Submit Search
Upload
Defensive API programming techniques for Gophers
•
0 likes
•
5 views
Bertold Kolics
Follow
Presentation slide deck from the LASCON '2023 conference.
Read less
Read more
Software
Report
Share
Report
Share
1 of 28
Download now
Download to read offline
Recommended
A Tester's Life
A Tester's Life
Bertold Kolics
The Testers' Secret Weapon - Code Reviews
The Testers' Secret Weapon - Code Reviews
Bertold Kolics
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Zachary Klein
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
SoftInstigate
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
Modern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and Reactor
acogoluegnes
MuleSoft Manchester Meetup #4 slides 11th February 2021
MuleSoft Manchester Meetup #4 slides 11th February 2021
Ieva Navickaite
Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser Defense
RiskIQ, Inc.
Recommended
A Tester's Life
A Tester's Life
Bertold Kolics
The Testers' Secret Weapon - Code Reviews
The Testers' Secret Weapon - Code Reviews
Bertold Kolics
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Zachary Klein
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
RESTHeart - Modern runtime for microservices with instant Data API on MongoDB.
SoftInstigate
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
Modern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and Reactor
acogoluegnes
MuleSoft Manchester Meetup #4 slides 11th February 2021
MuleSoft Manchester Meetup #4 slides 11th February 2021
Ieva Navickaite
Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser Defense
RiskIQ, Inc.
Using an API Gateway for Microservices
Using an API Gateway for Microservices
NGINX, Inc.
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
Monitoring with prometheus at scale
Monitoring with prometheus at scale
Juraj Hantak
Monitoring with prometheus at scale
Monitoring with prometheus at scale
Adam Hamsik
2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdf
DimitrisFinas1
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
JosephTesta9
Using Docker Platform to Provide Services
Using Docker Platform to Provide Services
GLC Networks
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
LibbySchulze
Rethinking The Policy Agent
Rethinking The Policy Agent
ForgeRock Identity Tech Talks
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
Torin Sandall
DevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and Projects
Fedir RYKHTIK
Cncf microservices security
Cncf microservices security
Leonardo Gonçalves
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Mirantis
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
Equal Experts
Hyperledger community update February 2018
Hyperledger community update February 2018
Christopher Ferris
Microservices on a budget meetup
Microservices on a budget meetup
Matthew Reynolds
Web Performance Optimization
Web Performance Optimization
Livares Technologies Pvt Ltd
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
VMware Tanzu
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Greg Hamer
Asynchronous Frameworks.pptx
Asynchronous Frameworks.pptx
ganeshkarthy
Taskfile - makefiles are fun again
Taskfile - makefiles are fun again
Bertold Kolics
Email privacy
Email privacy
Bertold Kolics
More Related Content
Similar to Defensive API programming techniques for Gophers
Using an API Gateway for Microservices
Using an API Gateway for Microservices
NGINX, Inc.
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
Monitoring with prometheus at scale
Monitoring with prometheus at scale
Juraj Hantak
Monitoring with prometheus at scale
Monitoring with prometheus at scale
Adam Hamsik
2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdf
DimitrisFinas1
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
JosephTesta9
Using Docker Platform to Provide Services
Using Docker Platform to Provide Services
GLC Networks
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
LibbySchulze
Rethinking The Policy Agent
Rethinking The Policy Agent
ForgeRock Identity Tech Talks
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
Torin Sandall
DevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and Projects
Fedir RYKHTIK
Cncf microservices security
Cncf microservices security
Leonardo Gonçalves
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Mirantis
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
Equal Experts
Hyperledger community update February 2018
Hyperledger community update February 2018
Christopher Ferris
Microservices on a budget meetup
Microservices on a budget meetup
Matthew Reynolds
Web Performance Optimization
Web Performance Optimization
Livares Technologies Pvt Ltd
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
VMware Tanzu
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Greg Hamer
Asynchronous Frameworks.pptx
Asynchronous Frameworks.pptx
ganeshkarthy
Similar to Defensive API programming techniques for Gophers
(20)
Using an API Gateway for Microservices
Using an API Gateway for Microservices
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Monitoring with prometheus at scale
Monitoring with prometheus at scale
Monitoring with prometheus at scale
Monitoring with prometheus at scale
2307 - DevBCN - Otel 101_compressed.pdf
2307 - DevBCN - Otel 101_compressed.pdf
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
Using Docker Platform to Provide Services
Using Docker Platform to Provide Services
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
Rethinking The Policy Agent
Rethinking The Policy Agent
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
DevOps for TYPO3 Teams and Projects
DevOps for TYPO3 Teams and Projects
Cncf microservices security
Cncf microservices security
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
Hyperledger community update February 2018
Hyperledger community update February 2018
Microservices on a budget meetup
Microservices on a budget meetup
Web Performance Optimization
Web Performance Optimization
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...
