Issue 198: API security certification, API authentication webinar, optimizing API security


This week, we have news of the recently released API security training course from Corey Ball and an excellent webinar from Redmonk and FusionAuth. Also, we have an article from TheNewStack on optimizing API security for cloud-native and coverage of a REST API fuzzing tool.

Training: API security training with Corey Ball

This week’s biggest story is the release of Corey Ball’s API security certified expert training course, currently available for free. For those who may have missed it, Corey is the author of the excellent “Hacking APIs” book, and this course is a great accompaniment to the book. The certification is a three-part course, starting with API security from an offense perspective (the certified expert track), followed by API security defender, and finally APIsec certified user.

For the API security certified expert, the course outline is:

  • Introduction
  • Lab Setup
  • API Reconnaissance
  • Endpoint Analysis
  • Scanning APIs
  • API Authentication Attacks
  • Exploiting API Authorization
  • Testing for Improper Assets Management
  • Mass Assignment
  • Injection Attacks
  • Rate Limit Testing
  • Combining Tools and Techniques

According to Corey, the full course will be available by the middle of September. Who’s gonna be the first to complete the course? Keep me up to date on @apisecurityio!

Webinar: API authentication with Redmonk and FusionAuth

Another popular feature this week was the webinar with Rachel Stephens (RedMonk) and Dan Moore (Head of DevRel, FusionAuth) discussing methods for securing your API.

The webinar covered OAuth in a lot of detail, focusing on three areas:

Client Responsibilities:

  • Protect the token
  • Provide token for resource server requests
  • Handle token expiration

Authorization Server Responsibilities:

  • Protect the user data
  • Authenticate the user and issue the token
  • Follow the standards and implement the grants
    • Authorization Code grant for user-based interactions
    • Client Credentials grant for machine-to-machine scenarios
  • Support token validation

Resource Server Responsibilities:

  • Validate the token
  • Validate the claims
    • Expiration time
    • Issuer
    • Audience
    • Business specific claims
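The resource server checks listed above, worked through as an added example that is not from the webinar or from FusionAuth's own code. It assumes the access token is a JWT signed with HS256 under a shared secret; the secret, issuer, audience, scope names and the fixed clock are all constructed for illustration. The signature is checked first, then expiration, issuer and audience, and finally a business-specific claim (an OAuth scope the endpoint requires), so a token minted for a different API or lacking the right scope is rejected before any resource is touched.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for a hypothetical "orders" resource server.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "orders-api"
CLOCK_SKEW_SECONDS = 30


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Authorization-server side helper, used here only to build sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, required_scope: str, now: Optional[int] = None,
                   secret: bytes = SHARED_SECRET) -> dict:
    """Validate the token, then the standard claims, then a business claim.

    Returns the claim set on success and raises ValueError naming the first
    failed check, so the server can log the reason without echoing it to clients.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        raise ValueError("malformed token")

    # 1. Validate the token: pin the algorithm and compare the MAC in constant
    #    time before trusting anything in the payload.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    # 2. Expiration time, allowing a small clock skew between servers.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")

    # 3. Issuer: only tokens from our own authorization server are accepted.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")

    # 4. Audience: a token minted for another API must not be usable here.
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")

    # 5. Business-specific claim: the scope this endpoint requires.
    if required_scope not in str(claims.get("scope", "")).split():
        raise ValueError("missing scope")
    return claims


def check(token: str, required_scope: str, now: int) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        validate_token(token, required_scope, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    good = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "exp": now + 300, "sub": "user-42", "scope": "orders:read"})
    other_api = mint_token({"iss": EXPECTED_ISSUER, "aud": "billing-api",
                            "exp": now + 300, "sub": "user-42", "scope": "orders:read"})
    print(check(good, "orders:read", now))        # ok
    print(check(good, "orders:write", now))       # missing scope
    print(check(other_api, "orders:read", now))   # wrong audience
    print(check(good + "x", "orders:read", now))  # bad signature
```

The order of the checks is the design point: nothing from the payload is read until the signature holds, and the cheap standard claims (exp, iss, aud) are rejected before the application-specific scope check, which keeps the failure reasons distinct in the server's logs.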

Moore gave the following recommendations for securing your APIs:

  • Build in API authentication and authorization from the beginning
  • Avoid the OWASP Top 10 API issues
  • Lean towards OAuth
    • Authorization Code grant is for users
    • Client Credentials grant is for machines

A great listen – strongly recommended.

Article: Optimizing API security for cloud-native

This week TheNewStack featured thoughts on how to use cloud-native approaches to improve API security. Their top five recommendations are:

  • Distributed Authorization and Authentication
  • API Request and Response Handling
  • Sensitive Data Handling
  • API Egress Protection
  • Security Testing and Shifting Left

The article concludes on a note of high optimism:

Developers can instead rely on API security tools to enforce distributed access controls, inspect API requests and responses, drive security testing and much more.

Ideally, the best security solutions should be unobtrusive and be frictionless for developers.

Tools: CATS REST API fuzzing tool

Although it’s been around for some time, I’ve only recently looked at the CATS REST API fuzzer and negative testing tool, which can generate, run, and report automatically based on a pre-defined set of 89 fuzzers. According to the project’s GitHub repository, the key features include:

By using a simple and minimal syntax, with a flat learning curve, CATS (Contract Auto-generated Tests for Swagger) enables you to generate thousands of API tests within minutes with no coding effort. All tests are generated, run and reported automatically based on a pre-defined set of 89 Fuzzers. The Fuzzers cover a wide range of input data from fully random large Unicode values to well-crafted, context-dependent values based on the request data types and constraints. Even more, you can leverage the fact that CATS generates request payloads dynamically and write simple end-to-end functional tests.

This tool looks like it holds a lot of promise, and I’d love to hear from anyone with personal experience.
