API Security Flashcards
AuthN Endpoint with Authorization service
Advantages: supports clients written in any language, and aligns with the single-responsibility and single-source-of-truth principles (one service decides who a caller is)
Delegated Authorization
- store permissions in user service
- send permissions as part of /authenticate response payload
- downstream API determines user access based on permissions present
Stateful Service Management
1.) replicate the session data across all of the web servers
Cons: replication adds performance and cost overhead and increases complexity
2.) use a central session store that each web server connects to
Cons: a central store becomes a scaling bottleneck and adds a network round trip of latency to every request
3.) ensure that a given user always hits the same web server (sticky sessions)
Cons: confining users to a specific server ties their session to that server's availability; if it goes down, their sessions are lost
Client Side Sessions
Pushing the session data to the browser has some obvious advantages:
- the data is always available, regardless of which machine is serving a user
- there is no state to manage on servers
- nothing needs to be replicated between the web servers
- new web servers can be added instantly
Cons:
Can’t trust the client not to tamper with the cookie
Solution: encrypt and sign (authenticate) the cookie with a key held only by the server, so any modification is detected and the contents stay private (e.g. the Node client-sessions library)
Can’t revoke a session once it has been issued
Solution: store the session token in the user table as well as in the cookie and compare the two on every request; most API calls read the user table anyway, so the extra lookup is cheap
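The following is an added Python example, not code from the original notes, that implements both the delegated-authorization pattern above (permissions carried in the session issued by /authenticate and checked by the downstream API) and the two client-side session fixes: an HMAC-SHA256 signature over the cookie so tampering is detected, and a session token mirrored in the user table so a session can be revoked. USER_TABLE, issue_session, verify_session, forge_permission and authorize are this example's own names, and the user rows are constructed sample data. It signs but does not encrypt the payload, so it provides integrity rather than confidentiality; an authenticated-encryption cipher such as AES-GCM would add the latter.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: in a real deployment this key comes from a secret store and is
# rotated; here it is generated fresh per process.
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the user table. Each row keeps the currently valid
# session token so a session can be revoked by clearing (or rotating) it.
USER_TABLE = {
    "alice": {"permissions": ["orders:read", "orders:write"], "session_token": None},
    "bob": {"permissions": ["orders:read"], "session_token": None},
}

SESSION_TTL = 3600  # seconds a session stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(payload: dict) -> bytes:
    # Canonical JSON so the bytes that are signed are the bytes that are verified.
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def issue_session(username: str, now: Optional[float] = None) -> str:
    """What /authenticate does after the credentials check out.

    Builds the payload (subject, permissions, expiry, random token), records
    the token in the user table, and returns "<b64(payload)>.<b64(hmac)>".
    """
    now = time.time() if now is None else now
    user = USER_TABLE[username]
    token = secrets.token_urlsafe(16)
    user["session_token"] = token
    body = _encode({"sub": username, "perms": user["permissions"],
                    "exp": int(now) + SESSION_TTL, "tok": token})
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_session(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Run by any API server on each request; returns the payload or None.

    Rejects a malformed cookie, a bad signature (tampering), an expired
    session, and a token that no longer matches the user table (revocation).
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = cookie.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    payload = json.loads(body)
    if payload.get("exp", 0) <= now:
        return None
    user = USER_TABLE.get(payload.get("sub"))
    if user is None or user["session_token"] is None:
        return None
    if not hmac.compare_digest(user["session_token"], str(payload.get("tok", ""))):
        return None
    return payload


def revoke_session(username: str) -> None:
    """Log the user out everywhere: their cookies still carry a valid MAC
    but no longer match the token in the user table."""
    USER_TABLE[username]["session_token"] = None


def authorize(session: Optional[dict], required_perm: str) -> bool:
    """Downstream API check, decided from the permissions in the session."""
    return session is not None and required_perm in session["perms"]


def forge_permission(cookie: str, perm: str) -> str:
    """What an attacker without SERVER_KEY can try: edit the payload and
    replay the original tag. verify_session must reject the result."""
    body_b64, tag_b64 = cookie.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["perms"].append(perm)
    return f"{_b64(_encode(payload))}.{tag_b64}"


if __name__ == "__main__":
    c = issue_session("bob")
    print(authorize(verify_session(c), "orders:read"))                 # True
    print(verify_session(forge_permission(c, "orders:write")) is None)  # True
```

The revocation check costs one read of the user row, which is the trade the notes describe: the session stays client-side and replication-free, and the only server state is a token the request handler would have fetched anyway.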
API Styles
Remote Procedure Call: APIs expose a set of procedures or functions that can be called by clients over a network connection. The RPC style is designed to resemble normal procedure calls as if the API were provided locally. RPC APIs often use compact binary formats for messages and are very efficient, but usually require the client to install specific libraries (known as stubs) that work with a single API. The gRPC framework from Google (https://grpc.io) is an example of a modern RPC approach. The older SOAP (Simple Object Access Protocol) framework, which uses XML for messages, is still widely deployed.
Remote Method Invocation: A variant of the RPC style known as Remote Method Invocation (RMI) uses object-oriented techniques to allow clients to call methods on remote objects as if they were local. RMI approaches used to be very popular, with technologies such as CORBA and Enterprise Java Beans (EJBs) often used for building large enterprise systems. The complexity of these frameworks has led to a decline in their use.
REST: The REST (REpresentational State Transfer) style was developed by Roy Fielding to describe the principles that led to the success of HTTP and the web and was later adapted as a set of principles for API design. In contrast to RPC, RESTful APIs emphasize standard message formats and a small number of generic operations to reduce the coupling between a client and a specific API. Using hyperlinks to navigate the API reduces the risk of clients breaking as the API evolves over time.
Some APIs are mostly concerned with efficient querying and filtering of large data sets, such as SQL databases or the GraphQL framework from Facebook (https://graphql.org). In these cases, the API often only provides a few operations and a complex query language allows the client significant control over what data is returned.
API Security - 3 Parts
InfoSec:
- Define security goals and identify threats
- Protect your APIs using access control techniques
- Secure information using applied cryptography
Network Security:
- The basic infrastructure used to protect an API on the internet, including firewalls, load balancers, and reverse proxies
- Use of secure protocols such as HTTPS to protect data transmitted to or from your API
Application Security:
- Secure coding techniques
- Common software security vulnerabilities
- How to store and manage system and user credentials used to access your APIs
API Network Architecture
API Security Lifecycle
Dataflow Diagram
STRIDE
Spoofing: Pretending to be somebody else
Tampering: Altering data, messages, or settings
Repudiation: Denying that you did something that you really did
Information disclosure: Revealing information that should be kept private
Denial of service: Preventing legitimate users from accessing the API
Elevation of privilege: Gaining access to functionality you’re not supposed to have access to
API Security Mechanisms
- Encryption ensures that data can’t be read by unauthorized parties, either in transit between the API and a client or at rest in a database or filesystem. Authenticated encryption modes (such as AES-GCM) also detect any modification of the data by an attacker; plain encryption alone does not.
- Authentication is the process of ensuring that your users and clients are who they say they are.
- Access control (also known as authorization) is the process of ensuring that every request made to your API is appropriately authorized.
- Audit logging is used to ensure that all operations are recorded to allow accountability and proper monitoring of the API.
- Rate-limiting is used to prevent any one user (or group of users) from consuming all of the resources and denying access to legitimate users.
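As an added example, not taken from the original notes, the following Python implements the rate-limiting mechanism as a per-client token bucket with an injectable clock, so the burst-then-sustain behaviour can be checked deterministically. TokenBucketLimiter, handle_request, simulate and the client ids in SAMPLE_EVENTS are this example's own; the event list is constructed sample input.

```python
import math
import time
from typing import Dict, List, Optional, Tuple


class TokenBucketLimiter:
    """Per-client token bucket.

    Each client starts with `capacity` tokens, spends one per request and
    regains `rate` tokens per second up to `capacity`, so it may burst up to
    `capacity` requests and then sustain `rate` requests per second.
    Keying on a client id (API key, user id or source address) means one
    misbehaving client cannot drain the budget of the others.
    """

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate = rate
        self.capacity = capacity
        self._buckets: Dict[str, Tuple[float, float]] = {}  # id -> (tokens, last_seen)

    def _refill(self, client_id: str, now: float) -> float:
        tokens, last = self._buckets.get(client_id, (float(self.capacity), now))
        return min(float(self.capacity), tokens + (now - last) * self.rate)

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        """Consume one token if one is available. `now` is injectable for tests."""
        now = time.monotonic() if now is None else now
        tokens = self._refill(client_id, now)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)
        return False

    def retry_after(self, client_id: str, now: Optional[float] = None) -> float:
        """Seconds until the client will hold a whole token again."""
        now = time.monotonic() if now is None else now
        tokens = self._refill(client_id, now)
        return 0.0 if tokens >= 1.0 else (1.0 - tokens) / self.rate


def handle_request(limiter: TokenBucketLimiter, client_id: str,
                   now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Request gate: 200 when a token is available, otherwise 429 with a
    Retry-After header (rounded up to whole seconds, as HTTP expects)."""
    if limiter.allow(client_id, now):
        return 200, {}
    return 429, {"Retry-After": str(math.ceil(limiter.retry_after(client_id, now)))}


# Constructed sample traffic: (timestamp, client id). "scraper" fires eight
# requests in the same second; "mobile-app" sends one per second.
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(0.0, "scraper")] * 8 + [(0.0, "mobile-app"), (1.0, "mobile-app"), (2.0, "mobile-app")]
)


def simulate(limiter: TokenBucketLimiter,
             events: List[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Replay events in order; returns {client: (accepted, rejected)}."""
    counts: Dict[str, List[int]] = {}
    for ts, client in sorted(events, key=lambda e: e[0]):
        status, _ = handle_request(limiter, client, ts)
        counts.setdefault(client, [0, 0])[0 if status == 200 else 1] += 1
    return {k: (v[0], v[1]) for k, v in counts.items()}


if __name__ == "__main__":
    # burst of 5, then 2 requests/second sustained
    print(simulate(TokenBucketLimiter(rate=2.0, capacity=5), SAMPLE_EVENTS))
```

Because the bucket is keyed per client, the scraper exhausts only its own budget and the well-behaved client is never rejected, which is the property the flashcard describes. In a multi-server deployment the bucket state has the same placement question as session state: it either lives in a shared store or is enforced at the load balancer or reverse proxy in front of the API servers.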
API Security Layering