Test and Protect Your API

Test & Protect Your API: Practical Tips to Achieve API Security Nirvana with Axway & Ready! API
@Axway @SmartBear #APISecurity

Upload: smartbear-software

Posted on 15-Jan-2017

Category: Software

TRANSCRIPT

Page 1: Test and Protect Your API

Test & Protect Your API
Practical Tips to Achieve API Security Nirvana with Axway & Ready! API

Page 2: Test and Protect Your API

The API Lifecycle – SmartBear approach

Design → Build → Test → Deploy/Manage → Monitor

• Open source based and driven
• Integrated tools for Dev/Test across API lifecycle
• Extendable and easily integrated into API lifecycle workflow
• Data driven and automated
• Protocol and runtime independent
• Leverage and reuse assets across lifecycle
• Democratize advanced dev/test capabilities

Page 3: Test and Protect Your API

About Axway

Axway technology manages interactions between applications, people and communities.

Security and integration across B2B (EDI, MFT, and APIs)

Positioned as a leader in Gartner Magic Quadrants for “On-Premises Application Integration Suites” and for “Application Services Governance”

Page 4: Test and Protect Your API

Webinar Attendee Statistics

How important is API Security to your organization?
• Not important at all: 3%
• Growing importance: 41%
• Very important: 56%

How much API Security testing do you do today?
• None: 24%
• Some: 65%
• Extensive: 12%

56% of attendees for this webinar responded that API security is “very important,” and yet only 12% are doing extensive security testing.

Page 5: Test and Protect Your API

APIs – A soft underbelly for security?

Security vulnerabilities related to APIs

Enabling account information exposure (Snapchat)

Page 6: Test and Protect Your API

IRS Data Breach

Insecure API Access

Page 7: Test and Protect Your API

And more security vulnerabilities…

Page 8: Test and Protect Your API

Mobile App vulnerabilities are often API vulnerabilities in disguise…

Insecure APIs are often the source of mobile app security issues

Sniffers can detect insecure API calls

Source: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html

Page 9: Test and Protect Your API

Beware Weak API Key Authentication

Problem: API Keys are often simply passed in URLs (&APIKey=123456), which is vulnerable to sniffing and replay attacks.

Amazon uses two keys:
• Access Key ID to identify the client
• Secret Key ID to perform HMAC signing, with detection of replay attacks
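The two-key scheme the slide describes, written out as an added example (this is not code from the webinar, from Axway or from SmartBear, and it is not the AWS signing algorithm; the header names, the placeholder credential store and the 300-second window are assumptions made for the demonstration). The client identifies itself with an access key id and proves possession of the secret by an HMAC over the request, timestamp and nonce; the server recomputes the HMAC and refuses stale timestamps and nonces it has already accepted, which is the replay detection the slide refers to:

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential store for the example: access key id -> secret key.
# Placeholder values only, not real credentials.
CREDENTIALS = {"AKIDEXAMPLE": b"constructed-secret-key-do-not-reuse"}

REPLAY_WINDOW_SECONDS = 300  # assumed: how far a request timestamp may drift from the server clock


def canonical_string(method, path, query, timestamp, nonce):
    """The exact bytes both sides sign: request line plus timestamp and nonce.
    Binding timestamp and nonce into the MAC is what lets the server reject replays."""
    return "\n".join([method.upper(), path, query, timestamp, nonce])


def sign_request(access_key_id, secret_key, method, path, query, now=None, nonce=None):
    """Client side: headers carrying identity (access key id) and proof (HMAC over
    the request), instead of a bare key in the query string."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(8)
    message = canonical_string(method, path, query, timestamp, nonce).encode()
    signature = hmac.new(secret_key, message, hashlib.sha256).hexdigest()
    return {
        "X-Access-Key-Id": access_key_id,
        "X-Timestamp": timestamp,
        "X-Nonce": nonce,
        "X-Signature": signature,
    }


class Verifier:
    """Server side (what a gateway would do): look up the secret by access key id,
    recompute the HMAC, and reject stale or already-seen (timestamp, nonce) pairs."""

    def __init__(self, credentials, window=REPLAY_WINDOW_SECONDS):
        self.credentials = credentials
        self.window = window
        self.seen = set()  # in production a shared store with expiry, not a process-local set

    def verify(self, method, path, query, headers, now=None):
        now = time.time() if now is None else now
        secret = self.credentials.get(headers.get("X-Access-Key-Id", ""))
        if secret is None:
            return False, "unknown access key id"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside replay window"
        nonce = headers.get("X-Nonce", "")
        if not nonce or (ts, nonce) in self.seen:
            return False, "replayed nonce"
        message = canonical_string(method, path, query, headers["X-Timestamp"], nonce).encode()
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        # constant-time comparison so the check itself does not leak the signature
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen.add((ts, nonce))  # record only after the signature checks out
        return True, "ok"


if __name__ == "__main__":
    v = Verifier(CREDENTIALS)
    hdrs = sign_request("AKIDEXAMPLE", CREDENTIALS["AKIDEXAMPLE"], "GET", "/account/balance", "accnt=123456789")
    print(v.verify("GET", "/account/balance", "accnt=123456789", hdrs))  # accepted once
    print(v.verify("GET", "/account/balance", "accnt=123456789", hdrs))  # same request again: replayed nonce
```

Because the query string is part of the signed material, a sniffed request cannot be reused with a different account number either: changing any signed field invalidates the signature, and resending it unchanged trips the nonce check.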

Page 10: Test and Protect Your API

The solution – API Management

Configure API Keys

Configure OAuth

Page 11: Test and Protect Your API

Quota Management for APIs

Managing usage quotas for APIs to prevent misuse or DoS

Configure Quotas
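What "configure quotas" amounts to at enforcement time, as an added example rather than anything from the webinar or from Axway's product: a per-API-key sliding-window quota that the gateway consults before forwarding a request. The plan tiers, the 429 response and the retry-after hint are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque

# Constructed quota tiers for the example: plan name -> (requests, window in seconds).
QUOTA_TIERS = {
    "free": (3, 60),         # 3 requests per minute
    "partner": (1000, 3600), # 1000 requests per hour
}


class SlidingWindowQuota:
    """At most `limit` accepted requests from one API key in any `window` seconds.
    Rejections carry a retry-after hint so clients can back off instead of retrying blindly."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # api key -> timestamps of recent accepted requests

    def check(self, api_key, now=None):
        now = time.time() if now is None else now
        recent = self.history[api_key]
        # drop requests that have aged out of the window
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            retry_after = recent[0] + self.window - now
            return False, round(retry_after, 3)
        recent.append(now)
        return True, 0.0


class QuotaGateway:
    """Maps each API key to its plan's quota and answers with an HTTP-style status."""

    def __init__(self, tiers, key_plans):
        self.quotas = {plan: SlidingWindowQuota(*spec) for plan, spec in tiers.items()}
        self.key_plans = key_plans  # api key -> plan name

    def handle(self, api_key, now=None):
        plan = self.key_plans.get(api_key)
        if plan is None:
            return 401, {"error": "unknown api key"}
        allowed, retry_after = self.quotas[plan].check(api_key, now)
        if not allowed:
            return 429, {"error": "quota exceeded", "retry_after": retry_after}
        return 200, {"plan": plan}


if __name__ == "__main__":
    # constructed keys: one on the free plan, one on the partner plan
    gw = QuotaGateway(QUOTA_TIERS, {"key-free": "free", "key-partner": "partner"})
    for t in (0, 1, 2, 3):
        print(t, gw.handle("key-free", now=t))  # the fourth call within the minute is rejected
```

Keeping the counters per key (not per client IP) is what makes the quota a property of the credential the API Manager issued, so one abusive consumer cannot exhaust the capacity available to the others.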

Page 12: Test and Protect Your API

The Role of the API Gateway

Page 13: Test and Protect Your API

API Gateway – Security and more

Protective Security
• Content-Level Threats (XDoS, XXE, etc)
• WAF functionality (OWASP Top Ten, etc)
• Throttling

Policy Decision and Enforcement Point
• STS – Security Token Creation, Consumption, Mediation
• Dynamic Authorization
• Data Flow Introspection and Governance

Integration (lightweight ESB)
• Heterogeneous, Vendor Agnostic
• Multiple Protocol and Standard Support

Enterprise Architecture Intelligence and Protection
• SSO Enablement
• Architecture-wide auditing and risk analysis

Page 14: Test and Protect Your API

Security provided by API Gateways

API Gateway protects against threats to Web Services / APIs including:
• Unauthorised Access
• Parameter Manipulation and Data Harvesting
• Network eavesdropping
• Disclosure of sensitive customer data
• Message replay

[Diagram: a Consumer calling an API through a standard network Firewall; the threats shown passing straight through it are Unauthorised Access, Parameter Manipulation, Virus Insertion, Network Eavesdropping, Message Replay and Disclosure of customer data]

Standard network firewalls offer no protection against these threats

Page 15: Test and Protect Your API

API Gateways in API Management

[Diagram: Client Applications call the REST API (SOAP/XML/REST/JSON) through the API Gateway, which performs Policy Enforcement and fronts the Services, Applications and Data behind it; the API Portal and the API Manager sit alongside the gateway]

API Portal (Application Developers)
• Self-service API consumption
• Build developer community
• New channel to market brand
• Self-register to resources
• Browse and learn APIs
• Manage application credentials

API Manager (API Developers, API Administrators)
• API Registration & Lifecycle
• API Catalog
• Partner & Policy Administration
• Register and manage API lifecycle
• Perform partner, policy and process admin
• Monitor and report API use

API Gateway
• Policy Enforcement
• Integration with non-REST API services (REST, SOAP Web Services, POX, JMS, FTP)

Policy Developers
• Create and extend policies
• Integrate with applications and infrastructure

Page 16: Test and Protect Your API

API Security testing: Why is it so important?

API breaches can result in:
• Stolen data
• Server attacks
• Spoofing
• IoT device tampering

Page 17: Test and Protect Your API

Thinking like a hacker

• We want to know as much as possible about an API’s endpoints, messages, parameters, behavior
• The more we know about the API’s surface – the better we can target our attack!

Page 18: Test and Protect Your API

Looking for vulnerabilities in your API

• OWASP.ORG
• Identify the most likely “soft spots”
• Run all the scans, but automate & repeat the most important ones
• Don’t neglect payload analysis
• Pay attention and respond quickly

Page 19: Test and Protect Your API

Show Me How to Protect My API

Page 20: Test and Protect Your API

Demo – Scenario

Bank Account API with:
– One method for users to get the balance of one of their accounts
– Vulnerable to SQL Injection

User authentication out of scope:
– Focus on the SQL Injection attack

Page 21: Test and Protect Your API

Demo – Detecting API Threats

API vulnerable to SQL injections (definition imported prior to demo)

1. Normal request
GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
SELECT balance FROM accountinfo WHERE account=123456789;
Returns the balance from account 123456789

2. Scanning
GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
SELECT balance FROM accountinfo WHERE account=1 OR 1=1;   (always true!)
Returns the balance from all accounts!

Page 22: Test and Protect Your API

Demo – Protecting Against API Threats

[Diagram: Threat Protection – the API Gateway and API Manager sit in front of the Protected API]

Virtualize: import definitions using the Axway Plug-in

API vulnerable to SQL injections

1. Normal request
GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
SELECT balance FROM accountinfo WHERE account=123456789;
Returns the balance from account 123456789

2. Scanning
GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
Detected and Blocked by Axway API Gateway!
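The two demo slides (Page 21 unprotected, Page 22 behind the gateway) reduced to runnable form, as an added example that is not the webinar's demo code and not how the Axway gateway implements its detection: an in-memory accountinfo table with constructed rows, the backend exactly as the demo describes it (the accnt parameter spliced into the SQL text), the same backend fixed with a bound parameter, and a gateway-style positive validation of accnt in front of either. The host name api.example.test, the 1-12 digit account format and the 400 status are assumptions for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_demo_db():
    """In-memory stand-in for the demo's accountinfo table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accountinfo (account INTEGER PRIMARY KEY, balance REAL)")
    conn.executemany(
        "INSERT INTO accountinfo VALUES (?, ?)",
        [(123456789, 1500.0), (555555555, 9.99), (987654321, 42.0)],
    )
    return conn


def balance_vulnerable(conn, accnt):
    """Backend as in the demo: accnt is spliced into the SQL text, so a value such as
    '1 OR 1=1' rewrites the WHERE clause instead of being compared with it."""
    sql = "SELECT balance FROM accountinfo WHERE account=" + accnt + ";"
    return [row[0] for row in conn.execute(sql)]


def balance_parameterized(conn, accnt):
    """Fixed backend: the value is bound as a parameter and is never parsed as SQL.
    A non-numeric value simply matches no row."""
    rows = conn.execute("SELECT balance FROM accountinfo WHERE account=?;", (accnt,))
    return [row[0] for row in rows]


ACCOUNT_NUMBER = re.compile(r"[0-9]{1,12}")  # assumed account-number format


def gateway_filter(params):
    """Positive input validation at the gateway: accnt must look like an account number.
    Anything else is rejected before it reaches the API, whichever backend is behind it."""
    accnt = params.get("accnt", "")
    if not ACCOUNT_NUMBER.fullmatch(accnt):
        return False, "accnt must be 1-12 digits"
    return True, "ok"


def handle(conn, request_line, gateway_enabled, backend=balance_vulnerable):
    """Route one HTTP request line through the (optional) gateway to the backend.
    Returns (status, body)."""
    _method, rest = request_line.split(" ", 1)
    url, _version = rest.rsplit(" ", 1)  # the query may contain spaces, so split from the right
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if gateway_enabled:
        allowed, reason = gateway_filter(params)
        if not allowed:
            return 400, reason  # "Detected and Blocked"
    return 200, backend(conn, params.get("accnt", ""))


if __name__ == "__main__":
    db = build_demo_db()
    normal = "GET http://api.example.test/account/balance?accnt=123456789 HTTP/1.1"
    scan = "GET http://api.example.test/account/balance?accnt=1 OR 1=1 HTTP/1.1"
    print("unprotected, normal:", handle(db, normal, gateway_enabled=False))
    print("unprotected, scan:  ", handle(db, scan, gateway_enabled=False))   # every balance leaks
    print("gateway, scan:      ", handle(db, scan, gateway_enabled=True))    # blocked with 400
    print("fixed backend, scan:", handle(db, scan, False, backend=balance_parameterized))
```

The gateway check and the parameterized query are complementary rather than alternatives: the validation keeps malformed input away from every backend behind the gateway, and the bound parameter makes the backend safe even for a request that never passed through it.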

Page 23: Test and Protect Your API

Key Takeaways

API Protection
• Put protection in place for your APIs
• Apply throttling, input validation, threat detection
• Block the full spectrum of attacks

API Testing
• OWASP.org is your friend
• Focus on most likely vulnerabilities first
• Build security testing into your dev plans

Create APIs with Confidence