2. The API Lifecycle – SmartBear approach
@Axway @SmartBear #APISecurity
• Open source based and driven
• Integrated tools for Dev/Test across the API lifecycle
• Extendable and easily integrated into the API lifecycle workflow
• Data driven and automated
• Protocol and runtime independent
• Leverage and reuse assets across the lifecycle
• Democratize advanced dev/test capabilities
3. About Axway
• Axway technology manages interactions between applications, people and communities.
• Security and integration across B2B (EDI, MFT, and APIs)
• Positioned as a leader in Gartner Magic Quadrants for “On-Premises Application Integration Suites” and for “Application Services Governance”
4. Webinar Attendee Statistics
How important is API Security to your organization?
• Not important at all: 3%
• Growing importance: 41%
• Very important: 56%
How much API Security testing do you do today?
• None: 23%
• Some: 65%
• Extensive: 12%
56% of attendees for this webinar responded that API security is “very important,” and yet only 12% are doing extensive security testing.
5. APIs – A soft underbelly for security?
• Security vulnerabilities related to APIs
• Enabling account information exposure (Snapchat)
8. Mobile App vulnerabilities are often API vulnerabilities in disguise…
• Insecure APIs are often the source of mobile app security issues
• Sniffers can detect insecure API calls
Source: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html
9. Beware Weak API Key Authentication
Problem:
• API Keys are often simply passed in URLs: &APIKey=123456
• Vulnerable to sniffing and replay attacks
Amazon uses two keys:
• Secret Key ID to perform HMAC signing
  – With detection of replay attacks
• Access Key ID to identify the client
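The two-key pattern described above, as an added example that is not code from the webinar, Axway, SmartBear or Amazon: the client identifies itself with an access key ID and proves possession of the secret with an HMAC over the request, and the server rejects stale timestamps and reused nonces. The header names, key IDs, secret and canonical-string layout are constructed for illustration, not the real AWS signature scheme.

```python
# Added example: HMAC request signing with an access key ID / secret pair plus replay
# detection. Key store, header names and canonical string are constructed assumptions.
import hashlib
import hmac
import secrets
import time

# Constructed key store: access key ID -> secret (the secret never travels in the request).
KEYS = {"AKIA-EXAMPLE": b"constructed-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300          # reject requests whose timestamp is too far from server time
_seen_nonces = {}               # nonce -> timestamp, for replay detection


def canonical_string(method, path, query, timestamp, nonce):
    """Fixed, unambiguous layout of what is being signed."""
    return "\n".join([method.upper(), path, query, str(timestamp), nonce])


def sign_request(access_key_id, method, path, query, timestamp=None, nonce=None):
    """Client side: returns the headers a client would attach (assumed header names)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, query, timestamp, nonce).encode()
    sig = hmac.new(KEYS[access_key_id], msg, hashlib.sha256).hexdigest()
    return {"X-Access-Key-Id": access_key_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


def verify_request(headers, method, path, query, now=None):
    """Server side: returns (ok, reason). Only the access key ID identifies the client."""
    now = int(time.time()) if now is None else now
    secret = KEYS.get(headers.get("X-Access-Key-Id"))
    if secret is None:
        return False, "unknown access key id"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    nonce = headers.get("X-Nonce", "")
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    msg = canonical_string(method, path, query, ts, nonce).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the signature through timing differences
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    _seen_nonces[nonce] = ts      # remember the nonce; in practice expire entries older than the window
    return True, "ok"
```

Because the query string is part of the signed material, a sniffed request cannot be replayed after the window, replayed twice within it, or altered without the secret.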
13. API Gateway – Security and more
Protective Security
• Content-Level Threats (XDoS, XXE, etc)
• WAF functionality (OWASP Top Ten, etc)
• Throttling
• Policy Decision and Enforcement Point
• STS: Security Token Creation, Consumption, Mediation
• Dynamic Authorization
• Data Flow Introspection and Governance
Integration (lightweight ESB)
• Heterogeneous, Vendor Agnostic
• Multiple Protocol and Standard Support
Enterprise Architecture Intelligence and Protection
• SSO Enablement
• Architecture wide auditing and risk analysis
14. Security provided by API Gateways
API Gateway protects against threats to Web Services / APIs including:
• Unauthorised Access
• Parameter Manipulation and Data Harvesting
• Network eavesdropping
• Disclosure of sensitive customer data
• Message replay
[Diagram: a Consumer calls an API through a Firewall; the threats shown passing through it are Unauthorised Access, Parameter Manipulation, Virus Insertion, Network Eavesdropping, Message Replay and Disclosure of customer data]
Standard network firewalls offer no protection against these threats.
15. API Gateways in API Management
[Diagram: Client Applications call the REST API (SOAP/XML/REST/JSON) through the API Gateway, which fronts Services, Applications and Data; the API Manager and API Portal sit alongside the gateway. Roles shown: Application Developers, API Developers, API Administrators, Policy Developers]
• API Portal (Application Developers)
  – Self-register to resources
  – Browse and learn APIs
  – Manage application credentials
  – Self-Service API consumption
  – Build developer community
  – New channel to market brand
• API Manager (API Administrators): API Registration & Lifecycle, API Catalog, Partner & Policy Administration
  – Register and manage API lifecycle
  – Perform partner, policy and process admin
  – Monitor and report API use
• API Gateway (Policy Developers): Policy Enforcement
  – Create and extend policies
  – Integrate with applications and infrastructure
  – Integration with non-REST API services: SOAP Web Services, POX, JMS, FTP
16. API Security testing: Why is it so important?
API breaches can result in:
• Stolen data
• Server attacks
• Spoofing
• IoT device tampering
17. Thinking like a hacker
• We want to know as much as possible about an API’s endpoints, messages, parameters, behavior
• The more we know about the API’s surface – the better we can target our attack!
18. Looking for vulnerabilities in your API
OWASP.ORG
• Identify the most likely “soft spots”
• Run all the scans, but automate & repeat the most important ones
• Don’t neglect payload analysis
• Pay attention and respond quickly
20. Demo – Scenario
• Bank Account API with
  – One method for users to get the balance of one of their accounts
  – Vulnerable to SQL Injection
• User authentication out of scope
  – Focus on the SQL Injection attack
21. Demo – Detecting API Threats
API vulnerable to SQL injections (definition imported prior to demo)
1. Normal request
GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
SELECT balance FROM accountinfo WHERE account=123456789;
Returns the balance from account 123456789
2. Scanning
GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
SELECT balance FROM accountinfo WHERE account=1 OR 1=1;
Returns the balance from all accounts!
22. Demo – Protecting Against API Threats
[Diagram: API Manager and API Gateway (Threat Protection) placed in front of the protected API]
API vulnerable to SQL injections, now behind the API Gateway
1. Normal request
GET http://<host>/account/balance?accnt=123456789 HTTP/1.1
SELECT balance FROM accountinfo WHERE account=123456789;
Returns the balance from account 123456789
2. Scanning
GET http://<host>/account/balance?accnt=1 OR 1=1 HTTP/1.1
Detected and Blocked by Axway API Gateway!
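The demo of slides 21 and 22, reproduced as an added example that is not the webinar's demo code nor Axway/SmartBear code: a toy bank balance API on an in-memory SQLite database with constructed account data, showing why the scanning request returns every balance, and the two defences the slides call for, a gateway-style input check and a parameterized query. The table name and column names follow the demo; the account-number rule and sample rows are assumptions.

```python
# Added example: the demo's vulnerable balance lookup beside its hardened forms.
# Sample data and the account-number validation rule are constructed for illustration.
import re
import sqlite3

ACCOUNT_RE = re.compile(r"^[0-9]{1,12}$")  # constructed rule: account numbers are 1-12 digits


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accountinfo (account INTEGER PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accountinfo VALUES (?, ?)",            # constructed rows
                     [(123456789, 2500), (987654321, 10), (555000111, 99000)])
    return conn


def balance_vulnerable(conn, accnt):
    """The API as demoed: the accnt parameter is pasted straight into the SQL text."""
    sql = "SELECT balance FROM accountinfo WHERE account=" + accnt + ";"
    return [row[0] for row in conn.execute(sql)]


def gateway_check(accnt):
    """Gateway-style threat detection: accept only a plain account number."""
    return bool(ACCOUNT_RE.match(accnt))


def balance_parameterized_only(conn, accnt):
    """Parameter binding alone: the whole string is compared as one value, so no injection."""
    rows = conn.execute("SELECT balance FROM accountinfo WHERE account=?", (accnt,))
    return [row[0] for row in rows]


def balance_protected(conn, accnt):
    """Hardened API: validate the input first, then bind it as a parameter."""
    if not gateway_check(accnt):
        raise ValueError("blocked: accnt is not a valid account number")
    rows = conn.execute("SELECT balance FROM accountinfo WHERE account=?", (int(accnt),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(balance_vulnerable(db, "123456789"))   # normal request: one balance
    print(balance_vulnerable(db, "1 OR 1=1"))    # scanning request: every balance
    print(balance_protected(db, "123456789"))    # still one balance
    try:
        balance_protected(db, "1 OR 1=1")
    except ValueError as err:
        print(err)                               # detected and blocked
```

The gateway check is what the slides show the API Gateway doing in front of an unchanged API; the parameterized query is the fix in the API itself, and either one alone stops this particular request.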
23. Key Takeaways – Create APIs with Confidence
API Protection
• Put protection in place for your APIs
• Apply throttling, input validation, threat detection
• Block the full spectrum of attacks
API Testing
• OWASP.org is your friend
• Focus on most likely vulnerabilities first
• Build security testing into your dev plans
Self-service API consumption
• Developers can browse APIs and register applications
• Build a partner and developer community around the APIs
• New channel to promote brand
API catalog
• Browseable registry of APIs
API lifecycle management
• Register, publish, version, deprecate
API administration
• Client administration & policy management
• Monitor & manage API usage
API policy enforcement
• API proxy for enforcing common policies