Appsec

API Security at the gateway

When it comes to talking about API security there are many facets and paths the conversation can take. We might want to talk about it from an AppDev security perspective; after all, an API is just code, so your SAST/DAST type processes apply. We might want to talk about it in terms of authentication; after all, you need credentials to access an API and there are many different ways this can be done (Basic Auth, mutual TLS, OAuth, HMAC…); this would also include when anonymous APIs are OK!

Microservice Security

Recently I was invited to be part of a panel on Microservice Security. The fools! Normally on these panels they want you to talk for 5-ish minutes; unfortunately I came up with about 15 minutes' worth of material! That's perfect for a blog :-)

Older designs

Before I talk about microservices I want to take a look at older designs: monoliths. A “monolith” is pretty much an “all in one” application.