Api security Checklist
Avoid sending too much data to API clients
Yüklə 2,4 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Plan for risks of scraping, data aggregation, and data inference
|
Avoid sending too much data to API clients:
back-end APIs are sometimes designed to serve up a great deal of data in responses to API calls, and it becomes the duty of the front-end client code to filter out what should be visible based on the goals of the user experience UX or permission levels. This design pattern goes against API security best practice since that data is fully visible by observing API requests and responses. Attackers commonly reverse engineer front-end code and sniff API traffic directly to see what data is actually being transmitted. The issue ranks as one of the OWASP API Security Top 10 as API3 2019 Excessive Data Exposure because it is so commonplace. Don’t send too much data, particularly sensitive or private data, to front-end clients and always presume that they are compromised. Filter data appropriately in the back-end and send only the data that is necessary for that particular API consumer. 5. Plan for risks of scraping, data aggregation, and data inference: a few pieces of data may be innocent, but when data is collected and aggregated at scale, the situation becomes much more precarious. The resulting data Salt I API Security Best Practices I 19 sets quickly become privacy impacting and brand damaging. No quick fixes exist for these data security and privacy risks. Mitigation requires a combination of many techniques like limiting how much private data you collect in the first place, using rate limiting effectively, and limiting how much data you send to API clients. Attackers will use automation to their advantage to scrape and aggregate data in large volumes. Attackers employ a plethora of tooling including intercepting proxies, debuggers, Python scripting, and command line clients like cURL and HTTPie. Scraped data is also useful in other attack techniques such as brute forcing, credential stuffing, phishing, and social engineering. To detect and stop abnormal API consumption like scraping, you will need to seek API security tooling that continuously analyzes API telemetry, analyzes behaviors, and identifies anomalies. Authentication and authorization The top 3 recommendations for authentication and authorization include: 1. Continuously authenticate and authorize API consumers 2. Avoid the use of API keys as a means of authentication 3. Use modern authorization protocols like OAuth2 with security extensions Authentication and authorization, and by extension identity and access management IAM are foundational to all security domains, including API security. As organizations have shifted towards heavily distributed architectures and use of cloud services, the traditional security best practice of locking down a perimeter has become less useful. IAM is now used heavily to control access to functionality and data, and it is also an enabler of zero trust architectures. When considering security best practices for authentication and authorization, remember that you must account for user identities as well as machine identities. While it is possible to challenge a user for additional authentication material in a session, this option is not available for machine Salt I API Security Best Practices I 20 communication. Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management. Implementation of these technologies is rarely an application developer responsibility, particularly as you consider the completely integrated system or digital supply chain. Best practices for authentication and authorization include: 1. Yüklə 2,4 Mb. Dostları ilə paylaş:
|