How to get along with HATEOAS without letting the bad guys steal your lunch?

Captions
[Music] Well, welcome. Are you having fun at Devoxx? Are you all really tired and want to go home? No? No. So you haven't come to this... maybe 50 minutes' time... you've come to this talk so you can just lay back and be quiet, but we're going to scare you and inform you. So my name is Steve Poole, the one not being abducted. I work for IBM; I'm a developer advocate for the Java team, and so I get to come out and talk about cool Java stuff to you guys. And I'm Graham Charters. I also work for IBM; I'm an architect and developer advocate on Liberty, so I tend to talk about Liberty and MicroProfile and stuff. So we're going to talk to you about something we've had conversations about, and thought it would make a good talk because it's sort of new and different and there are different opinions. I'm not a security professional by any means, but I'm a sort of interested visitor, and so I have learnt a lot about some of the bad things that we do as developers when we ignore some security stuff. So we're going to talk to you about, you say it, was it good, you're going to call it HATEOAS, or "hat-oss", or "hate us", and some of the security implications, and some of the things that you could do to make it less of a challenge. Okay, cool, you did the first bit. All right.

So the title of the talk: how to get along with HATEOAS without letting the bad guys steal your lunch. So I first came across HATEOAS, as you were saying, talking to a customer quite a few years ago, so HATEOAS is nothing new. Who here thinks they know what HATEOAS is? Awesome, so I've got to be careful now, I'd better get it right. So I met a customer quite a few years ago and they said, we love HATEOAS, it makes writing our client-side applications a lot simpler, they're more flexible, we don't have to change them as often when we change the backends and so on. And so when we were talking together, Steve said, well, it'd be great to do a kind of security angle to this. So I'm going
to start by defining, hopefully, HATEOAS, and going through a little bit maybe the kind of thought processes I went through as I was investigating this. So it stands for Hypermedia As The Engine Of Application State. That's got to be just about the worst name and acronym I have ever come across, but... so that was, sorry, that's what went through my mind: what the frell? So I thought, well, let's break it down a bit and look at what hypermedia means. So hypermedia, this is some kind of dictionary definition: an extension of the term hypertext, is a nonlinear medium of information that includes graphics, audio, video, plain text and hyperlinks. So if we try and understand that, let's start with hypertext. Hypertext is essentially text which is all interlinked and so on, so you have a graph of text. But we're talking about multimedia, so things like graphics and audio and video and text as well, so hence hypermedia. So that's kind of okay, we're a little bit wiser maybe.

So I carried on digging and then I came across a really nice blog article by Martin Fowler which talked about something called the Richardson Maturity Model. Who's come across the Richardson Maturity Model? Yeah, a few of you. It's not new, it's maybe about eight years old, might even be longer if I'm misremembering the dates, and this was essentially something which was written as part of a book and it's trying to define a maturity model for doing REST services. If you're familiar with capability maturity models, there are maturity models for various other types of things and they always start with a level 0, and essentially level 0 is where you've done nothing, so you're completely, I guess, incapable, you've not done anything towards designing good REST services. And then they defined three levels above where you kind of make this progression through your learning and expertise of doing REST services. So the next one is resources, so thinking about resources; the next one up is
about using HTTP verbs appropriately, and then the last one is about putting in hypermedia controls. So I thought it'd be interesting to look at those in a little bit more detail, because the first one was called the Swamp of POX. So it's showing its age, because POX was plain old XML and we all do JSON now, so it's now the Swamp of POJ. So let's have a look at what Swamp of POJ means. Essentially level 0, or Swamp of POJ, is you're using HTTP just to tunnel your requests, and what services that are implemented in this way typically do is use the lowest common denominator in terms of HTTP, so they usually just use HTTP POST because it can't be cached and it can't be retried, or shouldn't be cached and shouldn't be retried, I should say. So you're not really using HTTP very well, but you're kind of at the lowest common denominator, so things shouldn't go wrong; it's just not optimized for the web. And so you define effectively your own little request protocol. So here we've got a method called getPerson and we're providing some data as part of this query, and that's going in the body of the POST request, and we'll get a response back.

So what I'd like to do with each of these is show a little bit of a demo, and as we go through we'll see how the different levels become more helpful to the developer. All right, so the first one, this one's POJ. So I've got a service endpoint, it's a single endpoint, that's another point to make, so lots of requests will go over this and hit this endpoint. And so in terms of explaining to the user about this service, there's not a lot I can say, because there are so many different types of data that are going to flow over this. So when I try and define an API for it, all it's going to tell me is, well, you can send some JSON and you're going to get some JSON back. But I happen to know that I've got a method property and I'm
going to call it getPerson, because that's the method I want to make a request for, and I can get the person with a particular ID. So you can immediately see this isn't very helpful as a developer: I've got no information about the API and so on. So if I execute my REST... hopefully I got it right, and yeah, we can see that I've managed to retrieve a person. Okay.

So the next level up is resources. This is where you start thinking about resources, so you end up with multiple endpoints. So in my particular example I've got a person and an address, so I can have a person endpoint for my person resources, I can have an address endpoint for my address resources, but we're still not using HTTP appropriately, so we're going to tunnel things over POST requests because I want to pass body data in. So my request looks very similar, and the response coming back again is going to look very similar. So let's just see what that looks like. So now we can see we've actually got two endpoints, which is nice. So as a developer I now know that there are more endpoints available, more things I can call, but they're only doing POST. But because I'm passing in person objects and getting person objects back, I can perhaps give a little bit more information, a little bit more structure. But I don't know what the methods are, but I can maybe guess... oops, I need to do a "try it out" button... I can maybe guess, because it's a person object, I might be able to do getPerson, and then let's pass in the ID and execute that again, and we can see we've got the person back. So a little bit more helpful to the developer.

So the next one, HTTP verbs, level 2. So here we actually start using HTTP appropriately. So I'm going to do an update in this particular example: I'm going to POST a person to the person endpoint (actually I've got the URL wrong, I shouldn't be giving it an ID, but anyway), and then I'm maybe going to get a person back with a generated ID, for example. Or I
might do a GET or a PUT or a DELETE, and I may even be able to do PATCH and HEAD and things like that. So it's using HTTP appropriately, so you can then take advantage of the way the web works: you can retry certain methods, you can cache certain methods and so on. So when I look at what's available now there's a lot more information available to me as a developer. Hopefully you can see that, okay? Anyone struggling to see that? All right, let's go a little bit... though, didn't mean to do that. Okay, so I've got various HTTP methods available and I can do things like, okay, I can do a GET, and this is going to give me back all the... guessing, based on it's just at the root of the person resource, it's going to give me back all the people that are defined in my back end, and you might have pagination methods and things like that. So again it's getting a bit more helpful to the developer, more information for me to see.

Last one, hypermedia. What hypermedia does is it says, well, that's okay, returning a resource, but there's additional information you can provide back. So tell me information about what the things are I can do once I've retrieved the state of this resource: where can I go next? So I could always go back to myself, or in this particular example I can go and navigate to the address resource; this person has an address. But also the "as the engine of state" aspect of HATEOAS, or "hat-socks", or whatever we want to call it: if this person doesn't have an address, then don't give me an address link. You might give me a link where I can go and create a new address based on this person, and that address automatically becomes the address of that person. So this is again additional useful information for me as a client, me writing a client application to this REST service. So let's just finally see the last example. So from the outside it looks just like the previous example, but
now when I do my GET and get the results back, I'm getting... let me just scroll that up... I'm getting this additional information. So I can see what my link is, my self link; I can also navigate to the address. Now I haven't actually HATEOAS-enabled the address, which is a bit of a shame, but I can go and look at it and you can see it's a valid endpoint and so on. And that's fine for people and addresses, but this might be banking applications and so on, where some of these things are maybe more useful to you as a developer, or perhaps a hacker. Okay.

So just a quick summary. Level 1, you start giving the developer help in terms of resources, understanding what resources are available. Level 2, you start telling them what the operations are; there's a bit more of a hint about what operations can be performed on the resources. And level 3 gives you additional state and navigation information about the resource. It's all very, very useful. So because this is a security talk, as I was reading Martin Fowler's blog post I came across this paragraph, or paragraph extract, and thought it's quite interesting, because it summarizes the hypermedia control level and says: "A further benefit is that it helps client developers explore the protocol. The links give client developers a hint as to what may be possible next." Which is really, really nice. Okay, what happens if we do this to it? It still makes sense: "A further benefit is that it helps hackers explore the protocol. The links give hackers a hint as to what may be possible next." So that's the segue into Steve. I'm going to sit down and enjoy the talk now and Steve's going to go through the how you look into it. Thank you.

Thank you. Okay, I'm going to use this because I'll forget the clicker. So before we have a big go at this, let's do this. I want to dispel some fake news, then I'll explain why what Graham has just displayed and talked about is really good news. Okay, so many people think that if you have
a firewall everything is OK. Anybody here believe that? Okay, right. So the reality is that having a firewall as the way to prevent people getting into your system is not the greatest answer, okay, because the bad guys are going to attack every single way, every single part of your system. They're going to find a way of getting in, because we all make mistakes and we all do things that are silly and let people in. So it's no good just saying, hey, I've got a firewall. Okay, so your best defence... spelling's going to be fun... is defence in depth. Okay? So when I go through this talk we'll talk about some of the problems and some of the benefits; it's not a panacea, there is no complete panacea, right? You have to have solutions all the way through. So we're just going to go through one part of this. This isn't "if you do HATEOAS properly everything's okay"; you've still got to do everything else. Okay? And you need to do this: you need to have effective detection, right? So one of the biggest problems with our assumptions about how people get hacked is that you would notice, and the answer is that's not true anymore. It's almost impossible; unless you've built in detection systems, you're never going to notice. Okay?

So how do they get to you? How do people start to break into your system? Okay, there is this view that you have that it's like a bank robbery: so I'm going to target you as a bank (that's the wrong example), I'll target your individual application, and I'll look at your system and I'm going to create complicated plans, I'm going to examine what you're doing, and I'm going to figure my way in. And the answer is attacks don't start with planning, okay? They start with scripts. So the world that we live in is like this. This is a human analogy, but imagine a burglar who's trying every door of every building across the planet 24 by 7. Think of these people out there, these scripts that
are trying to get into your system every moment of the day. They're looking for the open lock. So they're not targeting you specifically; there's no plan. They're finding somebody who's got an open window. Okay? So the other way of thinking of this is that you have this really excited tester who's out there just trying to find bugs in your system, right? Okay, except he's never going to file pull requests and tell you that you've got them. But they're going to be doing this. You know those guys that find those complicated problems and they go, look, if you do this I can crash your system, or if you do this I can steal data? This is what's happening; they're going to just keep doing that forever. Okay?

So how do they get started, right? And I said they go looking for you, right? Well, they use Google, right? They just put words in Google and they find things. So WordPress, that's got an API; WordPress actually publishes a particular file on your web server in a certain place that tells what the API is. It's standard. Great, thanks very much. Or I can go to SwaggerHub where you may have registered your API. Thanks very much. Or I may have gone here; have you done the same? Okay, you've told me what your API is. Oh, I might just do this: I'm just going to try you and see if I get a response. Okay, so all that has to happen is that you have to respond, okay, or you publish your data, and now I've got an API endpoint. Okay? So what do I do next? How do they start hacking the API? Right, well, do you follow security design principles when you're writing applications? Are you thinking about these things? Are you thinking about attack surface areas, defence in depth? Are you looking at failing securely? Any of you guys do any of this stuff? Oh look, one hand at the back. Okay, okay, yes, right. This list comes from the OWASP guys, so I would recommend that you go and read it. So the thing is, however much you do this well, or you don't do this, the bad guys are trying to figure out where you
were not so good. And that's not necessarily you deliberately being wrong, but you just have to be making a mistake, right? You're being probed all the time, trying to find these mistakes. Okay? So there are three parts to how they get to you. I'm only going to talk about one. They're going to try and figure out how you do authentication and access management and try and figure out how to get around that. Okay? You may go, I have access management, therefore people can't hack my API, and the answer is that's not true, because there are all sorts of ways of being able to get around your security. It's not difficult; you only have to make a mistake and they'll get it. We won't talk about social engineering, which is basically you blabbing about how your system works in places that people can find the information, okay, and they will also try and find ways to manipulate you to give people access. We haven't got something for that. We won't talk about the reverse engineering bit, okay?

So as a hacker, if you use REST, okay, thank you, it's Christmas. Because why? Because you've given me all this documentation. You've told me... Graham demonstrated how lovely it is for me to see how your API works, okay? I will start just ticking... this is all available for scripting engines; code can read the Swagger and figure out what to do and just keep prodding. Okay? So I can guess how your API works. Okay, I can do GET users, get users, and get some data. Cool, thanks very much. I can do users/1, I can get some more. I can do users/2, I get more stuff. Cool. I'm just exploring your API and I'm getting into your system. Okay? And I can try all the other different verbs and see what happens there, okay? I can look at your cookies that you're sending backwards and forwards. Can I find information in there and can I play with that data? All automatically, okay, and just see what happens. Okay? I'll also go to some of the online services and I'll figure out what your server does; I'll figure out what version of
components you're running so I can look for vulnerabilities, and I'm just going to go do this. Okay, there is this wonderful website called shodan.io which is an index, searching... sorry, it's an index of IoT devices. You think of Google, but for IoT devices. And because it searches all the IoT devices, it searches all the web servers too, and it gives me all sorts of wonderful information: what ports you've got open, what the responses are from probing those ports in standard ways, where you are, what software you are running. All sorts of information is gathered by these tools, and as a bad guy I can use this to find you, find your weaknesses. So you know, if you've had a vulnerability in your web server, okay, these guys are going to find it, because they're going to find the versions of a particular, perhaps, server that you've got. They'll have a vulnerability, therefore exploit it, they get in. Right, so that's hacking your system. Okay?

So the dual of that: they'll try all these combinations, they'll try these different verbs to see what your code does. I'll just keep playing and trying different things. What do I do with your headers? Your cookies? Just play, and I'll try and break your service, because if I can break your service then your errors will tell me more things. For instance, I may be able to figure out which parts of your componentry are dealing with static files, which is... that's part of your application, that's your business logic, this is where you're serving up static files. I might be able to tell that from the errors you respond with, all right? If I can find the static endpoints then maybe I can start doing things like this: I can start trying to wander around your system, okay, because you've told me that this endpoint gives me files, so I'll try and do that. Okay? And then if things go wrong, that's good too, because you've been very helpful in giving me the information about what the problem was. So from stack traces I
can work out what version of software you're running. Thank you. You know, "Apache Tomcat 8.5.34", thank you very much; what components. Oh, and look, you told me something was wrong, okay, so maybe I'll try that again and try a different number and see what happens. All of this activity of trying to probe your system is called fuzzing, and there are lots of fuzzing tools. So fuzzing tools are things like: what happens if I try users/1? What happens if I increment that number? What happens if I put a parameter in that's got some embedded SQL thing? Can I... I'm just going to explore your APIs for the edges that you haven't thought about. What happens if I send in MAX rather than zero, or something like that? Okay, the OWASP guys keep track of all this; you can go read about all this, right? But believe me, it is an enormous space. There are lots and lots of tools out there. It is a professional set, it is very mature. Why? Because it's been produced by the guys who have been paid to test your systems, the pen testers, and the bad guys make use of this. So look: archery fuzzy, it's a random tool that you can go by and use and point to your website and it will fuzz your data and find ways in. Okay? So things like, do you deal with zero-width space in your data? You probably don't even know what it is, but does your code deal with it? Do you understand the side effects that might happen to your system if you have these in there? Well, the Big List of Naughty Strings, best thing ever. It's not really swear words; it's a list of strings that have been shown to have interesting side effects when used on your system, okay, and it covers all sorts of spaces. So reverse engineering, fuzzing: this isn't just URLs, it's headers, it's the JSON payloads that you do when you POST something. If I've managed to see what you post, or your API is properly documented, I can try these things. I'm going to start to figure these things out. Come on: adoptions, file formats. So you take an
upload for an image, okay? If I play with the image structure, can I get your system to break? Can I get you to do things? Can I find the vulnerabilities? All automatically, all the time. Okay, robots, dangerous values, which is people know how to break your systems. Great, fantastic tools, high-quality tools to attack your system. But, huh, I could do other things. I could just go read your code on GitHub, and you know, I can do good Google searches, like I can say, tell me all the URLs in the world that have "respect JSON" in them, because that turns out to be the description of a certain type of API. There's all that stuff, thank you very much. Or I could ask Google to give me all the web servers it can find that have inadvertently let Google access the logs, so I can now look at your logs and see what your URLs look like in your logs and what your errors are, all that sort of stuff. Okay, and I can also get at the logs if you've got an iOS device or an Android device; you've got logs on the phone, I can get those too, because as developers you put debug information and stuff in, and as a bad guy I can make use of it. I can find test endpoints just by looking for certain files in Google. This is really cool, right? I've had conversations with people about this before and people say, we don't use security on our test endpoints because it's easier to test that way. Okay, and then unfortunately your test endpoints get published and get discovered, and now people have got a way into your system by calling your own test endpoints, which you don't have security on. Okay?

The takeaway right now is it's a really scary situation, right? The OWASP guys have a whole list of how you can be attacked, and it's worth reading because it will help you be more informed. But you need to understand that this is... it doesn't matter how much defence you've got, these guys are going to be probing you all the time. They're just looking for a mistake, a mistake that you make and
a mistake your IT makes, a mistake that's in one of your dependencies, right? And they will be finding and probing their ways in. Okay, so what has this got to do with REST and HATEOAS and stuff like that? Well, this is a talk about what you can do in this defence in depth: which brick can you do in the REST space? Okay. So let's do some more bad news. Okay, so when we build REST APIs we have these wonderful examples that you see, and they're really simplistic, but they are too simplistic and they're very easy to be manipulated, because, you know, they're things like GET /api/v1/management/departments/10. We're taught to structure these APIs so you as human beings can go, oh yeah, I understand how that works and I can code for them. We put them in the documentation, they get printed out, they get searchable. Okay, why are you putting /api/v1 in? Okay? Anything you can think of that's not /api/v1, any of the variations that you have invented, somebody else has thought about it and it's part of one of these search terms. So okay, don't put /api/v1, put something else that's a bit less obvious and a bit useful to you. Okay? By the way, though, don't put stuff in there that's related to the name of the project. So if you go, hey, we've got this super server, it's called Darkstar, don't put darkstar there, because you're going to talk about Darkstar on social media ("I was using Darkstar, it didn't work") and the bad guys will catch that and go, well, what if I tried darkstar? Okay. But why do we do this? Because that's what people say and because it's easy. Okay, and then we're trying to make it harder for these bots to get in, because as soon as they've got a clue that they understand, they may have found a way and they're going to try something else. How do we prevent it? How do we make them get bored and move on? Okay, so don't put departments/10, don't have UID, don't have client/12345, because I can just guess. You want UUIDs for all your entities so that they
can't be spoofed. I can't take one of those, change it, and get more data. If I want to guess what the next department is, I have to do something else. Okay? Yeah, and I said about the naming there. Okay, you're trying to make it harder for people to fuzz your data, you're trying to make the robots move on, so you're trying to do these basic things. Okay, think, though, about what you think your application is doing. So what do you think you're checking, and what do you think the dependencies that you're using are checking? So for instance, the path navigation ./../desktop: who checks that you make sure that that's within bounds? Do you do that, or do you rely on some dependency to do that? Whichever way it is, write some tests to prove that it behaves the way that you want, and run them, because at some point it might fail, and that's all the bad guys are looking for. They're not looking for you to change your design deliberately; they're looking for mistakes to get in. Okay? The other thing is about data validation. That's a big topic, but basically if you are not putting lots of effort into how you deal with the data, and how you assume that everything is correct, the fuzzing guys are going to break you, right? There's only so many combinations of data that you should accept, and you should be checking for that.

So the other thing you can do is reduce the data you return. Okay, so if you have /api/v1/users/1 and you return everything you need, then you've just given away... I mean, what would you do? You could say, I make this call, it goes to a NoSQL database, I get back some JSON, I give it to the client, okay, because that's easy. Don't do that. Structure APIs around use cases and give back just the data that the guys need for that use case. Make it harder for the bad guys to do the discovery. Okay, don't give back raw data if you can do it any other way. So often we don't think about just doing a little bit more, a little more clever design. So for instance, if I have a
calendar API and I say give me the entries, and I get some schedule and I get dates, great, thanks very much, that's a date; I've given information away. I don't want to do that. Okay, what I do is think like this: I want to say, I'm going to call the API and I'll give you some starting position, and then the information that comes back for me is relative to some starting position. You can still code to that, but it's harder for human beings and bots to work out what this is, because as soon as they understand what this data format is they can fuzz it. Okay? So it's you thinking about how you can restrict the data you're giving out but still achieve your goals. You don't have to give out the simple stuff. Okay? There's a whole bunch of stuff about writing code defensively: start thinking about the fact that the guy who's calling you could be doing it maliciously, rather than assuming there's some nice developer that you know down the road who is just going to do it right. No: think bad thoughts, validate all the data, don't treat the request as an order. Validating: okay, that's readable, I'll do that. Not okay: it says order 10 million barrels of baked beans; you're going, "hmm, that's a bit wrong". Okay, look at the error messages that come back and make sure they're not too useful; don't give stack traces unless you really, really have to, okay, etc. Okay?

So what are the things that do happen? What is fuzzing trying to do? Fuzzing is trying to figure out how to drive your code down unusual paths. So you have really complicated code, you have paths in here that you're not expecting to be driven. So if your API, if you're data-driven, you just read these parameters and you go, okay, parameter one's this, I do this, and then if parameter two's this I go down this path, and if parameter three is this I go down this path; I could find myself in some strange part of the code that I never actually expected to get to, but because it was data-driven and I didn't validate it, okay, bad
things can happen. And that's what the fuzzing is trying to do: it's trying to find how to drive your application to these weird places, and we don't look very much. So you need to also say, when things aren't exactly as you expected, you should be looking. This is the REST stuff, okay? HATEOAS is the next level and we'll talk about that, but think about this: this is just basic REST design thinking, how do I make it more secure? Okay, think about what you expect the client to be doing, and is the client's request valid and valuable and reasonable at this point? Not "whatever they ask, if it passes my filter, it's in". Okay? And then when you do log stuff, log things in such a way that the logging analytics tools that are going to be looking for patterns, that you can teach it, it can find. Don't do "hey, IOException"; you should be saying "file not found" or "file corrupted", because it needs to know that there are things happening. Okay? But don't put too much in your log, because if you put too much in the log, bearing in mind your logs could be compromised, you might be giving information away. It's a hard life, right?

So HATEOAS. HATEOAS can help you. So we need APIs that reduce the ability for data fuzzing, that reduce the ability to drive you down different paths, cool, reduce the ability of the machines to probe your API programmatically. We want to make it harder for human beings to figure out what you were doing if they get involved. We want a system that would allow you to detect that weird things are happening, okay? But also ultimately we still want a solution, as developers, an API that you can program to. Okay? So does HATEOAS help? Okay, well, here's a HATEOAS example: GET /accounts/12345, blah blah blah, some links. Now HATEOAS means, the way that this is structured, it means I can't get... the Swagger won't tell me what the values of these are going to be. Okay, I actually have to make the call to find out what the values are.
so that's good so it's not documented in the swagger other than as URLs as n point somewhere else so the relationship is not documented but as soon as I make one call I've now figured out what they were right so because Haiti of is intended to do this navigating through the system and making life easier for you as a developer it makes life easier for me as a hacker okay because you're telling me more about what I could do next you said hey you've added options you can do after this point are these okay if you do not understand that you're giving that about where you're helping the hackers but you can do things with Haiti OS that you can't do it rest that will make all this stuff go away so in a traditional rest point every end point can be called in any order right that's the whole point stateless cool cool right there's no relationships so you have any of these endpoints can what happens next a call any other endpoint hey teos used naively doesn't really make any difference because basically you say after you've called any endpoint I'll give you a list of all the other endpoints you can call right because they're all vaguely reasonable things to do that's the wrong thing what you're trying to do is say when I make an endpoint call I get back a list of valid endpoints okay so that they're the only things that you should do next okay however this does not stop the bad guys calling the other endpoints anyway you're not restricting their use to the empty a particular endpoint you're just saying these are valid but it's just it's just it hate really okay so you want to say how do I enforce the behavior the flow around the system given the the bias guys conceal the endpoints can call them directly okay well the approach you can take and this is just one but you can get the idea is is where you start off by having a front door you don't let people go straight to endpoints you have a front door and from that front door you get back endpoints that are reasonable to be 
called for that activity so if there's an account I get some ones that they go these are these are reasonable okay the ones that I think are unreasonable like closing the account on on this list they'll be have to be another cool to get access to that's date okay and then I start adding information into the URL that lets me track the cooler so I'm not adding state right I'm not tying these endpoints to a particular there's no affinities here but I'm putting information into the cool so this guy makes a call I give you some responses and I give you some unique data okay so let me show you what it looks something like this so I might have my accounts get a UID back and I get status that's going to give me the data I deposit in withdrawal and I get the endpoints but I get magic information attached with it however you put it in there whether it's parameters or your eyes okay okay so I explain how this works on exec so you've now connected the the initial caller with what happens next right that link together and if I take this basic design principle of separating out the use cases so the things that are less likely to happen like closing accounts they're not even valid I can't get there from that point all right so let me show you a different examples you can get but it looks a bit better in the data you know there's all these ways of getting data I can browse the you can pass on all sorts of information like how big the page sizes are and have what page number to start up and those things can be first I can put in back space size minus 100 right and that's just life if I take this a design approach I can validate the front door because I've got this information and I can look at that and go but that's why I'm gonna pull my effort in the front door once I've got past that okay the links that I give back once that's valid which could be say a list of data a list of users each of these isn't user 1 user 2 it's just an encrypted token okay so the links are still 
stateless so I have all these links and it says user 1 if you want to edit user 1 call this endpoint you want any user to call this I don't know that's user 1 or user 2 I don't have a UID for the user but I think encrypted round token okay they're still stateless I can keep calling them but every time I call them I get back another link with a different token and I'll show you what the takers got a second the thing is these can't be fast I'm not passing in selection data I'm passing in something opaque okay so that means that if I had a pet store and I say give me a list of all the pets by status and a page number I can get a query back and the thing says hold some random number okay and inside that random number could be all sorts of information that the Packer can't influence but helps you so for instance you'd have the real data in what the what the query was and what the pay size was but it might tell you how many pages have been processed it may tell you what the IP addresses the corner is right they might tell what when you started when did he make the call to the front door how long has this been session going on right and you're doing this in ways that he can't see that you're tracking right and anything else you think you want to do to check the profile of this user and to make sure they're not wandering off doing bad things okay because this encrypted data is not possible it's just random for us they could it's encrypted it's just a thing okay but you have all this actual information about what you could do so if you want to catch somebody going this guy's made 15 withdrawals boom boom boom boom or he's gone because I come into front-door remember contra front-door get a start of a state table and I can then go off to different places but he can track me so I make it cool when I go give me all the people whose name begins with a okay thank you now from there I can do a state call that might be another query okay that state query says give me everybody 
who's got B well and then I get back another unique link that says and he uses it to get all the people who got people with dealing with C suddenly you could start seeing because you're tracking air this guy's doing something that you're not thinking you think is invalid okay it's just one way of doing it the thing I really wanted to point out is this is the sort of thing you have to start thinking about how you design your api's so that you can stop people fuzzing it and giving out this naked information there's all sorts of ways that you could do this is just one example well this is what Haiti Offices of principle is giving you this state transition mechanism of going from one place to the other without tying your your rest endpoints to any particular service any particular runs thread or anything core any particular app server the it's still stateless but it's got unreadable tracking information that you can use to track what the person is doing identify bad behavior that's what we wanted so it's not fuzzy ball you can see what bad behavior is going on and you can control the actions of the end user it's not the only solution it's not the solution that's going to give you complete peace of mind but the fact is it's part of the defense-in-depth you should be thinking along these lines about how you're going to prevent yourself being hacked hate EOS whether it's the best or the worst thing of doing it it's made us think about how we do things and so that was the sort of thing we wanted to share good anything else you want to say no oh okay to have any more yeah I know you just don't know but ultimately we have six minutes left so I will stop there I if you want to know more about how bad the situation is and how people get into your systems I'm happy to inform you but as I said primarily this is all about defense in depth and about you thinking new ways to design your applications to reduce the ability of these guys to hack you because they've only got to be 
successful once that's it thank you [Applause] [Music]
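The front-door-plus-opaque-link design the speakers describe, worked through as an added example; this is not code from the talk, from IBM or from Liberty. A pet store query is validated once at the front door; the validated query, page size, caller IP and a pages-served counter are sealed into every next-page link with AES-GCM under a key only the server holds; and each follow-up call rejects tampered or forged links, links replayed from another address, and sessions that have walked past a page budget. The pet data is constructed, and the key handling, the IP check and the page limits are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample data standing in for the pet store back end.
var pets = map[string][]string{
	"available": {"rex", "tom", "fluffy", "nemo", "polly"},
}

const maxPageSize, maxPagesPerSession = 100, 3 // assumed limits; the page budget is tiny so the tripwire shows in a short run

// linkState is what the server hides in every link. The client only ever sees the sealed base64 form, so none of it can be read or fuzzed.
type linkState struct {
	ClientIP string `json:"ip"` // who opened the session at the front door
	Status   string `json:"q"`  // the query, validated once at the front door
	PageSize int    `json:"ps"` // likewise validated once
	Page     int    `json:"p"`  // page this link serves
	Served   int    `json:"n"`  // pages already handed out in this session
}

type apiServer struct{ aead cipher.AEAD } // seals link state with AES-GCM under a key only the server holds

func newAPIServer(key []byte) (*apiServer, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &apiServer{aead: aead}, err
}

// seal encrypts and authenticates the state. A fresh random nonce per link means the same state never yields the same link twice.
func (s *apiServer) seal(st linkState) (string, error) {
	plain, _ := json.Marshal(st) // a struct of strings and ints always marshals
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.aead.Seal(nonce, nonce, plain, nil)), nil
}

// open rejects anything this server did not seal (forged, tampered, truncated). The error is vague on purpose; the detail belongs in the server log.
func (s *apiServer) open(token string) (st linkState, err error) {
	n := s.aead.NonceSize()
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < n {
		return linkState{}, errors.New("invalid link")
	}
	plain, err := s.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil || json.Unmarshal(plain, &st) != nil {
		return linkState{}, errors.New("invalid link")
	}
	return st, nil
}

// FrontDoor is the only place raw client input is accepted, so it is the only place that needs fuzz-hardening. It returns the first opaque link.
func (s *apiServer) FrontDoor(clientIP, status string, pageSize int) (string, error) {
	if _, ok := pets[status]; !ok {
		return "", errors.New("unknown status")
	}
	if pageSize < 1 || pageSize > maxPageSize {
		return "", errors.New("page size out of range")
	}
	return s.seal(linkState{ClientIP: clientIP, Status: status, PageSize: pageSize})
}

// Follow serves the page a link points at and hands back the next opaque link (empty on the last page). Every check runs on what the server put in the token, never on a client-supplied value.
func (s *apiServer) Follow(clientIP, token string) (items []string, next string, err error) {
	st, err := s.open(token)
	if err != nil {
		return nil, "", err
	}
	if st.ClientIP != clientIP { // coarse (NAT, mobile clients): a real service might log and score instead of rejecting
		return nil, "", fmt.Errorf("link replayed from %s", clientIP)
	}
	if st.Served >= maxPagesPerSession { // the kind of pattern the talk wants to catch
		return nil, "", errors.New("session walked too many pages")
	}
	all := pets[st.Status]
	start, end := st.Page*st.PageSize, (st.Page+1)*st.PageSize // start < len(all): Page only advances while more remains
	if end > len(all) {
		end = len(all)
	}
	if end < len(all) { // more to come: mint the next link with the counters advanced
		st.Page, st.Served = st.Page+1, st.Served+1
		if next, err = s.seal(st); err != nil {
			return nil, "", err
		}
	}
	return all[start:end], next, nil
}
```

Call `FrontDoor` with the raw query, then keep calling `Follow` with whatever link came back until it is empty. Since a client cannot read or alter anything inside a link, the only inputs that ever need fuzz-hardening are the ones the front door accepts, and a walk that is too long, or a link that turns up from a different address, is caught from the server's own counters rather than from anything the caller sent. In a real service the key would come from a secrets manager and be rotated, which also bounds how long a captured link stays usable.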
Info
Channel: Devoxx
Views: 2,967
Rating: 4.830986 out of 5
Keywords: DevoxxUK, DevoxxUK2019
Id: IL2PlsbvUDs
Length: 45min 0sec (2700 seconds)
Published: Thu May 16 2019