3 API security principles
This chapter covers
- What shift left means for API security and its effect on the development cycle
- The zero-trust security model and how it applies to APIs
- Why we must secure our internal APIs
- The importance of API documentation for security by design
- Where, how, and why to validate data in our APIs
- The role of security in continuous delivery

You’re building an API, and halfway through the implementation, you start wondering whether the API will be secure. As you approach the release date, your manager also wants you to confirm that security is being taken care of. Scrambling for an answer, you put together an API security checklist from online resources such as Shieldfy’s popular API-Security-Checklist (https://github.com/shieldfy/API-Security-Checklist). You go through the whole checklist and tick all the boxes. You’re confident that you’ve addressed security in your API. Shortly before release, your quality assurance (QA) and cybersecurity teams run a battery of tests against the API. The results are positive. All seems to be good. You move forward with the release. Two weeks later, you have an API breach. How could that happen? The problem with this approach is that it leaves security until the last minute, treating it as a second-class concern rather than a property designed into the API from the start.