How do you keep your team apprised on emerging security risks for APIs? Looking for insights and best practices for consistently protecting against API vulnerability.

4.3k views · 2 Upvotes · 3 Comments
CISO, 10 months ago

The OWASP API Security Top 10 is not a bad start but is not updated very regularly...
https://owasp.org/API-Security/

CTO in Media, 10 months ago

Overall awareness building is good: https://owasp.org/www-project-top-ten/ is a good resource to just impress upon your team that security doesn't happen by accident and every year companies suffer attacks that lead to massive reputation damage or financial penalties.

Ensure you have some sort of monitoring on your APIs, as anything that is publicly exposed is likely to be probed at some point. Showing your team that even "private" endpoints that are exposed on the internet will quickly become known by bots can help them understand "security through obscurity" is no security at all.

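An added example, not code from the thread or from any of the posters, of what the monitoring the reply above recommends can look like in practice: a small Python checker that reads access-log lines and flags two things, a client whose requests mostly miss (the signature of a bot walking a wordlist of paths) and any non-public path that answered 2xx to an outside client, which is exactly the "private endpoint that the internet already knows about" case. The log format (no referer field), the public path prefixes, the thresholds and the log lines themselves are all constructed assumptions for the illustration.

```python
"""Flag API probing and internet-reachable 'private' endpoints in access logs.

Added example; the log format, public prefixes and thresholds below are
assumptions, not anything from the original thread.
"""
import re
from collections import defaultdict

# Constructed sample lines in a simplified access-log layout:
#   ip ident user [timestamp] "request" status bytes "user-agent"
# 203.0.113.7 is a legitimate client, 198.51.100.9 a scanner, 192.0.2.44
# an outside host that found an internal endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /api/v1/orders/42 HTTP/1.1" 200 512 "python-requests/2.31"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /api/v1/orders/43 HTTP/1.1" 200 498 "python-requests/2.31"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "POST /api/v1/orders HTTP/1.1" 201 88 "python-requests/2.31"
198.51.100.9 - - [10/May/2024:12:01:00 +0000] "GET /.env HTTP/1.1" 404 0 "Mozilla/5.0 (compatible; example-scanner/1.0)"
198.51.100.9 - - [10/May/2024:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "Mozilla/5.0 (compatible; example-scanner/1.0)"
198.51.100.9 - - [10/May/2024:12:01:01 +0000] "GET /api/v1/admin HTTP/1.1" 404 0 "Mozilla/5.0 (compatible; example-scanner/1.0)"
198.51.100.9 - - [10/May/2024:12:01:01 +0000] "GET /api/internal/debug HTTP/1.1" 200 2048 "Mozilla/5.0 (compatible; example-scanner/1.0)"
192.0.2.44 - - [10/May/2024:12:02:10 +0000] "GET /api/internal/metrics HTTP/1.1" 200 4096 "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)"$'
)

# Assumed: the documented, intentionally public API lives under these prefixes.
PUBLIC_PREFIXES = ("/api/v1/orders", "/api/v1/products")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def analyze(entries, public_prefixes=PUBLIC_PREFIXES, min_requests=4, miss_ratio=0.5):
    """Return {ip: finding} for clients that look like scanners or that reached a non-public path."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "reachable_private": set()})
    for e in entries:
        stats = per_ip[e["ip"]]
        stats["total"] += 1
        if e["status"] == 404:
            stats["not_found"] += 1
        # A 2xx on a path outside the public prefixes means a "private" endpoint
        # is answering to the internet, regardless of who sent the request.
        if not e["path"].startswith(public_prefixes) and 200 <= e["status"] < 300:
            stats["reachable_private"].add(e["path"])

    findings = {}
    for ip, stats in per_ip.items():
        reasons = []
        # Many requests, mostly 404: the client is guessing paths, not using the API.
        if stats["total"] >= min_requests and stats["not_found"] / stats["total"] >= miss_ratio:
            reasons.append("high-404-rate")
        if stats["reachable_private"]:
            reasons.append("private-endpoint-reachable")
        if reasons:
            findings[ip] = {
                "reasons": reasons,
                "total": stats["total"],
                "not_found": stats["not_found"],
                "reachable_private": sorted(stats["reachable_private"]),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The "private-endpoint-reachable" finding is the one worth showing a team: it fires on a single successful request, because the problem is not the client's behaviour but the fact that an endpoint nobody meant to publish is answering at all. The 404-rate rule is deliberately simple; in production you would window it by time and exempt known monitoring sources.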
CISO in IT Services, a year ago

Acknowledge the risks associated with APIs, API Lifecycle Management, and your data. Understand the entire attack surface, both internal and external, and be sure you're aware of all API assets. Know the tools used in your environment, their roles, and capabilities well. Many believe that an API Gateway is the source of truth for their API inventory and that couldn't be further from the truth.

To fully understand the attack surface you'll need to get into the code repos and understand what, when, where, and how APIs are being used from Code to Runtime. Numerous tools on the market can help with this and also help prioritize findings from multiple tools that are more than likely in use today. This can help build trust between security and development teams over time, but it comes down to minimizing false positives and focusing on real-world risks to the organization. Vulnerabilities and findings must be prioritized based on risk and those are dependent on proprietary context and variables in your specific environment.

Artificial Intelligence fuels the fire, increasing risk and minimizing the window to respond to and defend new vulnerabilities. In the future, exploits will be crafted in days, hours, and possibly even minutes.

Changing our security approach and mindset from Defend Today, Secure Tomorrow, to Secure Today, Defend Tomorrow is paramount.
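An added example, not code from the thread or from the poster, illustrating the "code to runtime" inventory the reply above argues for and why the gateway alone is not the source of truth: it reconciles four views of the same API (routes declared in source, paths in the OpenAPI spec, routes the gateway exposes, and paths actually observed at runtime) after normalising path parameters so `/orders/<int:id>`, `/orders/{id}` and `/orders/17` compare equal. The Flask-style source snippet, the spec and gateway lists and the runtime paths are all constructed assumptions; a real pipeline would pull them from the repo, the spec file, the gateway config and proxy logs.

```python
"""Reconcile an API inventory across code, spec, gateway and runtime.

Added example; all four inputs are constructed and the route-decorator
pattern assumes Flask-style source. None of this comes from the thread.
"""
import re

# Constructed stand-in for a scan of the code repository.
CODE_SNIPPET = '''
@app.route("/api/v1/orders", methods=["GET", "POST"])
def orders(): ...
@app.route("/api/v1/orders/<int:order_id>", methods=["GET"])
def order(order_id): ...
@app.route("/api/v1/export", methods=["POST"])
def export_all(): ...
@app.route("/api/internal/debug", methods=["GET"])
def debug(): ...
'''

# Constructed: what the team documented.
OPENAPI_PATHS = ["/api/v1/orders", "/api/v1/orders/{order_id}", "/api/v1/legacy/report"]
# Constructed: what the gateway's route table exposes.
GATEWAY_ROUTES = ["/api/v1/orders", "/api/v1/orders/{order_id}", "/api/v1/legacy/report"]
# Constructed: concrete paths seen in proxy/service logs at runtime.
RUNTIME_PATHS = ["/api/v1/orders", "/api/v1/orders/17", "/api/v1/export", "/api/internal/debug"]

ROUTE_RE = re.compile(r'@app\.route\(\s*"(?P<path>[^"]+)"')


def normalize(path):
    """Map parameterised segments from any of the four sources to '{}'.

    Flask '<int:order_id>' and OpenAPI '{order_id}' become '{}'; a purely
    numeric path segment from a log line ('/17') is treated as a parameter too.
    Idempotent, so already-normalised paths pass through unchanged.
    """
    path = re.sub(r"<[^>]+>|\{[^}]+\}", "{}", path)
    path = re.sub(r"/\d+(?=/|$)", "/{}", path)
    return path.rstrip("/") or "/"


def routes_from_code(source):
    """Extract route paths from Flask-style decorators in source text."""
    return {normalize(m.group("path")) for m in ROUTE_RE.finditer(source)}


def reconcile(code, spec, gateway, runtime):
    """Compare the four views and name each kind of gap."""
    code, spec, gateway, runtime = (set(map(normalize, s)) for s in (code, spec, gateway, runtime))
    return {
        # Implemented but never documented: reviewers and scanners will not know it exists.
        "undocumented": sorted(code - spec),
        # Reached at runtime without appearing in the gateway's route table,
        # so gateway policy (auth, rate limits) is not in front of it.
        "unmanaged": sorted(runtime - gateway),
        # Documented or exposed but no code behind it: stale spec/gateway entries to retire.
        "zombie": sorted((spec | gateway) - code),
        # Implemented but never observed: candidates to remove or to verify monitoring covers.
        "unused": sorted(code - runtime),
    }


if __name__ == "__main__":
    inventory = reconcile(routes_from_code(CODE_SNIPPET), OPENAPI_PATHS, GATEWAY_ROUTES, RUNTIME_PATHS)
    for kind, paths in inventory.items():
        print(f"{kind:13s} {paths}")
```

On the constructed inputs, `/api/v1/export` and `/api/internal/debug` show up as both undocumented and unmanaged: they exist in code and are being hit, yet neither the spec nor the gateway knows about them, which is the gap a gateway-only inventory cannot see. `/api/v1/legacy/report` is the opposite case, an entry the gateway still exposes with no code behind it.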
