
Defending APIs : Uncover Advanced Defense Techniques to Craft Secure Application Programming Interfaces / Colin Domoney ; foreword by Chris Wysopal and Isabelle Mauny.

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Domoney, Colin, author.
Contributor:
Wysopal, Chris, writer of foreword.
Mauny, Isabelle, writer of foreword.
Language:
English
Subjects (All):
Application program interfaces (Computer software).
Physical Description:
1 online resource (384 pages)
Edition:
First edition.
Place of Publication:
Birmingham, England : Packt Publishing Ltd., [2024]
Biography/History:
Domoney, Colin: Colin Domoney (BSc, MSc, CSSLP, CEH) is an API Security Research Specialist and Developer Advocate with deep expertise in the development of secure software. As VP of AppSec, he took on the challenge of securing software at large scale, running the global AppSec program at Deutsche Bank. At Veracode, as an evangelist, he produces countless webinars and blog posts, and speaks globally at conferences. Currently, he has embraced the challenge of securing APIs with 42Crunch, where he has produced the API industry's first security maturity model and contributed to numerous webinars, talks, and blogs. He is now working on the industry's first defensive API developer training course. He is also the curator of the APISecurity weekly newsletter.
Summary:
Get up to speed with API security using this comprehensive guide full of best practices for building safer and more secure APIs.

Key Features:
Develop a profound understanding of the inner workings of APIs with a sharp focus on security
Learn the tools and techniques employed by API security testers and hackers, establishing your own hacking laboratory
Master the art of building robust APIs with shift-left and shield-right approaches, spanning the API lifecycle
Purchase of the print or Kindle book includes a free PDF eBook

Book Description:
Along with the exponential growth of API adoption comes a rise in security concerns about their implementation and inherent vulnerabilities. For those seeking comprehensive insights into building, deploying, and managing APIs as the first line of cyber defense, this book offers invaluable guidance. Written by a seasoned DevSecOps expert, Defending APIs addresses the imperative task of API security with innovative approaches and techniques designed to combat API-specific safety challenges. The initial chapters are dedicated to API building blocks, hacking APIs by exploiting vulnerabilities, and case studies of recent breaches, while the subsequent sections of the book focus on building the skills necessary for securing APIs in real-world scenarios. Guided by clear step-by-step instructions, you'll explore offensive techniques for testing vulnerabilities, attacking, and exploiting APIs. Transitioning to defensive techniques, the book equips you with effective methods to guard against common attacks. There are plenty of case studies peppered throughout the book to help you apply the techniques you're learning in practice, complemented by in-depth insights and a wealth of best practices for building better APIs from the ground up. By the end of this book, you'll have the expertise to develop secure APIs and test them against various cyber threats targeting APIs.

What you will learn:
Explore the core elements of APIs and their collaborative role in API development
Understand the OWASP API Security Top 10, dissecting the root causes of API vulnerabilities
Obtain insights into high-profile API security breaches with practical examples and in-depth analysis
Use the attacking techniques adversaries employ against APIs to enhance your defensive strategies
Employ shield-right security approaches such as API gateways and firewalls
Defend against common API vulnerabilities across several frameworks and languages, such as .NET, Python, and Java

