Getting API security right - Philippe De Ryck - NDC London 2023

Learn the essentials of API security, from centralized handling of credentials to token validation, and explore tools and best practices for securing your applications.

Key takeaways

  • Handle credentials and client authentication in one central place (for example an API gateway or a shared authentication layer) rather than re-implementing them in every API.
  • JSON Web Tokens (JWT) are the common choice for access tokens, but not the only one: opaque reference tokens are a valid alternative.
  • Token introspection is how an API turns an opaque reference token into the claims it needs for an authorization decision.
  • Keep authorization policies separate from the API code, and enforce them through annotations or an API contract so they can be validated.
  • Mass assignment vulnerabilities are common; prevent them by allowlisting the writable fields and checking the caller's permission for each one.
  • Self-contained tokens such as JWTs can be validated locally, so the API does not need a round trip to the authorization server on every request.
  • Tokens should not carry sensitive data: a JWT payload is only base64url-encoded and readable by anyone holding the token, so keep sensitive data out of it and handle it separately.
  • Real-world deployments need token expiration, revocation, and a revocation endpoint.
  • Tools such as Open Policy Agent (OPA) for policy decisions and OpenAPI for contract validation help with both.
  • API gateways and API firewalls add a layer of validation and help block attacks before they reach the API.
  • Test APIs in their natural habitat, i.e. in the deployed setup, not only in isolation.
  • Infrastructure as Code (IaC) makes security configuration repeatable and automated.
  • Session replication can improve availability alongside security.
  • Educational resources such as workshops and tutorials help developers improve their security skills.
  • François Delport and Martin Zugec are experts in API security and offer valuable insights and training.
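The mass assignment takeaway as an added example, not code from the talk: a profile-update handler that binds every key of the request body onto the user model, beside a hardened version that applies an allowlist of writable fields chosen by the caller's permission and rejects the whole request if any field falls outside it. The `User` model, the `WRITABLE_BY_*` sets and the caller shape (`sub`, `role`) are assumptions for the example; in a real service the allowlist would be derived from the OpenAPI schema or an annotation on the handler.

```python
from dataclasses import dataclass, replace


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"  # privileged field: only an admin may change it


# Assumed contract for PATCH /users/{id}: which fields a caller may write,
# by caller permission. In practice this comes from the OpenAPI schema or an
# annotation on the handler, not from a hand-maintained set.
WRITABLE_BY_OWNER = frozenset({"email", "display_name"})
WRITABLE_BY_ADMIN = WRITABLE_BY_OWNER | {"role"}


def update_profile_vulnerable(user: User, body: dict) -> User:
    """Mass assignment: every key in the request body is bound onto the model,
    so {"role": "admin"} from an ordinary user silently escalates privileges."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


def update_profile(user: User, body: dict, caller: dict) -> tuple:
    """Hardened handler. Returns (user, rejected_fields).

    A non-empty rejected list means nothing was applied; map it to HTTP 400/403.
    The allowlist depends on the caller's permission, and ownership is enforced:
    a non-admin may only edit their own profile.
    """
    if caller["role"] == "admin":
        allowed = WRITABLE_BY_ADMIN
    elif caller["sub"] == user.id:
        allowed = WRITABLE_BY_OWNER
    else:
        allowed = frozenset()
    rejected = sorted(set(body) - allowed)
    if rejected:
        return user, rejected
    # Only allowlisted keys reach here, so replace() cannot touch "id" or "role"
    # unless the caller was permitted to write them.
    return replace(user, **body), []
```

Rejecting the request rather than silently dropping the unknown fields is deliberate: a client sending `role` is either buggy or hostile, and a 400/403 makes that visible in logs, whereas dropping the field hides the attempt. The same check can be pushed down to the gateway by declaring `additionalProperties: false` on the request schema in the OpenAPI contract, which is the "validation from the API contract" the takeaways mention.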