API Security at the gateway

When it comes to talking about API Security there are many facets and paths the conversation can take. We might want to talk about from an AppDev security perspective; after all, an API is just code, so your SAST/DAST type processes apply. We might want to talk about it in terms of authentication; after all, you need credentials to access an API and there’s many different ways this can be done (Basic Auth, mutual TLS, Oauth, HMAC…); this would also include when anonymous APIs are OK!

Microservice Security

Recently I was invited to be part of a panel on Microservice Security. The fools! Normally on these panels they want you to talk for 5-ish minutes; unfortunately I came up with about 15 minutes worth of material! That’s perfect for a blog :-) Older designs Before I talk about microservices I want to take a look at older designs Monoliths. A “monolith” is pretty much an “all in one” application.