Creating a Safe Environment for Under-Protected APIs WHITEPAPER


TABLE OF CONTENTS

- Background (page 3)
  - What are APIs? (page 3)
- APIs in Modern Applications (page 3)
  - Rapid FaaS Evolution is Driving API Adoption (page 4)
- Security Concerns of Distributed API Architecture (page 4)
  - The API Security Visibility Problem (page 4)
  - API Security Risks and Vulnerabilities (page 4)
- Designing a Secured API Environment (page 6)
  - Inline API Security Measures (page 6)
  - Radware API Security Technology (page 6)
- References (page 7)

CREATING A SAFE ENVIRONMENT FOR UNDER-PROTECTED APIs | WHITE PAPER 2

BACKGROUND

The newly published OWASP Top 10 2017 Release Candidate introduces new application security risk protection for APIs. This is a common concern as modern applications and services rely heavily on API integration and communication. While on one hand APIs provide synergy and efficiency to business operations by simplifying the architecture and delivery, on the other they introduce a wide range of risks and vulnerabilities. The combination of growing adoption and security risks was the major driver for this new entry to the OWASP list.

What are APIs?

An API (Application Programming Interface) is a set of tools and protocols used to develop application software. The interface's predefined request-response message system exposes reliable content and operation negotiation (typically expressed in JSON or XML). The most common API protocol styles in modern architectures are REST and SOAP; REST is by far the most common.

Figure 1 - Distribution of API Protocols and Styles, based on the directory of APIs listed at ProgrammableWeb, May 2016.

Publicly available APIs allow sharing of content and data openly between communities and applications. ProgrammableWeb, one of the world's leading information sources about Internet-based APIs, lists more than 17,444 APIs in its API Directory. This number has almost doubled during the past 4 years. Some outstanding companies have built API businesses that match or exceed their original focus. For example, Salesforce reportedly generates 50% of its revenues through APIs, eBay nearly 60% and Expedia 90%.

APIS IN MODERN APPLICATIONS

APIs are used in a variety of modern applications; the most common examples are:

- Mobile applications
- Applications for IoT devices
- Embedding public and 3rd-party APIs as external services into an existing application (e.g. Google Maps APIs)

DevOps environments, with the ever-increasing demand for continuous delivery, require complete process automation utilizing APIs across the board:

- Service provisioning and management (e.g. AWS API)
- Platform management apps
- Continuous delivery process automation

Rapid FaaS Evolution is Driving API Adoption

Serverless architecture - or FaaS (Functions as a Service) - offers a model where the operational unit is a set of function containers rather than a web server. These functions are APIs exposed to the client-side application, which may invoke them upon a relevant client-side event. A simple example would be an IoT device that pushes a notification when a temperature reaches a predefined threshold. In a FaaS architecture, the management of function containers is greater in complexity than just managing long-lived virtual machines: function containers are created upon request and may disappear immediately after being used. This approach simplifies the development process and reduces OPEX dramatically. It is important to state that APIs are not tightly coupled with FaaS; they are widely used in other architectures and with web applications.

SECURITY CONCERNS OF DISTRIBUTED API ARCHITECTURE

The API Security Visibility Problem

API vulnerabilities are hard to monitor and do not stand out. Traditional application security assessment tools do not work well with APIs or are simply irrelevant in this case. DAST (Dynamic Application Security Testing) and application scanning tools, for example, cannot invoke the API because they cannot generate well-formed requests. Even if the tool knew whether the request body should be JSON or XML, and even had a schema for the API, it is still difficult to provide the data required to correctly invoke an API.

"Since many Application Programming Interfaces are mission critical and involve crucial business functionalities and processes, API security has become a major concern and challenge for organizations."

Similarly, SAST (Static Application Security Testing) tools don't do a great job of scanning API code: in a typical API, third-party frameworks and libraries use custom methods to read a JSON or XML document from the body of the HTTP request, parse it, and pass the data into the API code. These methods differ from one another and are subject to change, limiting the success rate of static tools.

When planning an API security infrastructure, authentication and authorization must be taken into account, yet these are often not addressed properly in many API security solutions. As clearly stated in the OWASP Top 10 2017 Release Candidate, "all the different types of injection, authentication, access control, encryption, configuration, and other issues can exist in APIs just as in a traditional application."

API Security Risks and Vulnerabilities

Web services such as APIs are vulnerable to all types of attacks and threats against web applications:

Vulnerability/Attack: API transaction manipulations
Risk: Confidentiality and integrity of data in transit.
Protections/Controls:
- TLS is required to secure the communications between the client and APIs for transport confidentiality and integrity of data in transit.

Vulnerability/Attack: TCP protocol attacks and evasion techniques
Risk: TCP packet replay, TCP packet fragmentation, TCP packet reordering.
Protections/Controls:
- Once an evasion attempt or protocol manipulation is detected, an immediate TCP termination shall be taken.

Vulnerability/Attack: HTTP protocol attacks and evasion techniques
Risk: Manipulation of HTTP headers (for instance, a content-type header that is not aligned with the content sent in the body, etc.).
Protections/Controls:
- HTTP protocol parsing and enforcement of the HTTP RFC protects against various HTTP attacks such as NULL byte injection, encoded attacks, HRS attacks, content-type mismatch, etc.
- Traffic normalization for evasion attack detection. Peacetime patterns shall be used as a reference, as encoded attacks can easily bypass security solutions.
- Message size policy enforcement on HTTP message, body, header and JSON/XML element sizes secures the application against buffer overflow attacks, resource exhaustion and other availability attacks on API infrastructure.

Vulnerability/Attack: POSTed JSON and XML injections
Risk: May eventually reach databases, leading to injections.
Protections/Controls:
- Strong typing and a positive security model provide tight protection to API infrastructure. It will be impossible to generate most of the attacks if, for example, the only allowed value type in the JSON element is an integer with the value range of 1-100.
- XML/JSON validity checks and schema validation are extremely important security protections. Types, value ranges, sizes and order of XML elements must be configurable.
- SQL and NoSQL injection protections through sanitizing and validating user inputs and rule-based attack detection.

Vulnerability/Attack: Insecure Direct Object References
Risk: Manipulation of state information in the parameter value storing the account number may allow access to unexpected data.
Protections/Controls:
- Session and field protections against manipulation.
- Input validation in POST transactions to detect injection of references.

Vulnerability/Attack: Invalidated Redirects
Risk: External entity embedding malicious content in the service or application.
Protections/Controls:
- Validation of user inputs for external domains in parameters and submitted forms and form fields.

Vulnerability/Attack: Data Leakage
Risk: Credit cards, social security numbers, passwords or any other sensitive data may leak through the API response.
Protections/Controls:
- Data Leak Protection to make sure error messages and sensitive information are not leaking out to a potential attacker. Data structures and schemes of private information shall be recognized and guarded. Also, 500 error messages may leak architecture information, exposing server and data-storing types.

Vulnerability/Attack: Access Violations and abuse of APIs
Risk: Unexpected users may
Protections/Controls:
- Access Control policy management with:
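The strong-typing and positive-security controls in the table (size policy, content-type agreement, schema validation with types and value ranges, rejection of anything not in the schema) combined into one request check, as an added example that is not part of the whitepaper or of any Radware product; the endpoint, field names and limits are assumptions:

```python
import json

# Constructed positive-security policy for a hypothetical transfer endpoint: every
# accepted field is enumerated with its type and bounds; anything not listed is rejected.
POLICY = {
    "max_body_bytes": 1024,
    "content_type": "application/json",
    "fields": {
        "account": {"type": str, "required": True, "max_len": 12, "digits_only": True},
        "amount": {"type": int, "required": True, "min": 1, "max": 100},
        "memo": {"type": str, "required": False, "max_len": 64},
    },
}


def validate_request(headers, body):
    """Return (ok, reason) for a request given its header dict and raw body bytes."""
    # Size policy is enforced before parsing, so oversized bodies never reach the parser.
    if len(body) > POLICY["max_body_bytes"]:
        return False, "body exceeds size policy"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != POLICY["content_type"]:  # declared type must match what we accept
        return False, "content-type mismatch"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(data, dict):
        return False, "top-level element must be an object"
    # Positive model: fields absent from the policy are a violation, not ignored.
    unknown = sorted(set(data) - set(POLICY["fields"]))
    if unknown:
        return False, "unexpected field(s): " + ",".join(unknown)
    for name, rule in POLICY["fields"].items():
        if name not in data:
            if rule["required"]:
                return False, f"missing field {name}"
            continue
        value = data[name]
        # bool is a subclass of int in Python, so exclude it explicitly for strong typing.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            return False, f"{name}: wrong type"
        if rule["type"] is int and not rule["min"] <= value <= rule["max"]:
            return False, f"{name}: out of range"
        if rule["type"] is str:
            if len(value) > rule["max_len"]:
                return False, f"{name}: too long"
            if rule.get("digits_only") and not value.isdigit():
                return False, f"{name}: must contain digits only"
    return True, "ok"
```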

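The Data Leakage row's two controls, masking sensitive values in API responses and replacing 500-series bodies so that architecture details never reach the client, as an added example that is not part of the whitepaper or of any Radware product; the detection patterns and field names are constructed and illustrative:

```python
import json
import re

# Constructed detection patterns for the data classes the table names (payment
# card numbers and US social security numbers) plus field names that must never
# be echoed back. A production DLP engine would add Luhn checks and broader
# discovery; these patterns are illustrative assumptions.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SENSITIVE_KEYS = {"password", "ssn", "card_number"}


def mask_pan(match):
    """Keep only the last four digits of a detected card number."""
    digits = re.sub(r"\D", "", match.group(0))
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_value(value):
    """Recursively mask sensitive patterns in strings, lists and objects."""
    if isinstance(value, str):
        return SSN_RE.sub("***-**-****", PAN_RE.sub(mask_pan, value))
    if isinstance(value, list):
        return [scrub_value(v) for v in value]
    if isinstance(value, dict):
        return {k: "[redacted]" if k.lower() in SENSITIVE_KEYS else scrub_value(v)
                for k, v in value.items()}
    return value


def scrub_response(status, body):
    """Return a (status, body) pair that is safe to send to the client.

    5xx bodies are replaced wholesale: stack traces, database engine names
    and server versions stay inside the boundary (log the original internally).
    Other bodies are walked and sensitive values are masked in place.
    """
    if status >= 500:
        return status, json.dumps({"error": "internal error", "status": status})
    try:
        data = json.loads(body)
    except ValueError:
        return status, scrub_value(body)  # not JSON: scrub the raw text
    return status, json.dumps(scrub_value(data))
```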