Sqreen, profile picture
Uploaded bySqreen
467 views

Api days 2018 - API Security by Sqreen

The document discusses API security from an insider's perspective. It begins by introducing the speaker and their background in hacking. It then discusses the top 10 OWASP vulnerabilities and how they apply to APIs, including injection vulnerabilities, broken authentication, and using components with known vulnerabilities. The document emphasizes that many security issues occur in code and can be detected at runtime by hooking frameworks. It provides examples of detecting SQL injections, issues with authentication, monitoring business vulnerabilities, and checking for outdated dependencies. The overall message is that APIs can be secured by understanding where vulnerabilities may exist in code and deployments.

Embed presentation

Downloaded 21 times
API security: an insider’s point of view APIDays Paris • 2017/01/30
Jean-Baptiste Aviat CTO & Co-founder at Sqreen Former hacker at Apple (Red Team) jb@sqreen.io @jbaviat Who Am I?
What should I do for security?
You MUST do
 EVERYTHING, NOW!
You do that, right? Don’t you?
Just kidding.
Where should I even start?
The OWASP top 10
Web?! WTF I do APIs dude
No worries. This is security sanity. It works for APIs as well.
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
An HTTP server with a debugger
(byebug) thread list + 1 #<Thread:/webrick/server.rb:283 run> ... 2 #<WEBrick::TimeoutHandler::Thread/webrick/utils.rb:162 sleep> ... 3 #<Thread:sleep>/webrick/server.rb:174 (byebug) thread switch 3 [168, 177] in 2.2.0/webrick/server.rb 173: begin => 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], …) 175: if svrs[0].include? shutdown_pipe[0] 176: break At first sight
OWASP: injections
SQL injection vulnerability •injection vuln = using data in an other context, without proper preparation
 
 
 
 
 •basically, anything can be retrieved from the database
(byebug) break ActiveRecord::SQLite3Adapter.exec_query [283, 292] in …/active_record/…/sqlite3_adapter.rb 287: => 288: def exec_query(sql, name = nil, …) [...] (byebug) var local […] sql = SELECT * FROM posts WHERE id=3 Database access: from the inside
0 ActiveRecord::SQLite3Adapter.exec_query(sql#String, …) … 7 PostsController.set_post … 27 ActionController.dispatch(request#ActionDispatch::Request, …) … 40 ActionDispatch::ParamsParser.call(env#Hash) … 76 WEBrick::GenericServer.start_thread(sock#TCPSocket, …) Database access: a closer look
(byebug) var local […] sql = SELECT * FROM posts WHERE id=3 UNION SELECT password from users params = { ‘q’ => ‘3 UNION SELECT password from users’} Database access: from the inside
Take aways •Injections vulnerabilities lies in your code •They can be detected at runtime, hooking e.g. SQL drivers •Ruby on Rails: ActiveRecord::ConnectionAdapters::AbstractAdapter::log
OWASP: broken authentication
class SessionsController < ApplicationController def create user = login(params[:email], params[:password]) JWT.encode(user.email, hmac_secret) end end User authentication
Take aways •Authentication related vulnerabilities happen (or lies) in the code •Many can be detected at runtime, hooking authentication frameworks •Ruby on Rails: Devise::Strategies::DatabaseAuthenticatable.authenticate!
OWASP: business vulnerabilities
Stripe::Charge.create( :amount => 2000, :currency => "usd", :description => "Charge for jb@sqreen.io“ ) Payment monitoring
Take aways •Business vulnerabilities… are triggered in your code! •Even if you have no vulnerability •They can be measured during runtime •And analysed (realtime or not) then •What to monitor? You know your business!
OWASP: Components with Known Vulnerabilities
irb(main):001:0> Gem.loaded_specs.map do |k, v| puts "%20st%st%s " % [k, v.version, v.homepage] end rake 10.4.2 erubis 2.7.0 http://www.kuwata-lab.com/erubis/ nokogiri 1.6.6.2 http://nokogiri.org actionview 4.2.3 http://www.rubyonrails.org sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby execjs 2.6.0 https://github.com/rails/execjs ... CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 An application dependencies
Take aways •Defined in your code - or in your configuration files anyway •So important even GitHub does it nowadays •Runtime allows to check all deployments are fine
Meta take aways (OMG) •Bug happens •Some of them are security related •Be aware of in-code vulnerabilities •And business vulnerabilities •It will be on you (you, as an API builder) some day
Questions? OWASP top 10 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf CTO security checklist: https://cto-security-checklist.sqreen.io/

More Related Content

PDF
42Crunch Security Audit for WSO2 API Manager 3.1
byWSO2
 
PDF
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
PDF
Open source iam value, benefits, and risks
byWSO2
 
PDF
[OPD 2019] Threat modeling at scale
byOWASP
 
PDF
Building layers of defense for your application
byVMware Tanzu
 
PPTX
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
PDF
API Security In Cloud Native Era
byWSO2
 
