Issue 201: API security in Kubernetes, Corey Ball podcast, broken access controls for APIs, 200th issue prize giveaway


This week, we have an article from the NewStack on API security best practices in Kubernetes, a podcast with Corey Ball discussing API security best practices, an article on broken access control concerns in APIs, and 42Crunch’s eBook on API security. Most importantly, we have news of last week’s winner in the 200th-issue giveaway and news on this week’s giveaway.

Article: Best practices for API security in Kubernetes

First up this week is guidance from the team at Curity on best practices for API security in Kubernetes.

The article focuses on the role of the ingress controller in securing APIs deployed in Kubernetes. The first recommendation is to provide a single point of entry to the pods in a cluster. While exposing pod ports directly via Services (for example, NodePort or LoadBalancer) is possible, this approach lacks flexibility and scalability. A more robust approach is to use an ingress controller, which provides a richer set of enterprise features such as name-based virtual hosts, path mapping, proxying, caching, and security features such as authentication and TLS termination. The author recommends the NGINX Ingress Controller, Kong Ingress Controller, or the Tyk Operator. I’ve had great success with the Traefik Ingress Controller.

The second recommendation is to restrict access, and the ingress controller is ideally suited to enforcing authentication and authorization at a central point. Using standard protocols such as OAuth 2.0 or OpenID Connect, the ingress controller can validate tokens at the perimeter (signature, expiry, issuer and audience) and perform coarse-grained access control such as checking scopes, offloading token validation from the API backend. Fine-grained, object-level authorization still has to happen in the API itself, since the ingress sees only the token, not the records being requested.

Finally, a security truism: trust no one. The author describes the Phantom Token approach, in which the client outside the cluster holds only an opaque reference token and the ingress controller exchanges it (via token introspection) for the JWT that is forwarded to the backend, so JWTs containing sensitive claims are never exposed outside the cluster. With a full-featured ingress controller, Phantom Tokens can be implemented via scripts or plugins.
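To make the perimeter validation, coarse-grained scope check and Phantom Token swap concrete, here is an added, self-contained Python simulation of the flow described in the two paragraphs above. It is example code written for this newsletter, not Curity's implementation or any ingress controller plugin; the token service, ingress filter and backend are in-process stand-ins, the HS256 signing key is a constructed demo secret, and the introspection response format (an RFC 7662-style `active` flag plus a `jwt` field) is an assumption for illustration.

```python
"""Phantom Token flow at the ingress (added example, in-process stand-ins only).

Outside the cluster the client holds only an opaque reference token. The ingress
filter introspects it, enforces a coarse-grained scope check, and forwards a JWT
to the backend, so the client never sees the JWT and the API never sees the
opaque token.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: shared HMAC key between token service and backend (demo only;
# a real deployment would use asymmetric keys published via JWKS).
JWT_KEY = b"demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt(claims: dict, key: bytes = JWT_KEY) -> str:
    """Minimal HS256 JWT encoder, hand-rolled so the example has no dependencies."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = JWT_KEY) -> dict:
    """Backend-side check: constant-time signature comparison, then expiry."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


class TokenService:
    """Stand-in authorization server: issues opaque tokens and answers introspection."""

    def __init__(self):
        self._store = {}  # opaque token -> claims

    def issue(self, sub: str, scope: str, ttl: int = 300) -> str:
        opaque = secrets.token_urlsafe(24)  # random reference, carries no claims
        self._store[opaque] = {"sub": sub, "scope": scope, "exp": int(time.time()) + ttl}
        return opaque

    def introspect(self, opaque: str) -> dict:
        """RFC 7662-style response; for an active token it also carries the JWT."""
        claims = self._store.get(opaque)
        if claims is None or claims["exp"] < time.time():
            return {"active": False}
        return {"active": True, **claims, "jwt": sign_jwt(claims)}


class IngressFilter:
    """Perimeter enforcement: validate the opaque token, check scope, swap in the JWT."""

    def __init__(self, token_service: TokenService, required_scope: str):
        self.ts = token_service
        self.required_scope = required_scope

    def handle(self, request: dict) -> dict:
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Bearer "):
            return {"status": 401, "body": "missing bearer token"}
        result = self.ts.introspect(auth[len("Bearer "):])
        if not result.get("active"):
            return {"status": 401, "body": "invalid or expired token"}
        if self.required_scope not in result["scope"].split():
            return {"status": 403, "body": "insufficient scope"}  # coarse-grained check
        forwarded = {**request, "headers": {**request["headers"],
                                             "Authorization": f"Bearer {result['jwt']}"}}
        return backend(forwarded)


def backend(request: dict) -> dict:
    """The API only ever receives the JWT; it verifies it and trusts the claims."""
    claims = verify_jwt(request["headers"]["Authorization"][len("Bearer "):])
    return {"status": 200, "body": f"hello {claims['sub']}"}


def demo() -> dict:
    """Three requests: correct scope, missing scope, and a bogus token."""
    ts = TokenService()
    ingress = IngressFilter(ts, required_scope="orders:read")
    good = ts.issue("alice", "orders:read profile")
    weak = ts.issue("bob", "profile")
    return {
        "ok": ingress.handle({"headers": {"Authorization": f"Bearer {good}"}}),
        "wrong_scope": ingress.handle({"headers": {"Authorization": f"Bearer {weak}"}}),
        "bogus": ingress.handle({"headers": {"Authorization": "Bearer not-a-real-token"}}),
        "opaque_token_is_jwt": "." in good,  # False: nothing to decode client-side
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to notice is the split of responsibilities: the ingress answers "is this token valid and does it carry the right scope?", while anything that depends on the specific record being requested is still the backend's job.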

Thanks to the Curity team for this great read.

Podcast: Corey Ball on API security best-practices

Our good friend Corey Ball (aka @hAPI_hacker) was featured in the latest Cloud Security Podcast with Ashish Rajan. Most readers will be familiar with Corey’s “Hacking APIs” book; this is a good listen covering topics such as:

  • What is API security, and why is it important in 2022?
  • What are people doing wrong with APIs?
  • Most surprising things being seen in API Security?
  • Learn about API hacking
  • Which APIs should be public?

Thanks to both Corey and Ashish for their contribution to the community.

Article: Broken access control concern for APIs

As readers of this newsletter are only too well aware, broken access control is a persistent problem for APIs. This week InfosecWriteups provided an unusual take on this all too familiar topic.

The article covers both broken function-level and broken object-level authorization. For me, the most interesting (and oft-overlooked) cause of broken authorization is trust in client-side parameters or values. By definition, some state must be maintained on the client side (record identifiers, role flags, workflow-step markers), and an attacker can modify it at will. If the server side doesn’t fully validate each incoming request by re-authorizing (or at least re-validating) access to the requested object or function, it places blind trust in easily modifiable input. As per the first article: trust no one.

The recommendations to protect against broken authorization are twofold:

  • Always re-validate access to records rather than assuming access based on an existing authenticated session.
  • Use a single point of enforcement for authorization.
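As an added illustration of the failure mode and the two recommendations above (not code from the InfosecWriteups article), the following Python puts a vulnerable object-level and function-level handler beside a hardened version that re-validates access to the record on every call through a single enforcement point. The invoice store, user names and the `is_admin` request field are constructed for the example.

```python
"""BOLA/BFLA: vulnerable handlers beside the hardened form (added example)."""
from functools import wraps


def sample_store() -> dict:
    """Constructed sample data: invoices owned by different users."""
    return {101: {"owner": "alice", "total": 42.0}, 102: {"owner": "bob", "total": 99.5}}


class Forbidden(Exception):
    pass


# --- Vulnerable: authenticated session + client-supplied id, no ownership check (BOLA)
def get_invoice_vulnerable(store, session, request):
    return store[int(request["invoice_id"])]   # attacker just changes 101 -> 102


# --- Vulnerable: trusts a role flag the client sends (BFLA)
def delete_invoice_vulnerable(store, session, request):
    if request.get("is_admin") != "true":      # client-side state, trivially forged
        raise Forbidden("admins only")
    del store[int(request["invoice_id"])]
    return True


# --- Hardened: one enforcement point, consulted on every record access
def authorize(action, session, invoice):
    """Roles come from the server-side session, ownership from the stored record;
    nothing in the request body is consulted."""
    user = session["user"]
    roles = session.get("roles", ())           # populated at login, server side
    if action == "read" and (invoice["owner"] == user or "admin" in roles):
        return
    if action == "delete" and "admin" in roles:
        return
    raise Forbidden(f"{user} may not {action} this invoice")


def requires(action):
    """Decorator: load the record, re-validate access, only then run the handler."""
    def deco(fn):
        @wraps(fn)
        def wrapper(store, session, request):
            invoice = store.get(int(request["invoice_id"]))
            if invoice is None:
                raise Forbidden("denied")      # same error as a denial: no id-enumeration oracle
            authorize(action, session, invoice)
            return fn(store, session, int(request["invoice_id"]), invoice)
        return wrapper
    return deco


@requires("read")
def get_invoice(store, session, invoice_id, invoice):
    return invoice


@requires("delete")
def delete_invoice(store, session, invoice_id, invoice):
    del store[invoice_id]
    return True


def _denied(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


def demo() -> dict:
    alice = {"user": "alice"}                             # server-side session, no roles
    admin = {"user": "root", "roles": ("admin",)}
    forged = {"invoice_id": "102", "is_admin": "true"}    # client tampered with both fields
    return {
        "bola_leaks_bobs_invoice": get_invoice_vulnerable(sample_store(), alice, forged)["owner"],
        "bfla_forged_delete_succeeds": delete_invoice_vulnerable(sample_store(), alice, forged),
        "hardened_read_denied": _denied(get_invoice, sample_store(), alice, forged),
        "hardened_delete_denied": _denied(delete_invoice, sample_store(), alice, forged),
        "owner_can_read": get_invoice(sample_store(), alice, {"invoice_id": "101"})["total"],
        "admin_can_delete": delete_invoice(sample_store(), admin, {"invoice_id": "102"}),
        "unknown_id_denied": _denied(get_invoice, sample_store(), alice, {"invoice_id": "999"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth copying is that `authorize` is the only place that decides anything, and it is invoked by the decorator before any handler body runs, so a new endpoint cannot forget the check without also forgetting to load the record.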

eBook: 42Crunch ebook on API Security

This week 42Crunch released their eBook on API Security which is intended as a comprehensive guide to the breadth and scope of API security. The guide is aimed at those getting to grips with API security who want an orientation, a set of practical recommendations, and a path to success. The guide covers the six main domains of API security: inventory, design, development, testing, protection, and governance.

Our intent in creating the eBook was to demystify the topic of API security. Too often, we encounter concerns that “we don’t know where to start” or “we don’t know what good looks like.” Building any security program is like eating an elephant: one piece at a time. Start small, prioritize sensibly, iterate quickly, learn lessons and shift the dial. Knowing where you are is vital, as is knowing your destination.

Our 200th issue prize giveaway

The winner of last week’s 200th issue prize giveaway is Dan O’Reilly @ Ford Motor Company. Congratulations Dan!

For this week’s giveaway, we’d love you to either download the API security eBook or share the link on your social media. Just remember to tag me (@colindomoney) when you do, and we’ll announce the winner next week.
