微服務與API的風險及緩解措施.pdf

1、Microservice and API Risks and Mitigations 2024 Carnegie Mellon University1DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.2024 Carnegie Mellon UniversityDISTRIBUTION STATEME

2、NT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.AUGUST 7,2024McKinley Sconiers-HasanCERT Associate Solutions EngineerMicroservice and API Risks and MitigationsMicroservice and API Risks and Miti

3、gations 2024 Carnegie Mellon University2DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Document MarkingsCopyright 2024 Carnegie Mellon University.The view,opinions,and/or fi

4、ndings contained in this material are those of the author(s)and should not be construed as an official Government position,policy,or decision,unless designated by other documentation.NO WARRANTY.THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASI

5、S.CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,EITHER EXPRESSED OR IMPLIED,AS TO ANY MATTER INCLUDING,BUT NOT LIMITED TO,WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,EXCLUSIVITY,OR RESULTS OBTAINED FROM USE OF THE MATERIAL.CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF

6、ANY KIND WITH RESPECT TO FREEDOM FROM PATENT,TRADEMARK,OR COPYRIGHT INFRINGEMENT.DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.This material may be reproduced in its entire

7、ty,without modification,and freely distributed in written or electronic form without requesting formal permission.Permission is required for any other use.Requests for permission should be directed to the Software Engineering Institute at permissionsei.cmu.edu.CERT and Carnegie Mellon are registered

8、 in the U.S.Patent and Trademark Office by Carnegie Mellon University.DM24-0993Microservice and API Risks and Mitigations 2024 Carnegie Mellon University3DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Gove

9、rnment use and distribution.Introduction to APIs Microservice architectures 3 common risks of modern APIs Authorization vulnerabilities Final recommendationsAgendaMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University4DISTRIBUTION STATEMENT A This material has been approved for p

10、ublic release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Introduction t

11、o APIsMicroservice and API Risks and Mitigations 2024 Carnegie Mellon UniversityMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University5DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Gov

12、ernment use and distribution.Introduction to APIsRequestResponseAn API is a connector between two applicationsMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University6DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see C

13、opyright notice for non-US Government use and distribution.Introduction to APIsResponseRequesthttps:/ of the TigerMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University7DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please s

14、ee Copyright notice for non-US Government use and distribution.Introduction to APIsResponseRequesthttps:/ of the TigerMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University8DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Plea

15、se see Copyright notice for non-US Government use and distribution.APIs are Important for SecurityDatabaseapplicationAPIpublicMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University9DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribut

16、ion.Please see Copyright notice for non-US Government use and distribution.API StructureMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University10DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for n

17、on-US Government use and distribution.API StructureendpointsMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University11DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and dis

18、tribution.API StructureendpointsparametersMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University12DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.DISTRIBU

19、TION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Microservice ArchitecturesMicroservice and API Risks and Mitigations 2024 Carnegie Mellon UniversityMicroservice and API Risks and Mit

20、igations 2024 Carnegie Mellon University13DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Monolithic vs Microservice ArchitecturesUIMonolithic ApplicationDBUIMicroservicesDBD

21、BDBDBDBDBMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University14DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Monolithic vs Microservice ArchitecturesM

22、onolithic ApplicationPaymentProductsLogin.UIUIMicroservicesDBDBDBDBDBDBDBMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University15DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Governmen

23、t use and distribution.Monolithic vs Microservice ArchitecturesMonolithic ApplicationPaymentProductsLogin.UIUIMicroservicesDBDBDBDBDBDBDBMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University16DISTRIBUTION STATEMENT A This material has been approved for public release and unlimit

24、ed distribution.Please see Copyright notice for non-US Government use and distribution.DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Risks of Microservice ArchitecturesMicr

25、oservice and API Risks and Mitigations 2024 Carnegie Mellon UniversityMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University17DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government u

26、se and distribution.Increased Attack SurfaceMonolithic ApplicationPaymentProductsLogin.UIDBDBDBDBDBDBMicroservicesMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University18DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please

