
Jhansi is a product manager in the identity and access management space at Microsoft. She has a decade of experience with a demonstrated history of shipping enterprise as well as consumer products across endpoints like cloud, mobile and PC. She's spoken at several conferences, including TED, and storytelling is her swag claim to fame. She holds a world record in her name for making the world's largest fully solvable maze. We've got Ken, who's also been at Microsoft his entire career, working as a senior product manager and a recovering engineer across the Windows, MSN, Bing and identity divisions. Outside of work, Ken can frequently be found tweeting security memes on Twitter. Fun fact: he works on security, with 350k followers and follows; also follow Ken on Twitter.

I mean, claim to fame, you can't attend DEF CON 4. There were 150 people. Wow, yeah, wow. So the abstract from the talk: even though we all use identity and access systems everywhere in our lives every day, access control, ensuring users are able to do just the right amount of things in as seamless and unobtrusive a manner as possible, is still the most commonly misconfigured security weakness, currently ranking at number one on the OWASP Top 10 for 2021. This talk will discuss common access control problems, how to detect them in your apps and services, and how developers can avoid introducing them in the future by following best practices and recommendations. The talk builds on years of experience securing thousands of applications. It's going to be a useful time for IT managers and developers, both looking to secure their ecosystems. Give it up. Thank you. [Applause]

Am I in the mic? All right. Hey, so first of all, this community wouldn't exist if it wasn't for volunteers and for the organizers, so I want to just give a round of applause to all of the people that worked on the committees and the people helping out. So thanks, everyone, for that. It's been a very long time since I was in Dallas. My grandparents lived here and I haven't seen that much of it, but it's really nice to be back.

Just to start: broken access control. Broken access control is something that is incredibly important. It's something that shows up at the top of the OWASP Top 10. It seems obvious, but we're going to talk a little bit more about what it is and how we can try to actually solve this problem.

So the first thing I'd like to say is that even though we work together, we're not here representing work. We're not trying to sell you on anything, and we're going to try not to say the word cyber. The goal for this is to talk about how we can address the problem with the industry. Well, the fact that this is the top OWASP issue shows that even though it's obvious and everyone knows about it, whatever we're doing is not working, so there's more that we can do. That's the goal. Who are we? Well, we just had a wonderful introduction, so we can gloss over this a little bit.
So my name is Ken. I have a background primarily in engineering, and that's kind of how I come into this: reliability, and thinking about how we do design and architecture to have more ability to control the outcomes, and what we can do in our engineering processes to include security. Would you like to go next? Yeah, sure. Hey everybody, thanks for being here. This is Jhansi. I work for Microsoft, about five years old in the company, about one year old in identity though. Thank you so much for having us here. I think the charter that I deal with at Microsoft is roughly around crafting developer experiences when they're integrating with the Microsoft identity platform, which includes a set of authentication and authorization libraries and their platform experiences, and how we securely request access for data and resources, and so on and so forth, and all that stuff that counts under the privacy charter. That's roughly what I deal with. This is my first talk at any BSides. Does it go in the protocol to understand what the audience community is like? Are we having more developers here? Do we have architects? Do we have security personnel? What is the mix of audience like? Maybe I can ask some questions. How many of you guys are developers here? Yeah, okay. Architects? Application security architects? Okay. And anybody on the engineering side, engineering managers? Okay, awesome. Thank you so much for that. It gives me a good perspective of what we should really concentrate on, because there can be many flavors to any talk, as you understand. Sure, go ahead.

All right, first I'm going to start with a story. This isn't real, but I think you'll identify with it. Buzz, buzz. Late night phone call. The phone on the dresser starts lighting up the room. You sit up. Being on call is no fun. You go and take a look. "Hello?" "Yeah, security researchers found an exposed endpoint and we need someone to look into it." You start walking over to your machine, start booting it up. While you're doing that, you're looking through your email on your phone trying to figure out, you know, what are we trying to do here? Oh crap, I thought those servers were decommissioned last year. All right, the on-call engineers already shut off access to the machines and now it's up to us to start digging through the logs. That's not how you want to find out about access management.