Asynchronous Frameworks.pptx
Asynchronous Frameworks.pptx
More from Bertold Kolics
Taskfile - makefiles are fun again
Taskfile - makefiles are fun again
Bertold Kolics
Email privacy
Email privacy
Bertold Kolics
Password Managers - Lastpass
Password Managers - Lastpass
Bertold Kolics
Make DevOps inclusive
Make DevOps inclusive
Bertold Kolics
GitHub Actions demo with mabl
GitHub Actions demo with mabl
Bertold Kolics
Improve quality culture using visualization
Improve quality culture using visualization
Bertold Kolics
Funnels of Hiring Test Engineers
Funnels of Hiring Test Engineers
Bertold Kolics
Session Based Testing Made Fun
Session Based Testing Made Fun
Bertold Kolics
More from Bertold Kolics
(8)
Taskfile - makefiles are fun again
Taskfile - makefiles are fun again
Email privacy
Email privacy
Password Managers - Lastpass
Password Managers - Lastpass
Make DevOps inclusive
Make DevOps inclusive
GitHub Actions demo with mabl
GitHub Actions demo with mabl
Improve quality culture using visualization
Improve quality culture using visualization
Funnels of Hiring Test Engineers
Funnels of Hiring Test Engineers
Session Based Testing Made Fun
Session Based Testing Made Fun
Recently uploaded
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
DNT_Corporate presentation know about us
DNT_Corporate presentation know about us
Dynamic Netsoft
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
soniya singh
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
OnePlan Solutions
Software Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
Arshad QA
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Christina Lin
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
bodapatigopi8531
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
OPEN KNOWLEDGE GmbH
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
kalichargn70th171
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
Cionsystems
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
stazi3110
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
kaushalgiri8080
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
Jhone kinadey
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
Andolasoft Inc
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
ComplianceQuest1
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
MyIntelliSource, Inc.
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
kellynguyen01
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
Evangelist Apps https://twitter.com/EvangelistSW/
Recently uploaded
(20)
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
DNT_Corporate presentation know about us
DNT_Corporate presentation know about us
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Software Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
Defensive API programming techniques for Gophers
1.
© 2023 Verosint.
All rights reserved. © 2023 Verosint. All rights reserved. Defensive API development techniques for Gophers Bertold Kolics 1 LASCON ‘2023, September 27, 2023, Austin, TX USA
2.
© 2023 Verosint.
All rights reserved. My Context ● Question Asker, Bulldog Engineer ● Not a ○ Gatekeeper ○ PEN tester, or even a security tester ● Managing risk ● Verosint - small startup < 20 employees ○ SaaS business ○ Detect & prevent online account fraud ● Past roles ○ IT, pre-sales, QA, developer, manager 2
3.
© 2023 Verosint.
All rights reserved. Motivation ● API as a business for many vendors just like Verosint ○ APIs are accessed directly and indirectly ● Rarely any SaaS application is built in isolation ○ i.e. consumers of 3rd party applications exposed via APIs ● Para-functional requirements are implied to deliver customer value: ○ security ○ reliability/availability ○ scalability/performance ● Malicious actors may cost business $$$ ○ outgages ○ reduced availability ● Defensive posture at the application layer needed for a multi-pronged approach 3
4.
