
18 API security resources that you can’t afford to miss
Everywhere we look, attackers are breaching enterprise databases and exfiltrating the personal data of billions of people around the world. That’s why CISOs and their teams, the people tasked with protecting an organization’s information and systems, are always on the lookout for the latest trends, news and insights in the world of cyber security.
Since we do the same, we’ve gone ahead and gathered the resources you need to stay up to date on the topic of API Security. Whether you’re just starting your journey into the world of application security, or are a seasoned industry veteran, there’s something for everyone in the high-value resources presented below, in these 3 different categories:
- API Security 101
- Stories from the front line
- Getting down to business
API Security 101: Get up to speed on the challenges of API security
- OWASP.org — Every security professional knows the OWASP Top Ten, but not all are aware that OWASP maintains a similar list focused exclusively on API security. This should be the first stop on any API security information gathering mission. The nonprofit foundation is focused on improving software security for the greater good, and its hundreds of chapters and tens of thousands of members freely provide information, news and resources. The OWASP API Security Top 10 lists the most critical API risks (such as broken object level authorization and broken authentication) and is a must read for any cyber professional. For follow up reading, take a look at our guide on the vulnerabilities included on the OWASP API Security Top 10 list and practical tips for security teams who want to lead – and win – the battle to protect their APIs.
- The article “APIs are becoming a major target for credential stuffing attacks” is a great take on the importance of API security, focusing specifically on how hackers are using APIs to perpetrate automated credential stuffing attacks. By reading it you can also get a better understanding of the security challenges faced by the financial sector.
- This insightful opinion piece, “API Security Vulnerabilities: A Crack in the Foundations of Digital Business,” highlights the more prevalent types of API attacks, reviews common best practices for API protection and discusses a few of the more advanced approaches to API security.
- Check out “APIs Are the Next Frontier in cybercrime,” a cool piece that transports you into the world of hackers by laying out real-life common API vulnerabilities and describing what you need to do to fix them.
- Yes, that’s us. Our own article is worth a read for two reasons: it provides a robust overview of the API landscape, with a specific focus on security, and it contains real-life examples of attacks that you can learn from.
Stories from the front line: Understand vulnerabilities and their potential impact on your business and clients
- Take a look at “Twitter warns of possible API keys leak” to learn how the social media giant sent incorrect instructions to developers that exposed API keys, account access tokens and more.
- Read “Flaw in Safari browser’s API implementation lets user files to be stolen” to get all the info on this critical Safari bug related to Apple’s new Web Share API. The bug caused users to unknowingly attach files — which could potentially contain sensitive data — when sharing via the Safari browser.
- “British Airways faces record £183m fine for data breach” turns the spotlight on how governments are ramping up GDPR enforcement and penalizing organizations that don’t act responsibly when it comes to protecting their users’ private data. In this case, a cyber attack on British Airways’ website breached its defences, and data from more than 500,000 customers was exposed. The fine? A record-breaking £183M!
- Learn about T-Mobile’s latest data breach — its third in as many years — in “T-Mobile Suffers a Data Breach, Again.” The breach revealed the names, addresses, phone numbers, account numbers, rate plans and billing information of an undetermined number of customers.
- Learn how a vendor’s security failure led to the exposure of sensitive data on millions of customers of Verizon, the largest wireless carrier in the United States.
- Discover how Panera Bread made it easy for hackers to access sensitive customer data directly from their website database in the article, “Panera leaked customer data on its website for eight months.”
Getting down to business: Gain a deeper understanding of the first steps towards API protection
- “Critical API security risks: 10 best practices” goes over the best ways to secure your APIs. It reviews everything from OAuth to tokens, data encryption, API Gateways and parameter validation.
- AI is poised to impact API security in a big way. “How AI will improve API security” takes a look at the inherent flaws of the more common API security measures, while examining how adding an AI security layer can enhance those existing measures.
- Get smart tips and tricks in “Guard Your System By Implementing API Security Measures,” a high level review about best practices for securing your organization’s APIs.
- “What to Consider Before Implementing an API Security Strategy” offers insights into research on the five API security issues you should consider when formulating a holistic API security strategy. Spoiler alert — one interesting data point shows that 75% of respondents think that governments will start targeting APIs soon.
- The in-depth research paper “API Security: What You Need To Do To Protect Your APIs” offers critical insights about securing your APIs by showing you how to build a holistic security approach. It also highlights the importance of a continuous approach to API security and discusses the use of distributed enforcement models across the entire architecture.
- Make sure you check out this post from our blog to learn what questions you should be asking yourself before you commit to a specific API security solution.
- Last but not least, take a look at our guide that explains in great detail why a WAF is not sufficient for protecting your APIs. It’s hard to imagine application security without the Web Application Firewall (WAF). But web APIs aren’t the same as web applications: same family, different animals. What works for applications isn’t enough to protect APIs. A WAF matches requests against signatures of known-bad input, but most API attacks are functional: they abuse legitimate endpoints with syntactically valid requests (for example, asking for another user’s object by changing an ID), so there is no malicious payload to match. When it comes to protecting APIs, the strengths of WAFs turn out to be their greatest shortcomings. The guide covers how WAFs are used today to protect APIs, why APIs are prone to functional attacks, the challenges of protecting against functional attacks, and how analyzing application behavior can protect APIs.
While this list offers plenty of great resources and reading materials to satisfy even the most demanding CISO, we know that there are plenty of other good materials out there. If you know a high-quality resource or publication that we failed to mention here, please share it with us.
*** This is a Security Bloggers Network syndicated blog from Imvision Blog authored by Omer Primor. Read the original post at: https://blog.imvision.ai/our-top-list-of-18-api-security-related-articles-and-resources-that-you-cannot-afford-to-miss