sets quickly become privacy impacting and brand damaging. No quick fixes
exist for these data security and privacy risks. Mitigation requires a
combination of many techniques like limiting how much private data you
collect in the first place, using rate limiting effectively, and limiting how
much data you send to API clients. Attackers will use automation to their
advantage to scrape and aggregate data in large volumes. Attackers employ
a plethora of tooling including intercepting proxies, debuggers, Python
scripting, and command line clients like cURL and HTTPie. Scraped data is
also useful in other attack techniques such as brute forcing, credential
stuffing, phishing, and social engineering. To detect and stop abnormal API
consumption like scraping, you will need to seek API security tooling that
continuously analyzes API telemetry, analyzes behaviors, and identifies
anomalies.
Authentication and authorization
The top 3 recommendations for authentication and authorization include:
1. Continuously authenticate and authorize API consumers
2. Avoid the use of API keys as a means of authentication
3. Use modern authorization protocols like OAuth2 with security extensions
Authentication and
authorization, and by
extension identity and access
management IAM are
foundational to all security
domains, including API
security.
As organizations
have shifted towards heavily
distributed architectures and
use of cloud services, the
traditional security best
practice of locking down a
perimeter has become less
useful. IAM is now used
heavily to control access to
functionality and data, and it
is also an enabler of zero
trust architectures. When considering security best practices for authentication and
authorization, remember that you must account for user identities as well as
machine identities. While it is possible to challenge a user for additional
authentication material in a session, this option is not available for machine
Salt I API Security Best Practices I 20
communication. Externalize your access controls and identity stores wherever
possible, which includes mediation mechanisms like API gateways, user and
machine identity stores, IAM solutions, key management services, public key
infrastructure, and secrets management. Implementation of these technologies is
rarely an application developer responsibility, particularly as you consider the
completely integrated system or digital supply chain.
Best practices for authentication and authorization include:
1.
Dostları ilə paylaş: