Securing Insecure Prabath Siriwardena, WSO2 Twitter : @prabath
Jul 16, 2015
Securing Insecure
Prabath Siriwardena, WSO2
Twitter : @prabath
About the presenter (@prabath)
• 7+ years at WSO2
• Member of OASIS Identity Metasystem Interoperability (IMI)
TC,OASIS eXtensible Access Control Markup Language
(XACML) TC, OASIS Security Services (SAML) TC, OASIS
Identity in the Cloud TC and OASIS Cloud Authorization
(CloudAuthZ) TC
• Blog: http://blog.facilelogin.com
• Books:
Perception
Perception
Perception
Correctness
C-I-A
Confidentiality
Integrity
Availability
Correctness
The Weakest Link
Insider Attacks
Defense In Depth
Threat Modeling
Pattern 01
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via a single web application while they are
behind the company firewall. All the user data are stored in an Active Directory and the
web application is connected to it to authenticate users. The web application passes
logged in user’s identifier to the backend APIs and retrieves data related to the user.
Pattern 02
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via a single web application while they are
behind the company firewall. All the user data are stored in an Active Directory and the
web application is connected to it to authenticate users. The web application needs to
access the backend APIs on behalf of the logged in user.
Pattern 03
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via multiple web applications while they are
behind the company firewall. All the user data are stored in an Active Directory and all
the web applications are connected to a SAML 2.0 Identity Provider to authenticate
users. The web applications need to access backend APIs on behalf of the logged in
user.
Pattern 04
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via multiple web applications while they are
behind the company firewall. All the user data are stored in an Active Directory and all
the web applications are connected to a SAML 2.0 Identity Provider to authenticate
users. The web applications need to access backend APIs on behalf of the logged in
user. All the users are in a Windows domain and once they are logged into their
workstations – they should not be asked to provide credentials at any point for any other
application.
Pattern 05
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees as well as employees from trusted partners
via multiple web applications. All the internal user data are stored in an Active Directory
and all the web applications are connected to a SAML 2.0 Identity Provider to
authenticate users. The web applications need to access backend APIs on behalf of the
logged in user.
Pattern 06
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via multiple web applications while they are
behind the company firewall. All the user data are stored in an Active Directory and all
the web applications are connected to an OpenID Connect Identity Provider to
authenticate users. The web applications need to access backend APIs on behalf of the
logged in user.
Pattern 07
Problem Statement
A medium-scale enterprise in the finance industry needs to expose an API to its
customers through a mobile application. One major requirement is that all the API calls
should support non-repudiation.
Pattern 08
Problem Statement
A medium-scale enterprise that sells bottled water has a RESTful API (Water API),
which can be used to update the amount of water consumed by a registered user. These
APIs should be accessed by any registered user via any client application - could be an
android app, an iOS app or even a web application. The company only provides APIs
and anyone can develop client applications to consume those. All the user data are
stored in an Active Directory. Client applications should not be able to access the API
directly and query about users. Only registered users can access the API – and they
also should not be able to see other users information. At the same time for each
update by the user – the Water API must also update user’s health care record
maintained at the MyHealth.org. The user also has a user record at MyHealth.org and it
too exposes an API (MyHealth API). The Water API has to call MyHealth API to update
user record, on be half of the user.
Pattern 09
Problem Statement
A large-scale enterprise has a set of RESTful APIs. The APIs are hosted in different
departments and each department runs its own OAuth authorization server due to
vendor incompatibilities in different deployments. These APIs should only be accessed
by company employees via multiple web applications while they are behind the company
firewall – irrespective of the department they belong to. All the user data are stored in a
centralized Active Directory and all the web applications are connected to a centralized
OAuth Authorization Server (also supports OpenID Connect) to authenticate users. The
web applications need to access backend APIs on behalf of the logged in user. These
APIs may come from different departments – having their own authorization servers.
The company also has a centralized OAuth authorization server and an employee
having an access token from the centralized authorization server must be able to access
any API hosted in any department.
Pattern 10
Problem Statement
A global organization has APIs and API clients distributed across different regions. Each
region operates independent from each other. Currently both the clients and the APIs
are non-secured. Need to secure the APIs without doing any changes either at the API
end or at the client end.
Pattern 11
Problem Statement
A company wants to expose an API to its own employees. But the user credentials must
not ever go over the wire.
Pattern 12
Problem Statement
A medium-scale enterprise has a limited number of RESTful APIs. These APIs should
only be accessed by company employees via a single web application while they are
behind the company firewall. All the user data are stored in an Active Directory and the
web application is connected to it to authenticate users. The web application needs to
access the backend APIs on behalf of the logged in user. The backend API must
authorize the user.
Contact us !