Downloaded 30 times
![FX LABS
AUTOMATED API SECURITY & QUALITY TESTING
Automatically Generate API Security
Tests
Run Tests in Parallel Across Any Region
[Instant Security Coverage] Automatically
generate API security coverage spanning critical
categories like login attack, DDoS, RBAC, ABAC,
SQL injections and many others.
[Data-Driven Testing] Generate data-driven
tests in simple, declarative YAML files with a test
composition framework that supports API chaining,
all assertions, and local/remote data injection.
Run tests in parallel from any region with the FX
Super Bot Network or provision Bots within your
VPC on any cloud
Automate bug management (file, triage, validate
and close)
Set up notifications via Email and Slack
View detailed dashboards and wire logs to quickly
piinpoint security issues](https://cdn.statically.io/img/image.slidesharecdn.com/the2018platformsummit-bestpracticesforapidesigntokeepyourappsecurescalableefficient-181101133932/75/Best-Practices-for-API-Design-to-Keep-Your-App-Secure-Scalable-Efficient-21-2048.jpg)
Uploaded byNordic APIs
Best Practices for API Design to Keep Your App Secure, Scalable & Efficient
The document outlines best practices for API design, emphasizing the importance of using nouns for resources, handling errors with HTTP status codes, and ensuring secure communication through HTTPS. It compares monolithic architectures to microservices, advocating for the latter due to its scalability and independent deployment capabilities. Additionally, it discusses security practices, common vulnerabilities, and testing strategies to enhance API resilience and quality.
Best Practices for API Design to Keep Your App Secure, Scalable & Efficient
- 1. THE 2018 PLATFORMSUMMIT Amjad Afanah FX Labs, Inc. Intesar Mohammed FX Labs, Inc. BEST PRACTICES FOR API DESIGN TO KEEP YOUR APP SECURE, SCALABLE & EFFICIENT founders@fxlabs.io https://fxlabs.io
- 2. AGENDA API Design BestPractices Microservices Architecture for Agility & Scalability Best Practices for Securing APIs Benefits of Continuous Testing & Compliance
- 3. API DESIGN BESTPRACTICES HTTP METHODS / URIS FOR COLLECTION
- 4. API DESIGN BESTPRACTICES USE NOUNS BUT NO VERBS Prefer Nouns to Verbs Nouns refer to resources Resources are handled with HTTP verbs Verbs can be used for Actions or Calculations /login, /logout /convertTemperature /repositories/123/star
- 5. API DESIGN BESTPRACTICES USE SUB-RESOURCES FOR RELATIONS If a resource is related to another resource use subresources. GET /cars/711/drivers/ Returns a list of drivers for car 711 GET /cars/711/drivers/4 Returns driver #4 for car 711
- 6. API DESIGN BESTPRACTICES HANDLE ERRORS WITH HTTP STATUS CODES
- 7. API DESIGN BESTPRACTICES PROVIDE HELPFUL ERROR PAYLOAD
- 8. MICROSERVICES MONOLITH VS. MICROSERVICES Businessrequirements change rapidly and continuously. The need for shipping updated versions of your app become increasingly critical.
- 9. MICROSERVICES MICROSERVICES PRINCIPLES Developed Independently DoesOne Thing Well Deployment Independence API Focused Decentralized Data Management Easy to Scale Polygot
- 10. MICROSERVICES MONOLITH PROS &CONS MICROSERVICES PROS & CONS
- 11. BEST PRACTICES FORSECURING APIS HTTPS Secure REST services must only provide HTTPS endpoints. This protects authentication credentials in transit, for example passwords, API keys or JSON Web Tokens. It also allows clients to authenticate the service and guarantees integrity of the transmitted data.
