1. CA API Gateway: Web API and Application Security
Ben Urbanski, Advisor, API Management Presales, CA Technologies
D03X41E
DEVOPS
2. © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
3. Abstract
This session explores common web service, web API and web application security considerations
and how you can use CA API Management solutions to address them.
Ben Urbanski has almost 10 years of experience with API gateways beginning at IBM in 2007,
continuing at Layer 7 in 2011, and to this day at CA Technologies. During that time, he’s been a
presales engineer, a senior director of presales engineering, and now an advisor on CA’s API
Management Presales Center of Excellence team. He has helped many customers understand
how they can simplify and accelerate the creation, security, integration and management of
their web services, web APIs, web applications and mobile applications using API gateways, API
portals and related products. Earlier in his career, he spent time as a software engineer at
several companies, so he’s well grounded in software development practices and how they
relate to API management.
Ben Urbanski, Advisor, API Management Presales, CA Technologies
4. Agenda
1 SECURING THE NEW PERIMETER
2 CA API MANAGEMENT SUITE AND COMMON USE CASES
3 DEMONSTRATION
4 SECURITY PROCESS
5 SECURITY CONSIDERATIONS AND FEATURES
6 WHERE TO START?
5. The Digital Enterprise and Application Economy
Diagram: Developer Community, Cloud Services, Partners/Divisions, Mobile Apps, IoT / Big Data, Social Registration
6. APIs are the New Perimeter
7. CA quickly and easily creates, secures and manages APIs
8. CA API Management
Diagram: CA (Mobile) API Gateway with ESM (runtime) serving Applications; CA API Developer Portal (design time) for App Developers; CA Mobile App Services with MSSO SDKs and MAS SDKs (runtime); CA Live API Creator (design time) for API Publishers
9. CA API Management Use Cases and Deployment
Diagram (DMZ and Trusted Zone): use cases are Internal Security, Integration (ESB or noESB or µS), Traffic Management (SLA), API Creation, Security Gateway, API Management, Mobile Enablement and Identity Brokering. Runtime: Gateways (optionally with MAG & MAS) in front of CA Live API Creator or Application Servers, with Applications using the MSSO SDKs and MAS SDKs. Design time: Portal and API Academy for Partner App Developers and Internal API and App Developers.
10. Security Begins with Risk Analysis
Risk Assessment: What is your risk?
Risk Management: What will you do about it?
11. What is your risk?
Diagram: Assets, Threats, Vulnerabilities, Risk
12. What will you do about it?
Avoidance
Reduction
Sharing
Retention
13. Security Gateway / Internal Security
Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance
Leading edge support for industry and vendor security standards and solutions
Service Virtualization
Identification (w/Federation & Brokering), Authentication, Authorization & Auditing
Confidentiality
Integrity
Logging
Non-repudiation
Data Classification and Compliance
Threat Protection
14. Security Gateway / Internal Security (additional detail)
Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special purposed appliance
– Common Criteria (CC) is the most relevant security certification for solutions in our space; CA is the only gateway vendor with a recent certification to more relevant profiles
– FIPS 140-2 Level 1 crypto processing in all form factors by default. CA offers an optional hardware acceleration card for crypto processing that includes an on-board HSM in its hardware appliance form factor for FIPS 140-2 Level 3.
– CA’s emphasis on performance allows our customers to take advantage of our many security capabilities without experiencing significant negative performance and scalability impacts.
15. Security Gateway / Internal Security (additional detail)
Leading edge support for industry and vendor security standards and solutions
– The industry and vendors are frequently creating and evolving security standards and solutions. The standards and solutions can be difficult to understand, implement and maintain. CA wraps its expert knowledge of both in automatic and/or simple to configure policy language that keeps pace with changes.
– CA is often used to negotiate differences in security standards and solutions between consumers and providers of services. For example, consumers might want to send their credentials using WS-Security UserName tokens, and providers might expect credentials via SAML tokens. With CA in between, neither consumers nor providers need to change. Instead, CA can accept WS-Security Username tokens (and many others) from the consumer, perform authentication and authorization (and more), and include a SAML assertion in the request forwarded to the provider.
Service Virtualization
– An ESB concept, but with security implications. By using CA to virtualize your services (including their identity, protocol and interface), you effectively hide implementation details from attackers.
16. Security Gateway / Internal Security (additional detail)
Identification, Authentication & Authorization
– Many out-of-the-box methods of identification, authentication and authorization based on industry standards and vendor proprietary mechanisms
– The ability to support identity federation based on different standards, and identity brokering between standards and vendor proprietary mechanisms
– Some (but not all) supported standards include SSL with mutual authentication, FTP Credentials, HTTP Basic, HTTP Digest, HTTP Cookies, NTLM, Kerberos, SAML, WS-SecureConversation, WS-Security, OAuth, OpenID Connect, XACML, LDAP, WS-Trust, WS-Federation, X.509 Certificates
– Some (but not all) supported vendor proprietary mechanisms include Mobile SSO, CA Single Sign-On, Tivoli Access Manager, Oracle Access Manager, Sun Java System Access Manager
– CA can easily and conditionally use one or more of the above methods in a single policy (including JDBC and other protocols for custom identity provider implementations)
– CA provides an out-of-the-box and configurable WS-Trust based STS service
– CA can be an enterprise PEP, PDP, PIP and PRP for XACML
– CA can be a SAML identity provider
– CA can be an OAuth authorization server and an OpenID Connect server
17. Security Gateway / Internal Security (additional detail)
Confidentiality
– Easy to configure and accelerated secure transport (SSL/TLS) for point-to-point encryption and confidentiality (both in front of and behind our gateway, with and without client authentication)
– Easy to configure and accelerated end-to-end confidentiality with message or element level encryption and decryption based on industry standards (e.g. XML Encryption, WS-Security, and JWE)
Integrity
– Easy to configure and accelerated end-to-end integrity with message or element level digital signature and verification based on industry standards (e.g. XML Signature and WS-Security)
– HMAC signature support for emerging non-XML standards like REST and OAuth
18. Security Gateway / Internal Security (additional detail)
Auditing & Logging
– Automatic and configurable auditing and logging of events by category and priority level both on and off gateways
– Gateway Audit Event viewer that can see all audit events across a cluster of multiple gateways with or without full request and response message recording
– Auditing and logging is very configurable and can be managed globally across a cluster and/or conditionally in policy
– Audit and log events can be sent remotely via syslog and/or all other outbound protocols supported by CA
Non-repudiation
– CA supports non-repudiation through a combination of auditing, logging and digital signatures
19. Security Gateway / Internal Security (additional detail)
Data Classification and Compliance
– Automatic XML well-formedness validation
– XML schema validation, Schematron, and JSON schema validation
– Many additional out-of-the-box assertions for classifying, validating, masking and filtering message content at runtime
Threat Protection
– Automatic threat protection for TCP/IP Based Attacks, Coercive Parsing and XML Bomb, External Entity Attack, Schema Poisoning, WSDL Scanning and XML Routing Detours
– Configurable threat protection for single and multi-message denial of service attacks
– Injection attack protection (both SQL and code)
– Rate limiting and SLA enforcement with high performance and accuracy across a cluster of multiple gateways
– True replay attack protection across a cluster of multiple gateways
– Virus scanning via the ICAP protocol with specific support for Symantec, McAfee and Sophos
20. CA Mobile API Gateway
Apple Push Notification
Android Push Notification
Mobile SSO (API and SDK)
– Multi-user Support
– Social Login
– One Time Password
– Dynamic App Config & Credential Provisioning
– Geo-location Support
– Cross Device SSO (QRC, BLE, NFC)
Enterprise Browser
Samsung KNOX for APIs
Diagram: API Portal, API Servers, IdM, MAG
21. OWASP Top 10[1] Protection as Web App Proxy
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
[1] https://www.owasp.org/index.php/Top_10_2013-Top_10
22. Where do I start?
Reduce attack surface (expose only what’s needed; require all traffic to go through the gateway)
Use a secure transport (i.e. SSL/TLS)
Control access (e.g. Mutual Auth SSL, HTTP Basic Auth, OAuth, MSSO, API Key?, etc.)
Enforce a strict interface (i.e. validate protocol, resource, method, parameters, schema)
Validate (and optionally encode) input (and optionally output) parameter values
Rate limit (to not exceed capacity - anywhere)
Monitor (log and audit)
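The checklist above reads naturally as an ordered request filter. The following is an added example written for this edit in Python; it is not CA policy language or any CA code, and the route table, API keys, hypothetical ACME warehouse paths and request shape are all constructed for illustration. It applies each step in turn: only the listed method/resource pairs are exposed, TLS is required, a per-client fixed-window rate limit is enforced, the presented API key must be known, no parameter outside the declared interface is accepted, every value must match its declared pattern, and every decision is logged. Rate limiting sits before authentication so that failed credential attempts also count against the caller's quota.

```python
import logging
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("gateway")

# Constructed route table (hypothetical ACME warehouse API).  Only the listed
# (method, path) pairs are exposed, and each declared parameter carries the
# pattern its value must match.  Anything else is rejected.
ROUTES: Dict[Tuple[str, str], Dict[str, re.Pattern]] = {
    ("GET", "/warehouse/items"): {"sku": re.compile(r"^[A-Z0-9]{4,12}$")},
    ("POST", "/warehouse/orders"): {
        "sku": re.compile(r"^[A-Z0-9]{4,12}$"),
        "qty": re.compile(r"^[1-9][0-9]{0,3}$"),
    },
}

# Constructed API keys mapped to client names.
API_KEYS = {"key-acme-reader": "acme-reader", "key-acme-writer": "acme-writer"}


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    api_key: Optional[str]
    tls: bool            # True when the request arrived over TLS


@dataclass
class RateLimiter:
    """Fixed-window counter: at most `limit` requests per `window` seconds per key."""
    limit: int
    window: float
    counts: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        start, n = self.counts.get(key, (now, 0))
        if now - start >= self.window:      # window expired: start a fresh one
            start, n = now, 0
        n += 1
        self.counts[key] = (start, n)
        return n <= self.limit


DEFAULT_LIMITER = RateLimiter(limit=3, window=60.0)


def enforce(req: Request, limiter: Optional[RateLimiter] = None,
            now: Optional[float] = None) -> Tuple[int, str]:
    """Run the checklist and return (HTTP status, reason).  Every decision is
    logged, which is the 'monitor' step."""
    limiter = DEFAULT_LIMITER if limiter is None else limiter
    now = time.time() if now is None else now
    presented = req.api_key or "anonymous"
    client = API_KEYS.get(presented, "anonymous")

    def deny(status: int, reason: str) -> Tuple[int, str]:
        log.warning("DENY %s %s client=%s reason=%s", req.method, req.path, client, reason)
        return status, reason

    if not req.tls:                                   # use a secure transport
        return deny(403, "tls_required")
    if not limiter.allow(presented, now):             # rate limit, keyed on the presented key
        return deny(429, "rate_limited")
    if client == "anonymous":                         # control access
        return deny(401, "unknown_api_key")
    schema = ROUTES.get((req.method, req.path))
    if schema is None:                                # reduce attack surface / strict interface
        return deny(404, "not_exposed")
    unknown = set(req.params) - set(schema)
    if unknown:                                       # no parameters outside the interface
        return deny(400, "unexpected_params:" + ",".join(sorted(unknown)))
    for name, pattern in schema.items():              # validate every input value
        value = req.params.get(name)
        if value is None or not pattern.match(value):
            return deny(400, "invalid_param:" + name)
    log.info("ALLOW %s %s client=%s", req.method, req.path, client)
    return 200, "ok"


if __name__ == "__main__":
    good = Request("GET", "/warehouse/items", {"sku": "ABC123"}, "key-acme-reader", True)
    print(enforce(good))
    print(enforce(Request("GET", "/warehouse/items", {"sku": "abc"}, "key-acme-reader", True)))
```

The deny reasons are deliberately short tokens so that the log lines can be counted per client and per reason; a spike of `unknown_api_key` or `invalid_param` for one caller is the signal the "monitor" step is meant to surface.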
23. Demo
CA (Mobile) API Gateway (for runtime policy enforcement)
Policy Manager (for policy authoring and administration)
CA API Developer Portal (for discovering, exploring, registering to access and monitoring utilization of APIs)
ACME Warehouse Service
24. Must See Demos
Optimize with API Insights & Monitoring (CA API Management Theater 3)
Orchestrate and Secure APIs & Microservices (CA API Management Theater 3)
Launch Faster with API Management in the Cloud (CA API Management Theater 3)
Deliver Continuously with API Testing (CA API Management Theater 3)
25. Recommended Sessions
SESSION # TITLE DATE/TIME
DO3T82S Building the Digital Platform - with secure APIs 11/16/2016 at 1:00 pm
DO3X18S Securing your API Portfolio with API Management 11/16/2016 at 2:00 pm
DO3T02S Case Study: How Adobe Secures, Manages and Deploys Enterprise Mobile Apps 11/17/2016 at 1:45 pm
26. Questions?
27. Thank you.
Stay connected at communities.ca.com
28. DevOps – API Management and Application Development
For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ
Editor's notes
A1 Injection
CA API Management provides policy assertions to protect against SQL and other types of injection attacks. CA API Management also has full access to all Web request and response content and context to enable inspection and protection at runtime.
A2 Broken Authentication and Session Management
CA API Management can require strong or multi-factor authentication over secure protocols and can protect against brute force attacks using simple or sophisticated rate limiting or throughput quota policies. CA API Management can also detect and protect against session-based attacks by controlling cookie security attributes, using digital signatures and encryption, or tracking, mapping and enforcing sticky session identifiers sent in a variety of ways, through policy management.
A3 Cross-Site Scripting (XSS)
CA API Management considers cross-site scripting another form of injection and protects against it using the same or similar policy assertions used for A1 Injection.
A4 Insecure Direct Object References
CA API Management could be used to support per user or session indirect object references and can check access authorization for requests with direct object references.
A5 Security Misconfiguration
CA API Management is a special-purposed security gateway that has been hardened for easy and secure deployment to the DMZ and is the only gateway of its kind with Common Criteria certification for the Enterprise Security Management – Policy Management Version 1.4 and Enterprise Security Management – Access Control Version 2 profiles. As the first line of application layer defense in front of your Web applications, CA API Management can help protect you from security misconfigurations elsewhere in your stack.
A6 Sensitive Data Exposure
CA API Management has a variety of capabilities for filtering, masking, tokenizing and encrypting (using modern and strong algorithms) sensitive data in flight and at rest to protect against sensitive data exposure. CA API Management is also FIPS 140-2 Level 1 compliant in all of its available form factors and FIPS 140-2 Level 3 compliant when integrated with a network HSM or when including the optional onboard HSM in the hardware appliance form factor.
A7 Missing Function Level Access Control
CA API Management can control access to Web pages and their resources using industry-standard-based policy or with integrations to identity access management solutions like CA Single Sign-On.
A8 Cross-Site Request Forgery (CSRF)
CA API Management provides out-of-the-box cross-site request forgery detection and protection using double submit cookie validation and/or HTTP referrer validation.
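The two A8 mechanisms named above, double submit cookie validation and referrer validation, are small enough to show end to end. The following is an added example in Python, not CA's implementation: the cookie and header names, the allowed host set and the request dictionaries are constructed for illustration. The double-submit check requires the token in the cookie to equal the copy the page echoed back in a header or form field (a cross-site page cannot read the cookie, so it cannot supply the second copy); the referrer check prefers the Origin header, falls back to Referer, and treats a missing or non-https source as a failure for state-changing methods.

```python
import hmac
import secrets
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

CSRF_COOKIE = "csrf_token"       # constructed cookie name
CSRF_HEADER = "x-csrf-token"     # constructed header name (compared lower-case)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token() -> str:
    """Token the gateway sets as a cookie and the page echoes back on writes."""
    return secrets.token_urlsafe(32)


def double_submit_ok(cookies: Dict[str, str], headers: Dict[str, str], form: Dict[str, str]) -> bool:
    """Double-submit check: the cookie value must equal the submitted copy.
    Comparison is constant-time so the token cannot be guessed byte by byte."""
    cookie_val = cookies.get(CSRF_COOKIE, "")
    submitted = headers.get(CSRF_HEADER) or form.get(CSRF_COOKIE) or ""
    if not cookie_val or not submitted:
        return False
    return hmac.compare_digest(cookie_val, submitted)


def referrer_ok(headers: Dict[str, str], allowed_hosts: Set[str]) -> bool:
    """Origin/Referer validation: the request must originate from one of our
    own https hosts.  'null' origins and absent headers fail closed."""
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def csrf_check(method: str, headers: Dict[str, str], cookies: Dict[str, str],
               form: Dict[str, str], allowed_hosts: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.  Safe methods are exempt;
    everything else must pass both the referrer and the double-submit check."""
    headers = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe_method"
    if not referrer_ok(headers, allowed_hosts):
        return False, "bad_referrer"
    if not double_submit_ok(cookies, headers, form):
        return False, "csrf_token_mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_csrf_token()
    hosts = {"app.example.com"}   # constructed
    print(csrf_check("POST", {"Origin": "https://app.example.com", "X-CSRF-Token": tok},
                     {"csrf_token": tok}, {}, hosts))
    print(csrf_check("POST", {"Origin": "https://evil.example.net", "X-CSRF-Token": tok},
                     {"csrf_token": tok}, {}, hosts))
```

The referrer check runs first because it is cheap and catches the common case; the double-submit check is what holds up when the Referer header has been stripped by a privacy proxy, which is why the note describes the two as usable together.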
A9 Using Components with Known Vulnerabilities
As noted under A5, CA API Management is a special purposed security gateway that has been hardened for easy and secure deployment to the DMZ, and is the only gateway of its kind with Common Criteria certification for the Enterprise Security Management – Policy Management Version 1.4 and Enterprise Security Management – Access Control Version 2 profiles. CA API Management engineering and support teams are constantly vigilant for new vulnerabilities, and quickly create, release and communicate vulnerability patches to CA API Management customers. These patches are easily applied through the patch management system included with CA API Management.
A10 Unvalidated Redirects and Forwards
CA API Management can detect, validate and, if necessary, help prevent redirects. CA API Management can also be used to detect and validate absolute or relative URL or URI references in request messages. Additionally, CA API Management provides OData threat protection, which allows the same sort of metadata validation that JSON and XML schema protection provides.
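The A10 note above describes validating absolute or relative URL references before a redirect is allowed through. The following is an added example in Python of such a check at a gateway, not CA's implementation; the allowed hosts and the sample targets are constructed. The point it makes beyond the note is that the check must be applied to what the browser would actually follow: a relative target is resolved against our own origin first, backslashes are normalised to slashes (browsers treat them as equivalent), protocol-relative and userinfo forms are therefore seen for what they are, and anything carrying CR, LF or NUL is refused outright because it would break the Location header.

```python
from typing import Set
from urllib.parse import urljoin, urlsplit

# Constructed allow-list of hosts we are willing to redirect to.
ALLOWED_HOSTS: Set[str] = {"app.example.com", "portal.example.com"}
OWN_ORIGIN = "https://app.example.com/"   # constructed


def resolve_redirect(target: str, base: str = OWN_ORIGIN) -> str:
    """Normalise the target to the absolute URL a browser would follow.
    Backslashes become slashes first so that '/\\host' is not mistaken
    for a local path; relative paths resolve against our own origin."""
    return urljoin(base, target.replace("\\", "/"))


def redirect_allowed(target: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> bool:
    """True only if the resolved target is https and on an allowed host."""
    if not target or any(c in target for c in "\r\n\x00"):   # header injection / NUL
        return False
    parts = urlsplit(resolve_redirect(target))
    if parts.scheme != "https" or not parts.hostname:           # non-https or opaque scheme
        return False
    return parts.hostname.lower() in allowed_hosts              # hostname ignores userinfo/port


def safe_redirect(target: str, fallback: str = OWN_ORIGIN) -> str:
    """Location the gateway should actually emit: the validated target, or a
    fixed fallback on our own origin when validation fails."""
    return resolve_redirect(target) if redirect_allowed(target) else fallback


if __name__ == "__main__":
    for t in ["/account", "https://portal.example.com/docs", "//evil.net/x",
              "https://app.example.com@evil.net/", "javascript:alert(1)"]:
        print(repr(t), "->", safe_redirect(t))
```

Validating the resolved URL rather than the raw string is the whole trick: a naive "starts with a slash" or "contains our hostname" test passes most of the rejected cases above, while the resolved hostname comparison rejects them all.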