3 API security principles
This chapter covers
- What shift left means for API security and its impact on the development cycle
- The Zero Trust Security model and how it applies to APIs
- Why we must secure our internal APIs
- The importance of API documentation for security by design
- Where, how, and why to validate data in our APIs
- The role of security in continuous delivery
You’re building an API, and halfway through the implementation, you start wondering whether the API will be secure. As you approach the release date, your manager also wants to confirm with you that security is being taken care of. Scrambling for an answer, you put together an API security checklist by looking for online resources such as Shieldfy’s popular API-Security-Checklist (https://github.com/shieldfy/API-Security-Checklist). You go through the whole checklist and tick all the boxes. You’re confident you’ve addressed security in your API. As you approach the release date, your QA and cybersecurity teams run a battery of tests against the API. The results come back clean: no findings. All seems to be good. You move forward with the release. Two weeks later, you have an API breach. How could this happen? The problem with this approach is that it leaves security for the last minute, after the design decisions that determine how the API can be attacked have already been made. It treats security as a second-class concern, something to be checked at the end rather than built in from the start.