Microservice and API Risks and Mitigations.pdf

PDF, 29 pages, 1.24 MB

Slide 1 - Title
Microservice and API Risks and Mitigations
August 7, 2024
McKinley Sconiers-Hasan, CERT Associate Solutions Engineer
© 2024 Carnegie Mellon University
DISTRIBUTION STATEMENT A: This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Slide 2 - Document Markings
Copyright 2024 Carnegie Mellon University.
The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
CERT and Carnegie Mellon are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM24-0993

Slide 3 - Agenda
- Introduction to APIs
- Microservice architectures
- 3 common risks of modern APIs
- Authorization vulnerabilities
- Final recommendations

Slide 4 - Section: Introduction to APIs

Slide 5 - Introduction to APIs
[Figure: Request / Response exchanged between two applications]
An API is a connector between two applications.

Slides 6-7 - Introduction to APIs
[Figure: Request / Response example; the example URL survives only as "https:/ ... of the Tiger" in the extraction]

Slide 8 - APIs are Important for Security
[Figure: labelled Database, application, API, public]

Slides 9-11 - API Structure
[Figure: the structure of an API, with its endpoints and then its parameters highlighted on successive slides]

Slide 12 - Section: Microservice Architectures

Slides 13-15 - Monolithic vs Microservice Architectures
[Figure: a monolithic application (one UI, one DB, with Payment, Products, Login, ... inside) beside microservices (one UI, each service backed by its own DB)]

Slide 16 - Section: Risks of Microservice Architectures

Slide 17 - Increased Attack Surface
[Figure: the same monolith beside microservices; each service (Payment, Products, Login, ...) and its DB is now separately exposed]

Slide 18 - Recommendations
- Add redundancy measures to prevent overload from API use in support structures, such as the API gateway and authentication servers.
- Maintain a thorough inventory of all APIs to prevent shadow and zombie APIs, preferably through auto-generated documentation for uniformity and searchability.
- Configure thorough logging and monitoring efforts for all API activity, including logging all authentication and input failures. [1]
- Carefully plan API versioning and deployments. Be strategic about adding new APIs so the maintenance and inventory of the existing APIs do not become overwhelming.

Slide 19 - Cascading Failures
[Figure: Payments, Products, Login, ... microservices depending on one another]
Microservices should be loosely coupled so that each of them works independently or mostly independently from other microservices. [2]

Slide 20 - Recommendations
- Design APIs with the goal of loose coupling in mind, including domain coupling, temporal coupling, and implementational coupling.
- Create API documentation that clearly shows which APIs are coupled and the communication flow that happens between coupled microservices. This documentation will be useful for testing and troubleshooting if there are issues with the API after deployment.
- Conduct unit testing, integration testing, and end-to-end testing to confirm the correct functionality of the microservice architecture according to the documented design.
- Strive to prevent single points of failure in the API network by adding redundancy measures in authentication and authorization points and other network structures. [2]

Slide 21 - Third Party Software Integrations
Even the highest quality code can have up to 600 defects per million lines of code, while average quality code has around 6,000 defects per million lines of code. [3]

Slide 22 - Recommendations
- Perform risk assessments on all third-party software that might be used in a new API to prevent introducing additional API vulnerabilities.
- Stay informed about the latest vulnerabilities in all third-party software that is integrated into currently deployed APIs.
- Use automated vulnerability scanners on third-party software if possible.
- Consider implementing a Software Bill of Materials (SBOM) framework to help secure the supply chain and mitigate the risks of using third-party software. [3]

Slide 23 - Section: Authorization Vulnerabilities
Authorization problems are the top issue in APIs today.

Slide 24 - Broken Object Level Authorization (BOLA)

Slide 25 - Broken Object Property Level Authorization (BOPLA)

Slide 26 - Broken Function Level Authorization (BFLA)

Slide 27 - Recommendations
- Keep a thorough inventory of all network APIs.
- Implement static and dynamic testing of all APIs.
- Check authorization vulnerabilities within your API designs and implementations.

Slide 28 - References
[1] https:/ (URL truncated in the extraction), Date Accessed: July 26, 2024
[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204.pdf, Date Accessed: July 23, 2024
[3] https://insights.sei.cmu.edu/documents/5364/Leveraging_SBOM_for_Risk_Reduction.pdf, Date Accessed: July 28, 2024
[4] https://owasp.org/API-Security/editions/2023/en/0x11-t10/, Date Accessed: July 26, 2024
[5] https://insights.sei.cmu.edu/documents/5908/api-vulnerabilities-and-risks-2024sr004-1.pdf, Date Accessed: July 26, 2024

Slide 29 - Q&A
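The three authorization classes the deck names on slides 24 through 26 (BOLA, BOPLA, BFLA), and the slide 27 recommendation to check authorization in designs and implementations, shown as one small request handler that enforces object-, property- and function-level checks and returns a loggable reason for every denial. This is an added example, not code from the SEI deck; the record store, user roles, field names and status codes are constructed assumptions.

```python
from collections import namedtuple
User = namedtuple("User", "uid role")  # role is "user" or "admin" (constructed)
# Constructed sample store: each record has exactly one owner.
RECORDS = {
    "r1": {"owner": "alice", "title": "Alice's note", "balance": 120, "is_verified": False},
    "r2": {"owner": "bob", "title": "Bob's note", "balance": 40, "is_verified": True},
}
ADMIN_ONLY_FIELDS = {"owner", "balance", "is_verified"}  # BOPLA: only admins read/write these
ADMIN_ONLY_METHODS = {"DELETE"}                          # BFLA: only admins may call these
class Forbidden(Exception):
    """Carries a short reason so each denial can be logged, as the deck recommends."""

def authorize_function(user, method):
    """BFLA check: is this role allowed to call this function at all?"""
    if method in ADMIN_ONLY_METHODS and user.role != "admin":
        raise Forbidden("function:" + method)

def authorize_object(user, record_id):
    """BOLA check: ownership is looked up server-side, never trusted from the request."""
    rec = RECORDS[record_id]  # KeyError for unknown ids becomes 404 in handle()
    if user.role != "admin" and rec["owner"] != user.uid:
        raise Forbidden("object:" + record_id)
    return rec

def authorize_properties(user, fields):
    """BOPLA check: a non-admin may not write admin-only properties (mass assignment)."""
    denied = set(fields) & ADMIN_ONLY_FIELDS
    if denied and user.role != "admin":
        raise Forbidden("property:" + ",".join(sorted(denied)))

def handle(user, method, record_id, body=None):
    """GET/PATCH/DELETE on /records/<id>; returns (status, payload) like an HTTP handler."""
    try:
        authorize_function(user, method)
        rec = authorize_object(user, record_id)
        if method == "GET":  # BOPLA on the read side: strip admin-only properties
            hidden = set() if user.role == "admin" else ADMIN_ONLY_FIELDS
            return 200, {k: v for k, v in rec.items() if k not in hidden}
        if method == "PATCH":
            authorize_properties(user, body or {})
            rec.update(body or {})
            return 200, dict(rec)
        if method == "DELETE":
            return 200, RECORDS.pop(record_id)
        return 405, method
    except Forbidden as e:
        return 403, str(e)  # an authorization failure: log it and alert on it
    except KeyError:
        return 404, record_id
```

The checks run in the order function, object, property, so a caller who fails the cheapest check never reaches the store lookup.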
