Tanya Janca, CEO and founder of We Hack Purple, emphasizes the importance of API security, presenting more than ten best practices to protect APIs, which are vital yet vulnerable parts of web applications. Key recommendations include creating an inventory of all APIs, using API gateways, enforcing strict coding practices, and monitoring through logging and alerting. The document also highlights resources such as a free PDF of the talk, a mini course on API security, and various community engagement options.

1. @SheHacksPurple
Top Ten Security Tips
for APIs
Tanya Janca
CEO & Founder We Hack Purple
Advisor @ Bright Security

2. @SheHacksPurple
• APIs rule the web, but they are being
attacked
• Top Ten API Security Best Practices
• Resources
• PDF of this talk’s 10 tips
• Free Mini Course
What are we going to talk about today?
Photo by Dex Ezekiel on Unsplash

3. @SheHacksPurple
Tanya Janca
About Me
• Technical Advisor at Bright Security
• CEO & Founder @ We Hack Purple
• AKA @SheHacksPurple
• Author: Alice and Bob Learn Application Security
• Advisor: Nord VPN, Cloud Defense, Aiya
• 25 years in tech, Sec + Dev
• Blogger, Podcaster, Streamer, Builder, Breaker
• Nerd at Large

4. @SheHacksPurple
Let’s do this!

5. @SheHacksPurple
So… I lied.
There aren’t ten.
I’m going to give
you way more
than just ten.
Sorry/not sorry.

6. @SheHacksPurple
APIs still need just as much security attention as
web applications; not having a front end does not
make them invisible to attackers.
The Problem
Web apps are the #1 cause of data breach, and
most web apps are now just a bunch of APIs with a
GUI in front.

7. @SheHacksPurple
#1 Create a complete inventory of all APIs
Photo by Petrebels on Unsplash

8. @SheHacksPurple
#2 All external APIs are connected to via an API
gateway
Photo by Laila Gebhard on Unsplash

9. @SheHacksPurple
Throttling and
Resource Quotas
Photo by Donald Giannatti on Unsplash

10. @SheHacksPurple
Logging, monitoring and alerting
The same as for Web Apps!

11. @SheHacksPurple
Block all unused HTTP
methods/verbs
Photo by Dima Pechurin on Unsplash

12. @SheHacksPurple
Use a service mesh for communication management

13. @SheHacksPurple
Enforce Them. Photo by Markus Winkler on Unsplash

14. @SheHacksPurple
Strict
Linting
Photo by Wes Hicks on Unsplash

15. @SheHacksPurple
Avoid verbose
error messages
Photo by Markus Spiske on Unsplash

16. @SheHacksPurple
Decommission old or
unused versions of
APIs.

17. @SheHacksPurple
All the same secure
coding practices you
normally do; input
validation using
approved lists,
parameterized queries,
bounds checking, etc.

18. @SheHacksPurple
What did we learn today?
APIs need just
as much
attention as
web apps!
Best practices
are doable!
Secure SDLCs
produce secure
software

19. @SheHacksPurple
@SheHacksPurple
Resources
newsletter.
wehackpurple.com/
api-security

20. @SheHacksPurple
Free PDF of This Talk!
newsletter.
wehackpurple.com/
api-security

21. @SheHacksPurple
Free API Security
Mini Course!
https://academy.
wehackpurple.com/
courses/api-security-
mini-course

22. @SheHacksPurple
I have a podcast!!!!!
We Hack Purple Podcast, season 2,
offers short security lessons and best
practices! Watch it on YouTube or
subscribe on any podcast platform.
youtube.com/WeHackPurple

23. @SheHacksPurple
Awesome Books!
• The DevOps Handbook
• The Phoenix Project
• Accelerate
• The Unicorn Project
• Alice and Bob Learn Application Security

24. @SheHacksPurple
Join the community!!!!!
Community.WeHackPurple.com
The We Hack Purple
Community is FREE!
Meet like-minded people and nerd out!

25. @SheHacksPurple
#CyberMentoringMonday
Every Monday!

26. @SheHacksPurple
Resources: ME!!!!
Twitter: @SheHacksPurple
https://SheHacksPurple.ca/blog
https://YouTube.com/SheHacksPurple
https://NewsLetter.SheHacksPurple.ca

27. @SheHacksPurple
THANK YOU
Tanya Janca
Advisor @ Bright
We Hack Purple