tyk.io
2606:4700:10::6816:41b3
Public Scan
Submitted URL: https://cjsy-04.na1.hubspotlinks.com/Ctc/LX*113/cJsY-04/VX63-052HfCfW6zmc8k96KTZSW6N147h4RP-mhN65wGW93q90JV1-WJV7CgG_dVBxF5T3x8121W5q...
Effective URL: https://tyk.io/blog/guide-to-api-security-management/?utm_campaign=API%20Led%20Product%20Growth&utm_medium=emai...
Submission: On November 02 via manual from IN — Scanned from DE
Form analysis
1 forms found in the DOM
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/5898904/b499ad4c-a63b-4614-b24d-a1ed14b05e85
Text Content
AN INTRODUCTORY GUIDE TO MODERN API SECURITY MANAGEMENT

Published on 24 Jan, 2022 - by Budha Bhattacharya

API Security, API Strategy

Modern digital transformation is built on APIs, driving a new operating model that provides direct access to business logic, applications, and institutional data. While this access is invaluable for partners and customers, it also makes APIs attractive targets for hackers and cybercriminals. Therefore, it is very important to focus on API security.

In this article, you will learn why it is so important to protect your API, some API security methodologies and best practices, and the role APIs play in the DevSecOps paradigm.

IMPORTANCE OF API SECURITY

Organisations use APIs (Application Programming Interfaces) to communicate with other systems and transfer data. A poorly developed API can expose sensitive personal data and, depending on the nature of the application, even medical and/or financial data. Data privacy is therefore high on the priority list for both the users and the organisations. There have been several cases in which companies have been hacked because of an open and insecure API, thereby exposing user data.
Venmo, a peer-to-peer mobile payment service, was hacked by a computer science student who was able to access information on seven million Venmo transactions, including the full names of people sending money through the platform. This happened, at least in part, because Venmo didn’t appropriately handle the challenges while making data accessible through a public API.

Similarly, Ledger, a French cryptocurrency hardware wallet company, experienced a data breach due to an insecure API. While the wallets and cryptocurrencies were well protected, a third-party API misconfiguration ended up leaking the personal data of their customers. The breach resulted in over 270,000 phone numbers and addresses being leaked and the exposure of more than a million customer email addresses.

As you can see, ensuring that your API is well developed and properly protected is of huge importance.

API SECURITY METHODOLOGIES

There are several techniques you can implement to increase your API’s security, each with a unique set of benefits. There are two aspects of API security – authentication, which tells an application who you are, and authorisation, which tells the application what you can or have permission to do. Here are a few common API security methods:

API KEYS

API keys are good for developer quick-starts and allow users to have access to all the resources on a platform as long as the `API-Key` is provided on every request. Essentially, it’s an encrypted string that identifies an application without paying attention to the user of the application. API keys provide application authorisation and identification; in other words, the platform identifies the project or application making a request to the API and checks to see if the application is authorised to make a request to the platform. The calling application needs to add the key to each API request, and the API can use the key to identify the application and authorise the request.
However, API keys are not totally secure as they are usually accessible to the client. This may make it easy for a hacker to steal the key, and if the API key doesn’t have an expiration time, a stolen key can be used indefinitely unless the owner revokes or generates a new key.

On the plus side, API keys can be used when you need to block anonymous traffic if you want to allow only traffic from a particular application. You can also use them to control and limit the number of calls made to your API, to filter application logs or to identify application usage patterns.

BASIC AUTHENTICATION

Basic Authentication, or basic auth for short, is a simple method of authenticating API requests. It uses a header called `Authorization`, with a Base64-encoded representation of the username and password of the user. For example, a request using basic authentication for the user `tomiwa` and password `123456` looks like this:

```
GET / HTTP/1.1
Host: example.com
Authorization: Basic dG9taXdhOjEyMzQ1Ng==
```

Even though basic auth is easy to implement and suitable for server-to-server communication, using it for client-server communication can pose several threats. Sending user credentials for every request would be considered bad practice, as the user is not aware of what the app will use the credentials for, and the only way to revoke access is to change the password. Also, the passwords are usually long-lived, and if an attacker has access to the password and username, this can lead to significant damage.

Basic Authentication can be used in a scenario where you want a simple way of authenticating users while enforcing security. It can also save a lot of time when you need to quickly get up and running with authentication and don’t want to spend much time thinking about roles, permissions scopes, etc.

JSON WEB TOKENS (JWT)

JSON Web Tokens, also known as JWT, is a standard for safely exchanging claims between two parties.
These claims are assertions about a certain object to ensure its validity. JWT provides various types of signatures and encryption. The signatures are used for validation to guard against data tampering, while the encryption is useful for protecting data from being accessed by third parties.

The process starts by sending a username and password to the server and then validating the information sent. Once validated, the server generates a token, which is usually made up of a header, payload and signature separated by dots based on a secret key that only the server knows. The client can then include this token in the headers of subsequent requests, and the server will validate it using the secret key. The generated token is usually valid for a period of time, after which the client can use a refresh token to request a new one. This allows the server to block access to clients, if required.

There are several benefits of using JWTs. They are more secure as they provide a public/private key pair in the form of an X.509 certificate for signing. They can also be used in federated identities. For example, the ID Token returned when a user logs in successfully with their credential in the OpenID Connect’s spec is a JSON Web Token. JSON Web Tokens are very common and are used at internet scale. They can also be used on multiple platforms, especially mobile.

AUTHORISATION METHODS

While authentication checks if a user exists on a platform, authorisation focuses more on verifying if a user or entity has the right to perform certain operations, such as whether a user can view the photos of other users in a photo-sharing application. There are several methods to be aware of, some of which include the following:

ROLE-BASED ACCESS CONTROL (RBAC)

Role-Based Access Control (RBAC) is a security paradigm that allows users to have restricted access to resources based on their roles in the organisation.
RBAC allows you to assign roles to users; each role grants access to one or more sets of rights and that in turn determines the kind of operation that particular user can perform on the platform. The basic principle of Role-Based Access Control is simple; for example, the Human Resource department can’t see Finance data, and vice versa.

When implemented correctly, RBAC will be transparent to the users. Role assignment happens behind the scenes, and each user has access only to the applications and data that they need to do their job. When you have a structured workgroup and want to be able to define the rights to a system by specific roles, RBAC is a great option.

ATTRIBUTE-BASED ACCESS CONTROL (ABAC)

Attribute-Based Access Control (ABAC) is an authorisation model that evaluates the characteristics or attributes of an entity, instead of roles, to determine access. For example, you might only want to allow users of a particular type, such as permitting employees in the HR department to access the HR/Payroll system, and only during business hours within the same time zone as the company.

At its core, ABAC enables flexible and fine-grained access control that allows for more input variables into an access control decision. Any available attribute in the directory can be used by itself or in combination with another to define the right filter for controlling access to a resource. Because you can define access by employee type, location and business hours, ABAC is usually suitable for geographically dispersed workgroups, or when you want fine-grained access control policies.

OAUTH 2.0

OAuth 2.0, which stands for “Open Authorization,” is a standard that allows a website or application to access resources hosted by other web apps on behalf of a user. It’s a way of securely saying that it’s okay for a platform to use one of your trusted authentications to allow access to the platform resources.
For example, you might use it to tell GitHub that it’s okay for LinkedIn to use your GitHub profile. OAuth is mainly used for authorisation and doesn’t share password data, but instead uses tokens to prove an identity between consumers and service providers. It also provides consented access and restricts actions that the client app can perform on resources on behalf of the user, without ever sharing the user’s credentials.

It is important to note that OAuth 2.0 is an authorisation protocol and **not** an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources available on another system, such as remote APIs or user data. It is therefore frequently paired with OpenID Connect (OIDC) to add authentication to the security workflow.

OPEN POLICY AGENT (OPA)

The Open Policy Agent (OPA) is a domain agnostic, general-purpose policy engine that gives you the ability to decouple policy and decision-making of a dedicated system. It automates and unifies policy enforcement and implementation across a wide range of technologies and across several IT environments, especially in cloud-native applications. OPA was originally created by Styra and has since been accepted by the Cloud Native Computing Foundation. The OPA is offered for use under an open-source licence.

Organisations use the OPA to automatically enforce, monitor and remediate policies across all relevant components. You can use OPA to centralise security, compliance and operational functions across Kubernetes, API gateways, continuous integration/continuous delivery (CI/CD) pipelines, data protection and more.
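
The RBAC and ABAC rules described above (HR cannot see Finance data; HR employees reach payroll only during business hours in the company's time zone), combined into one deny-by-default decision. This is an added example, not code from the article or from Tyk or OPA; the role table, the `AccessRequest` fields and the fixed UTC+1 company clock are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Assumption: the company runs on a fixed UTC+1 clock (no DST handling here).
COMPANY_TZ = timezone(timedelta(hours=1))
BUSINESS_OPEN, BUSINESS_CLOSE = time(9, 0), time(17, 0)

# RBAC: role -> permitted (resource, action) pairs. Constructed sample data.
ROLE_PERMISSIONS = {
    "hr": {("payroll", "read"), ("payroll", "write")},
    "finance": {("ledger", "read"), ("ledger", "write")},
}


@dataclass(frozen=True)
class AccessRequest:
    roles: frozenset
    department: str
    employment_type: str
    resource: str
    action: str
    when: datetime  # must be timezone-aware


def rbac_allows(req: AccessRequest) -> bool:
    """True if any of the caller's roles grants (resource, action)."""
    wanted = (req.resource, req.action)
    return any(wanted in ROLE_PERMISSIONS.get(role, set()) for role in req.roles)


def abac_denial(req: AccessRequest):
    """Return a reason string if an attribute rule fails, else None."""
    if req.resource != "payroll":
        return None  # only payroll carries attribute rules in this example
    if req.department != "HR" or req.employment_type != "employee":
        return "not an HR employee"
    if req.when.tzinfo is None:
        return "timestamp without time zone"  # never guess the caller's zone
    local = req.when.astimezone(COMPANY_TZ)
    in_hours = BUSINESS_OPEN <= local.time() < BUSINESS_CLOSE
    if local.weekday() >= 5 or not in_hours:
        return "outside business hours"
    return None


def authorize(req: AccessRequest):
    """Deny by default; the (decision, reason) pair is what an audit log records."""
    if not rbac_allows(req):
        return False, "no role grants this action"
    reason = abac_denial(req)
    if reason is not None:
        return False, reason
    return True, "allowed"


if __name__ == "__main__":
    # Constructed request: 08:30 UTC on a Tuesday is 09:30 on the company clock.
    sample = AccessRequest(frozenset({"hr"}), "HR", "employee", "payroll", "read",
                           datetime(2022, 1, 25, 8, 30, tzinfo=timezone.utc))
    print(authorize(sample))
```

The role check runs first, so a Finance user is rejected before any attribute is evaluated, and the business-hours test is made on the company clock rather than the caller's.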

OTHER API SECURITY BEST PRACTICES

Finally, there are a few other best practices in API security that are worth mentioning:

SHIFTING LEFT ON API SECURITY WITH DEVSECOPS

While traditional security teams rely on testing software at the end of the build process, this often causes inefficiencies and delays as developers must spend time implementing security fixes to new versions before releasing features to the end customer.

However, with DevSecOps—a philosophy that involves integrating security best practices during the development and operations processes—performing security tests is no longer done at the end of the build pipeline. Instead, it has become an integral part of the development process, allowing issues like vulnerable or outdated libraries, wrong API configurations, or possible sensitive data leakages to be discovered and fixed earlier.

DEFINING OWNERSHIP FOR SECURITY

With the introduction of the DevSecOps paradigm, security becomes the responsibility of everyone on the team—from the developers to the QA and DevOps engineers. That means not only the security team is responsible for ensuring the software’s security, but all stakeholders must take a vested interest in the API’s security.

The benefits of ensuring that all stakeholders accept responsibility for a software’s security are enormous. It reduces the time it takes to identify issues and bottlenecks in software and the time it takes to resolve them. It also speeds up the time it takes to deliver value to end customers, and encourages accountability at each stage of the development as each stakeholder must put their best foot forward toward the achievement of the team goal.

AUDIT LOGS

An audit log is a record of events as they happen within a computer system.
A system of log-keeping and records becomes an audit trail where anyone investigating actions within a system can trace the actions of users, access to given files, or other activities, such as the execution of files under root or administrator permissions, or changes to OS-wide security and access settings.

Audit logs are very useful when there is a need to identify or track the cause of an issue or event. For example, they can be used to track how data went missing on a platform. They can also be used to make informed decisions in the future as the data logged in real time can also serve as feedback on how to improve the system going forward.

IDENTITY PROVIDERS (IDPS)

An identity provider (IdP or IDP) stores and manages users’ digital identities. Think of an IdP as being like a guest list, but for digital and cloud-hosted applications instead of an event. An IdP may check user identities via username-password combinations and other factors, or it may simply provide a list of user identities that another service provider (like an SSO) checks.

IdPs are not limited to verifying human users. Technically, an IdP can authenticate any entity connected to a network or a system, including computers and other devices. Any entity stored by an IdP is known as a “principal” (instead of a “user”). However, IdPs are most often used in cloud computing to manage user identities.

IdPs can be used when organisations need to delegate or outsource the managing and controlling of employee information from a central source without having to build a custom solution to do so. This can save time as well as provide a platform to manage all employee data in the long run, while ensuring that the security of user information remains tight.

HOW TYK’S API MANAGEMENT PLATFORM ENABLES API SECURITY

Tyk is a cloud-native API management platform for modern software.
We enable users to use REST, GraphQL, gRPC and even SOAP-based APIs to connect to one another through our open source API gateway, while also providing an intuitively designed interface for monitoring and controlling the APIs. Being one of the leaders in full life cycle API management, API security is top of our priority list. Here’s how Tyk enables organisations to secure their APIs:

SEPARATION OF CONCERNS

Tyk’s API gateway enables developers to abstract their security layer from the back-end. This way the microservices can focus on the business logic of the application, while the API gateway can tackle the administrative aspects of the architecture. Tyk provides the flexibility of using Tyk’s out of the box authentication and authorisation capabilities, or delegating your security needs to external systems such as Identity Providers (IdPs) for Single Sign-On (SSO) or Dynamic Client Registration (DCR). Whichever the case, the consistent security policies provided at the gateway level ensure that all underlying microservices follow the same security standards across the application, thereby laying the foundation for scaling the application in a secure manner.

AUTHENTICATION AND AUTHORISATION

Tyk provides out of the box support for a variety of authentication and authorisation methodologies including those mentioned in this article previously. From Authentication (bearer) Tokens to OAuth2.0, from JSON Web Tokens (JWTs) to Role-based Access Control (RBAC), Tyk’s got your application covered. What’s even better is that if you wanted to combine or chain together multiple security methodologies, you could easily do that too!

DYNAMIC CLIENT REGISTRATION (DCR)

Dynamic Client Registration (DCR) enables the dynamic registration of clients with your organisation’s existing authorisation server.
Whether your organisation is using Keycloak, Gluu or Okta as your external Identity Provider (IdP), our DCR capability integrates with the Tyk developer portal without the need to overhaul the underlying authorisation mechanism.

OPEN POLICY AGENT (OPA)

API governance is an integral part of the modern enterprise FLAPIM (full lifecycle API management) stack. A key aspect of this is fine-grained access control. To enable this, Tyk has baked the OPA rule engine right into the gateway making it possible to create custom permissions securely and effectively. The OPA rule engine sits in front of the Tyk Dashboard, providing a high-level declarative language (Rego) that lets you specify policy as code and simple APIs, to offload policy decision-making from your software.

API MONITORING AND AUDIT LOGS

Tyk provides the ability to monitor all API traffic in and out of the gateway. You can access and store detailed logs and audit trails of your entire API portfolio within Tyk’s dashboard. If you want to use an external monitoring system together with alerts such as Logstash or DataDog, you can easily do so by connecting to the Pump, which is responsible for the observability of your APIs.

CONCLUSION

API security is a very important topic as many applications today use APIs to communicate between systems. In this article, you have learned what API security is, how it can affect your software, and various methods and best practices you can apply to mitigate cybercrime or exposure of confidential data. You also learned the role DevSecOps culture plays in securing APIs, and how security testing should be performed at each stage of the software development lifecycle, thereby reducing the time it takes to develop and deploy applications to the end users.

Finally, by using tools like Tyk’s API management platform, you can ensure security across your entire application in a powerful, flexible and efficient way.
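
The token flow described under JSON WEB TOKENS (JWT) above, from issuing a header.payload.signature token to validating it with the server's secret, as an added example that is not part of the original article and is not Tyk's code. It uses only the Python standard library with HMAC-SHA256; the secret, the subject and the timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised when a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256).digest()


def issue_token(secret: bytes, subject: str, ttl_seconds: int, now: int) -> str:
    """Build header.payload.signature once the credentials have been checked."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + b64url_encode(_sign(secret, signing_input))


def verify_token(secret: bytes, token: str, now: int) -> dict:
    """Return the claims of a valid token, or raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError as exc:
        raise TokenError("undecodable token") from exc
    # Pin the algorithm on the server; the token never gets to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    # Check the signature before trusting anything in the payload.
    expected = _sign(secret, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("token expired")
    return payload


def demo() -> dict:
    """Run one valid token and three tokens that must be rejected."""
    secret = b"constructed-demo-secret"  # constructed; keep real secrets in a secret store
    t0 = 1_700_000_000                   # constructed issue time (Unix seconds)
    token = issue_token(secret, "tomiwa", ttl_seconds=300, now=t0)
    header_b64, _, signature_b64 = token.split(".")
    # Claims edited after issuance, original signature kept.
    edited = b64url_encode(json.dumps({"sub": "admin", "exp": t0 + 10**6}).encode())
    tampered = ".".join((header_b64, edited, signature_b64))
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + edited + "."
    results = {"valid": verify_token(secret, token, now=t0 + 60)["sub"]}
    cases = (("tampered", tampered, t0 + 60),
             ("alg_none", unsigned, t0 + 60),
             ("expired", token, t0 + 300))
    for name, candidate, when in cases:
        try:
            verify_token(secret, candidate, now=when)
            results[name] = "accepted"
        except TokenError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The verifier checks the signature with a constant-time comparison before it reads any claim, which is why the edited payload and the `alg: none` header are rejected regardless of what they assert.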