that allow you to maintain traffic visibility while still mitigating security risk
of encryption protocol attacks.
2. Set IP address allow and deny lists for small numbers of API consumers: a
common control used to restrict which API callers can even make a network
connection to your API, let alone authenticate or transact with it, is the IP
address allow and deny list. This network security control is often found
within APIM, API gateways, and network infrastructure elements like a load
balancer. The lists may also be based on threat intelligence feeds of known
malicious IP addresses. IP address allow and deny lists can be useful if your
API is interacted with by a limited set of partners or consumers. If your API
is public or open, though, it is extremely difficult to scale this type of control
for the larger Internet. You may opt to block certain blocks of IP addresses
allocated to geographical regions, but know that attackers can circumvent
IP address deny lists with proxies and VPNs. Attackers will also spin up
ephemeral workloads in cloud providers to launch their attacks, and that
address space is often allowed as organizations adopt cloud technology.
Attackers may also use networks of compromised endpoints to perpetrate
attacks. In practice, IP address allow and deny lists need to be much more
dynamic and paired with behavior analysis and anomaly detection engines
to be effective.
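The following sketch of such a list is an added example, not code from the original text. It assumes a hypothetical `IpAccessList` class, documentation-range addresses, and a constructed feed entry. Deny entries expire so the list stays dynamic, deny takes precedence over allow, and IPv4-mapped IPv6 addresses are normalized so the same host cannot slip past a list written in IPv4 notation.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

class IpAccessList:
    """Partner allow list plus an expiring deny list (hypothetical helper)."""

    def __init__(self, allow_cidrs):
        self.allow = [ipaddress.ip_network(c) for c in allow_cidrs]
        self.deny = {}  # network -> expiry time (UTC)

    def add_deny(self, cidr, ttl, now):
        # Feed entries carry a TTL so stale indicators age out on their own.
        self.deny[ipaddress.ip_network(cidr)] = now + ttl

    @staticmethod
    def _normalize(raw):
        addr = ipaddress.ip_address(raw.strip())
        # ::ffff:a.b.c.d is the same host as a.b.c.d; compare it as IPv4.
        mapped = getattr(addr, "ipv4_mapped", None)
        return mapped if mapped is not None else addr

    def decide(self, raw_ip, now):
        try:
            addr = self._normalize(raw_ip)
        except ValueError:
            return "deny:unparseable"  # fail closed on malformed input
        # Drop expired deny entries before evaluating.
        self.deny = {n: exp for n, exp in self.deny.items() if exp > now}
        if any(addr in net for net in self.deny):
            return "deny:denylist"  # deny wins over allow
        if any(addr in net for net in self.allow):
            return "allow"
        return "deny:not-allowlisted"  # default deny for a partner-only API

def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    acl = IpAccessList(["192.0.2.0/24"])             # constructed partner range
    acl.add_deny("192.0.2.66/32", timedelta(hours=1), now)  # constructed feed hit
    later = now + timedelta(hours=2)
    return [
        acl.decide("192.0.2.10", now),
        acl.decide("192.0.2.66", now),
        acl.decide("::ffff:192.0.2.66", now),
        acl.decide("198.51.100.7", now),
        acl.decide("192.0.2.66", later),
    ]

if __name__ == "__main__":
    print(demo())
```

A check like this only sees the address presented to it, so it does not address the proxy, VPN, and cloud-workload caveats described above.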
3.