Simple ways to make webhook security better
Fred
peace, love and good software @ ngrok

Webhooks
You see them
You ❤ them

Caveat 1
Most security responsibilities are on the listener
- Confidentiality: Authn, Authz
- Integrity: Message Integrity, Queueing
- Availability: DDoS

Caveat 2 Security doesn’t block success

Caveat 3 Lots of different ways to secure webhooks!

After seeing 100+ webhooks

1. Implementations + challenges
TL;DR
- 7 of 10 webhooks will present differences
- 4% of webhooks implement complete controls
https://blog.ngrok.com/posts/get-webhooks-secure-it-depends-a-field-guide-to-webhook-security

1. Implementations + challenges
Responsible developers
Tasks:
- read a bunch of docs
- implement beyond the happy path
- don't take it for granted
https://blog.ngrok.com/posts/get-webhooks-secure-it-depends-a-field-guide-to-webhook-security

How can we fix this?

catalog!

Webhook Providers
Best Practices
- Provide amazing documentation
- Implement security on egress
- Improve secret keys
- Use strong encryption & hashing
- Leverage signature payload
- Replay prevention
- Versioning
- Add compensatory controls

Webhook Providers
Easier: Copy the Greats!

Webhook Listeners
Best Practices
- Use HTTPS with strong ciphers
- Ensure you're using security
- Restrict requests by IP
- Storing secrets
- Segmenting secrets
- Rotating secrets
- Use robust signature algorithms
- Call back the service
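The provider-side items (sign the payload, replay prevention, versioning) and the listener-side items (robust signature algorithm, rotating secrets) are two halves of one flow. The following is an added example written for this page; it is not code from the talk or from ngrok. The signature header layout (`t=<ts>,kid=<key id>,v1=<hex digest>`), the key ids, the secrets and the event body are constructed assumptions modelled on schemes commonly used by webhook providers.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secrets for this example (not real keys). Keying them by a
# key id lets the provider roll a new secret while the listener still accepts
# the old one, then retire the old id once the cut-over is complete.
SECRETS = {
    "k1": b"retiring-secret-example",
    "k2": b"current-secret-example",
}
SUPPORTED_VERSIONS = ("v1",)   # signature scheme versions this listener understands


def sign(payload: bytes, secret: bytes, timestamp: int, key_id: str, version: str = "v1") -> str:
    """Provider side: HMAC-SHA256 over scheme version, timestamp and raw body.

    Covering the timestamp with the MAC is what makes the replay window below
    trustworthy: an attacker cannot refresh a captured delivery's timestamp.
    Header format is an assumption for this example:
        t=<unix ts>,kid=<key id>,v1=<hex digest>
    """
    msg = f"{version}:{timestamp}:".encode() + payload
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},kid={key_id},{version}={digest}"


def parse_signature_header(header: str) -> dict:
    """Split 'a=1,b=2' into a dict; items without '=' are ignored."""
    fields = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


class WebhookListener:
    """Listener side: verifies signatures, rejects stale and replayed deliveries."""

    def __init__(self, secrets: dict, tolerance_seconds: int = 300):
        self.secrets = dict(secrets)
        self.tolerance = tolerance_seconds
        self._seen = set()   # accepted digests (in-memory here; shared storage in production)

    def rotate_out(self, key_id: str) -> None:
        """Retire a key once the provider has fully moved to its successor."""
        self.secrets.pop(key_id, None)

    def verify(self, payload: bytes, header: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        fields = parse_signature_header(header)

        # 1. Timestamp must parse and fall inside the replay window.
        try:
            ts = int(fields["t"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.tolerance:
            return False

        # 2. Key id must name a secret we still trust (supports rotation).
        secret = self.secrets.get(fields.get("kid", ""))
        if secret is None:
            return False

        # 3. Only known scheme versions are accepted; unknown ones fail closed.
        version = next((v for v in SUPPORTED_VERSIONS if v in fields), None)
        if version is None:
            return False

        # 4. Recompute the MAC over the raw bytes and compare in constant time.
        expected = hmac.new(secret, f"{version}:{ts}:".encode() + payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, fields[version]):
            return False

        # 5. A valid signature seen before within the window is a replay.
        if expected in self._seen:
            return False
        self._seen.add(expected)
        return True


if __name__ == "__main__":
    body = b'{"id":"evt_123","type":"order.paid"}'   # constructed sample event
    header = sign(body, SECRETS["k2"], 1_700_000_000, "k2")
    listener = WebhookListener(SECRETS)
    print(listener.verify(body, header, now=1_700_000_010))   # first delivery: accepted
    print(listener.verify(body, header, now=1_700_000_010))   # same delivery again: rejected as replay
```

Verify against the raw request body before any JSON parsing, since re-serialising can change whitespace or key order and break the MAC. The replay set only needs to hold digests for the length of the tolerance window, so it can be pruned on the timestamp.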

Webhook Listeners
Easier: Learn from your Web App/API

As an Individual / Industry
Some standards
- IETF HTTP Message Signatures: Spec for signing HTTP messages. Applicable to webhooks. Part of the IETF Extensions Working Group.
- OpenID's Shared Signals and Events (SSE): Establishing a security framework for event notification. Focus on security solutions exchanging info. Relies heavily on webhooks as the protocol for events.
- CloudEvents: Specification for standardizing event data. The specification includes webhooks. Simplifying event declaration and delivery across systems. Active effort at the Cloud Native Computing Foundation (CNCF).
- REST Hooks: An initiative run by Zapier from 2013-2017. The goal was to create a collection of patterns for treating webhooks like subscriptions, with a minimum implementation walkthrough.

As an Individual / Industry
Easy-ish: Build Awareness

As an Individual / Industry
Ways to help us
https://webhooks.fyi
https://github.com/realadeel/awesome-webhooks
- Read, Contribute, Star, Share
- List your implementation or a provider you know

Thank you ❤
@sudobinbash @ngrokHQ