Api security Checklist
Repurpose what you have as a start
Yüklə 2,4 Mb. Pdf görüntüsü
|
|
Repurpose what you have as a start:
most organizations have some data sources they can tap into to build a basic inventory. Commonly, these data sources include the catalog of APIs and data sources within API management and integration platforms. Traffic analysis may also be useful, as can dynamic testing tools run as part of application scanning. Using those methods, you will need to ensure you are scanning all of your known network address space to be reasonably sure you are finding all APIs. Stay away from manually updated or static data sources, which includes many asset databases and configuration management databases CMDB . Repurposing the data you collect for an API inventory will be an extensive and ongoing exercise in data aggregation, correlation, and analytics, but it can be a stopgap solution until you are equipped to procure an API security offering with discovery capabilities. Security testing The top 3 recommendations for security testing include: 1. Statically analyze API code automatically as part of version control and CI/CD 2. Check for known vulnerable dependencies in your API code 3. Dynamically analyze and fuzz deployed APIs to identify exploitable code in runtime Salt I API Security Best Practices I 7 Often viewed as the backbone of an application security program, security testing is a significant focus area of many organizations’ API security strategies. The emphasis on investing in security testing tooling and integrating it as part of development and release processes has only grown as industry has pushed the ideal of shift-left more heavily. While it is possible to scan for certain types of security issues automatically, particularly known vulnerabilities in published software, this type of scanning is less useful for the world of APIs. Traditional scanning technologies struggle with parsing custom developed code, since design patterns and coding practices vary per developer. As a result, organizations often struggle with high false positive and false negative rates. No scanner is adept at parsing business logic, which also leaves organizations exposed to major forms of API abuse. Use traditional security testing tools to verify certain elements of an API implementation such as well-known misconfigurations or vulnerabilities, but you must operate these tools with awareness of the limitations. Traditional testing tools often fail to identify flaws, or zero-day vulnerabilities, in the application and API code you create. Best practices for security testing include: 1. Yüklə 2,4 Mb. Dostları ilə paylaş:
|