Practical API Security
Adam Englander, Engineering Manager, iovation (@adam_englander)
And now, the morning announcements…
Break will be at 10:15 in the lobby
Lunch will be from 12:20 - 1:20 in the Gerard Ballroom AB
There is as much power as PyCon could afford. Please share power.
Please rate this… https://www.surveymonkey.com/r/YHSX9MC
Let's set some expectations...
What are we protecting against?
How do we provide that protection?
Defense in Depth: Transport Layer Security, Rate Limiting/Replay Prevention, Authentication, Data Validation, Data Encryption, Logging/Tracing, Access Control
Defense in Depth: Rate Limiting/Replay Prevention
Replay prevention requires unique requests
Determine Uniqueness of Request
    GET / HTTP/1.1
    Accept: application/json
Determine Uniqueness of Request
    GET / HTTP/1.1
    Accept: application/json
    X-Nonce: 5ed518e8c5c51a64638b2b50c192242d
Store that unique value in a datastore so you can verify you don't see it again
Use the add function on the cache to prevent race conditions
Cache Example
    if ($token === null) {
        throw new AuthorizationRequiredException();
    } elseif (!$this->cache->add(hash('sha512', $token), 1, 10)) {
        throw new InvalidRequestException();
    }
Use insert on a unique index for an RDBMS to prevent race conditions
Rate limiting requires unique identification for restrictions
    api-user-id|create-widget|20:01 → ebf4e1d4bb33e5f6028e8443d6a1d6aa
Use the add and increment functions of the cache to prevent race conditions
Cache Example
    $key = sprintf("%s|root-post|%s", $userId, $timeSlice);
    $this->cache->add($key, 0, 1);
    $total = $this->cache->increment($key);
Use insert with a unique index and update ... returning in an RDBMS to prevent race conditions
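The two cache patterns above (add for replay prevention, add plus increment for rate limiting) in Python, as an added example that is not part of the slides. The TtlCache class is a constructed in-memory stand-in for a cache with memcached-style set-if-not-exists and increment semantics; accept_once and count_request are the replay and rate-limit checks built on it. The clock is injectable so the TTL behaviour can be exercised deterministically.

```python
import hashlib
import time


class TtlCache:
    """In-memory stand-in for a cache offering atomic add/increment with a TTL
    (the memcached-style semantics the slides rely on). Constructed for this
    example; a single process, so no real concurrency is exercised here."""

    def __init__(self, clock=time.time):
        self.clock = clock           # injectable for deterministic tests
        self._data = {}              # key -> (value, expires_at)

    def _live(self, key):
        """Return the stored value, or None if the key is absent or expired."""
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at <= self.clock():
            del self._data[key]
            return None
        return value

    def add(self, key, value, ttl):
        """Store value only if key is absent. This set-if-not-exists is the
        primitive that lets two concurrent requests agree on a single winner."""
        if self._live(key) is not None:
            return False
        self._data[key] = (value, self.clock() + ttl)
        return True

    def increment(self, key):
        """Increment an existing counter and return the new total."""
        value = self._live(key)
        if value is None:
            raise KeyError(key)
        _, expires_at = self._data[key]
        self._data[key] = (value + 1, expires_at)
        return value + 1


def accept_once(cache, nonce, ttl=10):
    """Replay prevention: accept the first request carrying `nonce`, reject any
    repeat seen within `ttl` seconds. The nonce is hashed before use as a key so
    the raw value is never stored. A missing nonce is an authorization failure."""
    if not nonce:
        raise PermissionError("authorization required")
    key = "nonce:" + hashlib.sha512(nonce.encode()).hexdigest()
    return cache.add(key, 1, ttl)


def count_request(cache, user_id, action, limit, window=60, now=None):
    """Rate limiting: count requests per user, action and time slice.
    Returns (allowed, total_in_slice)."""
    now = cache.clock() if now is None else now
    time_slice = int(now // window)
    key = f"{user_id}|{action}|{time_slice}"
    cache.add(key, 0, window)      # create the counter; no-op if it already exists
    total = cache.increment(key)   # atomic on a real cache, so no lost updates
    return total <= limit, total


if __name__ == "__main__":
    cache = TtlCache()
    print("first request accepted:", accept_once(cache, "5ed518e8c5c51a64638b2b50c192242d"))
    print("replayed request accepted:", accept_once(cache, "5ed518e8c5c51a64638b2b50c192242d"))
    for _ in range(4):
        print("rate limit:", count_request(cache, "api-user-id", "create-widget", limit=3))
```

Note that add returning False is the whole replay check: a second request with the same nonce loses the race at the cache, not in application logic, which is why the slides prefer add over a get-then-set sequence.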
Datastores can be implemented in three ways:
In-Memory Datastore
Local Datastore
Global Datastore
Defense in Depth: Authentication
Do not make authentication part of the body
Use the Authorization header
HTTP Basic Authentication
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
HTTP Digest Authentication
    Authorization: Digest username="Awesome", realm="example@10x.wtf",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/", qop=auth, nc=00000001,
        cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1",
        opaque="5ccc069c403ebaf9f0171e9517f40e41"
HTTP Bearer Authentication
    Authorization: Bearer mF_9.B5f-4.1JqM
Roll Your Own
Many APIs do this
What about never rolling your own crypto?
Single Use JWT
No auth service required
Can use existing JWT libraries to create and validate
Can be extended beyond auth to provide data validation and MITM protection
Defense in Depth: Data Validation
Message Validation
Request Validation
Method Validation
    GET /user/abc HTTP/1.1
    Accept: application/json
Method Validation
    DELETE /user/abc HTTP/1.1
    Accept: application/json
Path Validation
    GET /user/abc HTTP/1.1
    Accept: application/json
Path Validation
    GET /user/def HTTP/1.1
    Accept: application/json
Body Validation
    PATCH /user/abc HTTP/1.1

    {"email": "valid@user.com"}
Body Validation
    PATCH /user/abc HTTP/1.1

    {"email": "pwned@hkr.com"}
Response Validation
Status Code Validation
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21

    {"expected": "value"}
Status Code Validation
    HTTP/1.1 400 Invalid Request
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21

    {"expected": "value"}
Status Code Validation
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21

    {"expected": "value"}
Status Code Validation
    HTTP/1.1 301 Moved
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21
    Location: https://bad.actor.com

    {"expected": "value"}
Header Validation
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21
    Cache-Control: no-cache

    {"expected": "value"}
Header Validation
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21
    Cache-Control: max-age=99999999

    {"expected": "value"}
Data Validation
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21

    {"active": false}
Data Validation
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Length: 21

    {"active": true}
Validation of request data
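The request and response checks the slides list (method, path, body; status code, headers, data), as an added example that is not from the slides. It parses raw HTTP/1.1 messages like the ones shown and returns a list of problems, so an empty list means the message passes. The allowlists, the path pattern, the email pattern and the 60-second max-age ceiling are assumptions for this example; a real service would take them from its API definition.

```python
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_http_message(raw: str):
    """Split a raw HTTP/1.1 request or response into (start line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def validate_request(raw: str, allowed_methods=("GET", "PATCH"),
                     path_re=r"^/user/[a-z]+$", body_schema={"email": str}):
    """Server side: method allowlist, path pattern, JSON body shape and field format."""
    problems = []
    start, headers, body = parse_http_message(raw)
    method, path, _version = start.split(" ", 2)
    if method not in allowed_methods:
        problems.append(f"method {method} not allowed")
    if not re.match(path_re, path):
        problems.append(f"path {path} not allowed")
    if body:
        try:
            data = json.loads(body)
        except ValueError:
            return problems + ["body is not valid JSON"]
        for key, typ in body_schema.items():
            if key not in data or not isinstance(data[key], typ):
                problems.append(f"field {key} missing or wrong type")
        email = data.get("email")
        if isinstance(email, str) and not EMAIL_RE.match(email):
            problems.append(f"email {email!r} is not well formed")
    return problems


def validate_response(raw: str, expected_status=("200",), max_age_limit=60,
                      data_schema={"expected": str}):
    """Client side: status code, no unexpected redirect, content type, caching
    directives, declared length versus actual body, and the shape of the data."""
    problems = []
    start, headers, body = parse_http_message(raw)
    _version, status, *_reason = start.split(" ", 2)
    if status not in expected_status:
        problems.append(f"unexpected status {status}")
    if "location" in headers:
        problems.append(f"unexpected redirect to {headers['location']}")
    if not headers.get("content-type", "").startswith("application/json"):
        problems.append("content-type is not application/json")
    max_age = re.search(r"max-age=(\d+)", headers.get("cache-control", ""))
    if max_age and int(max_age.group(1)) > max_age_limit:
        problems.append(f"cache-control max-age={max_age.group(1)} exceeds {max_age_limit}")
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode("utf-8")):
        problems.append("content-length does not match body")
    try:
        data = json.loads(body)
    except ValueError:
        return problems + ["body is not valid JSON"]
    for key, typ in data_schema.items():
        if key not in data or not isinstance(data[key], typ):
            problems.append(f"field {key} missing or wrong type")
    return problems
```

Validation rejects on the first structural mismatch it cannot recover from (non-JSON body) but otherwise collects every problem, which is what you want in logs when deciding whether a peer is broken or hostile.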
Defense in Depth: Data Encryption
Encrypt Data at Rest
Use a structured format that allows for in-place key rotation and nonce storage
COSE: CBOR Object Signing and Encryption (COSE), built on Concise Binary Object Representation (CBOR)
Roll Your Own: keyid|nonce|encrypted-data
Encrypt Data in Transit
WW?D
JSON Web Encryption
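The keyid|nonce|encrypted-data record layout with in-place key rotation, as an added example that is not from the slides. The key ring, the key ids k1 and k2, and the record field encoding (base64 for nonce and ciphertext) are assumptions for this example. To stay dependency-free it uses an HMAC-SHA256 keystream with a separate HMAC tag (encrypt-then-MAC) in place of a real AEAD such as AES-GCM or ChaCha20-Poly1305; the point being shown is the record format and the rotation step, not the cipher, and a real system should use a vetted AEAD from a library.

```python
import base64
import hashlib
import hmac
import secrets

TAG_LEN = 32       # HMAC-SHA256 tag length
NONCE_LEN = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one ring key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (demo stand-in for an AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(keyring: dict, key_id: str, plaintext: bytes) -> str:
    """Produce a keyid|nonce|encrypted-data record under the named ring key.
    A fresh random nonce is stored in the record, so nothing else needs tracking."""
    enc_key, mac_key = _subkeys(keyring[key_id])
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The tag covers the key id too, so a record cannot be re-pointed at another key.
    tag = hmac.new(mac_key, key_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return "|".join([key_id, _b64(nonce), _b64(ciphertext + tag)])


def decrypt(keyring: dict, record: str) -> bytes:
    """Parse a record, look up the key it names, verify the tag, then decrypt.
    Raises ValueError for an unknown key id, a malformed record or a bad tag."""
    parts = record.split("|")
    if len(parts) != 3:
        raise ValueError("malformed record")
    key_id, nonce_b64, data_b64 = parts
    if key_id not in keyring:
        raise ValueError("unknown key id")
    enc_key, mac_key = _subkeys(keyring[key_id])
    nonce, data = base64.b64decode(nonce_b64), base64.b64decode(data_b64)
    ciphertext, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(mac_key, key_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def rotate(keyring: dict, record: str, new_key_id: str) -> str:
    """In-place key rotation: the record says which key encrypted it, so old
    records can be decrypted and re-encrypted under the new key one at a time."""
    return encrypt(keyring, new_key_id, decrypt(keyring, record))


if __name__ == "__main__":
    ring = {"k1": secrets.token_bytes(32), "k2": secrets.token_bytes(32)}  # constructed keys
    record = encrypt(ring, "k1", b"card-number-placeholder")
    print(record)
    print(rotate(ring, record, "k2"))
```

Because every record names its own key, rotation is a background job over stored rows rather than a flag day, and keys only leave the ring once no record references them.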
Defense in Depth: Logging/Tracing
Log Everything
Log in a structured format for easier parsing
Log all pertinent actions
Include all data regarding state. Anonymize sensitive data.
Include origin data to identify bad actors.
Utilize OpenTracing tools to track all the pertinent things
Utilize tools like ELK or Graylog to aggregate logs
Determine anomalous conditions and alert on those conditions.
And now we code…

Practical API Security - PyCon 2019