Master the Secure REST API Before Your Next Interview.png

Digital threats emerge every day around the world. This course will help you build REST APIs with minimal vulnerabilities.

This course diligently crafts the security design around the REST API and gears you up to a Secure Software Development Life Cycle (SSDLC). You’ll learn REST security from start to finish. This includes client and server rendering, the architectural constraints of REST, SSL/TLS/X.509 certificates, choosing the right TLS protocol, version, ciphers, forward secrecy, and the seven tenets of Zero Trust. You’ll also learn how and where to position access control in monolithic and microservices. You’ll also learn to make your application stateless using JWT, and learn the nuances of JWT security, how to put input validation to good use, choosing the right HTTP method to use, and the best practices for various content types.

By the end of this course, you’ll be able to build your next REST API and be confident in its security as measured by the common vulnerability scoring system (CVSS3.1).

Will be provided later

Securing REST API for Web Applications and Services

## The zero trust model

The **zero trust (ZT)** model provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate decisions in information systems and services in the face of a network that could be compromised. **Zero trust architecture (ZTA)** is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise.

## The seven tenets of zero trust

Zero trust provides a set of principles and concepts around moving the policy decision and enforcement points closer to the resource. The idea is to explicitly authenticate and authorize all subjects, assets, and workflows that make up the enterprise.

Below are the seven tenets of zero trust. Authentication and access control are some of the key tenets:

1. All data sources and computing services are considered resources.

2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset. It may include other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.


## Design IAM for diverse applications
**IAM** is identity and access management. There are two different approaches to application design, monolithic and microservices.

**Monolithic** architecture is built as one large system and is usually one codebase. **Microservices** architecture is built as a small independent module based on business functionality.

For any kind of application, it’s better to have one centralized approach to authentication. With modern technology, multi-factor authentication is needed given the possibility of security infringements. There are several factors that need to be considered during multi-factor authentication, but these are beyond the scope of this course.

> **Note:** We do not authenticate for each REST endpoint. We only authenticate the architecture once, and.  we’ll have to be re-authenticated based on timeout controls.

Now that we have understood where authentication should be, let’s move to access control.

# The zero trust model

The **zero trust (ZT)** model provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate decisions in information systems and services in the face of a network that could be compromised. **Zero trust architecture (ZTA)** is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise.

# The seven tenets of zero trust

Zero trust provides a set of principles and concepts around moving the policy decision and enforcement points closer to the resource. The idea is to explicitly authenticate and authorize all subjects, assets, and workflows that make up the enterprise.

Below are the seven tenets of zero trust. Authentication and access control are some of the key tenets:

1. All data sources and computing services are considered resources.

2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset. It may include other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.


# Design IAM for diverse applications
**IAM** is identity and access management. There are two different approaches to application design, monolithic and microservices.

**Monolithic** architecture is built as one large system and is usually one codebase. **Microservices** architecture is built as a small independent module based on business functionality.

For any kind of application, it’s better to have one centralized approach to authentication. With modern technology, multi-factor authentication is needed given the possibility of security infringements. There are several factors that need to be considered during multi-factor authentication, but these are beyond the scope of this course.

> **Note:** We do not authenticate for each REST endpoint. We only authenticate the architecture once, and.  we’ll have to be re-authenticated based on timeout controls.

Now that we have understood where authentication should be, let’s move to access control.

Understand Zero Trust and how to logically place authentication and access control for better security of REST APIs. 

REST API Authentication and  Access Control

Understand Zero Trust and how to logically place authentication and access control for better security of REST APIs.