SlideShare uma empresa Scribd logo

Designing Secure APIs

S
Steven Chen

APIs are the building blocks of interoperability on the web and are a key component of scalable and successful technology companies. As externally-consumable APIs expose more information and functionality, ensuring privacy and security of customer data is an increasingly risky proposition. In this session, we’ll talk about some of Slack’s learnings around building Developer APIs and best practices for keeping your APIs safe. Slides originally for a presentation at the Rocky Mountain Technology Summit. Slightly reduced content.

Software
1 de 53
Baixar para ler offline
Steven Chen, Engineering Manager, Slack Designing Secure APIs Photo: Steve McClanahan
 Locks at Auckland Harbour Bridge
I am a petrolhead.
I am an API nerd.
Every API needs security. PUBLIC In endeavoring to expose functionality to third-parties you blur the perimeters of your service and openly expose your data assets and business capabilities. INTERNAL / PRIVATE Without the intention of exposing your interfaces to third-parties, you might work under the illusion of security. You are still at risk.
OPEN APIS 68.8% of organizations are exposing APIs to the public and their partners. 
 HUGE SURFACE AREA On average, companies manage 363 different public- facing APIs. SPECIALIZATION GAP 1 in 4 companies do not treat API security any differently than web security. Wehaveanopenissue.
The internet isahostile environment. Public by default. Gives everyone access to over 200MM transactions. Venmo An exposed and unauthenticated API let anyone access the personal account details of any customer with just their cell phone number.  Facebook Cambridge Analytica acquired user data through a Facebook app developer. $37B drop in market cap. T-Mobile
Security first. Your customers do not understand it, but they demand it.
COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Ittakesasecurity firstmindset.
COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
SAY NO TO PLAIN-TEXT It is 2018. There is no excuse. ALWAYS HASH THEM Hashing provides a one-way transformation of text. You store the resulting hash and when a user attempts to authenticate the comparison is done by a hash on the input. DO NOT ROLL YOUR OWN Argon2, scrypt, bcrypt. There are many libraries out there. Unless you are a cryptography expert do not attempt to roll your own. Encrypt yourpasswords. 🤫 USE A SLOW HASH Password hashes should be slow to protect against a “dictionary attack”. The slower the hash, the longer it takes to run through a dictionary.
HTTPS ALL THE THINGS It is 2018. There is no excuse. HTTP traffic can be read by anyone with network access. HTTPS traffic can only be decrypted by the certificate owner. LET’S ENCRYPT IF ON A BUDGET Let's Encrypt is a free, automated, open-source certificate authority. Encrypt trafficusingTLS/SSL. 🔐
ENCRYPTION AT REST OR BY DEFAULT Data stored on servers is considered “at rest”. This protects against physical theft, but also protect against any unauthorized access to data. STRICTLY MANAGE ACCESS Many small or startup companies give everyone direct production access. While this eases administration and overhead it is simple to make mistakes. STORE THE MINIMUM AMOUNT OF DATA To borrow from the old software adage… YAGNI. You Ain’t Gonna Need It. Store only the data you really need to reduce risk. ENCRYPTION / SECURITY CAN BE EASY Many database servers can provide application-level encryption. Google Cloud Platform encrypts customer data stored at rest by default. Besmartaboutdataatrest. 💤
1. INJECTION An injection of code happens when an attacker sends invalid data to the application with the intention of it making an action other than what was designed. 3. SENSITIVE DATA EXPOSURE Sensitive data may be compromised without extra protection, such as encryption at rest or in transit. 4. XML EXTERNAL ENTITIES (XXE) External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. KnowtheOWASPTopTen. 🎳 2. BROKEN AUTHENTICATION Weak or broken authentication mechanisms allow an attacker to gain control over passwords, keys, or tokens – or even worse – to gain complete control over entire systems.
5. BROKEN ACCESS CONTROL Restrictions on what authenticated users are allowed to do are often not properly enforced. 7. CROSS-SITE SCRIPTING (XSS) XSS flaws occur whenever an application includes untrusted data without proper validation or escaping or updates an existing web page with user-supplied data. 8. INSECURE DESERIALIZATION Insecure deserialization often leads to remote code execution. KnowtheOWASPTopTen. 🎳 6. SECURITY MISCONFIGURATION This is commonly a result of leaving default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages.
9. USING COMPONENTS WITH KNOWN VULNERABILITIES Libraries, frameworks, and other components run with the same privileges as the application. They need to be kept up-to-date and secure. 11. CHECK PREVIOUS ISSUANCES AND STAY UP-TO-DATE The Open Web Application Security Project updates the top 10 every few years. There are still gems in the previous notices and there will be more to come. Security is a full-time and constant concern. KnowtheOWASPTopTen. 🎳 10. INSUFFICIENT LOGGING AND MONITORING Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
