The new certification course for API Security Architect is now available. This is an in-depth, self-paced course, and by completing this course, you will be able to: Explain the unique security risks of APIs and identify typical areas of API vulnerabilities Explain the purpose of OAuth 2.0 as a framework for authorization Describe the current…
Category: API Security
TechTalk: A Panel Discussion on OWASP Top 10/API Top 10
June 2020’s TechTalk had Joe Krull from Aite Group and API Academy’s own Jay Thorne join hosts Aran and Bill on a discussion around OWASP Top 10 and the newer API Top 10 and how enterprises can address common security issues around these problem areas. They also discussed the relationship between app developers and security…
A Solid Investment – Don’t Skimp on Security Training for Developers
Over the past months in API Academy blogs I’ve provided my observations and recommendations on the importance of event and access logging and the compelling reasons why you want to avoid security misconfigurations. This month, I’ll focus on security training for developers and why you should make this investment. To remind, I’m a bit of…
API Keys are not API Security
I recently had an interesting article show up in my Google newsfeed on API Keys, their generation, and their distribution. A group of developers posed the following question to the community: how do you build and distribute your API keys to your API consumer audience? Being immersed in APIs and API developer communities every day,…
How to Protect Existing GraphQL Endpoints using an API Gateway
You’ve spent months building a GraphQL API. The schema is just right, and your front-end developers are thrilled with it. At first it’s only exposed internally, so you’re not that worried about security, but then as different clients find out that you have this awesome API out there, they want to start using it as…
TechTalk: A Panel on API Security
May’s TechTalk had hosts Aran and Bill joined by Dmitry Sotnikov, CPO of 42Crunch, for a panel discussion on common API security issues and how to mitigate them. In addition to addressing these common issues, the panel also took questions from the audience. Definitely a topic of interest. API Academy encourages those who are interested…
Advice to Developers: Double-check Configurations to Avoid Cybersecurity Pain
Last month in my API Academy blog I provided my observations and recommendations about the importance of logging and monitoring from a cybersecurity perspective. This month, I’ll focus on the importance of avoiding security misconfigurations when building and updating applications. As I noted last month, I’m a bit of an old salt in security, having…
The Challenging Times of Delivering on OpenBanking, Part 2
In Part 1 of this 2 part series, I discussed the challenges of the open sharing of data, and consent management model. Now I’ll wrap it up with the need for a common authentication model, shareability, and we’ll start with the most important part – who’s paying for this? Banks have to foot the billThe…
The Challenging Times of Delivering on OpenBanking, Part 1
The terms, OpenBanking and PSD-2 (Payment Services Directive-2) are largely used interchangeably nowadays to summarise the very significant challenges that are being experienced by the Global financial and Banking sector today. As a response to global financial crisis of 2006, the European Banking Association, 4000+ member banks were mandated, under the regulation, PSD-2, to empower…
TechTalk: OAuth and OpenID Connect
Hosts Aran and Bill were joined by Aric Day, Layer7 Solution Strategist, for an introduction to OAuth and OpenID Connect, and how these work together to ensure a hardened solution.