What's Next For Developers
Creating and maintaining secure software, or fixing existing software, is hard. APIs are no different.
We believe that education and awareness are key to writing secure software. Everything else needed to reach that goal depends on establishing and following repeatable security processes and on using standard security controls.
OWASP has published free and open resources to address security since the very beginning of the project. Please visit the OWASP Projects page for a comprehensive list of available projects.
Education | You can start by reading the OWASP Education Project materials that match your profession and interests. For hands-on learning, we have added crAPI (Completely Ridiculous API) to our roadmap. Meanwhile, you can practice web application security with the OWASP DevSlop Pixi Module, a deliberately vulnerable web application and API service intended to teach users how to test modern web applications and APIs for security issues, and how to write more secure APIs in the future. You can also attend OWASP AppSec Conference training sessions, or join your local chapter. |
Security Requirements | Security should be part of every project from the beginning. During requirements elicitation, define what "secure" means for that specific project. OWASP recommends using the OWASP Application Security Verification Standard (ASVS) as a guide for setting security requirements. If you are outsourcing development, consider the OWASP Secure Software Contract Annex, which should be adapted to local law and regulations. |
Security Architecture | Security should remain a concern during every stage of the project. The OWASP Prevention Cheat Sheets are a good starting point for guidance on building security into the design during the architecture phase. Among many others, you will find the REST Security Cheat Sheet (for design guidance) and the REST Assessment Cheat Sheet (for testing what was built). |
Standard Security Controls | Adopting standard security controls reduces the risk of introducing weaknesses that come with writing your own security logic. Even though many modern frameworks now ship with effective standard controls built in, the OWASP Proactive Controls give you a good overview of which security controls you should include in your project. OWASP also provides libraries and tools you may find valuable, such as validation controls. |
Secure Software Development Life Cycle | You can use the OWASP Software Assurance Maturity Model (SAMM) to improve your process for building APIs. Several other OWASP projects are available to help during the different API development phases, for example the OWASP Code Review Project. |