The most secureAPI isonethat doesnotexist. ASK WHAT THE USE CASE IS What problems are you trying to solve and what functionality are you trying to expose. Having an API for the sake of having one is an insecure proposition. EXPOSE ONLY WHAT YOU NEED Just as you should store only the data that you need for those who need it. Your API should only expose information necessary to meet the use case.
Ask your clientsfor clean requests. MAKE IT HARDER FOR CLIENTS TO MAKE A MISTAKE Provide clean documentation, URLs that do not ask for potentially sensitive information, ask for timestamps, and consider publishing a spec such as OpenAPI. VERIFY TOWARDS THE TOP Never trust user input. Never assume that someone else has verified either the request or some level of authorization. Make these checks at the highest levels possible.
IT IS SECURE UNTIL IT IS NOT Even if your API is meant to be for internal use or for special clients, you should verify who that client is. CONSIDER OAUTH OAuth allows clients to authenticate from another service without sharing their password and allows API providers to grant granular permissions. AVOID SESSIONS WHERE POSSIBLE Sessions leave open windows for attackers to impersonate a real user. This state is stored somewhere on the client where you as an API have little control. Alwaysauthenticate. AT LEAST USE BASIC AUTHENTICATION If you are exposing an internal API and want the bare minimum consider basic authentication with TLS / SSL. This is kind of awful, but better than nothing!
SCOPE REQUEST ACCESS Setup granular permissions for your API that are scoped only to specific resources or functionality. EXPLICITLY GRANT PRIVILEGES A client’s default access level to any resource in the system should be DENIED unless they are explicitly granted a PERMIT. SEPARATION OF PRIVILEGE Where logical, a client’s permissions should not be based on a single condition, but rather a combination of conditions. Alwaysauthorize. PRINCIPLE OF LEAST PRIVILEGE Similarly, every client must only be able to access the resources and functionality that are minimally necessary for their purpose.
Aboutthose keys and tokens. DO NOT ASK FOR THEM IN THE REQUEST Keys and tokens being passed around in URLs are ripe for being sniffed out. Always use a POST request when transmitting secrets over HTTP. ENSURE THEY ARE NON- SEQUENTIAL This might seem silly, but use a hard to guess key or token with a random component.
A TOKEN IS JUST THAT Once your tokens hit the database they should have no other use other than access. Do not reuse them as another identifier. WATCH THE LOGS If you employ an aggressive logging strategy (you should) be sure to redact any secrets in monitoring or logs. BURN EXPOSED TOKENS Actively pursue your rogue tokens. When you find them delete them. NEVER COMMIT CREDENTIALS INSIDE CODE. EVER. Tokensafety. DELETE UNUSED TOKENS If a token is no longer in use disable or delete it. This reduces the chance that an attacker that finds a token can do anything malicious with it.
TOKEN NUKER At Slack, we methodically seek out and invalidate customers’ API tokens that have been accidentally posted publicly. This happens nearly every day. WATCH THE LOGS Most of the time a customer will ask if a token has been used since published. But you’re logging all the things so it’s fine. SAVE YOUR USERS FROM THEMSELVES Security is hard but you can make it easier for your users by staying on top of all attack vectors. Nuke‘em. AUTOMATE IT Token discovery is automated as is the follow- up notification to the customer.
Deliver clean responses. PUBLISH A SPEC Standards, specs, and consistency help API authors and consumers alike in sending intentional responses as well as accepting only the information necessary. MIND THE HEADERS People often focus on the actual payload of responses, but a lot of hidden information goes in to HTTP Headers. Be sure you know what is being included all the way at the other end.
KISS Keep it simple Steven. Clear and concise errors are the most helpful for clients. They also happen to be the most secure. DO NOT LEAK YOUR DATA MODELS A well designed API is focused on client or developer use cases, not exposing your underlying architecture. DO NOT LEAK YOUR STACK TRACES If you are using a framework, overwrite the default error pages and make sure you are running in production mode and not exposing the underlying code. Respondwith simple andintentionalerrors. HIDE YOUR CLUES Those errors are secure of course, only if you do not provide hints to a would be attacker looking for clues.
Log and Audit ALLTHE THINGS. SERIOUSLY, EVERYTHING Having a continuous and detailed stream of events helps not only in detecting anomalies, but responding to a potential incident with speed. STRUCTURE IS HELPFUL Consider structured logging (JSON perhaps) to help aide in searching for the right data.
Rate Limit ALLTHE THINGS. USAGE QUOTAS The most basic rate limiting schemes limit clients by allowing clients to send “x requests per second”. RESOURCE QUOTAS More advanced strategies for rate limiting include throttling based on the expense of the request or the frequency of need for the use case.
Donotforget aboutyour ownlimits. EVERYTHING IN MODERATION Many APIs today include event-driven interfaces such as webhooks or other streams. A sudden forced burst of activity in your service can easily take down your service or leave it in an otherwise degraded state.
IP WHITELISTING At Slack, we allow customers to configure a set of static IPs from which we will know that they are sending traffic. MUTUAL TLS If you can run your own TLS-terminating server, you can obtain a shared secret with another individual organization to verify their identity. INTERNAL BLACKLISTING Over time you can collect a list of bad actors and immediately reject their traffic. This is a necessarily a cat and mouse game but there are smart ways to respond. Provide methodstotrusttraffic. REQUEST SIGNING You can use a pre-determined shared secret to hash a request against.
COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
Test
 Test Test AUTOMATE ANYTHING YOU CAN Test your APIs constantly and preferably at their furthest stage from production. A spec like OpenAPI and following a JSON Schema can help you detect changes to your API and unintended exposure of data.
SERVER BASICS Lock down your ports and server access. API security depends on overall security of your entire stack. NETWORK FIREWALL Tune and configure your connectivity policies to monitor and protect your application servers. WEB APPLICATION FIREWALL Use IaaS or other software to monitor and block traffic and protect against DDoS attacks. DeploysmartinfratoshieldyourAPIs. API GATEWAY Isolate your API traffic. This can either be done by code architecture or putting another layer of abstraction in front of the rest of your infrastructure.
COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL FACTORS Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
Donotroll yourown. LEAN ON OPEN SOURCE There are a plethora of Open Source tools and libraries that relate to secure implementations and to ensure API security. The community at large shares expertise, helps find bugs, and wider usage helps test in the wild. Don’t forget to keep these tools and libraries up-to-date. Use with caution of course…
Enforce policies ina consistentand timely manner. POLICY AND LEGAL At Slack, our Policy and Legal teams are also included in the Developer Platform and Security cross-functional groups. Terms of Services and Acceptable Use Case policies are increasingly important as you expose more data. Action needs to be taken swiftly and applied consistently.
Partner acrossthe organization. SECURITY DEVELOPMENT LIFECYCLE Our product and infrastructure engineering teams have partnered with the security org to review projects. This is both procedural and educational! SECURITY WEEK Once a year, Slack holds a security week where we compete in Capture The Flag, a security training platform, and hold other classes like lock-picking.
APP DIRECTORY REVIEW This is a requirement of listing. It is a combination of automated scanning processes, limiting scopes, and manual reviews of architecture, authentication, and misuse. SHARE BEST PRACTICES We come across common mistakes and patterns and these go in to not only our documentation, but in hands-on help at our developer focused events. Partnerwithyourdevelopers. CHECK AGAIN We regularly follow up with scans and employ external vendors to also do periodic reviews.
XSS TLS Config Info Disclosure 0 6.75 13.5 20.25 27 Mostcommonvulnerabilities foundinSlack Appsecurity review.
REAL ATTACKS Even if you have an internal security organization, it is always to get real help from the outside. Outside pen-testing vendors try to expose real vulnerabilities without inside knowledge. BE PREPARED AND WORK CLOSELY The best case scenario is that you have paid a vendor money and they have found nothing. They will certainly try. The worst case is you will need to be prepared to respond. MULTIPLE VENDORS The strengths, quality, and speed of reporting and assessment varies widely. If you have the budget, compare multiple pen-testing vendors. Asktobehacked. SAFE ATTACKS Generally external security testing vendors will run automation in non-critical business hours or will limit the speed of their automation. Their exploits will also be relatively “safe”.
BUG BOUNTY Real vulnerabilities and reports from external security researchers. Slack is listed on HackerOne. PAY Over the last 4 years, Slack has paid out over $300k in rewards. You can set the tiers and payouts. ESTABLISH SLAS Once bugs come in, make sure there is accountability in getting security issues resolved expediently. Asktobehackedmore. RESPOND We judge the quality of our communication with researchers by our response times. In addition to accountability, it builds overall trust in the community.
Plan your response. HAVE A RUNBOOK Have step-by-step procedures with Directly Responsible Individuals and communication plans. Hopefully you will never need this but it will be crucial if you do. PRACTICE MAKES PERFECT Runbooks are only useful when you’re running. Consider running drills for incidents, whether operational or security to make sure you work out those response muscles.
Security first. Your customers do not understand it, but they demand it.
Know the basics and lean on the community and experts to fill in the gaps.
There is no perfectly secure system. Provide multiple defenses and gauge your risk.
Make it easy by providing security by default and free ways of increasing security.
Advocate for Security First across the organization. Sometimes the “enemy” is within.
THanks! SCHEN@SLACK-CORP.COM SVENCHEN.COM @PISTEVO

