Book Image

Defending APIs

By : Colin Domoney
Book Image

Defending APIs

By: Colin Domoney

Overview of this book

Along with the exponential growth of API adoption comes a rise in security concerns about their implementation and inherent vulnerabilities. For those seeking comprehensive insights into building, deploying, and managing APIs as the first line of cyber defense, this book offers invaluable guidance. Written by a seasoned DevSecOps expert, Defending APIs addresses the imperative task of API security with innovative approaches and techniques designed to combat API-specific safety challenges. The initial chapters are dedicated to API building blocks, hacking APIs by exploiting vulnerabilities, and case studies of recent breaches, while the subsequent sections of the book focus on building the skills necessary for securing APIs in real-world scenarios. Guided by clear step-by-step instructions, you’ll explore offensive techniques for testing vulnerabilities, attacking, and exploiting APIs. Transitioning to defensive techniques, the book equips you with effective methods to guard against common attacks. There are plenty of case studies peppered throughout the book to help you apply the techniques you’re learning in practice, complemented by in-depth insights and a wealth of best practices for building better APIs from the ground up. By the end of this book, you’ll have the expertise to develop secure APIs and test them against various cyber threats targeting APIs.

Related Content you might be interested in

Current Title:

Small book image
Defending APIs
Colin Domoney
Feb, 2024 | 384 pages
Small book image
Building an API Product
Bruno Pedro
Jan, 2024 | 278 pages
Small book image
Enterprise API Management
Luis Weir
Jul, 2019 | 300 pages
Small book image
Attacking and Exploiting Modern Web Applications
Donato Onofri | Simone Onofri
Aug, 2023 | 338 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Foundations of API Security
Part 1: Foundations of API Security
Free Chapter
2
Chapter 1: What Is API Security?
Chapter 1: What Is API Security?
Why API security is important
Exploring API building blocks
Examining API data formats
Understanding the elements of API security
Setting API security goals
Summary
Further reading
3
Chapter 2: Understanding APIs
Chapter 2: Understanding APIs
Understanding HTTP fundamentals
Exploring the types of APIs
Access control
Using JWTs for claims and identity
Summary
Further reading
4
Chapter 3: Understanding Common API Vulnerabilities
Chapter 3: Understanding Common API Vulnerabilities
The importance of vulnerability classification
Exploring the Open Worldwide Application Security Project API Security Top 10
Vulnerabilities versus abuse cases
Business logic vulnerabilities
Preview of the Open Worldwide Application Security Project API Security Top 10 2023
Summary
Further reading
5
Chapter 4: Investigating Recent Breaches
Chapter 4: Investigating Recent Breaches
The importance of learning from mistakes
Examining 10 high-profile API breaches from 2022
Key takeaways and learning
Summary
Further reading
6
Part 2: Attacking APIs
Part 2: Attacking APIs
7
Chapter 5: Foundations of Attacking APIs
Chapter 5: Foundations of Attacking APIs
Technical requirements
Understanding API attackers and their methods
Mastering the tools of the trade
Learning the key skills of API attacking
Summary
Further reading
8
Chapter 6: Discovering APIs
Chapter 6: Discovering APIs
Technical requirements
Passive discovery
Active discovery
Implementation analysis
Summary
Further reading
9
Chapter 7: Attacking APIs
Chapter 7: Attacking APIs
Technical requirements
Authentication attacks
Authorization attacks
Data attacks
Injection attack
Other API attacks
Summary
Further reading
10
Part 3: Defending APIs
Part 3: Defending APIs
11
Chapter 8: Shift-Left for API Security
Chapter 8: Shift-Left for API Security
Technical requirements
Using the OpenAPI Specification
Leveraging the positive security model
Conducting threat modeling of APIs
Automating API security
Thinking like an attacker
Summary
Further reading
12
Chapter 9: Defending against Common Vulnerabilities
Chapter 9: Defending against Common Vulnerabilities
Technical requirements
Authentication vulnerabilities
Authorization vulnerabilities
Data vulnerabilities
Implementation vulnerabilities
Protecting against unrestricted resource consumption
Defending against API business-level attacks
Summary
Further reading
13
Chapter 10: Securing Your Frameworks and Languages
Chapter 10: Securing Your Frameworks and Languages
Technical requirements
Managing the design-first process in the real world
Using code-generation tools
Summary
Further reading
14
Chapter 11: Shield Right for APIs with Runtime Protection
Chapter 11: Shield Right for APIs with Runtime Protection
Technical requirements
Securing and hardening environments
Using WAFs
Using API gateways and API management
API monitoring and alerting
Selecting the correct protections for your APIs
Summary
Further reading
15
Chapter 12: Securing Microservices
Chapter 12: Securing Microservices
Technical requirements
Summary
Further reading
16
Chapter 13: Implementing an API Security Strategy
Chapter 13: Implementing an API Security Strategy
Ownership of API security
The 42Crunch maturity model
Planning your program
Running your program
Your personal API security journey
Summary
Further reading
17
Index
Index
Why subscribe?
18
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

