What this book covers
Chapter 1, What Is API Security?, provides an introduction to the topic of API security and why it is important and distinct from web application security. This chapter also provides an understanding of the basics of APIs and their data formats, covering the key elements and goals of API security.
Chapter 2, Understanding APIs, covers the fundamentals of the HTTP protocol and the different types of APIs currently in use. The key topics of authentication and authorization are covered, along with the use of tokens and keys.
Chapter 3, Understanding Common API Vulnerabilities, provides in-depth coverage of the OWASP API Security Top 10 vulnerabilities (both the 2019 and 2023 variants), how vulnerabilities differ from abuse cases, and how APIs can expose business logic vulnerabilities.
Chapter 4, Investigating Recent Breaches, is an eye-opening look at some of the most significant API security breaches in the last few years, where we examine what went wrong and how such vulnerabilities could be prevented in the future.
Chapter 5, Foundations of Attacking APIs, provides a foundation in how adversaries attack APIs, including their methods, the common tools, and the skills they utilize.
Chapter 6, Discovering APIs, illuminates the various passive and active methods used by adversaries to discover APIs. We will also examine reconnaissance methods used to understand implementations and to evade common defense methods.
Chapter 7, Attacking APIs, provides hands-on guidance on how to attack APIs, focusing on the following areas – authentication and authorization attacks, data-based attacks, injection attacks, and other common attack types.
Chapter 8, Shift-Left for API Security, focuses on core activities that can be used to shift API security left, including leveraging the OpenAPI specification and the positive security model, how to threat model APIs, and the automation of API security within CI/CD pipelines.
Chapter 9, Defending against Common Vulnerabilities, covers the core defensive patterns and techniques that can be used to defend APIs against the following vulnerabilities – authentication and authorization vulnerabilities, data vulnerabilities, and implementation vulnerabilities.
Chapter 10, Securing Your Frameworks and Languages, moves the focus onto securing languages and frameworks using a “design-first” approach, including the use of code generation tooling, OpenAPI generation with popular frameworks, and patterns to secure these frameworks.
Chapter 11, Shield-Right for APIs with Runtime Protection, emphasizes the critical role played by so-called “shield-right” techniques, including secure and hardened environments, WAFs for API protection, the use of API gateways and management portals, API firewalls and, finally, monitoring APIs at runtime.
Chapter 12, Securing Microservices, looks at the exciting world of APIs within a microservices architecture, where we learn to apply our existing knowledge in a microservices landscape, focusing on securing the foundations, connectivity, and access control.
Chapter 13, Implementing an API Security Strategy, concludes our journey into API security by providing focused guidance on how to build an API security strategy, including the selection of a roadmap and KPIs, and how to plan and execute your strategy.