Zero Trust APIs with Python — Jose Haro Peralta

Learn essential API security strategies using Python, from preventing BOLA attacks to implementing zero trust principles, data validation, and proper authorization controls.

Key takeaways
  • BOLA (Broken Object Level Authorization) is one of the most common API vulnerabilities, allowing unauthorized access to other users’ data

  • ~80% of API attacks come from authenticated users, making proper authorization critical

  • Key API security principles:

    • Don’t trust any request regardless of source
    • Validate and sanitize all input/output data
    • Use strict data models and explicit access controls
    • Implement proper pagination limits
    • Parameterize database queries to prevent SQL injection
  • Common API vulnerabilities:

    • Mass assignment attacks
    • SQL injection
    • Pagination attacks exposing too much data
    • Schema enumeration revealing internal properties
    • Insufficient input validation
  • Protection strategies:

    • Use tools like Pydantic for data validation
    • Implement proper model constraints and enumerations
    • Test APIs at both design time and runtime
    • Use parameterized queries for database operations
    • Limit maximum page sizes and implement proper pagination
  • Modern APIs face extensive attack surfaces:

    • Microservices interactions
    • Third-party integrations
    • Database operations
    • User input/output flows
    • Authentication/authorization
  • Testing tools recommended:

    • Schema Thesis for runtime testing
    • Spectral for design-time testing
    • API Threads for vulnerability discovery