How do you keep your team apprised on emerging security risks for APIs? Looking for insights and best practices for consistently protecting against API vulnerability.

CISO, a year ago

The OWASP API Security Top 10 is not a bad start but is not updated very regularly...
https://owasp.org/API-Security/

CTO in Media, a year ago

Overall awareness building is good: https://owasp.org/www-project-top-ten/ is a good resource to just impress upon your team that security doesn't happen by accident and every year companies suffer attacks that lead to massive reputation damage or financial penalties.

Ensure you have some sort of monitoring on your APIs, as anything that is publicly exposed is likely to be probed at some point. Showing your team that even "private" endpoints that are exposed on the internet will quickly become known by bots can help them understand that "security through obscurity" is no security at all.

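As an added illustration of the monitoring point above (this is example code written for this page, not anything the commenter posted), the script below runs over a handful of constructed JSON-per-line API access log entries and reports, per client, how many requests hit paths outside the documented API surface. A client whose traffic is mostly undocumented paths is the probing behaviour the comment describes, and the list of undocumented paths that were requested shows the team which "private" endpoints were discovered. The log format, the client addresses, the paths and the flagging thresholds are all assumptions chosen for the example.

```python
"""Added example: spotting clients probing an exposed API from access logs."""
import json
import re
from collections import defaultdict

# Constructed sample access log (JSON per line); not real traffic.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:01Z","client":"203.0.113.10","method":"GET","path":"/api/v1/orders","status":200}
{"ts":"2024-05-01T10:00:02Z","client":"203.0.113.10","method":"GET","path":"/api/v1/orders/42","status":200}
{"ts":"2024-05-01T10:00:03Z","client":"203.0.113.10","method":"POST","path":"/api/v1/orders","status":201}
{"ts":"2024-05-01T10:00:04Z","client":"198.51.100.7","method":"GET","path":"/api/v1/admin","status":404}
{"ts":"2024-05-01T10:00:04Z","client":"198.51.100.7","method":"GET","path":"/api/v2/users","status":404}
{"ts":"2024-05-01T10:00:05Z","client":"198.51.100.7","method":"GET","path":"/internal/debug","status":404}
{"ts":"2024-05-01T10:00:05Z","client":"198.51.100.7","method":"GET","path":"/api/v1/internal/export","status":403}
{"ts":"2024-05-01T10:00:06Z","client":"198.51.100.7","method":"GET","path":"/swagger.json","status":404}
{"ts":"2024-05-01T10:00:07Z","client":"198.51.100.7","method":"GET","path":"/api/v1/orders","status":200}
"""

# Hypothetical documented API surface, with path parameters already normalized.
DOCUMENTED_PATHS = {"/api/v1/orders", "/api/v1/orders/{id}"}

# Assumed thresholds: enough requests to judge, and most of them off the documented map.
MIN_REQUESTS = 5
UNDOCUMENTED_SHARE = 0.5


def normalize(path: str) -> str:
    """Collapse purely numeric path segments to {id} so /orders/42 matches /orders/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_log(lines):
    """Yield (client, normalized_path, status) for each well-formed JSON log line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        yield rec["client"], normalize(rec["path"]), int(rec["status"])


def detect_probing(lines, documented):
    """Per-client request stats, flagging clients whose traffic is mostly undocumented paths."""
    stats = defaultdict(lambda: {"requests": 0, "undocumented": 0, "not_found": 0})
    for client, path, status in parse_log(lines):
        s = stats[client]
        s["requests"] += 1
        if path not in documented:
            s["undocumented"] += 1
        if status == 404:
            s["not_found"] += 1
    for s in stats.values():
        share = s["undocumented"] / s["requests"]
        s["flagged"] = s["requests"] >= MIN_REQUESTS and share >= UNDOCUMENTED_SHARE
    return dict(stats)


def undocumented_paths_seen(lines, documented):
    """Sorted list of requested paths that are not part of the documented surface."""
    return sorted({path for _, path, _ in parse_log(lines) if path not in documented})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, s in detect_probing(lines, DOCUMENTED_PATHS).items():
        print(client, s)
    print("undocumented paths requested:", undocumented_paths_seen(lines, DOCUMENTED_PATHS))
```

Normalizing numeric segments before the lookup keeps legitimate `/orders/42`-style calls from counting as undocumented; a real deployment would derive `DOCUMENTED_PATHS` from the OpenAPI spec rather than a hard-coded set.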
CISO in IT Services, 2 years ago

Acknowledge the risks associated with APIs, API Lifecycle Management, and your data. Understand the entire attack surface, both internal and external, and be sure you're aware of all API assets. Know the tools used in your environment, their roles, and capabilities well. Many believe that an API Gateway is the source of truth for their API inventory and that couldn't be further from the truth. 

To fully understand the attack surface you'll need to get into the code repos and understand what, when, where, and how APIs are being used from Code to Runtime. Numerous tools on the market can help with this and also help prioritize findings from multiple tools that are more than likely in use today. This can help build trust between security and development teams over time, but it comes down to minimizing false positives and focusing on real-world risks to the organization. Vulnerabilities and findings must be prioritized based on risk and those are dependent on proprietary context and variables in your specific environment.

Artificial Intelligence fuels the fire, increasing risk and minimizing the window to respond to and defend new vulnerabilities. In the future, exploits will be crafted in days, hours, and possibly even minutes.

Changing our security approach and mindset from Defend Today, Secure Tomorrow, to Secure Today, Defend Tomorrow is paramount.
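The inventory point in the comment above (the gateway is not the source of truth; routes have to be traced from code to runtime) can be made concrete with a small reconciliation. The script below is an added example written for this page, not the commenter's tooling: it extracts route declarations from a constructed Flask-style source snippet, compares them with a hypothetical gateway route table and with paths observed at runtime, and sorts the differences into the categories a security team would triage. The source snippet, gateway table and runtime set are all constructed for the example.

```python
"""Added example: reconciling an API inventory across code, gateway and runtime."""
import re

# Constructed application source (hypothetical Flask-style route decorators).
SAMPLE_SOURCE = '''
@app.route("/api/v1/orders", methods=["GET", "POST"])
def orders(): ...

@app.route("/api/v1/orders/<int:order_id>")
def order(order_id): ...

@app.route("/api/v1/health")
def health(): ...

@app.route("/api/v1/internal/export")   # added for a batch job, never put behind the gateway
def export(): ...
'''

# Constructed gateway route table (hypothetical); path params normalized to {id}.
GATEWAY_ROUTES = {
    "/api/v1/orders",
    "/api/v1/orders/{id}",
    "/api/v1/health",
    "/api/v1/legacy/report",   # left over from a decommissioned service
}

# Constructed runtime observations: normalized paths that actually served requests.
RUNTIME_PATHS = {
    "/api/v1/orders",
    "/api/v1/orders/{id}",
    "/api/v1/internal/export",
    "/internal/debug",         # e.g. a framework debug endpoint nobody declared
}

ROUTE_RE = re.compile(r'@\w+\.route\(\s*"([^"]+)"')
FLASK_PARAM_RE = re.compile(r"<(?:\w+:)?\w+>")


def routes_from_source(source: str) -> set:
    """Extract route paths from Flask-style decorators, normalizing <type:name> params to {id}."""
    return {FLASK_PARAM_RE.sub("{id}", path) for path in ROUTE_RE.findall(source)}


def reconcile(code: set, gateway: set, runtime: set) -> dict:
    """Classify inventory gaps between the three views of the API surface."""
    return {
        # Served at runtime but unknown to the gateway: the classic shadow API.
        "shadow": sorted(runtime - gateway),
        # Declared in code but never registered behind the gateway's controls.
        "unregistered": sorted(code - gateway),
        # Gateway entries with no code behind them: stale config to clean up.
        "stale": sorted(gateway - code),
        # Declared in code but never observed: candidates for removal.
        "unused": sorted(code - runtime),
    }


if __name__ == "__main__":
    findings = reconcile(routes_from_source(SAMPLE_SOURCE), GATEWAY_ROUTES, RUNTIME_PATHS)
    for category, paths in findings.items():
        print(f"{category:>12}: {paths}")
```

The "shadow" and "unregistered" buckets are the ones that matter most for risk, since they are endpoints reachable without the authentication, rate limiting and logging the gateway would apply; in a real pipeline the code view would come from a repo scan and the runtime view from the access-log normalization shown in the monitoring example.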
