Security researcher David Sopas has published a new open-source project: MindAPI, a mind map with resources for making API security research easier.
“I love mind maps. They help me create a fine-tuned methodology and keep the mind organized,” he told Help Net Security. “After years of using it, I decided to implement my API security research experience and apply it on something that I could share not only with the infosec community, but also with developers.”
API security concerns are hindering new application rollouts. It’s understandable, as the risks associated with insecure APIs are many.
MindAPI has a simple structure and can be viewed in a browser.
It’s divided into two sections: Reconnaissance and Testing (which follows OWASP API Security Top 10 guidelines and other security guides).
It links to guidelines, open-source tools and documentation that can help developers, security researchers, pentesters and even bug bounty hunters, Sopas says.
“On the developer side they can test and secure their modern applications from attackers. Security people could use it to hack APIs on their daily assessments.”
The project also lists and links to a variety of resources – talks, educational videos, how-to guides, interesting write-ups, intentionally vulnerable apps, and more.
Sopas plans to expand MindAPI with some help from the open source community.
“This is a never-ending project. New open-source tools are being released each day, new API technologies are being created, and MindAPI needs to be updated to include them,” he added.
Any additional advice for researchers looking into API security?
“Start with the OWASP API security project. Following the most common vulnerabilities will help find issues on an API,” he said.
“Also, don’t think that by using third-party APIs an application is secure – always apply a layer of protection on top of it.”