What Hackers Don’t Want You To Know: How to Maximize Your API Security


Published on June 21, 2019

Author: AaronLieberman5

Source: slideshare.net

2. All contents © MuleSoft Inc.
Agenda
• 6:00PM – Doors open
• 6:00PM - 6:30PM – Network, Eat, and Socialize
• 6:30PM - 6:35PM – Introductions
• 6:35PM - 7:30PM – Presentation/Demo
• 7:30PM - 7:45PM – Q&A
• 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and Speakers

3. Introductions
• About the organizer:
  – Big Compass
• About the presenters:
  – Aaron Lieberman
  – Tyler Reynolds

4. MuleSoft API Management and Security
• MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
• PingIntelligence with MuleSoft APIs

5. API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage

6. Demo: API Lifecycle

7. Giveaway! With MuleSoft API Manager security policies, what is the difference between rate limiting and request throttling?

8. MuleSoft API Management
• API Manager
  – Creating an API
  – SLA Tiers
  – Contracts
  – Alerts
  – Policies
    • Out of the box policies
    • Custom Policy from API Manager
    • Develop Custom Policy in Anypoint Studio
    • Secure your APIs!
  – Monitoring

9. Securing APIs in MuleSoft With API Manager
• Specific to one API
  – New feature of automated policies to apply the same set of policies to many APIs
• Common Policies in API Manager
  – Basic authentication
  – IP whitelist/blacklist
  – Client ID Enforcement
  – OAuth 2.0
  – SLA based rate limiting and throttling

10. Demo: MuleSoft API Management/Security and Attacking a MuleSoft API

11. MuleSoft Anypoint Security
• Secure all applications deployed to your Runtime Fabric with Edge Policies
• Implement a Web Application Firewall (WAF)
• Other policies
  – IP whitelist
  – Denial of service
  – HTTP limits

12. MuleSoft + WAF Security
• Protects against many common attacks
  – SQL Injection
  – Cross Site Scripting
  – Body scanning
  – OWASP Top 10 attacks
  – These are known vulnerabilities!

13. Security Policies + WAF Protection
• What do security policies + WAF actually protect against?
  – Basic attacks (authentication, rate limiting, SQL injection, etc.)
• What are the vulnerabilities?
  – Advanced API attacks from authenticated hackers
  – No way to detect authenticated attacks
    • Google took 2.5 years to detect a breach
• How do we protect against these vulnerabilities?

14. MuleSoft + WAF Security Demo Architecture (architecture diagram)

15. Demo: MuleSoft API + WAF Security and Attacking an API Behind a WAF

16. Giveaway! How long did it take Google to detect an ongoing breach on their API?
A. 0-6 Months
B. 6-12 Months
C. 12-24 Months
D. 2+ Years

17. Current API Landscape
• APIs steadily increasing
• Attacks steadily increasing

18. Current API Security Landscape
Reactive -> Proactive
(chart: Average Time to Detect First Breach, 2018 Verizon DBIR)
API Security Survey:
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs

19. API Security – A Difficult Problem!
(diagram: client attributes such as IP, geolocation, time/day and session length plotted across API 1 – API 4)
• High number of sessions across many APIs
• High velocity connections
• Large mix of inbound client types and activity
  – Legitimate clients
  – High velocity attackers disrupt services, access content, etc.
  – Hackers with valid credentials blend in while maliciously accessing API services
• Looking for a needle in a haystack

20. How vulnerable are APIs to attacks?
API Login and API DDoS Attacks
• Brute force login attacks
• Stolen identifiers: cookies and tokens
• API specific DoS and API DDoS attacks
Compromised Account / Insider Attacks
• Account take over
• Data theft
• Application control
Hackers using Machine Learning
• Every attack looks different
• Every blocked attack leads to a new attack …

21. Answer: Leverage AI
MODEL
• Learn from API traffic
• Build model for legit apps
DETECT
• Inspect runtime traffic
• Look for deviations from model
BLOCK
• Block compromised tokens
• Notify/alert

22. PingIntelligence For APIs
(diagram: PingIntelligence for APIs® sitting between APIs and App Servers, providing API Discovery, Attack Blocking and Deep Reporting)
• Deep API Visibility
  – Dynamically discover APIs across all environments
  – Monitor all API activity including every command and method used throughout a session
• Automated threat detection and blocking
  – Detect and stop attacks that use APIs to compromise data and applications
  – Use API honeypots to instantly detect probing hackers and prevent access to production APIs
• Self Learning
  – Use AI to discover expected behavior for each API in API gateway and app server environment
  – Eliminate the need to write and manage policies and update API attack signatures

23. Zero Trust
• You can’t fully trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
  – Client app, user, 3rd party identities
(diagram of token exposure paths: phishing for tokens, stolen tokens, user data, GitHub leaking client secrets, password reuse)
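The MODEL / DETECT / BLOCK loop on slide 21 and the "you can't fully trust your own tokens" point on this slide can be shown concretely. The Python below is an added example, not MuleSoft or PingIntelligence code: it baselines which methods each API resource legitimately sees and which source IP each token normally comes from, then flags a valid token replayed from a new address, a method the resource never saw, and a request burst above baseline, and turns the alerts into a token block list. The log format, thresholds and token names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed gateway access log (assumed format: token source_ip method path).
# The baseline window holds traffic the API owner treats as legitimate.
BASELINE_LOG = [
    "tok-A 10.0.0.5 GET /orders",
    "tok-A 10.0.0.5 GET /orders/42",
    "tok-A 10.0.0.5 POST /orders",
    "tok-B 10.0.0.9 GET /orders",
    "tok-B 10.0.0.9 GET /orders/7",
]
# Runtime window (constructed): tok-A is a valid token replayed from a new address
# that enumerates orders; tok-B issues a method its resource never saw in baselining.
RUNTIME_LOG = ["tok-A 10.0.0.5 GET /orders"] + [
    f"tok-A 203.0.113.7 GET /orders/{i}" for i in range(1, 9)
] + ["tok-B 10.0.0.9 DELETE /orders/7"]


def parse(line):
    token, ip, method, path = line.split()
    # Collapse numeric path segments so /orders/42 and /orders/7 are one resource.
    resource = "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))
    return token, ip, method, resource


def build_model(baseline_lines):
    """MODEL: per resource, the methods legitimate traffic uses; per token, the
    source IPs it normally comes from and its request volume in the window."""
    model = {"methods": defaultdict(set), "ips": defaultdict(set), "volume": Counter()}
    for token, ip, method, resource in map(parse, baseline_lines):
        model["methods"][resource].add(method)
        model["ips"][token].add(ip)
        model["volume"][token] += 1
    return model


def detect(model, runtime_lines, velocity_factor=2):
    """DETECT: every deviation from the model becomes a (token, reason) alert."""
    alerts, seen = set(), Counter()
    for token, ip, method, resource in map(parse, runtime_lines):
        seen[token] += 1
        if ip not in model["ips"].get(token, set()):
            alerts.add((token, f"token used from unseen IP {ip}"))
        if method not in model["methods"].get(resource, set()):
            alerts.add((token, f"unexpected {method} on {resource}"))
        if seen[token] > velocity_factor * max(model["volume"][token], 1):
            alerts.add((token, "request velocity above baseline"))
    return sorted(alerts)


def block(alerts):
    """BLOCK: tokens the gateway should reject until they are re-issued."""
    return sorted({token for token, _ in alerts})
```

`detect(build_model(BASELINE_LOG), RUNTIME_LOG)` yields three alerts (new IP and velocity for tok-A, unexpected DELETE for tok-B) and `block()` reduces them to the two tokens to revoke; the same baseline replayed through `detect` produces no alerts.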

24. Comprehensive Security: MuleSoft + PingIntelligence
Foundational API Security (Scalable Multi-Cloud API Platform):
• Content Injection – JSON, XML, SQL injection protection, XSS
• Flow Control – Throttling, Metering, Quota Management, Circuit-breakers
• Access Control – AuthN, AuthZ, Token Management, Microgateway
AI-Powered Cyberattacks Detection (PingIntelligence for APIs – AI-powered Threat Protection for APIs):
• Automated Cyber Attack Blocking – Blocks stolen tokens/cookies, bad IPs & API keys
• API Deception & Honeypot – Instant hacking detection and blocking
• Deep API Traffic Visibility & Reporting – Monitor & report on all API activity

25. PingIntelligence Augments API Security
Complementary to API Gateways and WAFs:
API Gateways (API Management Security Policies) + Web Application Firewalls (OWASP Top 10 Protection) + PingIntelligence for APIs (Authenticated users, Advanced attacks)

26. Hacker Deception

27. Attack Landscape Summary
• API Breaches go undetected for months or years
• Enterprises need to incorporate zero-trust for API Strategy
• Gartner: “by 2022, API abuses will be the most frequent attack vector that result in breaches”
• Many attacks can’t be detected with traditional API security
• Help is here from MuleSoft and PingIntelligence

28. MuleSoft + WAF + PingIntelligence Architecture
Full Lifecycle API Mgmt.
• Design, Create, Publish APIs
• Content Inspection
• Content Validation
• Session Management
• Policy Based Security enforcement
• Rate Limiting
API Visibility & Protection
• Deep Visibility & Reporting
• Unique API Behavioral models
• Automated Attack Blocking
• API Discovery
• API Deception
• Self Learning – no rules or Policies
Web Application Security
• WAF
• Positive Security Model
• OWASP Top 10 Protection
• DDoS Prevention
• RASP
• Content Filtering
• Rate Limiting
• Signature Based Detection

29. Demo: Attacking a MuleSoft Security + WAF + PingIntelligence Protected API

30. References and Documentation
• OWASP – https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration – https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence – https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST – https://www.mulesoft.com/lp/ebook/api/restbook
• API Security – Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper – https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html

31. References and Documentation (continued)
• MuleSoft Documentation
  – API Manager – https://docs.mulesoft.com/api-manager/2.x/
  – Anypoint Security – https://docs.mulesoft.com/anypoint-security/

32. Questions?

33. What’s Next?
• Share:
  – Tweet your pictures with the hashtag #MuleMeetup
  – Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
  – Contact your organizer [email protected] or [email protected] to suggest topics
  – Contact MuleSoft at [email protected] for ways to improve the program
• Our next meetup:
  – Date: August 2019
  – Location: TBD
  – Topic: TBD

34. See you next time. Please send topic suggestions to the organizer.