PDF
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
byWSO2
 
42Crunch Security Audit for WSO2 API Manager 3.1
byWSO2
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
Open source iam value, benefits, and risks
byWSO2
 
[OPD 2019] Threat modeling at scale
byOWASP
 
Building layers of defense for your application
byVMware Tanzu
 
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
API Security In Cloud Native Era
byWSO2
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
byWSO2
 

What's hot

PDF
42crunch-API-security-workshop
by42Crunch
 
PPTX
OpenId Connect Protocol
byMichael Furman
 
PDF
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
byapidays
 
PDF
API Security: the full story
by42Crunch
 
PPTX
Security in microservices architectures
byinovia
 
PDF
Advanced API Security Patterns
by42Crunch
 
PDF
OAuth based reference architecture for API Management
byWSO2
 
PDF
Why upgrade your MFA to Adaptive Authentication?
byWSO2
 
PDF
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
byWSO2
 
PDF
Web security and OWASP
byIsuru Samaraweera
 
PDF
Better API Security with Automation
by42Crunch
 
PDF
SecDevOps for API Security
by42Crunch
 
PPTX
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
byMike Schwartz
 
PDF
Microservices Security: dos and don'ts
byMinded Security
 
PDF
Identiverse - Microservices Security
byBertrand Carlier
 
PDF
[OPD 2019] Web Apps vs Blockchain dApps
byOWASP
 
PDF
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
byOpenIDFoundation
 
PDF
Using a Third Party Key Management System with WSO2 API Manager
byWSO2
 
PPTX
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
byapidays
 
PDF
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
byMike Schwartz
 
42crunch-API-security-workshop
by42Crunch
 
OpenId Connect Protocol
byMichael Furman
 
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
byapidays
 
API Security: the full story
by42Crunch
 
Security in microservices architectures
byinovia
 
Advanced API Security Patterns
by42Crunch
 
OAuth based reference architecture for API Management
byWSO2
 
Why upgrade your MFA to Adaptive Authentication?
byWSO2
 
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
byWSO2
 
Web security and OWASP
byIsuru Samaraweera
 
Better API Security with Automation
by42Crunch
 
SecDevOps for API Security
by42Crunch
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
byMike Schwartz
 
Microservices Security: dos and don'ts
byMinded Security
 
Identiverse - Microservices Security
byBertrand Carlier
 
[OPD 2019] Web Apps vs Blockchain dApps
byOWASP
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
byOpenIDFoundation
 
Using a Third Party Key Management System with WSO2 API Manager
byWSO2
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
byapidays
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
byMike Schwartz
 

Similar to Api days 2018 - API Security by Sqreen

PDF
Rails Security
byWen-Tien Chang
 
ODP
Security on Rails
byDavid Paluy
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPT
Ruby Security
bySHC
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PDF
Enhancing your Security APIs
byApigee | Google Cloud
 
PDF
Application Security from the Inside - OWASP
bySqreen
 
PDF
PwnSchool: Exploiting Web APIs
byThreatReel Podcast
 
PDF
APIDays Paris Security Workshop
by42Crunch
 
PDF
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
PDF
WebApp_to_Container_Security.pdf
byAnna Pasupathy, CISSP
 
PDF
owasp_meetup_12_10
bysean_todd
 
PDF
Securing Rails
byAlex Payne
 
PDF
RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
byIMMUNIO
 
PDF
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
bySV Ruby on Rails Meetup
 
PDF
Designing Secure APIs
bySteven Chen
 
PDF
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
byDevSecCon
 
PPTX
Securing your web applications a pragmatic approach
byAntonio Parata
 
PDF
How to code securely: a crash course for non-coders
byJaap Karan Singh
 
Rails Security
byWen-Tien Chang
 
Security on Rails
byDavid Paluy
 
API SECURITY
byTubagus Rizky Dharmawan
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Ruby Security
bySHC
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
Enhancing your Security APIs
byApigee | Google Cloud
 
Application Security from the Inside - OWASP
bySqreen
 
PwnSchool: Exploiting Web APIs
byThreatReel Podcast
 
APIDays Paris Security Workshop
by42Crunch
 
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
WebApp_to_Container_Security.pdf
byAnna Pasupathy, CISSP
 
