Hello world! From my 10 yrs as a dev working at scale and talking to 300+ security engineers, I have been meaning to share some dos-and-don'ts of API Security. 🤠
This is my first time posting on Twitter. Shower some love 🕺 #apisecurity #securecodingpractice #devsecops
This is my first time posting on Twitter. Shower some love 🕺 #apisecurity #securecodingpractice #devsecops
Starting with the most common practice - API Keys 🔑. These are
- used for many 3rd party integrations
- given to clients to access data programatically
- for inter-service communications
It'd be awesome 😃 if you can add more or share any bitter experiences around API keys 🤐
- used for many 3rd party integrations
- given to clients to access data programatically
- for inter-service communications
It'd be awesome 😃 if you can add more or share any bitter experiences around API keys 🤐
0⃣/9⃣
API Keys aren't as secure as authentication tokens. Tokens like JWT are far stronger and have an expiration date by nature.
API Keys aren't as secure as authentication tokens. Tokens like JWT are far stronger and have an expiration date by nature.
1⃣/9⃣
API Keys should be rotated periodically ♻️. This could be hard if API Keys are being used by clients. Generally, 3-month or a 6-month period is considered good.
API Keys should be rotated periodically ♻️. This could be hard if API Keys are being used by clients. Generally, 3-month or a 6-month period is considered good.
2⃣/9⃣
Never hard code API Keys into source code 😱. This is a crime! Never hard code API Keys anywhere. Just don't do it - yea!
Never hard code API Keys into source code 😱. This is a crime! Never hard code API Keys anywhere. Just don't do it - yea!
3⃣/9⃣
API Keys should be scoped with limited permissions ✂️. Thank your devs if they rotate the keys and associate scopes to them 🙇♂️
API Keys should be scoped with limited permissions ✂️. Thank your devs if they rotate the keys and associate scopes to them 🙇♂️
4⃣/9⃣
Use Secure Random String generators to generate your API Keys 🔒. Please no MD5 hash or java.util.Random 😰. If your random number generator doesn't have "Secure" in it, don't use it.
Use Secure Random String generators to generate your API Keys 🔒. Please no MD5 hash or java.util.Random 😰. If your random number generator doesn't have "Secure" in it, don't use it.
5⃣/9⃣
Revisit all unused API Keys every week or month (ok fine! at least once a quarter!). You'd be surprised ex-employees' keys are still active 😲!
Revisit all unused API Keys every week or month (ok fine! at least once a quarter!). You'd be surprised ex-employees' keys are still active 😲!
6⃣/9⃣
Associate an expiry date with them ⚔️ - and make sure the expiry code gets invoked! API Keys with God-mode powers should have quickest expiry. More power, quicker expiry 🔫
Associate an expiry date with them ⚔️ - and make sure the expiry code gets invoked! API Keys with God-mode powers should have quickest expiry. More power, quicker expiry 🔫
7⃣/9⃣
Store encrypted API Key rather than plain text in the database. And to maintain the encryption key.... (you see how quickly things go recursive 😉)
Store encrypted API Key rather than plain text in the database. And to maintain the encryption key.... (you see how quickly things go recursive 😉)
8⃣/9⃣
Are you on HTTP or any other unsecured protocols? Move away from API Keys please. Any MITM can get your key 😕. Why you not on HTTPS/TLS by the way? 😐
Are you on HTTP or any other unsecured protocols? Move away from API Keys please. Any MITM can get your key 😕. Why you not on HTTPS/TLS by the way? 😐
9⃣/9⃣
OK. This is a technicality - but if you are going to enable key rotation, you should allow multiple API Keys to be active for the users. 😇
Happy API-keying ✌️
OK. This is a technicality - but if you are going to enable key rotation, you should allow multiple API Keys to be active for the users. 😇
Happy API-keying ✌️
I am building @Aktodotio. If you are into API Security, fill out bit.ly/3EAuy6v for beta access to my product. I promise no spams and you won't be disappointed 😀😃
• • •
Missing some Tweet in this thread? You can try to
force a refresh
