Instant Threat Modeling - #19 API Security


Threats:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Assets Management
- API10:2019 Insufficient Logging & Monitoring

Instant mitigations:
- Centralised authorization mechanism - OWASP Access Control Cheatsheet
- OWASP Authentication Cheatsheet and Session Management Cheatsheet
- Verify the API response against the UI design, don't serialize the objects.
- Introduce lockout mechanism, rate limiting - OWASP Blocking Brute Force Attacks doc
- OWASP Top 10 2013 A7 - Missing Function Level Access Control - make sure before running each method that the user is allowed to execute it.
- Verify the server-side backend code against the API design - OWASP Mass Assignment Cheatsheet
- A base threat model for the corresponding components - web or mobile front-end, back-end frameworks and operating systems
- OWASP Injection Prevention Cheatsheet - validate all input against a specific format. Cast input to pre-defined types with prototype validators.
- Introduce asset inventory - servers, environments, API deployments and their versions - list of all endpoints
- OWASP logging cheatsheet and C9 in the OWASP Proactive Control doc.
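As an added example that is not part of the video or its description, here is one order endpoint written two ways in Python: the first skips the ownership check and serializes the whole object (API1 and API3), the second applies the centralised authorization, the explicit read/write field lists and the type casting from the mitigations above, which also blocks mass assignment (API6). The data store, field names and users are constructed for the example.

```python
# Added example, not the video's own code. Data store and users are constructed.
from dataclasses import dataclass, replace

@dataclass
class Order:
    id: int
    owner: str
    total: float
    card_token: str          # internal field, must never leave the backend
    is_refunded: bool = False

ORDERS = {
    1: Order(1, "alice", 49.90, "tok_secret_1"),
    2: Order(2, "bob", 12.00, "tok_secret_2"),
}

def get_order_vulnerable(user: str, order_id: int) -> dict:
    """API1 + API3: no ownership check, and the whole object is serialized."""
    return vars(ORDERS[order_id])

# What the API design says a client may read, and what it may write (with the
# pre-defined type each writable field is cast to). Everything else is rejected,
# so is_refunded / owner / card_token cannot be set through the API (API6).
ORDER_READ_FIELDS = ("id", "total", "is_refunded")
ORDER_WRITE_FIELDS = {"total": float}

def authorize(user: str, order: Order) -> Order:
    """Centralised object-level authorization used by every handler (API1)."""
    if order.owner != user:
        raise PermissionError(f"{user} may not access order {order.id}")
    return order

def get_order(user: str, order_id: int) -> dict:
    """Return only the fields the UI design needs, never the raw object (API3)."""
    order = authorize(user, ORDERS[order_id])
    return {f: getattr(order, f) for f in ORDER_READ_FIELDS}

def update_order(user: str, order_id: int, payload: dict) -> dict:
    """Allowlist writable fields and cast each value to its declared type."""
    order = authorize(user, ORDERS[order_id])
    unknown = set(payload) - set(ORDER_WRITE_FIELDS)
    if unknown:
        raise ValueError(f"fields not writable via API: {sorted(unknown)}")
    updates = {k: ORDER_WRITE_FIELDS[k](v) for k, v in payload.items()}
    ORDERS[order_id] = replace(order, **updates)
    return get_order(user, order_id)
```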

Instant Threat Modeling by Jakub Kaluzny (SecuRing).
Comments

I am your 700th subscriber as this video was so helpful.

Masjid-dsem

This is extremely helpful. Thank you very much for taking the time to produce free & good videos.


Also, I worked with SecuRing in the past. They are good, professional, knowledgeable and communicative pentesters.

MrTimeWarps

If there are good practices for APIs that can be applied globally, why do we need a diagram or even threat modelling for APIs at all? Aren't all API threat models coming to the same conclusions?

shikida