Defending APIs: Uncover advanced defense techniques to craft secure application programming interfaces
A**R
Extremely useful for attackers and defenders
Defending APIs by Colin Domoney is a great read for anyone interested in the intricacies of API security. The book is structured really well, starting with an accessible introduction to APIs and gradually delving into more complex topics while still being easy to follow along.

Colin has done a great job in presenting the intro topics in a manner that is easy to understand while still being engaging, making it ideal for readers who are new to API security. As the book progresses into more technical territory, it continues to maintain its accessibility and readability, which makes it a solid resource for both beginners and professionals.

As someone who regularly performs security testing, including regular pentests against APIs, I found this book to be beneficial. It provided a deeper understanding of how API vulnerabilities occur, which has helped to improve my ability to assist customers in securing their APIs against the vulnerabilities I uncover during testing.

I recommend Defending APIs to anyone looking to enhance their knowledge of API security, whether from an offensive or defensive perspective. This book is a valuable asset for security professionals aiming to help customers secure their APIs or for anyone interested in improving their own API security practices.
C**O
A valuable resource with a couple of minor issues.
This book has some valuable foundational information on APIs in general as well as some offense and defense information from a couple of angles. While I found it valuable (especially for beginners), there are a few things that I felt could have been further researched and expounded upon. Also note that this book is not really vendor agnostic and has a slight product focus.

Part 1 Foundations of API Security: Great information on the fundamentals. He manages to tell the story without getting caught up in scope creep. Chapter 3 is standard OWASP Top 10 information with a focus on 2019 and a preview of 2023. The book suffers a little bit from written vs published timing. The OWASP Top 10 for 2023 has since been finalized, so the 2019 information is a little less valuable than it was before. We also have a chapter dedicated to everyone's favorite topic, recent breaches.

Part 2 Attacking APIs: Good foundational offensive information. He goes over the various tools available and how they can be used to exploit APIs. If you want more in-depth information on this side of the house, I suggest reading Hacking APIs by Corey Ball.

Part 3 Defending APIs: Here we have roughly 160 pages of defensive information. We have a bit about secure coding, OAS/Swagger, auth, runtime protections and monitoring, as well as strategy. There are a few things here that unfortunately read like a vendor pitch for his employer. A more vendor agnostic view would have been preferable, but I get it. The section on runtime protections unfortunately misses the mark a bit, especially when it comes to Web App & API Protection (WAAP). Most WAAP platforms now include continuous runtime discovery for OAS drift detection, auth issues, risk assessment, and vulnerability detection. I also think they all now perform OAS enforcement and JWT validation, similar to a gateway. I would have liked to have seen a section on API threat surface mapping and code scanning (not just OAS testing). A few thoughts on behavioral WAF, and how machine learning is evolving the space, would have been timely as well.

All in all a decent read.
S**O
We must defend APIs!
I enjoyed how easy it was to read the material, and though tools were used or mentioned, the book assumes you have some knowledge in the field. The OWASP Top 10 is a crucial component and is very important to understand. The author did a good job with the subject, and a deeper dive that's more advanced-user focused in a second edition would be welcomed!

Overall I enjoyed the book, which I ordered from Packt directly as I had a coupon to use. If you're new to defending or attacking APIs, I recommend you give this book a go!
A**R
Vendor focused
The book focuses mostly on vendor tools and doesn't address actually HOW to implement in code. Also does not address OWASP API Top 10 issues. A lot of this can be fixed with RBAC/ABAC, and that is never even mentioned or is glossed over entirely.
D**S
A great resource for securing APIs
Defending APIs is a comprehensive guide focused on the security of Application Programming Interfaces (APIs). The book addresses the critical importance of API security in modern software development, given APIs' widespread use and the increasing number of security threats targeting them.

Key themes include:

1. Understanding API Vulnerabilities: The book explores common vulnerabilities in APIs, such as injection attacks, broken authentication, and sensitive data exposure. It emphasizes understanding these vulnerabilities to build more secure APIs.
2. Best Practices for API Security: Domoney provides practical advice on implementing security best practices, including authentication, authorization, encryption, and input validation. He advocates for the use of security frameworks and tools to automate and enforce these practices.
3. Secure API Design and Development: The author discusses the principles of secure API design, such as least privilege, secure defaults, and thorough documentation. He stresses the importance of incorporating security considerations from the early stages of API development.
4. Monitoring and Incident Response: The book covers strategies for monitoring APIs for suspicious activities and responding to security incidents. This includes logging, alerting, and having an incident response plan in place.
5. Case Studies and Real-World Examples: Domoney includes case studies and examples of real-world API breaches to illustrate the consequences of poor security and the effectiveness of proper defenses.

Overall, "Defending APIs" serves as a practical manual for developers, architects, and security professionals who aim to protect their APIs from evolving security threats, ensuring the integrity, confidentiality, and availability of their applications.
E**M
Excellent for bridging into AppSec
I use this product to improve my AppSec knowledge, to see the key elements of the field, and to contribute immediately to the success of my projects.