Tyk and OWASP Top Ten Threats
The Open Web Application Security Project (OWASP) provides a top ten threat awareness document compiled by security experts. The current version is 2017. For more details on the OWASP project visit https://www.owasp.org. Below are the 2017 top ten threats and how Tyk guards against them:
1 - Injection
Tyk does not validate incoming traffic for SQL injections or similar attacks, but you can use a 3rd party validator with a plugin, which will filter all requests. Additionally, you can protect yourself against DNS attacks, where your upstream could be compromised, by using certificate pinning.
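As an added example (not code from Tyk or from this page), this is the shape such a filtering plugin can take with Tyk's JavaScript middleware API: a strict allowlist schema for query parameters and the JSON body, rejecting anything outside it with a 400 before the upstream is contacted. The schema and its field names are assumed for illustration; a third-party validator library would be called from the same place.

```javascript
// Added example, not Tyk's own code: a Tyk JavaScript (JSVM) middleware enforcing an
// allowlist schema on query parameters and JSON body, rejecting unexpected input before
// it reaches the upstream. SCHEMA is constructed here; the TykJS API calls are Tyk's.
var SCHEMA = {
  id:    { type: "string", max: 36, pattern: /^[0-9a-f-]{1,36}$/i },
  limit: { type: "number", min: 1, max: 100 },
  name:  { type: "string", max: 64, pattern: /^[\w .'-]{1,64}$/ } // apostrophes are legitimate in names; the upstream must still use parameterised queries
};
// Validate one field against SCHEMA; null when valid, else a short reason. Unknown fields are rejected outright.
function validateField(key, val) {
  var rule = SCHEMA[key];
  if (!rule) return "unexpected field: " + key;
  if (rule.type === "number") {
    var n = typeof val === "string" && /^-?\d+$/.test(val) ? Number(val) : (typeof val === "number" ? val : NaN);
    if (isNaN(n)) return key + ": not a number";
    if (n < rule.min || n > rule.max) return key + ": out of range";
  } else if (typeof val !== "string" || val.length > rule.max || !rule.pattern.test(val)) return key + ": invalid value";
  return null;
}
// Check every query value (Tyk passes them as arrays of strings) and every top-level body field; null when acceptable.
function checkRequest(params, rawBody) {
  var key, i, reason, body;
  for (key in params) {
    if (!Object.prototype.hasOwnProperty.call(params, key)) continue;
    var vals = Array.isArray(params[key]) ? params[key] : [params[key]];
    for (i = 0; i < vals.length; i++) {
      if ((reason = validateField(key, vals[i])) !== null) return reason;
    }
  }
  if (rawBody) {
    try { body = JSON.parse(rawBody); } catch (e) { return "body is not valid JSON"; }
    if (body === null || typeof body !== "object" || Array.isArray(body)) return "body must be a JSON object";
    for (key in body) {
      if (Object.prototype.hasOwnProperty.call(body, key) && (reason = validateField(key, body[key])) !== null) return reason;
    }
  }
  return null;
}
// Register as a Tyk middleware only when running inside the gateway's JSVM.
if (typeof TykJS !== "undefined") {
  var inputFilter = new TykJS.TykMiddleware.NewMiddleware({});
  inputFilter.NewProcessRequest(function (request, session, config) {
    var reason = checkRequest(request.Params, request.Body);
    if (reason !== null) { // short-circuit: Tyk replies with this response and never contacts the upstream
      request.ReturnOverrides = { ResponseCode: 400, ResponseError: "rejected: " + reason };
    }
    return inputFilter.ReturnData(request, session.meta_data);
  });
}
```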
2 - Broken Authentication
One of Tyk's main functions is to handle authentication. So as long as the configured policy or created key has been set up correctly, Tyk will handle it.
3 - Sensitive Data Exposure
You can use the Tyk whitelist plugin to explicitly specify a list of allowed endpoints. You can also specify per-path access at a policy level in access rules. You can also use Tyk Analytics to check for anomalies.
4 - XML External Entities (XXE)
Tyk does not process XML unless this is explicitly specified with body transforms. Even if such transforms are performed, our processor does not evaluate external entity references.
5 - Broken Access Control
See numbers 2 and 3.
6 - Security Misconfiguration
Tyk can be configured with TLS with all the modern ciphers. Tyk does not expose sensitive data to logs or analytics unless specified by setting a higher log level, enabling key logging, or enabling detailed recording.
7 - Cross-Site Scripting (XSS)
Tyk does not work at this level, unless you write some custom logic in a plugin.
8 - Insecure Deserialization
Tyk usually acts as a centralized service bus, which reduces the deserialization work performed by individual services.
9 - Using Components with Known Vulnerabilities
Our patch release schedule is very agile, and in the case of security issues we close them as soon as possible. We try to upgrade any of our components in which vulnerabilities are found, and we try to compile Tyk with the latest stable version of Go.
10 - Insufficient Logging and Monitoring
Based on the OWASP logging cheat sheet, Tyk provides information and feedback in various ways:
- Logs of multiple verbosity, depending on your situation.
- Integration with 3rd party aggregated log and error tools - Tyk logger supports multiple back-ends such as Sentry, Graylog and Logstash.
- System level analytics exposed via StatsD and various other loggers (instrumentation).
- Request analytics with different ways of detailed recording at the request level and the key level. Data per request, including its content, can be viewed in real time in Tyk Dashboard. You can also choose to send the data to external services to analyze your logs.
- OpenTracing support, so that services with distributed tracing enabled can have their instrumentation work seamlessly with the Tyk Gateway.
- Event handlers - Tyk has the ability to configure APIs with event handlers to log data or fire webhooks when an event occurs. Events could represent an authentication failure, an exceeded rate limit, misuse of an API version and more.
- Monitors and events - Active monitoring of both users and organisations. Provides simple means of notifying stakeholders in the case of traffic abnormalities.
- Audit logs for the management layer - to record all activity and changes made by the users of the API Management layer.