How today is going to be, right: we'll start with what exactly access control policies are, what the issue is with them being broken, what the common broken access control issues are that we see in industry at large today, and how to sort of detect them, because it's clearly listed as a top vulnerability by OWASP. For any of you who are not familiar with OWASP, it's an open source non-profit standard that is committed to improving application security. So what they do is release these lists of top API vulnerabilities or security issues. You can find out more if you go to owasp.org, but for the year 2021 broken access control is listed as a top security vulnerability. So we're trying to draw your attention towards this particular issue: what exactly access control issues are, why they are broken, and in what forms they are broken. So we'll go ahead and see some of the common broken access control issues, how we detect them, because I think that's the first step to even address and solve them, and then we'll go ahead and cover some of the remediation steps. Then we'll also sort of observe what exactly manifests out of these broken access control issues. These are some of the small issues in your APIs, you know, relating to permissions, access management, elevated privileges and so forth, but they actually manifest into bigger damages in industry. We'll cover some of the massive data breaches that have happened and draw your attention towards that, just to emphasize that if they're not fixed at the code level, this is what they would manifest into a few years down the lane. Then we'll also talk about the best practices: how you can detect them, fix them, and sort of get closure over them in your code, in the production environment itself. That's the rough outline of this talk.

Now let's start with what exactly access control is. I'll start with the textbook definition. It goes like this: access control is identifying a person doing a specific job, authenticating them by looking at their identity, and then giving that person only the key to the door. The key here is "only": only the key to the door, or computer, or the resource that they need access to, and nothing more. As simple as that, right? Just identifying who the person is, trying to understand what he's trying to access, and just giving him that access. As simple as that. Well, it sounds very easy as per the definition, but then why is it listed as the top vulnerability today? That's what we're trying to understand. Now I think Ken will talk about what the common broken access control issues are that we see today.
Yeah. I promise we won't do any more definitions from standard textbooks; that was just the CISSP definition. All right, why is it so common? Most broken access control issues are logic errors; they're not code errors. You don't find them by compiling and seeing it not work, or things like that. It's hard to scan. It's not like buffer overflows and things that can be detected readily. Quite often, especially in larger organizations, you have gaps between ownership, where servers become lost, they just sort of drift out there in the wild, or you have gaps in teams where they don't quite connect, so the handoff from one team to another doesn't do the right verification, things like that. It's really important to point out that this also doesn't apply only to code and software. This is physical security; it deals with how your customer support gives customers access to their accounts and things; and it includes your system governance. If you've got tenant admins or people that are in charge of resetting the developer permissions or signing off on the permissions and things, all of those need to be thought about from the perspective of: what if someone got phished? Will they be able to just turn that into instant root access? But compliance enforcement unfortunately doesn't work that well, because typically compliance is based on checklists. As long as you do one, two, three, then you're compliant and then you can go off to the races. Ensure that you patch, don't roll your own crypto, avoid non-memory-safe languages: these are all good things to do and absolutely should be done, but when we're talking about broken access control it tends to be more about what the scenario is, and it requires more upfront time. So it's something where sometimes pulling in the right people to ask the right questions is really important. The developers are often assigned work without having as much of a connection with how it's being used by the customer, and that also can lead to a disconnect, very subtle, in how people understand the problem versus what they're actually implementing to fix the problem. We see it all the time in regular functional bugs; it also applies to this. And there's quite often a lack of documentation on what those assumptions are. Even when people are agreeing with what they're doing, it doesn't get documented, so it gets lost, and then later on, when people have to go in and do a bug fix or do something else, they don't know about those assumptions. An example of an assumption would be that only dogs can use doggy doors. So this is the only really great comedy slide, so please appreciate it. The main thing is that everything that we make assumptions on is disprovable; this is just the really obvious one.

All right, there are 34 weaknesses that are identified for broken access control. It's a really long list and a lot of them group into specific areas, so just to sum it up briefly: directory traversals, when people are given access to a specific location and then they're able to somehow worm their way out of it and go to other places. Elevated privileges, it's kind of self-explanatory, whenever you're able to do something you shouldn't be allowed to. Improper and missing authentication, where we don't actually know who it is, we're just giving them the stuff. I want to call out confused deputy in particular. It's a little bit vague in what the name is, but it's almost the definition of social engineering. Confused deputy is when you are able to convince some other actor to do things, using its credentials, that you want it to do. So a confused deputy would be like if you can ping a web server and get it to forward your ping with its own credentials, or, in the case of social engineering, you ask someone to just send you money. You can't directly ping their bank and get money, but the bank will trust them, so it works, right?

