
Security First

Presentation
API Security: REST
Table of contents
1 Introduction
2 Common API Security Vulnerabilities
3 Best Practices for Securing APIs
4 API Security Testing
5 Conclusion
Introduction
Common Threats:
Broken Function Level Authorization (BFLA)
Common Threats:
Broken Object Level Authorization (BOLA)
Common Threats:
Injection attacks: SQL Injection
Best Practices for Securing APIs
Broken Function Level Authorization (BFLA)

Use Role-Based Access Control (RBAC): RBAC is a method of controlling access to resources based on the roles and permissions assigned to individual users. By using RBAC, organizations can ensure that users only have access to the resources and functions that they are authorized to use.

Implement Access Control Lists (ACLs): ACLs are a method of controlling access to resources based on a list of users and their associated access levels. By implementing ACLs, organizations can ensure that only authorized users are able to access specific functions and resources.

Use JSON Web Tokens (JWTs): JWTs are a secure method of transmitting authentication data between two parties. By using JWTs, organizations can ensure that only authenticated users are able to access specific functions and resources.
Best Practices for Securing APIs
Broken Object Level Authorization (BOLA)

Implement Role-Based Access Control (RBAC): RBAC is a widely used access control model that assigns roles to users and determines their access privileges based on those roles. By implementing RBAC, organizations can ensure that only authorized users have access to specific resources or functionality.

Use Access Tokens: Access tokens are a type of security token that is issued by an application to an authenticated user. These tokens can be used to verify the user's identity and access privileges without the need for re-authentication. By using access tokens, organizations can prevent unauthorized access to resources or functionality.

Use Authorization Policies: Authorization policies are rules that specify which users or groups are authorized to perform specific actions on resources. By implementing authorization policies, organizations can ensure that only authorized users have access to specific resources or functionality.
Best Practices for Securing APIs
Injection attacks: SQL Injection

Use Object-Relational Mapping (ORM) Libraries: ORM libraries such as Hibernate or Entity Framework provide an abstraction layer between the API and the database. These libraries can help prevent SQL injection by automatically sanitizing user input and ensuring that database queries are properly constructed.

Use Database Firewalls: Database firewalls can help prevent SQL injection attacks by monitoring database traffic and blocking any suspicious queries. These firewalls can also enforce SQL syntax rules and restrict user privileges to reduce the risk of SQL injection.

Implement Input Validation: Another way to prevent SQL injection is to implement input validation. This involves validating user input to ensure that it is in the expected format and within the expected range of values. Input validation can prevent attackers from injecting malicious code into the API's queries.
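The three best-practice slides above (BFLA, BOLA, SQL injection) can be shown together in one small REST-style handler. This is an added example, not code from the original deck; it assumes a hypothetical `orders` table held in an in-memory SQLite database with constructed sample rows, a `Principal` carrying the user and roles taken from a validated access token, and an `admin` role as the only role allowed to delete orders or read other users' orders.

```python
import sqlite3
from dataclasses import dataclass

class Forbidden(Exception): pass
class NotFound(Exception): pass

@dataclass(frozen=True)
class Principal:
    user: str          # authenticated identity (taken from the JWT / access token)
    roles: frozenset   # roles granted to that identity (RBAC)

def make_db():
    # Constructed sample data standing in for the API's backing database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 10.0), (2, "bob", 25.0)])
    return conn

def unsafe_find_orders(conn, order_id):
    # Vulnerable 'before' pattern: the identifier is interpolated into the SQL text,
    # so input such as "1 OR 1=1" rewrites the WHERE clause and returns every row.
    return conn.execute(f"SELECT id, owner, total FROM orders WHERE id = {order_id}").fetchall()

def get_order(conn, principal, order_id):
    # SQL injection defence: bind the value as a parameter; it can never become SQL syntax.
    row = conn.execute("SELECT id, owner, total FROM orders WHERE id = ?",
                       (order_id,)).fetchone()
    if row is None:
        raise NotFound(order_id)
    # BOLA defence: being authenticated is not enough; the caller must own this
    # particular object (or hold a role explicitly allowed to read all of them).
    if row[1] != principal.user and "admin" not in principal.roles:
        raise Forbidden(f"{principal.user} may not read order {row[0]}")
    return {"id": row[0], "owner": row[1], "total": row[2]}

def delete_order(conn, principal, order_id):
    # BFLA defence: the function itself is gated by role (RBAC) before any work is done.
    if "admin" not in principal.roles:
        raise Forbidden("delete_order requires the admin role")
    return conn.execute("DELETE FROM orders WHERE id = ?", (order_id,)).rowcount

def raises(exc, fn, *args):
    # Demo helper: True if fn(*args) raises exc, False otherwise.
    try:
        fn(*args)
    except exc:
        return True
    return False
```

Note that the bound parameter in `get_order` turns the same `"1 OR 1=1"` input into a plain non-matching value (a `NotFound`), while `unsafe_find_orders` leaks both rows.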
API Security Testing
Conclusion