API authentication failures demonstrate the need for zero trust (Security News, October 2022)
Authenticating an API requires the developer to understand the whole transaction, from the user interaction through to the outcome, which means going beyond the limits of the API specification itself.
The available methods range from a username and password sent over HTTPS, to API keys (a unique string of characters issued to each calling application and presented with every request), to OAuth, a well-known authorization framework that lets developers orchestrate approvals automatically.
Choosing the method is a decision that belongs in any "Shift left" strategy for API development, in which security gets full attention before the API is tested and spun up.
Poor API authentication can lead to significant data loss and threaten the integrity of the brand.
While adhering to respected API standards such as the OpenAPI specification and implementing "Shift left" security practices during development can reduce the likelihood of these authentication and authorization errors, the sheer scale of API deployment means the business is unlikely to catch every instance.
This calls for a Zero Trust approach: assume that even authenticated and authorized API calls may be malicious, and continuously monitor and analyze API transactions and user behavior.
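As an added example (not code from the Help Net Security article or any project it mentions), the following Python script ties the two points together: it authenticates requests by each of the three methods listed above and then, Zero Trust style, scores the authenticated traffic instead of trusting it. The credential store, the keys and tokens, the principal names and the sample requests are all constructed for illustration, and the bearer-token check stands in for validating a real OAuth 2.0 access token with its issuer.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed credential store. Only SHA-256 digests of the secrets are kept,
# so a leaked store does not hand out usable passwords or API keys.
def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

USERS = {"alice": _digest("correct horse battery staple")}      # Basic auth
API_KEYS = {_digest("k_live_9f8e7d6c5b4a"): "billing-service"}  # X-API-Key header
BEARER_TOKENS = {_digest("tok_2f1a0b9c8d7e"): "mobile-app"}     # Bearer token
DUMMY = _digest("dummy")  # compared against when the username is unknown


def _lookup(table, secret):
    # Compare against every stored digest in constant time rather than doing a
    # dict lookup, so response time does not depend on which entry matched.
    d = _digest(secret)
    found = None
    for stored, principal in table.items():
        if hmac.compare_digest(d, stored):
            found = principal
    return found


def authenticate(headers, scheme):
    """Return the principal a request authenticates as, or None.

    Credentials arriving over plain HTTP are refused before any verification:
    every method in the list above assumes TLS underneath.
    """
    if scheme != "https":
        return None
    h = {k.lower(): v for k, v in headers.items()}
    if "x-api-key" in h:
        return _lookup(API_KEYS, h["x-api-key"])
    kind, _, value = h.get("authorization", "").partition(" ")
    if kind.lower() == "basic":
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 payload
            return None
        # Unknown users are checked against a dummy digest so that a valid and
        # an invalid username take the same time to reject.
        expected = USERS.get(user, DUMMY)
        ok = hmac.compare_digest(_digest(password), expected)
        return user if ok and user in USERS else None
    if kind.lower() == "bearer":
        return _lookup(BEARER_TOKENS, value)
    return None


# Zero Trust: an authenticated call is still not a trusted call. Every accepted
# request is logged and scored. The behaviour watched for here is one principal
# walking many distinct object IDs, the pattern of an authenticated client
# probing object-level authorization.
def suspicious_principals(calls, max_distinct_objects=5):
    objects_by_principal = defaultdict(set)
    for c in calls:
        objects_by_principal[c["principal"]].add(c["object_id"])
    return {p for p, objs in objects_by_principal.items()
            if len(objs) > max_distinct_objects}


def process(requests):
    """Authenticate each request, log the accepted ones and return
    (accepted_count, flagged_principals)."""
    accepted = []
    for r in requests:
        principal = authenticate(r["headers"], r["scheme"])
        if principal is None:
            continue
        accepted.append({"principal": principal,
                         "object_id": r["path"].rsplit("/", 1)[-1]})
    return len(accepted), suspicious_principals(accepted)


def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed traffic: one valid Basic request, the same request over plain
# HTTP, one with a wrong API key, and a bearer client enumerating eight accounts.
SAMPLE_REQUESTS = [
    {"scheme": "https", "path": "/v1/accounts/1001",
     "headers": {"Authorization": _basic("alice", "correct horse battery staple")}},
    {"scheme": "http", "path": "/v1/accounts/1001",
     "headers": {"Authorization": _basic("alice", "correct horse battery staple")}},
    {"scheme": "https", "path": "/v1/accounts/1001",
     "headers": {"X-API-Key": "k_live_WRONG"}},
] + [
    {"scheme": "https", "path": f"/v1/accounts/{n}",
     "headers": {"Authorization": "Bearer tok_2f1a0b9c8d7e"}}
    for n in range(1001, 1009)
]

if __name__ == "__main__":
    print(process(SAMPLE_REQUESTS))  # (9, {'mobile-app'})
```

Of the eleven constructed requests, nine authenticate successfully, and the one that gets flagged is a client whose credentials are perfectly valid: the mobile-app token is accepted on every call, but its enumeration of eight account IDs is exactly the behaviour the Zero Trust monitoring step exists to catch.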
News URL
https://www.helpnetsecurity.com/2022/10/05/api-authentication-failures/