Okay, so do any of you have experience with any of these issues in your application development life cycle, or heard about it or read about it? Any interesting experiences to share? Otherwise I can share mine. So I heard about this story recently. Back when Apple was still not so solid on their privacy and security constructs, I guess, a particular student rookie called up Apple customer care and tried to update an existing Apple employee's profile with new credit card information. So he would give out his credit card information and get the details updated. Well, good so far, right? He would call up after a few days and verify himself by giving the credit card information, establish his identity, and then he now has access to everything, literally, regarding that account's profile, right from his other profile information to the data to the machines that he's logged into, and he had complete control and authority over it till the time it was detected and fixed. So I mean even things like that are broken access control. It's not necessarily what I put inside my code. Like Ken was trying to draw your attention to some time back, we're not just talking about software code practices which involve authentication and authorization experiences; we're also talking about the information access that is sometimes given over something like a customer support channel, or even physical access, let's say in a hospital, an unauthorized room or something. How do you sort of break out into that and get unauthorized access to information? So the umbrella of broken access control is really vast, and what we are trying to cover is some of the best practices so that you can avoid running into such issues.

Now why do we want to avoid running into such issues? Here's the answer: some of the major and visible damages that have happened because of having some sort of broken access control in your system. These are the top four incidents. So Experian has sort of leaked 24 million customers' data, and that has been in the news for a long time, and I think they had a lot of damage control to do so that they secure the customer information. So is the case with Adobe: I think about 7.7 to 8 million data records have been exposed in Adobe Creative Cloud. And also the recent social engineering attack with Uber, right? I think it was also about phishing the MFA process of authentication. So somebody was given the multi-factor authentication multiple times, and then he was approached on WhatsApp, he gave his details, and then, you know, the attacker got access into the entire system, and therefore they could sort of get hold of the source code as well. And another of the major examples is that about one million Clubhouse data records have also been exposed. So data breaches, phishing attacks, compromised identities, identity theft, stolen access and so on and so forth: broken access control has manifested itself into many and large damages in the industry in the past, which is why we want developers to be really, really aware of this as they start coding and they start putting policies and practices into their production environment. Now what can we do about it? I think Ken will cover how we identify them and how we sort of address them. Yeah, so I've got this broken into four parts.
So, auditing, because of all the things you don't know about. Auditing is not sexy, and every talk practically seems to say we should do more auditing; nobody ever does. So it's definitely a challenge, but it's not enough to just know the machines are there. You also need to know who owns them, who's responsible for them, and who we contact if there's an emergency. So that information is critical, and the more you can do the better. You need to also keep track of where backups are, file shares; it's not just specific machines, APIs. Modeling is a really powerful way to try to identify problems, especially around logic. Since we're talking about broken access control frequently being a logical issue, threat modeling of course is great; it's a standard. But state machines actually can work very well. If you're able to keep track of what the state of the user is, what the type of call is, and how it's supposed to move through the system, it's a better way to recognize when you move into a questionable state or you don't have the right controls in place. Finally, failure mode analysis, because when the system's working in its normal mode you might be hardened, but if it goes into a failover state or something you might have a lot of exposure. So it's important to just be paying attention to what our types of remediations are, the types of things we're likely to do, and if you think about it in the daytime, before, you know, the middle of the night, you can make better decisions.

Under processes: the processes are the things we put in place for controlling how we're doing things. So I'm just calling out again governance, governance just being what permissions you give to apps. Make sure that they have the least privileged permissions, that you're not giving broad ones just because it's easier and faster, but that you're able to dial it in so that if there is a compromise, then it minimizes the risk. It includes, if you're using production systems, and for big systems, you should make sure that no one person can make any change; every change should be reviewed and go through multiple stages, right? Just things like that. It's thinking about password resets, thinking about the common things that people do. We've already seen examples recently of attackers going through and compromising systems through the CI/CD pipeline, so thinking through how those things are set up is really important. And customer support is also: customer support people think of themselves as helpful, like helpers; they don't think of themselves as security guards. So making sure that they're aware. In the Apple case that was mentioned, the customer support person was being really nice. You know, John Doe calls up and says, here's my credit card number, I need to add it to my account. They say, oh yeah, of course, only John Doe would do that, we don't need to verify who you are. They add the credit card number, and then later, you know, five minutes later, the person calls back, gets a different agent, says, hi, I'm John Doe, and to prove it here's my credit card number. And then they just trusted him, because they didn't have controls around how the data... like, if they're going to use a credit card number as a password, they need to treat it like a password. Finally, specialists are always helpful, and there's a small number of specialists and there's a lot of engineers and a lot of challenges, so it's important to try to get the right people at the right time. And the further down this list you go, the more expensive it is; the sooner you find the bug, the less expensive it is to fix. So security reviews within your team, with the security PMs, with people that are available, is the best, but pen tests are still important for bigger releases, and of course bug bounties, so that at least when the good guys find it, then they can tell you.

