Defense Construction of API Security

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Application programming interfaces (APIs) are a good way for companies to increase the value of their products for their customers. By exposing digital assets and services to a wider audience, APIs have become a core business focus, and the "API economy" has become a fixed phrase in business jargon.

In an API project, managing access and protecting the system are essential, as is taking part in the security policy of the wider digital ecosystem. Application managers must design, enforce and supervise effective API security policies, including the use of API gateways. As the field matures and the number of players grows, so does the risk introduced by enterprises adopting insecure APIs. It has been predicted that by 2022 API abuse would be the most frequent attack vector leading to data breaches of enterprise web applications.

In September 2018, for example, Facebook disclosed a major breach that it initially estimated at about 50 million accounts (later revised to roughly 30 million). The attackers used stolen access tokens to query Facebook's APIs for information about the affected users, including name, gender and hometown. Even a leading player like Facebook is not immune to API security issues.

APIs are the gateway to data and applications, so building security into them is as important as protecting web applications.

To fully protect APIs, the team must address architectural, DevOps and production security requirements. Where in the software development lifecycle (SDLC) the security assessment lands depends on whether the development team is adding APIs to legacy applications or building new API-first applications. Although most of the assessment and mitigation requirements are the same in both cases, the team still needs to:

1. Perform dynamic application security testing (DAST) against the APIs and create a mitigation/fix plan for the vulnerabilities found.

2. Integrate software composition analysis (SCA) and static application security testing (SAST) of the API code into the DevOps pipeline.

3. Use secure design patterns in the enterprise application architecture. Examples of such patterns include:
- templates that apply contextual output encoding automatically, to prevent cross-site scripting (XSS);
- contextual input validation, to prevent attacks that rely on malformed input;
- synchronizer tokens, to prevent cross-site request forgery (CSRF, also written XSRF);
- bind variables (parameterized queries), typically through an object-relational mapper (ORM), to prevent SQL injection;
- a cryptographic facade, that is, one vetted wrapper around the crypto library, to reduce cryptographic misuse;
- a robust feedback loop in the SDLC that acts on the findings of the various scans.

These steps give the APIs complete security coverage, so the team can find and fix vulnerabilities before they are exploited.
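The four coding patterns listed under step 3, each shown as its vulnerable form beside its hardened form. This is an added example, not code from the article; it uses only the Python standard library, an in-memory SQLite table and constructed inputs, and the function and table names are invented for the illustration.

```python
"""Added example, not from the article: secure design patterns from step 3,
vulnerable form beside hardened form. Standard library only; the users table
and all inputs are constructed for the illustration."""
import html
import hmac
import re
import secrets
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, hometown TEXT)")
    conn.executemany("INSERT INTO users (name, hometown) VALUES (?, ?)",
                     [("alice", "Oslo"), ("bob", "Lima")])
    return conn


# 1. SQL injection: string concatenation versus bind variables.
def find_user_vulnerable(conn, name):
    # Caller-controlled `name` is spliced into the SQL text, so a value such
    # as  x' OR '1'='1  rewrites the WHERE clause and returns every row.
    sql = "SELECT name, hometown FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Bind variable: the driver passes `name` as data, never as SQL text.
    # An ORM does the same thing underneath.
    return conn.execute(
        "SELECT name, hometown FROM users WHERE name = ?", (name,)).fetchall()


# 2. XSS: raw interpolation versus output encoding applied by the template.
def render_greeting_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Encoding for the HTML-text context. An auto-escaping template engine
    # applies this to every variable so that no single call can be forgotten.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# 3. Contextual input validation: an allow-list for one field.
HOMETOWN_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def validate_hometown(value):
    """Accept only what a hometown can look like; reject everything else."""
    if not isinstance(value, str) or HOMETOWN_RE.fullmatch(value) is None:
        raise ValueError("hometown: unexpected characters or length")
    return value


# 4. CSRF: a synchronizer token tied to the server-side session.
def issue_csrf_token(session):
    """Create one unguessable token per session and record it server-side;
    the application embeds it in every state-changing form or request."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """True only if the submitted token equals the one stored for the session."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so timing does not leak the token byte by byte.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable query:", find_user_vulnerable(db, payload))  # both rows leak
    print("parameterized:   ", find_user_safe(db, payload))        # []
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
    session = {}
    token = issue_csrf_token(session)
    print("csrf ok:", verify_csrf_token(session, token),
          "forged:", verify_csrf_token(session, "not-the-token"))
```

The injection payload is deliberately the textbook one so the difference between the two query functions is visible in a single run; the same bind-variable call is what an ORM issues on your behalf, which is why step 3 recommends routing data access through one.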

You may think you already have a management tool that solves API security problems, but owning the tool is only the first step toward API security. The security policy an API management tool provides applies at the perimeter; it does nothing for the security of the business logic behind the API. The goal is to embed application security (DAST, SAST and SCA) in the software lifecycle and to write APIs that are secure from the inside out, as part of the overall API security policy.
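To make the perimeter-versus-business-logic point concrete, here is an added example (not the article's code, and not modelled on any real gateway product): a constructed gateway that authenticates bearer tokens, placed in front of two versions of the same record handler. The token table, records, routes and function names are all invented for the illustration.

```python
"""Added example, not from the article: a gateway's perimeter policy
(authentication, route shape) versus object-level authorization that only
the application can enforce. Everything here is a constructed stand-in."""

# Constructed: opaque bearer tokens the gateway can validate, and the record
# each account owns.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
RECORDS = {
    "alice": {"name": "alice", "hometown": "Oslo"},
    "bob": {"name": "bob", "hometown": "Lima"},
}


def gateway(request):
    """Perimeter policy: authenticate the bearer token and check the route.
    Returns (status, principal). The gateway learns who is calling; it has
    no idea whether that caller may read the specific record in the path."""
    principal = TOKENS.get(request.get("authorization"))
    if principal is None:
        return 401, None
    if not request.get("path", "").startswith("/users/"):
        return 404, None
    return 200, principal


def handler_perimeter_only(principal, owner):
    """Relies on the gateway alone: any authenticated caller reads any record."""
    return 200, RECORDS.get(owner)


def handler_with_object_check(principal, owner):
    """Object-level authorization lives in the application, next to the data."""
    if owner not in RECORDS:
        return 404, None
    if principal != owner:
        return 403, None
    return 200, RECORDS[owner]


def serve(request, handler):
    """Run the request through the gateway, then the chosen handler."""
    status, principal = gateway(request)
    if status != 200:
        return status, None
    owner = request["path"].split("/")[2]   # /users/<owner>
    return handler(principal, owner)


if __name__ == "__main__":
    cross_account = {"authorization": "tok-alice", "path": "/users/bob"}
    print("perimeter only:", serve(cross_account, handler_perimeter_only))
    print("object check:  ", serve(cross_account, handler_with_object_check))
    print("bad token:     ", serve({"authorization": "nope", "path": "/users/bob"},
                                   handler_with_object_check))
```

Both handlers sit behind the same gateway with the same policy; the first one still leaks bob's record to alice because the check that matters is about the relationship between caller and object, which no perimeter component can see.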

In summary, the results of security assessments are critical to the development and security stakeholders in each sprint, and the practices above improve both the integrity and the adoption of the company's APIs.
