API security – OAuth 2.0, SAML, client id/secret, single sign-on, mutual authentication, etc. (demo)
Perimeter security
Encryption, masking
* https://www.mulesoft.com/resources/api/connected-business-strategy
Categories
• @ the Platform – Datacenter security, penetration testing, static code review, response plans, etc.
• @ the Perimeter – Threats: Denial of Service, injection protection, etc.
• @ the Implementation – Secure By Design: Authorization & Identity (PKI, Federation, OpenID Connect), Contract Based protections
• @ the Data – Integrity (cryptography), obfuscation (tokenization)
[Diagram: a customer API, protected by an OAuth policy, implemented by a customer flow.]
• Before OAuth
– You would have to provide your username and password to the third-party app.
– Apps store users' passwords
– Apps get complete access to the user's account
– The only way users could revoke an app's access was by changing their password
– Compromised apps expose users' passwords
• Then came OAuth 1
– OAuth 1 standardized how different services implemented authorization
– But there were some limitations
[Diagram: OAuth 2.0 client credentials flow across the API portal, the client(s), the API proxy/gateway, the OAuth 2 provider and the API administrator. The API administrator creates a Client object (key, client id, client secret, client name, description) in the OAuth store (DB); the client requests access to the API through the API portal and is provided a client id and client secret; the client requests a token by passing client id/secret to the OAuth 2 provider; the client makes the API call using the token; the gateway validates the client token and, if the token is valid, invokes the API.]
All contents © MuleSoft Inc. 19
OAuth2 – Client Authentication
1. The client application receives a client id and client secret from the BAC API application administrator.
2. The client application sends an access token request to the OAuth provider application, which retrieves the client id and client secret; if the credentials are valid, the OAuth provider returns an access token.
Sample Request:
http://171.135.20.188:22107/bac/api/token?grant_type=client_credentials&client_id=5ab9af1544604f8da18f826401e760f6&client_secret=D9a6179Da5c64192Bc02963cdD69275f&scope=POST_RESOURCE
Sample response:
{
"access_token": "V60RAUK4KNzk_kjlAJNN50P1RNENgooxZLGZDXffWQDEaSWCqzL_avXga-dVrsyLqi13noFcuFacZdXBap0JZw",
"scope": "POST_RESOURCE",
"token_type": "bearer",
"expires_in": 86400
}
3. The client app sends a request to the API, appending the access token to the request.
Sample Request:
http://171.135.20.188:22106/accounts?access_token=9LUukoZIjwucSBLTB6YoHyvY_JfjSBtIhNNbeVnFA3xD7fdmdZMDbKZQ8yz_Xnc7GVhnWYZhh5K0KshNOjyCfA
[Diagram: client application (www) → DMZ Mule Gateway proxy running the OAuth token enforcement policy → implementation tier; the OAuth API provider exposes /access_token, /validate and /oauth; the API administrator maintains the Client Object (key, client id, client secret, client name, description) in the DB.]
OAuth2 – Client Authentication (cont.)
4. The OAuth 2.0 token enforcement policy in the DMZ Mule Gateway intercepts the request and validates the token by making a validate-token call to the OAuth provider. If the token is invalid, the proxy receives a 401 Unauthorized response code.
5. If the access token is valid, the Mule proxy forwards the request to the API.
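Steps 1–5 as an added Python sketch (not MuleSoft's or any provider's code): a hypothetical in-memory OAuth provider that stores only a hash of each client secret, issues an opaque bearer token like the sample response, and answers the validate call the gateway policy makes; the gateway function returns 401 or forwards (200) as the slide describes, and a 403 for a token whose scope does not cover the resource is an addition. The page's sample requests carry client_secret and access_token in the URL query string over http; the example reads the token from an Authorization: Bearer header instead, so credentials do not end up in proxy and web-server access logs.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class OAuthProvider:
    """Hypothetical in-memory OAuth 2 provider: the OAuth store (clients) plus issued tokens."""
    clients: dict = field(default_factory=dict)  # client_id -> (sha256(secret), allowed scopes)
    tokens: dict = field(default_factory=dict)   # access_token -> (client_id, scope, expiry)

    def register_client(self, client_id, client_secret, scopes):
        # API administrator creates the Client object; only a hash of the secret is stored.
        digest = hashlib.sha256(client_secret.encode()).hexdigest()
        self.clients[client_id] = (digest, set(scopes))

    def access_token(self, client_id, client_secret, scope, now=None):
        # Steps 1-2: the client presents id/secret (grant_type=client_credentials) and a scope.
        now = time.time() if now is None else now
        rec = self.clients.get(client_id)
        if rec is None:
            return None
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        if not hmac.compare_digest(rec[0], presented) or scope not in rec[1]:
            return None
        token = secrets.token_urlsafe(48)  # opaque bearer token, like the sample response
        self.tokens[token] = (client_id, scope, now + 86400)
        return {"access_token": token, "scope": scope, "token_type": "bearer", "expires_in": 86400}

    def validate(self, token, now=None):
        # Step 4: the /validate call made by the gateway's token enforcement policy.
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec[2] <= now:
            return None
        return {"client_id": rec[0], "scope": rec[1]}


def enforce(provider, headers, required_scope, now=None):
    """Gateway-side enforcement (steps 4-5): 401 for a missing, invalid or expired token,
    403 when the token's scope does not cover the resource (assumption; the page shows
    only 401), 200 meaning the proxy forwards the request to the API."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    info = provider.validate(auth[len("Bearer "):], now)
    if info is None:
        return 401
    return 200 if info["scope"] == required_scope else 403
```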
Full Support
• Salesforce
• PingFederate (versions: 6, 7, 8)
• OpenAM (versions : 11, 12, 14)
• Okta
● Basic Authentication: LDAP: Establishes the configuration details for an OpenLDAP or Active Directory LDAP that you set up for your enterprise.
● Basic Authentication: Simple: Protects the API by requiring a username and password when calling apps make a request.
● Client ID Enforcement: Enforces the requirement that calls to the API include a valid client ID and client secret. See footnote.
● Cross-Origin Resource Sharing: Allows JavaScript XMLHttpRequest (XHR) calls executed in a web page to interact with resources from non-origin domains. CORS is a commonly implemented solution to the "same-origin policy" that is enforced by all browsers.
● Header Injection and Removal: Adds headers to the request/response of the message or removes headers.
● HTTP Caching: Provides a way to store HTTP responses from an API implementation or an API proxy for later reuse.
● JSON Threat Protection: Protects the target API against malicious JSON that could cause problems.
● Message Logging Policy: Logs a custom message with the information available between policies, proxy, or backend at any point of the execution.
● OAuth 2.0 Access Token Enforcement Using External Provider Policy: Configures the API so that its endpoints require a mandatory and valid OAuth 2.0 token.
● OpenAM Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid OpenAM token. This policy is only available to organizations using an OpenAM Federated Identity Management system.
● OpenID Connect Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid token. This policy is only available to organizations using an OpenID Connect Management system.
● PingFederate Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid PingFederate token. This policy is only available to organizations using a PingFederate Federated Identity Management system.
● Rate Limiting – SLA-Based: Limits the number of messages per time period processed by an API to a maximum value specified in the SLA tier. Any messages beyond the maximum are rejected. Enforcement is based on the client ID passed in the request. See footnote.
● Rate Limiting: Limits the number of messages processed by an API per time period to a maximum value specified in the policy. The rate limiting is applied to all API calls, regardless of the source. Any messages beyond the maximum are rejected.
● Simple Security Manager: Supports a placeholder security manager that can be configured with a hard-coded username and password for testing purposes.
● Spike Control Policy Reference: Smooths traffic by ensuring that within any given period of time, no more than the maximum configured requests are processed.
● Throttling – SLA-Based: Throttles the number of messages per time period processed by an API to a maximum value specified in the SLA tier. Any messages beyond the maximum are queued for later processing. Enforcement is based on the client ID passed in the request. See footnote.
● Throttling: Throttles the number of messages processed by an API per time period to a maximum value specified in the policy. The throttling is applied to all API calls, regardless of the source. Any messages beyond the maximum are queued for later processing.
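To make the reject-versus-queue distinction between the Rate Limiting and Throttling policies concrete, an added Python sketch (not MuleSoft's policy implementation) of a fixed-window limiter keyed by the client ID, as the SLA-based variants are: excess requests are rejected in one mode and queued for a later window in the other, and a request with no known client ID is rejected outright. SLA_TIERS and the tier names are constructed values.

```python
from collections import deque

# Constructed SLA tiers (hypothetical values): requests allowed per window, by tier name.
SLA_TIERS = {"gold": 5, "silver": 2}


class SlaPolicy:
    """Fixed-window limiter keyed by client id. mode="reject" models Rate Limiting -
    SLA-Based (excess requests are rejected); mode="queue" models Throttling -
    SLA-Based (excess requests are queued for a later window)."""

    def __init__(self, client_tiers, window_seconds=60, mode="reject"):
        self.client_tiers = client_tiers  # client_id -> SLA tier, as held in the Client Object
        self.window = window_seconds
        self.mode = mode
        self.counts = {}      # (client_id, window index) -> requests already served
        self.queue = deque()  # throttled requests waiting for the next window

    def _allow(self, client_id, now):
        key = (client_id, int(now // self.window))
        if self.counts.get(key, 0) >= SLA_TIERS[self.client_tiers[client_id]]:
            return False
        self.counts[key] = self.counts.get(key, 0) + 1
        return True

    def handle(self, client_id, now):
        """Return 'served', 'rejected' (HTTP 429 style) or 'queued' for one request."""
        if client_id not in self.client_tiers:
            return "rejected"  # missing or unknown client ID: no SLA tier applies
        if self._allow(client_id, now):
            return "served"
        if self.mode == "queue":
            self.queue.append(client_id)
            return "queued"
        return "rejected"

    def drain(self, now):
        """Throttling mode: replay queued requests that fit in the current window."""
        served, waiting = 0, deque()
        while self.queue:
            cid = self.queue.popleft()
            if self._allow(cid, now):
                served += 1
            else:
                waiting.append(cid)
        self.queue = waiting
        return served
```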
[Diagram: Customers / External Applications, Runtime Plane (CloudHub) and Control Plane (API Management), separated by firewalls; labels: IPSEC, Metadata Traffic.]
• Multiple layers of APIs (API-Led Connectivity) to expose data and functions securely
[Diagram: three API layers behind the firewall. Experience APIs: Order status, Shipment status, Order history. Process APIs: Customers, Orders. System APIs: Toll shipments, UPS shipments, SAP customers, Salesforce customers.]
Process API layer
By Configuration
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data "ownership" per role
- Encrypt Data if needed
System API layer
By Configuration
- Throttling/Rate Limit (to protect backend systems)
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
- SQL/XML/JSON Injection protection
By Design
- Use Connector as much as possible (with built-in security control)
- Control Logged Data & Level
- Data "ownership" per role
- Encrypt or Tokenize Data if needed
Testing Considerations per each API layer
Experience API layer
By Configuration
- Throttling/Rate Limit (for fair usage or SLA)
- SQL/XML/JSON Injection protection
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data "ownership" per role
- Encrypt Data if needed
Tests
- Security Test to ensure that the APIs only serve under the allowed throughput per API Consumer
- Security Test to ensure that the APIs are protected against SQL/XML/JSON injections
- Functional Test to ensure that the process operations only return the correct data set per API Consumer and per id profile
- Technical Test to ensure that the Logs are not too verbose and do not contain sensitive data
- Technical Test to ensure that the encrypted data are properly handled with the right key
- Technical Test to ensure the integrity of tokenized data during mashup
Process API layer
By Configuration
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data "ownership" per role
- Encrypt Data if needed
Tests
- Security Test to ensure that the APIs only serve requests from the allowed APIs
- Functional Test to ensure that the process operations are aligned with the system of records and only return the correct data set per id profile
- Technical Test to ensure that the Logs are not too verbose and do not contain sensitive data
- Technical Test to ensure that the encrypted data are properly handled with the right key
- Technical Test to ensure the integrity of tokenized data during mashup
System API layer
By Configuration
- Throttling/Rate Limit (to protect backend systems)
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
- SQL/XML/JSON Injection protection
By Design
- Use Connector as much as possible (with built-in security control)
- Control Logged Data & Level
- Data "ownership" per role
- Encrypt or Tokenize Data if needed
Tests
- Security Test to ensure that the APIs only serve requests from the allowed APIs and under the allowed throughput
- Security Test to ensure that the APIs are protected against SQL/XML/JSON injections
- Functional Test to ensure that the CUD operations are aligned with the system of records
- Functional Test to ensure that the R operation only returns the correct data set per id profile
- Technical Test to ensure that the Logs are not too verbose and do not contain sensitive data
- Technical Test to ensure that the encrypted or tokenized data are properly handled
Top Ten OWASP Implementation Recommendations
A1. Injection
• Use Database Connector “Parameterized” Mode if the API implementation is MuleSoft based
• Use SQL Injection Policy to protect non-secure API implementations
A2. Broken Authentication and Session Management
• Use any 3rd party or MuleSoft provided OAuth provider to manage sessions
• Use the out-of-the-box OAuth Access Token enforcement policies to protect the API access
• Implement stateless APIs
A5. Broken Access Control
• Use LDAP Authorization Policy to restrict access at the User level
• Use IP Whitelist/Blacklist Policies to restrict access at the System level
A6. Security Misconfiguration
• Use MuleSoft Credential Vault to encrypt all server/credential information
A7. Cross Site Scripting (XSS)
• Use IP Whitelist to restrict API access at the System Level
• Use Cross Site Scripting policy for GET requests
• Use CORS, JSON Threat and/or XML Threat policies
A8. Insecure Deserialization
• MuleSoft is largely Spring-based and Spring has hardened its susceptible classes
• Enable SSL
• Use IP Whitelist to restrict API access at the System Level
A10. Insufficient Logging and Monitoring
• Use MuleSoft Runtime Manager for System Level Logging, API Analytics for Usage Level Logging and Insight for Functional Level Logging
• Use Splunk or ELK to aggregate MuleSoft or external systems logs for further in-depth analysis
[Diagram: Customers / External Applications → Runtime Plane (CloudHub); runtime traffic; IPSEC.]
Mainly HTTPS driven, via VPC Peering that allows the isolation of the Process APIs, which can only be accessed via the specific Experience APIs.
Public facing APIs that serve external customers and applications via HTTPS or S/FTP.
• The Virtual Private Cloud (VPC) offering allows you to virtually create a private and isolated network in the cloud to host workers
• Public internet
– Default connectivity to CloudHub VPC
• VPC Peering
– Connect an Amazon VPC directly to a CloudHub VPC
Anypoint Security – Tokenization
[Diagram: synchronous (API call) and asynchronous (batch execution) paths through the API layers. The system layer reads the raw value ”abc” over jdbc; every hop above it carries only the token ”a57” over https, authenticated with an api key. A second variant of the diagram stores the token ”a57” itself over jdbc.]
• “https” all the way between the APIs
• Other APIs can use the token for data mapping or master/detail mapping without any extra detokenization step
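The token flow in the diagram, as an added Python example (not Anypoint Security's implementation): a hypothetical TokenVault tokenizes deterministically with an HMAC so that the same customer value always maps to the same token, the system APIs export only tokens, and a process-layer mashup joins customers and orders on the token alone, which is the "no extra detokenization step" the slide points to. The payloads and the vault key are constructed sample values.

```python
import hashlib
import hmac


class TokenVault:
    """Hypothetical tokenization service standing in for Anypoint Security tokenization
    in the diagram: the raw value ("abc") is swapped for a token ("a57") at the system
    layer, and the token-to-value mapping never leaves the vault."""

    def __init__(self, key: bytes, token_len: int = 8):
        self.key = key
        self.token_len = token_len
        self.vault = {}  # token -> raw value, the only place the mapping exists

    def tokenize(self, value: str) -> str:
        # HMAC-derived, so the same raw value always yields the same token; that is what
        # lets downstream APIs do master/detail mapping on tokens without detokenizing.
        token = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[: self.token_len]
        if self.vault.setdefault(token, value) != value:
            raise ValueError("token collision; increase token_len")
        return token

    def detokenize(self, token: str) -> str:
        return self.vault[token]


def export_tokenized(vault, records, field):
    """System-API side: replace the sensitive field with its token before it goes out over https."""
    return [{**r, field: vault.tokenize(r[field])} for r in records]


def join_on_token(customers, orders, field="customer"):
    """Process-API mashup: enrich each order with the customer tier, joining on the token only."""
    by_token = {c[field]: c for c in customers}
    return [{**o, "tier": by_token[o[field]]["tier"]} for o in orders if o[field] in by_token]


# Constructed sample payloads from two system APIs (not real data).
SAP_CUSTOMERS = [{"customer": "abc", "tier": "gold"}, {"customer": "xyz", "tier": "silver"}]
ORDERS = [{"order": 1, "customer": "abc"}, {"order": 2, "customer": "abc"}, {"order": 3, "customer": "xyz"}]


def demo(key=b"constructed-vault-key"):
    """Run both system APIs through the vault and mash their outputs up at the process layer."""
    vault = TokenVault(key)
    customers = export_tokenized(vault, SAP_CUSTOMERS, "customer")
    orders = export_tokenized(vault, ORDERS, "customer")
    return vault, customers, orders, join_on_token(customers, orders)
```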
• ISO 27001
• PCI-DSS Level 1
• SOC 2
• ITAR
• Application Logs:
– Log settings in CloudHub are overwritten by MuleSoft to avoid logging of sensitive data. The customer can request to disable the default logging, but then the customer is responsible for the compliance check.