This is kind of the thesis that I want to call out. The most important thing is communicating with your developers. Everyone in this room probably has a really strong security mindset, and if they were looking at the software they would find the problem and go, ah, this is definitely an issue, it needs to be fixed. The problem is that for every one of you there's a hundred other people that are maybe customer specialists, people that are very good at distributed computing or machine learning, but they're not necessarily thinking like an adversary, and they're not necessarily going to recognize this problem. So you don't scale. The only way to get that work done and to get the security in place is to build those relationships. I mean, shift left and DevSecOps are pretty popular now, but those concepts are that we need to have those relationships, and we need to build trust with the engineering community. We need to understand what their challenges are, because it's different on the infosec side than it is when you're under a lot of pressure to get that thing done by the end of Q3.

The best practices that I recommend: the more you can do as a leader is to foster a culture of curiosity. It's really easy to get into a rut, to just see your backlog and see all the things that need to happen. The more you can do to reward curious behavior and get people actually thinking about the world in a different way, kind of open your eyes, think about it again, bring in the big picture, think about the architecture, what's my role in this, and how do I make the whole system secure. That's a huge change in perspective. And as a leader, if you're able to send out positive emails to the manager of the people that do a good job of it, things like that, it's free, it doesn't cost you anything, it helps them at review time, and it does a huge amount to show leadership and to help drive the behavior you want to see. It doesn't always have to be a stick; carrots work really well. Negative testing, especially in a move-fast-break-things type of world: people go, does the unit test pass? It does? Great, ship it. They're not necessarily testing... as soon as it works the way it's supposed to, great, but you also need to make sure it doesn't work when it's not supposed to. There's a lot of ways that we would just miss, and people just aren't paying attention to, because of trying to get through their backlog and get to the next thing. All APIs are public.
If you have an internal API, it might currently be internal, but you shouldn't expect it will always be internal. It's just a good practice to always, you know, do defense in depth. This is the only time I'm going to say zero trust. Make sure that all of the places that you can put in hardness and make things more protected, the better, and so this is something that just shouldn't be skipped over. Eschew obfuscation. So eschewing it means, like, not doing it, but it's the most complicated way you can say it. So we can't depend on security through obscurity. The scanners are getting better and better and the worms are getting more and more sophisticated, and, you know, if we just leave things out there thinking they're not going to be found, then it's just a time bomb. And please don't use basic auth. The more you can use OAuth and strong cert protection the better. There's amazing technology now and there's no excuse for storing anyone's password.

All right, returning to the fictional story. This is a different experience, the same person as before, but now they're waiting in line for coffee in the morning. While they're skimming through their work emails they see that the decommissioning of the legacy service has been delayed again. Well, that happens. Getting customers to move off of these is hard. It's really hard. Naming things is the hardest, but after naming things, getting people to move off of old APIs and things is almost impossible. It always takes work. Fortunately, the owning teams already put together a data sheet; we know what data is on these things. And now they're going to have to provide a quarterly update to leadership to explain what they're going to do about it and how they're going to work with the customers to get off of it. Waking up, the person sees the barista is ready to take their order, and so they ask for a skinny grande vanilla latte. So whenever access control works, it's effortless, right? It's like networking: a network admin on a good day looks like they're not working, and on a bad day everything's on fire and it's horrible. So when we do it right, everything is better. So we just have to get to that point. Blue sky. All right, that's it for our presentation. Does anyone have any questions? Is this inspiring? Does it help you? I hope it gives you a different perspective. We could have gone through and just read a bunch of dictionary definitions, but there's a lot of information on the internet. The OWASP Top 10 is a great place to start. You can find a lot of information from the CISSP training. But I know the thing about the community and the thing about coming to BSides is the conversations in the hallway, hopefully a spark of inspiration that gives you something different that you weren't going to find, and now you know there are also some more buzzwords you can do searches on. So hopefully that helps. Question?
Oh, confused deputy? Yes, yes. Oh yeah, yeah.

