API Security By Design

Oct 16, 2023

#API #security by design is an approach that integrates security measures into the entire lifecycle of API development. It emphasizes proactive planning and implementation of security controls rather than treating security as an afterthought. By adopting this approach, organizations can build APIs that are secure by default and strengthen their overall #apisecurity posture.

In this video, Frank Kilcommins (Principal API Technical Evangelist) and José Haro Peralta (API consultant, author, and founder) cover the following:

  • API Security – the what and the why!
  • 2023 #owasptop10 risks for APIs
  • #OAuth, #OpenIDConnect, and #JWTs
  • How and where Security-by-Design fits into the API lifecycle
  • Common vulnerabilities that leak into APIs and how they can be mitigated with security-by-design

00:00 Intro

03:11 Why API Security matters

04:48 What is API Security

06:22 OWASP API Top 10 Risks

07:04 Broken Object Level Authorization

08:43 Broken Authentication

10:12 Broken Object Property Level Authorization

12:20 Unrestricted Resource Consumption

14:10 Broken Function Level Authorization

16:44 Unrestricted Access to Sensitive Business Flows

19:48 Server-side Request Forgery

22:26 Security Misconfiguration

24:28 Improper Inventory Management

27:11 Unsafe Consumption of APIs

30:08 Authentication vs Authorization

31:03 OAuth Overview

32:24 Authorization Code Flow

34:28 PKCE Flow

35:40 Client Credentials Flow

36:36 Refresh Token Flow

38:35 OpenID Connect

41:00 JSON Web Tokens (JWTs)

44:45 Security-by-design Overview

46:45 Vulnerable API design overview

47:26 Leaking objects

51:34 Integer Identifiers

53:22 Exposing server-side properties in user input

55:07 Flexible schemas with unknown properties

57:37 Summary and Q&A