Stormpath, profile picture
Uploaded byStormpath
PPTX, PDF218,941 views

Secure Your REST API (The Right Way)

The document outlines best practices for securing REST APIs, focusing on user management, authentication methods, and security workflows. It emphasizes using OAuth 1.0a or OAuth 2 with MAC, avoiding basic authentication, and implementing proper authorization checks along with secure API key management. Additionally, it covers the importance of TLS, configuration management, and efficient storage of sensitive data to protect against vulnerabilities.

Software
Related topics:
API Security Insights

Embed presentation

Downloaded 3,258 times
Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
.com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
HTTP Authentication...
... is all about the headers Learn more at Stormpath.com
1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
Status Codes Learn more at Stormpath.com
401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
HTTP Authorization Learn more at Stormpath.com
HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
Best Practices Learn more at Stormpath.com
API Keys Learn more at Stormpath.com
API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
Identifiers Learn more at Stormpath.com
Identifiers /accounts/x2b4jX3l31uiL Good Not So Good /accounts/1234 Why? Learn more at Stormpath.com
Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
Query Injection Learn more at Stormpath.com
Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
Redirects and Forwards Learn more at Stormpath.com
Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
TLS Learn more at Stormpath.com
TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
Configuration Learn more at Stormpath.com
Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
Storage Learn more at Stormpath.com
Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
.com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com

More Related Content

PPTX
Rest API Security
byStormpath
 
PPTX
Token Authentication for Java Applications
byStormpath
 
ODP
Mohanraj - Securing Your Web Api With OAuth
byfossmy
 
PPTX
Build A Killer Client For Your REST+JSON API
byStormpath
 
PDF
The Ultimate Guide to Mobile API Security
byStormpath
 
PDF
Building an API Security Ecosystem
byPrabath Siriwardena
 
PDF
Securty Testing For RESTful Applications
bySource Conference
 
PDF
Secure Web Services
byRob Daigneau
 
Rest API Security
byStormpath
 
Token Authentication for Java Applications
byStormpath
 
Mohanraj - Securing Your Web Api With OAuth
byfossmy
 
Build A Killer Client For Your REST+JSON API
byStormpath
 
The Ultimate Guide to Mobile API Security
byStormpath
 
Building an API Security Ecosystem
byPrabath Siriwardena
 
Securty Testing For RESTful Applications
bySource Conference
 
Secure Web Services
byRob Daigneau
 

What's hot

PPTX
Api security
byteodorcotruta
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PPTX
REST API Design for JAX-RS And Jersey
byStormpath
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PPTX
Build a Node.js Client for Your REST+JSON API
byStormpath
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PPTX
Browser Security 101
byStormpath
 
PDF
Authentication: Cookies vs JWTs and why you’re doing it wrong
byDerek Perkins
 
PPTX
Instant Security & Scalable User Management with Spring Boot
byStormpath
 
PPTX
Elegant Rest Design Webinar
byStormpath
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PDF
OAuth - Open API Authentication
byleahculver
 
PPTX
D@W REST security
byGaurav Sharma
 
PPTX
Making Sense of API Access Control
byCA API Management
 
PPTX
Securing RESTful Payment APIs Using OAuth 2
byJonathan LeBlanc
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
PDF
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
PPTX
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 
Api security
byteodorcotruta
 
Securing Web Applications with Token Authentication
byStormpath
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
REST API Design for JAX-RS And Jersey
byStormpath
 
Single-Page-Application & REST security
byIgor Bossenko
 
Build a Node.js Client for Your REST+JSON API
byStormpath
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
Browser Security 101
byStormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
byDerek Perkins
 
Instant Security & Scalable User Management with Spring Boot
byStormpath
 
Elegant Rest Design Webinar
byStormpath
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
OAuth - Open API Authentication
byleahculver
 
D@W REST security
byGaurav Sharma
 
Making Sense of API Access Control
byCA API Management
 
Securing RESTful Payment APIs Using OAuth 2
byJonathan LeBlanc
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 

Similar to Secure Your REST API (The Right Way)

PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PDF
Best Practices in Building an API Security Ecosystem
byWSO2
 
PDF
Pentesting RESTful webservices
byMohammed A. Imran
 
PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PDF
REST API Authentication Methods.pdf
byRubersy Ramos García
 
PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
PDF
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PPTX
API Security - Null meet
byvinoth kumar
 
