API Transit Basics: Security
API Transit Basics: Security
AS APIs continue to gain in importance, so too must their security. Read on to get the opinions of, and some tips from, an API developer and advocate.
Join the DZone community and get the full member experience.Join For Free
This is a series of stories I’m doing as part of my API Transit work, trying to map out a simple journey that some of my clients can take to rethink some of the basics of their API strategy. I’m using a subway map visual, and experience to help map out the journey, which I’m calling API transit–leveraging the verb form of transit, to describe what every API should go through.
Hopefully, you already have your own security practices in place, with the ability to scan for vulnerabilities and understand where security problems might exist. If you do, I’m guessing you probably already have procedures and protocols around reporting, and handling security problems across teams. Ideally, your API security practices are more about prevention than they are about responding to a crisis, but your overall strategy should have plans in place for addressing both ends of the spectrum.
Unfortunately, in the wider API space, much of the conversation around API security has been slowed by many people feeling like their API management solutions were doing everything that is needed. Luckily, in 2017 we began to see this thaw a bit and some API security-focused solutions began to appear on the market, and some existing players began tuning into to address the specific concerns of API security, beyond the desktop, web, and other common areas of concern.
- Scanning APIs with OWASP Zap - OWASP is the top place for understanding security vulnerabilities of web applications, and they are expanding their focus to include APIs.
- 42 Crunch - A new, OpenAPI-driven API security solution for helping deliver policies across API operations.
- OWASP REST Security Cheat Sheet - A checklist of considerations when it comes to API security out of OWASP.
After crafting this stop along the API lifecycle I wanted to make sure and include API discovery in the conversation. API definitions like OpenAPI and a solid API discovery strategy help provide the details of the surface area of API operations, allowing for easier scanning and securing of existing infrastructure. Another area that significantly introduces security benefits is making logging a first-class citizen, allowing the DNS, gateway, code, server, and database layers to be analyzed for vulnerabilities.
I prefer keeping this security stop short and sweet, as I know from experience that not all my readers have a strategy in place, and I want to give them a handful of options to consider as they look to get started. Many groups have been focusing on web and mobile security, but are just getting started thinking about API security. As APIs move out of the shadows behind mobile applications, and the number of threats increases, companies, institutions, and government agencies are getting more nervous, increasing the need for more API security storytelling.
Published at DZone with permission of Kin Lane , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.