You're reading from Defending APIs

Product type: Book
Published in: Feb 2024
Publisher: Packt
ISBN-13: 9781804617120
Edition: 1st Edition

Author: Colin Domoney
Colin Domoney (BSc, MSc, CSSLP, CEH) is an API Security Research Specialist and Developer Advocate with deep expertise in the development of secure software. As VP of AppSec, he took on the challenge of securing software on a large scale and running the global AppSec program at Deutsche Bank. At Veracode, as an evangelist, he produced countless webinars and blog posts, and spoke globally at conferences. He has since embraced the challenge of securing APIs with 42Crunch, where he has produced the API industry's first security maturity model and contributed to numerous webinars, talks, and blogs. Currently, he is working on the industry's first defensive API developer training course. He is also the curator of the APISecurity weekly newsletter.

Preface

In today’s hyper-connected digital world, APIs are ubiquitous in providing the connecting tissue between systems and services. The growth of APIs continues at an exponential pace, with almost every developer either responsible for creating APIs of their own or consuming APIs as part of their solution. Unfortunately, attackers have shifted their focus to attacking APIs first, and the alarming rise in API incidents and breaches is testimony to the challenges developers face in producing APIs that are secure and robust.

This book is intended to be the primary reference for developers wishing to build secure APIs, and for security teams wanting to get a grip on the unique challenges of securing APIs. The book has a strong practical focus, with extensive code samples and tooling and references to real-world API breaches. The first part covers the basics of APIs and security, including common API vulnerabilities.

As a defender, it is essential to understand the methods of your adversaries, and I will guide you through the common skills and techniques employed by attackers. This will equip you with the skills to thoroughly test your APIs for common API weaknesses and vulnerabilities. The book addresses the full spectrum of API security, from pre-emptive secure-by-design practices as part of a shift-left approach to state-of-the-art runtime protection as part of a shield-right approach.

Finally, I draw on my experience of building large-scale software security programs to provide you with insights and strategies to establish and then mature your own API security programs.

Join me on this exciting journey into the world of API security and ensure that your APIs are never a point of weakness for attackers.

Who this book is for

This book is a perfect companion for security professionals responsible for API security. For AppSec teams, there is a focus on security tooling and integration and guidance on how to build an AppSec program targeting API security. For SecOps teams, there is in-depth coverage of API protection and monitoring to protect APIs at runtime.

The book is intended to be a reference for API developers, helping them understand the threats and attacks their APIs are likely to face and how to defend against the most common attack types, with a focus on API design first to enable shift-left for API security.

Finally, the book will appeal to system architects needing to understand best practices for secure API design and implementation.

What this book covers

Chapter 1, What Is API Security?, provides an introduction to the topic of API security and why it is important and distinct from web application security. This chapter also provides an understanding of the basics of APIs and their data formats, covering the key elements of API security and goals.

Chapter 2, Understanding APIs, covers the fundamentals of the HTTP protocol and the different types of APIs currently in use. The key topics of authentication and authorization are covered, along with the use of tokens and keys.

Chapter 3, Understanding Common API Vulnerabilities, provides in-depth coverage of the OWASP API Security Top 10 vulnerabilities (both the 2019 and 2023 variants), how vulnerabilities differ from abuse cases, and how APIs can expose business logic vulnerabilities.

Chapter 4, Investigating Recent Breaches, is an eye-opening look at some of the most significant API security breaches in the last few years, where we examine what went wrong and how such vulnerabilities could be prevented in the future.

Chapter 5, Foundations of Attacking APIs, provides a foundation of how adversaries attack APIs, including their methods, the common tools, and the skills they utilize.

Chapter 6, Discovering APIs, illuminates the various passive and active methods used by adversaries to discover APIs. We will also examine reconnaissance methods used to understand implementations and to evade common defense methods.

Chapter 7, Attacking APIs, provides hands-on guidance on how to attack APIs, focusing on the following areas – authentication and authorization attacks, data-based attacks, injection attacks, and other common attack types.

Chapter 8, Shift-Left for API Security, focuses on core activities that can be used to shift API security left, including leveraging the OpenAPI specification and the positive security model, how to threat model APIs, and the automation of API security within CI/CD pipelines.

Chapter 9, Defending against Common Vulnerabilities, covers the core topics of the defensive patterns and techniques that can be used to defend APIs against the following vulnerabilities – authentication and authorization vulnerabilities, data vulnerabilities, and implementation vulnerabilities.

Chapter 10, Securing Your Frameworks and Languages, moves the focus onto securing languages and frameworks using a “design-first” approach, including the use of code generation tooling, OpenAPI generation with popular frameworks, and patterns to secure these frameworks.

Chapter 11, Shield-Right for APIs with Runtime Protection, emphasizes the critical role played by so-called “shield-right” techniques, including secure and hardened environments, WAFs for API protection, the use of API gateways and management portals, API firewalls and, finally, monitoring APIs at runtime.

Chapter 12, Securing Microservices, looks at the exciting world of APIs within a microservices architecture, where we learn to apply our existing knowledge in a microservices landscape, focusing on securing the foundations, connectivity, and access control.

Chapter 13, Implementing an API Security Strategy, concludes our journey into API security by providing focused guidance on how to build an API security strategy, including the selection of a roadmap and KPIs, and how to plan and execute your strategy.

To get the most out of this book

The following are the software/hardware covered in the book and the operating system requirements:

Software/hardware covered in the book     | Operating system requirements
Angular 9, TypeScript 3.7, ECMAScript 11  | Windows, macOS, or Linux

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Defending-APIs. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “In this example, we can see that a combination of hellopixi and user@acme.com resulted in a 200 OK status code and the return of a JWT.”

A block of code is set as follows:

<note>
    <to>Colin</to>
    <priority>High</priority>
    <heading>Reminder</heading>
    <body>Learn about API security</body>
</note>

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

{
   "openapi": "3.0.0",
   "info": {
       "version": "1.0.0",
       "title": "Swagger Petstore",
       "license": {
           "name": "MIT"
       }
   }
}

Any command-line input or output is written as follows:

colind@mbm: ~ # sudo nmap -sn 192.168.9.0/24

Bold: Indicates a new term, an important word. For instance, words in menus or dialog boxes appear in bold. Here is an example: "YAML Ain’t Markup Language (YAML) is another common internet format, similar to JSON in its design goals".

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at customercare@packtpub.com and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Defending APIs, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

  1. Scan the QR code or visit the link below

https://packt.link/free-ebook/9781804617120

  2. Submit your proof of purchase
  3. That’s it! We’ll send your free PDF and other benefits to your email directly