Modern API Security
Engineering security into the API lifecycle
Alejandro Gomez
August 6th, 2024

Modern API Security © 2024 Carnegie Mellon University
DISTRIBUTION STATEMENT A. This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Document Markings

Carnegie Mellon University 2024

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

References herein to any specific entity, product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute nor of Carnegie Mellon University - Software Engineering Institute by any such named or represented entity.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Agenda
1. Definitions
2. The State of APIs
3. Engineering Security in APIs
4. Q&A

Definitions

Application Programming Interfaces

"A set of functionalities independent of their implementation, allowing the implementation to vary without compromising the users of the component." - Joshua Bloch
Security / Cybersecurity

Engineering cybersecurity must be:
1. Empirical (i.e., data-driven)
2. Cost-effective
3. Maintaining the CIA qualities (confidentiality, integrity, availability)

The State of Modern APIs

Modern APIs:
1. Are ubiquitous
2. Expose system functionality to clients
3. Require evolvable interfaces
All of these are avenues for attackers to exploit!

Internet traffic is overwhelmingly API-based
Its share is also increasing relative to other types of requests. Source: Cloudflare 2022
Machine-learning-based discovery found 30.7% more API endpoints than organizations self-reported. Source: Cloudflare 2022

API usage is growing in heavily regulated industries
Banking, Financial Services, and Telecommunications are seeing a rise in API usage. Source: Cloudflare 2022
The U.S. Government's API use is increasing
Metrics collected from data.gov show a linear increase in API use in recent years. Source: data.gov 2024

Over half of API requests are write requests
Most internet APIs make their system operations available to end users, increasing the system's attack surface. Source: Cloudflare 2022

Source: CNN 2024
"Each time the user pressed enter on the frozen screen, it would silently update the record"

APIs create risk
By exposing fragile system functionality to unknown clients.
- 92% of organizations experienced an API-related security incident in 2022
- 57% of these experienced multiple API-related security incidents
- 63% of incidents involved a data breach or data loss
Sources: Palo Alto Networks 2023; Akamai 2023

The rate of change in software is faster than ever
APIs evolve at the rate of change they are expected to accommodate. Source: Bernhardsson 2016

We as software designers need to provide assurance that APIs:
- Work as expected for their users
- Are trustworthy instead of vulnerable
- Are an asset instead of a liability
- Create value instead of harm
Engineering Security in APIs

DevSecOps

Development

Scanning for vulnerabilities on each change
Scanners enable automation of vulnerability detection:
- Static code analyzer
- Runtime scanner
- Configuration scanner
- IaC scanner
- Secrets scanner
- Database scanner
- Port scanner
- Cloud vulnerability scanner
- Network scanner
- DAST scanner
- Open-source scanner
- Container scanner
- License scanner
- Code quality scanner

What is scanned:
- At the source code level: code changes, manifests, configurations, images, documentation, OS, libraries (lockfiles)
- At the version control level

Versioning
Version the interface separately from the system it supports. Various strategies allow clients to use different API versions, including:
- Versioned endpoints
- Feature flags
- Data structures that allow for different compatibility

Case study: How do you design an API for all the world's payment methods?
Q: How do you design an API for all the world's payments?
You start with a small, focused approach, then iterate on it. Sometimes add extensions. Occasionally, do a complete rewrite (with backward compatibility).
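The three versioning strategies on the slide in one small Python service, as an added example that is not code from the presentation: versioned endpoints (`/v1/payments`, `/v2/payments`), a per-client feature flag gating the new version, and one internal data structure that both wire formats map onto so the payment system behind the interface never changes. The `Payment` model, the `V2_ENABLED_CLIENTS` allow-list, the field names and the in-memory ledger are assumptions for illustration.

```python
"""Versioned API surface over one internal model (added example, not the deck's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional


class ApiError(Exception):
    """Carries the HTTP status the gateway should return."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class Payment:
    """Internal model: versioned independently of any wire format (assumed shape)."""
    amount_minor: int            # smallest currency unit, e.g. cents
    currency: str
    idempotency_key: Optional[str]


# Feature flag (assumed): v2 is served only to clients that have opted in.
V2_ENABLED_CLIENTS = {"acme"}


def _positive_int(value: object, field: str) -> int:
    # bool is a subclass of int in Python, so it has to be excluded explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ApiError(400, f"{field} must be a positive integer")
    return value


def _reject_unknown(body: dict, allowed: set[str]) -> None:
    # Unknown fields are rejected, not ignored: a client cannot smuggle attributes
    # defined by one version into the parser of another.
    unknown = set(body) - allowed
    if unknown:
        raise ApiError(400, f"unknown fields: {sorted(unknown)}")


def parse_v1(body: dict) -> Payment:
    """v1 wire format: {"amount_cents": 1250}; the currency was implicitly USD."""
    _reject_unknown(body, {"amount_cents"})
    return Payment(_positive_int(body.get("amount_cents"), "amount_cents"), "USD", None)


def parse_v2(body: dict) -> Payment:
    """v2 wire format: {"amount": {"value": 1250, "currency": "EUR"}, "idempotency_key": "..."}."""
    _reject_unknown(body, {"amount", "idempotency_key"})
    amount = body.get("amount")
    if not isinstance(amount, dict):
        raise ApiError(400, "amount must be an object")
    _reject_unknown(amount, {"value", "currency"})
    currency = amount.get("currency")
    if not isinstance(currency, str) or not re.fullmatch(r"[A-Z]{3}", currency):
        raise ApiError(400, "currency must be a three-letter ISO 4217 code")
    key = body.get("idempotency_key")
    if not isinstance(key, str) or not re.fullmatch(r"[A-Za-z0-9_-]{8,64}", key):
        raise ApiError(400, "idempotency_key is required in v2")
    return Payment(_positive_int(amount.get("value"), "amount.value"), currency, key)


PARSERS: dict[str, Callable[[dict], Payment]] = {"v1": parse_v1, "v2": parse_v2}
_LEDGER: list[Payment] = []   # stands in for the payment system behind the interface


def create_payment(payment: Payment) -> str:
    """Single implementation serving every interface version."""
    _LEDGER.append(payment)
    return f"pay_{len(_LEDGER)}"


def handle(client_id: str, path: str, body: dict) -> dict:
    """POST /<version>/payments; each version returns only the fields it documents."""
    match = re.fullmatch(r"/(v[0-9]+)/payments", path)
    if not match or match.group(1) not in PARSERS:
        raise ApiError(404, "unknown route or unsupported version")
    version = match.group(1)
    if version == "v2" and client_id not in V2_ENABLED_CLIENTS:
        raise ApiError(403, "v2 is not enabled for this client")
    payment = PARSERS[version](body)
    payment_id = create_payment(payment)
    if version == "v1":
        return {"id": payment_id, "amount_cents": payment.amount_minor}
    return {"id": payment_id, "amount": {"value": payment.amount_minor, "currency": payment.currency}}


def respond(client_id: str, path: str, body: dict) -> tuple[int, dict]:
    """Gateway-style wrapper: (status, body) for any outcome."""
    try:
        return 200, handle(client_id, path, body)
    except ApiError as err:
        return err.status, {"error": str(err)}
```

Retiring v1 later means deleting `parse_v1` and its branch in `handle`; nothing in `create_payment` or `Payment` changes, which is what "version the interface separately from the system it supports" buys you. The flag also gives a rollback path for v2 that does not involve redeploying the system.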
Testing

Testing Strategies for API Inputs
Testing for the resilience of API inputs can be broken down as:
Deterministic:
- Unit
- Integration
- E2E
- Accessibility
Non-deterministic:
- Fuzzers
- Chaos testing
- QA team
- Manual
- Red-team testing
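The deterministic/non-deterministic split in practice, as an added example (Python, not code from the presentation): a pagination-cursor parser that passes its round-trip unit tests, a seeded mutation fuzzer that turns up the exception classes those tests never exercise, and a hardened parser that collapses every malformed input into one expected rejection. The cursor format `base64("<offset>|<sort_key>")`, the seeds and the mutation alphabet are constructed for the example.

```python
"""Deterministic unit tests versus seeded mutation fuzzing of a cursor parser (added example)."""
from __future__ import annotations

import base64
import binascii
import random
import re


def make_cursor(offset: int, sort_key: str) -> str:
    """Constructed pagination cursor: base64url of "<offset>|<sort_key>"."""
    return base64.urlsafe_b64encode(f"{offset}|{sort_key}".encode()).decode()


def decode_cursor_naive(token: str) -> tuple[int, str]:
    """Handles the happy path only; each malformed token escapes as a different exception."""
    raw = base64.urlsafe_b64decode(token)   # binascii.Error on bad padding
    text = raw.decode("utf-8")              # UnicodeDecodeError on arbitrary bytes
    parts = text.split("|")
    offset = int(parts[0])                  # ValueError on non-digits
    return offset, parts[1]                 # IndexError once the separator is gone


class CursorError(ValueError):
    """The single expected rejection: maps to HTTP 400, never to a 500."""


_OFFSET = re.compile(r"[0-9]{1,7}")   # ASCII digits only; str.isdigit() would also accept '²'


def decode_cursor_safe(token: str) -> tuple[int, str]:
    if not isinstance(token, str) or len(token) > 256:
        raise CursorError("cursor missing or too long")
    try:
        text = base64.urlsafe_b64decode(token).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError) as err:
        raise CursorError("undecodable cursor") from err
    parts = text.split("|", 1)
    if len(parts) != 2 or not _OFFSET.fullmatch(parts[0]) or len(parts[1]) > 64:
        raise CursorError("malformed cursor")
    return int(parts[0]), parts[1]


SEEDS = [make_cursor(0, "id"), make_cursor(10, "created_at"), make_cursor(1234567, "name")]
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_=|/+ "


def deterministic_tests_pass(decode) -> bool:
    """The unit tests a developer would write: round-trips of well-formed cursors."""
    cases = [(0, "id"), (10, "created_at")]
    return all(decode(make_cursor(offset, key)) == (offset, key) for offset, key in cases)


def mutate(rng: random.Random, s: str) -> str:
    if not s:
        return rng.choice(ALPHABET)
    i = rng.randrange(len(s))
    op = rng.randrange(4)
    if op == 0:
        return s[:i] + s[i + 1:]                         # delete a character
    if op == 1:
        return s[:i] + rng.choice(ALPHABET) + s[i:]      # insert one
    if op == 2:
        return s[:i] + rng.choice(ALPHABET) + s[i + 1:]  # replace one
    return s + s[i:]                                     # duplicate a tail


def fuzz(target, seeds=SEEDS, iterations: int = 2000, seed: int = 1) -> dict[str, str]:
    """Returns {qualified exception name: first triggering input} for anything but CursorError."""
    rng = random.Random(seed)   # seeded so every finding is reproducible from (seed, iteration)
    findings: dict[str, str] = {}
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(seeds))
        try:
            target(candidate)
        except CursorError:
            continue                                      # expected rejection
        except Exception as err:                          # anything else is a 500 in production
            findings.setdefault(f"{type(err).__module__}.{type(err).__name__}", candidate)
    return findings
```

`fuzz(decode_cursor_naive)` reports several exception classes the round-trip tests never reach; `fuzz(decode_cursor_safe)` reports none. The findings dictionary keeps the first input per class, which is the reproducer you add back to the deterministic suite so the fuzzer's discovery becomes a regression test.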
Deployment / Operations
How do you engineer secure API deployments?
Canary deployments
- Allow for feature testing
- Limit blast radius
Rollbacks
- Enable rapid failure recovery
- Incentivize small, atomic commits in development
Monitoring & Logging
- Find problems before they appear
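How a canary limits blast radius and how monitoring feeds a rollback, as an added example (Python, not from the presentation) of the control loop rather than any particular deployment tool: clients are assigned to the canary by a stable hash so each one sees a consistent version, request outcomes are recorded, and the canary is withdrawn automatically once its observed error rate exceeds a budget. The `Canary` class, the 10% default share, the 5% error budget and the constructed traffic in `simulate` are assumptions.

```python
"""Canary routing with an error-budget rollback (added example, not the deck's code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Canary:
    stable: str                      # e.g. the image tag of the current release
    canary: str
    canary_percent: int = 10         # share of clients sent to the canary (assumed default)
    max_error_rate: float = 0.05     # roll back once the canary's error rate exceeds this...
    min_samples: int = 50            # ...after at least this many canary requests
    outcomes: dict = field(default_factory=lambda: {"stable": [0, 0], "canary": [0, 0]})
    rolled_back: bool = False

    def route(self, client_id: str) -> str:
        """Sticky assignment: a client lands on the same version for the whole rollout."""
        if self.rolled_back:
            return self.stable
        bucket = int(hashlib.sha256(client_id.encode()).hexdigest(), 16) % 100
        return self.canary if bucket < self.canary_percent else self.stable

    def record(self, version: str, ok: bool) -> bool:
        """Feed one request outcome; returns True if this observation triggered a rollback."""
        if self.rolled_back:
            return False
        key = "canary" if version == self.canary else "stable"
        counts = self.outcomes[key]              # [requests, failures]
        counts[0] += 1
        if not ok:
            counts[1] += 1
        requests, failures = self.outcomes["canary"]
        if key == "canary" and requests >= self.min_samples and failures / requests > self.max_error_rate:
            self.rolled_back = True              # every later route() call returns the stable version
        return self.rolled_back

    def error_rate(self, key: str) -> float:
        requests, failures = self.outcomes[key]
        return failures / requests if requests else 0.0


def simulate(canary: Canary, n: int, canary_fails_every: int) -> Canary:
    """Constructed traffic: client i fails on the canary when i % canary_fails_every == 0."""
    for i in range(n):
        version = canary.route(f"client-{i}")
        failing = version == canary.canary and canary_fails_every and i % canary_fails_every == 0
        canary.record(version, not failing)
    return canary
```

Because only the clients whose hash falls in the canary bucket ever see the new build, a bad release is contained to that share until the budget trips, and the rollback is a flag flip rather than a redeploy. In a real rollout the error signal comes from the monitoring and logging pipeline (5xx rate, auth failures, validation rejections) instead of `simulate`.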
Security - Channel: a network, wire, pipe, etc.

API Channel Security
Defense-in-depth through Zero-Trust Architecture
- In Zero Trust (ZT), there is no distinction between internal and external network security
- Perform schema validation of requests
- Use TLS, IPsec, or similar protocols that provide confidentiality, integrity, and authentication, even inside a "safe" network!
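Both channel-security points on the slide, as an added example in Python (not the presentation's code): a request schema validator that returns only the fields it names and rejects everything else, shown next to the handler it protects, and a server-side TLS context for an internal service that requires a client certificate instead of trusting the network. The `CREATE_USER_SCHEMA`, the `role` attribute and the commented certificate paths are assumptions.

```python
"""Request schema validation and a strict internal-service TLS context (added example)."""
from __future__ import annotations

import json
import ssl


class ValidationError(ValueError):
    """Maps to HTTP 400; the body never reaches business logic."""


# Schema as plain data (assumed for this example): field -> (python type, required, max length).
CREATE_USER_SCHEMA = {
    "email": (str, True, 254),
    "display_name": (str, False, 64),
}


def validate(body: bytes, schema: dict, max_bytes: int = 4096) -> dict:
    """Returns only the fields the schema names, each type- and length-checked."""
    if len(body) > max_bytes:
        raise ValidationError("body too large")
    try:
        obj = json.loads(body)
    except (ValueError, RecursionError) as err:
        # RecursionError: deeply nested '[[[[...' can exhaust the parser before the size cap does.
        raise ValidationError("malformed JSON") from err
    if not isinstance(obj, dict):
        raise ValidationError("JSON object expected")
    unknown = set(obj) - set(schema)
    if unknown:
        # Rejecting unknown fields is what stops mass assignment, e.g. a client-supplied "role".
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    out = {}
    for name, (typ, required, max_len) in schema.items():
        if name not in obj:
            if required:
                raise ValidationError(f"missing field: {name}")
            continue
        value = obj[name]
        if (typ is not bool and isinstance(value, bool)) or not isinstance(value, typ):
            raise ValidationError(f"wrong type for {name}")   # bool is an int subclass in Python
        if max_len is not None and len(value) > max_len:
            raise ValidationError(f"{name} too long")
        out[name] = value
    return out


def vulnerable_create_user(body: bytes) -> dict:
    """Before: whatever the client sends is merged into the record."""
    record = {"role": "user"}
    record.update(json.loads(body))        # a request carrying {"role": "admin"} wins
    return record


def hardened_create_user(body: bytes) -> dict:
    """After: server-controlled attributes come from the server, client fields from the schema."""
    return {"role": "user", **validate(body, CREATE_USER_SCHEMA)}


def rejects(body: bytes) -> bool:
    """True when the hardened handler refuses the body with a ValidationError."""
    try:
        hardened_create_user(body)
    except ValidationError:
        return True
    return False


def internal_service_tls_context() -> ssl.SSLContext:
    """Zero-trust wire settings for a service inside the 'safe' network: TLS 1.2+, client cert required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # mutual TLS: the caller is authenticated by certificate
    # Deployment-specific material (assumed paths, not loaded in this example):
    # ctx.load_cert_chain("/etc/svc/server.pem", "/etc/svc/server.key")
    # ctx.load_verify_locations(cafile="/etc/svc/internal-ca.pem")
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
```

The validator is deliberately an allow-list: it copies named fields out rather than deleting known-bad ones, so a new attribute added to the storage model is unreachable from the wire until someone adds it to the schema. The TLS context enforces the same idea on the channel: a caller on the internal network proves who it is with a certificate, and nothing about its IP address is trusted.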
Security - Interface: the set of functionalities exposed to clients

API Interface Security
Runtime:
- API gateways are frequently used to aggregate multiple functions
- Use stress testing to assure the rate-limiting mechanism
Configuration management:
- Find vulnerable configurations in authentication and middleware
- Configuration of the policy engine that allows access to resources
"Be liberal with your inputs, restrictive with your outputs."
(This is Postel's robustness principle. Read it together with the schema validation called for under channel security: tolerate benign variation in how clients format requests, but validate everything before it reaches business logic, and return only the fields each client is documented to receive.)
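Stress-testing the rate limiter, as an added example in Python that is not code from the presentation: a per-principal token bucket of the kind a gateway enforces, and a stress harness that fires concurrent requests through it with a frozen clock so the admitted count can be checked exactly against the configured burst capacity and refill rate. The `RateLimiter` and `FakeClock` classes and the capacity and refill numbers are assumptions.

```python
"""Per-principal token-bucket rate limiter with a concurrency stress test (added example)."""
from __future__ import annotations

import threading
import time
from typing import Callable


class RateLimiter:
    """Token bucket per principal. Key on an authenticated identity, not on a spoofable header."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._buckets: dict[str, list[float]] = {}   # principal -> [tokens, last_refill_time]
        self._lock = threading.Lock()

    def allow(self, principal: str) -> bool:
        now = self.clock()
        with self._lock:                             # check and spend in one critical section
            tokens, last = self._buckets.get(principal, [float(self.capacity), now])
            tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
            if tokens >= 1.0:
                self._buckets[principal] = [tokens - 1.0, now]
                return True
            self._buckets[principal] = [tokens, now]
            return False


class FakeClock:
    """Lets the stress test freeze and advance time deterministically."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def stress(limiter: RateLimiter, principal: str, threads: int, requests_each: int) -> int:
    """Fire requests from many threads at once and return how many were admitted."""
    admitted = [0] * threads

    def worker(idx: int) -> None:
        for _ in range(requests_each):
            if limiter.allow(principal):
                admitted[idx] += 1

    pool = [threading.Thread(target=worker, args=(i,)) for i in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return sum(admitted)
```

With the clock frozen, a burst of 400 concurrent attempts against a capacity of 100 must admit exactly 100; any more means the check-then-spend window is not atomic, which is the bug a stress test is there to find. The principal string should come from the gateway's authentication result (token subject, mTLS certificate subject); keying on `X-Forwarded-For` lets a client pick its own bucket unless the edge proxy overwrites that header.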
Security - Systems: a system that performs a task and delegates the output to an interface

API System Security
Securing the systems that enable APIs
- Use memory-safe languages

Q&A