YouTube: API Security By Design
https://www.youtube.com/watch?v=acXpD1tRmCQ
Frank Kilcommins (Principal API Technical Evangelist, SmartBear) and José Haro Peralta (API consultant, author, and founder) [see the link below to José's 2023 book]
00:00 Intro
03:11 Why API Security matters
04:48 What is API Security
06:22 OWASP API Top 10 Risks
07:04 Broken Object Level Authorization
08:43 Broken Authentication
10:12 Broken Object Property Level Authorization
12:20 Unrestricted Resource Consumption
14:10 Broken Function Level Authorization
16:44 Unrestricted Access to Sensitive Business Flows
19:48 Server-side Request Forgery
22:26 Security Misconfiguration
24:28 Improper Inventory Management
27:11 Unsafe Consumption of APIs
30:08 Authentication vs Authorization
31:03 OAuth Overview
32:24 Authorization Code Flow
34:28 PKCE Flow
35:40 Client Credentials Flow
36:36 Refresh Token Flow
38:35 OpenID Connect
41:00 JSON Web Tokens (JWTs)
44:45 Security-by-design Overview
46:45 Vulnerable API design overview
47:26 Leaking objects
51:34 Integer Identifiers
53:22 Exposing server-side properties in user input
55:07 Flexible schemas with unknown properties
57:37 Summary and Q&A
Suggested Books:
API Security in Action (2020)
https://www.amazon.com/API-Security-Action-Neil-Madden/dp/1617296023/
Microservices Security in Action: Design secure network and API endpoint security for Microservices applications, with examples using Java, Kubernetes, and Istio 1st Edition (2020)
https://www.amazon.com/Microservices-Security-Action-Prabath-Siriwardena/dp/1617295957/
Advanced API Security: OAuth 2.0 and Beyond 2nd ed. Edition (2019)
https://www.amazon.com/Advanced-API-Security-Definitive-Guide/dp/1484220498/
Microservice APIs: Using Python, Flask, FastAPI, OpenAPI and more (2023)
https://www.amazon.com/Microservice-APIs-Jose-Haro-Peralta/dp/1617298417/
OAuth 2 in Action First Edition (2017)
https://www.amazon.com/OAuth-2-Action-Justin-Richer/dp/161729327X/
Secure By Design First Edition (2019)
https://www.amazon.com/Secure-Design-Daniel-Deogun/dp/1617294357
Defending APIs against Cyber Attack: Learn the secrets of defense techniques to build secure application programming interfaces (2024)
https://www.amazon.com/Defending-APIs-against-Cyber-Attack/dp/1804617121
Penetration Testing Tool Resources:
Other Resources:
- https://www.traceable.ai/2023-state-of-api-security
- NIST SP 800-95: Guide to Secure Web Services
- "The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), SOAP, and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy are at odds with traditional security models and controls. Ensuring the security of Web services involves augmenting traditional security mechanisms with security frameworks based on use of authentication, authorization, confidentiality, and integrity mechanisms. This document describes how to implement those security mechanisms in Web services. It also discusses how to make Web services and portal applications robust against the attacks to which they are subject."
- NIST SP 800-204: Security Strategies for Microservices-based Application Systems
- "Microservices architecture is increasingly being used to develop application systems since its smaller codebase facilitates faster code development, testing, and deployment as well as optimization of the platform based on the type of microservice, support for independent development teams, and the ability to scale each component independently. Microservices generally communicate with each other using Application Programming Interfaces (APIs), which requires several core features to support complex interactions between a substantial number of components. These core features include authentication and access management, service discovery, secure communication protocols, security monitoring, availability/resiliency improvement techniques (e.g., circuit breakers), load balancing and throttling, integrity assurance techniques during induction of new services, and handling of session persistence. Additionally, the core features could be bundled or packaged into architectural frameworks such as API gateways and service mesh. The purpose of this document is to analyze the multiple implementation options available for each individual core feature and configuration options in architectural frameworks, develop security strategies that counter threats specific to microservices, and enhance the overall security profile of the microservices-based application."
- NIST SP 800-204A Building Secure Microservices-based Applications Using Service-Mesh Architecture
- NIST SP 800-204B Attribute-based Access Control for Microservices-based Applications using a Service Mesh
- NIST SP 800-204C Implementation of DevSecOps for a Microservices-based Application with Service Mesh
- https://owasp.org/www-project-api-security/
- https://owasp.org/API-Security/editions/2023/en/0x11-t10/
- https://content.salt.security/owasp-api-top-10-2023-ebook.html
- https://salt.security/blog/owasp-api-security-top-10-explained
- https://snyk.io/learn/owasp-top-10-vulnerabilities/api-security-top-10/
- MuleSoft: API security for the digital estate (Top 5 API Security Best Practices)