Network security
The top 3 recommendations for network security include:
1. Enable encrypted transport to protect the data your APIs transmit
2. Use IP address allow and deny lists if you have small numbers of API consumers
3. Look to dynamic rate limiting and rely on static rate limiting as a last resort
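One way to evaluate the allow and deny lists from recommendation 2, as an added example that is not part of the original document; the list entries are constructed from documentation address ranges and the function names are hypothetical. It shows deny entries overriding allow entries, a default deny, and IPv4-mapped IPv6 addresses being unwrapped before matching.

```python
import ipaddress

# Constructed sample lists (documentation ranges from RFC 5737 / RFC 3849).
ALLOW = ["203.0.113.0/24", "2001:db8:10::/48"]
DENY = ["203.0.113.66/32"]  # one revoked consumer inside an allowed range


def load(cidrs):
    # strict=True raises on entries with host bits set, such as "203.0.113.5/24",
    # so a typo in the list fails loudly instead of silently widening it.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def matches(ip, networks):
    return any(ip.version == n.version and ip in n for n in networks)


def decide(peer_addr, allow=None, deny=None):
    """Return (allowed, reason). peer_addr should be the TCP peer address,
    not a client-supplied header such as X-Forwarded-For."""
    allow = load(ALLOW) if allow is None else allow
    deny = load(DENY) if deny is None else deny
    try:
        ip = normalize(peer_addr)
    except ValueError:
        return False, "unparseable address"
    if matches(ip, deny):  # deny entries win over allow entries
        return False, "deny list"
    if matches(ip, allow):
        return True, "allow list"
    return False, "not on allow list"  # default deny


if __name__ == "__main__":
    for addr in ["203.0.113.10", "203.0.113.66", "::ffff:203.0.113.66",
                 "198.51.100.7", "2001:db8:10::1", "not-an-ip"]:
        print(addr, decide(addr))
```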
Traditional network perimeters were created at the ingress to an
organization’s datacenters. As organizations move towards an
integrated ecosystem of APIs and adopt cloud services, those
network boundaries erode immensely. Infrastructure is much more
ephemeral as well as virtualized and containerized, which makes
many network access controls unusable at scale. Network security
begins to intersect heavily with identity and access management
(IAM) as an organization gets into zero trust architectures. Under the
design goals of zero trust, your ability to connect to a
given resource depends on what you are doing at a given moment,
which is heavily tied to your authenticated context and behaviors
within that session. The principles of zero trust and some zero trust
focused technologies like microsegmentation or zero trust network
access (ZTNA) are sometimes overloaded as “application security.”
These zero trust technologies are used to control connectivity
between workloads or to control connectivity to workloads that
power applications and APIs. The level of security protection doesn’t
go deeper than that.
Best practices for network security include:
1.