2 Aligning API security with your organization


This chapter covers

  • Evaluating your API security posture
  • Modeling threats for your APIs
  • Kicking off your API security journey with low-hanging fruit
  • Creating an API security program for your organization
  • Getting buy-in from your organization to tackle API security
  • Navigating API security audits

As we saw in chapter 1, APIs are becoming the main vector of attack on the Internet. If you work or are planning to work with APIs, it’s crucial to start thinking about security as early as you can. The questions are: how do you factor security into your API development? How do you align security with your product goals and requirements? And how do you build continuous security checks into your API development process?

Software development is a social activity. We build software as part of a team, which is part of a bigger organization. Building software involves talking with different stakeholders, understanding product requirements, prioritizing features and concerns, and working together towards a common solution. We must factor in deadlines, which means not all features get the same attention or get to be developed at the same time.

For example, the style and performance of a user interface (UI) have a direct impact on the user experience (UX), so we prioritize them. But what about something like API security? API security also has a direct impact on the user, but that impact is far less obvious, at least until you suffer a data breach.

2.1 Evaluating your API security posture

2.2 Threat modeling is a team sport

2.2.1 Application decomposition

2.2.2 Threat identification and ranking

2.2.3 Response and mitigations

2.2.4 Review and validation

2.3 Act now!

2.3.1 Document your APIs

2.3.2 Strengthen authentication and authorization

2.3.3 Use proper API libraries

2.3.4 Leverage cloud protection tools

2.4 Creating an API security program

2.5 Aligning API security with your organization

2.6 Navigating API security audits

2.7 Summary