A security review provides an opportunity to pause and ensure that teams are thinking about safety early in the process. Cybersecurity is too important to be simply a concern of the gate team just before an API moves into production. There are many security considerations teams should think about in the defining and designing phases to provide development teams, and eventually users, with more secure APIs.
- Encryption - Make encryption the default for all APIs, covering the transport layer, but also storage and databases behind APIs. You should have a solid encryption plan from the start.
- Authentication - Use common standards for authenticating API consumers using any API, reducing the complexity for them at this layer.
- Authorization Variables - Consider an added authorization layer that defines which API-driven resources and capabilities each consumer will be able to access once they start using your APIs.
- Role Based Access Control - Apply RBAC to all of the elements of API operations, defining who can edit or read artifacts, documentation, testing, and other elements.
- Contracts - Each API possesses a complete contract, including full details of the authentication and authorization procedures. The contract acts as a menu of security features for each API.
- Environments - Evaluate the development, staging, sandbox, and production environments teams will use and determine their security strategy.
- Documentation - Include security fundamentals as part of the documentation for each API, making sure consumers are always fully aware of the controls in use.
- Tests - Provide collection security tests: modular, reusable, executable, and fully documented tests for all of the most common vulnerabilities your teams will face.
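As an added example that is not part of the original page or any particular tool's API, here is what such a modular, executable collection of security tests could look like in JavaScript: each test carries an id, a documented reason and a predicate, and the whole collection runs against a captured request/response exchange. The exchange shape (`request.url`, `request.credentials`, `response.status`, `response.headers`) and the two sample exchanges are assumptions constructed here.

```javascript
// Added example: a reusable set of baseline API security tests that can run
// against any captured exchange. The exchange shape is an assumption made here:
//   { request: { url, credentials }, response: { status, headers } }
// where credentials is 'valid', 'none' (no credentials) or 'wrong-role'.

// Header names are case-insensitive, so normalize before looking them up.
const lower = (h) =>
  Object.fromEntries(Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), v]));

// Each test is modular and documented: an id, the reason it exists, a predicate.
const BASELINE_TESTS = [
  {
    id: 'encryption',
    reason: 'all API traffic must use TLS',
    passes: (ex) => /^https:\/\//i.test(ex.request.url),
  },
  {
    id: 'encryption-hsts',
    reason: 'responses should pin clients to TLS with Strict-Transport-Security',
    passes: (ex) => 'strict-transport-security' in lower(ex.response.headers),
  },
  {
    id: 'authentication',
    reason: 'a request with no credentials must be rejected with 401',
    passes: (ex) => ex.request.credentials !== 'none' || ex.response.status === 401,
  },
  {
    id: 'authorization',
    reason: 'an authenticated caller lacking the required role must get 403',
    passes: (ex) => ex.request.credentials !== 'wrong-role' || ex.response.status === 403,
  },
  {
    id: 'documentation-disclosure',
    reason: 'responses should not advertise server software versions',
    passes: (ex) => !/\d/.test(lower(ex.response.headers)['server'] || ''),
  },
];

// Runs every baseline test and returns a finding line for each one that failed.
function runBaseline(exchange) {
  return BASELINE_TESTS.filter((t) => !t.passes(exchange)).map((t) => `${t.id}: ${t.reason}`);
}

// Constructed sample exchanges: one that meets the baseline, one that does not.
const SECURE_EXCHANGE = {
  request: { url: 'https://api.example.test/v1/orders', credentials: 'none' },
  response: { status: 401, headers: { 'Strict-Transport-Security': 'max-age=63072000' } },
};
const WEAK_EXCHANGE = {
  request: { url: 'http://api.example.test/v1/orders', credentials: 'wrong-role' },
  response: { status: 200, headers: { Server: 'nginx/1.18.0' } },
};
```

Running `runBaseline(WEAK_EXCHANGE)` reports four findings (encryption, encryption-hsts, authorization, documentation-disclosure), while the secure exchange reports none; new tests are added by appending to `BASELINE_TESTS`.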
There is plenty more your security team will be considering when it comes to API security, but these fundamentals should be the baseline for your operations. Without these elements, it becomes very difficult to properly secure your APIs at scale. These are the building blocks that enable teams to deliver more secure APIs. Without having to become security experts themselves, they can enjoy the support of centralized security resources.