© 2023 Verosint.
All rights reserved. Agenda ● Focus on Go language for building, maintaining and securing HTTP-based APIs ○ code samples, libraries, practices ● Out of scope ○ infrastructure ○ hardware or hosted solutions ○ HTTP/3 ○ Non-HTTP APIs ○ GraphQL ● Basic familiarity with Go, HTTP assumed 4 bit.ly/lascon2023 credit: Pragmatic Programmers
5.
© 2023 Verosint.
All rights reserved. © 2023 Verosint. All rights reserved. Deployment View 5
6.
© 2023 Verosint.
All rights reserved. Typical Cloud Deployment ● Often includes ○ Gateways (API, NAT) ○ Load balancers ○ Reverse Proxies ○ External services (e.g. authentication, authorization) ○ Application ● Understand what protection, mitigation techniques are available at each layer ● Overlap is OK 6
7.
© 2023 Verosint.
All rights reserved. API Service Implementation with Go ● Deployment options include: ○ Microservice ○ Serverless ● Implementation will need to address ○ authentication ○ authorization ○ request paths to handle ○ HTTP methods to support (and not support) ○ payload (schema) for requests and responses ○ possibly: resource limits 7
8.
© 2023 Verosint.
All rights reserved. © 2023 Verosint. All rights reserved. Building HTTP APIs with Go 8
9.
© 2023 Verosint.
All rights reserved. Go - The Good Side* ● No 3rd-party library required ○ unlike other languages ○ reduced attack surface ○ much reduced risk for supply chain attacks ● Core language supports testing ○ unit, fuzzing, performance 9 *Is there a bad side? 🤔
10.
© 2023 Verosint.
All rights reserved. When You Need 3rd-Party Libraries ● Carefully consider options ○ not just functionality or licenses ● Support is key for both open-source and commercial libraries ● Criteria for evaluating OSS projects ○ age of the project, adoption, responsiveness of maintainers, openness to contributions, commit activity/history, release history/frequency, documentation, automated test coverage, availability of code quality metrics, presence of security tests/scans, number of open issues, rate of closing issues, number of dependencies ● Run your own scanners ● GitHub/GitLab provides plenty of repository information to help assessments 10 Image credit Mohamed Hassan from Pixabay
11.
© 2023 Verosint.
All rights reserved. GitHub Insights for Assessing 3rd-Party Libraries 11
12.
© 2023 Verosint.
All rights reserved. 3rd-Party Libraries ● Test openness ○ open a pull request ○ open an issue ● And test the time it takes to get a response & the quality of response 12
13.
© 2023 Verosint.
All rights reserved. Example: go-resty ● Makes interacting with RESTful HTTP APIs more convenient ● But … ○ maintainer non-responsive for a long time ○ release frequency was poor until last month ● And with a defect present in 2.7.0 ○ sync pool data race condition ○ occurred a few times a day on a production system ○ spent a lot of time chasing the issue ○ only fixed in March without a release tag 13
14.
© 2023 Verosint.
All rights reserved. Example: go-resty 14 Library used to incorrectly handle buffers across concurrent requests
15.
© 2023 Verosint.
All rights reserved. Keep Go and Dependencies Up-to-Date 15 ● Dependencies - regular updates in all repositories ○ Renovate bot is a life saver ● Use govulncheck to test for vulnerable components ● Go - sign up for release announcements ○ 1.21.3 addresses rapid stream reset vulnerability ● Recent entry from Cloudflare blog ○ HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
16.
© 2023 Verosint.
All rights reserved. Common Pattern for Go API Implementations 16 ● Configure the routes ○ Associate query paths with handler functions using a multiplexer/router ○ Implicitly configure the HTTP methods to handle ● Different router packages available: built-in, chi, gorilla ● Implement the handler function ○ router invokes handler function ○ parallel executions should be expected ● Handler function ○ validates request (request parameters, headers, payload) ○ executes business logic ○ sends response to client
17.
© 2023 Verosint.