What this book covers

Chapter 1, What Is API Security?, provides an introduction to the topic of API security and why it is important and distinct from web application security. This chapter also provides an understanding of the basics of APIs and their data formats, covering the key elements of API security and goals.

Chapter 2, Understanding APIs, covers the fundamentals of the HTTP protocol and the different types of APIs currently in use. The key topics of authentication and authorization are covered, along with the use of tokens and keys.

Chapter 3, Understanding Common API Vulnerabilities, provides in-depth coverage of the OWASP API Security Top 10 vulnerabilities (both the 2019 and 2023 variants), how vulnerabilities differ from abuse cases, and how APIs can expose business logic vulnerabilities.

Chapter 4, Investigating Recent Breaches, is an eye-opening look at some of the most significant API security breaches in the last few years, where we examine what went wrong and how such vulnerabilities could be prevented in the future.

Chapter 5, Foundations of Attacking APIs, provides a foundation of how adversaries attack APIs, including their methods, the common tools, and the skills they utilize.

Chapter 6, Discovering APIs, illuminates the various passive and active methods used by adversaries to discover APIs. We will also examine reconnaissance methods used to understand implementations and to evade common defense methods.

Chapter 7, Attacking APIs, provides hands-on guidance on how to attack APIs, focusing on the following areas – authentication and authorization attacks, data-based attacks, injection attacks, and other common attack types.

Chapter 8, Shift-Left for API Security, focuses on core activities that can be used to shift API security left, including leveraging the OpenAPI specification and the positive security model, how to threat model APIs, and the automation of API security within CI/CD pipelines.

Chapter 9, Defending against Common Vulnerabilities, covers the core topics of the defensive patterns and techniques that can be used to defend APIs against the following vulnerabilities – authentication and authorization vulnerabilities, data vulnerabilities, and implementation vulnerabilities.

Chapter 10, Securing Your Frameworks and Languages, moves the focus onto securing languages and frameworks using a “design-first” approach, including the use of code generation tooling, OpenAPI generation with popular frameworks, and patterns to secure these frameworks.

Chapter 11, Shield-Right for APIs with Runtime Protection, emphasizes the critical role played by so-called “shield-right” techniques, including secure and hardened environments, WAFs for API protection, the use of API gateways and management portals, API firewalls and, finally, monitoring APIs at runtime.

Chapter 12, Securing Microservices, looks at the exciting world of APIs within a microservices architecture, where we learn to apply our existing knowledge in a microservices landscape, focusing on securing the foundations, connectivity, and access control.

Chapter 13, Implementing an API Security Strategy, concludes our journey into API security by providing focused guidance on how to build an API security strategy, including the selection of a roadmap and KPIs, and how to plan and execute your strategy.

Previous Section
Next Section