Neil Madden, author of the book API Security in Action and Security Director at ForgeRock, discusses the key technical features of securing an API. Host Gavin Henry spoke with Madden about API security versus web application security; the choice of authentication tokens; the security models you can follow (NIST SP 800-92, ISO 27001, STRIDE, the CIA triad); audit log best practices, including mistakes that have been made, what to log, and when to log it; how to protect yourself from bad users; the benefits of HTTPS; using encrypted JWTs; which is harder, API or web app development; and the ongoing security battle with change.
Show Notes
Related Links
- OAuth2 Main site
- Guest site
- API Security Book
- ForgeRock
- Guest Twitter
- OpenID Connect
- https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
- API Security
- Logging Cheat Sheet
- NIST SP 800-92
- ISO 27001 Annex A.12.1 (https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en)
- libsodium
- ELK
- 373: Joel Spolsky on Startups, Growth, and Valuation
- 376: API Security with OAuth 2 – Justin Richer
- 220: Jon Gifford on Logging and Logging Infrastructure
- 370: Chris Richardson on Microservice Patterns
- 213: James Lewis on Microservices
- 351: Bernd Rücker on Orchestrating Microservices with Workflow Management
- 337: Ben Sigelman on Distributed Tracing
- 210: Stefan Tilkov on Microservices and Architecture
- 314: Scott Piper on Cloud Security
- 309: Zane Lackey on Application Security
SE Radio theme: “Broken Reality” by Kevin MacLeod (incompetech.com — Licensed under Creative Commons: By Attribution 3.0)