What's Next For Developers
The task to create and maintain secure applications, or fixing existing applications, can be difficult. It is no different for APIs.
We believe that education and awareness are key factors to writing secure software. Everything else required to accomplish the goal depends on establishing and using repeatable security processes and standard security controls.
OWASP provides numerous free and open resources to help you address security. Please visit the OWASP Projects page for a comprehensive list of available projects.
| Education | The Application Security Wayfinder should give you a good idea about what projects are available for each stage/phase of the Software Development LifeCycle (SDLC). For hands-on learning/training you can start with OWASP crAPI - Completely Ridiculous API or OWASP Juice Shop: both have intentionally vulnerable APIs. The OWASP Vulnerable Web Applications Directory Project provides a curated list of intentionally vulnerable applications: you'll find there several other vulnerable APIs. You can also attend OWASP AppSec Conference training sessions, or join your local chapter. |
| Security Requirements | Security should be part of every project from the beginning. When defining requirements, it is important to define what "secure" means for that project. OWASP recommends you use the OWASP Application Security Verification Standard (ASVS) as a guide for setting the security requirements. If you're outsourcing, consider the OWASP Secure Software Contract Annex, which should be adapted according to local law and regulations. |
| Security Architecture | Security should remain a concern during all the project stages. The OWASP Cheat Sheet Series is a good starting point for guidance on how to design security in during the architecture phase. Among many others, you'll find the REST Security Cheat Sheet and the REST Assessment Cheat Sheet as well the GraphQL Cheat Sheet. |
| Standard Security Controls | Adopting standard security controls reduces the risk of introducing security weaknesses while writing your own logic. Although many modern frameworks now come with effective built-in standard controls, OWASP Proactive Controls gives you a good overview of what security controls you should look to include in your project. OWASP also provides some libraries and tools you may find valuable, such as validation controls. |
| Secure Software Development Life Cycle | You can use the OWASP Software Assurance Maturity Model (SAMM) to improve your processes of building APIs. Several other OWASP projects are available to help you during the different API development phases e.g., the OWASP Code Review Guide. |