The Principle of Least Privilege

Explore the principle of least privilege and its critical role in securing APIs within distributed systems. Understand best practices for minimizing privileges to reduce risks, including avoiding root-level access, isolating applications, securing communication, and managing container vulnerabilities. This lesson equips you to design more secure software that limits damage from compromised credentials and malicious input.

Protecting APIs

The final entry in the Top 10 is also a newcomer to the list. The rise of REST and rich clients elevated APIs to a primary architectural concern. For some companies, the API is their entire product. It’s essential to make sure that APIs are not misused.

Security scanners have been slow to tackle APIs. In part, this is because there’s no standard metadata description about how an API should work. That makes it hard for a testing tool to glean any information about it. After all, if we can’t tell how it should work, how do we know when it’s broken?

To make things even harder, APIs are meant to be used by programs. Well, attack tools are also programs. If an attack tool presents the right credentials and access tokens, it’s indistinguishable from a legitimate user.

There are several keys to defense. The first is a kind of bulkheading (see Bulkheads). If one customer’s credentials are stolen, that’s bad. If the attacker can use those to get other customers’ data, that’s ...
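
An added example, not part of the original lesson: one way to apply the bulkhead idea to an API is to scope every record lookup to the customer behind the presented token, so a stolen credential exposes only that customer's data. The tokens, order IDs and function names below are constructed for illustration.

```python
# Constructed sample data: two customers, one API token each (hypothetical values).
TOKENS = {"tok-alice": "cust-1", "tok-bob": "cust-2"}
ORDERS = {
    "ord-100": {"owner": "cust-1", "total": 42},
    "ord-200": {"owner": "cust-2", "total": 99},
}
DENIED_LOG = []  # cross-customer attempts, kept for detection and review


class Unauthenticated(Exception):
    pass


class NotFound(Exception):
    pass


def authenticate(token):
    """Map a token to its customer ID, or reject the request."""
    if token not in TOKENS:
        raise Unauthenticated("invalid token")
    return TOKENS[token]


def get_order_unscoped(token, order_id):
    """Weak form: checks only that the token is valid, not whose data it is."""
    authenticate(token)
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_scoped(token, order_id):
    """Bulkheaded form: the record must belong to the token's customer."""
    customer = authenticate(token)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != customer:
        if order is not None:
            # The record exists but belongs to someone else: log the attempt.
            DENIED_LOG.append((customer, order_id))
        # Same error either way, so the response does not reveal
        # whether another customer's record exists.
        raise NotFound(order_id)
    return order
```
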