Defending APIs against Cyber Attack: Learn the secrets of defense techniques to build secure application programming interfaces
Scribed by Colin Domoney
- Publisher
- Packt Publishing Ltd.
- Year
- 2023
- Tongue
- English
- Leaves
- 504
- Category
- Library
Synopsis
Along with the exponential growth of API adoption comes a rise in security concerns about their implementation and inherent vulnerabilities. For those seeking comprehensive insights into building, deploying, and managing APIs as the first line of cyber defense, this book offers invaluable guidance. Written by a seasoned DevSecOps expert, Defending APIs addresses the imperative task of API security with practical approaches and techniques designed to counter API-specific security challenges.
The initial chapters are dedicated to API building blocks, hacking APIs by exploiting vulnerabilities, and case studies of recent breaches, while the subsequent sections of the book focus on building the skills necessary for securing APIs in real-world scenarios.
Guided by clear step-by-step instructions, you'll explore offensive techniques for testing vulnerabilities, attacking, and exploiting APIs. Transitioning to defensive techniques, the book equips you with effective methods to guard against common attacks. There are plenty of case studies peppered throughout the book to help you apply the techniques you're learning in practice, complemented by in-depth insights and a wealth of best practices for building better APIs from the ground up.
By the end of this book, you'll have the expertise to develop secure APIs and test them against various cyber threats targeting APIs.
Table of Contents
Defending APIs
Foreword
Contributors
About the author
About the reviewer
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Part 1: Foundations of API Security
1
What Is API Security?
Why API security is important
The growth of the API economy
APIs are popular with developers
APIs are increasingly popular with attackers
Your existing tools do not work well for APIs
Developers often lack an understanding of API security
Exploring API building blocks
Rate limiting
Cryptography
Hashes, HMACs, and signatures
Transport security
Encoding
Examining API data formats
Understanding the elements of API security
DevOps
SAST, DAST, SCA, and WAFs
API management and gateways
API security platforms
Setting API security goals
The three pillars of security
Abuse and misuse cases
Data governance
A positive security model
Risk-based methodology
Summary
Further reading
2
Understanding APIs
Understanding HTTP fundamentals
Uniform Resource Locator
Requests
Responses
Methods
Status codes
Sessions
Exploring the types of APIs
REST
GraphQL
RPC
SOAP
WebSockets
Access control
No authentication
HTTP authentication
AWS keyed-HMAC authentication
Session cookies
API keys
OAuth 2.0
Access control best practices and methods
Using JWTs for claims and identity
Summary
Further reading
3
Understanding Common API Vulnerabilities
The importance of vulnerability classification
Exploring the Open Worldwide Application Security Project API Security Top 10
Object-level vulnerabilities
Authentication vulnerabilities
Function-level vulnerabilities
Data vulnerabilities
Configuration vulnerabilities
Implementation vulnerabilities
Vulnerabilities versus abuse cases
Exploring abuse cases
Business logic vulnerabilities
Preview of the Open Worldwide Application Security Project API Security Top 10 2023
Summary
Further reading
4
Investigating Recent Breaches
The importance of learning from mistakes
Examining 10 high-profile API breaches from 2022
1. Global shipping company
2. Campus access control
3. Microbrewery application
4. Cryptocurrency portal
5. Dating application
6. The All in One SEO WordPress plugin
7. X account information leakage
8. Home router
9. Remote access to two popular vehicles
10. Smart Scale
Key takeaways and learning
Summary
Further reading
Part 2: Attacking APIs
5
Foundations of Attacking APIs
Technical requirements
Understanding API attackers and their methods
Interacting with APIs
Finding API keys
Enumeration and discovery of APIs
Fuzzing API endpoints
Attacking JWTs
Mastering the tools of the trade
CLI clients (HTTPie/cURL)
Postman
Browser tools
Burp Suite
Reverse proxies
Learning the key skills of API attacking
Building a laboratory
Hacking vulnerable APIs
Training courses
Summary
Further reading
6
Discovering APIs
Technical requirements
Passive discovery
Google
Offensive security Google database
Other API-specific searchable databases
Code analysis techniques
Active discovery
Network discovery and scan
OWASP ZAP
Burp Suite
Reverse-engineering mobile apps
Postman
Implementation analysis
Verbose error and debug messages
OS and framework enumeration
Timing or volume attacks
Utilizing online tools such as BuiltWith or Wappalyzer
Evading common defenses
Summary
Further reading
7
Attacking APIs
Technical requirements
Authentication attacks
Insecure implementation logic
Attacking design weaknesses
Authorization attacks
Object-level authorization
Function-level authorization
Data attacks
Injection attack
Detecting injection vulnerabilities
SQL injection
NoSQL injection
Command injection
Path traversal
Server-side request forgery
Other API attacks
API abuse
Unrestricted access to sensitive business flows
Business logic attacks
Summary
Further reading
Part 3: Defending APIs
8
Shift-Left for API Security
Technical requirements
Using the OpenAPI Specification
Data
Security
Generating client and server code
Leveraging the positive security model
Conducting threat modeling of APIs
Automating API security
CI/CD integration
Semgrep
Thinking like an attacker
Summary
Further reading
9
Defending against Common Vulnerabilities
Technical requirements
Authentication vulnerabilities
Handling JWTs securely
Implementing OAuth2
Password and token hardening
Securing the reset process
Handling authentication in code
Authorization vulnerabilities
Object-level vulnerabilities
Function-level vulnerabilities
Using authorization middleware
Data vulnerabilities
Excessive data exposure
Mass assignment
Implementation vulnerabilities
Injection
Server-Side Request Forgery
Insufficient logging and monitoring
Protecting against unrestricted resource consumption
Defending against API business-level attacks
Unrestricted access to sensitive business flows
Unsafe consumption of APIs
Summary
Further reading
10
Securing Your Frameworks and Languages
Technical requirements
Managing the design-first process in the real world
Using code-generation tools
Swagger Codegen
OpenAPI Generator
Summary
Further reading
11
Shield Right for APIs with Runtime Protection
Technical requirements
Securing and hardening environments
Container images
Operating systems
Using WAFs
Understanding Next-Generation Web Application Firewall (NGWAF) and Web Application and API Protection (WAAP) products
Using API gateways and API management
Implementing security patterns in the Kong API gateway
Best practices for API gateway protection
Deploying API firewalls
API monitoring and alerting
Selecting the correct protections for your APIs
Summary
Further reading
12
Securing Microservices
Technical requirements
Understanding microservices
Securing the foundations of microservices
Securing the connectivity of microservices
Access control for microservices
Running secure microservices in practice
Summary
Further reading
13
Implementing an API Security Strategy
Ownership of API security
Understanding your stakeholders
Roles and responsibilities
The 42Crunch maturity model
Inventory
Design
Development
Testing
Protection
Governance
Planning your program
Establishing your objectives
Assessing your current state
Building a landing zone for APIs
Running your program
Building your teams
Tracking your progress
Integrating with your existing AppSec program
Your personal API security journey
Summary
Further reading
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book