Recomendados

OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.
Tomek Cejner
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
phanleson
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 

Recomendados

OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.
Tomek Cejner
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
phanleson
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
Terrance Medina
 
Guidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsGuidelines to protect your APIs from threats
Guidelines to protect your APIs from threats
Isabelle Mauny
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
Pawel Rzepa
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
42Crunch
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
Isabelle Mauny
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
Miguel Ibarra
 
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
AngelGomezRomero
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
skimil
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hamzaaqqa7
 

Mais conteúdo relacionado

Mais procurados

Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
42Crunch
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
Miguel Ibarra
 
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
AngelGomezRomero
 

Mais procurados (20)

Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Guidelines to protect your APIs from threats
Guidelines to protect your APIs from threatsGuidelines to protect your APIs from threats
Guidelines to protect your APIs from threats
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
Five Principles to API Security
Five Principles to API SecurityFive Principles to API Security
Five Principles to API Security
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.API Security Guidelines: Beyond SSL and OAuth.
API Security Guidelines: Beyond SSL and OAuth.
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using Xamarin
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 

Semelhante a Designing Secure APIs

hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hamzaaqqa7
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
Richard Sullivan
 

Semelhante a Designing Secure APIs (20)

Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Building Secure Apps in the Cloud
Building Secure Apps in the CloudBuilding Secure Apps in the Cloud
Building Secure Apps in the Cloud
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Serverless Security Checklist
Serverless Security ChecklistServerless Security Checklist
Serverless Security Checklist
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
cyber security presentation 1234567.pptx
cyber security presentation 1234567.pptxcyber security presentation 1234567.pptx
cyber security presentation 1234567.pptx
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 

Último

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
chiefasafspells
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

Último (20)

