APIs are under constant attack: bots probe and abuse them across the internet, and an API with no front end is still a prime target for malicious actors. How do we fight back? In this talk we will cover the best practices for making your APIs tough and safe!
– APIs are an issue: stats and facts on why they need security attention
– I lied: I’m going to show you way more than ten, but “Top Ten” sounds good.
– Create a complete inventory of all APIs
– Route all externally exposed APIs through an API gateway
– Throttling (rate limiting) and resource quotas on ALL APIs
– Logging, monitoring and alerting, same as for web apps
– Block all unused HTTP methods/verbs
– Use a service mesh for communication management
– Implement standards for your org, enforce them
– Strict linting of all calls
– Authenticate, THEN authorize
– Avoid verbose error messages
– Decommission old or unused versions of APIs.
– All the same secure coding practices you normally do: input validation using approved lists (allowlists), parameterized queries, bounds checking, etc.
– Summary and conclusion
– Free resources (I made a course out of this talk and it’s free, plus a downloadable PDF that summarizes the whole talk)
– Q&A
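To show how several of the outline items fit together in one request path, here is an added example written for this page (it is not code from the talk, the course, or the PDF). It is a stdlib-only Python request handler that: rejects unused HTTP verbs first, authenticates and only then authorizes, throttles each authenticated client with a token bucket, validates input against an approved-list pattern, queries the database with parameterized statements, writes detail to a log while returning only terse error messages to the caller. The API keys, users, roles, the `/users` route and the `handle`/`TokenBucket` names are all assumptions made up for the example; the throttling of unauthenticated traffic by source address is assumed to happen at the gateway and is not shown.

```python
import hmac
import re
import sqlite3
import time

# Constructed sample identities for this example only; in a real service these
# come from the identity provider that sits behind the API gateway.
API_KEYS = {"key-alice-123": ("alice", "reader"),
            "key-bob-456": ("bob", "admin")}
ROLE_PERMISSIONS = {"reader": {"GET"}, "admin": {"GET", "POST"}}
ALLOWED_METHODS = {"GET", "POST"}                 # every other verb is rejected
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")      # approved-list (allowlist) validation
EMAIL_RE = re.compile(r"[a-z0-9._+-]+@[a-z0-9.-]+")


class TokenBucket:
    """Per-client throttle: refills `rate` tokens per second, bursts up to `capacity`."""

    def __init__(self, rate, capacity, now=time.monotonic):
        self.rate, self.capacity, self.now = rate, capacity, now
        self.buckets = {}                         # client -> (tokens, last refill time)

    def allow(self, client):
        t = self.now()
        tokens, last = self.buckets.get(client, (self.capacity, t))
        tokens = min(self.capacity, tokens + (t - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, t)
            return False
        self.buckets[client] = (tokens - 1, t)
        return True


def make_db():
    """In-memory table with one constructed row, standing in for the real store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "alice@example.test"))
    return db


def authenticate(headers):
    """Constant-time comparison of the presented key; returns (client, role) or None."""
    presented = headers.get("X-API-Key", "").encode()
    for key, identity in API_KEYS.items():
        if hmac.compare_digest(key.encode(), presented):
            return identity
    return None


def handle(method, path, headers, params, db, limiter, log):
    """Dispatch one request; `params` stands in for the parsed query string or body.
    Returns (status, response body). Failures are logged with detail, but the
    client only ever sees a short generic message."""
    # 1. Block unused verbs before doing any other work.
    if method not in ALLOWED_METHODS:
        return 405, {"error": "method not allowed"}
    if path != "/users":
        return 404, {"error": "not found"}
    # 2. Authenticate, THEN authorize.
    identity = authenticate(headers)
    if identity is None:
        log.append(f"auth_failure path={path}")
        return 401, {"error": "unauthorized"}
    client, role = identity
    # 3. Throttle per authenticated client so one caller cannot starve the rest.
    if not limiter.allow(client):
        log.append(f"throttled client={client}")
        return 429, {"error": "too many requests"}
    if method not in ROLE_PERMISSIONS[role]:
        log.append(f"authz_denied client={client} method={method}")
        return 403, {"error": "forbidden"}
    # 4. Validate input against an approved pattern; never echo the bad value back.
    name = params.get("name", "")
    if not USERNAME_RE.fullmatch(name):
        log.append(f"invalid_input client={client} field=name")
        return 400, {"error": "invalid request"}
    try:
        if method == "GET":
            # 5. Parameterized query: the value never becomes part of the SQL text.
            row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
            return (200, {"name": name, "email": row[0]}) if row else (404, {"error": "not found"})
        email = params.get("email", "")
        if not EMAIL_RE.fullmatch(email):
            log.append(f"invalid_input client={client} field=email")
            return 400, {"error": "invalid request"}
        db.execute("INSERT INTO users VALUES (?, ?)", (name, email))
        db.commit()
        return 201, {"name": name}
    except sqlite3.IntegrityError:
        return 409, {"error": "conflict"}
    except sqlite3.Error as exc:
        # 6. Verbose detail goes to the log only; the client gets a generic error.
        log.append(f"db_error client={client} detail={exc}")
        return 500, {"error": "internal error"}
```

The order of the checks is the point: the cheap rejections (verb, route) run before any lookup, authentication runs before authorization, and the throttle is keyed on the authenticated identity rather than on a spoofable header. Swapping the `?` placeholders for string formatting is exactly the mistake the allowlist regex would otherwise be the last line of defence against.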