API Security Best Practices
Good kick-off point
- https://owasp.org/www-project-api-security/
- https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
- https://github.com/OWASP/wstg
- https://stackoverflow.blog/2021/10/06/best-practices-for-authentication-and-authorization-for-rest-apis/
Around the industry
- https://www.f5.com/labs/learning-center/securing-apis-10-best-practices-for-keeping-your-data-and-infrastructure-safe
- https://blog.axway.com/learning-center/digital-security/keys-oauth/api-security-best-practices
- https://curity.io/resources/learn/api-security-best-practices/
- https://medium.com/apis-and-digital-transformation/best-practices-for-building-secure-apis-2b4eb8071d41
- https://learn.microsoft.com/en-us/azure/api-management/mitigate-owasp-api-threats
- https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/
State of API Security
- https://content.salt.security/gartner-2022-predicts
- https://content.salt.security/state-api-report.html
Service-to-service authentication
- https://hackernoon.com/service-to-service-authentication-for-microservice-apis-ccf4ab8073e6
- https://cloud.google.com/docs/security/beyondprod
- https://cloud.google.com/api-gateway/docs/authenticate-service-account
- https://spiffe.io/docs/latest/spire-about/spire-concepts/
- https://cerbos.dev/blog/service-to-service-authorization-non-user-principles
- https://thenewstack.io/4-best-practices-for-microservices-authorization/