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 

Designing Secure APIs

  • 1. Steven Chen, Engineering Manager, Slack Designing Secure APIs Photo: Steve McClanahan
 Locks at Auckland Harbour Bridge
  • 2. I am a petrolhead.
  • 3. I am an API nerd.
  • 4. Every API needs security. PUBLIC In endeavoring to expose functionality to third-parties you blur the perimeters of your service and openly expose your data assets and business capabilities. INTERNAL / PRIVATE Without the intention of exposing your interfaces to third-parties, you might work under the illusion of security. You are still at risk.
  • 5. OPEN APIS 68.8% of organizations are exposing APIs to the public and their partners. 
 HUGE SURFACE AREA On average, companies manage 363 different public- facing APIs. SPECIALIZATION GAP 1 in 4 companies do not treat API security any differently than web security. Wehaveanopenissue.
  • 6. The internet isahostile environment. Public by default. Gives everyone access to over 200MM transactions. Venmo An exposed and unauthenticated API let anyone access the personal account details of any customer with just their cell phone number.  Facebook Cambridge Analytica acquired user data through a Facebook app developer. $37B drop in market cap. T-Mobile
  • 7.
  • 8.
  • 9. Security first. Your customers do not understand it, but they demand it.
  • 10. COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Ittakesasecurity firstmindset.
  • 11. COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
  • 12. SAY NO TO PLAIN-TEXT It is 2018. There is no excuse. ALWAYS HASH THEM Hashing provides a one-way transformation of text. You store the resulting hash and when a user attempts to authenticate the comparison is done by a hash on the input. DO NOT ROLL YOUR OWN Argon2, scrypt, bcrypt. There are many libraries out there. Unless you are a cryptography expert do not attempt to roll your own. Encrypt yourpasswords. 🤫 USE A SLOW HASH Password hashes should be slow to protect against a “dictionary attack”. The slower the hash, the longer it takes to run through a dictionary.
  • 13. HTTPS ALL THE THINGS It is 2018. There is no excuse. HTTP traffic can be read by anyone with network access. HTTPS traffic can only be decrypted by the certificate owner. LET’S ENCRYPT IF ON A BUDGET Let's Encrypt is a free, automated, open-source certificate authority. Encrypt trafficusingTLS/SSL. 🔐
  • 14. ENCRYPTION AT REST OR BY DEFAULT Data stored on servers is considered “at rest”. This protects against physical theft, but also protect against any unauthorized access to data. STRICTLY MANAGE ACCESS Many small or startup companies give everyone direct production access. While this eases administration and overhead it is simple to make mistakes. STORE THE MINIMUM AMOUNT OF DATA To borrow from the old software adage… YAGNI. You Ain’t Gonna Need It. Store only the data you really need to reduce risk. ENCRYPTION / SECURITY CAN BE EASY Many database servers can provide application-level encryption. Google Cloud Platform encrypts customer data stored at rest by default. Besmartaboutdataatrest. 💤
  • 15.
  • 16. 1. INJECTION An injection of code happens when an attacker sends invalid data to the application with the intention of it making an action other than what was designed. 3. SENSITIVE DATA EXPOSURE Sensitive data may be compromised without extra protection, such as encryption at rest or in transit. 4. XML EXTERNAL ENTITIES (XXE) External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. KnowtheOWASPTopTen. 🎳 2. BROKEN AUTHENTICATION Weak or broken authentication mechanisms allow an attacker to gain control over passwords, keys, or tokens – or even worse – to gain complete control over entire systems.
  • 17. 5. BROKEN ACCESS CONTROL Restrictions on what authenticated users are allowed to do are often not properly enforced. 7. CROSS-SITE SCRIPTING (XSS) XSS flaws occur whenever an application includes untrusted data without proper validation or escaping or updates an existing web page with user-supplied data. 8. INSECURE DESERIALIZATION Insecure deserialization often leads to remote code execution. KnowtheOWASPTopTen. 🎳 6. SECURITY MISCONFIGURATION This is commonly a result of leaving default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages.
  • 18. 9. USING COMPONENTS WITH KNOWN VULNERABILITIES Libraries, frameworks, and other components run with the same privileges as the application. They need to be kept up-to-date and secure. 11. CHECK PREVIOUS ISSUANCES AND STAY UP-TO-DATE The Open Web Application Security Project updates the top 10 every few years. There are still gems in the previous notices and there will be more to come. Security is a full-time and constant concern. KnowtheOWASPTopTen. 🎳 10. INSUFFICIENT LOGGING AND MONITORING Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
  • 19. COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
  • 20. The most secureAPI isonethat doesnotexist. ASK WHAT THE USE CASE IS What problems are you trying to solve and what functionality are you trying to expose. Having an API for the sake of having one is an insecure proposition. EXPOSE ONLY WHAT YOU NEED Just as you should store only the data that you need for those who need it. Your API should only expose information necessary to meet the use case.