owasp_meetup_12_10
bysean_todd
 
Securing Rails
byAlex Payne
 
RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
byIMMUNIO
 
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
bySV Ruby on Rails Meetup
 
Designing Secure APIs
bySteven Chen
 
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
byDevSecCon
 
Securing your web applications a pragmatic approach
byAntonio Parata
 
How to code securely: a crash course for non-coders
byJaap Karan Singh
 

More from Sqreen

PDF
Writing a Python C extension
bySqreen
 
PDF
NoSQL Injections in Node.js - The case of MongoDB
bySqreen
 
PDF
Instrument Rack to visualize
 Rails requests processing
bySqreen
 
PDF
Tune your App Perf (and get fit for summer)
bySqreen
 
PDF
Serverless security - how to protect what you don't see?
bySqreen
 
PDF
Ruby on Rails security in your Continuous Integration
bySqreen
 
PDF
Protecting against injections at scale
bySqreen
 
Writing a Python C extension
bySqreen
 
NoSQL Injections in Node.js - The case of MongoDB
bySqreen
 
Instrument Rack to visualize
 Rails requests processing
bySqreen
 
Tune your App Perf (and get fit for summer)
bySqreen
 
Serverless security - how to protect what you don't see?
bySqreen
 
Ruby on Rails security in your Continuous Integration
bySqreen
 
Protecting against injections at scale
bySqreen
 

Recently uploaded

PPTX
PyMOL: A Step-by-Step Guide to Creating Publication-Quality Molecular Visuali...
bygenz9514
 
PPTX
Blood_Supply_to_Eyeball_Vaibhav.pptx eye
byrachurivaibhav
 
PPTX
Transcription (Introduction, transcription unit, substrates required, Prokary...
byRashmiMG2
 
PPTX
AI Enabled Futuristic Self Charging Driverless Car
byabhijithskrishnan27
 
PDF
To study the presence of oxalate ions in guava fruit (P).pdf
byvinitsingh5589
 
PPTX
PCR-variants & applications; RFLP, RAPD AFLP techniques.pptx
byDr Showkat Ahmad Wani
 
PPTX
microbiology aerobic.presentation .pptx pre
byAmri559698
 
PPTX
Assignment I-Natural Disaster_Punjab FLOODS
byhayareesha99
 
PPTX
Interpret Earthquake Hazard Mappppp.pptx
byJonathanOlegario1
 
PPTX
microbiology.pptx biochem nothing don't use this
byAmri559698
 
PDF
Cognitive Reserve Can Be Induced Through Environmental Enrichment in Aged Org...
byedvaldosoares15
 
PPT
How animals SurviveHow animals SurviveHow animals Survive.ppt
byDandy56681
 
PPTX
04.-Changes-of-state-of-matter.pptx IGCSE
bylavgi22
 
PDF
Svalbard Global Seed Vault: The Doomsday Vault for Global Crop Diversity Cons...
bySatyam Sharma
 
PPTX
Understanding the Sources, Structure, and Biological Roles of Bioactive Carbo...
byrituparnas
 
PPTX
Heterospory and seed habit in Pteridophytes.pptx
byRashmiMG2
 
PPTX
Two Types of Force- Grade 7- Science
bycrisel7
 
PPTX
PPT Penalaran Deduktif dan Induktif.pptx
byFathir46
 
PDF
Hybridization in Plants – History, Types, Importance & Development
bySatyam Sharma
 
PDF
INTERPERSONAL ATTRACTION, INTERNAL AND EXTERNAL SOURCES OF ATTRACTION AND FOR...
bymokhsha
 
PyMOL: A Step-by-Step Guide to Creating Publication-Quality Molecular Visuali...
bygenz9514
 
Blood_Supply_to_Eyeball_Vaibhav.pptx eye
byrachurivaibhav
 
Transcription (Introduction, transcription unit, substrates required, Prokary...
byRashmiMG2
 
AI Enabled Futuristic Self Charging Driverless Car
byabhijithskrishnan27
 
To study the presence of oxalate ions in guava fruit (P).pdf
byvinitsingh5589
 
PCR-variants & applications; RFLP, RAPD AFLP techniques.pptx
byDr Showkat Ahmad Wani
 
microbiology aerobic.presentation .pptx pre
byAmri559698
 
Assignment I-Natural Disaster_Punjab FLOODS
byhayareesha99
 
Interpret Earthquake Hazard Mappppp.pptx
byJonathanOlegario1
 
microbiology.pptx biochem nothing don't use this
byAmri559698
 
Cognitive Reserve Can Be Induced Through Environmental Enrichment in Aged Org...
byedvaldosoares15
 
How animals SurviveHow animals SurviveHow animals Survive.ppt
byDandy56681
 
04.-Changes-of-state-of-matter.pptx IGCSE
bylavgi22
 
Svalbard Global Seed Vault: The Doomsday Vault for Global Crop Diversity Cons...
bySatyam Sharma
 
Understanding the Sources, Structure, and Biological Roles of Bioactive Carbo...
byrituparnas
 
Heterospory and seed habit in Pteridophytes.pptx
byRashmiMG2
 
Two Types of Force- Grade 7- Science
bycrisel7
 
PPT Penalaran Deduktif dan Induktif.pptx
byFathir46
 
Hybridization in Plants – History, Types, Importance & Development
bySatyam Sharma
 
INTERPERSONAL ATTRACTION, INTERNAL AND EXTERNAL SOURCES OF ATTRACTION AND FOR...
bymokhsha
 

Api days 2018 - API Security by Sqreen