What were the priorities and pain points of security teams in 2022?
Based on our most-read blog posts from last year, API security was on the list. Specifically, 2022 seemed to be the year of API protection education. Case in point: We gave away copies of The Definitive Guide to API Attack Protection at RSA and Black Hat last year, and ran out at both shows.
We had lots of engagement with the blog posts listed below that not only explain the API security problem, but also outline the best practices for addressing it. If you’re getting up to speed on API protection best practices as well, take a look at the posts below that were popular with your peers.
We gave this 5-step checklist an overhaul this year, and it got a lot of traction. Clearly, security teams are trying to figure out: what do we need to know about API security, where do we start, what should we prioritize. This post is both comprehensive, and easy to read and digest. In clear steps, it covers everything from discovering your API endpoints to protecting APIs in production to API authentication and authorization.
Check it out if you need a quick and easy get-started API security post.
This topic came up a lot in 2022, at tradeshow booths, in conversations with customers, in talks with prospects and partners – do I need an API gateway, plus an API protection solution, plus AppSec scanning?
This post breaks down API gateways vs. API protection solutions. It outlines their respective strengths and how API attack protection and API gateways can work together as part of an overall API security strategy.
(Need more? Here’s a datasheet that breaks down the roles and responsibilities of all the API security solutions in one visual page.)
Just about every API attack we saw in 2022 featured bots. Not surprisingly, how to defend against bot-based API attacks was a popular topic last year. This blog by our SOC Manager Neil Weitzel outlines exactly how we are seeing attackers use bots against APIs. Hint: It’s not just to attack. We’re also seeing attackers use bots to perform reconnaissance, and to create distractions while they pursue the real prize.
What about reducing API risk in the development phase? Our Director of Engineering Sam Placette shares his best practices for creating secure APIs in this detailed and actionable post. He covers:
- Using a stateless authorization model
- Deprecating old endpoints
- Pushing functionality to clients
- Being conversative about returned data
- And much more
The OWASP API Top 10 is the gold standard list of API vulnerabilities, and where many security teams turn when starting an API security program. Consequently, any content we create on this list tends to get a lot of attention. Our 2022 blog series on the OWASP API Top 10 list was no exception, and the first post in the series on BOLA was one of our most-read posts of the year.
In this post, our co-founder Bret Settle breaks down exactly what a broken object level authorization vulnerability is, how attackers exploit it, how to avoid it in the development phase, and how ThreatX can help protect against its exploitation.
We’ve got more OWASP Top 10 content coming in 2023, but here are the other vulnerabilities we covered in 2022:
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function-Level Authorization
- Mass Assignment
Keep up to date on API and web app security trends and best practices in 2023
We’ve got a lot more educational content planned for 2023. Follow ThreatX on LinkedIn to stay up to date with our content.
Happy New Year!