Okay, perfect. Usually I'm the person in the chair saying that. Thank you. The question was, what was the deputy weakness, and the answer is confused deputy. Sometimes you'll see a picture of Barney Fife, you know, the deputy from the 1960s Andy Griffith Show. Basically, any time you can get someone else to make an action using their credentials instead of your own, instead of an on-behalf-of relationship, there's an opportunity to exploit it, right? Yes sir.
So the question is, how do I see the maturity of the tools available? So I'm biased because of where I work. A lot of the frameworks and things that we offer are around trying to help the tenant admins and the people that are responsible for overseeing their systems, all the users, what permissions are given, role-based access, ways that you can try to limit things. I wouldn't say that it's that mature. I would say that it's still an area that has a lot of room for improvement. UX can be better. The way that we work with customers, it's very confusing. So if you look at the industry leaders, so Microsoft, Okta, Ping, we all have visions that are somewhat similar about how we get people to not use passwords at all, like passwordless. The more prompts and things that we put in front of people, the more they hate it and want to go do something else. We learned from Vista that that's not a great experience for people, having a lot of security prompts. So really what we need to do is have the defaults be the best. Instead of asking people, do you want to do the right thing, we need to just make the right thing and then ask them if they want to do anything else other than the right thing, and make it hard. So inertia is a good tool for driving good behavior. As far as the tools go, I don't know. I think that we have some really interesting machine learning opportunities, looking for anomalous behavior, for the ability to do more automation, because cloud data is just so big. It's really difficult for any medium to large size company to stay on top of everything; it's a challenge. And so the more that we can do and pull in, and end-to-end encryption, endpoint control, like the bring-your-own-device things that are still something that, you know, opens us up to risk. So there's a lot of tools. The scanners are getting better, so that's both a good thing and a bad thing. Does that help? Any more questions? Sir.
Broken access, is that dropped in the specifications?

So yeah, the question was, when do the logic errors creep into the system? Is it during design, implementation, or running in production? All of the above. Quite often the initial design is great, and then when we go to implement it we make trade-offs and we start to say, oh well, it'll be more efficient if we do it this way, or we already have these systems and so we need to plug into them, and so then there's an opportunity for change. There's also a challenge where we tend to ship our org chart, so the code that's written tends to reflect the organization of the people working on the code as opposed to the smoothest design for big systems. So one of the ways that you can help avoid problems like this is if you have an independent consultant from the engineering team who is outside of the iterations. Right, if you're doing agile, agile has a tendency to make little tweaks as you're going, and sometimes it's not noticeable: as you make a slight adjustment to the right, and a slight adjustment to the right, and a slight adjustment to the right, many cycles later you're now pointing this way instead of this way. So sometimes having someone who's deliberately not involved, like a senior engineering manager or someone, come back in and look periodically, at the big checkpoints, can help to recognize when you've started to drift away. So APIs: the more you can use APIs the better. APIs as UX gives you a clear understanding of what the handshake is between these things, so that's a way of helping make sure that everyone's on the same page. The more that we do like passing files and things like that, the more likely we are to have, you know, strange things kind of crop up. Right, hopefully that helps.
Right, okay. Well, thank you all for having us. I hope that this was a helpful talk and that it's inspiring. I hope you have some really good conversations with engineering. You know, buy them donuts; they'll like it. And thanks again for having us. [Applause]
Yeah, yeah. Oh yeah, thank you. Sure. The process: you have some architect who, after marketing makes contact, maybe gets into doing requirements, and then they get handed off to development, and development, oh, what, they don't get to talk to the customer, so they get the derived requirements that you find on them. Yeah, it's very good, because my role in Microsoft, like one of my primary ones, is actually developer relations within Microsoft. So I work with teams around identity, so teams from Office to Xbox; when they need their identity permissions and solutions, then my team, like, we tell them best practices, we help them get the permissions.