test and protect your api
TRANSCRIPT
@Axway @SmartBear #APISecurity
Test & Protect Your API: Practical Tips to Achieve API Security Nirvana with Axway & Ready! API
The API Lifecycle – SmartBear approach
SmartBear Confidential and Proprietary
Design → Build → Test → Deploy/Manage → Monitor
Open source based and driven
Integrated tools for Dev/Test across API lifecycle
Extendable and easily integrated into API lifecycle workflow
Data driven and automated
Protocol and runtime independent
Leverage and reuse assets across lifecycle
Democratize advanced dev/test capabilities
About Axway
Axway technology manages interactions between applications, people and communities.
Security and integration across B2B (EDI, MFT, and APIs)
Positioned as a leader in Gartner Magic Quadrants for “On-Premises Application Integration Suites” and for “Application Services Governance”
Webinar Attendee Statistics
[Pie chart: How important is API Security to your organization? Not important at all 3%, Growing importance 41%, Very important 56%]
[Pie chart: How much API Security testing do you do today? None 24%, Some 65%, Extensive 12%]
56% of attendees for this webinar responded that API security is “very important,” and yet only 12% are doing extensive security testing
APIs – A soft underbelly for security?
Security vulnerabilities related to APIs
Enabling account information exposure (Snapchat)
IRS Data Breach
Insecure API Access
And more security vulnerabilities…
Mobile App vulnerabilities are often API vulnerabilities in disguise…
Insecure APIs are often the source of mobile app security issues
Sniffers can detect insecure API calls
Source: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html
Beware Weak API Key Authentication
Problem: API Keys are often simply passed in URLs, e.g. &APIKey=123456
Vulnerable to sniffing and replay attacks
Amazon uses two keys:
• Secret Key ID to perform HMAC signing, with detection of replay attacks
• Access Key ID to identify the client
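The two-key idea above, worked through as an added example (not code from the webinar and not Amazon's actual signing scheme): the client signs the request with a secret that never leaves it, sends only a key ID, a timestamp, a nonce and the HMAC, and the server identifies the client by key ID, checks the HMAC and rejects stale or repeated requests. Header names, the canonical string layout and the credential store are constructed for illustration.

```python
import hashlib
import hmac

# Constructed credential store: Access Key ID -> secret key (assumed names, not Amazon's).
SECRETS = {"AKIDEXAMPLE": b"constructed-secret-key-do-not-reuse"}


def canonical_string(method, path, query, key_id, timestamp, nonce):
    # Everything the signature covers, so tampering with any field breaks it.
    return "\n".join([method, path, query, key_id, str(timestamp), nonce])


def sign_request(method, path, query, key_id, secret, timestamp, nonce):
    # Client side: the secret stays on the client; only the key ID,
    # timestamp, nonce and HMAC travel in headers (header names are assumed).
    msg = canonical_string(method, path, query, key_id, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: identify the client by key ID, check the HMAC, reject replays."""

    def __init__(self, secrets, max_skew=300):
        self.secrets = secrets
        self.max_skew = max_skew  # seconds a timestamp may deviate from server time
        self.seen = set()         # (key_id, nonce) pairs already accepted; prune by age in production

    def verify(self, method, path, query, headers, now):
        key_id = headers.get("X-Key-Id", "")
        secret = self.secrets.get(key_id)
        if secret is None:
            return "unknown key id"
        try:
            timestamp = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return "bad timestamp"
        if abs(now - timestamp) > self.max_skew:
            return "stale timestamp"  # bounds how long a captured request stays usable
        nonce = headers.get("X-Nonce", "")
        if (key_id, nonce) in self.seen:
            return "replay detected"  # same signed request presented again inside the window
        msg = canonical_string(method, path, query, key_id, timestamp, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "bad signature"    # any altered field (path, query, key ID...) changes the HMAC
        self.seen.add((key_id, nonce))
        return "ok"
```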
The solution – API Management
Configure API Keys
Configure OAuth
Quota Management for APIs
Managing usage quotas for APIs to prevent misuse and denial of service (DoS)
Configure Quotas
The Role of the API Gateway
API Gateway – Security and more
Protective Security: Content-Level Threats (XDoS, XXE, etc), WAF functionality (OWASP Top Ten, etc), Throttling
Policy Decision and Enforcement Point: STS – Security Token Creation, Consumption, Mediation; Dynamic Authorization; Data Flow Introspection and Governance
Integration (lightweight ESB): Heterogeneous, Vendor Agnostic; Multiple Protocol and Standard Support
Enterprise Architecture Intelligence and Protection: SSO Enablement; Architecture-wide auditing and risk analysis
Security provided by API Gateways
API Gateway protects against threats to Web Services / APIs including:
• Unauthorised Access
• Parameter Manipulation and Data Harvesting
• Network eavesdropping
• Disclosure of sensitive customer data
• Message replay
[Diagram: consumer reaching an API through a standard firewall, with the threats Unauthorised Access, Parameter Manipulation, Virus Insertion, Network Eavesdropping, Message Replay and Disclosure of customer data passing through]
Standard network firewalls offer no protection against these threats
API Gateways in API Management
[Architecture diagram: Client Applications call REST APIs (SOAP/XML/REST/JSON) through the API Manager and API Gateway, which front the back-end Services, Applications and Data. The API Gateway performs Policy Enforcement and integrates with non-REST API services (SOAP Web Services, POX, JMS, FTP).]
• API Portal – Application Developers: self-service API consumption, build developer community, new channel to market brand; self-register to resources, browse and learn APIs, manage application credentials
• API Manager – API Developers and API Administrators: API registration & lifecycle, API catalog, partner & policy administration; register and manage API lifecycle, perform partner, policy and process admin, monitor and report API use
• API Gateway – Policy Developers: policy enforcement; create and extend policies, integrate with applications and infrastructure
API Security testing: Why is it so important?
API breaches can result in:
• Stolen data
• Server attacks
• Spoofing
• IoT device tampering
Thinking like a hacker
• We want to know as much as possible about an API’s endpoints, messages, parameters, behavior
• The more we know about the API’s surface – the better we can target our attack!
Looking for vulnerabilities in your API
• OWASP.ORG
• Identify the most likely “soft spots”
• Run all the scans but automate & repeat the most important ones
• Don’t neglect payload analysis
• Pay attention and respond quickly
Show Me How to Protect My API
Demo – Scenario
Bank Account API with:
• One method for users to get the balance of one of their accounts
• Vulnerable to SQL Injection
User authentication out of scope – focus on the SQL Injection attack
Demo – Detecting API Threats
API vulnerable to SQL injections
Definition imported prior to demo
1. Normal request: GET http://<host>/account/balance?accnt=123456789 HTTP/1.1 → SELECT balance FROM accountinfo WHERE account=123456789; → Returns the balance from account 123456789
2. Scanning: GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1 → SELECT balance FROM accountinfo WHERE account=1 OR 1=1; → Returns the balance from all accounts! (1=1 is always true)
Demo – Protecting Against API Threats
[Diagram: API Manager with Threat Protection enabled on the API Gateway, placed in front of the protected (SQL-injectable) API]
Virtualize: import definitions using the Axway Plug-in
1. Normal request: GET http://<host>/account/balance?accnt=123456789 HTTP/1.1 → SELECT balance FROM accountinfo WHERE account=123456789; → Returns the balance from account 123456789
2. Scanning: GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1 → Detected and Blocked by Axway API Gateway!
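The two demo slides above, reproduced as an added example in Python with an in-memory SQLite table (not the webinar's demo code or the Axway gateway): the vulnerable handler concatenates the accnt parameter into the query exactly as the demo's SQL shows, and the protected path applies gateway-style input validation before binding the value as a query parameter. The table, account numbers and balances are constructed sample data.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the demo's accountinfo table (sample data, not real accounts).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accountinfo (account INTEGER PRIMARY KEY, balance REAL)")
    db.executemany("INSERT INTO accountinfo VALUES (?, ?)",
                   [(123456789, 1500.25), (987654321, 42.0), (555555555, 9000.0)])
    return db


def balance_vulnerable(db, accnt):
    # The flaw from the demo: accnt is concatenated straight into the SQL text, so the
    # value "1 OR 1=1" turns the WHERE clause into a condition that is always true.
    sql = "SELECT balance FROM accountinfo WHERE account=" + accnt
    return [row[0] for row in db.execute(sql)]


ACCOUNT_RE = re.compile(r"[0-9]{1,12}")


def validate_accnt(accnt):
    # Gateway-style input validation: an account number is digits only, nothing else.
    return ACCOUNT_RE.fullmatch(accnt) is not None


def handle_request(db, accnt):
    # Protected path: reject malformed input at the edge (what the gateway's threat
    # protection did in the demo), then bind the value as a query parameter so the
    # database only ever treats it as data, never as part of the statement.
    if not validate_accnt(accnt):
        return 400, "blocked by input validation"
    rows = db.execute("SELECT balance FROM accountinfo WHERE account=?", (int(accnt),))
    return 200, [row[0] for row in rows]
```

Either layer alone closes this particular hole; keeping both means a validation gap in the gateway policy does not re-expose the back end.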
Key Takeaways
API Protection
• Put protection in place for your APIs
• Apply throttling, input validation, threat detection
• Block the full spectrum of attacks
API Testing
• OWASP.org is your friend
• Focus on most likely vulnerabilities first
• Build security testing into your dev plans
Create APIs with Confidence
Try For Free