Published on June 21, 2019
1. WHAT HACKERS DON’T WANT YOU TO KNOW: HOW TO MAXIMIZE YOUR API SECURITY
June 20, 2019
Denver MuleSoft Meetup Group

2. Agenda
All contents © MuleSoft Inc.
• 6:00PM – Doors open
• 6:00PM - 6:30PM – Network, Eat, and Socialize
• 6:30PM - 6:35PM – Introductions
• 6:35PM - 7:30PM – Presentation/Demo
• 7:30PM - 7:45PM – Q&A
• 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and Speakers

3. Introductions
• About the organizer:
  – Big Compass
• About the presenters:
  – Aaron Lieberman
  – Tyler Reynolds
4. MuleSoft API Management and Security
• MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
• PingIntelligence with MuleSoft APIs

5. API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage

6. Demo: API Lifecycle

7. Giveaway!
With MuleSoft API Manager security policies, what is the difference between rate limiting and request throttling?

8. MuleSoft API Management
• API Manager
  – Creating an API
  – SLA Tiers
  – Contracts
  – Alerts
  – Policies
    • Out of the box policies
    • Custom Policy from API Manager
    • Develop Custom Policy in Anypoint Studio
    • Secure your APIs!
  – Monitoring

9. Securing APIs in MuleSoft With API Manager
• Specific to one API
  – New feature of automated policies to apply the same set of policies to many APIs
• Common Policies in API Manager
  – Basic authentication
  – IP whitelist/blacklist
  – Client ID Enforcement
  – OAuth 2.0
  – SLA based rate limiting and throttling
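The last policy on this slide, SLA based rate limiting and throttling, is also the subject of the giveaway question. As an added illustration (my own code, not MuleSoft's API Manager implementation and not part of the deck), the simulation below runs one constructed burst of requests through both quota behaviours in their general form: a rate limiter rejects every request beyond the quota for the window, while a throttler holds excess requests and serves them when the window frees a slot, rejecting only those that would wait longer than a configured maximum. The limit, window and maximum delay values are assumptions chosen for the example.

```python
"""Added example (not from the deck): the two behaviours an API gateway
quota policy can have, simulated with an integer millisecond clock so the
outcome is deterministic.

- rate limiting: requests beyond the quota are rejected (an HTTP 429 at the gateway)
- throttling: requests beyond the quota are held and served when the window
  frees a slot, and rejected only if they would wait longer than allowed
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    request_id: int
    outcome: str       # "allowed", "rejected" or "delayed"
    delay_ms: int = 0  # how long a delayed request waits before being served


class RateLimiter:
    """Allow at most `limit` requests in any sliding window of `window_ms`."""

    def __init__(self, limit: int, window_ms: int):
        self.limit, self.window_ms = limit, window_ms
        self._hits: deque[int] = deque()  # timestamps of requests that consumed quota

    def _evict(self, now_ms: int) -> None:
        # Drop quota consumers that have fallen out of the sliding window.
        while self._hits and self._hits[0] <= now_ms - self.window_ms:
            self._hits.popleft()

    def check(self, now_ms: int, request_id: int) -> Decision:
        self._evict(now_ms)
        if len(self._hits) >= self.limit:
            return Decision(request_id, "rejected")  # gateway answers 429 immediately
        self._hits.append(now_ms)
        return Decision(request_id, "allowed")


class Throttler(RateLimiter):
    """Same quota, but excess requests are queued until a slot frees, up to `max_delay_ms`."""

    def __init__(self, limit: int, window_ms: int, max_delay_ms: int):
        super().__init__(limit, window_ms)
        self.max_delay_ms = max_delay_ms

    def check(self, now_ms: int, request_id: int) -> Decision:
        self._evict(now_ms)
        if len(self._hits) < self.limit:
            self._hits.append(now_ms)
            return Decision(request_id, "allowed")
        # The oldest hit in the window is the first to expire; that is when a slot frees.
        ready_at = self._hits[0] + self.window_ms
        delay = ready_at - now_ms
        if delay > self.max_delay_ms:
            return Decision(request_id, "rejected", delay)  # too long to hold the request
        # Reserve the slot at ready_at. The deque stays sorted because ready_at is
        # never earlier than any timestamp already queued.
        self._hits.popleft()
        self._hits.append(ready_at)
        return Decision(request_id, "delayed", delay)


def simulate(policy: RateLimiter, arrivals_ms: list[int]) -> list[Decision]:
    """Feed a burst of arrivals (ms offsets, ascending) through one policy instance."""
    return [policy.check(t, i + 1) for i, t in enumerate(arrivals_ms)]


# Constructed burst: five requests inside 400 ms, then one after the window has passed.
BURST_MS = [0, 100, 200, 300, 400, 1500]


def compare(limit: int = 3, window_ms: int = 1000, max_delay_ms: int = 2000) -> dict[str, list[str]]:
    """Outcomes of the same burst under both policies, one short string per request."""
    def fmt(d: Decision) -> str:
        return d.outcome if d.outcome != "delayed" else f"delayed+{d.delay_ms}ms"
    return {
        "rate_limiting": [fmt(d) for d in simulate(RateLimiter(limit, window_ms), BURST_MS)],
        "throttling": [fmt(d) for d in simulate(Throttler(limit, window_ms, max_delay_ms), BURST_MS)],
    }


if __name__ == "__main__":
    for name, outcomes in compare().items():
        print(f"{name:14s} {' '.join(outcomes)}")
```

With a quota of 3 requests per second, requests 4 and 5 of the burst are rejected outright by the rate limiter but held for 700 ms by the throttler; request 6 arrives after the window has cleared and is allowed by both. Lowering the throttler's maximum delay below 700 ms makes it reject those two requests as well, which is the point at which the two policies converge.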
10. Demo: MuleSoft API Management/Security and Attacking a MuleSoft API

11. MuleSoft Anypoint Security
• Secure all applications deployed to your Runtime Fabric with Edge Policies
• Implement a Web Application Firewall (WAF)
• Other policies
  – IP whitelist
  – Denial of service
  – HTTP limits

12. MuleSoft + WAF Security
• Protects against many common attacks
  – SQL Injection
  – Cross Site Scripting
  – Body scanning
  – OWASP Top 10 attacks
  – These are known vulnerabilities!

13. Security Policies + WAF Protection
• What do security policies + WAF actually protect against?
  – Basic attacks (authentication, rate limiting, SQL injection, etc.)
• What are the vulnerabilities?
  – Advanced API attacks from authenticated hackers
  – No way to detect authenticated attacks
    • Google took 2.5 years to detect a breach
• How do we protect against these vulnerabilities?

14. MuleSoft + WAF Security Demo Architecture

15. Demo: MuleSoft API + WAF Security and Attacking an API Behind a WAF

16. Giveaway!
How long did it take Google to detect an ongoing breach on their API?
A. 0-6 Months
B. 6-12 Months
C. 12-24 Months
D. 2+ Years

17. Current API Landscape
• APIs steadily increasing
• Attacks steadily increasing

18. Current API Security Landscape
Reactive -> Proactive
(Chart: Average Time to Detect First Breach, 2018 Verizon DBIR)
API Security Survey:
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs

19. API Security – A Difficult Problem!
(Diagram: session attributes IP, Geolocation, Time/Day, Session Length, ... across API 1, API 2, API 3, API 4)
• High number of sessions across many APIs
• High velocity connections
• Large mix of inbound client types and activity
  – Legitimate clients
  – High velocity attackers disrupt services, access content, etc.
  – Hackers with valid credentials blend in while maliciously accessing API services
• Looking for a needle in a haystack

20. How vulnerable are APIs to attacks?
API Login and API DDoS Attacks
• Brute force login attacks
• Stolen identifiers: cookies and tokens
• API specific DoS and API DDoS attacks
Compromised Account / Insider Attacks
• Account take over
• Data theft
• Application control
Hackers using Machine Learning
• Every attack looks different
• Every blocked attack leads to a new attack …

21. Answer: Leverage AI
MODEL
• Learn from API traffic
• Build model for legit apps
DETECT
• Inspect runtime traffic
• Look for deviations from model
BLOCK
• Block compromised tokens
• Notify/alert
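The MODEL / DETECT / BLOCK loop on this slide, reduced to working code as an added example (my own code, not PingIntelligence's product logic and not part of the deck). It learns a per-token baseline (which endpoints each token uses and at what rate) from constructed known-good access logs, then flags live traffic whose token is unknown, whose rate jumps well above its baseline, or which mostly hits endpoints the token never used before, and hands the offending tokens to a block step. This targets the case the earlier slides describe, a valid token being used maliciously, which a WAF signature or an authentication policy would not see. The log format, the example tokens and paths, and the two thresholds are all assumptions made for the example.

```python
"""Added example (not from the deck or from PingIntelligence): a minimal
MODEL / DETECT / BLOCK loop over API access logs. A per-token baseline is
learned from known-good traffic; live traffic that deviates from it is
flagged and the offending tokens are handed to the gateway for revocation.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Assumed (constructed) log line format: "<ISO-8601 UTC> token=<id> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(\S+) token=(\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse(line: str) -> dict | None:
    """One log line -> event dict, with numeric path segments collapsed to {id}."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, token, method, path, status = m.groups()
    endpoint = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "token": token,
        "endpoint": f"{method} {endpoint}",
        "status": int(status),
    }


def _group_by_token(lines: list[str]) -> dict[str, list[dict]]:
    per_token: dict[str, list[dict]] = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        per_token[ev["token"]].append(ev)
    return per_token


def _rate_per_min(evs: list[dict]) -> float:
    """Requests per minute over the span of the events (floored at one minute)."""
    span_min = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60
    return len(evs) / max(span_min, 1.0)


def build_model(baseline_lines: list[str]) -> dict[str, dict]:
    """MODEL: for each token, the endpoints it uses and its normal request rate."""
    return {
        token: {"endpoints": {e["endpoint"] for e in evs}, "rate_per_min": _rate_per_min(evs)}
        for token, evs in _group_by_token(baseline_lines).items()
    }


def detect(model: dict[str, dict], live_lines: list[str],
           rate_factor: float = 5.0, unseen_frac: float = 0.5) -> dict[str, list[str]]:
    """DETECT: reasons per token whose live traffic deviates from its baseline.
    The two thresholds are assumptions for the example, not tuned values."""
    findings: dict[str, list[str]] = {}
    for token, evs in _group_by_token(live_lines).items():
        reasons = []
        base = model.get(token)
        if base is None:
            reasons.append("token never seen in baseline traffic")
        else:
            unseen = sum(e["endpoint"] not in base["endpoints"] for e in evs)
            if unseen and unseen / len(evs) >= unseen_frac:
                reasons.append(f"{unseen}/{len(evs)} requests to endpoints outside the baseline")
            rate = _rate_per_min(evs)
            if rate > rate_factor * base["rate_per_min"]:
                reasons.append(f"rate {rate:.1f}/min exceeds {rate_factor}x baseline {base['rate_per_min']:.2f}/min")
        if reasons:
            findings[token] = reasons
    return findings


def block(findings: dict[str, list[str]]) -> dict[str, str]:
    """BLOCK: tokens to revoke at the gateway, each with the alert text to raise."""
    return {token: f"revoke {token}: " + "; ".join(reasons) for token, reasons in findings.items()}


# Constructed known-good traffic used to learn the baseline.
BASELINE_LOG = [
    "2019-06-20T18:00:00Z token=tok_alpha GET /orders 200",
    "2019-06-20T18:01:00Z token=tok_alpha GET /orders/101 200",
    "2019-06-20T18:02:00Z token=tok_alpha POST /orders 201",
    "2019-06-20T18:03:00Z token=tok_alpha GET /orders/102 200",
    "2019-06-20T18:04:00Z token=tok_alpha GET /orders 200",
    "2019-06-20T18:00:30Z token=tok_beta GET /orders 200",
    "2019-06-20T18:02:30Z token=tok_beta GET /orders/205 200",
    "2019-06-20T18:04:30Z token=tok_beta GET /orders 200",
]

# Constructed live traffic: tok_alpha behaves as before; tok_beta (a valid token) suddenly
# walks /users/{id} twelve times in under a minute; tok_zeta was never seen during modelling.
LIVE_LOG = [
    "2019-06-20T19:00:00Z token=tok_alpha GET /orders 200",
    "2019-06-20T19:01:00Z token=tok_alpha GET /orders/103 200",
    "2019-06-20T19:00:10Z token=tok_zeta GET /orders 401",
] + [f"2019-06-20T19:00:{5 * i:02d}Z token=tok_beta GET /users/{i + 1} 200" for i in range(12)]


if __name__ == "__main__":
    for alert in block(detect(build_model(BASELINE_LOG), LIVE_LOG)).values():
        print(alert)
```

Run as a script, it prints one revoke line for tok_beta (both the endpoint and the rate rule fire) and one for tok_zeta, and nothing for tok_alpha. The useful property is that tok_beta presents a perfectly valid credential on every request; the only signal is the gap between what that token normally does and what it is doing now, which is the per-token behavioural model the slide describes.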
22. PingIntelligence For APIs
(Diagram: PingIntelligence for APIs® sitting between the APIs and the App Servers, providing API Discovery, Attack Blocking and Deep Reporting)
• Deep API Visibility
  – Dynamically discover APIs across all environments
  – Monitor all API activity including every command and method used throughout a session
• Automated threat detection and blocking
  – Detect and stop attacks that use APIs to compromise data and applications
  – Use API honeypots to instantly detect probing hackers and prevent access to production APIs
• Self Learning
  – Use AI to discover expected behavior for each API in API gateway and app server environment
  – Eliminate the need to write and manage policies and update API attack signatures

23. Zero Trust
• You can’t fully trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
  – Client app, user, 3rd party identities
(Diagram: paths to the API – phishing and stolen tokens, GitHub leaking client secrets, password reuse, user data and collections)

24. Comprehensive Security: MuleSoft + PingIntelligence
Scalable Multi-Cloud API Platform (MuleSoft) – Foundational API Security
• Content Injection: JSON, XML, SQL injection protection, XSS
• Flow Control: Throttling, Metering, Quota Management, Circuit-breakers
• Access Control: AuthN, AuthZ, Token Management, Microgateway
AI-powered Threat Protection for APIs (PingIntelligence for APIs) – AI-Powered Cyberattacks Detection
• Automated Cyber Attack Blocking: Blocks stolen tokens/cookies, Bad IP’s & API keys
• API Deception & Honeypot: Instant hacking detection and blocking
• Deep API Traffic Visibility & Reporting: Monitor & report on all API activity

25. PingIntelligence Augments API Security
Complementary to API Gateways and WAFs
• API Gateways: API Management Security Policies
• + Web Application Firewalls: OWASP Top 10 Protection
• + PingIntelligence for APIs: Authenticated users, Advanced attacks

26. Hacker Deception
27. Attack Landscape Summary
• API Breaches go undetected for months or years
• Enterprises need to incorporate zero-trust for API Strategy
• Gartner: “by 2022, API abuses will be the most frequent attack vector that result in breaches”
• Many attacks can’t be detected with traditional API security
• Help is here from MuleSoft and PingIntelligence
(Diagram: your customer / your org)
28. MuleSoft + WAF + PingIntelligence Architecture
Full Lifecycle API Mgmt.
• Design, Create, Publish APIs
• Content Inspection
• Content Validation
• Session Management
• Policy Based Security enforcement
• Rate Limiting
API Visibility & Protection
• Deep Visibility & Reporting
• Unique API Behavioral models
• Automated Attack Blocking
• API Discovery
• API Deception
• Self Learning – no rules or Policies
Web Application Security (WAF)
• Positive Security Model
• OWASP Top 10 Protection
• DDoS Prevention
• RASP
• Content Filtering
• Rate Limiting
• Signature Based Detection

29. Demo: Attacking a MuleSoft Security + WAF + PingIntelligence Protected API

30. References and Documentation
• OWASP
  – https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
  – https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
  – https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
  – https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
  – Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
  – https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html

31. References and Documentation
• MuleSoft Documentation
  – API Manager
    • https://docs.mulesoft.com/api-manager/2.x/
  – Anypoint Security
    • https://docs.mulesoft.com/anypoint-security/

33. What’s Next?
• Share:
  – Tweet your pictures with the hashtag #MuleMeetup
  – Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
  – Contact your organizer [email protected] or [email protected] to suggest topics
  – Contact MuleSoft at [email protected] for ways to improve the program
• Our next meetup:
  – Date: August 2019
  – Location: TBD
  – Topic: TBD

34. See you next time
Please send topic suggestions to the organizer