  • 21. Ask your clientsfor clean requests. MAKE IT HARDER FOR CLIENTS TO MAKE A MISTAKE Provide clean documentation, URLs that do not ask for potentially sensitive information, ask for timestamps, and consider publishing a spec such as OpenAPI. VERIFY TOWARDS THE TOP Never trust user input. Never assume that someone else has verified either the request or some level of authorization. Make these checks at the highest levels possible.
  • 22. IT IS SECURE UNTIL IT IS NOT Even if your API is meant to be for internal use or for special clients, you should verify who that client is. CONSIDER OAUTH OAuth allows clients to authenticate from another service without sharing their password and allows API providers to grant granular permissions. AVOID SESSIONS WHERE POSSIBLE Sessions leave open windows for attackers to impersonate a real user. This state is stored somewhere on the client where you as an API have little control. Alwaysauthenticate. AT LEAST USE BASIC AUTHENTICATION If you are exposing an internal API and want the bare minimum consider basic authentication with TLS / SSL. This is kind of awful, but better than nothing!
  • 23. SCOPE REQUEST ACCESS Setup granular permissions for your API that are scoped only to specific resources or functionality. EXPLICITLY GRANT PRIVILEGES A client’s default access level to any resource in the system should be DENIED unless they are explicitly granted a PERMIT. SEPARATION OF PRIVILEGE Where logical, a client’s permissions should not be based on a single condition, but rather a combination of conditions. Alwaysauthorize. PRINCIPLE OF LEAST PRIVILEGE Similarly, every client must only be able to access the resources and functionality that are minimally necessary for their purpose.
  • 24. Aboutthose keys and tokens. DO NOT ASK FOR THEM IN THE REQUEST Keys and tokens being passed around in URLs are ripe for being sniffed out. Always use a POST request when transmitting secrets over HTTP. ENSURE THEY ARE NON- SEQUENTIAL This might seem silly, but use a hard to guess key or token with a random component.
  • 25. A TOKEN IS JUST THAT Once your tokens hit the database they should have no other use other than access. Do not reuse them as another identifier. WATCH THE LOGS If you employ an aggressive logging strategy (you should) be sure to redact any secrets in monitoring or logs. BURN EXPOSED TOKENS Actively pursue your rogue tokens. When you find them delete them. NEVER COMMIT CREDENTIALS INSIDE CODE. EVER. Tokensafety. DELETE UNUSED TOKENS If a token is no longer in use disable or delete it. This reduces the chance that an attacker that finds a token can do anything malicious with it.
  • 26. TOKEN NUKER At Slack, we methodically seek out and invalidate customers’ API tokens that have been accidentally posted publicly. This happens nearly every day. WATCH THE LOGS Most of the time a customer will ask if a token has been used since published. But you’re logging all the things so it’s fine. SAVE YOUR USERS FROM THEMSELVES Security is hard but you can make it easier for your users by staying on top of all attack vectors. Nuke‘em. AUTOMATE IT Token discovery is automated as is the follow- up notification to the customer.
  • 27. Deliver clean responses. PUBLISH A SPEC Standards, specs, and consistency help API authors and consumers alike in sending intentional responses as well as accepting only the information necessary. MIND THE HEADERS People often focus on the actual payload of responses, but a lot of hidden information goes in to HTTP Headers. Be sure you know what is being included all the way at the other end.
  • 28. KISS Keep it simple Steven. Clear and concise errors are the most helpful for clients. They also happen to be the most secure. DO NOT LEAK YOUR DATA MODELS A well designed API is focused on client or developer use cases, not exposing your underlying architecture. DO NOT LEAK YOUR STACK TRACES If you are using a framework, overwrite the default error pages and make sure you are running in production mode and not exposing the underlying code. Respondwith simple andintentionalerrors. HIDE YOUR CLUES Those errors are secure of course, only if you do not provide hints to a would be attacker looking for clues.
  • 29. Log and Audit ALLTHE THINGS. SERIOUSLY, EVERYTHING Having a continuous and detailed stream of events helps not only in detecting anomalies, but responding to a potential incident with speed. STRUCTURE IS HELPFUL Consider structured logging (JSON perhaps) to help aide in searching for the right data.
  • 30. Rate Limit ALLTHE THINGS. USAGE QUOTAS The most basic rate limiting schemes limit clients by allowing clients to send “x requests per second”. RESOURCE QUOTAS More advanced strategies for rate limiting include throttling based on the expense of the request or the frequency of need for the use case.
  • 31. Donotforget aboutyour ownlimits. EVERYTHING IN MODERATION Many APIs today include event-driven interfaces such as webhooks or other streams. A sudden forced burst of activity in your service can easily take down your service or leave it in an otherwise degraded state.
  • 32.
  • 33. IP WHITELISTING At Slack, we allow customers to configure a set of static IPs from which we will know that they are sending traffic. MUTUAL TLS If you can run your own TLS-terminating server, you can obtain a shared secret with another individual organization to verify their identity. INTERNAL BLACKLISTING Over time you can collect a list of bad actors and immediately reject their traffic. This is a necessarily a cat and mouse game but there are smart ways to respond. Provide methodstotrusttraffic. REQUEST SIGNING You can use a pre-determined shared secret to hash a request against.
