{"id":97141,"date":"2024-08-05T14:17:02","date_gmt":"2024-08-05T14:17:02","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=learn&#038;p=97141"},"modified":"2024-11-05T07:09:57","modified_gmt":"2024-11-05T07:09:57","slug":"ultimate-guide-to-api-security","status":"publish","type":"learn","link":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/","title":{"rendered":"Ultimate guide to API Security 2024"},"content":{"rendered":"<h2 class=\"article-anchor\" id=\"article-anchor-1\">Summary<\/h2>\n<blockquote>\n<p><span style=\"font-weight: 400;\">API security is the practices and technologies used to protect APIs from being exploited. It protects data, helps prevent malicious actors from exploiting API vulnerabilities and helps meet compliance requirements.<\/span><\/p>\n<\/blockquote>\n<h2 class=\"article-anchor\" id=\"article-anchor-2\"><strong>What is API Security? The Ultimate Guide<\/strong><\/h2>\n<h3><strong>What are APIs?<\/strong><\/h3>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-97145\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Hero_API-1536x1352-1-1024x901.webp\" alt=\"api security image\" width=\"1024\" height=\"901\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Hero_API-1536x1352-1-1024x901.webp 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Hero_API-1536x1352-1-300x264.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Hero_API-1536x1352-1-768x676.webp 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Hero_API-1536x1352-1.webp 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">APIs (Application Programming Interfaces) are software intermediaries that enable one application to access features or data of another application without them having to understand its internal workings. This is done by determining communication rules and protocols. 
APIs support operations like retrieving data, initiating processes, or performing various functions. With APIs, developers can build or update functionalities and improve integrations across different systems at scale and in an accelerated manner.<\/span><\/p>\n<h2 class=\"article-anchor\" id=\"article-anchor-3\"><strong>What is API Security?<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">API security refers to the practices and technologies used to protect APIs from being exploited. This involves several layers of security:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Authentication<\/b><span style=\"font-weight: 400;\"> &#8211; Verifying that the parties requesting access to the API are who they claim to be.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Authorization<\/b><span style=\"font-weight: 400;\"> &#8211; Ensuring that the authenticated party has permission to perform the requested actions.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Encryption<\/b><span style=\"font-weight: 400;\"> &#8211; Protecting data in transit and at rest from interception or tampering.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Rate Limiting<\/b><span style=\"font-weight: 400;\"> &#8211; Preventing abuse and denial-of-service attacks by limiting how often a user or service can make requests.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Logging and Monitoring<\/b><span style=\"font-weight: 400;\"> &#8211; Keeping records of API usage to detect and respond to potential security threats or policy violations.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Data Validation<\/b><span style=\"font-weight: 400;\"> &#8211; Ensuring that the data received from an API is correct and safe to process. 
This helps prevent common attacks such as SQL injection or cross-site scripting (XSS).<\/span>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">API security should cover all API endpoints, in real time and at the code level. Otherwise, enterprises will find themselves with risks from Shadow APIs or lacking visibility into their endpoints.<\/span><\/p>\n<h2 class=\"article-anchor\" id=\"article-anchor-4\"><strong>Why is API Security Important?<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">APIs accelerate and scale the operation of cloud-based applications, from mobile apps to SaaS applications. They often manage sensitive information, including personal data, financial information, proprietary business insights and application logic. APIs can also act as access points to the underlying systems and services.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Securing APIs ensures that enterprise data is safely transmitted and remains accessible only to those with proper authorization. It also helps prevent malicious actors from exploiting API vulnerabilities that could allow them to modify system operations, introduce harmful code, or disrupt service availability. Such security breaches could adversely affect not only the enterprise but also its partners, vendors and customers.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition, regulatory frameworks such as GDPR, HIPAA, and PCI DSS require stringent API data security measures. 
