From the course: GitHub Copilot for Cybersecurity Specialists by Microsoft Press


Create secure API gateway authentication and enforce least privilege access controls


Application Programming Interfaces, or APIs, are the new attack surface. Every endpoint is a potential vulnerability if authorization isn't implemented correctly. IDOR, which stands for Insecure Direct Object Reference, is OWASP API number one because it's devastatingly common and devastatingly simple to exploit. This is the classic API vulnerability, an endpoint like GET /api/accounts/{accountId}/transactions. An attacker changes the account ID to another user's ID and retrieves their data. No authentication bypass needed, no encryption break, just changing one parameter. And this works far too often. The fix here is simple in concept. Every endpoint verifies the authenticated user has permission to access the requested resource. But in practice, this requires thinking through authorization at design time. Who should access this endpoint? Which resources can they touch? This is the practical implementation. Every endpoint taking a user ID parameter validates it matches the authenticated user…
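The ownership check the narrator describes, written out as an added Python example (not code from the course): a handler that trusts the accountId path parameter next to one that releases an account's transactions only to its authenticated owner, with the check centralised so every account-scoped endpoint can reuse it. The user names, account ids and in-memory tables are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for a database: account ownership and
# per-account transactions. Ids and names are made up for illustration.
ACCOUNT_OWNER = {"acct-100": "alice", "acct-200": "bob"}
TRANSACTIONS = {
    "acct-100": [{"id": "t1", "amount": -42.00}],
    "acct-200": [{"id": "t2", "amount": 1500.00}],
}


@dataclass
class Response:
    status: int
    body: object = None


def get_transactions_vulnerable(authenticated_user: str, account_id: str) -> Response:
    """IDOR: trusts the path parameter and never checks who owns the account."""
    if account_id not in TRANSACTIONS:
        return Response(404, {"error": "not found"})
    return Response(200, TRANSACTIONS[account_id])


def authorize_account_access(authenticated_user: str, account_id: str) -> Optional[Response]:
    """Central ownership check reused by every account-scoped endpoint.

    Ownership is looked up server-side from the authenticated identity, never
    from anything the client sent. Returns a denial Response, or None if allowed.
    """
    owner = ACCOUNT_OWNER.get(account_id)
    if owner is None:
        return Response(404, {"error": "not found"})
    if owner != authenticated_user:
        # Some APIs answer 404 here as well so a caller cannot confirm that an
        # account id exists; 403 is used here to make the denial explicit.
        return Response(403, {"error": "forbidden"})
    return None


def get_transactions(authenticated_user: str, account_id: str) -> Response:
    """Hardened handler: the same request, now gated by the ownership check."""
    denied = authorize_account_access(authenticated_user, account_id)
    if denied is not None:
        return denied
    return Response(200, TRANSACTIONS[account_id])
```

Calling `get_transactions("bob", "acct-100")` returns 403 where the vulnerable handler returned alice's transactions.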
