Dear security-focused developer, share this video with your product manager to convey everything you've been advocating for--in under 2 minutes.🤣🤣 Thank me later. Some really golden advice from @InsiderPhD. PS: What are your thoughts? #softwareengineering #applicationsecurity #apisecurity #apikitchen
2
10
624
When @danbarahona asked if I would prepare a meal without tasting it or only taste it once it's served, I silently shouted, "Preach!" What a powerful analogy! That analogy aptly describes current practices in many engineering teams. In fact, a recently released CrowdStrike report says only 54% of major code changes go through full security reviews. 😒 It's far more embarrassing to correct cooking mistakes after the meal is on the table, and it's also much harder than if you'd been tasting along the way. The best approach is to harness the power of automated testing in your CI/CD pipeline, combined with periodic pentesting. This way, you get the best of both worlds, and security won't slow down your development. PS: What are your thoughts? #softwareengineering #applicationsecurity #apisecurity #apikitchen #cybersecurity #informationsecurity
2
4
27
1,437
1 in 3 organizations release API updates daily, but only a small percentage of these APIs are continually tested for vulnerabilities. Security simply isn't catching up with the speed of development cycles. How can you tell if your security controls are holding up against the most prevalent threats? How quickly will you know when your APIs are being abused? Do you know the most likely ways attackers will try to bypass your authentication and authorization? Are there APIs in your ecosystem that you're not aware of and consequently not actively protecting? Everything else I need to say is in the video. Enjoy | Repost | Reply | Like #cybersecurity #softwareengineering #apisecurity #APIKitchen #informationsecurity
12
33
1,385
What is the simplest thing organizations can do to improve their API security posture? @InsiderPhD had this to say at the #APIKitchen. What's your take on Vulnerability disclosure programs? Tell me in the Reply section. Repost | Reply | Like #cybersecurity #apisecurity #APIKitchen #informationsecurity
2
6
26
1,229
How will your application behave when a malicious user provides a negative number as an input? My #APIKitchen guest, Corey J. Ball, breaks down input validation in the context of API Security for a Fintech API. This is applicable to any other APIs. Pro Tip: When testing endpoints for your Fintech APIs, create test cases that play around with dates in the past. If your savings app, for example, is allowing users to set a date in the past, you're in hot soup! This is a common business logic flaw that developers aren't taking care of. Tag or share this video with your security and development team to discuss and learn. PS: What are other input validation issues you have seen in APIs? #apisecurity #softwareengineering #developer #cybersecurity #informationsecurity
3
16
45
6,075
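The negative-amount and past-date cases from the post, as an added example (not code from the episode or its guest): a validator for a hypothetical savings-goal endpoint that parses money as Decimal, fails closed on non-numeric or non-finite input, and rejects target dates that are not strictly in the future. The field names, currency list and limits are assumptions.

```python
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation

# Constructed example: field names (amount, target_date, currency),
# currencies and limits are assumptions, not taken from any real API.
ALLOWED_CURRENCIES = {"NGN", "USD", "EUR"}
MAX_AMOUNT = Decimal("1000000.00")
MAX_HORIZON = timedelta(days=365 * 10)

def parse_amount(raw):
    """Parse a money value from a JSON body. Accept only strings or ints
    (floats lose precision); return a Decimal or raise ValueError."""
    if isinstance(raw, bool) or not isinstance(raw, (str, int)):
        raise ValueError("amount must be a string or integer")
    try:
        value = Decimal(str(raw))
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not value.is_finite():            # rejects NaN and Infinity
        raise ValueError("amount must be finite")
    if value <= 0:                       # rejects negatives and zero
        raise ValueError("amount must be greater than zero")
    if value > MAX_AMOUNT:
        raise ValueError("amount exceeds limit")
    if value.as_tuple().exponent < -2:   # no sub-cent precision
        raise ValueError("amount has more than two decimal places")
    return value

def validate_savings_goal(body, today):
    """Return a list of validation errors (empty when the request is valid).
    `today` is passed in so the check is deterministic and testable."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    try:
        parse_amount(body.get("amount"))
    except ValueError as e:
        errors.append(str(e))
    try:
        target = date.fromisoformat(body.get("target_date"))
        if target <= today:              # the business-logic flaw from the post
            errors.append("target_date must be in the future")
        elif target > today + MAX_HORIZON:
            errors.append("target_date is more than 10 years away")
    except (TypeError, ValueError):
        errors.append("target_date must be an ISO date (YYYY-MM-DD)")
    if body.get("currency") not in ALLOWED_CURRENCIES:
        errors.append("currency is unsupported")
    return errors
```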
Authorization is a critical API security consideration and according to my #APIKitchen guest, @shehackspurple, we need to fix up on one common mistake! It's crucial to ensure that users can only access the functions and records they are authorized to, even if they are already authenticated to use the API. This involves: ☑ Carefully planning the authorization model ☑ Denying access by default ☑ Thoroughly testing the authorization for every user role and function. Tag or share this video with your security and development team to discuss and learn. #apisecurity #softwareengineering #developer #cybersecurity #informationsecurity #programming
2
11
756
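The three points in the post (a planned model, deny by default, test every role and function) as an added example, not code from the episode or its guest: an allow-list policy where any (role, action) pair without an explicit rule is denied, an owner check so authenticated users only reach their own records, and a routine that exercises every role against every action as both the record owner and a stranger. Roles, actions and user ids are assumptions.

```python
from itertools import product

# Constructed example: roles, actions and ids are assumptions for illustration.
ROLES = ("customer", "support", "admin")
ACTIONS = ("read_account", "update_account", "read_any_account", "close_account")

# Allow-list policy: a (role, action) pair that is absent here is denied.
# "owner_only" additionally requires the caller to own the record.
POLICY = {
    ("customer", "read_account"): "owner_only",
    ("customer", "update_account"): "owner_only",
    ("support", "read_account"): "any",
    ("support", "read_any_account"): "any",
    ("admin", "read_account"): "any",
    ("admin", "read_any_account"): "any",
    ("admin", "update_account"): "any",
    ("admin", "close_account"): "any",
}

def is_allowed(user, action, record):
    """Deny by default: True only when an explicit rule grants the action.
    user = {"id": ..., "role": ...}; record = {"owner_id": ...}."""
    if not user or action not in ACTIONS:
        return False
    rule = POLICY.get((user.get("role"), action))
    if rule is None:
        return False
    if rule == "any":
        return True
    if rule == "owner_only":
        return user.get("id") == record.get("owner_id")
    return False  # an unrecognised rule value fails closed

def authorization_matrix(record_owner="alice"):
    """Test every (role, action) pair twice: as the record owner and as a
    different authenticated user. Returns {(role, action): (owner, other)}."""
    record = {"owner_id": record_owner}
    results = {}
    for role, action in product(ROLES, ACTIONS):
        owner = {"id": record_owner, "role": role}
        other = {"id": "bob", "role": role}
        results[(role, action)] = (is_allowed(owner, action, record),
                                   is_allowed(other, action, record))
    return results

def owner_only_leaks(matrix):
    """(role, action) pairs where a non-owner reached an owner_only action."""
    return [k for k, (_, as_other) in matrix.items()
            if POLICY.get(k) == "owner_only" and as_other]
```

Running the matrix in CI and asserting on the full result, rather than only on the happy path, is what turns "test every role and function" into a repeatable check.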
By the end of this episode, you'll understand how to utilize OWASP ASVS as a tool for comprehensive assessment against API vulnerabilities. Can I also mention that Nick made me laugh so hard backstage. Now I wish we had filmed the behind the scenes of this episode, because it was so much fun. PS: What is your biggest takeaway from today's episode of the API Kitchen? Let me know in the comments #APIKitchen #cybersecurity #APISecurity #confidencestaveley #infosec #informationsecurity #sisinerdTV #softwareengineering #tech
1
1
392
Can you believe season 2 of the API Kitchen is coming to an end tomorrow? 😢 It’s been such a great run and we are closing the season with a bang! Just like a kitchen follows specific health codes, our guest Nick Aleks @exploitpapi shared that APIs need security standards like the OWASP Application Security Verification Standard (ASVS) to provide a comprehensive recipe for building robust API defenses. Think of OWASP ASVS as your kitchen’s ultimate hygiene checklist. It outlines crucial security controls at various levels, ensuring your API is secure from the ground up. Implementing these controls is like following a proven recipe for food safety – it guarantees your API serves up a secure experience for your users. PS: What is your key takeaway from the finale’s excerpt? Tell me in the comments. #APIKitchen #cybersecurity #APISecurity #confidencestaveley #infosec #informationsecurity #softwareengineering
2
13
2,292
Episode 9 is live on YouTube featuring @shehackspurple! Throughout Season 2 of the API Kitchen, we've been dishing out mouthwatering security tips to beef up your APIs against cyber threats. Now, at the penultimate episode, we're spicing things up with Tanya Janca, the Author of "Alice and Bob Learn Application Security," Founder of SheHacksPurple, and Head of Community at Semgrep, joining us. By the end of this episode, you'll learn about the three levels of ASVS, how to blend authentication with session management and so much more. Watch the full episode here on X or on YouTube by clicking the link in the comments. PS: What is your biggest takeaway from this episode? Let me know in the comments section. #APIKitchen #APISecurity #cybersecurity #confidencestaveley #infosec #informationsecurity #softwaredevelopment #softwareengineering #tech
2
14
61
3,669
For those who may not know what it is, the OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. PS: What do you think is the most important takeaway for developers when it comes to successfully applying the OWASP ASVS? Tell me in the comments section. #APIKitchen #informationsecurity #cybersecurity #confidencestaveley
1
1
4
1,036
A new episode of API Kitchen is live! Last week, we laid the foundation in the conversation on logging and monitoring challenges, and today, we're delving even deeper. Our guest speaker, @khal_lodbrok, is the Chief Solution Officer at Cybervergent, and brings a wealth of expertise to the table as a seasoned Business Information Systems and Enterprise Security leader, boasting nearly two decades of experience in crafting, constructing, and overseeing secure systems and infrastructure. On a personal note, Gbolabo Awelewa is a technical reviewer for my book, API Security for White Hat Hackers. At the end of this episode you will know more about what to log and what not to log as it concerns your APIs. Watch the full episode here on X or use the link in the comments section to watch on YouTube. I am a sisi that's also a nerd #sisinerd #APIKitchen #APISecurity #cybersecurity #security #testing #ConfidenceStaveley #informationtechnology #informationsecurity #securecoding
3
26
82
4,181
Our guest, Gbolabo Awelewa @khal_lodbrok, swung by the API Kitchen once more to spill the beans on logging unwanted data. Remember last week's episode where we established some of the challenges with Logging and Monitoring in API Management? Well, turns out, there's some data you definitely don't want cluttering up your logs. What exactly counts as unwanted data? Why does it matter? Unwanted data isn't data that isn't needed in operations, but data that could cause a real headache if it ends up in your logs, like sensitive customer details or confidential company info. That's why it's crucial to get a handle on what you're logging. PS: What's your key takeaway from this excerpt from my chat with this week's virtual kitchen guest? Let me know in the comments. #APIKitchen #APISecurity #cybersecurity #confidencestaveley #infosec #sisinerd
4
30
2,050
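The "unwanted data" point from the post as an added example (not code from the episode or its guest): a scrubber that runs over a request payload before it is written to the API log, dropping values under sensitive key names, masking card-like digit runs in free text, and blanking bearer tokens that leak into strings. The key list, regexes and sample payload are assumptions constructed for illustration.

```python
import json
import re

# Constructed example: key names, patterns and payload are assumptions.
SENSITIVE_KEYS = {"password", "token", "authorization", "card_number",
                  "cvv", "ssn", "secret"}
# 13-19 digits, optionally separated by spaces or dashes; ends on a digit so
# the match never swallows the following space. Long numeric ids will also be
# masked, which is the safer failure mode for a log.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
BEARER_RE = re.compile(r"(?i)bearer\s+[a-z0-9._~+/=-]+")

def mask_pan(text):
    """Replace every card-like number with stars, keeping the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)

def scrub(value, key=None):
    """Recursively remove or mask data that must not reach the logs.
    Dict values under a sensitive key are replaced wholesale; strings
    anywhere are checked for card numbers and bearer tokens."""
    if isinstance(key, str) and key.lower() in SENSITIVE_KEYS:
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return mask_pan(BEARER_RE.sub("Bearer [REDACTED]", value))
    return value  # numbers, booleans, None pass through unchanged

def log_line(event, payload):
    """Build one JSON log record from a scrubbed copy of the payload."""
    return json.dumps({"event": event, "data": scrub(payload)}, sort_keys=True)
```

Scrubbing is a backstop for the allow-list decision the post argues for (decide what to log first); it catches the fields that slip past that decision, not a replacement for making it.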
Episode 7 of the API Kitchen is served! 🥳 What should you be logging? What should you not be logging? How can you tie these metrics to security objectives? We answered these questions and many more in this episode with our guest @ThisIsAnuprita, a Product Security Professional at eBay. At the end of this episode, you'll gain a better understanding of logging and monitoring. PS: What stood out the most for you in this episode? Tell me in the comment section. #APIKitchen #APISecurity #softwareengineering #applicationsecurity #cybersecurity #confidencestaveley #infosec
7
20
83
4,066
What are the most typical mistakes businesses make regarding logging and monitoring of APIs? I asked our guest for this week's episode of #APIKitchen, @ThisIsAnuprita, and her answer was very insightful. Logging and monitoring play an extremely important role in API management as well as in secure #SDLC, because they not only focus on the security aspect but also cover the performance and availability aspects of the APIs, which are crucial to gaining customer trust and the success of most businesses. PS: Feel free to join the conversation in the comments section and share what your take was from the episode 7 excerpt and any other typical mistakes with API logging and monitoring. #devsecops #confidencestaveley #softwareengineering #apisecurity #informationsecurity #infosec #cybersecurity
1
4
6
892
🔐 New Episode Alert! 🔐 Watch the full episode here on X. A chef preparing a dish without knowing the basics of food safety is super risky. Similarly, developing APIs without a solid understanding of secure coding practices can lead to loads of security loopholes. In this episode, we have @InsiderPhD in our virtual kitchen to discuss her thoughts on secure coding, especially in the context of APIs. Katie Paxton-Fear is an ethical hacker, an educational content creator at Traceable and a lecturer of cybersecurity at The Manchester Metropolitan University. At the end of this episode, you'll gain knowledge that will help you develop secure APIs that stand the test of time. PS: What was your biggest takeaway from today's episode? Tell me in the comment section. #APIKitchen #APISecurity #API #Tech #informationsecurity #infosec #cybersecurity #confidencestaveley
4
21
78
3,572
🔐 New Episode Alert! 🔐 Watch the full episode here on X. Managing API versions to ensure backward compatibility and maintaining security is a challenge to many organizations. So how do we overcome this versioning challenge? In this episode, we have @danbarahona in our virtual kitchen to discuss his thoughts on how to manage this issue. Dan is the co-founder of APIsec University, a learning platform dedicated to sharing API security knowledge with the community. APIsec got over 70,000 students in its first year, with over 75% of them working for Fortune 500 companies. PS: What was your biggest takeaway from today's episode? Tell me in the comment section. #confidencestaveley #api #apikitchen #apisecurity #cybersecurity #infosec #informationsecurity
3
11
50
2,532
I asked @danbarahona "what is one underutilized API security best practice that you consider the salt of the earth—a basic yet potent aspect that may greatly improve an organization's security posture?" His answer is insightful...Watch the excerpt from the episode to be published tomorrow...Enjoy a sneak peek. PS: What do you think about this best practice? #APIKitchen #cybersecurity #infosec #informationsecurity #confidencestaveley
7
27
1,422
🔐 New Episode Alert! 🔐 Watch the full episode here on X. Keeping your APIs secure isn't just about building secure APIs but also ensuring that integration with third-party tools is also carefully done. In this episode, we have @Gabrielle_BGB 🔑 in our virtual kitchen to discuss her thoughts on how to manage this issue. Gabrielle is an award-winning pentester with extensive experience testing APIs for vulnerabilities. What was your biggest takeaway from today's episode? Tell me in the comment section. #api #apikitchen #apisecurity #cybersecurity #infosec #informationsecurity #tech #cyber
3
22
74
2,959
PS: Do you think content type and content length are such a big deal? Is your team using these headers? Is this something you'll adopt going forward? #apisecurity #api #apikitchen #cybersecurity #cyber #informationsecurity #tech #apidevelopment #software #appdevelopment #infosec #softwareengineering
4
295
Episode 2 of API Kitchen is live! In today's episode, we discuss how lack of input validation poses a major risk to our APIs and how you can mitigate these risks. @hAPI_hacker joined me in the API Kitchen this week and served up some really thought-provoking scenarios and actionable tips. Click the link below to watch the full episode. youtu.be/x_-BkRfsxk8 PS: What was your biggest takeaway from this episode and what are you changing going forward? #APIKitchen #apisecurity #cybersecurity #informationsecurity #infosec #tech #apis #devsecops
2
30
95
4,400