Defending APIs: Uncover Advanced Defense Techniques to Craft Secure Application Programming Interfaces
Get up to speed with API security using this comprehensive guide, full of best practices for building safer and more secure APIs. Key Features: Develop a profound understanding of the inner workings of APIs with a sharp focus on security; Learn the tools and techniques employed by API security testers and ha...
| Field | Value |
|---|---|
| Format | E-book |
| Language | English |
| Published | Birmingham, England : Packt Publishing Ltd, [2024] |
| Edition | First edition |
| View in the Universitat Ramon Llull Library | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009799144206719 |

Table of Contents:
- Cover
- Title Page
- Copyright and Credits
- Foreword
- Contributors
- Table of Contents
- Preface
- Part 1: Foundations of API Security
- Chapter 1: What Is API Security?
- Why API security is important
- The growth of the API economy
- APIs are popular with developers
- APIs are increasingly popular with attackers
- Your existing tools do not work well for APIs
- Developers often lack an understanding of API security
- Exploring API building blocks
- Rate limiting
- Cryptography
- Hashes, HMACs, and signatures
- Transport security
- Encoding
- Examining API data formats
- Understanding the elements of API security
- DevOps
- SAST, DAST, SCA, and WAFs
- API management and gateways
- API security platforms
- Setting API security goals
- The three pillars of security
- Abuse and misuse cases
- Data governance
- A positive security model
- Risk-based methodology
- Summary
- Further reading
- Chapter 2: Understanding APIs
- Understanding HTTP fundamentals
- Uniform Resource Locator
- Requests
- Responses
- Methods
- Status codes
- Sessions
- Exploring the types of APIs
- REST
- GraphQL
- RPC
- SOAP
- WebSockets
- Access control
- No authentication
- HTTP authentication
- AWS keyed-HMAC authentication
- Session cookies
- API keys
- OAuth 2.0
- Access control best practices and methods
- Using JWTs for claims and identity
- Summary
- Further reading
- Chapter 3: Understanding Common API Vulnerabilities
- The importance of vulnerability classification
- Exploring the Open Worldwide Application Security Project API Security Top 10
- Object-level vulnerabilities
- Authentication vulnerabilities
- Function-level vulnerabilities
- Data vulnerabilities
- Configuration vulnerabilities
- Implementation vulnerabilities
- Vulnerabilities versus abuse cases
- Exploring abuse cases
- Business logic vulnerabilities
- Preview of the Open Worldwide Application Security Project API Security Top 10 2023
- Summary
- Further reading
- Chapter 4: Investigating Recent Breaches
- The importance of learning from mistakes
- Examining 10 high-profile API breaches from 2022
- 1-Global shipping company
- 2-Campus access control
- 3-Microbrewery application
- 4-Cryptocurrency portal
- 5-Dating application
- 6-The All in One SEO WordPress plugin
- 7-X account information leakage
- 8-Home router
- 9-Remote access to two popular vehicles
- 10-Smart Scale
- Key takeaways and learning
- Summary
- Further reading
- Part 2: Attacking APIs
- Chapter 5: Foundations of Attacking APIs
- Technical requirements
- Understanding API attackers and their methods
- Interacting with APIs
- Finding API keys
- Enumeration and discovery of APIs
- Fuzzing API endpoints
- Attacking JWTs
- Mastering the tools of the trade
- CLI clients (HTTPie/cURL)
- Postman
- Browser tools
- Burp Suite
- Reverse proxies
- Learning the key skills of API attacking
- Building a laboratory
- Hacking vulnerable APIs
- Training courses
- Summary
- Further reading
- Chapter 6: Discovering APIs
- Technical requirements
- Passive discovery
- Offensive Security Google Hacking Database
- Other API-specific searchable databases
- Code analysis techniques
- Active discovery
- Network discovery and scan
- OWASP ZAP
- Burp Suite
- Reverse-engineering mobile apps
- Postman
- Implementation analysis
- Verbose error and debug messages
- OS and framework enumeration
- Timing or volume attacks
- Utilizing online tools such as BuiltWith or Wappalyzer
- Evading common defenses
- Summary
- Further reading
- Chapter 7: Attacking APIs
- Technical requirements
- Authentication attacks
- Insecure implementation logic
- Attacking design weaknesses
- Authorization attacks
- Object-level authorization
- Function-level authorization
- Data attacks
- Injection attack
- Detecting injection vulnerabilities
- SQL injection
- NoSQL injection
- Command injection
- Path traversal
- Server-side request forgery
- Other API attacks
- API abuse
- Unrestricted access to sensitive business flows
- Business logic attacks
- Summary
- Further reading
- Part 3: Defending APIs
- Chapter 8: Shift-Left for API Security
- Technical requirements
- Using the OpenAPI Specification
- Data
- Security
- Generating client and server code
- Leveraging the positive security model
- Conducting threat modeling of APIs
- Automating API security
- CI/CD integration
- Semgrep
- Thinking like an attacker
- Summary
- Further reading
- Chapter 9: Defending against Common Vulnerabilities
- Technical requirements
- Authentication vulnerabilities
- Handling JWTs securely
- Implementing OAuth2
- Password and token hardening
- Securing the reset process
- Handling authentication in code
- Authorization vulnerabilities
- Object-level vulnerabilities
- Function-level vulnerabilities
- Using authorization middleware
- Data vulnerabilities
- Excessive data exposure
- Mass assignment
- Implementation vulnerabilities
- Injection
- Server-Side Request Forgery
- Insufficient logging and monitoring
- Protecting against unrestricted resource consumption
- Defending against API business-level attacks
- Unrestricted access to sensitive business flows
- Unsafe consumption of APIs
- Summary
- Further reading
- Chapter 10: Securing Your Frameworks and Languages
- Technical requirements
- Managing the design-first process in the real world
- Using code-generation tools
- Swagger Codegen
- OpenAPI Generator
- Summary
- Further reading
- Chapter 11: Shield Right for APIs with Runtime Protection
- Technical requirements
- Securing and hardening environments
- Container images
- Operating systems
- Using WAFs
- Understanding Next-Generation Web Application Firewall (NGWAF) and Web Application and API Protection (WAAP) products
- Using API gateways and API management
- Implementing security patterns in the Kong API gateway
- Best practices for API gateway protection
- Deploying API firewalls
- API monitoring and alerting
- Selecting the correct protections for your APIs
- Summary
- Further reading
- Chapter 12: Securing Microservices
- Technical requirements
- Understanding microservices
- Securing the foundations of microservices
- Securing the connectivity of microservices
- Access control for microservices
- Running secure microservices in practice
- Summary
- Further reading
- Chapter 13: Implementing an API Security Strategy
- Ownership of API security
- Understanding your stakeholders
- Roles and responsibilities
- The 42Crunch maturity model
- Inventory
- Design
- Development
- Testing
- Protection
- Governance
- Planning your program
- Establishing your objectives
- Assessing your current state
- Building a landing zone for APIs
- Running your program
- Building your teams
- Tracking your progress
- Integrating with your existing AppSec program
- Your personal API security journey
- Summary
- Further reading
- Index
- Other Books You May Enjoy
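Two of the chapters above meet on one topic: Chapter 5's "Attacking JWTs" and Chapter 9's "Handling JWTs securely". The following is an added example written for this page, not code from the book or from the authors, showing the verifier-side discipline that defeats the common JWT attacks: pin the accepted algorithm to a server-side allowlist instead of trusting the token's `alg` header (so `none` and algorithm-confusion tokens are rejected before any signature math), compare the HMAC in constant time, and check `exp`, `nbf`, `iss` and `aud` explicitly. The secret key, issuer and audience values are constructed for the demo, and `mint_token` exists only to build sample tokens; it uses the standard library only.

```python
"""Strict HS256 JWT verification: algorithm allowlist plus claim checks.
Added example for this page, not the book's code. Key, issuer and audience
values below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-not-for-production"  # assumption: shared HMAC key
ALLOWED_ALGS = {"HS256"}            # server-side allowlist; "none" can never appear here
EXPECTED_ISS = "https://issuer.example"  # constructed issuer
EXPECTED_AUD = "orders-api"              # constructed audience


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS. Only used here to produce sample tokens,
    including deliberately bad ones (alg=none) for the demo."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."  # unsigned token, as an attacker would craft it
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError.

    Order matters: structure, then the header alg against ALLOWED_ALGS (the
    token never chooses the algorithm), then the HMAC in constant time, then
    the time, issuer and audience claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed: %r" % header.get("alg"))
    expected = hmac.new(
        key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")  # tokens without expiry are rejected
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    return claims


def check(token: str, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    base = {"sub": "user-1", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": 2_000_000_000}
    t = 1_700_000_000  # constructed "current time"
    print("valid:      ", check(mint_token(base), now=t))
    print("alg=none:   ", check(mint_token(base, alg="none"), now=t))
    print("wrong key:  ", check(mint_token(base, key=b"other"), now=t))
    print("expired:    ", check(mint_token({**base, "exp": t - 1}), now=t))
    print("wrong aud:  ", check(mint_token({**base, "aud": "billing-api"}), now=t))
```

The allowlist is the important line: a verifier that reads `alg` from the header and dispatches on it is the root of both the `none` attack and RS256-to-HS256 confusion, so the set of accepted algorithms (and the key type that goes with each) must be fixed in server configuration, as in `ALLOWED_ALGS` above.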