Simple ways to make webhook security better

A presentation at DevSecCon 2022 in December 2022 by Frederico Hakamine

Slide 1


Simple ways to make webhook security better. Fred: peace, love and good software @ ngrok

Slide 2


Webhooks. You see them. You ❤ them.

Slide 3


Caveat 1: Most security responsibilities are on the listener
- Confidentiality: Authn, Authz
- Integrity: Message integrity, queueing
- Availability: DDoS

Slide 4


Caveat 2: Security doesn't block success

Slide 5


Caveat 3: Lots of different ways to secure webhooks!

Slide 6


After seeing 100+ webhooks

Slide 7


1. Implementations + challenges. TL;DR: 7 of 10 webhooks will present differences; 4% of webhooks implement complete controls. Source: https://blog.ngrok.com/posts/get-webhooks-secure-it-depends-a-field-guide-to-webhook-security

Slide 8


1. Implementations + challenges. Responsible developers. Tasks:
- read a bunch of docs
- implement beyond the happy path
- don't take it for granted
Source: https://blog.ngrok.com/posts/get-webhooks-secure-it-depends-a-field-guide-to-webhook-security

Slide 9


How can we fix this?

Slide 10


Catalog!

Slide 11


Webhook Providers: Best Practices
- Provide amazing documentation
- Implement security on egress
- Improve secret keys
- Use strong encryption & hashing
- Leverage signature payload
- Replay prevention
- Versioning
- Add compensatory controls

Slide 12


Webhook Providers. Easier: Copy the Greats!

Slide 13


Webhook Listeners: Best Practices
- Use HTTPS with strong ciphers
- Ensure you're using security
- Restrict requests by IP
- Storing secrets
- Segmenting secrets
- Rotating secrets
- Use robust signature algorithms
- Call back the service
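The provider practices on slide 11 (signature payload, replay prevention, versioning) and the listener practices on slide 13 (robust signature algorithm, rotating secrets, constant-time verification) fit together in one small piece of code. The following is an added example written for this page; it is not code from the talk, from ngrok, or from any provider listed on webhooks.fyi. The header names, the `v1=` scheme prefix, the five-minute replay window and the sample event body are all assumptions chosen for the example.

```python
# Added example (not from the talk or from ngrok): a provider-side signer and
# a listener-side verifier that exercise the slide's practices together:
#   - HMAC-SHA256 over "<timestamp>.<raw body>" (signature bound to the payload)
#   - a timestamp and a replay window (replay prevention)
#   - a scheme version prefix on the signature header (versioning)
#   - constant-time comparison (listener side)
#   - a list of accepted secrets so the listener tolerates rotation
# Header names, version prefix and window size are assumptions for this example.
import hashlib
import hmac
import time
from typing import Dict, List, Optional

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"  # assumed header name
VERSION = "v1"                             # assumed signature scheme version
MAX_AGE_SECONDS = 300                      # assumed replay window


def _signing_input(timestamp: str, body: bytes) -> bytes:
    # The timestamp is part of the signed data, so an old body cannot be
    # replayed under a fresh timestamp, and a valid signature cannot be
    # moved onto a different body.
    return timestamp.encode() + b"." + body


def sign(secret: bytes, body: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """Provider side: return the headers to send alongside the raw body."""
    ts = str(int(time.time()) if now is None else now)
    mac = hmac.new(secret, _signing_input(ts, body), hashlib.sha256).hexdigest()
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: f"{VERSION}={mac}"}


def verify(secrets: List[bytes], headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Listener side: accept only a fresh, correctly versioned signature that
    matches one of the configured secrets (current first, previous next, so a
    rotation does not drop deliveries signed with the old key)."""
    ts = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER, "")
    if ts is None or not ts.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(ts)) > MAX_AGE_SECONDS:
        return False  # outside the replay window (or clock skew too large)
    version, _, provided = sig.partition("=")
    if version != VERSION or not provided:
        return False
    data = _signing_input(ts, body)
    for secret in secrets:
        expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking how many leading bytes matched.
        if hmac.compare_digest(expected, provided):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: one event delivered before and after a secret rotation.
    old_secret, new_secret = b"o" * 32, b"n" * 32
    body = b'{"event":"order.paid","id":"evt_1"}'
    headers = sign(old_secret, body)
    print("before rotation:", verify([old_secret], headers, body))
    print("after rotation (both accepted):", verify([new_secret, old_secret], headers, body))
    print("after old secret retired:", verify([new_secret], headers, body))
```

Verify the signature over the raw request bytes, before any JSON parsing or re-serialization; re-encoding the body changes whitespace and key order and will silently break the check.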

Slide 14


Webhook Listeners. Easier: Learn from your Web App/API

Slide 15


As an Individual / Industry: Some standards
- IETF HTTP Message Signatures: spec for signing HTTP messages. Applicable to webhooks. Part of the IETF Extensions Working Group.
- OpenID's Shared Signals and Events (SSE): establishing a security framework for event notification. Focus on security solutions exchanging info. Relies heavily on webhooks as the protocol for events.
- CloudEvents: specification for standardizing event data. The specification includes webhooks. Simplifying event declaration and delivery across systems. Active effort at the Cloud Native Computing Foundation (CNCF).
- REST Hooks: an initiative run by Zapier from 2013-2017. Goal was to create a collection of patterns for treating webhooks like subscriptions, with a minimum implementation walkthrough.

Slide 16


As an Individual / Industry. Easy-ish: Build Awareness

Slide 17


As an Individual / Industry: Ways to help us
- https://webhooks.fyi
- https://github.com/realadeel/awesome-webhooks
Read, contribute, star, share. List your implementation or a provider you know.

Slide 18


Thank you ❤ @sudobinbash @ngrokHQ