ECP ID: 7c63467c-3adf-4538-af28-1a9d7d1abb44

API Security ECP

ECP Description

APIs are a ubiquitous feature of modern web applications. However, as described in [2] and [3], designing APIs so that they are secure is very challenging. Consequently, APIs are a popular attack surface for malicious parties who seek to compromise web applications and, more broadly, the organisations that run them.

This ECP theme is inspired by the work of the OWASP API Security Project [1], which aims to understand and mitigate the increasing number of vulnerabilities in the APIs that businesses deploy as part of their software service provision. Unfortunately, many APIs do not undergo the rigorous security testing that would help to address such concerns.

ECP Designator(s)

The designator for this ECP theme is Dr Charles Clarke (University of Roehampton).

ECP Aims (indicative)

The broad aims of this ECP theme are to investigate, procure, model, document and test API security good practices. It is anticipated that the outcomes of this ECP will be shared with the CISSE UK Cyber Education Community.

ECP Objectives (indicative)
  • Implement requirements engineering processes to elicit both functional and non-functional requirements.

  • Research, review and collate API security links, resources, and tools.

  • Elicit input from API developers.

  • Establish a structure for collating research artefacts in a shared project space.

  • Create a report, video or presentation that presents a narrative of API security.

  • Evaluate the utility of the report, video or presentation with developers as part of a test plan.

  • Create "before and after" examples of API security good practices within a test environment.

  • Create a debrief report of the project and its outcomes.

Indicative Technology Themes

APIs; Cloud Computing; Docker; Virtual Machines; Front End and Back End technologies

Example Resources and Links

[1] OWASP Foundation, OWASP API Security Project. https://owasp.org/www-project-api-security/

[2] R. Anderson, Security Engineering (2nd ed.), Chapter 18: API Attacks. https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c18.pdf

[3] The Cyber Security Body of Knowledge (CyBOK). https://www.cybok.org/