Subscribe to the Salt blog

API Security Best Practices

Read the guide
Posts  by
Michael Isbitski
Technical Evangelist
Subscribe to Salt blog

API Security Checklist

This API Security Checklist will help you close the gaps in your API security strategy based on industry best practices.

Michael Isbitski
September 20, 2021

What is Credential Stuffing – and How to Defend Against it

Credential stuffing is a type of attack in which bots are used to breach a network using lists of compromised usernames and passwords.

Michael Isbitski
July 12, 2021

What Does the Biden Administration’s Cybersecurity Executive Order Mean for API Security?

The latest executive order (EO) zones in on a few areas of cybersecurity, but a primary focus is software supply chain security after incidents such as the SolarWinds attack

Michael Isbitski
May 24, 2021

The Peloton API Security Incident - What Happened and How You Can Protect Yourself

Researchers found Peloton APIs were leaking PII. Learn how to avoid this with your APIs.

Michael Isbitski
May 13, 2021

The Experian API Security Incident - What Happened and How can you Protect Yourself

While it is technically true that Experian’s systems weren’t directly breached, private data was most certainly leaked

Michael Isbitski
May 5, 2021

How Shift-Left Extremism is Harming your API Security Strategy

Establishing and gaining adoption of secure build pipeline approaches is a multi-year endeavor for organizations.

Michael Isbitski
April 26, 2021

MythBusters API Edition: Zero Trust and its limitations for API Security

Zero trust principles and the technologies that have emerged inevitably promote dynamic access control that is informed by application context, identity, and behaviors.

Michael Isbitski
April 20, 2021

Salt Security + MuleSoft – Supercharge Your API Security Strategy

Salt Security is combining efforts with MuleSoft to bring best-of-breed API security to the market leader in API management and integration, the MuleSoft Anypoint Platform.

Michael Isbitski
April 1, 2021

Understanding the Security Impacts of the iPhone Call Recording App Vulnerability

Our discussion focuses on steps you can take for better API security, and we also include some interesting mobile security and cloud security aspects.

Michael Isbitski
March 18, 2021

API10:2019 Insufficient Logging & Monitoring

Insufficient logging and monitoring combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected.

Michael Isbitski
February 18, 2021

API9:2019 Improper Assets Management

Maintaining a complete, up to date API inventory with accurate documentation is critical to understanding potential exposure and risk.

Michael Isbitski
February 17, 2021

API8:2019 Injection

Injection flaws are very common in the web application space, and they carry over to web APIs.

Michael Isbitski
February 16, 2021

API7:2019 Security Misconfiguration

This issue is a catch-all for a wide range of security misconfigurations that often negatively impact API security as a whole and introduce vulnerabilities inadvertently.

Michael Isbitski
February 15, 2021

API6:2019 Mass Assignment

API security solutions must be able to identify anomalous API activity where attackers send manipulated API requests with unauthorized parameters.

Michael Isbitski
February 12, 2021

API5:2019 Broken Function Level Authorization

API security solutions must be able to identify and prevent attackers or unauthorized users from accessing administrative level capabilities or unauthorized functionality.

Michael Isbitski
February 11, 2021

API4:2019 Lack of Resources & Rate Limiting

API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the input from the user and the business logic of the endpoint.

Michael Isbitski
February 10, 2021

API3:2019 Excessive Data Exposure

Exploitation of Excessive Data Exposure is simple, and is usually performed by sniffing the traffic to analyze the API responses, looking for sensitive data exposure that should not be returned to the user.

Michael Isbitski
February 9, 2021

API2:2019 Broken User Authentication

Authentication in APIs is a complex and confusing topic. Software and security engineers might have misconceptions about what the boundaries of authentication are and how to correctly implement it.

Michael Isbitski
February 8, 2021

API1:2019 Broken Object Level Authentication

APIs often expose endpoints that handle object identifiers, creating a wide potential attack surface. Object level authorization is an access control mechanism usually implemented at the code level to validate a user’s ability to access a given object.

Michael Isbitski
February 5, 2021

OWASP API Security Top 10 Explained

In this post and subsequent additions to the series, we dig into each of the Open Web Application Security Project (OWASP) API Security Top 10 in detail.

Michael Isbitski
February 4, 2021

Unpacking the Parler Data Breach

While the shutdown of Parler remains politically charged, the event offers some valuable technical lessons worth reviewing, many of which tie directly into API security and how best to protect sensitive data.

Michael Isbitski
January 21, 2021

GET ‘https://salt.security/ api/v1/ helloworld?id=michaelisbitski’

Yes, that’s a vain attempt at an API joke and not your browser having issues. I wanted to draft this post to shed some light...

Michael Isbitski
January 8, 2021

Tags

API Attack Analysis
API Attack Methodology
API Attack Prevention
API Security 101
API Security Strategy
API Vulnerability Analysis
Awards
CISO
Company Updates
Compliance
Customers
Events
Financial Services
OWASP API Top 10
Product Updates
Research
Salt Labs
Technology Partners
Video
Webinar

More Posts Authors