Non-compliance can result in hefty fines and legal issues.<\/span><\/p>\n<h2 class=\"article-anchor\" id=\"article-anchor-5\"><strong>What are Common API Security Threats and Attacks?<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">The risk to enterprises through APIs can result from the following threats:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Broken Object Level Authorization (BOLA)<\/b><span style=\"font-weight: 400;\"> &#8211; When an API does not properly enforce user permissions at the level of specific objects or resources. Attackers can exploit this by altering the ID of an object that the API request targets, allowing them to access or manipulate resources.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Broken Authentication<\/b><span style=\"font-weight: 400;\"> &#8211; When API authentication mechanisms are improperly implemented, attackers can authenticate using weak or stolen credentials or exploit flaws such as insufficiently protected API keys. Then, they can gain unauthorized access to systems.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Excessive Data Exposure<\/b><span style=\"font-weight: 400;\"> &#8211; When APIs expose more data than necessary. Developers often rely on clients to filter the data before displaying it to the user, but if an attacker can access the API directly, they might retrieve sensitive information not intended for exposure.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Lack of Rate Limiting<\/b><span style=\"font-weight: 400;\"> &#8211; When APIs are overwhelmed with a high volume of requests, leading to denial-of-service (DoS).<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Security Misconfiguration<\/b><span style=\"font-weight: 400;\"> &#8211; Mistakes such as incorrect security headers, overly verbose error messages containing sensitive information and misconfigured HTTP methods. 
These misconfigurations can provide attackers with unnecessary insights into the system&#8217;s architecture that allow them to exploit vulnerable endpoints.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Injection Flaws<\/b><span style=\"font-weight: 400;\"> &#8211; When malicious data sent in requests leads to undesired actions, such as SQL injection, Command Injection, etc. These can result in data breaches or loss of data integrity.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Improper Assets Management<\/b><span style=\"font-weight: 400;\"> &#8211; Improper tracking and securing of the assets APIs access (databases, files, etc.), allowing unauthorized access and data leaks.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Insufficient Logging &amp; Monitoring<\/b><span style=\"font-weight: 400;\"> &#8211; Inadequate logging of API activities and insufficient monitoring for unusual activities. This can prevent the timely detection of security breaches, allowing attackers to exploit APIs without detection for long periods of time.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Shadow APIs<\/b><span style=\"font-weight: 400;\"> &#8211; Undocumented APIs or the use of other APIs that are not officially recognized or managed. Because they aren\u2019t part of the official IT infrastructure, Shadow APIs aren\u2019t subject to the usual security protocols, oversight, or maintenance that sanctioned APIs receive. This makes them more susceptible to security vulnerabilities.<\/span>\n<\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-6\"><strong>Methods for API Security Testing<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">API security testing enables identifying API vulnerabilities that could be exploited. 
Here are some common methods used:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Static Application Security Testing (SAST)<\/b><span style=\"font-weight: 400;\"> &#8211; Scanning and analyzing the API source code for patterns that are known to lead to security issues, such as hard-coded passwords or SQL injection flaws. <\/span><a href=\"https:\/\/checkmarx.com\/cxsast-source-code-scanning\/\"><span style=\"font-weight: 400;\">SAST<\/span><\/a><span style=\"font-weight: 400;\"> is used to detect security vulnerabilities at an early stage of the software development lifecycle.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Dynamic Application Security Testing (DAST)<\/b><span style=\"font-weight: 400;\"> &#8211; Unlike SAST, <\/span><a href=\"https:\/\/checkmarx.com\/checkmarx-dast\/\"><span style=\"font-weight: 400;\">DAST<\/span><\/a><span style=\"font-weight: 400;\"> tools test the API while it is running. DAST can detect issues like runtime errors and vulnerabilities in authentication, authorization and data handling processes.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Interactive Application Security Testing (IAST) <\/b><span style=\"font-weight: 400;\">&#8211; <\/span><a href=\"https:\/\/checkmarx.com\/product\/application-security-platform\/\"><span style=\"font-weight: 400;\">IAST<\/span><\/a><span style=\"font-weight: 400;\"> combines elements of both SAST and DAST to provide a more comprehensive analysis. 
It involves monitoring the behavior of the API during normal usage and testing.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Penetration Testing &#8211;<\/b><span style=\"font-weight: 400;\"> Penetration testing, or pen testing, involves attempting to exploit vulnerabilities in an API by mimicking attacks to determine what information and access can be gained.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Fuzz Testing<\/b><span style=\"font-weight: 400;\"> &#8211; Fuzz testing, or fuzzing, is a technique used to discover coding errors and security loopholes in software by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. Fuzzing is effective in finding memory leaks, handling errors and more complex vulnerabilities that other types of testing might not catch.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Threat Modeling<\/b><span style=\"font-weight: 400;\"> &#8211; This is a proactive approach where potential threats and vulnerabilities are identified and mitigated in the design phase of API development. Threat modeling involves defining security requirements, identifying potential threats and designing countermeasures to prevent or mitigate these threats.<\/span>\n<\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-7\"><strong>The API Security Checklist<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">Creating a comprehensive API security checklist can help make these practices actionable. 
