APIs are a ubiquitous feature of modern web applications. However, as described in  and , designing APIs so that they are secure, is very challenging. Subsequently, APIs are a popular attack surface for malicious parties who seek to compromise web applications and more broadly, the organisations that run them.
This ECP theme is inspired by work undertaken by the OWASP API Security Project as presented in , which aims to understand and mitigate the increasing number of vulnerabilities in APIs deployed by businesses, as part of their software service provisions. Unfortunately, many APIs do not undergo rigorous security testing that would help to improve such security concerns.
The designator for this ECP theme is Dr Charles Clarke (University of Roehampton).
The broad aims of this ECP theme are to investigate, procure, model, document and test case API security good practices. It is anticipated that outcomes of this ECP will be shared with the CISSE UK Cyber Education Community.
Implement requirements engineering processes, to elicit both functional and non-functional requirements.
Research, review and collate API security links, resources, and tools.
Elicit input from API developers.
Establish a structure for collating research artefacts in a shared project space.
Create a report, video or presentation that presents a narrative of API security.
Evaluate the utility of the report, video or presentation with developers as part of a test plan.
Create examples of before and after good practices within a test environment.
Create a debrief report of the project and its outcomes
Resources and Links
 The Cyber Security Body of Knowledge (cybok.org)