Sep 1, 2023
Ep 2: Ashwani Mahajan from SoFi explores critical security practices for API security
API Security: the good, the bad, the ugly. This time with Ankita Gupta & Ashwani Mahajan.
Join Ankita Gupta, founder of Akto, as she hosts Ashwani Mahajan, a seasoned application security engineer from SoFi, a leading fintech firm. This episode is a deep dive into the realm of API security and the critical elements to keep in mind before rolling out into production.
For additional resources - check out this webinar by Akto on API Security in DevSecOps.
Some Key Takeaways:
Communication is King: Ashwani highlights the indispensability of seamless communication with stakeholders. Aligning with the code warriors, the engineering teams, is the first step to an integrated security approach.
Know Your APIs: An inventory that maps out all existing APIs and those in the pipeline is foundational. Keeping an eye on third-party services integration is equally pivotal.
Tooling Matters: For holistic API security, investing in top-notch tools that detect intricate attacks and spot security misconfigurations is essential.
Talk to Your Developers: Beyond just tools, Ashwani underscores the essence of nurturing a symbiotic relationship with developers—education, resources, documentation, and constructive feedback loop are the cornerstones.
Act, Analyze & Amend: The discovery of a vulnerability is just the beginning. Grading its severity and acting accordingly is crucial. Post-remediation analysis helps understand the 'how' and 'why' of the breach, preventing future lapses.
Developer's Toolkit: From the nitty-gritty of authentication and authorization to the vital aspects of input validation and sanitization, Ashwani shares pro-tips for developers.
Third-party API Security: The world of third-party APIs presents its own set of challenges. The key is to comprehend their integration purpose, be well-acquainted with their docs, keep a tab on data-sharing protocols, and always ensure updated encryption and dependencies.
Golden Advice for Newbies: To budding security engineers, Ashwani’s wisdom? Immerse yourself in the business. A keen understanding of the company's heart and soul—its operations and services—sets the stage for a foolproof security strategy.