Issue 5: Bad TLS client authentication, how not to use cURL, State of Software Security
Do not use TLS client authentication, unless you are already on TLS 1.3. With TLS 1.2 and earlier, when you use client authentication, the client certificate is transmitted in the clear. This contains enough information to uniquely identify the user.
Hundreds of thousands of projects use cURL and purposefully disable the verification of TLS host and SSL certificate authority (CA). The aim is to avoid error messages and failures if the local storage is missing up-to-date CA lists, but lacking these verifications makes you extremely vulnerable to the man-in-the-middle attacks. Scott Arciszewski reported the issue and created the Certainty PHP library to auto-refresh the CA lists.
A security researcher has reported a Google Home Hub vulnerability this week which Google is denying. The researcher is claiming that Google is effectively betting on security by obscurity. Google Home Hub is built on top of the Chromecast platform that has an undocumented API for enrolling new devices. The API requires that the device is on the same WiFi network as the Google Home Hub but has no authentication beyond that.
Isabelle Mauny, CTO and co-founder of 42Crunch, has posted slides from her “Better API Security with Automation” session at the Nordic APIs conference.
The latest State of Software Security report by Veracode is out. It is a 60-page report with lots of insights and details. A couple of API-related highlights include:
1. Information Leakage is the number one vulnerability category, 66.9% of apps had that!
2. DevSecOps helps a lot. The leaders in DevSecOps practices manage to reduce fix times up to 11.5 times faster than a traditional organization.
OpenAPI Initiative turns 3! The OpenAPI specification is a Linux Foundation project. It has become the industry standard for API definitions, has gotten all the major players in the industry on board, and has enabled the whole ecosystem around APIs.
Craig Borysowich is doing a series of articles on API microservice security at Toolbox for IT, covering all the aspects layer by layer. He has already posted overviews on SSL Layer, PKI Layer, Identity Enforcement, Content Validation Layer, and Security Architecture Layer.
API Security tips from Tolga Tavlas, the author of “Digital Banking Tips”:
- Use HTTPS.
- Only expose on your API what really needs to be exposed.
- Educate your developers.
- Do not trust API consumers.
- Beware of the three most popular attack types: parameter attacks, identity attacks, and man-in-the-middle attacks.