Thank You Chicago!

Earlier this week we had the pleasure of hosting a regional API Security Summit in Chicago (well, actually in Lombard). These summits bring together the local cybersecurity community for a half-day of API Security-focused content, including expert speakers and panelists. While this isn’t the first time we’ve organized an event like this, it was memorable for the quality of content and participants. I won’t attempt to repeat all of the content here, but a summary might be useful for those who couldn’t attend in person.

5 Essential Lessons for Building and Securing APIs, Aaron Bedra, CTO

Aaron Bedra provided clear guidance for practitioners who are responsible for APIs, encapsulated into 5 lessons:

Lesson 1: Have a firewall

You don’t only need a traditional network firewall (though you need that too); make sure that you have the controls in place to block unwanted traffic. Aaron advised that organizations “restrict the space to only the actors who are viable,” by blocking things like Tor exit nodes or specific geographies. Don’t ask your application to process traffic that isn’t valid.

Lesson 2: Implement rate limiting

Relatedly, make sure your application can degrade gracefully in the face of broken clients (or attackers). Rate limiting should be dynamic and responsive to the clients’ behavior. With APIs, we’re not talking about human beings, so don’t expect human behavior.

Lesson 3: Record everything

If you don’t record or log everything, you can’t…
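The “dynamic and responsive” rate limiting that Lesson 2 calls for, as an added Python example that is not from the talk or this post: a per-client token bucket whose refill rate shrinks while a client keeps sending requests the API rejects, and recovers as the penalty decays. The class and parameter names (AdaptiveRateLimiter, report_bad, penalty_step, decay_per_sec) and the injectable clock are assumptions of this example.

```python
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float          # requests the client may still make right now
    last: float            # clock reading at the last refresh
    penalty: float = 0.0   # grows with rejected requests, decays over time


class AdaptiveRateLimiter:
    """Per-client token bucket whose refill rate shrinks while the client misbehaves.

    Constructed example, not code from the summit. A client normally refills at
    `base_rate` tokens/second up to `burst`. Each request the API rejects as
    invalid (reported via report_bad) raises the client's penalty, which divides
    its refill rate; the penalty decays at `decay_per_sec`, so a client that
    starts behaving recovers its full rate. `clock` is injectable for testing.
    """

    def __init__(self, base_rate=10.0, burst=20.0, penalty_step=1.0,
                 decay_per_sec=0.5, clock=time.monotonic):
        self.base_rate, self.burst = base_rate, burst
        self.penalty_step, self.decay_per_sec = penalty_step, decay_per_sec
        self.clock = clock
        self._buckets: dict[str, _Bucket] = {}

    def _refresh(self, client_id: str) -> _Bucket:
        now = self.clock()
        b = self._buckets.get(client_id)
        if b is None:  # first contact: a full bucket, no penalty
            b = self._buckets[client_id] = _Bucket(tokens=self.burst, last=now)
            return b
        elapsed = max(0.0, now - b.last)
        b.last = now
        b.penalty = max(0.0, b.penalty - self.decay_per_sec * elapsed)
        rate = self.base_rate / (1.0 + b.penalty)   # penalised clients refill slower
        b.tokens = min(self.burst, b.tokens + rate * elapsed)
        return b

    def allow(self, client_id: str) -> bool:
        """True if the client may proceed now; consumes one token when it does."""
        b = self._refresh(client_id)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def report_bad(self, client_id: str) -> None:
        """Call when the API rejected the request (malformed, auth failure, 4xx)."""
        self._refresh(client_id).penalty += self.penalty_step

    def effective_rate(self, client_id: str) -> float:
        """Current refill rate (tokens/second) for this client after penalties."""
        return self.base_rate / (1.0 + self._refresh(client_id).penalty)
```

Wire allow() in front of the handler and report_bad() on its rejection path; a broken client or an unauthenticated scanner then throttles itself down without affecting well-behaved callers.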