Hosts Aran and Bill were joined by Aric Day, Layer7 Solution Strategist, for an introduction to OAuth and OpenID Connect, and how these work together to ensure a hardened solution.
Category: API Security
Why APIs are Critical Today
APIs are more important than ever in these challenging times where everything is being operated remotely. APIs make it easy to provide access to information and keep businesses running smoothly. They can also create new challenges and risks if they are not properly managed. First, security is paramount to ensure only those that are allowed…
The Importance of API Testing
Like any software, APIs are subject to bugs and other errors. That makes API testing at least as important as other software testing, likely more so. With potentially hundreds or thousands of consumers, an issue in your API could have a magnifying effect. To maintain software quality, it makes sense to have a robust approach to…
Securing Microservices with API Management
Today more and more enterprises are jumping on the bandwagon of digital transformation. To be competitive and aligned with this digital strategy, many enterprises have started converting their monolithic and/or legacy applications into microservices to achieve: speed to market, improved evolvability, scalability, and enhanced composability. APIs, which are the building blocks of digital transformation, have become the…
Why Insufficient Logging and Monitoring Can Help Attackers Hide in Plain Sight
I’ve been working in information security for nearly 45 years and started my long journey with punch cards and mainframes leading to today’s cloud and zero-trust. Our world of computing has certainly evolved, and I can’t even recall how many post-security breach investigation teams I’ve been part of or how many cyber incident management teams…
Gateway Secure Deployment Architecture
In today’s digital world, API gateways are often the first point of contact for incoming requests from the outside world. In most scenarios, enterprises strategically place the gateways in a DMZ to secure, protect and throttle their internal digital assets. Hence, security for these gateways becomes crucial, and they need to be properly configured and hardened. Whether it…
How-To: Create a Private Key for Signing JWT ID Tokens
Feel free to jot this down: RFC7519. We all have our favourite IETF standards, don’t we? Something we read again and again in front of the roaring fireplace with our slippers on. Something to chuckle at in darker times, to ponder over, and oh yes, to shed a tear for, whilst contemplating the sheer brilliance…
How to Beat Cross-Site Request Forgery Attacks
Cross-Site Request Forgery (CSRF) is a type of security threat in which malicious actors can steal user data and authentication information by gaining access to HTTP cookies. Cookies are small nuggets of information which are sent in responses from web servers to the browser. The browser stores this information and will include these cookies in…
How-to: OpenID Connect Authentication for OAuth
As we know by now, the OAuth 2.0 protocol was built for authorization, not authentication. It excels at delegated authorization. Log in with Google? Sure. The OAuth protected API endpoint never sees your Google username and password. It doesn’t need to know who you are. In fact, like a discreet bouncer at an exclusive club,…
Secure your GraphQL Implementation with an API Gateway
Do APIs, not security, in your GraphQL
I can’t remember the last time I was excited about a new technology like I am with GraphQL. I don’t think there is anything I don’t like about it, at least not yet! I have not been leveraging it every day as my job, so keep that in…