
Prevent "Top 25" software errors in your API with Security Mediation

Mar 10, 2011

The 2010 CWE/SANS Top 25 "Most Dangerous" Software Errors is out.   

Many of the Top 25 apply to your cloud APIs: 

  • Insecure Interaction Between Components
  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Cross-Site Request Forgery (CSRF)
  • Unrestricted Upload of File with Dangerous Type
  • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Information Exposure Through an Error Message
  • URL Redirection to Untrusted Site ('Open Redirect')
  • Race Condition

How can you address these for your APIs? 


Use a mediation layer for API security  

Fortunately, there are "Monster Mitigations". In the world of APIs, mediation can help.


Security is not just about authentication; it is primarily about trustworthy integration of two or more endpoints. With mediation, the two endpoints (the client and the API service) are now separated by the gateway service.

A mediation layer or gateway increases security between components by:

  • acting as a stateless integration hub that mediates data flows between APIs and their client endpoints or other API service machines.
  • performing authentication with support for SAML2 and OAuth2 session tokens.
  • introspecting the XML or JSON payload on the wire, making it possible to enforce fine grained authorization policies at the object and method level of the API.

Mediation makes threat mitigation easier. Without it, the developer has much more work to do to protect the confidentiality of the data in the system and preserve the integrity of the code and data while preventing denial-of-service attacks.

Got PEP? (Policy Enforcement Points)

A gateway is sometimes referred to as a policy enforcement point (PEP). The PEP Gateway interacts with a trusted Policy Decision Point (PDP) to perform authentication and to validate the credentials of the clients, and when tokens are involved, a PDP will also store and refresh OAuth tokens.

The PEP Gateway will also be able to enforce fine-grained access control authorization decisions by looking up business rule tuples in a Policy Information Point (PIP), which could be a database (SQL or KVS), flat files, LDAP, web services (SOAP, REST) or messaging (JMS).

Example: The number of transactions permitted per day is a value that can fluctuate based on the risk perceived in the marketplace. On Monday TxLimit=100, but this changes on Tuesday to TxLimit=500 after the Entitlements Manager changes the TxLimit policy for all users with the role DAYTRADERS.
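The TxLimit scenario as a runnable sketch, added here and not Apigee's code: the class names, the `authorize` method, the users, the dates and the in-memory dict standing in for the PIP are all assumptions. It shows the gateway reading the limit on every request, so Tuesday's policy change applies without touching gateway or API code, and a role with no rule is denied.

```python
from collections import defaultdict
from datetime import date

class PolicyInformationPoint:
    """Stand-in for the PIP (SQL, KVS or LDAP in a real deployment)."""
    def __init__(self):
        self._rules = {}  # (role, attribute) -> value

    def set_rule(self, role, attribute, value):
        self._rules[(role, attribute)] = value

    def lookup(self, role, attribute):
        return self._rules.get((role, attribute))  # None when no rule exists

class PepGateway:
    """Enforces the per-day transaction limit before routing to the API."""
    def __init__(self, pip):
        self.pip = pip
        # In-memory counter for this example only (assumption).
        self._counts = defaultdict(int)  # (user, day) -> allowed so far

    def authorize(self, user, role, day):
        # Look the limit up per request so a policy change applies at once.
        limit = self.pip.lookup(role, "TxLimit")
        if limit is None:
            return (False, "no TxLimit policy for role")  # fail closed
        if self._counts[(user, day)] >= limit:
            return (False, "TxLimit exceeded")
        self._counts[(user, day)] += 1
        return (True, "routed to API")

def run_scenario():
    pip = PolicyInformationPoint()
    pep = PepGateway(pip)
    monday, tuesday = date(2011, 3, 7), date(2011, 3, 8)  # constructed dates

    pip.set_rule("DAYTRADERS", "TxLimit", 100)
    mon = [pep.authorize("alice", "DAYTRADERS", monday)[0] for _ in range(101)]

    # The Entitlements Manager raises the limit; only the PIP entry changes.
    pip.set_rule("DAYTRADERS", "TxLimit", 500)
    tue = [pep.authorize("alice", "DAYTRADERS", tuesday)[0] for _ in range(501)]

    unknown = pep.authorize("bob", "INTERNS", tuesday)
    return sum(mon), sum(tue), unknown

if __name__ == "__main__":
    print(run_scenario())
```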

Close Porous Defenses 

An API Gateway mediates all interaction between identity providers and service providers in the cloud. This addresses Porous Defenses issues such as:

  • Improper Access Control (Authorization)
  • Reliance on Untrusted Inputs in a Security Decision
  • Missing Encryption of Sensitive Data
  • Use of Hard-coded Credentials
  • Missing Authentication for Critical Function
  • Incorrect Permission Assignment for Critical Resource
  • Use of a Broken or Risky Cryptographic Algorithm

Input validation can now be done at the edge of the cloud instead of in the application code, where, even if input validation is in place, the malicious code may be able to escape to a shell before the validation logic is able to execute.

Other benefits of a mediation layer or gateway

- Increased performance, scalability and capacity, and the ability to be rapidly provisioned in globally distributed locations.

- Take control of access control: issue OAuth2 tokens to API consumers.

- Avoid hard-coding integration credentials in code. Instead, create trust domains using mutual SSL key-based authentication, or use a token-based architecture such as SAML or OAuth. Encrypt data in front of and behind the gateway using the keys of your choice. The Apigee API Gateway will inspect traffic for XML threats and validate the signature of every payload prior to routing to the target API resource.

I'll cover more on this topic in another post.  In the meantime, we cover several API Security and OAuth issues in "Is your API Naked"  - our API management and operations whitepaper.


