Deep Dive: Secure API Management
Subra Kumaraswamy & Chris Von See
youtube.com/apigee
slideshare.net/apigee
Subra Kumaraswamy (@Subrak)
Chris Von See
Agenda
• API threats and Protection
• API Access Control Considerations
• Demo – OAuth “Hello, World!”
• Operational Considerations
• Demo – Handling Compromised Applications
• Securing sensitive run-time data
• Demo – Apigee Vault
• Threat protection from the OWASP perspective
• Demo – SQL Injection Attack
• SSL/TLS configuration considerations
• Certificate management
• Key Takeaways
• Questions
API Security Stakeholders
Product Manager
How can I release features with built-in security?
How can I reduce the release cycle?
Business owner
How do I reduce risk while expanding API exposure?
How do I meet compliance requirements?
Ops
How do I enforce a consistent security policy across APIs?
What controls do I have to mitigate attacks like DoS?
Developer
What options do I have to secure data at rest and in transit?
How can I securely manage keys?
Security & Privacy Team
How do I manage the PII life cycle of data exposed via APIs?
How do I govern APIs exposed to internal and external developers?
API Threat Modeling
Threat Modeling and API/infrastructure Design
• Your APIs are vulnerable to the typical Web application security attacks – think OWASP Top 10
• In addition you have to worry about:
– API abuse via API key theft
– Attackers reverse engineering apps to reach private APIs
– Traffic spikes caused by bots or DoS attacks
– Identity tracking across API sessions
– XML/JSON injection type attacks
– Token harvesting due to insecure communication or storage
Threat Modeling – APIs
Threat Modeling – Apigee Edge
API Deployment Architecture
[Diagram: external developers' apps and partners reach Apigee Edge through an external firewall; Edge reaches the backend service through an internal firewall. Edge also connects to the enterprise identity store, to 3rd-party security services (AAA, logs, analytics) and to internal developers. Every hop is protected with TLS; management services are exposed over HTTPS.]
Control groups shown in the diagram:
• Identity, SAML, RBAC, LDAP, ACL
• DDoS protection, XML/JSON threat protection, rate limiting, log & audit
• Identity, OAuth, X.509, API key
• Identity, SAML, RBAC, X.509
Access Control
Identity for end-to-end security
[Diagram: the request path App Developer → User → App → API → Backend, with API Developer, IT Manager and Business User as further actors. Authentication, Authorization and Auditing (AAA) services and the enterprise identity stores sit alongside the path.]
Control groups shown in the diagram:
• OpenID Connect, Social Login, 2FA, X.509 Cert
• App Identity, OAuth, TLS, Key protection
• Identity, SSO, RBAC, API Key, Threat Protection, Credential Mediation, Secure Token Storage, SAML/OAuth
• Identity, SSO, RBAC, SAML, Audit
Demo: Hello World App
(OAuth Client Credentials grant type)
Operationalization Considerations
Thinking about security from an operational perspective
• How can I structure my Apigee instance to optimize access controls?
• How do I know if an application has been compromised?
• How do I mitigate risks from compromised applications?
• How do I manage sensitive back-end system credentials?
• How do I protect information from both internal and external threats while it’s in-flight?
• Can I segregate and control access to content hosted on my Developer Portal?
• Can I control access to entities in the Apigee system?
• What options do I have for auditing API requests? For auditing Apigee management requests?
Logical partitioning through organizations and environments
[Diagram: an Organization containing Dev, Test and Prod Environments. Developers and their Applications (Web, Point of Sale, Partner, Mobile) sit on one side, the API Team and the Backend on the other.]
Mitigating risks from compromised applications
• How do you know you have a problem?
– Strange source addresses
– Unusual request types
– Unusual request rates
– Custom analytics showing unusual traffic for particular users
• Actions you can take to mitigate impact:
– Revoke/re-approve/delete an API key
– Regenerate API keys and secrets
– Revoke/re-approve/delete some or all active OAuth access and refresh tokens
– Dynamic invalidation via code in API proxies, based on user IDs, device identifiers or other criteria
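The indicators and mitigations listed above can be turned into a simple detection pass over gateway access logs. The Python below is an added example written for this page, not code from the deck or from Apigee: the log line layout, the per-application baselines ("custom analytics") and the thresholds are assumptions, and the log lines are constructed. It flags strange source addresses, unusual request types and unusual request rates per API key, then maps each indicator to one of the response actions on the slide.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of gateway access-log lines (an assumed layout, not a real Apigee format):
# <ISO-8601 timestamp> <client IP> <API key> <HTTP method> <path> <HTTP status>
SAMPLE_LOG = """\
2015-05-01T10:00:01Z 203.0.113.10 key-mobile-1 GET /v1/orders/42 200
2015-05-01T10:00:02Z 203.0.113.10 key-mobile-1 GET /v1/orders/43 200
2015-05-01T10:00:03Z 203.0.113.11 key-mobile-1 POST /v1/orders 201
2015-05-01T10:00:05Z 203.0.113.12 key-mobile-1 GET /v1/orders/44 200
2015-05-01T10:00:06Z 198.51.100.7 key-pos-1 GET /v1/orders/1 200
2015-05-01T10:00:06Z 198.51.100.7 key-pos-1 GET /v1/orders/2 200
2015-05-01T10:00:07Z 198.51.100.7 key-pos-1 GET /v1/orders/3 200
2015-05-01T10:00:07Z 198.51.100.7 key-pos-1 GET /v1/orders/4 200
2015-05-01T10:00:08Z 198.51.100.7 key-pos-1 GET /v1/orders/5 200
2015-05-01T10:00:08Z 198.51.100.7 key-pos-1 GET /v1/orders/6 200
2015-05-01T10:00:09Z 192.0.2.99 key-mobile-1 DELETE /v1/orders/44 403
2015-05-01T10:00:09Z 192.0.2.99 key-mobile-1 DELETE /v1/orders/45 403
"""

# Assumed per-application baseline, the kind of profile custom analytics would keep:
# networks the app normally calls from, methods it uses, and its normal peak rate.
BASELINE = {
    "key-mobile-1": {"networks": ["203.0.113.0/24"], "methods": {"GET", "POST"}, "max_per_minute": 100},
    "key-pos-1": {"networks": ["198.51.100.0/24"], "methods": {"GET"}, "max_per_minute": 5},
}


def parse_line(line):
    """Split one log line into a record; the field layout is this example's assumption."""
    ts, ip, key, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ipaddress.ip_address(ip),
        "key": key,
        "method": method,
        "path": path,
        "status": int(status),
    }


def analyze(log_text, baseline):
    """Return {api_key: sorted indicator strings} for every key that deviates from its baseline."""
    per_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_key[rec["key"]].append(rec)

    findings = defaultdict(set)
    for key, recs in per_key.items():
        profile = baseline.get(key)
        if profile is None:
            findings[key].add("unknown-key")  # traffic on a key with no profile is itself suspicious
            continue
        networks = [ipaddress.ip_network(n) for n in profile["networks"]]
        for r in recs:
            if not any(r["ip"] in net for net in networks):
                findings[key].add(f"strange-source:{r['ip']}")
            if r["method"] not in profile["methods"]:
                findings[key].add(f"unusual-method:{r['method']}")
        # Unusual request rate: peak number of requests in any one-minute bucket
        per_minute = Counter(r["ts"].replace(second=0, microsecond=0) for r in recs)
        peak = max(per_minute.values())
        if peak > profile["max_per_minute"]:
            findings[key].add(f"unusual-rate:{peak}/min")
    return {key: sorted(inds) for key, inds in findings.items()}


def recommended_actions(findings):
    """Map indicators to the mitigations the slide lists (this mapping is an assumption)."""
    actions = {}
    for key, indicators in findings.items():
        steps = set()
        for ind in indicators:
            if ind.startswith(("strange-source", "unusual-method", "unknown-key")):
                # evidence that the credential itself is in the wrong hands
                steps.update({"revoke-api-key", "revoke-oauth-tokens"})
            if ind.startswith("unusual-rate"):
                steps.add("tighten-quota")
        actions[key] = sorted(steps)
    return actions


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG, BASELINE)
    for key, indicators in found.items():
        print(key, indicators, "->", recommended_actions(found)[key])
```

Revoking the key and its OAuth access/refresh tokens is the proportionate first step when an indicator suggests the credential has leaked (traffic from an unexpected network, methods the app never issues); a rate anomaly on its own is as often a buggy client as an attacker, so a tighter quota and a closer look come before revocation.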
When this happens…
What do you do?
Demo: Handling Compromised Applications
Securing sensitive runtime information
Sensitive data storage using Apigee Vault
[Diagram: an Organization with Dev, Test and Prod Environments, each with its own vault, plus an organization-level vault.]
Environment-specific vaults hold back-end system credentials or other sensitive information that varies as proxies move through the development lifecycle.
Organization-specific vaults hold sensitive information that is global to all environments or APIs.
Vaults are encrypted storage areas: they are written via the Management API and read by the Node.js runtime.
Demo: Apigee Vault
Threat protection: the OWASP perspective
OWASP Top 10 Protection

OWASP Top 10 Threat                           Apigee Edge control
A1 – Injection                                Threat Protection Policy
A2 – Broken Authentication                    TLS, standard OAuth protection, LDAP, AD
A3 – Cross-Site Scripting (XSS)               Consistent JSON transformation
A4 – Insecure Direct Object References        Sanitize API
A5 – Security Misconfiguration                Hardened API Management Platform
A6 – Sensitive Data Exposure                  Data masking, encryption, key management
A7 – Missing Function Level Access Control    RBAC, OAuth scope
A8 – Cross-Site Request Forgery               Use of tokens in API header, OAuth state parameter
A9 – Using Known Vulnerable Components        Hardened API platform
A10 – Unvalidated Redirects and Forwards      API transformation with sanity checks
API Specific Threats

Threat to API                        Apigee Edge control
DoS attacks                          Rate Limiting Policy
Developer abuse                      Quota Policy
Token harvesting                     2-way TLS (inbound and outbound)
Key theft                            Secure key storage
XML/JSON bombs                       XML/JSON Injection policy
Run-time privilege escalation        OAuth with API Products
Management privilege escalation      RBAC for management team
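To make concrete what a gateway-side defence against XML/JSON bombs and injection payloads actually enforces, here is an added Python example written for this page (not Apigee code; on Edge the equivalent is a policy configured in XML). It scans the raw JSON text for structural limits before anything parses it, so a deeply nested or oversized payload is rejected without ever reaching a parser. The limit names follow the settings of Apigee's JSONThreatProtection policy, but the values, the scanner and the sample payloads are this example's own assumptions.

```python
import json

# Assumed limits. The names mirror the settings of Apigee's JSONThreatProtection
# policy; the values are example choices for a small API, not platform defaults.
DEFAULT_LIMITS = {
    "ContainerDepth": 10,          # max nesting of objects/arrays
    "ObjectEntryCount": 50,        # max entries in one object
    "ArrayElementCount": 100,      # max elements in one array
    "ObjectEntryNameLength": 64,   # max length of a key
    "StringValueLength": 1000,     # max length of a string value
}


class ThreatDetected(ValueError):
    """Raised with the name of the limit the payload violates."""


def check_json_payload(text, limits=DEFAULT_LIMITS):
    """Scan raw JSON text for structural limits, then parse it.

    The scan walks the characters (strings, brackets, commas) rather than building a
    tree, so a nesting bomb fails fast and cheaply. Returns the parsed object once
    every limit has passed; raises ThreatDetected otherwise.
    """
    stack = []  # one [kind, comma_count] entry per open container ('{' or '[')
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1  # skip escaped characters
            if j >= n:
                raise ThreatDetected("Malformed")
            length = j - i - 1
            # A string directly inside an object and followed by ':' is an entry name.
            k = j + 1
            while k < n and text[k] in " \t\r\n":
                k += 1
            is_name = bool(stack) and stack[-1][0] == "{" and k < n and text[k] == ":"
            limit = "ObjectEntryNameLength" if is_name else "StringValueLength"
            if length > limits[limit]:
                raise ThreatDetected(limit)
            i = j + 1
            continue
        if c in "{[":
            stack.append([c, 0])
            if len(stack) > limits["ContainerDepth"]:
                raise ThreatDetected("ContainerDepth")
        elif c in "}]":
            if not stack:
                raise ThreatDetected("Malformed")
            stack.pop()
        elif c == "," and stack:
            stack[-1][1] += 1  # commas + 1 = entries seen so far in this container
            limit = "ObjectEntryCount" if stack[-1][0] == "{" else "ArrayElementCount"
            if stack[-1][1] + 1 > limits[limit]:
                raise ThreatDetected(limit)
        i += 1
    if stack:
        raise ThreatDetected("Malformed")
    return json.loads(text)  # syntax is checked only after the structural limits passed


def scan_payload(text, limits=DEFAULT_LIMITS):
    """Return 'ok' or the name of the violated limit, a form that suits logging and analytics."""
    try:
        check_json_payload(text, limits)
        return "ok"
    except ThreatDetected as exc:
        return str(exc)
    except ValueError:
        return "Malformed"


# Constructed sample payloads: one benign request and one abusive shape per limit.
SAMPLES = {
    "benign order": '{"order": {"id": 42, "items": [{"sku": "A1", "qty": 2}]}}',
    "nesting bomb": "[" * 200 + "]" * 200,
    "oversized string": '{"note": "' + "A" * 5000 + '"}',
    "huge array": "[" + ",".join(["1"] * 500) + "]",
    "long entry name": '{"' + "k" * 100 + '": 1}',
}


def scan_all(samples=SAMPLES, limits=DEFAULT_LIMITS):
    """Scan every sample and report the verdict per name."""
    return {name: scan_payload(text, limits) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name}: {verdict}")
```

Because the limits are checked on the text, the 200-deep nesting bomb is rejected after eleven characters; handing it to a recursive parser first would have been the expensive path the policy exists to avoid.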
Demo: Mitigating OWASP Top 10 Threats
SSL/TLS Configuration
Inbound Security – App to Edge
[Diagram: apps connect to Apigee Edge with TLS on all channels (2-way TLS where required); the Edge side carries the cipher configuration, the key store, the trust store and the threat protection policy, and forwards to the backend.]
SSL/TLS configuration – App to Edge
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="secure">
  <HostAliases>
    <HostAlias>apiconnect.yourdomain.com</HostAlias>
  </HostAliases>
  <Interfaces/>
  <Port>443</Port>
  <SSLInfo>
    <Ciphers>
      <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA</Cipher>
      <Cipher>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Cipher>
      <Cipher>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Cipher>
      <Cipher>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Cipher>
      <Cipher>SSL_DHE_DSS_WITH_DES_CBC_SHA</Cipher>
      <Cipher>TLS_KRB5_WITH_3DES_EDE_CBC_SHA</Cipher>
      <Cipher>TLS_KRB5_WITH_DES_CBC_SHA</Cipher>
    </Ciphers>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <Enabled>true</Enabled>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
    <KeyAlias>mycorp</KeyAlias>
    <KeyStore>mycorp</KeyStore>
    <Protocols>
      <Protocol>TLSv1.1</Protocol>
      <Protocol>TLSv1.2</Protocol>
    </Protocols>
  </SSLInfo>
</VirtualHost>
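A VirtualHost definition like the one above is worth auditing mechanically, since a cipher list tends to be copied forward from release to release and a protocol name typo is silently ignored rather than rejected. The Python below is an added example written for this page, not code from the deck or from Apigee. The sample VirtualHost is constructed from the slide's structure with legacy suites and a deliberately mistyped protocol name TLSv1.12 left in so the audit has something to report; the weakness rules, the accepted protocol set and the hardened suite names are this example's assumptions, and which suites a given Edge router can actually offer depends on the JVM it runs on.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the VirtualHost shown in the deck. The legacy suites
# and the mistyped protocol name "TLSv1.12" are kept on purpose for the audit to flag.
SAMPLE_VHOST = """<VirtualHost name="secure">
  <HostAliases><HostAlias>apiconnect.yourdomain.com</HostAlias></HostAliases>
  <Port>443</Port>
  <SSLInfo>
    <Ciphers>
      <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA</Cipher>
      <Cipher>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Cipher>
      <Cipher>SSL_DHE_DSS_WITH_DES_CBC_SHA</Cipher>
      <Cipher>TLS_KRB5_WITH_DES_CBC_SHA</Cipher>
    </Ciphers>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <Enabled>true</Enabled>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
    <KeyAlias>mycorp</KeyAlias>
    <KeyStore>mycorp</KeyStore>
    <Protocols><Protocol>TLSv1.1</Protocol><Protocol>TLSv1.12</Protocol></Protocols>
  </SSLInfo>
</VirtualHost>
"""

# Protocol names the audit accepts; anything else is obsolete or a typo.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Assumed replacement lists: AEAD suites with ephemeral key exchange only.
HARDENED_CIPHERS = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
HARDENED_PROTOCOLS = ["TLSv1.2"]


def cipher_weakness(name):
    """Return why a suite should not be offered, or None if it passes these rules."""
    if name.startswith("SSL_"):
        return "SSLv3-era suite name"
    if "_NULL_" in name or "_anon_" in name:
        return "no encryption or no authentication"
    if "EXPORT" in name or "_DES_" in name or "RC4" in name or "RC2" in name:
        return "broken or export-grade cipher"
    if "3DES" in name:
        return "64-bit block cipher (Sweet32)"
    if "KRB5" in name:
        return "Kerberos suite, deprecated"
    if name.endswith("_MD5"):
        return "MD5 MAC"
    if name.startswith("TLS_RSA_"):
        return "static RSA key exchange, no forward secrecy"
    return None


def audit_virtualhost(xml_text):
    """Parse a VirtualHost definition and report weak ciphers, bad protocols and key flags."""
    ssl = ET.fromstring(xml_text).find("SSLInfo")
    ciphers = [c.text.strip() for c in ssl.findall("Ciphers/Cipher")]
    protocols = [p.text.strip() for p in ssl.findall("Protocols/Protocol")]
    return {
        "weak_ciphers": {c: reason for c in ciphers if (reason := cipher_weakness(c))},
        "bad_protocols": [p for p in protocols if p not in ACCEPTED_PROTOCOLS],
        "client_auth": (ssl.findtext("ClientAuthEnabled") or "").lower() == "true",
        "ignore_validation_errors": (ssl.findtext("IgnoreValidationErrors") or "").lower() == "true",
    }


def harden_virtualhost(xml_text, ciphers=HARDENED_CIPHERS, protocols=HARDENED_PROTOCOLS):
    """Return the VirtualHost XML with its cipher and protocol lists replaced."""
    root = ET.fromstring(xml_text)
    ssl = root.find("SSLInfo")
    for container_tag, item_tag, values in (("Ciphers", "Cipher", ciphers),
                                            ("Protocols", "Protocol", protocols)):
        container = ssl.find(container_tag)
        if container is None:
            container = ET.SubElement(ssl, container_tag)
        for old in list(container):
            container.remove(old)
        for value in values:
            ET.SubElement(container, item_tag).text = value
    # Never let a bad certificate chain pass silently on a production host.
    ive = ssl.find("IgnoreValidationErrors")
    if ive is None:
        ive = ET.SubElement(ssl, "IgnoreValidationErrors")
    ive.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit_virtualhost(SAMPLE_VHOST)
    for cipher, why in report["weak_ciphers"].items():
        print(f"weak cipher {cipher}: {why}")
    print("bad protocols:", report["bad_protocols"])
    print(harden_virtualhost(SAMPLE_VHOST))
```

Run the audit against the hardened output as well as the original: a rewrite that still trips a rule is the quickest sign that the replacement lists were edited by hand in between.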
Outbound Security – Edge to API
[Diagram: Apigee Edge connects to the backend over 2-way TLS; the Edge side carries the cipher configuration, the key store, the trust store and the threat protection policy.]
SSL/TLS configuration – Gateway to Backend (Southbound)
<HTTPTargetConnection>
  <!-- the SSLInfo settings apply to an https:// target URL -->
  <URL>https://mycorp.com</URL>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>myKeystore</KeyStore>
    <KeyAlias>myKey</KeyAlias>
    <TrustStore>myTruststore</TrustStore>
    <Ciphers/>
    <Protocols/>
  </SSLInfo>
</HTTPTargetConnection>
Certificate management
• View keystore and trust store certificates in the UI
• Add and manage keystore and trust store certificates via the Management API
Key Takeaways
• Follow the API threat model and security operations best practices
• Protect your backend from OWASP Top 10, DoS and API-specific threats using threat protection policies
• Build apps with built-in access control policies (OAuth, SAML, certificates)
• Leverage built-in TLS to secure communications end-to-end
• Be prepared to respond to the next threat using API security configurations
Questions?
Thank you
Security Architecture
[Diagram: layered security architecture. API Run-time Security: authentication, authorization, traffic management, logging & auditing. API Management Security: user management, RBAC management, policy management, certificate management, keys/token management. Threat Protection: TLS, DDoS, rate limiting & quota, payload protection, analytics. Foundation: compliance (SOC 2, PCI DSS, HIPAA) and cloud security. Supporting components: policy store, log store, key store and policy enforcement. Actors: developers, apps, IT security/architect.]