Here\u2019s a detailed checklist to ensure your APIs remain secure:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Define security requirements in the initial stages of API development.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Follow API design security guidelines and frameworks, like OWASP Top 10 for APIs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Conduct regular threat modeling sessions during the API design phase to anticipate potential security vulnerabilities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use robust authentication methods like OAuth, OpenID Connect, or API keys to control access.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Implement RBAC to ensure users have access only to the resources necessary for their roles.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Store API keys securely, avoid hardcoding them in your application and rotate them regularly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use TLS to secure data during transmission.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use strong encryption standards to protect data stored on servers.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Ensure encryption keys are stored securely and managed properly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span 
style=\"font-weight: 400;\">Check all API inputs against a strict schema to prevent injection attacks.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use data sanitization methods to prevent malicious data from affecting your servers or database.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Implement rate limiting to prevent denial-of-service attacks and API abuse.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use throttling and slow down API request speed in real time based on usage patterns to control traffic.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Maintain detailed logs of API traffic and monitor them for unusual activities that could indicate a breach.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Implement real-time monitoring tools to detect and respond to security threats swiftly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use an API gateway that can handle authentication, rate limiting, and other security policies.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Set up your API gateway to be the enforcer for security policies like authentication and access control.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use HTTP headers like Content Security Policy, X-Frame-Options, and X-XSS-Protection to enhance security.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Ensure Cross-Origin 
Resource Sharing (CORS) settings are configured correctly to protect against unauthorized API requests.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Conduct regular security audits of your API and its security measures.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Periodically pen test your API with simulated attacks to identify and rectify vulnerabilities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Regularly update and patch all your software and dependencies to protect against known vulnerabilities.<\/span><\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-8\"><strong>How to Keep API Security Knowledge Updated<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">Keeping your API security knowledge up-to-date is an inseparable part of your security strategy. Here are some strategies to stay informed and enhance your API security expertise:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enroll in cybersecurity courses that focus on API security.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Participate in cybersecurity and API-specific conferences, seminars and webinars. OWASP conferences, API World and Black Hat provide valuable insights into the latest security threats and networking opportunities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<span style=\"font-weight: 400;\">Subscribe to reputable cybersecurity publications, blogs, and newsletters. 
Websites like Security Boulevard, CSO Online, Krebs on Security and the <\/span><a href=\"https:\/\/checkmarx.com\/blog\/\"><span style=\"font-weight: 400;\">Checkmarx newsletter<\/span><\/a><span style=\"font-weight: 400;\"> regularly publish articles on the latest security trends and threats. Additionally, reading academic journals can provide deeper insights into new research and developments.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Join cybersecurity and API development communities and forums, such as those found on Reddit, Stack Overflow, and LinkedIn groups. You can share knowledge, ask questions and learn how peers are handling security challenges.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Follow industry leaders and security experts on social media platforms like X (Twitter) and LinkedIn for commentary and resources.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Make use of tools and platforms that offer security testing and monitoring. Many of these tools also provide updates and alerts on new vulnerabilities, which can help in staying informed about potential threats.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Regularly perform security audits and code reviews to identify and rectify vulnerabilities. 
This practice not only enhances security but also reinforces your knowledge through practical application.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Obtain certifications related to API security and general cybersecurity.<\/span><\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-9\"><strong>API Security Best Practices<\/strong><\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Enable HTTPS<\/b><span style=\"font-weight: 400;\"> &#8211; Secure data transmission between clients and the API server using HTTPS to prevent man-in-the-middle attacks. This will ensure the safe transfer of sensitive data such as authentication tokens and personal information.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Strengthen Authentication and Authorization<\/b><span style=\"font-weight: 400;\"> &#8211; Use robust mechanisms like OAuth, API keys and JWT for authentication, and implement RBAC or ABAC for authorization, to manage access to your APIs effectively.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Data Validation and Sanitization<\/b><span style=\"font-weight: 400;\"> &#8211; Check and cleanse all input data to protect against common security vulnerabilities like SQL injection, cross-site scripting (XSS) and command injection attacks.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Implement Rate Limiting<\/b><span style=\"font-weight: 400;\"> &#8211; Set limits on the number of requests a user can make to an API within a specified timeframe. 