PPTX
HTTP Services & REST API Security
byTaiseer Joudeh
 
PDF
Getting Started with Public APIs
byEryn O'Neil
 
PDF
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
byCA API Management
 
PPTX
How to build Simple yet powerful API.pptx
byChanna Ly
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PPTX
Building Secure User Interfaces With JWTs
byrobertjd
 
PPTX
Securing Single Page Applications with Token Based Authentication
byStefan Achtsnit
 
PDF
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
PPTX
Beautiful REST and JSON APIs - Les Hazlewood
byjaxconf
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
API SECURITY
byTubagus Rizky Dharmawan
 
Best Practices in Building an API Security Ecosystem
byWSO2
 
Pentesting RESTful webservices
byMohammed A. Imran
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
REST API Authentication Methods.pdf
byRubersy Ramos García
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
API Security - Null meet
byvinoth kumar
 
HTTP Services & REST API Security
byTaiseer Joudeh
 
Getting Started with Public APIs
byEryn O'Neil
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
byCA API Management
 
How to build Simple yet powerful API.pptx
byChanna Ly
 
Securing RESTful API
byMuhammad Zbeedat
 
Building Secure User Interfaces With JWTs
byrobertjd
 
Securing Single Page Applications with Token Based Authentication
byStefan Achtsnit
 
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
Beautiful REST and JSON APIs - Les Hazlewood
byjaxconf
 
When and Why Would I use Oauth2?
byDave Syer
 

More from Stormpath

PPTX
Design Beautiful REST + JSON APIs
byStormpath
 
PPTX
Token Authentication in ASP.NET Core
byStormpath
 
PDF
Building Beautiful REST APIs with ASP.NET Core
byStormpath
 
PPTX
Spring Boot Authentication...and More!
byStormpath
 
PPTX
Beautiful REST+JSON APIs with Ion
byStormpath
 
PDF
Building Beautiful REST APIs in ASP.NET Core
byStormpath
 
PPTX
Multi-Tenancy with Spring Boot
byStormpath
 
PPTX
So long scrum, hello kanban
byStormpath
 
PDF
Getting Started With Angular
byStormpath
 
PPTX
How to Use Stormpath in angular js
byStormpath
 
PDF
Build a REST API for your Mobile Apps using Node.js
byStormpath
 
PDF
Mobile Authentication for iOS Applications - Stormpath 101
byStormpath
 
PPTX
Secure API Services in Node with Basic Auth and OAuth2
byStormpath
 
PPTX
JWTs for CSRF and Microservices
byStormpath
 
PPTX
Stormpath 101: Spring Boot + Spring Security
byStormpath
 
PDF
JWTs in Java for CSRF and Microservices
byStormpath
 
PPTX
Custom Data Search with Stormpath
byStormpath
 
PPTX
Storing User Files with Express, Stormpath, and Amazon S3
byStormpath
 
Design Beautiful REST + JSON APIs
byStormpath
 
Token Authentication in ASP.NET Core
byStormpath
 
Building Beautiful REST APIs with ASP.NET Core
byStormpath
 
Spring Boot Authentication...and More!
byStormpath
 
Beautiful REST+JSON APIs with Ion
byStormpath
 
Building Beautiful REST APIs in ASP.NET Core
byStormpath
 
Multi-Tenancy with Spring Boot
byStormpath
 
So long scrum, hello kanban
byStormpath
 
Getting Started With Angular
byStormpath
 
How to Use Stormpath in angular js
byStormpath
 
Build a REST API for your Mobile Apps using Node.js
byStormpath
 
Mobile Authentication for iOS Applications - Stormpath 101
byStormpath
 
Secure API Services in Node with Basic Auth and OAuth2
byStormpath
 
JWTs for CSRF and Microservices
byStormpath
 
Stormpath 101: Spring Boot + Spring Security
byStormpath
 
JWTs in Java for CSRF and Microservices
byStormpath
 
Custom Data Search with Stormpath
byStormpath
 
Storing User Files with Express, Stormpath, and Amazon S3
byStormpath
 

Recently uploaded

PPTX
The OpenChain China Mini-Summit at COSCON 2025
byShane Coughlan
 
PPTX
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
PDF
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
PDF
Maverick Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
PDF
Intro to advanced databases sql lectures.pdf
byomransalah1
 
PDF
MGA Insurance Product Launch Acceleration
byOpenkoda
 
PDF
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
PDF
Core PHP vs Laravel Which is Better for Backend Development.pdf
byPixlogix Infotech
 
