Learning API security from scratch

Dark Brains Decoder Access

Oct 4, 2021, 1:31:22 AM10/4/21
to API Security Project
Dear All,
This is my first post, and I found this group while on my quest to learn about APIs and their security.
I am sorry if I am asking a very open-ended question, but I really need some help from all of you.
I am standing at zero. I want to learn API security. How do I go about it?
I know there are tons of resources on the net, but that again puzzles me as to where I should start. A pathway would be very helpful. One more thing: when I am learning, I want to learn API security beyond the OWASP Top 10 API vulns. One more question - do I really need to know how to build an API in order to understand API security? I started one book called API Security in Action by Neil Madden, but it was very technical from the first chapter.
Any videos, links, books, anything that you may suggest.

Owen Rubel

Oct 4, 2021, 11:48:00 AM10/4/21
to Dark Brains Decoder Access, API Security Project
"Do I really need to know how to build an API in order to understand API security"

In order to implement? Yes. In order to understand it? Absolutely.

APIs require OAuth, CORS, rate limiting, caching, all done within a distributed architecture. They have complex routing (forward vs redirect) and proxying/load balancing at the gateway.

If you have never implemented these, you will have a hard time understanding how to advise on these.

--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/c828d436-e8fa-40f5-8343-58346c2f2c09n%40owasp.org.

ke...@caseysoftware.com

Oct 4, 2021, 12:19:42 PM10/4/21
to API Security Project, darkbrainsd...@gmail.com
There are tons of different threads you can pull on depending on what you want to learn, where your interests/abilities are, and what your stack is.

A few years back, I co-edited this book to cover many of the topics: https://developer.okta.com/books/api-security/

It is NOT exhaustive and there are still more topics but it covers the basics and you can find more places to explore. Also, while we wrote it at Okta, it is NOT Okta-specific or a pitch for any of its products.

keith

David Biesack

Oct 18, 2021, 12:30:03 PM10/18/21
to ke...@caseysoftware.com, API Security Project, darkbrainsd...@gmail.com

In addition to Casey’s book, Nordic APIs has a book on Identity and APIs

Manning has a curated summary book Inherently Secure API Design.

API Academy lists several books for learning including O’Reilly’s Securing Microservice APIs: Sustainable and Scalable Access Control

Other vendors such as Noname Security and Traceable also offer some free ebooks (which I’ve not evaluated) which you must sign up to download.

HTH,

djb

David Biesack | Chief API Officer | @davidbiesack

Dark Brains Decoder Access

Oct 19, 2021, 8:18:14 AM10/19/21
to API Security Project, David....@apiture.com, ke...@caseysoftware.com, Dark Brains Decoder Access
I am so grateful to have joined this group. I know it will take a million miles to become an expert. A ton of thanks to all who advised me on how I can go about learning API security. This will help many like me and all who are confused at the beginning.