How do you test and monitor the security of your web app's APIs?

Testing and monitoring the security of web app APIs involves a multi-layered approach. If within an AWS Ecosystem; we could leverage the following services: 1. AWS WAF (Web Application Firewall) to implement custom rules to filter malicious traffic. 2. Amazon GuardDuty to detect threats and continuous monitoring. 3. AWS Inspector to automate security assessments and vulnerability scanning. 4. Amazon CloudWatch to set up custom metrics and alarms for anomalous activities. 5. AWS CloudTrail for logging and monitoring API activity for auditing and compliance. Combine these with automated penetration testing, static code analysis, and regular security audits to maintain a robust security posture. Refine security policies regularly.

Protection testing is a field on its own and is closely related to other testing and evaluation fields. Generally speaking, protection testing should be done to verify that the protections in place are operating as intended. Thus you start with the protections you have in place, devise tests with defined coverage, perform those tests, and verify that the coverage meets your specifications. And testing API interfaces, we typically isolate those interfaces in a test environment so it's not interfere with the normal operations of the system, and so as to bypass other surrounding controls that might prevent the test from effectively revealing the effectiveness of the mechanisms.

Authentication and authorization are distinct but interrelated concepts in the realm of security. Authentication involves verifying the identity of a user, ensuring they are who they claim to be. This is typically achieved through credentials like usernames and passwords. Authorization, on the other hand, focuses on permissions, determining what actions or resources a verified user is allowed to access or manipulate. While authentication establishes trust in a user's identity, authorization defines the scope of their permissible actions within a system. Together, they form essential layers of access control, safeguarding against unauthorized access and ensuring the appropriate use of resources.

Keep in mind that authentication and authorisation are two different things - but are often combined when people speak about them, and these concepts go far beyond web APIs. Authentication is more about verifying a user or an identity - think of things like passwords or MFA. Authorisation on the other hand, is more about granting or denying access to something, based on the users' permissions - think of things like role-based access controls, or SAML auth.

As a security professional, I have seen first-hand how important monitoring authentication and authorization is in ensuring the security and integrity of web app's and API’s. By tracking and analysing the activity of your web app's and APIs, you can quickly detect and resolve any errors, bugs, or vulnerabilities that may compromise the security of your systems. Plenty of great tools can help you collect and visualize this data, allowing you to identify and prevent any unauthorized or suspicious access or activity, but what you do with that data is the most critical part. Combine automation and people to create high-fidelity alerts and be wary of alert fatigue when relying solely on automation, and no one likes the server that cried wolf.

The concept of Defence in depth is absolutely essential, even when monitoring. Often you can only find out an API is allowing excessive access by monitoring data and privileges out of the API scope

1. Manual Security Testing- - Authentication and Authorization Testing - Input Validation Testing - Error Handling 2. Automated Security Testing - SAST - DAST - IAST 3. Penetration Testing- OWASP API Security Top 10