2 Aligning API security with your organization
This chapter covers
- Evaluating your API security posture
- Modeling threats for your APIs
- Kicking off your API security journey with low-hanging fruit
- Creating an API security program for your organization
- Getting buy-in from your organization to tackle API security
- Navigating API security audits
As we saw in chapter 1, APIs are becoming the main vector of attack on the internet. If you work or plan to work with APIs, it’s crucial to start thinking about security as early as possible. The questions are
- How do you factor security into your API development?
- How do you align security with your product goals and requirements?
- How do you implement continuous security checks as part of your API development process?
Software development is a social activity. We build software as part of a team, which is part of a bigger organization. Building software involves talking with stakeholders, understanding product requirements, prioritizing features and concerns, and working together toward a common solution. We must factor in deadlines, which means not all features get the same attention or are developed at the same time.
The style and performance of a user interface (UI), for example, have a direct effect on the user experience (UX), so organizations prioritize those elements. But what about something like API security? API security also has a direct effect on the user, but it’s not as obvious—at least not until you get a data breach.