Working as a Developer Advocate @ Akamai Technologies has allowed me to see the rise of microservices and APIs in the industry up close. Consulting and collaborating with companies that shifted their traditional web stacks over to a microservices architecture, I saw them run into the same security question again and again - how to best protect their APIs?
Drawing on everything I have learned over roughly 5 years of working with APIs and how to secure them, I am launching a five-part video series on Linode's YouTube channel. Thanks, Linode! Each video is roughly 7 to 10 minutes long, and over the course of an hour you will see the fundamentals of API security in action, with examples, real-life use cases and demos of how APIs get attacked.
What is AIMM?
There are a ton of different ways APIs can get attacked, and many before me have named, tagged and categorized them, especially OWASP. OWASP, the Open Web Application Security Project, released the API Security Top 10 in 2019, listing the most common API threats.
In all the API security research I have done, I came across 4 distinct areas for managing API security risks and threats, and coined a new acronym for them: 'AIMM' to protect your APIs.
AIMM stands for Availability, Intel, Manipulation and Management.
Beyond developing, testing and finally releasing your microservices, once they are out there for consumption these four areas are key to a healthy security strategy.
Availability is obvious but worth mentioning. If your API is not available, either because it cannot function under high load or because it is the target of a volumetric DDoS attack, no one can use your API. Availability is a critical part of security and, luckily, a relatively easy risk to manage.
Parties aiming to disrupt your APIs will, more often than not, start with zero information on how your API works, including the underlying architecture, the endpoints and what information can be passed through. Since an attacker relies on gaining as much intel as possible, this risk category aims at giving away as little of it as possible.
How can you make sure that your API gives away as little information as possible, and that endpoints are as isolated as possible, following the concept of least privilege?
After gaining intel, manipulation comes into play: using your API to modify or delete data. User and privacy data has become a target for hackers to steal and sell, and APIs can also be manipulated for short-term gains. Reducing these risks and allowing only legitimate modifications to your data is key here.
And finally, Management. API microservices grow in number rapidly; larger enterprises especially will find themselves with more microservices than they can easily manage. Different versions, the ever-changing infrastructure the APIs run on and similar challenges require a careful approach to managing your APIs.
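As an added illustration of the Intel and Manipulation controls described above (example code written for this post's discussion, not code from the video series or from crAPI): a constructed in-memory API handler that exposes only the fields a caller needs, answers "does not exist" and "not yours" identically so responses reveal nothing about which ids are valid, and lets only the record's owner modify or delete it. The record shape, field names, user names and ids are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: dict

# Constructed sample data (assumption): vehicle records keyed by id, one owner each.
VEHICLES = {
    "v-100": {"owner": "alice", "plate": "ABC-123", "vin": "VIN-EXAMPLE-1"},
    "v-200": {"owner": "bob", "plate": "XYZ-789", "vin": "VIN-EXAMPLE-2"},
}

# Intel: expose only what the caller needs; the VIN never leaves the service.
PUBLIC_FIELDS = ("plate",)
NOT_FOUND = Response(404, {"error": "not found"})

def _get_owned(vehicle_id: str, caller: str):
    # Missing and not-yours look identical to the caller: the response reveals
    # nothing about which ids exist (Intel), and no caller can read or change
    # another user's record (Manipulation).
    rec = VEHICLES.get(vehicle_id)
    if rec is None or rec["owner"] != caller:
        return None
    return rec

def get_vehicle(vehicle_id: str, caller: str) -> Response:
    rec = _get_owned(vehicle_id, caller)
    if rec is None:
        return NOT_FOUND
    return Response(200, {k: rec[k] for k in PUBLIC_FIELDS})

def update_plate(vehicle_id: str, caller: str, new_plate: str) -> Response:
    """Owner-only change of exactly one allowed field, validated first."""
    rec = _get_owned(vehicle_id, caller)
    if rec is None:
        return NOT_FOUND
    if not (2 <= len(new_plate) <= 10):
        return Response(400, {"error": "invalid plate"})
    rec["plate"] = new_plate
    return Response(200, {"plate": rec["plate"]})

def delete_vehicle(vehicle_id: str, caller: str) -> Response:
    if _get_owned(vehicle_id, caller) is None:
        return NOT_FOUND
    del VEHICLES[vehicle_id]
    return Response(204, {})
```

Note that the 404 body is the same object whether the id is unknown or belongs to someone else, which is the point: an unauthenticated probe of ids learns nothing from the difference.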
What to expect in the video series?
This is just a very high-level look at how to best protect your APIs. In the video series, I will dive deeper into each of these areas and show a variety of attacks in action. This would not have been possible without the fantastic work that OWASP has done. OWASP released a tool called the Completely Ridiculous API, or simply crAPI.
What is crAPI?
crAPI allows you to use, test and attack a badly designed API microservices stack mimicking a car mechanic website. This tool really helped me learn about API attacks back when it was released in 2021, and I encourage everyone interested to take a deep dive: github.com/OWASP/crAPI
My video series shows you several of the attacks you can carry out within crAPI, but there is always more to find, so give it a whirl. All you need is a machine capable of running Docker, Kubernetes or Vagrant.
Take a look?
You can find the video series over on the Linode YouTube channel. If you are reading this in July 2022, the videos will be released every two weeks on Thursday, so please consider subscribing to get notified when new videos come out - of course, there is more great content from my fellow Linode Advocates out there as well.
Here is the first video and playlist:
Creating a video series like this takes a lot of effort. Sure, there are my own efforts that go into learning these topics, testing tools, writing scripts and recording, but that is the fun part!
A big thank you to the video production teams at both Akamai and Full Moon Creative for making these videos look amazing! And of course, to all of the colleagues, customers and partners who helped me on my journey learning about APIs and how to best protect them!