Issue 25: NIST microservices guidelines, Facebook opens up to pentesting

This week, NIST has released its draft microservice security guidelines, Facebook now lets whitehat researchers switch off some of its API protection layers, and we continue the discussion on how to store API secrets safely.

Industry standards and best practices

The US National Institute of Standards and Technology (NIST) published its draft on “Security Strategies for Microservices-based Application Systems”. The document includes a lot of API security guidelines, architectures (such as gateways and service meshes), threat background, and security strategies.

The draft is open for commenting until April 26, 2019. Definitely worth checking out!


Facebook has made an interesting move to make pentesting its APIs easier: researchers can now disable some of the API protection layers that the company has put in place. This can be done under the Whitehat Settings in the Android apps for Facebook, Messenger, and Instagram.

The Whitehat Settings allow researchers to do the following (for their own accounts only):

  • Turn off Certificate Pinning
  • Use a built-in proxy for API calls
  • Disable TLS 1.3
  • Use user-installed certificates

As we all know, API security is all about layers. By allowing researchers to disable some of the layers, Facebook is making it easier to test the other ones.

API keys: the saga continues

In our previous issue, we covered recent research that found more than 100,000 public repositories that had API keys stored in the clear.

The latest Security Ledger podcast has Paul Roberts and Dmitry Sotnikov discussing that story. They also talk about the best practices for storing secrets and what developers can do about it.

GitHub’s main competitor, GitLab, is also adding key detection to code merges. Not a silver bullet, as only a subset gets detected, but every step in that direction helps!


On April 9, Smartbear is hosting a webinar about the dev role in API security. The webinar will cover:

  • General overview of web security
  • API security best practices
  • An introduction to SecOps
  • A demo on how Smartbear Secure Pro finds defects in APIs
