Solutions Architect at a financial services firm with 1,001-5,000 employees (Dec 9, 2021)
API (application programming interface) management is the process of managing different API functions, such as designing, releasing, documenting, analyzing, and monitoring APIs in a safe environment.
We have so far looked at leveraging OWASP ZAP to perform DAST on the APIs. As long as APIs use the OpenAPI framework, we are able to do this easily for different authentication methods and get reports for different thresholds. So far this has sufficed for our needs.
Commercial products might offer far greater checks, something we might look at in the near future.
Hi Evgeny,
It depends on what type of API we are talking about. Kong was already mentioned, but there are multiple others as well. One of the best Open Source packages for API management available right now is Gravitee.io. We are both Gravitee and Kong partners, so feel free to reach out if you have any questions.
Usually, you move authentication from your upstream APIs to an API gateway.
Additionally, you can do schema validation, so that the requests that arrive at your backend have been checked for validity. For some extra security, you can sanitize inputs or scan for known injection vectors.
You can read more about API security in our blog: The Ultimate Guide to API Security - APIIDA
Hope this helps!
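The answer above describes two gateway-side controls: authentication moved out of the upstream APIs, and schema validation so that only well-formed requests reach the backend. The following is an added example, not code from the thread or from any gateway product, showing what that validation hop looks like. The schema format, the `TRANSFER_SCHEMA` document, and the `gateway_check` function are constructed for this example; a real gateway would load the equivalent rules from the API's OpenAPI definition.

```python
"""Gateway-side request validation: reject malformed requests before they reach the backend.

Added example (not from the original thread). It assumes a gateway that receives a
parsed JSON body and a small declarative schema, similar in spirit to an OpenAPI
request-body schema. The schema format and function names here are hypothetical.
"""
import json
import re

# Hypothetical request schema for POST /transfers (constructed for this example).
TRANSFER_SCHEMA = {
    "type": "object",
    "required": ["account_id", "amount", "currency"],
    "additionalProperties": False,          # unknown fields are rejected, not forwarded
    "properties": {
        "account_id": {"type": "string", "pattern": r"^[A-Z0-9]{8,20}$"},
        "amount": {"type": "number", "minimum": 0.01, "maximum": 1_000_000},
        "currency": {"type": "string", "enum": ["EUR", "USD", "GBP"]},
        "memo": {"type": "string", "maxLength": 140},
    },
}

_TYPES = {"string": str, "number": (int, float), "integer": int, "boolean": bool, "object": dict}


def validate(value, schema, path="$"):
    """Return a list of violations (an empty list means the value conforms)."""
    errors = []
    declared = schema.get("type")
    expected = _TYPES.get(declared)
    # bool is a subclass of int in Python; keep it out of number/integer checks.
    wrong_type = expected is not None and (
        not isinstance(value, expected) or (isinstance(value, bool) and declared != "boolean")
    )
    if wrong_type:
        return [f"{path}: expected {declared}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: not one of {schema['enum']}")
    if isinstance(value, str):
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required")
        for name, sub in value.items():
            if name in props:
                errors.extend(validate(sub, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: unexpected property")
    return errors


def gateway_check(raw_body: bytes, schema=TRANSFER_SCHEMA):
    """Simulate the gateway hop: parse, validate, and return (status, details).

    200 means the request is forwarded upstream; 400 means it is rejected at the edge
    and the backend never sees it.
    """
    try:
        body = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError):
        return 400, ["body: not valid JSON"]
    errors = validate(body, schema)
    return (200, []) if not errors else (400, errors)


if __name__ == "__main__":
    # Constructed sample requests: one valid, one with several violations.
    print(gateway_check(b'{"account_id": "ACC12345678", "amount": 25.5, "currency": "EUR"}'))
    print(gateway_check(b'{"account_id": "acc; drop", "amount": -5, "currency": "XXX", "debug": true}'))
```

Rejecting unknown properties at the edge is the part people most often leave out; it is what stops a client from smuggling fields the backend happens to bind but the API never advertised.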
1. For authentication and authorization we can secure our API using plugins on KONG: OpenID Connect and application registration plugin. OpenID Connect can be integrated with IDP provider MS Azure AD.
2. JWT plugin provided in KONG can also be used for authorization purposes.
All these are JWT-based mechanisms.
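The Kong plugins named above all end in the same place: the gateway verifies a JWT before the request is allowed upstream. To make that step concrete, here is an added example (not from the thread and not Kong's code) that performs the checks a gateway JWT plugin does, using only the Python standard library: pinned algorithm, HMAC signature, issuer, `exp` and `nbf`. The secret, issuer URL and claims are constructed for the example; `mint_token` stands in for the identity provider.

```python
"""What an API-gateway JWT check does, step by step.

Added example, not part of the thread and not Kong's own code. It mimics the checks a
gateway JWT plugin performs (signature, exp, nbf, issuer) using only the standard
library. The secret, issuer and claims below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-use-in-production"  # constructed for the example
ISSUER = "https://idp.example.test"                           # constructed for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for the identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET, issuer: str = ISSUER, now=None):
    """Return (ok, reason, claims) after the same checks a gateway JWT plugin applies."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", None
    # Pin the algorithm: the verifier decides it, never the token (blocks alg=none tricks).
    if header.get("alg") != "HS256":
        return False, "bad alg", None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature", None
    if claims.get("iss") != issuer:
        return False, "bad issuer", None
    if "exp" not in claims or now >= claims["exp"]:
        return False, "expired", None
    if now < claims.get("nbf", 0):
        return False, "not yet valid", None
    return True, "ok", claims


if __name__ == "__main__":
    token = mint_token({"iss": ISSUER, "sub": "user-1", "exp": int(time.time()) + 300})
    print(verify_token(token))
```

The order of checks matters less than the fact that every one of them runs on every request; a gateway that verifies the signature but skips `exp`, or that honours whatever `alg` the token declares, is not enforcing much.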
@Evgeny Belenky Yes, Kong is an API Gateway.
It has good integration capabilities with well-known IdPs.
The principle is to consider every aspect of the API's use and then evaluate any loopholes for security breaches. So one can consider the following:
Securing the connection by always using the latest, strongest versions of conveniently available connection-securing mechanisms like HTTPS
Adding an additional layer of security by hashing sensitive data like passwords and using strong hashing algorithms
Validating any input parameter by using strong validation checks and rejecting requests if validation fails. It is practical to send specific error messages as a response.
Considering the use of secure authentication and authorization frameworks instead of using basic authentication and always storing sensitive data in a secure framework.
It is also important not to expose information on URLs.
Hi @reviewer1572348,
Possibly you can help in answering this question. Can you?
Thanks