1. WHAT HACKERS DON’T WANT YOU TO KNOW: HOW TO MAXIMIZE YOUR API SECURITY
June 20, 2019
Denver MuleSoft Meetup Group
2. Agenda
All contents © MuleSoft Inc.
• 6:00PM – Doors open
• 6:00PM - 6:30PM – Network, Eat, and Socialize
• 6:30PM - 6:35PM – Introductions
• 6:35PM - 7:30PM – Presentation/Demo
• 7:30PM - 7:45PM – Q&A
• 7:45PM - 8:00PM – Open Floor, Suggestions for Future Topics and Speakers
3. Introductions
• About the organizer:
– Big Compass
• About the presenters:
– Aaron Lieberman
– Tyler Reynolds
4. MuleSoft API Management and Security
• MuleSoft API Lifecycle
• MuleSoft API Management
• Securing a MuleSoft API
• PingIntelligence with MuleSoft APIs
5. API Lifecycle
• Design
• Build
• Test
• Deploy
• Manage
7. Giveaway!
With MuleSoft API Manager security policies, what is the difference between rate limiting and request throttling?
8. MuleSoft API Management
• API Manager
– Creating an API
– SLA Tiers
– Contracts
– Alerts
– Policies
• Out of the box policies
• Custom Policy from API Manager
• Develop Custom Policy in Anypoint Studio
• Secure your APIs!
– Monitoring
9. Securing APIs in MuleSoft With API Manager
• Specific to one API
– New feature of automated policies to apply the same set of policies to many APIs
• Common Policies in API Manager
– Basic authentication
– IP whitelist/blacklist
– Client ID Enforcement
– OAuth 2.0
– SLA based rate limiting and throttling
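The giveaway question on slide 7 asks how rate limiting differs from request throttling, and the policy list above names both. The following is an added example, not code from the deck or from MuleSoft: a small simulation of the two behaviours run over one constructed burst of request arrival times. It shows the generic distinction the policies are built on, that a rate limit rejects requests over quota immediately with HTTP 429, while a throttle holds them and delivers them in a later window, so the client sees delay instead of an error. Function names, parameters and the arrival times are all my own.

```python
"""Rate limiting vs. request throttling, simulated over a list of request
arrival times so the two policies can be compared side by side.

Added example: a generic fixed-window model, not MuleSoft's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Decision:
    arrival: float              # when the client sent the request (seconds)
    status: int                 # HTTP status the gateway answers with
    served_at: Optional[float]  # when the backend sees it; None if rejected


def rate_limit(arrivals: List[float], limit: int, window: float) -> List[Decision]:
    """Fixed-window rate limiting: at most `limit` requests per `window` seconds.
    Requests beyond the quota are rejected at once with 429; nothing is queued,
    so a burst never builds up latency or state on the gateway."""
    decisions: List[Decision] = []
    served_per_window: Dict[int, int] = {}
    for t in sorted(arrivals):
        w = int(t // window)
        if served_per_window.get(w, 0) < limit:
            served_per_window[w] = served_per_window.get(w, 0) + 1
            decisions.append(Decision(t, 200, t))
        else:
            decisions.append(Decision(t, 429, None))
    return decisions


def throttle(arrivals: List[float], limit: int, window: float,
             max_delay: float) -> List[Decision]:
    """Fixed-window throttling with the same quota, but excess requests are held
    and delivered in the first later window that still has capacity. The hold is
    bounded by `max_delay`: an unbounded queue would let a burst pile up memory
    and latency on the gateway, turning the protection itself into a DoS vector."""
    decisions: List[Decision] = []
    served_per_window: Dict[int, int] = {}
    for t in sorted(arrivals):
        w = int(t // window)
        while served_per_window.get(w, 0) >= limit:   # find a window with room
            w += 1
        served_at = max(t, w * window)
        if served_at - t > max_delay:
            decisions.append(Decision(t, 429, None))  # too long to hold: reject
        else:
            served_per_window[w] = served_per_window.get(w, 0) + 1
            decisions.append(Decision(t, 200, served_at))
    return decisions


def summarize(decisions: List[Decision]) -> Dict[str, float]:
    """Counts that make the difference between the two policies visible."""
    accepted = [d for d in decisions if d.status == 200]
    return {
        "accepted": len(accepted),
        "rejected": len(decisions) - len(accepted),
        "delayed": sum(1 for d in accepted if d.served_at > d.arrival),
        "max_delay": max((d.served_at - d.arrival for d in accepted), default=0.0),
    }


# Constructed burst: six requests inside the first second, one more at 2.2 s.
BURST = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 2.2]

if __name__ == "__main__":
    print("rate limit:", summarize(rate_limit(BURST, limit=3, window=1.0)))
    print("throttle:  ", summarize(throttle(BURST, limit=3, window=1.0, max_delay=1.5)))
    print("throttle, tight cap:", summarize(throttle(BURST, limit=3, window=1.0, max_delay=0.5)))
```

With a quota of 3 per second the rate limit rejects half the burst and delays nothing; the throttle accepts the whole burst but pushes three requests into the next window. Tightening `max_delay` makes the throttle fall back to 429s, which is the knob that keeps a throttling policy from absorbing an unbounded flood on behalf of the backend.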
11. MuleSoft Anypoint Security
• Secure all applications deployed to your Runtime Fabric with Edge Policies
• Implement a Web Application Firewall (WAF)
• Other policies
– IP whitelist
– Denial of service
– HTTP limits
12. MuleSoft + WAF Security
• Protects against many common attacks
– SQL Injection
– Cross Site Scripting
– Body scanning
– OWASP Top 10 attacks
– These are known vulnerabilities!
13. Security Policies + WAF Protection
• What do security policies + WAF actually protect against?
– Basic attacks (authentication, rate limiting, SQL injection, etc.)
• What are the vulnerabilities?
– Advanced API attacks from authenticated hackers
– No way to detect authenticated attacks
• Google took 2.5 years to detect a breach
• How do we protect against these vulnerabilities?
14. MuleSoft + WAF Security Demo Architecture
16. Giveaway!
How long did it take Google to detect an ongoing breach on their API?
A. 0-6 Months
B. 6-12 Months
C. 12-24 Months
D. 2+ Years
17. Current API Landscape
• APIs steadily increasing
• Attacks steadily increasing
18. Current API Security Landscape
Reactive -> Proactive
[Chart: Average Time to Detect First Breach, source 2018 Verizon DBIR]
API Security Survey:
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs
19. API Security – A Difficult Problem!
[Diagram: many inbound clients, characterized by IP, geolocation, time/day, session length, ..., connecting to API 1, API 2, API 3, API 4]
• High number of sessions across many APIs
• High velocity connections
• Large mix of inbound client types and activity
– Legitimate clients
– High velocity attackers disrupt services, access content, etc.
– Hackers with valid credentials blend in while maliciously accessing API services
• Looking for a needle in a haystack
20. How vulnerable are APIs to attacks?
API Login and API DDoS Attacks
• Brute force login attacks
• Stolen identifiers: cookies and tokens
• API specific DoS and API DDoS attacks
Compromised Account / Insider Attacks
• Account take over
• Data theft
• Application control
Hackers using Machine Learning
• Every attack looks different
• Every blocked attack leads to a new attack …
21. Answer: Leverage AI
MODEL
• Learn from API traffic
• Build model for legit apps
DETECT
• Inspect runtime traffic
• Look for deviations from model
BLOCK
• Block compromised tokens
• Notify/alert
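The MODEL / DETECT / BLOCK loop above is the shape of every behavioural API defence, and it is what catches the case slides 19 and 23 worry about: a valid bearer token that has been stolen and is now used by someone else. The following is an added example, not code from the deck or from PingIntelligence: a minimal per-token baseline learned from constructed gateway access logs, a detector that reports deviations (new client IP, never-used endpoint, request rate well above the learned peak, unknown token), and a block step that revokes a token once its deviations accumulate. The log format, token names, IP addresses and thresholds are all constructed for the example.

```python
"""MODEL / DETECT / BLOCK over API gateway access logs.

Added example with constructed log lines; a deliberately small behavioural
baseline, not a vendor's model. Log format (constructed):
    "<epoch_seconds> <token_id> <client_ip> <METHOD> <path>"
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class TokenProfile:
    ips: Set[str] = field(default_factory=set)        # client IPs seen with this token
    endpoints: Set[str] = field(default_factory=set)  # "METHOD /normalized/path"
    peak_per_minute: int = 0                          # busiest minute in training


def parse(line: str) -> Tuple[int, str, str, str, str]:
    ts, token, ip, method, path = line.split()
    return int(ts), token, ip, method, path


def endpoint_key(method: str, path: str) -> str:
    """Collapse numeric resource ids so /orders/101 and /orders/102 are one endpoint."""
    parts = ["{id}" if p.isdigit() else p for p in path.split("/") if p]
    return f"{method} /" + "/".join(parts)


def build_model(training_lines: List[str]) -> Dict[str, TokenProfile]:
    """MODEL: learn, per token, where it comes from, what it calls, how fast."""
    profiles: Dict[str, TokenProfile] = defaultdict(TokenProfile)
    per_minute: Dict[Tuple[str, int], int] = defaultdict(int)
    for line in training_lines:
        ts, token, ip, method, path = parse(line)
        profiles[token].ips.add(ip)
        profiles[token].endpoints.add(endpoint_key(method, path))
        per_minute[(token, ts // 60)] += 1
    for (token, _minute), n in per_minute.items():
        profiles[token].peak_per_minute = max(profiles[token].peak_per_minute, n)
    return dict(profiles)


def detect(model: Dict[str, TokenProfile],
           runtime_lines: List[str]) -> List[Tuple[str, int, List[str]]]:
    """DETECT: compare each runtime request with its token's profile."""
    findings = []
    per_minute: Dict[Tuple[str, int], int] = defaultdict(int)
    for line in runtime_lines:
        ts, token, ip, method, path = parse(line)
        reasons: List[str] = []
        prof = model.get(token)
        if prof is None:
            reasons.append("token never seen in training")
        else:
            if ip not in prof.ips:
                reasons.append(f"new client IP {ip}")
            ep = endpoint_key(method, path)
            if ep not in prof.endpoints:
                reasons.append(f"never-used endpoint {ep}")
            per_minute[(token, ts // 60)] += 1
            if per_minute[(token, ts // 60)] > 2 * prof.peak_per_minute:
                reasons.append("request rate above 2x learned peak")
        if reasons:
            findings.append((token, ts, reasons))
    return findings


def block(findings: List[Tuple[str, int, List[str]]],
          threshold: int = 2) -> Tuple[Set[str], List[str]]:
    """BLOCK: revoke a token once its accumulated deviations reach the threshold.
    One deviation alone (a user on a new network) only counts; a new IP combined
    with an endpoint the token never called is the stolen-token pattern and trips it."""
    scores: Dict[str, int] = defaultdict(int)
    blocked: Set[str] = set()
    alerts: List[str] = []
    for token, ts, reasons in findings:
        if token in blocked:
            continue
        scores[token] += len(reasons)
        if scores[token] >= threshold:
            blocked.add(token)
            alerts.append(f"{ts} revoke {token}: " + "; ".join(reasons))
    return blocked, alerts


# Constructed training traffic: tokA is a mobile app, tokB a partner integration.
TRAINING = [
    "1000 tokA 10.0.0.5 GET /profile",
    "1005 tokA 10.0.0.5 GET /orders/101",
    "1070 tokA 10.0.0.5 GET /orders/102",
    "1130 tokA 10.0.0.5 GET /profile",
    "1200 tokB 203.0.113.7 POST /orders",
    "1260 tokB 203.0.113.7 POST /orders",
]
# Constructed runtime traffic: tokA reused from a new IP against an admin endpoint,
# tokB bursting far above its learned rate, tokC never seen before.
RUNTIME = [
    "2000 tokA 10.0.0.5 GET /orders/103",
    "2010 tokA 198.51.100.9 GET /admin/users",
    "2020 tokB 203.0.113.7 POST /orders",
    "2021 tokB 203.0.113.7 POST /orders",
    "2022 tokB 203.0.113.7 POST /orders",
    "2023 tokB 203.0.113.7 POST /orders",
    "2030 tokC 192.0.2.44 GET /profile",
]

if __name__ == "__main__":
    blocked, alerts = block(detect(build_model(TRAINING), RUNTIME))
    print("blocked tokens:", sorted(blocked))
    for a in alerts:
        print(a)
```

The normal request from tokA produces no finding, the reused tokA is revoked on a single request because it deviates on two axes at once, and tokB is revoked only after its rate stays above the learned peak for a second request; tokC is reported but not blocked, since an unseen token is an inventory gap to investigate rather than proof of abuse. In a gateway this would feed a token blocklist checked on every request and an alert into the SOC's pipeline.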
22. PingIntelligence For APIs
[Diagram: PingIntelligence for APIs ® between the APIs and the app servers, providing API Discovery, Attack Blocking and Deep Reporting]
• Deep API Visibility
– Dynamically discover APIs across all environments
– Monitor all API activity including every command and method used throughout a session
• Automated threat detection and blocking
– Detect and stop attacks that use APIs to compromise data and applications
– Use API honeypots to instantly detect probing hackers and prevent access to production APIs
• Self Learning
– Use AI to discover expected behavior for each API in API gateway and app server environment
– Eliminate the need to write and manage policies and update API attack signatures
23. Zero Trust
• You can’t fully trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
– Client app, user, 3rd party identities
[Diagram: paths by which a token reaches the API in the wrong hands: phishing (+token), stolen token, user data, GitHub leaking client secrets, password reuse]
24. Comprehensive Security: MuleSoft + PingIntelligence
Foundational API Security (Scalable Multi-Cloud API Platform)
• Content Injection – JSON, XML, SQL injection protection, XSS
• Flow Control – Throttling, Metering, Quota Management, Circuit-breakers
• Access Control – AuthN, AuthZ, Token Management, Microgateway
AI-Powered Cyberattacks Detection (PingIntelligence for APIs: AI-powered Threat Protection for APIs)
• Automated Cyber Attack Blocking – Blocks stolen tokens/cookies, Bad IP’s & API keys
• API Deception & Honeypot – Instant hacking detection and blocking
• Deep API Traffic Visibility & Reporting – Monitor & report on all API activity
25. PingIntelligence Augments API Security
Complementary to API Gateways and WAFs
[Diagram: API Gateways (API Management, Security Policies) + Web Application Firewalls (OWASP Top 10 Protection) + PingIntelligence for APIs (Authenticated users, Advanced attacks)]
27. Attack Landscape Summary
• API Breaches go undetected for months or years
• Enterprises need to incorporate zero-trust for API Strategy
• Gartner: “by 2022, API abuses will be the most frequent attack vector that result in breaches”
• Many attacks can’t be detected with traditional API security
• Help is here from MuleSoft and PingIntelligence
[Diagram: your customer -> your org]
28. MuleSoft + WAF + PingIntelligence Architecture
Full Lifecycle API Mgmt.
• Design, Create, Publish APIs
• Content Inspection
• Content Validation
• Session Management
• Policy Based Security enforcement
• Rate Limiting
API Visibility & Protection
• Deep Visibility & Reporting
• Unique API Behavioral models
• Automated Attack Blocking
• API Discovery
• API Deception
• Self Learning – no rules or Policies
Web Application Security
• WAF Positive Security Model
• OWASP Top 10 Protection
• DDoS Prevention
• RASP
• Content Filtering
• Rate Limiting
• Signature Based Detection
30. References and Documentation
• OWASP
– https://www.owasp.org/index.php/Main_Page
• PingIntelligence + MuleSoft Integration
– https://docs.pingidentity.com/bundle/pingintelligence_mulesoft_integration_pingintel_32/page/pingintelligence_mulesoft_api_gateway_integration.html
• PingIntelligence
– https://docs.pingidentity.com/bundle/PingIntelligence_For_APIs_Deployment_Guide_pingintel_32/page/pingintelligence_product_deployment.html
• Undisturbed REST
– https://www.mulesoft.com/lp/ebook/api/restbook
• API Security
– Kin Lane, API Evangelist, Evolving API Security Landscape Whitepaper
• https://www.pingidentity.com/en/resources/client-library/white-papers/2018/evolving-api-security-landscape.html
31. References and Documentation
• MuleSoft Documentation
– API Manager
• https://docs.mulesoft.com/api-manager/2.x/
– Anypoint Security
• https://docs.mulesoft.com/anypoint-security/
33. What’s Next?
• Share:
– Tweet your pictures with the hashtag #MuleMeetup
– Invite your network to join: https://meetups.mulesoft.com/denver/
• Feedback:
– Contact your organizer aaron@bigcompass.com or linda.gunn@bigcompass.com to suggest topics
– Contact MuleSoft at meetup@mulesoft.com for ways to improve the program
• Our next meetup:
– Date: August 2019
– Location: TBD
– Topic: TBD
34. See you next time
Please send topic suggestions to the organizer