
API Security Weekly: Issue #43



This week, we have a conference talk recording demonstrating API pen testing; see how the w3af web scanner can be used for APIs; look at SAP’s API security best practices; watch Cisco pay $8.6 million for not fixing vulnerabilities quickly.

Conference talks

The OWASP Global AppSec Tel Aviv conference has published a video recording of the “Testing and Hacking APIs” talk by Inon Shkedy.

Shkedy demonstrates approaches to API penetration testing, including:

  • Analyzing payloads and authentication
  • Broken object-level access control (aka IDOR)
  • Mass assignment
  • Improper data filtering
  • Expanding attack surface
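Three of the weaknesses in that list (broken object-level access control, mass assignment and improper data filtering) come down to missing checks in the handler. The following is an added example written for this issue, not code from Shkedy's talk; it uses a constructed in-memory profile store and hypothetical handler names to show the defensive pattern for each: an ownership check on the record, an allowlist of writable fields, and an allowlist of fields that reach the response.

```python
"""Added example (not from the talk): defensive checks for BOLA/IDOR,
mass assignment and improper data filtering in an API handler."""
from typing import Any

# Constructed sample data: two users, each owning one profile record.
PROFILES: dict[int, dict[str, Any]] = {
    1: {"id": 1, "owner_id": 100, "display_name": "alice",
        "email": "alice@example.invalid", "password_hash": "hash-a", "is_admin": False},
    2: {"id": 2, "owner_id": 200, "display_name": "bob",
        "email": "bob@example.invalid", "password_hash": "hash-b", "is_admin": False},
}

# Fields a client may change (mass-assignment allowlist).
WRITABLE_FIELDS = frozenset({"display_name", "email"})
# Fields that may be returned to the caller (data-filtering allowlist).
PUBLIC_FIELDS = ("id", "display_name", "email")


class ApiError(Exception):
    """Carries the HTTP-style status the endpoint would return."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def load_owned_profile(profile_id: int, caller_id: int) -> dict[str, Any]:
    """BOLA/IDOR check: the record must exist AND belong to the caller.
    Both failures map to 404 so the API does not confirm which ids exist."""
    record = PROFILES.get(profile_id)
    if record is None or record["owner_id"] != caller_id:
        raise ApiError(404, "profile not found")
    return record


def filter_response(record: dict[str, Any]) -> dict[str, Any]:
    """Data-filtering fix: serialize an explicit allowlist of fields instead of
    dumping the whole object (which would leak password_hash and is_admin)."""
    return {k: record[k] for k in PUBLIC_FIELDS}


def get_profile(profile_id: int, caller_id: int) -> dict[str, Any]:
    return filter_response(load_owned_profile(profile_id, caller_id))


def update_profile(profile_id: int, caller_id: int, body: dict[str, Any]) -> dict[str, Any]:
    """Mass-assignment fix: reject any key outside the allowlist rather than
    copying the request body onto the record."""
    record = load_owned_profile(profile_id, caller_id)
    unknown = set(body) - WRITABLE_FIELDS
    if unknown:
        raise ApiError(400, f"fields not writable: {sorted(unknown)}")
    for key, value in body.items():
        if not isinstance(value, str):
            raise ApiError(400, f"{key} must be a string")
    record.update(body)
    return filter_response(record)


def try_update(profile_id: int, caller_id: int, body: dict[str, Any]) -> int:
    """Return the status code the endpoint would send for this request."""
    try:
        update_profile(profile_id, caller_id, body)
        return 200
    except ApiError as err:
        return err.status


if __name__ == "__main__":
    print(get_profile(1, 100))                              # own record, filtered
    print(try_update(2, 100, {"display_name": "x"}))        # 404: caller is not the owner
    print(try_update(1, 100, {"is_admin": True}))           # 400: field not writable
    print(try_update(1, 100, {"display_name": "alice2"}))   # 200
```

The ownership check lives in one loader that every handler calls, so a new endpoint cannot forget it; the two allowlists are data rather than code, which makes a review of "what can be written" and "what can be read" a matter of inspecting two constants.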

Tools: w3af

Artem Smotrakov explains how the w3af web scanner can be used for REST API security testing. His article includes:

  • API discovery
  • Authentication
  • Disabling validation
  • Sample configuration
  • Context-specific parameters
  • Result analysis

Best practices

SAP has published their API Security Best Practices in a blog series. The posts naturally promote SAP’s own tooling, but the detailed practices can be useful regardless of which technology you use.

The discussed best practices include:

  • IP whitelisting
  • Rate limiting
  • Data masking
  • JSON/XML/SQL injection attacks
  • Logging
  • Alerting

Price of vulnerability

Cisco was fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product, which contained API vulnerabilities, to US federal and state agencies. The actual API flaws were a lack of user input validation and insufficient authentication. The basis for the fine is that Cisco ignored the security issues for a long time while continuing to sell the solution.

You can subscribe to this weekly newsletter at https://APIsecurity.io.


Published at DZone with permission of
