
In my current project I am also setting up the area of security testing. So far there was no way to use security within the REST API development. Besides the known approach, e.g. using static software solutions within a staging environment, the topic "REST API Security Guideline" came up.

Of course, there are always articles and blogs that deal with this topic, but often, at least in my opinion, they do not cover all aspects.

Besides the known hints on REST API design and security (https://restfulapi.net/security-essentials/) as well as best practices, I really miss concrete approaches to development. What do I have to pay attention to on the development side in order to be able to better plan the quality of the API, especially with regard to security aspects?

Mornon
  • This is a very good description of what you should consider from the developer's point of view. – Mornon Aug 05 '19 at 09:11
  • Yes, I think this topic is relevant for everyone who is developing a REST API. Often there is no uniform information available. – Mornon Aug 05 '19 at 09:22
  • With regard to a development in the area of API Gateway, where customers develop APIs themselves, security planning is useful even before the first line of code. Also a point: the adaptation of the Definition of Ready and Done in this context. – Mornon Aug 05 '19 at 09:24
  • I deleted my comments to make an answer. – A. Hersean Aug 07 '19 at 09:58

2 Answers


Depending on your approach to delivering software, I believe the implementation of this can take different forms. I appreciate your question was looking for something concrete, and perhaps this is a little more opinionated, but I have seen this done in a number of different ways on several projects. Here are some first-offs for getting started:

First off, follow @A. Hersean's suggestion and head to the OWASP cheat sheets.

Second, do some Threat Profiling. Similar to user profiles (personas) (your UX person will know about this), do some misuser profiles. Understand where the threat is likely to come from, i.e. are you more likely to have a Nation State black ops team hit you with a sophisticated attack, or is it more likely that Jo from accounts has just lost their job and is trying to download a load of personal user data to hurt the company on their way out the door? It matters so you know what level of technical ability you're likely to need to protect against.

Next, I always think Threat Modelling is useful to consider the types of attacks you're likely to face when given the context of your system. Head back to OWASP and check out the Threat Modelling Cheat Sheet, or try Jim Gumbley & Fraser Scott's presentation on the subject; slides 15 to 20 can really point you in the right direction of thinking.

Last suggestion, but definitely not completing the list, is to have regular conversations with your BAs. Get involved with stories before development is started and consider the threats that could creep in early. Make sure devs are aware of the threats when they pick up a story and make sure they're building it in from the start.

A good read that really considers all of the bits outside of automated software testing is Agile Application Security. I'd definitely suggest checking it out.

Joe
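Added example, not part of the question, either answer or the OWASP material they link: one concrete way to begin the Threat Modelling step the answer above recommends is STRIDE-per-element, a standard heuristic in which each kind of data-flow-diagram element faces a fixed subset of the six STRIDE categories. The answer does not name STRIDE; it is assumed here as the modelling technique. The client / API / token store / user database diagram is constructed for illustration, and flows that cross a trust boundary are ranked first so a team knows which story to harden before the first line of code.

```python
"""STRIDE-per-element threat enumeration for a small REST API data-flow diagram."""
from collections import Counter
from dataclasses import dataclass

# The six STRIDE categories.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Standard STRIDE-per-element mapping: which categories each DFD element kind faces.
APPLICABLE = {
    "external": "SR",      # external entity: client app, partner system
    "process": "STRIDE",   # running code: the API service itself
    "store": "TRID",       # data at rest: database, token cache, log file
    "flow": "TID",         # data in transit between two elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # "external", "process" or "store"
    trust_boundary: str = "internal"   # zone label, e.g. "internet" or "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str   # what travels over this flow


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    priority: str   # "high" when the flow crosses a trust boundary, else "medium"
    note: str


def enumerate_threats(elements, flows):
    """Return one Threat per (element, applicable STRIDE category).

    A flow whose endpoints sit in different trust zones is marked high priority:
    the far end may be an attacker rather than a component you control, so
    tampering, disclosure and denial of service there need mitigations first.
    """
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        if e.kind not in ("external", "process", "store"):
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        for code in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], "medium", f"{e.kind} element"))
    for f in flows:
        try:
            src, dst = by_name[f.src], by_name[f.dst]
        except KeyError as missing:
            raise ValueError(f"flow references undefined element {missing}") from None
        crosses = src.trust_boundary != dst.trust_boundary
        label = f"{f.src} -> {f.dst} [{f.data}]"
        note = (f"crosses trust boundary {src.trust_boundary}/{dst.trust_boundary}"
                if crosses else "internal flow")
        for code in APPLICABLE["flow"]:
            threats.append(Threat(label, STRIDE[code], "high" if crosses else "medium", note))
    # High-priority items first, then stable ordering by element and category.
    threats.sort(key=lambda t: (t.priority != "high", t.element, t.category))
    return threats


def counts_by_category(threats):
    """Number of threats per STRIDE category, useful as a review checklist."""
    return dict(Counter(t.category for t in threats))


def sample_rest_api_model():
    """Constructed diagram: public client -> API -> token store and user DB."""
    elements = [
        Element("Client", "external", "internet"),
        Element("API", "process"),
        Element("TokenStore", "store"),
        Element("UserDB", "store"),
    ]
    flows = [
        Flow("Client", "API", "credentials, JSON requests"),
        Flow("API", "TokenStore", "session tokens"),
        Flow("API", "UserDB", "user records"),
    ]
    return elements, flows


if __name__ == "__main__":
    threats = enumerate_threats(*sample_rest_api_model())
    for t in threats:
        print(f"[{t.priority:6}] {t.element:45} {t.category:24} {t.note}")
    print(counts_by_category(threats))
```

Running it lists the three boundary-crossing threats on the Client -> API flow first; those map directly onto the REST concerns in the linked OWASP cheat sheet (transport protection, input validation, rate limiting), and the per-category counts give a BA a checklist to walk through with the developer when a story is picked up.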

As always when the subject is web security, you should start with OWASP resources: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html

(This answer was previously a comment made under the question, due to its brevity. I moved it here as suggested by the OP.)

A. Hersean