  • 34. COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL TOOLING Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
  • 35. Test
 Test Test AUTOMATE ANYTHING YOU CAN Test your APIs constantly and preferably at their furthest stage from production. A spec like OpenAPI and following a JSON Schema can help you detect changes to your API and unintended exposure of data.
  • 36. SERVER BASICS Lock down your ports and server access. API security depends on overall security of your entire stack. NETWORK FIREWALL Tune and configure your connectivity policies to monitor and protect your application servers. WEB APPLICATION FIREWALL Use IaaS or other software to monitor and block traffic and protect against DDoS attacks. DeploysmartinfratoshieldyourAPIs. API GATEWAY Isolate your API traffic. This can either be done by code architecture or putting another layer of abstraction in front of the rest of your infrastructure.
  • 37. COVER THE BASICS Captain Obvious saves the da-ta. Take the straight-forward steps to not be an easy target. 01 APPLICATION INTERFACE The actual APIs need to be developed with security in mind throughout its lifecycle. 02 EXTERNAL FACTORS Expertise often sits outside of your office and often the “enemy” is a simple mistake. 04 INFRASTRUCTURE LAYER Your data is bundled up in to small packages. Keep them well packed to ward off would be thieves. 03 Designing SecureAPIs Haveasecurity firstmindsetat everylayer.
  • 38. Donotroll yourown. LEAN ON OPEN SOURCE There are a plethora of Open Source tools and libraries that relate to secure implementations and to ensure API security. The community at large shares expertise, helps find bugs, and wider usage helps test in the wild. Don’t forget to keep these tools and libraries up-to-date. Use with caution of course…
  • 39. Enforce policies ina consistentand timely manner. POLICY AND LEGAL At Slack, our Policy and Legal teams are also included in the Developer Platform and Security cross-functional groups. Terms of Services and Acceptable Use Case policies are increasingly important as you expose more data. Action needs to be taken swiftly and applied consistently.
  • 40.
  • 41. Partner acrossthe organization. SECURITY DEVELOPMENT LIFECYCLE Our product and infrastructure engineering teams have partnered with the security org to review projects. This is both procedural and educational! SECURITY WEEK Once a year, Slack holds a security week where we compete in Capture The Flag, a security training platform, and hold other classes like lock-picking.
  • 42. APP DIRECTORY REVIEW This is a requirement of listing. It is a combination of automated scanning processes, limiting scopes, and manual reviews of architecture, authentication, and misuse. SHARE BEST PRACTICES We come across common mistakes and patterns and these go in to not only our documentation, but in hands-on help at our developer focused events. Partnerwithyourdevelopers. CHECK AGAIN We regularly follow up with scans and employ external vendors to also do periodic reviews.
  • 43. XSS TLS Config Info Disclosure 0 6.75 13.5 20.25 27 Mostcommonvulnerabilities foundinSlack Appsecurity review.
  • 44. REAL ATTACKS Even if you have an internal security organization, it is always to get real help from the outside. Outside pen-testing vendors try to expose real vulnerabilities without inside knowledge. BE PREPARED AND WORK CLOSELY The best case scenario is that you have paid a vendor money and they have found nothing. They will certainly try. The worst case is you will need to be prepared to respond. MULTIPLE VENDORS The strengths, quality, and speed of reporting and assessment varies widely. If you have the budget, compare multiple pen-testing vendors. Asktobehacked. SAFE ATTACKS Generally external security testing vendors will run automation in non-critical business hours or will limit the speed of their automation. Their exploits will also be relatively “safe”.
  • 45. BUG BOUNTY Real vulnerabilities and reports from external security researchers. Slack is listed on HackerOne. PAY Over the last 4 years, Slack has paid out over $300k in rewards. You can set the tiers and payouts. ESTABLISH SLAS Once bugs come in, make sure there is accountability in getting security issues resolved expediently. Asktobehackedmore. RESPOND We judge the quality of our communication with researchers by our response times. In addition to accountability, it builds overall trust in the community.
  • 46.
  • 47. Plan your response. HAVE A RUNBOOK Have step-by-step procedures with Directly Responsible Individuals and communication plans. Hopefully you will never need this but it will be crucial if you do. PRACTICE MAKES PERFECT Runbooks are only useful when you’re running. Consider running drills for incidents, whether operational or security to make sure you work out those response muscles.
  • 48. Security first. Your customers do not understand it, but they demand it.
  • 49. Know the basics and lean on the community and experts to fill in the gaps.
  • 50. There is no perfectly secure system. Provide multiple defenses and gauge your risk.
  • 51. Make it easy by providing security by default and free ways of increasing security.
  • 52. Advocate for Security First across the organization. Sometimes the “enemy” is within.