How to Build an Effective API Security Strategy

Captions
All right, hello everyone. I'm Keith Casey, as he said. I'm here, based in Austin, Texas, so a few things about me. I do live here. I used to run the API meetup here in town, ran that for a few years. Before that I came from a company called Twilio; most of you've probably heard of it by this point. When I joined it, no one had heard of it, it was just this strange little API company. There were 25 of us, we all fit in one room, and now I think they have something like 2,000 people. But in more recent times I've designed and built APIs all over the place: large, large-scale companies that you've probably heard of, tiny companies that unfortunately have gone out of business, basically everything in between. My current job is at Okta. My title at work is the API Problem Solver, and I do mean that quite literally, that's on all my business cards and everything, so it must be true. And one of the things that, when I talk about API design and how it works and how it's approached, I tell people that I wrote the book on API design, and I say that because the URL is theapidesignbook.com, not "another" or "some" API design book, but "the" API design book. And actually I'm being kind of disrespectful: my co-author was here yesterday morning, James Higginbotham, so if you met him yesterday, we've been working together on that, done some great work around that. But really what it comes down to is that I love breaking things, I love getting in trouble, I love causing trouble. In fact I've had a number of good friends sort of think about how I approach data and APIs and figure out how can we abuse this. In fact there are prominent people in the API community that just don't share data with me anymore, because when I get a hold of data I cause all kinds of problems with it. So with that mindset I get to advise our customers, I get to sit down and see, like, what are they doing, what are they doing that they shouldn't be doing, what are they not doing that they should be doing, like how can we make this world a little more amusing, I mean a little more secure.

So that's kind of my approach on things, and normally one of the big questions I get when I sit down with all these customers is "what the hell are you doing?", because I'm the guy that will sit down with Postman and start connecting to the API even though we're not supposed to. Because the bad news is that the vast majority of APIs out there are not secure, even in the slightest. So with that, I want to talk a little bit about failure. If we stop and think about how API breaches happen, how big security breaches happen, there's too many to list. If we even just limit it to the last two years, they are catastrophic and they're getting bigger and bigger, and I don't just mean in terms of the number of customers affected, I mean the type of data affected. You know, my favorite on here is actually Tinder, for different reasons, but the amusing thing about the Tinder API is that they didn't actually have any authentication built into it, so you could send messages as somebody else. It's a silly use case, right, that's a silly scenario, but fundamentally you can cause a lot of problems with that. And then we kind of step up and we say, okay, well, what about Delta? Delta had scenarios where they were releasing loyalty accounts, like loyalty information, so that with just a little bit of information I could then query and say when are you traveling, when do I know you won't be home. Even more fun, can I get your confirmation number? Because with many, many, many airlines, if I have your first name, last name and confirmation number, I can cancel your flight. Is that a problem at all? I think it could be, especially if I wait for you to get to wherever you're going. Equifax is the 800-pound gorilla of the bunch. I'm not even going to touch that one, because it's just, well, I don't want to end on a depressing note.

But let me talk about this and say the vast majority of API vulnerabilities happen for good, honest, well, at least they happen for honest reasons. It's because when we stop and think about APIs, it's very rare that the CEO, the C-level executive, walks in the room and says "we will have APIs." Yeah, it happens a little bit, but more likely what happens is the vast majority of APIs come from the bottom up. It's because your team, your team of five developers, is building something, and you've built the same thing over and over and over again and you're getting irritated. You're saying, I want to build this once and be done with it. And so you build it once and you say, okay, I have five users, I can look around the room and see my entire user base, I don't need to worry about authentication, I trust everyone that I work with. Well, that's successful, that works really well. People are really excited about it, they're like, wow, this API, we were able to move faster in our projects, we don't have to refigure this out every time. And another team learns about it, the team down the hall. The team down the hall comes to you and says, hey, I heard you had this API, we are thinking about doing that, but you've done it, can we just, like, get access to it? And you say, hey, look, yeah, you're coworkers, yeah, we trust you, we see you in the lunchroom all the time, and they go ahead and give you access. So we go from five people to five teams. Okay, that's great. Well, at some point we have an architect get involved, and an architect says, well, we need to start thinking about governance and versioning, we need to put an API gateway in place, we need to think about these things. And those are all great, those are all fantastic things to have. But eventually that architect's boss, the VP, says, well, wait a second, these internal teams across campus and in that other building, actually a lot of our partners have similar use cases, our partners need to accomplish very similar things, can we open it up to them? And we say absolutely, because as software developers we have two goals in life. You want to know what those two goals are? Every single one, they apply to every single person in this room, I guarantee you. Two goals in life: we want to build something useful, right, we want to build something useful, we want to know that our work, that our time, that our effort is valued. And the other goal is to go home. That's it, those are our two goals in life, right? You know, you could go home because, you know, I've got other things to do, I've got family, I've got friends, whatever, I don't care. We want to build something useful and go home. The best single metric of building something useful is more people want to use it. If you come into work on Monday and then you come back on Tuesday and there's more people using your software, or using your docs, or using whatever, you're happy, because you know your work is valued. So when we're looking at this we go, wow, my team found it valuable, the five people on my team, they found it valuable, those five other teams, they found it valuable, those five partners, they found it valuable, I'm successful. Well, at this point a C-level exec gets involved. They come back in the room and they say, hey, I was just at this retreat, we were talking about digital transformation, and digital transformation is the wonderful thing, it's driving the future, blah blah, and they feed you that line of bull. But what it means is that those customer use cases, those top-tier customers, they look a lot like partners, and they want to accomplish many of the same things. They want to do these things, they want to tie in, they want to integrate data, we want our product to be stickier. And so we're like, hey, this is fantastic, and so we tie in our top-tier customers. And it turns out, James was on stage talking about this earlier, our top-tier customers and our next-tier customers, and the next-tier customers, they actually look a lot alike. There's not a big fundamental difference between most of those, so it goes from our top-tier customers to all of our customers, like that. Now remember, that's more people using our API, that's more success, that's more excitement, we're happy because more and more people are using our API every day. We've won, right?

Well, here's the problem. We get close to that, that C-level executive's saying, hey, look, we're launching the API in 30 days, and they go to the security team and they say, hey, security team, we've got this great API, we're launching in 30 days, we need you to do a security review of it because we're launching it to the public, anyone can use it, but don't worry, it's probably secure, because we've been using it for a year. There's one phrase of that entire thing that your security team heard. What was it? "We've been using it for a year." Because they go, what the... That's their reaction, because they know that any sort of vulnerability, any sort of issue that they find here at this stage, one, they have to convince their C-level exec, hey, look, don't launch that thing because we need to fix it, but more importantly, they know that every vulnerability that they find here actually existed the whole time. And the reason this happens is really simple. It's because when it was five people, when we could look around the room and see who's using our API, we didn't think about security. When it got to be five teams, we couldn't look around the room, we couldn't reach out and slap the person that's misbehaving, but we never stopped to reevaluate security. When we then go to five partners, where we can't even name the people using our API, maybe we can't even name the partners, it radically changes things. When we open it up to the whole freaking world, we have a problem. We never stop to think about, do these things still make sense, are we still insecure in what we're doing, how are we, is this going to be the next Panera? This is actually how Panera worked out, the exact path that they took, and fundamentally I'd wager every single company up there and every single one of you have gone through this very similar path.

Okay, so how do we do this, how do we fix this? So I sort of boil it down to four aspects. The first one is we only want to expose the interfaces that we need. So we're not going to expose our entire API at once, we're going to expose the individual pieces relevant to the individual use cases that we're solving. Okay, pretty simple and boring. Next one is let's only collect and share the data that we need. If we don't need it, don't collect it. If we haven't collected it, it can't be breached, right? We can't leak something if we don't have it. And then once we do have something, if we don't have a reason to share it, don't. At Okta we do authentication, username and password. Once we accept that password and we hash it, we never give you that hash again, because that's something that could potentially be compromised. By not sharing it back we don't have to worry about that. And the other thing is we only want to grant access to the people and the systems that we need. We're not going to publish API keys to everyone. We need to stop and think, who do we want to have access, and is their use case valid? And sometimes the answer is going to be no, and that's fine, but we need to draw these boundaries. Actually, wait a minute, wait, wait. We're software developers, right? Software developers, what number do we always start counting with? Zero. So I actually skipped zero, because I think this is the most important factor more than any. It's because we need to think like a bad guy. If we stop and think like a bad guy, how could someone misuse and abuse this API, this data? That's way more fun, I mean, that's way more effective at figuring out what can actually happen here. So the rest of the time I want to talk about thinking like a bad guy, because that's way more fun, I mean effective.

So let's talk about how. First of all, I say always read the news. Look at competitors, look at our peers, look at the people in the space and see what breaches they've had, see what things they've struggled with. Let other people learn these lessons for us. That's the best, fastest, easiest, cheapest, least career-damaging way to learn things: watch other people screw up. Next up, talk to your legal and compliance team. I know no one loves talking to lawyers, right? Just stop and talk to them. Actually, they have a really important job. Their job, their entire focus in life, is to protect the organization. Security, isn't that a piece of that? We just need to go in and talk with them, say, hey, what are the things that keep you up at night about data, technology, those sorts of things? The more we can do that, the better off we'll be. And by the way, if we have good relationships with them, when we do need a favor, when we do need to ask for help, we know who to contact. That makes life way easier. Next one is talk to your existing team about horror stories. Now, I know your current development environment and your current security posture is fantastic, okay, but odds are that last place they came from, it was a show, right? Everyone has those stories. Well, there was this time we were using social security numbers for passwords. That's actually one of my employers, like 15 years ago. Those are the kind of things that make us cringe on the inside, and we kind of think about those things, and we still get that tight stomach thinking about it. You know what, we all have those stories. Bring them forward, talk about them, figure out, oh, wait a minute, are we doing that? Whoo. If we discover this internally and have the chance to fix it, that's fantastic. That means some random knucklehead on the internet can't call that problem for us. But actually my favorite approach is write a Black Mirror episode. Is everyone familiar with Black Mirror? Is anyone not familiar with Black Mirror? Black Mirror is this, okay, it's this postmodern approach of technology dystopia. So it's the idea of, what if we had the existing technology we had and we took it two steps further in a horrible, awful direction? Is that fair? It's a good description, okay, cool. So yeah, let's take our API and say, if somebody got a hold of the data here, what could they do? The Equifax data is fantastic for that. You know, when you create a new bank account, they say, what street did you grow up on, and what color car do you have, and stuff like that. Well, with the Equifax data I can answer that question for anyone in the room. Oops, that won't cause a problem at all.

All right, so part of this is also we want to think about what a bad guy actually wants, because saying, oh yeah, they want our data, yeah, well, that's kind of, that's right, but that's not specific enough. Let's get a little more specific. A bad guy wants valuable data, duh, obviously, that's why they're coming after us. More importantly, they want accessible infrastructure. They want to be able to access something that we weren't expecting them to. That's good. We want, or they want, to be able to have a simple or even no authentication, or even authorization. That was the source of the Equifax hack: once you authenticated as whatever user you wanted, there was an ID in the URL and you could use the crazy hacker method of incrementing to go through their entire database, because there was no filter saying, you know what, Keith can access this record but no others. So another good hacker method, incrementing, keep that in mind. Next up, bad guys love custom-developed authentication and authorization systems. They love those because, you know what, odds are we screwed it up somewhere. That's a safe bet. I gave a presentation like this to some people from the NSA and I said, look, unless you're a crypto expert, don't build your own, and they go, no, we don't build our own either. This is useful to remember. Let other people make mistakes and learn from them, please. One good thing that all bad guys want is they want to act undetected. The longer they can act undetected, the better it is for them, the horrible, the worse it is for them. But the source of the Marriott hack, they actually had, hackers had access to the network for, I think that's four years. Just think of all the fun you can cause with four years of data. Yeah.

All right, so a couple concrete steps I do want to share is, I say absolutely, absolutely, absolutely, absolutely use an API gateway. It's not because I love API gateways, it's because they solve a particular class of problem and they do it well. So I don't particularly care which one you use, but they are useful. So it kind of breaks down into five pillars. So you've got lifecycle, and they do, like, where's it deployed, how is it deployed, what state is it in, production, prod beta, or production beta, that sort of thing. Interfaces: this is where they lock down and say what do we have access to, and that's an important thing. Every API gateway, you can say, look, only grant access to this endpoint, and only allow verbs of these types on this endpoint. That's good. If we allow everything to everyone, well, I guess that's job security for me, so definitely do that. Okay, next up is every API gateway does some sort of access management. This could be as simple as API keys, this could be OAuth, some have a built-in OAuth authorization server. That's fantastic, that's a starting point. Obviously I'm biased, don't just stop there, look into an identity provider, but the more you can sort of limit your access to specific things, the better off you'll be. This gets back to limiting access to only the systems and people we want. And then gateways also handle consumption and business and things like that. I'm not going to worry about that here.

Next thing is we need to be smarter about our data. We absolutely need to be smarter about our data. Like I said, if we don't have to collect it, don't. We cannot be breached, we cannot leak data if we don't have it. That makes life easier. You know, when your legal, compliance, security teams come through and they go, well, how are you handling PII, it's a really easy answer to say, we don't have any. Love it, that's fantastic. Well, I was working with a large financial institution recently and they're like, oh, well, we only keep this user identifier. I said, okay, cool. The only way you can translate that into a user is here's an Okta API key, make a request to us, and now you can. Okay, cool. So now, to figure out what that actually means, you need two pieces of information. Okay, that's a little better. Just compromising your system doesn't give people profile information and addresses and email addresses. That's fantastic. And when possible, encrypt at rest. If you have to keep PII, if you have to keep healthcare, financial data, encrypt it whenever possible. Now, if you store the encryption key with the data, you've defeated the point, okay? And I'm not saying that any company has ever actually done this, but just keep that in mind: do not store the keys. You know, if you took your house key and taped it next to your door, that's not useful. Don't do that. Don't do that with your encryption keys either.

Okay, next up, absolutely, please stick to the standards. Don't get creative here. The two big ones are obviously OAuth and, on top of that, OpenID Connect. Daniel said earlier, like, most people look at these standards and are like, oh, I can implement OAuth core, maybe, but don't, because one of the nasty, ugly things that's actually built into that is OAuth itself is a framework and has all these pluggable pieces. And when you stop and look at all the pluggable pieces that are available, there's a lot of them. These are, let's see, I think these are just the ones out of draft status, but there's dozens more. Most people say, oh, OAuth has to be a JWT token. Well, not really, the core specification doesn't say that. That's an extension, that's RFC 7519, I believe. Like, these are the kind of things that, yes, you could build the basics yourself. Don't. Don't. You will screw it up. Use a vendor, use an open-source project, do something. Do a security validation of the product you're evaluating, absolutely do that. Don't build it yourself. And here's one cool thing. I was working with a large financial institution recently and they said, oh, we're going to build our own OAuth library. I said, please don't, please don't, take one of the existing ones. This was for mobile, so they're looking at the AppAuth library specifically. I said, use the AppAuth libraries and do a security audit of those. One, now you don't have to build your own, assuming they meet basic specs, and if there's any issues, report them back to the team, submit fixes if you're really motivated, and now the Internet as a whole benefits. That's the point of open source, right, folks? This is what we want, this is what we need to do. We can't just consume and use stuff, we need to actually say, hey, what's out there is already good, let's reuse that, let's contribute and improve that when we can.

And next up, I always say we have to integrate into existing processes. When we're building APIs we think we're cowboys, we want to go off and do crazy things. Remember, that's how we started, we built the API for five people and it worked out well. Well, you know what, odds are our security and compliance team or network operations team have processes. So at some point in there we need to pause, we need to go, how can we plug into our existing systems? Because when the bad news comes, let's be honest, and that API breach happened, that at Panera or Equifax or Twitter or whatever, they don't go to the developers and blame them, do they? They don't come to us. They go to the security team and they go, security team, it's your job to make the system secure, what happened? And the security team goes, what API? That's our fault. That's our fault for not involving them, for not plugging into their existing systems. So fundamentally, let's think of it at a personal level: I'm risking your job to accomplish my job. We have a word for that, right? If you look at anyone on your team and say, yes, I would purposely risk your job for my job, you're in the wrong business. Stop, get into something else, get into consulting. Okay, oh, that was rough, wasn't it? But this has some upside. So last August there was a hack of T-Mobile. T-Mobile has something like 77 million customers, something like that. Well, when they launched their APIs, using Okta, I'm kind of biased, but they had plugged into their network operations team. And so they were under attack, and they had these crazy hackers using that increment method trying to get access to things. Okay, so there was a problem in the development process right off the bat, totally agree, but their network operations people detected it, and they said, whoa, wait a second, this doesn't look like normal user behavior. And because it didn't look like normal user behavior, they were able to stop it in process, and so the attackers only got seven percent of the database, not a hundred percent of the database. Still not great, but a lot better than it could have been. And by the way, these guys are heroes now, right? This is the kind of people who are like, wow, fantastic, you're doing great work. These are the things we need to watch out for. We're a team, right? If we screw up the team down the hall's job, come on, nobody needs that, nobody wants that. We need to think more about that.

So let me leave you with some closing thoughts. So I say fundamentally, when we're thinking about API security, we want to think about, like, what's the worst possible thing somebody could do with this API? We need to think about what happens if our competitors get our data, what happens if they use that crazy hacking method of incrementing to download our entire product database or our customer database or our item database, whatever the case may be. We need to stop and consider what happens there. But before that, we need to stop and say, what data do we actually need? If we don't need it, don't collect it. If we do need it, we don't necessarily need to share it back. Make sure that that data is segmented and clean and not being broadcast back where we don't expect it to be. Next up, who are users today, right now, like this immediate moment, and who will they be a year from now if we're successful? If this is a product, if this is an API that's driving usage, adoption and growing all over the place, we should assume that more people will be using it tomorrow than are using it today, and we need to stop and think about that. Not just the numbers but who, because partners using our API probably don't have the same security posture as we do, and we need to stop and think about that. And then finally, we need to stop and think about how we are monitoring it. So are we plugged into something like Splunk for network operations? Like, how are we stopping and thinking about this? Because the better we do this, the better life will be for all of us, and security as a whole can benefit. So with that I want to say thank you and have a good one. [Applause]
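Two of the defences the talk keeps returning to, the per-record authorization filter that Equifax lacked and the "this doesn't look like normal user behavior" detection credited to T-Mobile's network operations team, as an added example that is not from the talk, from Okta or from any of the companies named. The record store, the access-log line format, the user names and the run-length threshold are all constructed for illustration.

```python
# Added example (not from the talk): per-record authorization plus a
# behavioural check for ID enumeration. All data is constructed.
import re
from collections import defaultdict

# Constructed record store: record id -> record with its owner.
RECORDS = {
    100: {"owner": "alice", "email": "alice@example.com"},
    101: {"owner": "bob", "email": "bob@example.com"},
    102: {"owner": "carol", "email": "carol@example.com"},
    103: {"owner": "alice", "email": "alice-work@example.com"},
}

def get_record_vulnerable(caller, record_id):
    """Checks that someone is logged in, then serves any record by ID.
    Nothing ties the record to the caller, so incrementing the ID in the
    URL walks the whole table (the 'no filter' case in the talk)."""
    if caller is None:
        raise PermissionError("unauthenticated")
    return RECORDS.get(record_id)

def get_record_hardened(caller, record_id):
    """Same lookup, but a record is returned only to its owner. A missing
    ID and someone else's ID get the same answer, so the response does
    not reveal which IDs exist."""
    if caller is None:
        raise PermissionError("unauthenticated")
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != caller:
        return None
    return record

# Constructed access-log line format (assumed, not any gateway's own).
LOG_RE = re.compile(r"user=(\S+)\s+path=/records/(\d+)")

def longest_incrementing_run(ids):
    """Longest stretch of requests where each ID is the previous ID plus
    one, in request order: the 'incrementing' pattern from the talk."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def sequential_scan_callers(log_lines, min_run=4):
    """Return {caller: run_length} for callers whose request stream has
    at least min_run consecutive incrementing IDs. Real users fetch their
    own few records in no particular order; enumeration is a long run."""
    per_caller = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            per_caller[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for caller, ids in per_caller.items():
        run = longest_incrementing_run(ids)
        if run >= min_run:
            flagged[caller] = run
    return flagged

# Constructed sample log: alice and bob fetch their own records while
# mallory walks IDs 100 to 104 in order.
SAMPLE_LOG = [
    "user=alice path=/records/100",
    "user=bob path=/records/101",
    "user=mallory path=/records/100",
    "user=mallory path=/records/101",
    "user=alice path=/records/103",
    "user=mallory path=/records/102",
    "user=mallory path=/records/103",
    "user=mallory path=/records/104",
]

if __name__ == "__main__":
    print(get_record_vulnerable("mallory", 101))  # serves bob's record
    print(get_record_hardened("mallory", 101))    # None
    print(sequential_scan_callers(SAMPLE_LOG))    # {'mallory': 5}
```

The threshold is deliberately low so the sample log trips it; in practice it would be tuned against the endpoint's normal traffic, and the flagged caller handed to the operations team rather than blocked blindly.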
Info
Channel: Nordic APIs
Keywords: API Security, Keith Casey, Okta, Austin API Summit, Nordic APIs
Id: D7AfQKxFC0U
Length: 24min 59sec (1499 seconds)
Published: Tue Jun 04 2019