book

Defending APIs

Name: Defending APIs
Author: Colin Domoney
ISBN: 9781804617120

by Colin Domoney

February 2024

Intermediate to advanced

384 pages

9h 44m

English

Packt Publishing

Read now

Unlock full access

Defending APIs
ForewordContributorsAbout the authorAbout the reviewer
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Part 1: Foundations of API Security
Chapter 1: What Is API Security?
Why API security is importantThe growth of the API economyAPIs are popular with developersAPIs are increasingly popular with attackersYour existing tools do not work well for APIsDevelopers often lack an understanding of API securityExploring API building blocksRate limitingCryptographyHashes, HMACs, and signaturesTransport securityEncodingExamining API data formatsUnderstanding the elements of API securityDevOpsSAST, DAST, SCA, and WAFsAPI management and gatewaysAPI security platformsSetting API security goalsThe three pillars of securityAbuse and misuse casesData governanceA positive security modelRisk-based methodologySummaryFurther reading
Chapter 2: Understanding APIs
Understanding HTTP fundamentalsUniform Resource LocatorRequestsResponsesMethodsStatus codesSessionsExploring the types of APIsRESTGraphQLRPCSOAPWebSocketsAccess controlNo authenticationHTTP authenticationAWS keyed-HMAC authenticationSession cookiesAPI keysOAuth 2.0Access control best practices and methodsUsing JWTs for claims and identitySummaryFurther reading
Chapter 3: Understanding Common API Vulnerabilities
The importance of vulnerability classificationExploring the Open Worldwide Application Security Project API Security Top 10Object-level vulnerabilitiesAuthentication vulnerabilitiesFunction-level vulnerabilitiesData vulnerabilitiesConfiguration vulnerabilitiesImplementation vulnerabilitiesVulnerabilities versus abuse casesExploring abuse casesBusiness logic vulnerabilitiesPreview of the Open Worldwide Application Security Project API Security Top 10 2023SummaryFurther reading
Chapter 4: Investigating Recent Breaches
The importance of learning from mistakesExamining 10 high-profile API breaches from 20221–Global shipping company2–Campus access control3–Microbrewery application4–Cryptocurrency portal5–Dating application6–The All in One SEO WordPress plugin7–X account information leakage8–Home router9–Remote access to two popular vehicles10–Smart ScaleKey takeaways and learningSummaryFurther reading
Part 2: Attacking APIs
Chapter 5: Foundations of Attacking APIs
Technical requirementsUnderstanding API attackers and their methodsInteracting with APIsFinding API keysEnumeration and discovery of APIsFuzzing API endpointsAttacking JWTsMastering the tools of the tradeCLI clients (HTTPie/cURL)PostmanBrowser toolsBurp SuiteReverse proxiesLearning the key skills of API attackingBuilding a laboratoryHacking vulnerable APIsTraining coursesSummaryFurther reading
Chapter 6: Discovering APIs
Technical requirementsPassive discoveryGoogleOffensive security Google databaseOther API-specific searchable databasesCode analysis techniquesActive discoveryNetwork discovery and scanOWASP ZAPBurp SuiteReverse-engineering mobile appsPostmanImplementation analysisVerbose error and debug messagesOS and framework enumerationTiming or volume attacksUtilizing online tools such as BuiltWith or WappalyzerEvading common defensesSummaryFurther reading

Chapter 7: Attacking APIs
Technical requirementsAuthentication attacksInsecure implementation logicAttacking design weaknessesAuthorization attacksObject-level authorizationFunction-level authorizationData attacksInjection attackDetecting injection vulnerabilitiesSQL injectionNoSQL injectionCommand injectionPath traversalServer-side request forgeryOther API attacksAPI abuseUnrestricted access to sensitive business flowsBusiness logic attacksSummaryFurther reading
Part 3: Defending APIs
Chapter 8: Shift-Left for API Security
Technical requirementsUsing the OpenAPI SpecificationDataSecurityGenerating client and server codeLeveraging the positive security modelConducting threat modeling of APIsAutomating API securityCI/CD integrationSemgrepThinking like an attackerSummaryFurther reading
Chapter 9: Defending against Common Vulnerabilities
Technical requirementsAuthentication vulnerabilitiesHandling JWTs securelyImplementing OAuth2Password and token hardeningSecuring the reset processHandling authentication in codeAuthorization vulnerabilitiesObject-level vulnerabilitiesFunction-level vulnerabilitiesUsing authorization middlewareData vulnerabilitiesExcessive data exposureMass assignmentImplementation vulnerabilitiesInjectionServer-Side Request ForgeryInsufficient logging and monitoringProtecting against unrestricted resource consumptionDefending against API business-level attacksUnrestricted access to sensitive business flowsUnsafe consumption of APIsSummaryFurther reading
Chapter 10: Securing Your Frameworks and Languages
Technical requirementsManaging the design-first process in the real worldUsing code-generation toolsSwagger CodegenOpenAPI GeneratorSummaryFurther reading
Chapter 11: Shield Right for APIs with Runtime Protection
Technical requirementsSecuring and hardening environmentsContainer imagesOperating systemsUsing WAFsUnderstanding the Next-Generation Firewall (NGWAF) and Web Application API Protection (WAAP) productsUsing API gateways and API managementImplementing security patterns in the Kong API gatewayBest practices for API gateway protectionDeploying API firewallsAPI monitoring and alertingSelecting the correct protections for your APIsSummaryFurther reading
Chapter 12: Securing Microservices
Technical requirementsUnderstanding microservicesSecuring the foundations of microservicesSecuring the connectivity of microservicesAccess control for microservicesRunning secure microservices in practiceSummaryFurther reading
Chapter 13: Implementing an API Security Strategy
Ownership of API securityUnderstanding your stakeholdersRoles and responsibilitiesThe 42Crunch maturity modelInventoryDesignDevelopmentTestingProtectionGovernancePlanning your programEstablishing your objectivesAssessing your current stateBuilding a landing zone for APIsRunning your programBuilding your teamsTracking your progressIntegrating with your existing AppSec programYour personal API security journeySummaryFurther reading
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Overview

Defending APIs delves into the critical aspects of API security, teaching you both offensive and defensive techniques to safeguard your APIs. You will learn about vulnerabilities, protection strategies, and practical solutions to design secure APIs. Whether you are an API developer or security professional, this book will empower you with the expertise to combat real-world threats.

What this Book will help me do

Understand the core elements of API security and their development lifecycle.
Analyze high-profile API security breaches to learn practical lessons.
Master offensive techniques used by attackers for thorough security testing.
Implement 'shift-left' and 'shield-right' approaches for full security coverage.
Learn defensive strategies tied to common frameworks like .NET, Python, and Java.

Author(s)

Colin Domoney, the author of Defending APIs, is a seasoned expert in API and DevSecOps security. With extensive industry experience, he brings practical insights and real-world examples to his writing. Colin is passionate about secure software development and educating professionals about API vulnerabilities and protection.

Who is it for?

This book is aimed at application security engineers and professionals looking to strengthen their API defenses, as well as penetration testers seeking insights into exploiting API vulnerabilities. It caters to API developers aiming to understand and mitigate potential risks. A basic understanding of APIs and application security is recommended for readers.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781804617120

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills