Welcome to this month's edition of the Security Roundup! Today, we're going to look at all the best content on DZone and across the web relating to the security of APIs. As APIs become a more and more important aspect of development, their security is garnering increased attention. So read on to see what experts from various fields, including security, web development, and microservices, have to say about securing your API!
And, as a quick side note, if you're interested in writing for DZone, but don't have a topic in mind, come check out our Bounty Board, where you can win prizes for providing great content!
Security, the AP of My I
Secure Your APIs by Josh Begleiter. This article draws on the principles of network security, systems security, and application security to explain how API security is no different from these other subfields and borrows heavily from them.
API Throttling Made Easy by Nishanth Kadiyala. This article provides an introductory look at the technique of API throttling (deciding "whether certain API calls are valid or not"), explains how throttling adds an extra layer of security to your backend and the resources stored there, and surveys the various types of throttling.
Top 5 REST API Security Guidelines by Guy Levin. A blast from the past! This article, originally posted to DZone in 2016, is still one of the most viewed articles in our Security Zone, which goes to show how many problems have gone unsolved. This article gives a great overview of authentication, output encoding, cryptography, HTTP status codes, and input validation.
Implementing JWT Authentication on Spring Boot APIs by Bruno Krebs. A web developer shows how you can add an extra layer of security to your web application and the APIs it draws upon by using JSON Web Token-based authentication.
Advanced Microservices Security With Spring and OAuth2 by Piotr Minkowski. A great overview of securing your API gateway, setting up authorization for access to your API, and securing the services your API offers.
The Best From the Rest
Google's Recaptcha Cracked Again by Tom Spring. A look at how University of Maryland researchers used one of Google's own APIs to break its Recaptcha tool, which is supposed to offer increased security to users.
Best Practices for Securely Storing API Keys by Bruno Pedro. An overview of some great tools you can use to keep your API keys safe and sound from prying eyes.
DOSarrest Releases New API via Globe Newswire. A brief article explaining the details behind this new API, which allows developers to use this Security as a Service offering in their applications, and what vulnerabilities this API was meant to help guard against.
DZone Publications on API Security
RESTful API Lifecycle Management Refcard by John Vester. In this Refcard, familiarize yourself with the benefits of a managed API lifecycle and walk through specific examples of using RAML to design your API. Section 5 covers API security!
DZone's Guide to Integration: API Design and Management featuring articles by John Vester, Guy Levin, Piotr Minkowski, Kin Lane, Ross Garrett, and Tom Smith. Though the field of integration has been around for ages, the industry is still ripe for some major changes. Significant developments in tools like Kafka, microservice architectures, and container technologies require up-to-date knowledge of integrating systems. The 2017 Guide to Integration provides this and more by exploring APIs, design and documentation, tooling, and integration best practices (including RESTful API security!).
Find Your Next Great Security Gig!
In this role, you'll design and implement internal security mechanisms to secure individual Elasticsearch clusters as well as provide security for cross-cluster operations. You'll implement access control for Elasticsearch APIs, documents, and fields within documents, improve existing APIs to make them address more use cases while keeping their surface area contained, and more! Experience working with distributed systems, systems integration, and debugging is a plus.
The ideal candidate will have prior experience conducting vulnerability assessments and penetration tests, an understanding of the OWASP testing methodology and knowledge of penetration testing tools, and comfort working on various platforms and operating systems (e.g. Windows, Linux, Kali). In this role, you'll perform application (web and mobile) and penetration tests on different platforms and technologies, conduct source code reviews to identify software vulnerabilities and malicious embedded code, simulate real-time cyber-attacks using red team/blue team exercises, and a lot more!