Who this book is for:
This book is for application security engineers, blue teamers, and security professionals looking to build an application security program targeting API security. For red teamers and pentesters, it provides insights into exploiting API vulnerabilities. API developers will benefit from understanding, anticipating, and defending against potential threats and attacks on their APIs. While basic knowledge of software and security is required to understand the attack vectors and defensive techniques explained in the book, a thorough understanding of API security is all you need to get started.
Contents:
Cover
Title Page
Copyright and Credits
Foreword
Contributors
Table of Contents
Preface
Part 1: Foundations of API Security
Chapter 1: What Is API Security?
Why API security is important
The growth of the API economy
APIs are popular with developers
APIs are increasingly popular with attackers
Your existing tools do not work well for APIs
Developers often lack an understanding of API security
Exploring API building blocks
Rate limiting
Cryptography
Hashes, HMACs, and signatures
Transport security
Encoding
Examining API data formats
Understanding the elements of API security
DevOps
SAST, DAST, SCA, and WAFs
API management and gateways
API security platforms
Setting API security goals
The three pillars of security
Abuse and misuse cases
Data governance
A positive security model
Risk-based methodology
Summary
Further reading
Chapter 2: Understanding APIs
Understanding HTTP fundamentals
Uniform Resource Locator
Requests
Responses
Methods
Status codes
Sessions
Exploring the types of APIs
REST
GraphQL
RPC
SOAP
WebSockets
Access control
No authentication
HTTP authentication
AWS keyed-HMAC authentication
Session cookies
API keys
OAuth 2.0
Access control best practices and methods
Using JWTs for claims and identity
Chapter 3: Understanding Common API Vulnerabilities
The importance of vulnerability classification
Exploring the Open Worldwide Application Security Project API Security Top 10
Object-level vulnerabilities
Authentication vulnerabilities
Function-level vulnerabilities
Data vulnerabilities
Configuration vulnerabilities
Implementation vulnerabilities
Vulnerabilities versus abuse cases
Exploring abuse cases
Business logic vulnerabilities
Preview of the Open Worldwide Application Security Project API Security Top 10 2023
Chapter 4: Investigating Recent Breaches
The importance of learning from mistakes
Examining 10 high-profile API breaches from 2022
1-Global shipping company
2-Campus access control
3-Microbrewery application
4-Cryptocurrency portal
5-Dating application
6-The All in One SEO WordPress plugin
7-X account information leakage
8-Home router
9-Remote access to two popular vehicles
10-Smart Scale
Key takeaways and learning
Part 2: Attacking APIs
Chapter 5: Foundations of Attacking APIs
Technical requirements
Understanding API attackers and their methods
Interacting with APIs
Finding API keys
Enumeration and discovery of APIs
Fuzzing API endpoints
Attacking JWTs
Mastering the tools of the trade
CLI clients (HTTPie/cURL)
Postman
Browser tools
Burp Suite
Reverse proxies
Learning the key skills of API attacking
Building a laboratory
Hacking vulnerable APIs
Training courses
Chapter 6: Discovering APIs
Passive discovery
Google
Offensive security Google database
Other API-specific searchable databases
Code analysis techniques
Active discovery
Network discovery and scan
OWASP ZAP
Reverse-engineering mobile apps
Implementation analysis
Verbose error and debug messages
OS and framework enumeration
Timing or volume attacks
Utilizing online tools such as BuiltWith or Wappalyzer
Evading common defenses
Chapter 7: Attacking APIs
Authentication attacks
Insecure implementation logic
Attacking design weaknesses
Authorization attacks
Object-level authorization
Function-level authorization
Data attacks
Injection attack
Detecting injection vulnerabilities
SQL injection
NoSQL injection
Command injection
Path traversal
Server-side request forgery
Other API attacks
API abuse
Unrestricted access to sensitive business flows
Business logic attacks
Part 3: Defending APIs
Chapter 8: Shift-Left for API Security
Using the OpenAPI Specification
Data
Security
Generating client and server code
Leveraging the positive security model
Conducting threat modeling of APIs
Automating API security
CI/CD integration
Semgrep
Thinking like an attacker
Chapter 9: Defending against Common Vulnerabilities
Handling JWTs securely
Implementing OAuth2
Password and token hardening
Securing the reset process
Handling authentication in code
Authorization vulnerabilities
Using authorization middleware
Excessive data exposure
Mass assignment
Injection
Server-Side Request Forgery
Insufficient logging and monitoring
Protecting against unrestricted resource consumption
Defending against API business-level attacks
Unsafe consumption of APIs
Chapter 10: Securing Your Frameworks and Languages
Managing the design-first process in the real world
Using code-generation tools
Swagger Codegen
OpenAPI Generator
Further reading
Chapter 11: Shield Right for APIs with Runtime Protection
Securing and hardening environments
Container images
Operating systems
Using WAFs
Understanding the Next-Generation Firewall (NGWAF) and Web Application API Protection (WAAP) products
Using API gateways and API management
Implementing security patterns in the Kong API gateway
Best practices for API gateway protection
Deploying API firewalls
API monitoring and alerting
Selecting the correct protections for your APIs
Chapter 12: Securing Microservices
Understanding microservices
Securing the foundations of microservices
Securing the connectivity of microservices
Access control for microservices
Running secure microservices in practice
Chapter 13: Implementing an API Security Strategy
Ownership of API security
Understanding your stakeholders
Roles and responsibilities
The 42Crunch maturity model
Inventory
Design
Development
Testing
Protection
Governance
Planning your program
Establishing your objectives
Assessing your current state
Building a landing zone for APIs
Running your program
Building your teams
Tracking your progress
Integrating with your existing AppSec program
Your personal API security journey
Index
Other Books You May Enjoy
Notes:
Includes index.
Description based on publisher supplied metadata and other sources.
Description based on print version record.
ISBN:
9781804613061
1804613061
OCLC:
1418731223
