2021-12-07T09:00:00Z

How do you protect your API from security threats?

EB
  • 5
  • 137
PeerSpot user
5

5 Answers

VG
Real User
Top 5Leaderboard
2022-01-12T11:29:04Z
Jan 12, 2022

We have so far looked at leveraging OWASP ZAP to perform DAST on the APIs. As long as APIs use the Open API framework, we are able to do this easily for different authentication methods and get reports for different thresholds. So far this has sufficed our need.


Commercial products might offer far greater checks, something we might look at in near future.

Search for a product comparison in API Management
MM
User
2021-12-13T09:09:34Z
Dec 13, 2021

Hi Evgeny, 

It depends on what type of API we are talking about. Kong was already mentioned, but there are multiple others as well. One of the best Open Source packages for API management available right now is Gravitee.io. We are both Gravitee and Kong partners, so feel free to reach out if you have any questions. 


Usually, you move authentication from your upstream APIs to an API gateway. 


Additionally, you can do schema validation, so that the requests that arrive at your backend have been checked for validity. For some extra security, you can sanitize inputs or scan for known injection vectors. 


You can read more about API security in our blog: The Ultimate Guide to API Security - APIIDA


Hope this helps!

AY
Real User
Top 5
2021-12-09T11:26:45Z
Dec 9, 2021

1. For authentication and authorization we can secure our API using plugins on KONG: OpenID Connect and application registration plugin. OpenID Connect can be integrated with IDP provider MS Azure AD.


2. JWT plugin provided in KONG can also be used for authorization purposes.


All these are JWT-based mechanisms. 

AY
Real User
Top 5
Dec 10, 2021

@Evgeny Belenky Yes , Kong is an API Gateway. 
It has good integration capabilities with well-known IDPS.

PeerSpot user
Faustine Chisasa - PeerSpot reviewer
Real User
Top 5Leaderboard
2021-12-22T09:40:25Z
Dec 22, 2021

The principle is to consider every aspect of the API's use and then evaluate and loopholes for security breaches. So one can consider the following:


Securing connection by always using the strongest latest update versions and conveniently available connection securing mechanisms like HTTPS


Adding an additional layer of security by hashing sensitive data like passwords and using strong hashing algorithms


Validating any input parameter by using strong validation checks and rejecting requests if validation fails. It is practical to send specific error messages as a response.


Considering the use of secure authentication and authorization frameworks instead of using basic authentication and always storing sensitive data in a secure framework.


It is also important not to expose information on URLs.

EB
Community Manager
2022-01-12T06:06:53Z
Jan 12, 2022

Hi @reviewer1572348


Possibly you can help in answering this question. Can you?


Thanks ​

Find out what your peers are saying about Microsoft, Google, Amazon and others in API Management. Updated: March 2024.
765,386 professionals have used our research since 2012.
API Testing Tools
What is API testing? API testing, otherwise known as application programming interface testing, is a type of software testing that tests the APIs directly, from their performance, functionality, and reliability, to security.
Download API Testing Tools ReportRead more

Related articles