How to hack your APIs
Are you doing all you can to ensure that your APIs are secure? If you haven’t started security testing yet, now is the time. It is estimated that by 2020 there will be more than 50 billion objects connected to the Internet, and most of those objects will be using APIs. Not sure where to start?
Troy Hunt, author of the Pluralsight course Hack Your API First, shares all you need to know about the basics of API security testing, including the tools and techniques you’ll need to quickly get started. Troy’s motto is, “Hack yourself before you get hacked!”
About Troy Hunt
Troy is a Software Architecture Lead for a Fortune 50 healthcare company, Microsoft MVP for Developer Security and ASPInsider who's been building software for browsers since the very early days of the web. He blogs regularly about web security at troyhunt.com and is the author of the OWASP Top 10 for .NET developers series and the free eBook of the same name. He's also a frequent conference speaker and the creator of the Automated Security Analyzer for ASP.NET Websites (ASafaWeb) at asafaweb.com. Away from electronic devices, Troy is an avid snowboarder, windsurfer, tennis player and regular motor sport participant.
Quotes & Insights from this Test Talk
- The earlier we can find security issues in the APIs we’re developing, the better.
- It’s a good idea to have a dedicated security professional on your team.
- The life of an app doesn’t end after we release; ongoing, continuous monitoring is always a good idea.
- Never get lulled into thinking your API/Application is safe; it’s kind of like saying your car is safe. Validation is needed on the client and the server.
- Just look at the HTTP request and forget about the client, and see what you can find.
- You’ve got to assume that an attacker owns the device and the connection, and he can manipulate anything on either the client or server side.
- Not expecting your services to be discoverable is a common blind spot in API security.
- Returning excessive data is a common issue with REST service security.
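Three of the points above (validate on the server, assume the attacker owns the client and the connection, and don't return more than the caller needs) side by side in working code. This is an added example, not code from the podcast or from Troy's course: the API, the user store, the field names and the captured request are all constructed for illustration. The "insecure" handlers trust the client the way a UI-only validation does; the "secure" ones re-check everything on the server and project responses onto an explicit allow-list.

```python
import copy
import json

# Constructed sample user store. password_hash and api_key must never leave the server.
USERS = {
    "alice": {"username": "alice", "email": "alice@example.com", "role": "user",
              "password_hash": "$2b$12$constructedhashvalue", "api_key": "ak_live_alice"},
    "bob": {"username": "bob", "email": "bob@example.com", "role": "editor",
            "password_hash": "$2b$12$anotherconstructedhash", "api_key": "ak_live_bob"},
}

PUBLIC_FIELDS = ("username", "email", "role")   # what GET /api/users/{name} may return
CLIENT_WRITABLE = {"email", "role"}             # what PUT /api/users/{name} may change
SELF_ASSIGNABLE_ROLES = {"user", "editor"}      # what the (hypothetical) UI dropdown offers

# Constructed request as it would look in a proxy such as Fiddler after the attacker
# edited the body. The UI only offered "user"/"editor"; the raw request says "admin".
TAMPERED_PUT = (
    "PUT /api/users/alice HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Content-Type: application/json\r\n"
    "Authorization: Bearer <alice-session-token>\r\n"
    "\r\n"
    '{"email": "alice@example.com", "role": "admin"}'
)


def fresh_db():
    """Independent copy of the store so each handler call starts from the same state."""
    return copy.deepcopy(USERS)


def parse_http_request(raw):
    """Parse a raw HTTP/1.1 request (request line, headers, JSON body).
    This is the view a proxy gives you: the client that produced it is irrelevant."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, (json.loads(body) if body else {})


def username_from_path(path):
    return path.rstrip("/").rsplit("/", 1)[-1]


def get_user_insecure(db, path):
    """Serialises the whole record: excessive data exposure (hash and API key leak)."""
    return copy.deepcopy(db[username_from_path(path)])


def get_user_secure(db, path):
    """Projects the record onto an explicit allow-list of fields."""
    user = db.get(username_from_path(path))
    if user is None:
        return None
    return {field: user[field] for field in PUBLIC_FIELDS}


def update_user_insecure(db, path, body):
    """Applies whatever the client sent (mass assignment). Validation lived only in the
    UI, so a tampered body grants role=admin or overwrites api_key."""
    user = db[username_from_path(path)]
    user.update(body)
    return 200, copy.deepcopy(user)


def update_user_secure(db, path, body):
    """Re-validates on the server on the assumption that the client is hostile."""
    user = db.get(username_from_path(path))
    if user is None:
        return 404, {"error": "no such user"}
    unknown = set(body) - CLIENT_WRITABLE
    if unknown:
        return 400, {"error": "fields not writable: " + ", ".join(sorted(unknown))}
    role = body.get("role")
    if role is not None and role not in SELF_ASSIGNABLE_ROLES:
        return 403, {"error": "role %r may not be self-assigned" % role}
    user.update(body)
    return 200, {field: user[field] for field in PUBLIC_FIELDS}


def run_demo():
    """Replay the captured request against both handler variants and report the outcome."""
    method, path, _headers, body = parse_http_request(TAMPERED_PUT)
    insecure_db, secure_db = fresh_db(), fresh_db()
    return {
        "method": method,
        "insecure_get_fields": sorted(get_user_insecure(fresh_db(), "/api/users/alice")),
        "secure_get_fields": sorted(get_user_secure(fresh_db(), "/api/users/alice")),
        "insecure_put_status": update_user_insecure(insecure_db, path, body)[0],
        "insecure_role_after": insecure_db["alice"]["role"],
        "secure_put_status": update_user_secure(secure_db, path, body)[0],
        "secure_role_after": secure_db["alice"]["role"],
        "mass_assignment_status": update_user_secure(fresh_db(), path, {"api_key": "ak_live_mine"})[0],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The useful habit this illustrates is the one in the quotes: capture the request in a proxy, change a field the UI never let you change, and replay it. If the server behaves like `update_user_insecure`, the client-side validation was decoration. The allow-list projection in `get_user_secure` is the equally mechanical fix for excessive data: name the fields you intend to return rather than serialising the model.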
Resources
- OWASP
- Hack Your API First – must-view training for API security testing
Tools
- Fiddler – a free web debugging proxy for any browser, system or platform
- Wireshark
- Metasploit
Connect with Troy
- Twitter: @TroyHunt
- Troy's blog – http://www.troyhunt.com/
May I Ask You For a Favor?
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.