter 2
jaramharo
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 

Better API Security With A SecDevOps Approach

  • 1. The API Security Platform for the Enterprise ISABELLE MAUNY - CHIEF PRODUCT OFFICER & CO-FOUNDER [email protected] BETTER SECURITY WITH AN AUTOMATED APPROACH
  • 2. OWASP : FROM 2010 THROUGH 2017 2 TOP 10 2010 A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Top 10 2017 A1: Injection* A2: Broken Authentication A3: Sensitive Data Exposure* A4: XML External Entities (XXE)* A5: Broken Access Control* A6: Security Misconfiguration* A7: Cross-Site Scripting (XSS)* A8: Insecure Deserialization* A9: Using Components with Known Vulnerabilities* A10: Insufficient Logging&Monitoring *= API related
  • 3. 3By 2022 APIs will become the most common attack vector - Gartner
  • 4. HOW DID WE GET THERE? 4
  • 6. 6
  • 8. 8
  • 10. VALIDATE AND SANITIZE INPUT 10 URL validation Verb validation ✓ Reject if not valid Query params validation ✓ Min / Max / Pattern-based matching Content-Type validation ✓ Don’t accept as-is! Accept Header validation ✓ Don’t copy into Content-Type Data inbound ✓ Format ✓ Message Size and complexity Data outbound ✓ Data Leakage ✓ Exception Leakage ✓ Use rules against data dictionary 2 OPENAPI SPECIFICATION to the RESCUE !
  • 11. VALIDATE JWT TOKENS 11 Don’t trust the incoming token! Validate algorithm (the one you chose!) ✓ HS256 ✓ RS256 (recommended) Reject None! Validate signature ✓ Prefer digital signatures over HMAC ✓ If not, be careful of key exchange Validate standard claims and your own claims See details Learn the best practices for keeping your JWTs secure. 3 OPENAPI SPECIFICATION (AGAIN) to the RESCUE !
  • 12. FINE-GRAIN AUTHORIZATION 12 Who is calling ? ✓ Is it your own app ? ✓ Is it a trusted user ? What can they do ? Example: T-Mobile number Scopes are often not enough ! ✓ Need ABAC solution (XACML!) 4
  • 14. START EARLY: SHIFT LEFT ! 14 DeploymentTestingDevelopmentDesign
  • 16. COVER THE BASICS 16 Automated Analysis Static code analysis 3rd party libraries validation (CVEs), e.g. NPS / Snyk for Node.js GitHub dependencies graph Manual Analysis Code reviews 1
  • 17. HACK YOURSELVES! 17 API Scanning/Fuzzing ✓ Veracode, Coverity ✓ 42Crunch (coming soon!) Transport analysis ✓ SSL Labs ✓ Hardenize Further Analysis ✓ Bug Bounty ✓ Pen Testing 2
  • 18. 18 PROTECT YOUR APIS 3 Protect all APIs ( public, private, SaaS) AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls ✓ Enforce Rate Limiting • Brute force attacks (see N26!) • DOS attacks ✓ Data Validation / JWT Validation / Auth / Azn ✓ Serves as Virtual Patching (as a WAF does for applications) ✓ Deploy at the edge and/or close to APIs (microservices architecture)
  • 19. Use Development ticketing system for tracking issues Analyse runtime behaviour and raise issues automatically 19 MONITOR AND ANALYZE 4
  • 20. JOIN THE MAILING LIST ! APISECURITY.IO NEWS AND TOOLS FOR BETTER API SECURITY
  • 22. PROPOSAL FOR A DEV-SEC-OPS CYCLE FOR APIS 22 Monitor Assess Protect Test Develop Deploy Monitor Security Vulnerabilities and runtime behavior Continuous API hardening including API fuzzing Deploy to containerized PEP Configure and apply security policies from assessed risk Assess API description and evaluate risk level Develop and document API with OpenAPI/Swagger
  • 23. CONTENT INJECTION: WORDPRESS API 23https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  • 24. TITLE TEXT Remote Command Execution (A1) SQL Injection (A1) JSON injection (A1) Information Leakage (A3) Broken Access Control (A5) Check: https://blog.talosintelligence.com/2018/07/ samsung-smartthings-vulns.html 24
  • 26. 26 Information Leakage (A3) Broken Access Control (A5) Check: https://www1.cs.fau.de/ filepool/projects/n26/n26-roots.pdf
  • 28. 28 Failed to properly validate that you can’t input any other number than yours!
  • 29. UNPROTECTED API ! (A6) Remote Command Execution SQL Injection Buffer Overflow JSON injection Information Leakage Check: https://blog.talosintelligence.com/2018/07/samsung- smartthings-vulns.html 29
  • 30. AND OF COURSE …. EQUIFAX FOR A9 30
  • 31. JWT TOKEN VALIDATION 31 Failed to properly validate JWT token (A5) Algorithm (set to None) Claims (audience)
  • 32. RESOURCES OWASP Top 10 ✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project OWASP DevSlop Project ✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project Chaos Engineering ✓ http://principlesofchaos.org ✓ https://github.com/dastergon/awesome-chaos-engineering OWASP ZAP ✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Source Code Analysis ✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools Code Security reviews ✓ https://www.owasp.org/index.php/Code_Review_Introduction Systems Scans ✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Security Methodology ✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 32
  • 33. RESOURCES SSL Setup Scan ✓ https://hardenize.com ✓ https://securityheaders.io ✓ https://www.ssllabs.com/ssltest/ Threat Modelling ✓ https://www.owasp.org/index.php/Application_Threat_Modeling Attacks Type Information ✓ XSS: https://excess-xss.com ✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo ✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc ✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc Pixi / DevSlop ✓ https://github.com/DevSlop/Pixi ✓ https://devslop.co JWT as session data ✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens 33