All rights reserved. Recovery function ● An unrecoverable issue in the handler might cause unexpected state in the application ○ for example: nil pointer dereference ○ in a go routine: it may crash the app ● Create a recovery function ○ allows graceful recovery ○ and the recovery function can also log the details about the crash for diagnosis 17
18.
© 2023 Verosint.
All rights reserved. Example Recovery Handler 18
19.
© 2023 Verosint.
All rights reserved. Basic Checks ● Disable methods not used: ○ TRACE, HEAD, OPTIONS (may be needed for CORS) ○ but possibly other unused ones: GET, PUT, POST, DELETE ● Check request headers 19 Header Questions Accept can the client accept the content you produce? Content-Type do you support this content from the client? Content-Length is it present, is valid, is it too large? Content-Encoding do you really need to accept chunked encoding?
20.
© 2023 Verosint.
All rights reserved. Rate limiting ● Rate limits could be tied to ○ source IP/port (if no authorization is needed), ○ access token, ○ or a combination of rules ● Go has simple built-in rate limiting ○ better to use a library such as redis-go ○ especially when multiple containers/apps are serving ● Most implementations provide hints to the clients about rate limits using response headers ○ Ratelimit-Limit, Ratelimit-Remaining, Ratelimit-Reset 20
21.
© 2023 Verosint.
All rights reserved. Fuzzing ● Fuzzing framework built into Go ○ can be run for a limited time ○ can be pre-seeded with corpus (~ test data) ● Best option: fuzz the business logic ● Alternatively: ○ fuzz the handler ○ fuzz the API over network - don’t run it against production(!) 21
22.
© 2023 Verosint.
All rights reserved. Payload Validation Using JSON Schema ● JSON payload in HTTP requests may have malicious content ● JSON schema has powerful ways to validate content ○ libraries such as gojsonschema makes eliminates the need for writing additional code ● Examples of rules: ○ setting minimum / maximum length for strings ○ leveraging built-in types (e.g. IPv4 address, UUID) ○ limiting possible property values with a regular expression ○ setting minimum, maximum size for arrays, mandating unique values ○ disabling additional properties to prevent actors using undefined properties ○ allow only a list of fixed values (enumerations) ○ making properties mandatory ● Relevant specifications: OpenAPI, JSON Schema 22
23.
© 2023 Verosint.
All rights reserved. Payload Validation Using JSON Schema 23 Example from Verosint API docs at https://docs.verosint.com
24.
© 2023 Verosint.
All rights reserved. Payload Validation Using JSON Schema 24
25.
© 2023 Verosint.
All rights reserved. There is so much more to cover … That we did not talk about. ● HTTP Server configuration options ○ timeouts (read, header read, idle time out) ○ connection management ○ maximum size of header ○ TLS configuration ● Rate limiting headers ● Authentication/authorization ● Nuances of each HTTP method ○ e.g. GET - URL escaping, leakage of information in logs ● Preventing caching of responses 25
26.
© 2023 Verosint.
All rights reserved. Recap ● Understand the deployment of your application ○ what protections are available at what layer ● Building secure APIs require secure toolchain ○ including Go runtime and 3rd-party dependencies ○ keep them up to date ○ be selective about dependencies - less is more ● Make your APIs resilient ○ protect the application from crashes ○ rate limit clients ● Inspect incoming requests ○ headers, payload length, format ○ reduce manual coding using JSON schema validation ○ emit logs that can trigger automated defensive actions ● Test your APIs, business logic with fuzzing 26
27.
© 2023 Verosint.
All rights reserved. Additional Resources ● OWASP Top 10 API Security Risks ● Open Source Security Foundation ○ scorecard app ● Getting started with Fuzzing ● How to Parse a JSON Request Body in Go ● Make resilient Go net/http servers using timeouts, deadlines and context cancellation ● Tool selection from ISTQB Certified Tester Advanced Level Test Manager Syllabus 27 bit.ly/lascon202 3
28.
© 2023 Verosint.
All rights reserved. © 2023 Verosint. All rights reserved. Thank you 28 See you at https://bit.ly/bertold https://www.verosint.com
Download now