ZendCon 2018 - Practical API Security
0 likes314 views
This document discusses practical API security. It recommends implementing defense in depth with techniques like transport layer security, rate limiting, authentication, data validation, data encryption, logging, and access control. It provides examples of implementing rate limiting and replay prevention using unique request identifiers stored in an in-memory or local datastore. It also covers validating requests, responses, and data as well as encrypting data at rest and in transit. The document emphasizes the importance of logging all actions in a structured format to help identify security issues.
ZendCon 2018 - Practical API Security
- 1. @adam_englander Practical API Security Adam Englander, Software Architect iovation
- 2. @adam_englander Let's set some expectations...
- 3. @adam_englander What are we protecting against?
- 5. @adam_englander How do we provide that protection?
- 7. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 8. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 10. @adam_englander
- 11. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 12. @adam_englander Replay prevention requires unique requests
- 13. @adam_englander Determine Uniqueness of Request GET / HTTP/1.1 Accept: application/json
- 14. @adam_englander Determine Uniqueness of Request GET / HTTP/1.1 Accept: application/json X-Nonce: 5ed518e8c5c51a64638b2b50c192242d
- 15. @adam_englander Store that unique value in a datastore so you can verify you don't see it again
- 16. @adam_englander Use the add function on the cache to prevent race conditions
- 17. @adam_englander Cache Example if ($token === null) { throw new AuthorizationRequiredException(); } elseif (!$this->cache->add(hash('sha512', $token), 1, 10)) { throw new InvalidRequestException(); }
- 18. @adam_englander Use insert on unique index for RDBMS to prevent race conditions
- 19. @adam_englander Rate limiting requires unique identification for restrictions
- 21. @adam_englander Use the add and increment functions of the cache to prevent race conditions
- 22. @adam_englander Cache Example $key = sprintf("%s|root-post|%s", $userId, $timeSlice); $this->cache->add($key, 0, 1); $total = $this->cache->increment($key);
- 23. @adam_englander Use insert with unique index and update returning in RDBMS to prevent race conditions
- 24. @adam_englander Data stores can be done in three ways.
- 28. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 29. @adam_englander Do not make authentication part of the body
- 30. @adam_englander Use the Authorization header
- 31. @adam_englander HTTP Basic Authentication Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- 32. @adam_englander HTTP Digest Authentication DO NOT USE!
- 33. @adam_englander HTTP Bearer Authentication Authorization: Bearer mF_9.B5f-4.1JqM
- 35. @adam_englander Many APIs do this
- 36. @adam_englander What about never rolling your own crypto?
- 38. @adam_englander No auth service required
- 39. @adam_englander Can use existing JWT libraries to create and validate
- 40. @adam_englander Can be extended beyond auth to provide data validation and MITM protection
- 41. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 42. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 45. @adam_englander Method Validation GET /user/abc HTTP/1.1 Accept: application/json
- 46. @adam_englander Method Validation DELETE /user/abc HTTP/1.1 Accept: application/json
- 47. @adam_englander Path Validation GET /user/abc HTTP/1.1 Accept: application/json
- 48. @adam_englander Path Validation GET /user/def HTTP/1.1 Accept: application/json
- 49. @adam_englander Body Validation PATCH /user/abc HTTP/1.1 {"email": "[email protected]"}
- 50. @adam_englander Body Validation PATCH /user/abc HTTP/1.1 {"email": "[email protected]"}
- 52. @adam_englander Status Code Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
- 53. @adam_englander Status Code Validation HTTP/1.1 400 Invalid Request Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
- 54. @adam_englander Status Code Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
- 55. @adam_englander Status Code Validation HTTP/1.1 301 Moved Content-Type: application/json; charset=UTF-8 Content-Length: 21 Location: https://bad.actor.com {"expected": "value"}
- 56. @adam_englander Header Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 Cache-Control: no-cache {"expected": "value"}
- 57. @adam_englander Header Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 Cache-Control: max-age=99999999 {"expected": "value"}
- 58. @adam_englander Data Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"active": false}
- 59. @adam_englander Data Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"active": true}
- 61. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 62. @adam_englander Encrypt Data at Rest
- 63. @adam_englander Use a structure format that allows for in-place key rotation and nonce storage
- 64. @adam_englander COSE CBOR Object Signing and Encryption (COSE) Concise Binary Object Representation (CBOR)
- 66. @adam_englander Encrypt Data in Transit
- 69. @adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
- 71. @adam_englander Log in a structured format for easier parsing
- 72. @adam_englander Log all pertinent actions
- 73. @adam_englander Include all data regarding state. Anonymize sensitive data.
- 74. @adam_englander Include origin data to identify bad actors.
- 75. @adam_englander Utilize tools like ELK or Greylog to aggregate logs
- 76. @adam_englander Determine anomalous conditions and alert on those conditions.
- 77. @adam_englander And now we code…