27、see Copyright notice for non-US Government use and distribution.Recommendations Add redundancy measures to prevent overload from API use in support structures,such as the API gateway and authentication servers.Maintain a thorough inventory of all APIs to prevent shadow and zombie APIs,preferably thr

28、ough auto-generated documentation for uniformity and searchability.Configure thorough logging and monitoring efforts for all API activity,including logging all authentication and input failures.1 Carefully plan API versioning and deployments.Be strategic about adding new APIs so the maintenance and

29、inventory of the existing APIs do not become overwhelming.Microservice and API Risks and Mitigations 2024 Carnegie Mellon University19DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distr

30、ibution.Cascading FailuresPaymentsProductsLogin.Microservices should be loosely coupled so that each of them works independently or mostly independently from other microservices.2Microservice and API Risks and Mitigations 2024 Carnegie Mellon University20DISTRIBUTION STATEMENT A This material has be

31、en approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Recommendations Design APIs with the goal of loose coupling in mind,including domain coupling,temporal coupling,and implementational coupling.Create API documentation that

32、 clearly shows which APIs are coupled and the communication flow that happens between coupled microservices.This documentation will be useful for testing and troubleshooting if there are issues with the API after deployment.Conduct unit testing,integration testing,and end-to-end testing to confirm t

33、he correct functionality of the microservice architecture according to the documented design.Strive to prevent single points of failure in the API network by adding redundancy measures in authentication and authorization points and other network structures.2Microservice and API Risks and Mitigations

34、 2024 Carnegie Mellon University21DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Third Party Software IntegrationsEven the highest quality code can have up to 600 defects pe

35、r million lines of code while average quality code has around 6,000 defects per million lines of code.3Microservice and API Risks and Mitigations 2024 Carnegie Mellon University22DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyrig

36、ht notice for non-US Government use and distribution.Recommendations Perform risk assessments on all third-party software that might be used in a new API to prevent introducing additional API vulnerabilities.Stay informed about the latest vulnerabilities in all third-party software that is integrate

37、d into currently deployed APIs.Use automated vulnerability scanners on third-party software if possible.Consider implementing a Software Bill of Materials(SBOM)framework to help secure the supply chain and mitigate the risks of using third-party software.3Microservice and API Risks and Mitigations 2

38、024 Carnegie Mellon University23DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited dist

39、ribution.Please see Copyright notice for non-US Government use and distribution.Authorization problems are the top issue in APIs todayAuthorization VulnerabilitiesMicroservice and API Risks and Mitigations 2024 Carnegie Mellon UniversityMicroservice and API Risks and Mitigations 2024 Carnegie Mellon

40、 University24DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Broken Object Level Authorization(BOLA)Microservice and API Risks and Mitigations 2024 Carnegie Mellon University

41、25DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Broken Object Property Level Authorization(BOPLA)Microservice and API Risks and Mitigations 2024 Carnegie Mellon University2

42、6DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.Broken Function Level Authorization(BFLA)Microservice and API Risks and Mitigations 2024 Carnegie Mellon University27DISTRIBU

43、TION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.RecommendationsKeep a thorough inventory of all network APIs.Implement static and dynamic testing of all APIs.Check authorization vuln

44、erabilities within your API designs and implementations.27Microservice and API Risks and Mitigations 2024 Carnegie Mellon University28DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distr

45、ibution.References1https:/ Accessed:July 26,20242https:/nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204.pdf,Date Accessed:July 23,20243https:/insights.sei.cmu.edu/documents/5364/Leveraging_SBOM_for_Risk_Reduction.pdf,Date Accessed:July 28,20244https:/owasp.org/API-Security/editions/202

46、3/en/0 x11-t10/,Date Accessed:July 26,20245https:/insights.sei.cmu.edu/documents/5908/api-vulnerabilities-and-risks-2024sr004-1.pdf,Date Accessed:July 26,2024ReferencesMicroservice and API Risks and Mitigations 2024 Carnegie Mellon University29DISTRIBUTION STATEMENT A This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.29Q&A