
Comprehensive Guide to Threat Modeling for REST APIs

Original Post: Threat Modeling Rest API. Rest API Basics | by Mamta Upadhyay | Jul, 2024

The post describes how web services let a client and a server communicate over HTTP, exchanging data in formats such as XML and JSON (JSON being the common choice for REST APIs). It explains that REST is an architectural style that supports multiple data formats and defines a uniform interface in which resources are addressed by URIs.

It also outlines why REST APIs must be secured: by assessing security threats and by using authentication mechanisms (such as HTTP Basic, JWT and OAuth2) and tokens for programmatic access. The threat modeling process is then detailed, starting with identifying threat agents (e.g., unauthenticated users, authenticated malicious users, insiders) and critical assets (e.g., API endpoints, data at rest and in transit, authentication/authorization mechanisms, access tokens, infrastructure).

The discussion proceeds with a detailed analysis of potential threats (e.g., SQL injection, CORS misconfigurations, spoofing, XSS, CSRF), mapping them onto the STRIDE model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), and assessing each threat's impact (on confidentiality, integrity and availability) and likelihood. Risk levels are then calculated from impact and likelihood.
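As an added example (not code from the original post), the STRIDE mapping and impact-times-likelihood scoring described above, applied to the threat agents, assets and threats the guide lists. The 3-point scales, the risk buckets and the sample register entries are assumptions made here for illustration.

```python
from dataclasses import dataclass

# Hypothetical 3-point ordinal scale for impact and likelihood (an assumption, not the guide's).
SCALE = {"low": 1, "medium": 2, "high": 3}
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation", "I": "Information Disclosure",
          "D": "Denial of Service", "E": "Elevation of Privilege"}

@dataclass
class Threat:
    name: str
    agent: str        # threat agent, e.g. unauthenticated user, insider
    asset: str        # affected asset, e.g. API endpoint, access tokens
    stride: str       # STRIDE letters this threat maps to
    impact: dict      # impact on confidentiality / integrity / availability
    likelihood: str

def impact_score(threat):
    """Worst-case impact across the three CIA properties."""
    return max(SCALE[level] for level in threat.impact.values())

def risk_score(threat):
    """Risk = impact x likelihood, a 1..9 score."""
    return impact_score(threat) * SCALE[threat.likelihood]

def risk_level(score):  # bucket the 1..9 score into the register's three levels
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def risk_register(threats):
    """Rows of (name, STRIDE categories, score, level), highest risk first."""
    rows = [(t.name, [STRIDE[c] for c in t.stride], risk_score(t), risk_level(risk_score(t)))
            for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register covering the threats the guide names.
THREATS = [
    Threat("SQL injection via query parameter", "unauthenticated user", "API endpoint, data at rest",
           "TI", {"confidentiality": "high", "integrity": "high", "availability": "medium"}, "high"),
    Threat("Stolen access token replayed", "authenticated malicious user", "access tokens",
           "SE", {"confidentiality": "high", "integrity": "medium", "availability": "low"}, "medium"),
    Threat("Permissive CORS configuration", "unauthenticated user", "API endpoint",
           "I", {"confidentiality": "medium", "integrity": "low", "availability": "low"}, "medium"),
    Threat("Stored XSS in a user-supplied field", "authenticated malicious user", "data at rest",
           "TI", {"confidentiality": "medium", "integrity": "medium", "availability": "low"}, "medium"),
    Threat("CSRF on cookie-authenticated endpoint", "unauthenticated user", "authentication mechanism",
           "ST", {"confidentiality": "low", "integrity": "medium", "availability": "low"}, "low"),
]

if __name__ == "__main__":
    for name, cats, score, level in risk_register(THREATS):
        print(f"{level:6} {score}  {name}  [{', '.join(cats)}]")
```

Because the score takes the worst-case CIA impact, a threat that only weakly affects two properties but severely affects the third still ranks high, which is the conservative behaviour wanted in a register.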

Security measures should include securing code repositories, correct configuration, secure authentication and authorization methods, and regular audits using techniques such as secure code review, penetration testing, and static and dynamic code analysis. The piece emphasizes that threat modeling should be an ongoing process integrated into every stage of the software development lifecycle.
