
Security Assurance of REST API based applications PDF

105 Pages·2017·0.88 MB·English

Preview Security Assurance of REST API based applications

Security Assurance of REST API based applications
Nishu Prasher
Master in Information Security
Submission date: June 2018
Supervisor: Basel Katt, IIK
Norwegian University of Science and Technology, Department of Information Security and Communication Technology

Preface

This Master thesis is submitted to complete a three year part-time study program in Master of Information Security (MIS) at NTNU, Gjøvik. The project was carried out during the spring semester 2018, in cooperation with Statistics Norway. The idea of the project was suggested by my supervisor, Associate Professor Basel Katt at the Department of Information Security and Communication Technology. The topic was discussed with the management at Statistics Norway, and it was chosen after recognizing that the topic complied with the company's needs and objectives.

The intended readers for this thesis are security testers, security architects, developers and managers, particularly security managers. The readers should be familiar with basic concepts of security related terms and REST API technology.

01-06-2018

Acknowledgments

My foremost thanks to Almighty for giving me knowledge, strength and opportunity to undertake this research.

I would like to thank my supervisor Basel Katt, who has given me valuable guidance throughout the work. This thesis could not be completed without his help.

I would also like to thank my colleagues at Statistics Norway. From the management, thanks to Erik Øvrum for giving me the opportunity to complete my master's degree. Thanks to Even Lysen, who has contributed to the security testing process. Many thanks to Agata Wrzos-Kaminska and Hilde Madsen for the valuable discussions and inputs during the work. Thanks to Rune Johansen and other colleagues in the developer team for sharing their technical knowledge of the case studies.

Last but not the least I would like to express my gratitude towards my family for their support during this work. I have spent precious family time on week-ends and vacations to finish this work. Jeinender, you are my rock, this could not have been accomplished without your support. My daughters Argha & Kashvi, thank you for being patient and understanding. Thanks to my mother for feeding me dinners on busy days.

N.P.

Abstract

Security assurance is the confidence that a system meets its security requirements, based on specific evidence that an assurance technique provides. In this thesis, I have proposed a quantification method which aims to develop security assurance profiles by measuring the level of security of a REST API. The notion of measuring security is complex and tricky; existing approaches are often based on manual review and time consuming tasks. In addition, there is little research work done on quantification of security assurance for REST APIs.

A common perspective has been to focus on the vulnerabilities of a system while security testing. However, security requirements tend not to get enough attention during a security test. The main approach of this thesis was to look at both requirements and vulnerabilities to accomplish a level of security assurance. Appropriate metrics were defined to reflect the requirement fulfillment and the vulnerability presence. The requirements were declared to be fulfilled if their associated security mechanisms were present. Vulnerabilities were on the other hand sorted into their relevant categories and assigned a risk score. The security assurance metric was defined as an equation where the vulnerability metric was subtracted from the requirement metric.

The case studies were carried out at Statistics Norway, where the author is employed. Analyses showed that the API with the most security mechanisms implemented got a slightly higher security assurance score. This was due to the fact that the vulnerabilities were considered more harmful in one of the cases as the security objectives diverged.

The proposed quantification method can be re-used on any other domain, by altering the lists of requirements and vulnerabilities.

Contents

Preface (i)
Acknowledgments (iii)
Abstract (v)
Contents (vii)
List of Figures (xi)
List of Tables (xiii)
1 Introduction (1)
  1.1 Topic Description (1)
  1.2 Keywords (2)
  1.3 Problem description (2)
  1.4 Justification, motivation and benefits (3)
  1.5 Research questions (3)
  1.6 Choice of methods (3)
  1.7 Claimed contributions (4)
  1.8 Chosen Case Studies (4)
    1.8.1 PX-API (5)
    1.8.2 TS-API (6)
  1.9 Thesis Outline (7)
2 Background (9)
  2.1 Definition of REST & API (9)
    2.1.1 Design Responses (10)
    2.1.2 HATEOAS (11)
    2.1.3 Simple & Stateless (11)
    2.1.4 REST API Security (11)
    2.1.5 UnRESTful security measures (12)
  2.2 Related Work (12)
    2.2.1 Various Security Assurance Frameworks (12)
    2.2.2 Security testing of REST API (14)
    2.2.3 Standards available (15)
    2.2.4 Quantification methods (15)
    2.2.5 Summary of Related Work (16)
3 Methodology (17)
  3.1 Qualitative Methods (17)
  3.2 Quantitative Methods (18)
  3.3 Case study (19)
4 Design (21)
  4.1 Basic Concepts (21)
  4.2 Process Development (22)
  4.3 Modeling the API (23)
    4.3.1 Hidden APIs (24)
  4.4 Eliciting Security Elements (24)
    4.4.1 Selection of Requirements (25)
    4.4.2 List of Requirements (25)
    4.4.3 Selection of Vulnerabilities (26)
    4.4.4 List of Security Vulnerabilities (27)
  4.5 API Security Testing (28)
    4.5.1 Tool selection (29)
  4.6 Apply Metrics & Quantify Assurance (30)
5 Quantifiable Metrics (31)
  5.1 Importance of Metrics and Measurement (31)
  5.2 Security Assurance Models (32)
    5.2.1 Requirement & Vulnerability Metrics (32)
    5.2.2 Existence score (34)
    5.2.3 Weights (34)
  5.3 Risk Models (35)
    5.3.1 DREAD (35)
    5.3.2 CVSS (36)
    5.3.3 Evaluation of Risk models (39)
  5.4 Scale Consideration & Normalization (39)
6 Case study & Results (41)
  6.1 Case study 1: PX-API (41)
    6.1.1 UML Diagram (42)
    6.1.2 Requirements review of PX-API (43)
    6.1.3 Vulnerability inspection of PX-API (46)
    6.1.4 Risk Modeling of PX-API (47)
    6.1.5 Security Assurance Score (AM) for PX-API (48)
  6.2 Case Study 2: TS-API (49)
    6.2.1 Requirement check (49)
    6.2.2 Vulnerability check (51)
    6.2.3 Risk Modeling (51)
    6.2.4 Security Assurance Score (AM) for TS-API (53)
  6.3 Summary Result (54)

Description:
Mulesoft[11] gives a real-life example of an API. If you are using a .. measure security by normal means, but instead use a decision-theoretic method.
