API Security Newsletter - Issue #1
API Security News
APIs cannot remain the most used, most abused and least visible part of our enterprise infrastructure. Though APIs have enormous benefits for those who utilize them, the extent to which they are used can, unfortunately, lead to blind spots in our security programs, particularly with the increased use of zombie and shadow APIs (deprecated endpoints that are still reachable, and endpoints the security team does not know exist).
According to Google Cloud's "The State of API Economy 2021 Report", API security is amongst the most critical components of a successful API program.
https://pages.apigee.com/api-economy-report-confirmation-ty.html
According to our survey data, technology leaders recognize API performance analytics (26%) and API security and governance (23%) capabilities as the most critical components of a successful API program.
A buggy app with one-star reviews led one student to discover a glaring security flaw.
The API was not checking if a student’s credentials were valid. That meant Johnson, or anyone else on the internet, could communicate with the API and take over another student’s account without having to know their password. Johnson said the API only checked the student’s unique ID, but warned that these are sometimes the same as a university-issued student username or student ID number, which some schools publicly list on their online student directories, and as such cannot be considered a secret.
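The flaw described above is a missing authentication step combined with object-level authorization keyed on a guessable identifier. The following is an added example (not the app's code, nor code from the article): a constructed, framework-free student-records handler with the vulnerable pattern beside a hardened one. The account data, the student usernames, the HMAC signing key and the `issue_token`/`verify_token` helpers are all assumptions made for the illustration; the hardened handler takes the caller's identity from a verified bearer token and refuses to serve any record other than the caller's own.

```python
import hashlib
import hmac

# Constructed sample data for a hypothetical student-records API.
# Usernames and the signing key are made up for this example.
SIGNING_KEY = b"example-key-do-not-use-in-production"

ACCOUNTS = {
    "jsmith01": {"name": "J. Smith", "email": "jsmith01@example.edu"},
    "akhan02": {"name": "A. Khan", "email": "akhan02@example.edu"},
}


def issue_token(student_id: str) -> str:
    """Mint a bearer token bound to one student: '<id>.<HMAC-SHA256 tag>'.

    A real service would use a session store or a signed token with an
    expiry; this is the minimum that makes the token unforgeable.
    """
    tag = hmac.new(SIGNING_KEY, student_id.encode(), hashlib.sha256).hexdigest()
    return f"{student_id}.{tag}"


def verify_token(token):
    """Return the student id the token was issued for, or None if invalid."""
    if not token or "." not in token:
        return None
    student_id, tag = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, student_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a malformed tag cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return student_id


def vulnerable_get_account(request: dict):
    """The pattern the article describes: the only 'check' is that the
    supplied id exists. Anyone who can guess a directory-listed username
    gets that student's record, no credentials needed."""
    student_id = request.get("query", {}).get("student_id")
    if student_id not in ACCOUNTS:
        return 404, {"error": "not found"}
    return 200, ACCOUNTS[student_id]


def hardened_get_account(request: dict):
    """Authenticate first, then authorise. Identity comes from the verified
    token, never from a client-supplied id."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    caller = verify_token(token) if scheme == "Bearer" else None
    if caller is None:
        return 401, {"error": "authentication required"}
    # Object-level authorisation: a student may only read their own record,
    # whatever id they put in the query string.
    requested = request.get("query", {}).get("student_id", caller)
    if requested != caller:
        return 403, {"error": "forbidden"}
    if caller not in ACCOUNTS:
        return 404, {"error": "not found"}
    return 200, ACCOUNTS[caller]


if __name__ == "__main__":
    # Attacker knows only a username from the public directory.
    print(vulnerable_get_account({"query": {"student_id": "akhan02"}}))
    print(hardened_get_account({"query": {"student_id": "akhan02"}}))
    tok = issue_token("jsmith01")
    print(hardened_get_account({"headers": {"Authorization": "Bearer " + tok},
                                "query": {"student_id": "akhan02"}}))
    print(hardened_get_account({"headers": {"Authorization": "Bearer " + tok}}))
```

The check a practitioner would run against a real API is the same as the first two calls: request another user's object with no credentials, then with your own credentials; a 200 in either case is the bug.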
Security can also be an issue when low-code or no-code software connects to your APIs and your critical infrastructure. Giving "citizen developers" the ability to create applications can create new vulnerabilities.
API Security Tooling and Best Practices
The implementation and deployment are where most security vulnerabilities arise. For example, one financial institution’s implementation of the Financial Data Exchange API may be secure, whereas another institution’s offering of the same API may have serious security vulnerabilities. By incorporating security in design, teams can contribute significantly to secure delivery.
API Video Series
On this episode of Erik Wilde's YouTube Series, former Postman Director of API Ecosystems Matthew Reinbold talks us through the key findings of the 2021 State of the API Report.
The report shines a light on general trends in the API space, and shows where and how the API community is developing and investing.
In this episode of API Shorts, Brenton House shows how to equip yourself and your organization to defend against API attackers with a solid API Security strategy.
Upcoming API (Security) events
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security News. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).