Api security Checklist
Repurpose vulnerability scanning to identify API infrastructure
Yüklə 2,4 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Analyze API code automatically where possible
|
Repurpose vulnerability scanning to identify API infrastructure:
most organizations have established vulnerability assessment and vulnerability management VA/VM scanning capabilities. These services are helpful for identifying some misconfigurations and well-known vulnerabilities, typically reported as common vulnerabilities and exposures identifiers CVE IDs), but this information applies only to published software. For custom API development or integration work, vulnerability scanning benefits are limited. These scanning services can still be useful for identifying exposed servers or workloads that may be listening on well-known TCP ports like 80 and 443 for API requests. Bear in mind that API services may also be configured to listen on other TCP ports, so scanning larger port ranges is advisable. Vulnerability scanners should also support ephemeral and containerized environments to adequately assess API hosting infrastructure. 2. Analyze API code automatically where possible: analyze code automatically with static analysis tools like code quality checkers and static application security testing SAST upon code commit in version control systems such as git and/or in CI/CD build pipelines. If you are reviewing code manually, the process will quickly hit a wall with the rate of change most organizations see in their code and APIs. Scan the integrated code base as part of build within CI/CD to obtain the most accurate scan, but some organizations also opt to scan pieces of code as they are committed to version control for speediness. A code quality checker is the least Salt I API Security Best Practices I 8 purpose-built, but they are often plentiful in organizations since many design and development tools include native code quality checking capabilities. SAST may be delivered through language-specific linters or a commercial-grade scanning offering. Regardless of the tool you select, prepare for high numbers of findings of potential conditions and false positives, particularly if a codebase has never been scanned. Static analyzers notoriously need tuning to be used effectively. Static analysis will not be able to cover business logic flaws by design. 3. Yüklə 2,4 Mb. Dostları ilə paylaş:
|