- 12. BEST PRACTICES FORSECURING APIS PAGINATION LIMITS TO PREVENT DDOS ATTACKS Most endpoints that returns a list of entities will need to have some sort of pagination. Without pagination, a simple search could return millions or even billions of hits causing extraneous network traffic. This is the simplest form of paging. Limit/Offset became popular with apps using SQL databases which already have LIMIT and OFFSET as part of the SQL SELECT Syntax. Very little business logic is required to implement Limit/Offset paging. Client makes request for most recent items: GET /items?limit=20 On scroll/next page, client makes second request GET /items?limit=20&offset=20 Offset Pagination Other Types of Pagination Include Keyset Pagination and Seek Pagination
- 13. BEST PRACTICES FORSECURING APIS ROLE BASED ACCESS CONTROL Permissions are granted to each role based on requirements Users are assigned to a specific role Users can be assigned to multiple roles What is RBAC?
- 14. BEST PRACTICES FORSECURING APIS ROLE BASED ACCESS CONTROL Determining the permissions to assign to each role is very time consuming RBAC needs attention all the time. The Joiner- Mover-Leaver process is extremely critical. Users can often accumulate unnecessary roles leading to excess permissions. Limitations of RBAC? Providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested.
- 15. 5 BEST PRACTICES IN APITESTING STANDARDIZING TESTS Leverage a markup language for self-documentation and to enforce standardization across the team DATA-DRIVEN TESTING Move towards data-driven testing to promote reusability of tests and to eliminate the pain of preparing data-sets DISTRIBUTED TEST EXECUTION Build for scale from the beginning with the objective of having distributed, parallelized testing to shorten test cycles AUTOMATED BUG MANAGEMENT Automate bug management or incur huge delays as a result API SECURITY TESTING Include security testing with the deepest coverage to prevent vulnerabilities in the future
- 16. TRADITIONAL SOFTWARE TESTING COSTOF A BUG CAN BE $1,500 IF FOUND IN PROD AVERAGE COST OF A DEFECT $100 $250 $1,500 COSTTOFIXADEFECT($) DESIGN DEVELOP UNIT TESTS INTEGRATION TESTS TEST MONITOR CURRENT BUG DISCOVERY END-TO-END TESTS LOAD TESTS SYNTHETIC MONITORING
- 17. SHIFT LEFT IS YOUREFFORT DIRECTED AT YOUR RISK? AVERAGE COST OF A DEFECT $100 $250 $1,500 COSTTOFIXADEFECT($) DESIGN DEVELOP UNIT TESTS TEST MONITOR LOAD TESTS END-TO-END TESTS INTEGRATION TESTS SYNTHETIC MONITORING SHIFT LEFT BUG DISCOVERY
- 18. DEVSECOPS PREVENTION VS. DETECTION Themost effective DevSecOps programs start at the earliest points in the development process and follow the workload throughout its life cycle
- 19. COMMON API VULNERABILITIES RBAC& ABAC VULNERABILITIES DISTRIBUTED DENIAL OF SERVICE SQL INJECTIONS & DATA ATTACKS Providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested. API DDoS attacks are executed to overload an API service. Since each hacker sends normal traffic volumes, these attacks are difficult to detect. With the right credentials, insiders and hackers can access any system or data. Examples include Data Extraction or Theft, Data Deletion or Manipulation, Data Injection, Malicious Code Injection, and Extreme Application Activity.
- 20. AVERAGE COST OFA DATA BREACH 60% of startups go out of business within six months of an attack 89% of breaches and data loss could have been prevented
- 21. FX LABS AUTOMATED APISECURITY & QUALITY TESTING Automatically Generate API Security Tests Run Tests in Parallel Across Any Region [Instant Security Coverage] Automatically generate API security coverage spanning critical categories like login attack, DDoS, RBAC, ABAC, SQL injections and many others. [Data-Driven Testing] Generate data-driven tests in simple, declarative YAML files with a test composition framework that supports API chaining, all assertions, and local/remote data injection. Run tests in parallel from any region with the FX Super Bot Network or provision Bots within your VPC on any cloud Automate bug management (file, triage, validate and close) Set up notifications via Email and Slack View detailed dashboards and wire logs to quickly piinpoint security issues
- 22.
- 23.