Secure your REST API

(the right way)

Les Hazlewood @lhazlewood


Apache Shiro PMC Chair
CTO, Stormpath
stormpath.com

User Management and
Authentication API
Security for your applications
User security workflows
Security best practices
Developer tools, SDKs, libraries

HTTP Authentication...

... is all about the headers

Learn more at Stormpath.com

1. Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com

2. Challenge Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="name"

3. Resubmit Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Authorization Header Format

GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Authorization: <Scheme Name> <sp> <Scheme-specific Value>
(here "Basic" is the scheme name, then a single space, then the scheme-specific value)

4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
  "email": "jsmith@gmail.com",
  "givenName": "Joe",
  "surname": "Smith",
  ...
}

Example: OAuth 1.0a

GET /accounts/1234 HTTP/1.1
Host: api.acme.com
Authorization: OAuth realm="Photos",
  oauth_consumer_key="dpf43f3p2l4k3l03",
  oauth_signature_method="HMAC-SHA1",
  oauth_timestamp="137131200",
  oauth_nonce="wIjqoS",
  oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
  oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

Example: OAuth 2
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM

Example: OAuth 2 MAC

GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: MAC id="h480djs93hd8",
  nonce="264095:dj83hs9s",
  mac="SLDJd4mg43cjQfElUs3Qub4L6xE="

Ok, now that's out of the way

Please avoid Basic Authc if you can.
Favor HMAC-SHA256 digest algorithms over bearer token algorithms.
Use OAuth 1.0a or OAuth 2 (preferably MAC).
Only use a custom scheme if you really, really know what you're doing.

Status Codes

401 vs 403

401 Unauthorized really means "Unauthenticated":
"You need valid credentials for me to respond to this request"

403 Forbidden really means "Unauthorized":
"I understood your credentials, but so sorry, you're not allowed!"

HTTP Authorization

HTTP Authorization
After authc, perform authz
Filter requests before invoking the MVC layer
  Blanket security policies
  Per-URI customization

HTTP Authorization: OAuth

OAuth is an authorization protocol, NOT an authentication or SSO protocol.
"Can I see User X's email address please?"
NOT:
"I want to authenticate User X w/ this username and password"

People still try to use OAuth for authentication (OpenID Connect)

HTTP Authorization: OAuth

When OAuth 2 is a good fit:
  If your REST clients do NOT own the data they are attempting to read

When OAuth 2 isn't as good of a fit:
  If your REST client owns the data it is reading
  Could still be fine if you're willing to incur some additional overhead

HTTP Authorization: JWT

JWT = JSON Web Token
Very new spec, but clean & simple
JWTs can be digitally signed and/or encrypted, and are URL friendly.
Can be used as Bearer Tokens and for SSO

Best Practices

API Keys

API Keys, Not Passwords

Entropy
Independence
Speed
Reduced Exposure
Traceability
Rotation

API Keys cont'd

Authenticate every request
Encrypt API Key secret values at rest.
Avoid Sessions (not RESTful)
Authc every request + no sessions = no XSRF attacks
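
To make two of the deck's recommendations concrete (favor an HMAC-SHA256 digest over a bearer token, and authenticate every request with an API key instead of a session), here is an added Python example; it is not code from the deck or from Stormpath. The client signs each request with its API key secret and the server recomputes the MAC, checks the timestamp window and rejects replayed nonces. The scheme name, header layout, key id and secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key (hypothetical id/secret, not a real Stormpath key).
# A real server keeps these secrets encrypted at rest and looks them up by id.
API_KEYS = {"k8Z3fQ9x": b"constructed-secret-not-for-reuse"}
CLOCK_SKEW = 300          # seconds a signed timestamp may differ from server time
SCHEME = "HMAC-SHA256"    # hypothetical scheme name used only in this demo

def string_to_sign(method, path, host, ts, nonce, body):
    # Bind method, path, host, time, nonce and a body hash into one canonical string.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, host.lower(), str(ts), nonce, body_hash])

def sign_request(key_id, secret, method, path, host, body=b"", ts=None, nonce=None):
    # Client side: build the Authorization header for one request.
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_urlsafe(12)
    msg = string_to_sign(method, path, host, ts, nonce, body).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f'{SCHEME} id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def parse_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != SCHEME:
        return None
    pairs = (part.strip().partition("=") for part in params.split(","))
    return {k: v.strip('"') for k, _, v in pairs}

def verify_request(header, method, path, host, body, seen_nonces, now=None):
    # Server side: returns (status, reason); 401 means "unauthenticated", as on the 401 slide.
    now = int(time.time()) if now is None else now
    p = parse_header(header or "")
    if not p or not {"id", "ts", "nonce", "mac"} <= set(p):
        return 401, "malformed or missing credentials"
    secret = API_KEYS.get(p["id"])
    if secret is None:
        return 401, "unknown key id"
    if not p["ts"].isdigit() or abs(now - int(p["ts"])) > CLOCK_SKEW:
        return 401, "timestamp outside window"
    if p["nonce"] in seen_nonces:
        return 401, "replayed nonce"
    msg = string_to_sign(method, path, host, int(p["ts"]), p["nonce"], body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p["mac"]):   # constant-time comparison
        return 401, "bad signature"
    seen_nonces.add(p["nonce"])   # remember the nonce only after a successful check
    return 200, "ok"
```

Because the MAC covers the path and a body hash, a captured header cannot be reused for a different resource, and the nonce set stops it being reused for the same one.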

Identifiers

Identifiers
Good
/accounts/x2b4jX3l31uiL

Not So Good
/accounts/1234

Why?

Identifiers

Should be opaque
Secure Random or Random/Time UUID
URL-friendly Base62 encoding
Avoid sequential numbers:
  distribute ID generation load
  mitigate fusking (resource enumeration) attacks
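
An added Python example of the identifier recipe above (secure random bytes, Base62-encoded to a fixed width, so IDs like /accounts/x2b4jX3l31uiL are opaque and cannot be enumerated); it is not code from the deck. The 10-byte size and the alphabet order are choices made for this demo.

```python
import math
import secrets
import uuid

# Base62 alphabet: digits, upper and lower case letters; all URL-safe without escaping.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def base62_encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 62)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits)) or ALPHABET[0]

def base62_decode(text: str, nbytes: int) -> bytes:
    n = 0
    for ch in text:
        n = n * 62 + ALPHABET.index(ch)   # raises ValueError on a non-Base62 character
    return n.to_bytes(nbytes, "big")

def base62_width(nbytes: int) -> int:
    # Characters needed to hold nbytes*8 bits in base 62 (14 for 10 bytes, 22 for a UUID).
    return math.ceil(nbytes * 8 / math.log2(62))

def new_account_id(nbytes: int = 10) -> str:
    # Bytes come from the OS CSPRNG (80 bits of entropy for the default size);
    # left-pad so every id has the same width and reveals nothing about its value.
    return base62_encode(secrets.token_bytes(nbytes)).rjust(base62_width(nbytes), ALPHABET[0])

def uuid_id() -> str:
    # Same encoding applied to a random (version 4) UUID, the deck's other option.
    return base62_encode(uuid.uuid4().bytes).rjust(base62_width(16), ALPHABET[0])
```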

Query Injection

Query Injection
String query =
  "select * from accounts where acct_id = '" +
  request.getParameter("acctId") + "'";

Vulnerable URL:
foo.com/accounts?acctId=' or '1'='1

Solution
Use a Parameterized Query API (Prepared Statements).
If not available, escape special chars
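
An added Python example (not from the deck) that runs the concatenated query above and its parameterized replacement against a constructed in-memory SQLite table, so the difference is observable: the string-built query returns every account for the slide's payload, the prepared statement returns none.

```python
import sqlite3

def make_db():
    # Constructed in-memory accounts table standing in for the real store.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts (acct_id text primary key, email text)")
    conn.executemany("insert into accounts values (?, ?)", [
        ("x2b4jX3l31uiL", "jsmith@gmail.com"),
        ("q7Lm2ZpR0vTkA", "other@example.com"),
    ])
    return conn

def find_account_vulnerable(conn, acct_id):
    # Same shape as the deck's concatenated Java query: the value becomes SQL syntax,
    # so "' or '1'='1" turns the WHERE clause into a tautology.
    query = "select * from accounts where acct_id = '" + acct_id + "'"
    return conn.execute(query).fetchall()

def find_account_safe(conn, acct_id):
    # Parameterized: the driver passes the value separately from the statement text,
    # so it is only ever compared as data and can never change the query structure.
    return conn.execute("select * from accounts where acct_id = ?", (acct_id,)).fetchall()
```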

Redirects and Forwards

Redirects and Forwards

foo.com/redirect.jsp?url=evil.com
foo.com/whatever.jsp?fwd=admin.jsp

Avoid redirects and forwards if possible
If used, validate the value and ensure it is authorized for the current user.

TLS

TLS
Use TLS for everything
Once electing to TLS:
  Never revert
  Never switch back and forth
Cookies: set the secure and httpOnly flags
Backend/infrastructure connections use TLS too

TLS cont'd
Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms
Use Cipher Suites w/ Perfect Forward Secrecy!
  e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256
Keep your TLS certificates valid
But beware, TLS isn't foolproof
App-level encryption + TLS for most secure results
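
An added Python example (not from the deck) that applies the two TLS slides to a server: a TLS 1.2+ context restricted to ephemeral-ECDH (forward secret) AEAD suites, a check that no non-PFS suite slipped through, an HSTS header so clients never revert to plain HTTP, and a cookie carrying the secure and httpOnly flags. The cipher string uses OpenSSL names (ECDHE-RSA-AES256-GCM-SHA384 is the AES-256-GCM suite in OpenSSL's naming) and is a choice made for this demo.

```python
import ssl
from http.cookies import SimpleCookie

# OpenSSL cipher string: only ephemeral-ECDH (forward secret) AEAD suites for TLS 1.2.
# TLS 1.3 suites are always forward secret and are enabled separately by OpenSSL.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
# "Never revert": tell browsers to use HTTPS only for a year, subdomains included.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

def make_server_context(certfile=None, keyfile=None):
    """Server-side TLS context: TLS 1.2 or newer, PFS-only cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuses SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(PFS_CIPHERS)
    if certfile:                                     # cert/key paths are deployment-specific
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def non_pfs_suites(ctx):
    """Enabled TLS 1.2 suites whose key exchange is not ephemeral (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and not c["name"].startswith(("ECDHE-", "DHE-"))]

def session_cookie(name, value):
    """Set-Cookie value with the secure and httpOnly flags the deck asks for."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True       # never sent over plain HTTP
    jar[name]["httponly"] = True     # not readable from script
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()
```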

Configuration

Configuration

CI: Security Testing
Security Patches
Regularly scan/audit
Same config in Dev, Prod, QA*
(Docker is great for this!)
Externalize passwords/credentials

* Except credentials of course

Storage

Storage

Sensitive data encrypted at rest
Encrypt offsite backups
Strong algorithms/standards
Strong encryption keys and key mgt
Strong password hashing
External key storage
Encrypted file system (e.g. eCryptfs)

Thank You!
les@stormpath.com
Twitter: @lhazlewood
https://stormpath.com

Free for developers
Eliminate months of development
Automatic security best practices
Sign Up Now: Stormpath.com