PDF
Overleaf and LaTeX Workshop for CSE Students at University of Moratuwa - Dece...
byChanukaWijayakoon1
 
PDF
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
PDF
2025_12_17 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Gamified Engagement Guide | Gamification Software by Captain Up
byCaptain Up
 
PPTX
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
PDF
Integrating Risk Buffers Into Your Critical Path When & How
byOrangescrum
 
PDF
AI in Odoo 19: Driving Business Growth in 2025
byEnvertis Software Solutions
 
PPTX
AI-Powered Clinic Management Software for Psychology Clinics Enhancing Mental...
byEasy Clinic
 
PDF
PeopleSoft Lift and Shift to Oracle Cloud Infrastructure.pdf
byAstuteBusiness
 
PDF
Custom Software Development for Startups A Practical Guide.pdf
byNet-Craft.com
 
PDF
Strengthen Data Security with SOC 2 Compliance Solutions
bySoclyio
 
DOCX
Best Construction ERP Solution in India for Smarter Project Management.docx
byInniti software
 
The OpenChain China Mini-Summit at COSCON 2025
byShane Coughlan
 
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
Maverick Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
Intro to advanced databases sql lectures.pdf
byomransalah1
 
MGA Insurance Product Launch Acceleration
byOpenkoda
 
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
Core PHP vs Laravel Which is Better for Backend Development.pdf
byPixlogix Infotech
 
Overleaf and LaTeX Workshop for CSE Students at University of Moratuwa - Dece...
byChanukaWijayakoon1
 
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
2025_12_17 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Gamified Engagement Guide | Gamification Software by Captain Up
byCaptain Up
 
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
Integrating Risk Buffers Into Your Critical Path When & How
byOrangescrum
 
AI in Odoo 19: Driving Business Growth in 2025
byEnvertis Software Solutions
 
AI-Powered Clinic Management Software for Psychology Clinics Enhancing Mental...
byEasy Clinic
 
PeopleSoft Lift and Shift to Oracle Cloud Infrastructure.pdf
byAstuteBusiness
 
Custom Software Development for Startups A Practical Guide.pdf
byNet-Craft.com
 
Strengthen Data Security with SOC 2 Compliance Solutions
bySoclyio
 
Best Construction ERP Solution in India for Smarter Project Management.docx
byInniti software
 

Secure Your REST API (The Right Way)

  • 1.
    Les Hazlewood @lhazlewood ApacheShiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
  • 2.
    .com • User Managementand Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
  • 3.
  • 4.
    ... is allabout the headers Learn more at Stormpath.com
  • 5.
    1. Request GET /accounts/x2b4jX3l31uiLHTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
  • 6.
    2. Challenge Response HTTP/1.1401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
  • 7.
    3. Resubmit Request GET/accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
  • 8.
    Authorization Header Format GET/accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
  • 9.
    4. Successful Response HTTP/1.1200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
  • 10.
    Example: Oauth 1.0a GET/accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
  • 11.
    Example: Oauth 2 GET/accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
  • 12.
    Example: Oauth 2MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
  • 13.
    Ok, now that’sout of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
  • 14.
    Status Codes Learn moreat Stormpath.com
  • 15.
    401 vs 403 •401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
  • 16.
  • 17.
    HTTP Authorization • Afterauthc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
  • 18.
    HTTP Authorization: OAuth •OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
  • 19.
    HTTP Authorization: OAuth •When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
  • 20.
    HTTP Authorization: JWT •JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
  • 21.
    Best Practices Learn moreat Stormpath.com
  • 22.
    API Keys Learn moreat Stormpath.com
  • 23.
    API Keys, NotPasswords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
  • 24.
    API Keys cont’d •Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
  • 25.
  • 26.
  • 27.
    Identifiers • Should beopaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
  • 28.
  • 29.
    Query Injection Vulnerable URL: foo.com/accounts?acctId=‘or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
  • 30.
    Redirects and Forwards Learnmore at Stormpath.com
  • 31.
    Redirects and Forwards •Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
  • 32.
    TLS Learn more atStormpath.com
  • 33.
    TLS • Use TLSfor everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
  • 34.
    TLS Cont’d • Configureyour SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
  • 35.
  • 36.
    Configuration • CI: SecurityTesting • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
  • 37.
    Storage Learn more atStormpath.com
  • 38.
    Storage • Sensitive dataencrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
  • 39.
    Thank You! • les@stormpath.com •Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
  • 40.
    .com • Free fordevelopers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com