Credential Rotation

At PayPal, we take security seriously. In the API world, the API client ID and client-secret are the counterparts of the username and password in the web world. Regularly changing passwords (password rotation) is a well-known security best practice, and the same applies to APIs: the client-secret your application uses with API providers such as PayPal should be rotated on a regular schedule. Scheduled rotation limits how long a leaked or stolen client-secret stays usable, which makes your app harder to compromise. For simplicity, the rest of this article refers to changing the API client-secret as API credential rotation.

To simplify credential rotation, we have made it available as a self-service feature on the Developer Portal, so that developers can rotate credentials on their own schedule.

Lifecycle of an API client-secret at PayPal

A client-secret is in one of three statuses:

  • Enabled: the client-secret can be used to authenticate your application for API integration.

  • Disabled: the client-secret cannot be used to authenticate your application. It can, however, be moved back to Enabled and made functional again.

  • Deleted: the client-secret is no longer available for use. Once deleted, a client-secret cannot be enabled or recovered.

An app can hold at most two client-secrets at any time, each of which is either Enabled or Disabled. This pair is what makes an overlap during rotation possible: a new secret is created alongside the old one rather than replacing it.

[Figure: PayPal REST application credential lifecycle]

Process of rotating a client-secret

Rotating your client-secret is straightforward and can be done in a self-service fashion on the Developer Portal. The steps below apply to both Live and Sandbox client-secrets.

1. Log in to the Developer Portal and open your REST app.

[Figure: List of REST apps in the PayPal Developer Portal]

2. Click the app to view its API client ID and client-secret.

[Figure: REST app details: client ID and client-secret]

3. Generate an additional client-secret as a backup to your existing Enabled credential. Both secrets are Enabled at this point, so your application keeps working on the old one while you switch.

[Figure: Generate an additional REST app credential]

4. Update your web or mobile application to use the newly generated credential.

5. Test your application and confirm that all PayPal API functionality works with the new credential.

6. Disable the old credential so that only one credential is active at a time.

[Figure: Disable the old REST app credential]
[Figure: The old REST app credential now shows as Disabled]

7. Re-validate that your application keeps working with the old credential disabled. This rules out any part of your deployment that is still using the old credential.

8. If anything breaks, re-enable the Disabled client-secret and troubleshoot. Disabled is reversible; Deleted is not.

9. Once validation succeeds, delete the old credential so that nobody on your team uses it by mistake. For security reasons a deleted credential cannot be recovered, so be certain that your application no longer depends on it before you delete it.

[Figure: Delete old REST app credentials]
[Figure: Confirmation that deleted credentials cannot be recovered]
[Figure: Old REST app credentials deleted]
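The nine steps above, together with the lifecycle rules from the previous section, as an added example that is not PayPal's code and not the Developer Portal's implementation: a small model of a REST app's client-secrets and a `rotate` function that drives steps 3 to 9 against it, falling back to step 8 when re-validation fails. The class names, the `sec-N` identifiers, the sample client ID and the `validate` hook are assumptions for illustration; the rules the model enforces (three statuses, at most two non-deleted secrets, Deleted is final, only an Enabled secret authenticates) are the ones the article states.

```python
from dataclasses import dataclass, field
from enum import Enum
from secrets import token_urlsafe


class Status(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    DELETED = "Deleted"


MAX_SECRETS = 2  # a REST app holds at most two client-secrets (Enabled or Disabled)


@dataclass
class ClientSecret:
    secret_id: str
    value: str
    status: Status = Status.ENABLED


@dataclass
class RestApp:
    """Provider-side view of one REST app and its client-secrets (hypothetical model)."""
    client_id: str
    secrets: list = field(default_factory=list)

    def _live(self):
        # Deleted secrets are gone for good; only Enabled/Disabled ones count toward the limit.
        return [s for s in self.secrets if s.status is not Status.DELETED]

    def _get(self, secret_id):
        for s in self.secrets:
            if s.secret_id == secret_id:
                return s
        raise KeyError(secret_id)

    def generate_secret(self) -> ClientSecret:
        if len(self._live()) >= MAX_SECRETS:
            raise RuntimeError("app already has two client-secrets; delete one first")
        s = ClientSecret(f"sec-{len(self.secrets) + 1}", token_urlsafe(32))
        self.secrets.append(s)
        return s

    def set_status(self, secret_id: str, status: Status) -> None:
        s = self._get(secret_id)
        if s.status is Status.DELETED:
            raise RuntimeError("a deleted client-secret cannot be enabled or recovered")
        s.status = status

    def authenticate(self, client_id: str, secret_value: str) -> bool:
        """What the token endpoint checks: only an Enabled secret of this app works."""
        return client_id == self.client_id and any(
            s.value == secret_value and s.status is Status.ENABLED for s in self.secrets)


def rotate(app: RestApp, config: dict, validate) -> str:
    """Steps 3-9 of the runbook above. `config` is the application's own credential
    config (what step 4 updates); `validate(config)` is the application's smoke test
    and must return True only if every PayPal call works with the given credentials."""
    old_id = config["secret_id"]
    new = app.generate_secret()                                      # step 3: backup secret
    config.update(secret_id=new.secret_id, client_secret=new.value)  # step 4: switch the app
    if not validate(config):                                         # step 5: test new secret
        config.update(secret_id=old_id, client_secret=app._get(old_id).value)
        app.set_status(new.secret_id, Status.DELETED)
        raise RuntimeError("new credential failed validation; old credential kept enabled")
    app.set_status(old_id, Status.DISABLED)                          # step 6: one active secret
    if not validate(config):                                         # step 7: re-validate
        app.set_status(old_id, Status.ENABLED)                       # step 8: roll back, troubleshoot
        raise RuntimeError("something still uses the old secret; re-enabled it")
    app.set_status(old_id, Status.DELETED)                           # step 9: irreversible
    return new.secret_id


if __name__ == "__main__":
    app = RestApp("AX-example-client-id")                            # constructed sample app
    first = app.generate_secret()
    config = {"client_id": app.client_id, "secret_id": first.secret_id,
              "client_secret": first.value}
    smoke_test = lambda c: app.authenticate(c["client_id"], c["client_secret"])
    print("rotated to", rotate(app, config, smoke_test))
    print([(s.secret_id, s.status.value) for s in app.secrets])
```

The two failure paths are the interesting part: if the new secret fails the step 5 test, the app is switched back and the unused secret is deleted so the two-secret limit is not consumed; if step 7 fails because some component still authenticates with the old secret, that secret is re-enabled rather than deleted, which is exactly why step 9 waits for a second validation.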

Best practices for credential rotation

  • Merchants and system integrators should define, document and agree on a standard process for client-secret rotation. Write a standard operating procedure (SOP) for credential management, including what to do on a suspected or confirmed credential breach. A well-defined process prevents a panic reaction and lets you handle a breach gracefully without hurting your customers or your business.

  • Unless it is an emergency (a known breach or bad actor), rotate your client-secret at a day and time when your mobile app or website sees little or no traffic.

  • Thoroughly validate that your application works with the new credential before deleting the existing client-secret.

  • Rotate client-secrets whenever your credential custodians (the individuals or developers who manage credentials for your organization or business) change.

  • If you suspect a credential has been compromised, you can disable it immediately. Be aware that your application will then stop working until you create a new credential, make sure it is Enabled, and update your application to use it.

  • Keep the API client ID and client-secret in a configuration file rather than hard-coding them in your code base, and keep that file out of source control. You can then roll out new credentials by updating configuration, without a code change, which shortens the time needed to activate them on your mobile app or website.

  • Delete Disabled credentials regularly once you have validated your application with the new client-secret. This ensures that compromised or stale credentials cannot be re-enabled by mistake, and it keeps the credential list short :)
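The last three bullets, as an added example that is not PayPal's code: the application side of a rotation. The credentials live in a JSON file the app can re-read, the client_credentials request to the `/v1/oauth2/token` endpoint is built from whatever the file currently holds, and a 401 triggers one reload of the file before giving up, so disabling the old secret does not require a redeploy. The file layout, the 0o600 permission, the `send` hook, the constructed sample values, the fake endpoint and its token format are assumptions; only the endpoint URL and the Basic-auth plus `grant_type=client_credentials` request shape are PayPal's.

```python
import base64
import json
import os
import tempfile
from urllib.parse import urlencode

# Sandbox token endpoint; Live uses api-m.paypal.com with the same path.
SANDBOX_TOKEN_URL = "https://api-m.sandbox.paypal.com/v1/oauth2/token"


def write_credentials(path: str, client_id: str, client_secret: str) -> None:
    """Write the credential file with owner-only permissions (assumed layout)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"client_id": client_id, "client_secret": client_secret}, f)


def load_credentials(path: str) -> dict:
    with open(path) as f:
        cfg = json.load(f)
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            raise ValueError(f"{key} missing from {path}")
    return cfg


def build_token_request(cfg: dict, url: str = SANDBOX_TOKEN_URL):
    """client_credentials grant: client_id:client_secret goes in HTTP Basic auth."""
    basic = base64.b64encode(f"{cfg['client_id']}:{cfg['client_secret']}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode({"grant_type": "client_credentials"})


class TokenClient:
    """Fetches access tokens. On a 401 it re-reads the credential file once and retries,
    so a client-secret rotated by editing that file takes effect without a restart."""

    def __init__(self, config_path: str, send):
        self.config_path = config_path
        self.send = send          # send(url, headers, body) -> (http_status, json_body)
        self.cfg = load_credentials(config_path)
        self.reloads = 0

    def get_token(self) -> str:
        status, body = self.send(*build_token_request(self.cfg))
        if status == 401:         # cached secret was Disabled or Deleted on the provider side
            self.cfg = load_credentials(self.config_path)
            self.reloads += 1
            status, body = self.send(*build_token_request(self.cfg))
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body}")
        return body["access_token"]


def fake_token_endpoint(enabled: set):
    """Constructed stand-in for the token endpoint: honours only Enabled (client_id, secret) pairs."""
    def send(url, headers, body):
        raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
        client_id, _, secret = raw.partition(":")
        if (client_id, secret) in enabled and body == "grant_type=client_credentials":
            return 200, {"access_token": f"A21AA-{secret}", "token_type": "Bearer"}
        return 401, {"error": "invalid_client"}
    return send


def rotation_demo():
    """Walks the runbook from the app's side; returns (token before, token after, reloads)."""
    client_id = "AX-example-client-id"                    # constructed sample values
    enabled = {(client_id, "old-secret")}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "paypal-credentials.json")
        write_credentials(path, client_id, "old-secret")
        client = TokenClient(path, fake_token_endpoint(enabled))
        before = client.get_token()
        enabled.add((client_id, "new-secret"))            # step 3: backup secret generated
        write_credentials(path, client_id, "new-secret")  # step 4: config updated, no redeploy
        enabled.discard((client_id, "old-secret"))        # step 6: old secret Disabled
        after = client.get_token()                        # 401 with cached secret -> reload -> OK
        return before, after, client.reloads


if __name__ == "__main__":
    print(rotation_demo())
```

The single reload is deliberate: a second 401 after re-reading the file means the file itself is wrong (or the secret was deleted), and that should surface as an error rather than a retry loop hammering the token endpoint.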

In conclusion, regularly rotating the client-secret associated with your applications is a security best practice. Use the self-service client-secret rotation feature on the Developer Portal on a regular schedule. For consistency, define, document and agree on a standard rotation process with the rest of your team, so that rotating an application's client-secret is never painful and no validation step with the newly generated client-secret is missed.

Translated from: https://medium.com/paypal-engineering/credential-rotation-d4b4cb834988
