Learn what your peers think about SEEBURGER Business Integration Suite. Get advice and tips from experienced pros sharing their opinions. Updated: February 2023.
Hello community,
I work for a large governmental organization.
We are building up an SDDC using VCF now and considering an API management tool to provide API services to clients. What is the best API management tool for our case?
Thank you for your help.
Hi Zuojun,
The Broadcom Layer 7 API platform is a robust and highly technical solution that gives you several options for building out APIs and can sit well with the portal. I have set the gateway up using Helm charts into Kubernetes (Plain, EKS, and AKS) as well as OCP. All are fairly easy to implement with their new approach to deployment that they have developed recently.
Derek
Most of the API solutions now run in containers (Kubernetes), like the one described by Derek, but if you want to avoid the burden of having a container supervisor on top of a VM supervisor, my recommendation is that you look for a solution that runs plain on VMware. One option is IBM API Connect. It includes:
1. API Manager which provides a user interface that facilitates the promotion and tracking of APIs
2. API Gateway which enforces runtime policies to secure and control API traffic, provides the endpoints that expose APIs to the calling applications, and provides assembly functions that enable APIs to integrate with various endpoints
3. Developer portal which provides a customizable self-service web-based portal to application developers to explore, discover, and subscribe to APIs.
4. Analytics server
All of them as VMware images.
Regards
We have so far looked at leveraging OWASP ZAP to perform DAST on the APIs. As long as the APIs use the OpenAPI framework, we are able to do this easily for different authentication methods and get reports for different thresholds. So far this has sufficed for our needs.
Commercial products might offer far greater checks, something we might look at in the near future.
Hi Evgeny,
It depends on what type of API we are talking about. Kong was already mentioned, but there are multiple others as well. One of the best Open Source packages for API management available right now is Gravitee.io. We are both Gravitee and Kong partners, so feel free to reach out if you have any questions.
Usually, you move authentication from your upstream APIs to an API gateway.
Additionally, you can do schema validation, so that the requests that arrive at your backend have been checked for validity. For some extra security, you can sanitize inputs or scan for known injection vectors.
You can read more about API security in our blog: The Ultimate Guide to API Security - APIIDA
Hope this helps!
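As an added illustration of the gateway-side schema validation and injection scanning described in the reply above (example code written for this page, not Kong's, Gravitee's or APIIDA's own code): a Python filter that checks a decoded JSON body against a JSON-Schema-like subset and then runs a coarse scan for known injection vectors before anything is forwarded upstream. `CREATE_USER_SCHEMA`, the field names and the vector list are constructed assumptions; in a real deployment the schema would come from the OpenAPI document the gateway already holds.

```python
import json
import re

# Constructed schema (an assumption for this example): the shape a gateway
# could require for POST /users before forwarding the request upstream.
CREATE_USER_SCHEMA = {
    "type": "object",
    "required": ["username", "email", "role"],
    "additionalProperties": False,
    "properties": {
        "username": {"type": "string", "minLength": 3, "maxLength": 32,
                     "pattern": r"^[a-z0-9_]+$"},
        "email": {"type": "string", "maxLength": 254,
                  "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
        "role": {"type": "string", "enum": ["reader", "editor"]},
        "displayName": {"type": "string", "maxLength": 64},  # free text, no pattern
        "age": {"type": "integer", "minimum": 0, "maximum": 150},
    },
}

_PY_TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict}


def validate(schema, value, path="$"):
    """Check `value` against a JSON-Schema-like subset; return a list of violations."""
    expected = _PY_TYPES[schema["type"]]
    # bool is a subclass of int in Python, so `true` must not pass as an integer.
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if expected is str:
        if len(value) < schema.get("minLength", 0):
            errors.append(f"{path}: shorter than {schema['minLength']}")
        if len(value) > schema.get("maxLength", float("inf")):
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match allowed pattern")
        if "enum" in schema and value not in schema["enum"]:
            errors.append(f"{path}: not one of {schema['enum']}")
    elif expected is int:
        if value < schema.get("minimum", float("-inf")):
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if value > schema.get("maximum", float("inf")):
            errors.append(f"{path}: above maximum {schema['maximum']}")
    elif expected is dict:
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required property missing")
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(props[key], sub, f"{path}.{key}"))
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{key}: unexpected property")
    return errors


# Coarse secondary scan for well-known injection vectors (constructed list).
# It is a backstop behind the allow-list patterns above, not a substitute.
INJECTION_VECTORS = [
    ("html-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("sql-union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sql-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def scan_for_injection(value, path="$"):
    """Walk a decoded JSON value and report strings that match a known vector."""
    hits = []
    if isinstance(value, str):
        for name, pattern in INJECTION_VECTORS:
            if pattern.search(value):
                hits.append(f"{path}: {name}")
    elif isinstance(value, dict):
        for key, sub in value.items():
            hits.extend(scan_for_injection(sub, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, sub in enumerate(value):
            hits.extend(scan_for_injection(sub, f"{path}[{index}]"))
    return hits


def gateway_filter(raw_body: bytes):
    """Gateway-side decision for one request body: (HTTP status, list of reasons)."""
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, ["body is not valid JSON"]
    errors = validate(CREATE_USER_SCHEMA, body)
    if errors:
        return 400, errors
    hits = scan_for_injection(body)
    if hits:
        return 400, hits
    return 200, []
```

Note how little the injection scan has left to do once the schema is tight: the fields with an allow-list pattern (username, email, role) reject the classic payloads before the scan runs, and only the free-text `displayName` field depends on it. That is the order a practitioner wants at the gateway: strict schema first, denylist scanning as a backstop.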
1. For authentication and authorization we can secure our API using plugins on Kong: the OpenID Connect and Application Registration plugins. OpenID Connect can be integrated with the IdP Microsoft Azure AD.
2. The JWT plugin provided in Kong can also be used for authorization purposes.
All these are JWT-based mechanisms.
@Evgeny Belenky Yes, Kong is an API gateway.
It has good integration capabilities with well-known IdPs.
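As an added example of the checks a gateway JWT plugin such as Kong's performs on the upstream's behalf (illustrative Python written for this page, not the plugin's source or Kong's API): verify the token's HS256 signature with a shared secret, pin the algorithm so an `alg: none` or re-signed token is refused, check `iss`, `aud`, `exp` and `nbf`, and only then take the authorization decision from the `scope` claim. The secret, issuer URL, audience and claim values are constructed assumptions; `mint_token` exists only to produce inputs and stands in for the IdP.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenRejected(Exception):
    """Raised with a reason the gateway can log; the client only sees a 401."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issuer-side helper (stand-in for the IdP); alg="none" yields an unsigned token."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = b""
    if alg == "HS256":
        signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Validate signature and standard claims; return the claims or raise TokenRejected."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    # Pin the algorithm: the header must never choose it. This blocks alg=none
    # and HS/RS confusion; a gateway bound to one IdP knows the algorithm up front.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenRejected("bad signature")
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or now >= exp:
        raise TokenRejected("expired or missing exp")
    if now < claims.get("nbf", now):
        raise TokenRejected("not yet valid")
    return claims


def authorize(token, secret, issuer, audience, required_scope, now=None):
    """Gateway decision: (200, subject), (401, reason) or (403, reason)."""
    try:
        claims = verify_token(token, secret, issuer, audience, now)
    except TokenRejected as err:
        return 401, str(err)
    if required_scope not in claims.get("scope", "").split():
        return 403, f"missing scope {required_scope}"
    return 200, claims.get("sub")
```

The split between 401 and 403 mirrors what a gateway plugin reports: a token that fails signature or claim checks is unauthenticated, while a valid token without the required scope is authenticated but forbidden for that route. With an OIDC provider the only structural change is that `verify_token` would check an RS256 signature against the IdP's published JWKS key instead of a shared secret.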
The principle is to consider every aspect of the API's use and then evaluate any loopholes for security breaches. So one can consider the following:
Securing the connection by always using the strongest, latest versions of conveniently available connection-securing mechanisms like HTTPS
Adding an additional layer of security by hashing sensitive data like passwords, using strong hashing algorithms
Validating every input parameter with strong validation checks and rejecting requests if validation fails. It is practical to send specific error messages as a response.
Considering the use of secure authentication and authorization frameworks instead of basic authentication, and always storing sensitive data in a secure framework.
It is also important not to expose information on URLs.
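For the password-hashing point in the list above, an added example (written for this page, not the post author's code): an unsalted SHA-256 hash shown beside a salted PBKDF2-HMAC-SHA256 hash that records its own work factor, a constant-time verifier, and a `needs_rehash` check so stored hashes can be upgraded on the next successful login when the iteration policy is raised. The storage format and the fixed salt used in the checks are assumptions of this example; the 600,000 iteration figure follows the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (OWASP guidance). Raise it over time and
# let needs_rehash() upgrade stored hashes after the next successful login.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The insecure pattern: unsalted single-pass SHA-256. Equal passwords give
    equal digests, and commodity GPUs test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS, salt: bytes = None) -> str:
    """Salted, slow, self-describing: pbkdf2_sha256$<iterations>$<salt>$<digest>.
    `salt` is only meant to be passed explicitly in tests (constructed input)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in `stored`; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64 (binascii.Error)
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored hash was produced under a weaker policy than the current one."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


def login(password: str, stored: str):
    """Typical login path: (authenticated, possibly upgraded stored hash)."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored
```

Two details carry the security value here: the salt makes identical passwords hash differently, so a leaked table cannot be attacked with one precomputed dictionary, and the iteration count is stored with the hash rather than in code, so the policy can be tightened without invalidating existing accounts.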
Hi @reviewer1572348,
Possibly you can help in answering this question. Can you?
Thanks