Enhancing your Security APIs

Page 1: Enhancing your Security APIs

Secure APIs for Finance

Lessons from API security successes and failures

Greg Brail Apigee May 2016

Page 2: Enhancing your Security APIs

Agenda What Happens to Insecure APIs

API Security Fundamentals

Why APIs are less risky

The Result: Effective API Security

Page 3: Enhancing your Security APIs

No API Security

Bad things happen

Page 4: Enhancing your Security APIs

I have an API!

Page 5: Enhancing your Security APIs

©2015 Apigee Corp. All Rights Reserved.

But I Don’t Have an API!

Page 6: Enhancing your Security APIs

Of Course You Have an API!

Sources cited on the slide: Wired, 9/22/15; www.ifc0nfig.com, 1/5/15; troyhunt.com, 2/24/16

Everything with a URI has an API

Page 7: Enhancing your Security APIs

Some API Security Breaches (Breach / Reason / Source)

•  Buffer: compromised third-party admin password; OAuth secret in GitHub (ProgrammableWeb)

•  Snapchat: no authentication; no rate limit (Gibson Security)

•  Multiple Kardashian apps: no authentication or authorization (Wired)

•  MoonPig: no authentication or authorization (www.ifc0nfig.com)

•  Facebook Graph API: users can delete other users’ photos; improper authorization check (ProgrammableWeb)

•  IRS GetTranscript application: password reset mechanism relied on personal data (IRS)

•  Instagram: malicious app was stealing passwords; no approval process (Daily Dot)

•  Nissan Leaf: VIN number only security credential on API (Troy Hunt)

•  Tesla Model S: six-character password that’s easily guessable (Security Affairs, elsewhere)

Page 8: Enhancing your Security APIs

Nissan Leaf

•  http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

•  No authentication on some APIs

•  Climate control, battery status

•  Only VIN number required

•  User ID leaked by some of those APIs

Page 9: Enhancing your Security APIs

Snapchat

•  No rate limit on request to get friends by phone number

•  Hard-coded encryption key

•  Weak cipher

•  http://gibsonsec.org/snapchat/

Page 10: Enhancing your Security APIs

Mobile Banking Apps

•  Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world

•  More than 30% used non-TLS-encrypted links for at least part of the app

•  Down from 90% two years ago

•  Demonstrated JavaScript interception of some apps’ “login” page to gather passwords


Ariel Sanchez, blog.ioactive.com

Page 11: Enhancing your Security APIs

A South Asian Bank

•  Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts

•  Found many major flaws and one huge one

•  All validation of account numbers for funds transfers was performed in the mobile app only – not on the server
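The flaw on this slide is the server trusting checks that only ran in the mobile app. The following is an added example, not code from the talk or from the bank: a transfer handler written both ways, with constructed account names and balances. The ownership check uses the identity the server authenticated, never a field the client sends.

```python
# Added example (not from the slides): re-validating a funds transfer on the server.
# Account ids, owners and balances below are constructed for the example.
from typing import Dict, Tuple

# Constructed sample ledger: account -> owner, account -> balance.
OWNER: Dict[str, str] = {"ACC-1001": "alice", "ACC-1002": "alice", "ACC-2001": "bob"}
BALANCES: Dict[str, float] = {"ACC-1001": 500.0, "ACC-1002": 50.0, "ACC-2001": 1000.0}


def transfer_trusting_client(request: dict, ledger: Dict[str, float]) -> Tuple[bool, str]:
    """The pattern from the slide: the server assumes the mobile app already checked
    that the caller owns 'from', so any crafted API request can move money out of
    any account.  Shown only to contrast with the hardened version below."""
    ledger[request["from"]] -= request["amount"]
    ledger[request["to"]] += request["amount"]
    return True, "ok"


def transfer_validated(caller: str, request: dict, ledger: Dict[str, float]) -> Tuple[bool, str]:
    """Hardened: every rule the app checks is checked again here.  'caller' is the
    identity established by server-side authentication (e.g. the OAuth token's
    subject), never a field the client puts in the request body."""
    src, dst, amount = request.get("from"), request.get("to"), request.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
        return False, "invalid amount"
    if OWNER.get(src) != caller:
        # The check the bank skipped: does the authenticated user own the source account?
        return False, "caller does not own source account"
    if dst not in ledger or dst == src:
        return False, "invalid destination account"
    if ledger[src] < amount:
        return False, "insufficient funds"
    ledger[src] -= amount
    ledger[dst] += amount
    return True, "ok"


if __name__ == "__main__":
    # A request authenticated as bob that names alice's account as the source,
    # i.e. the client-side validation has simply been bypassed.
    req = {"from": "ACC-1001", "to": "ACC-2001", "amount": 400.0}
    print(transfer_trusting_client(req, dict(BALANCES)))   # (True, 'ok'): money moved
    print(transfer_validated("bob", req, dict(BALANCES)))  # (False, 'caller does not own source account')
```

The ledger is passed in rather than held globally so each call is independent; in a real service the same checks would run inside the database transaction that moves the funds.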


Page 12: Enhancing your Security APIs

SWIFT

•  Over $900 million in fraudulent transfer requests due to compromise at a member bank

•  Became $81 million due to a typo

BAE Systems Applied Intelligence

Page 13: Enhancing your Security APIs

APIs for Finance

Applying security lessons

Page 14: Enhancing your Security APIs

APIs for Controlled Access

•  APIs provide a controlled way for third parties to access a service

•  Not having an API means that third parties will find another way

•  That’s why JPMC is considering this:

Page 15: Enhancing your Security APIs

Federated Security is a Must

Systems like OAuth and OpenID exist for the purpose of managing secure access without sharing passwords

-- JPMorgan Chase, 2015 letter to shareholders

Page 16: Enhancing your Security APIs

Trusted Endpoints Aren’t

•  API security must assume untrusted endpoints

•  User authentication

•  Fraud detection

•  Application-level authentication

Page 17: Enhancing your Security APIs

Fundamental API Security

What every developer should know

Page 18: Enhancing your Security APIs


You Have an API

Page 19: Enhancing your Security APIs

What You Need to Do

•  Prevent unauthorized applications

•  Prevent unauthorized users

•  Prevent excessive traffic

•  Prevent content attacks

•  Watch for trouble

•  React to trouble

Page 20: Enhancing your Security APIs

What Do Apigee Customers Do?

74% OAuth

78% Spike Arrest

72% Threat Protection

Page 21: Enhancing your Security APIs

What do Others Do?

•  A wide variety of solutions out there

•  87% have “API management”

•  83% are “concerned” about API security

Page 22: Enhancing your Security APIs

Prevent Unauthorized Applications

•  Application Authorization is a fundamental part of API security

•  Best way to stop runaway applications

•  Only option for certain types of apps (anonymous API access)

•  Requirement for all forms of OAuth

•  Best practices

•  Use different credentials for each version of each app

•  Makes it easier to pull a bad version

•  Hide the app credentials as best you can

•  Realize that they still can be stolen

•  Have an approval process for apps

Page 23: Enhancing your Security APIs

Prevent Unauthorized Users

•  Authenticate all end users for critical apps

•  Only way to keep security credentials outside the app

•  Use OAuth carefully

•  Use caution around “password” grant type

•  Only as good as identity management

•  For instance, dodgy password reset practices

•  Can you get identity as a service?

Page 24: Enhancing your Security APIs

Don’t Make It Up

•  OAuth 1.0: Bug

•  OAuth 1.0a: Better

•  OAuth 2.0 authorization code grant type: Attack identified

•  RFC 7636 (PKCE) fixes it

•  Would you have discovered this on your own?
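RFC 7636 (PKCE) is the fix the slide points to. What follows is an added example, not code from the talk or from any OAuth library: the S256 verifier/challenge computation the RFC specifies, wrapped in a minimal authorization server of this example's own design, so the exchange can be walked through end to end. The client id, class names and the single-use code store are assumptions for illustration.

```python
# Added example (not from the slides): RFC 7636 PKCE with the S256 method.
# Only the verifier/challenge computation is what the RFC specifies; the
# AuthorizationServer class is a minimal stand-in written for this example.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stores the challenge with the issued code; checks the verifier at the token endpoint."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")  # refuse 'plain'
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code  # travels back through the redirect URI, which is what the attack observed

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        entry = self._pending.pop(code, None)  # each code is single use
        if entry is None or entry[0] != client_id:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        # Whoever only saw the code does not hold the verifier, so this fails for them.
        return hmac.compare_digest(make_code_challenge(code_verifier), entry[1])


def run_exchange() -> Tuple[bool, bool, bool]:
    """One legitimate exchange, one with a wrong verifier, one replay of a used code."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("mobile-app", make_code_challenge(verifier))
    legit = server.token("mobile-app", code, verifier)
    code2 = server.authorize("mobile-app", make_code_challenge(verifier))
    wrong = server.token("mobile-app", code2, make_code_verifier())
    replay = server.token("mobile-app", code, verifier)
    return legit, wrong, replay  # (True, False, False)
```

The point of the slide holds in the code: the server never learns the verifier until the token request, and a code on its own is worthless, which is exactly the property a home-grown scheme is unlikely to have thought through.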

Page 25: Enhancing your Security APIs

Prevent Excessive Traffic

•  Protect APIs that are vulnerable to brute force

•  Validating password

•  Validating anything

•  Anything where the only ID is in a small space

•  Protect from runaway applications

•  Denial of service is also an attack

•  Excessive usage may mean data is being harvested

•  Not always an attack – developers make mistakes
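To make the two halves of this slide concrete, here is an added example (not code from the talk or from Apigee's Spike Arrest) of a sliding-window limiter applied twice to a "validate something" endpoint: once per application credential, to catch a runaway or harvesting app, and once per target such as a username or account id, to stop brute force against a small secret space. The limits, windows, the FakeClock and the OTP check are this example's own choices.

```python
# Added example (not from the slides): rate limiting endpoints whose only
# protection is a secret drawn from a small space.  Limits and windows are
# illustrative values chosen for this example.
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class SlidingWindowLimiter:
    """Allows at most `limit` events per `key` within any `window` seconds."""

    def __init__(self, limit: int, window: float, clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class VerificationGuard:
    """Wraps any 'validate something' endpoint (password, OTP, account lookup) with two
    independent budgets: per application credential and per target identifier."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.per_app = SlidingWindowLimiter(limit=100, window=60.0, clock=clock)
        self.per_target = SlidingWindowLimiter(limit=5, window=300.0, clock=clock)

    def check(self, app_key: str, target: str, secret: str, verify: Callable[[str, str], bool]) -> str:
        if not self.per_app.allow(app_key):
            return "app_throttled"
        # Normalise the target so case or whitespace variants do not get separate budgets,
        # and count the attempt before verifying so a guess never gets a free try.
        norm = target.strip().lower()
        if not self.per_target.allow(norm):
            return "target_locked"
        return "ok" if verify(norm, secret) else "bad_secret"


class FakeClock:
    """Deterministic clock for the demo and tests."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate_otp_guessing() -> List[str]:
    """Six guesses at a 6-digit one-time code for one user inside the window."""
    clock = FakeClock()
    guard = VerificationGuard(clock)
    verify = lambda user, otp: user == "alice" and otp == "000042"  # constructed verifier
    results = []
    for guess in ["000000", "000001", "000002", "000003", "000042", "000042"]:
        clock.now += 0.1
        results.append(guard.check("app-v2", "Alice ", guess, verify))
    return results  # 4 x 'bad_secret', then 'ok', then 'target_locked'


def simulate_runaway_app() -> int:
    """150 lookups from one app in 1.5 seconds: the per-app budget is 100 per minute."""
    clock = FakeClock()
    guard = VerificationGuard(clock)
    throttled = 0
    for i in range(150):
        clock.now += 0.01
        if guard.check("app-v1", "user%d" % i, "x", lambda u, s: False) == "app_throttled":
            throttled += 1
    return throttled  # 50
```

Counting every attempt, successful or not, is deliberate: the sixth call is refused even though it carries the right code, because the budget, not the answer, decides. A production service would back the counters with a shared store rather than a process-local dict.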

Page 26: Enhancing your Security APIs

Prevent Content Attacks

•  Accepting JSON over the Internet?

•  Excessive identifier length

•  Excessive nesting

•  Large arrays and elements

•  Accepting XML over the Internet?

•  All that and more

•  Are you sure there can’t be SQL injection?

•  Regular expression checks
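The three JSON problems on this slide (identifier length, nesting, large arrays and elements) can all be bounded before a request reaches application code. The following is an added example, not code from the talk or from Apigee's threat-protection policy, using only the standard library; the limit values are this example's own defaults.

```python
# Added example (not from the slides): structural limits on a JSON request body.
# The numbers in DEFAULT_LIMITS are illustrative, not figures from the talk.
import json
from typing import Any, Dict

DEFAULT_LIMITS: Dict[str, int] = {
    "max_bytes": 64 * 1024,   # whole body
    "max_depth": 20,          # nesting of objects/arrays
    "max_key_len": 64,        # identifier (member name) length
    "max_string_len": 4096,   # any string value
    "max_array_len": 1000,    # elements per array
    "max_members": 200,       # members per object
}


class ContentRejected(ValueError):
    pass


def parse_json_safely(raw: bytes, limits: Dict[str, int] = DEFAULT_LIMITS) -> Any:
    """Size check first (bounds the parser's work), then a walk of the parsed tree
    (bounds what downstream code must handle).  Raises ContentRejected."""
    if len(raw) > limits["max_bytes"]:
        raise ContentRejected("body exceeds %d bytes" % limits["max_bytes"])
    try:
        doc = json.loads(raw)
    except RecursionError:
        # json.loads recurses once per nesting level; pathological nesting lands here.
        raise ContentRejected("nesting too deep for parser")
    except ValueError as exc:
        raise ContentRejected("malformed JSON: %s" % exc)
    _walk(doc, 1, limits)
    return doc


def _walk(node: Any, depth: int, limits: Dict[str, int]) -> None:
    if depth > limits["max_depth"]:
        raise ContentRejected("nesting deeper than %d" % limits["max_depth"])
    if isinstance(node, dict):
        if len(node) > limits["max_members"]:
            raise ContentRejected("object with more than %d members" % limits["max_members"])
        for key, value in node.items():
            if len(key) > limits["max_key_len"]:
                raise ContentRejected("identifier longer than %d" % limits["max_key_len"])
            _walk(value, depth + 1, limits)
    elif isinstance(node, list):
        if len(node) > limits["max_array_len"]:
            raise ContentRejected("array longer than %d" % limits["max_array_len"])
        for value in node:
            _walk(value, depth + 1, limits)
    elif isinstance(node, str) and len(node) > limits["max_string_len"]:
        raise ContentRejected("string longer than %d" % limits["max_string_len"])


def classify(raw: bytes) -> str:
    """Convenience wrapper returning 'accepted' or 'rejected: <reason>'."""
    try:
        parse_json_safely(raw)
        return "accepted"
    except ContentRejected as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed sample bodies.
    print(classify(b'{"account": "ACC-1001", "amount": 12.5}'))   # accepted
    print(classify(b"[" * 50 + b"]" * 50))                        # nesting deeper than 20
    print(classify(b'{"' + b"a" * 100 + b'": 1}'))                 # identifier longer than 64
    print(classify(b"[" + b"0," * 1500 + b"0]"))                   # array longer than 1000
```

Rejecting on structure rather than on content keeps this check independent of what the API does; the same walk can carry a schema check for the specific endpoint once the shape is known to be sane.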

Page 27: Enhancing your Security APIs

Watch for Trouble

•  Monitor the API

•  Usage patterns

•  Usage patterns by application

•  Latency

•  Error rate

•  Monitor the world too

•  Unusual tweets?

•  Other social media?

Page 28: Enhancing your Security APIs

Example: Bot Detection

•  Traffic comes from unusual places:

•  iPads in Amazon data centers

•  US-only retailers with many “customers” in Eastern Europe

•  Or unusual patterns:

•  Sequential scans of identifiers

•  API traffic faster than a human can generate

•  Identify suspected “bots”

•  Heuristics, machine learning

•  Block them by IP or otherwise
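The heuristics on this slide, run over constructed access-log lines, as an added example that is not code from the talk or from any Apigee product. The log format, the IP-to-country table, the "cloud" address range (RFC 5737 test addresses) and the thresholds are all this example's own assumptions standing in for a GeoIP database and real traffic.

```python
# Added example (not from the slides): the bot heuristics the slide lists, applied
# to constructed log lines.  Reference data and thresholds are illustrative.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed stand-ins for a GeoIP database and a hosting-provider range list.
IP_COUNTRY = {"198.51.100.7": "US", "203.0.113.10": "US", "192.0.2.55": "RO"}
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # treated as a data-centre range here
SERVED_COUNTRIES = {"US"}                                  # a US-only retailer

ID_PATH = re.compile(r"^/v1/customers/(\d+)$")
MAX_HUMAN_RPS = 5.0        # sustained faster than this is not a person tapping a screen
MIN_SCAN_LENGTH = 5        # this many consecutive ids in order counts as a scan

# Constructed log: timestamp, client IP, path, user agent (tab separated).
IPAD = "Mozilla/5.0 (iPad; CPU OS 9_3 like Mac OS X)"
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/50.0"
SAMPLE_LOG = "\n".join([
    "2016-05-01T10:00:00.000\t203.0.113.10\t/v1/customers/1000\t" + IPAD,
    "2016-05-01T10:00:00.200\t203.0.113.10\t/v1/customers/1001\t" + IPAD,
    "2016-05-01T10:00:00.400\t203.0.113.10\t/v1/customers/1002\t" + IPAD,
    "2016-05-01T10:00:00.600\t203.0.113.10\t/v1/customers/1003\t" + IPAD,
    "2016-05-01T10:00:00.800\t203.0.113.10\t/v1/customers/1004\t" + IPAD,
    "2016-05-01T10:00:01.000\t203.0.113.10\t/v1/customers/1005\t" + IPAD,
    "2016-05-01T10:00:05.000\t198.51.100.7\t/v1/customers/42\t" + CHROME,
    "2016-05-01T10:00:07.000\t192.0.2.55\t/v1/customers/77\t" + CHROME,
    "2016-05-01T10:01:10.000\t198.51.100.7\t/v1/orders\t" + CHROME,
    "2016-05-01T10:02:00.000\t198.51.100.7\t/v1/customers/42\t" + CHROME,
])


def parse_log(text: str) -> Dict[str, List[dict]]:
    """Group requests by client IP, in time order."""
    by_client: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path, ua = line.split("\t", 3)
        by_client[ip].append({"t": datetime.fromisoformat(ts).timestamp(), "path": path, "ua": ua})
    for reqs in by_client.values():
        reqs.sort(key=lambda r: r["t"])
    return by_client


def is_cloud_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def detect_bots(text: str) -> Dict[str, List[str]]:
    """Return client IP -> sorted reasons, for clients that trip any heuristic."""
    flagged: Dict[str, List[str]] = {}
    for ip, reqs in parse_log(text).items():
        reasons = []
        # Unusual place: traffic from a country the business does not serve.
        if IP_COUNTRY.get(ip) not in SERVED_COUNTRIES:
            reasons.append("out_of_region")
        # Unusual place: a tablet user agent arriving from a hosting provider's range.
        if is_cloud_ip(ip) and any("iPad" in r["ua"] for r in reqs):
            reasons.append("cloud_ip_with_mobile_device")
        # Unusual pattern: consecutive identifiers requested in order.
        ids = [int(m.group(1)) for r in reqs for m in [ID_PATH.match(r["path"])] if m]
        if len(ids) >= MIN_SCAN_LENGTH and all(b - a == 1 for a, b in zip(ids, ids[1:])):
            reasons.append("sequential_id_scan")
        # Unusual pattern: a sustained request rate no one produces by hand.
        if len(reqs) >= 3:
            span = max(reqs[-1]["t"] - reqs[0]["t"], 0.001)
            if len(reqs) / span > MAX_HUMAN_RPS:
                reasons.append("superhuman_rate")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged
```

Each reason is kept separately rather than collapsed into one score so that an operator can see which heuristic fired, which matters when the response is to block by IP or to revoke an application credential: a single out-of-region request is a much weaker signal than a sequential scan at machine speed.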

Page 29: Enhancing your Security APIs

React to Trouble

•  Do you have application-level authentication?

•  Revoke app credentials

•  Change rate limit

•  Redirect app to another URL

•  No application-level authentication?

•  Insert additional logic

•  Worst case: shut down the API until it’s fixed

Page 30: Enhancing your Security APIs

API Management Can Help

Page 31: Enhancing your Security APIs

Effective API Security

API == Contract == Security

Page 32: Enhancing your Security APIs

An API is a Contract

What is an API, really?

Page 33: Enhancing your Security APIs

The “API Stack” is Small

•  Simple

•  Ubiquitous

•  Widely-understood

•  Universally implemented

Page 34: Enhancing your Security APIs

API Contracts are Simple

•  Since API technology is simple,

•  So is the contract:

•  URIs

•  JSON schemas

•  Query parameters

•  Authentication

•  Simpler contracts are:

•  simpler to validate

•  simpler to test

•  simpler to prove

Page 35: Enhancing your Security APIs

Simpler Means More Secure

•  Don’t agree? Let’s look at web apps:

•  Cross-site scripting

•  Insecure URIs in links

•  Cross-site request forgery

•  Insecure redirects

•  Insecure third-party pages

•  Insecure and malicious JavaScript

Page 36: Enhancing your Security APIs

Simpler is Better

•  Well-known URI pattern

•  Documented schemas

•  Well-known authentication model

•  Well-known authorization model

•  One way to secure all API calls

•  Totally dynamic URI pattern is harder to test

•  Specified inputs and outputs can be tested

•  Haphazard authentication hard to test

•  Haphazard authorization hard to test

•  Multiple implementations hard to test

Page 37: Enhancing your Security APIs

Summing it Up

APIs are essential for security. Security is essential to APIs. API risk is well-understood.

Page 38: Enhancing your Security APIs

Conclusion

•  We saw lots of places where APIs were compromised

•  Many of these had nothing to do with an “API”

•  Biggest vulnerability is having an API and not realizing it

•  Everything with a URL has an API

•  Well-defined APIs can be secured

•  Lots of widely-known techniques and technology

•  A properly-secured API is verifiable

•  Use it!

Page 39: Enhancing your Security APIs

Thank You