This will prevent DoS attacks and ensure API availability.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Utilize API Gateways<\/b><span style=\"font-weight: 400;\"> &#8211; Employ API gateways to manage SSL\/TLS termination, authentication, rate limiting and IP whitelisting.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Secure All Endpoints<\/b><span style=\"font-weight: 400;\"> &#8211; Ensure comprehensive security across all API endpoints, including less obvious or undocumented ones, to prevent unauthorized access and potential backdoor exploits.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Secure All Dependencies<\/b><span style=\"font-weight: 400;\"> &#8211; Ensure security across third-party APIs, which can introduce vulnerabilities through the supply chain.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Encrypt Stored Data &#8211;<\/b><span style=\"font-weight: 400;\"> Protect data stored by the API from unauthorized access and breaches by using strong encryption standards and securely managing encryption keys.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Monitor and Log API Activity <\/b><span style=\"font-weight: 400;\">&#8211; Continuously monitor API usage and maintain logs to detect, troubleshoot and investigate suspicious activities or security incidents.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Update and Patch Regularly<\/b><span style=\"font-weight: 400;\"> &#8211; Keep APIs and their dependencies up-to-date to defend against known vulnerabilities. 
Stay informed about new security issues and patches through security feeds and automated tools.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Implement Security Headers<\/b><span style=\"font-weight: 400;\"> &#8211; Use security headers like CSP to prevent XSS attacks, X-Content-Type-Options to block MIME-sniffing, and HSTS (HTTP Strict Transport Security) to enforce secure connections.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Adopt an API Security Solution <\/b><span style=\"font-weight: 400;\">&#8211; Consider integrating a comprehensive API security solution like Checkmarx One to help detect and address API vulnerabilities early in the development cycle.<\/span>\n<\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-10\"><strong>The Role of API Security in the SDLC<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">By embedding API security practices into the SDLC, developers can find and fix vulnerabilities earlier. 
This starts by shifting left and integrating security practices into the initial stages of development:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Using automated tools for static code analysis and vulnerability scanning can help identify potential issues as the code is written.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Incorporating these tools into the CI\/CD pipeline ensures continuous monitoring and immediate feedback on code changes, allowing developers to address vulnerabilities promptly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Conducting threat modeling and security reviews during the design phase can preemptively address potential vulnerabilities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Regular code reviews help recognize API vulnerabilities and assist in promoting secure development practices.<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Make It Easier for Developers to Fix Vulnerabilities<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">As a security professional, you can encourage development cooperation by recommending user-friendly security tools that integrate directly into the development workflow and CI\/CD pipelines. These are tools that provide clear, actionable feedback on identified vulnerabilities and help developers quickly understand and address issues without disrupting their ongoing tasks. Additionally, automation reduces the burden on developers to manually search for issues.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another effective approach is to foster a security-first culture within the development team. This can be achieved by offering ongoing security training and ensuring developers are well-versed in secure coding practices. 
When developers understand the common pitfalls and best practices, they are better equipped to identify and fix vulnerabilities.<\/span><\/p>\n<h2 class=\"article-anchor\" id=\"article-anchor-11\"><span style=\"font-weight: 400;\">Standalone API Security Solution vs. Appsec Platform<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">When considering API security, organizations often face the decision between using standalone API security solutions or integrating these protections within a broader AppSec platform. Each approach has its advantages and considerations. Here\u2019s how to decide:<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Comparing Types of API Security Solutions<\/span><\/h3>\n<table>\n<tbody>\n<tr>\n<td>\u00a0<\/td>\n<td><b>Standalone API Security Solutions<\/b><\/td>\n<td><b>AppSec Platforms<\/b><\/td>\n<\/tr>\n<tr>\n<td><b>Scope<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Solely API protection. Might miss broader application security issues that could affect the APIs indirectly.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">A holistic approach covering the entire application ecosystem.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Integrations<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Requires additional work to ensure seamless data sharing and threat detection response across systems.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Built-in integration improves response times to security incidents and streamlines security policy enforcement.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>User Experience<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Easy for teams to manage API security without the complexities of a larger platform.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">A single pane of glass for security management, simplifying security operations.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u00a0<\/p>\n<p><span style=\"font-weight: 400;\">The decision between a standalone API security solution and an 
integrated AppSec platform often depends on the specific needs and resources of the organization. Here are a few considerations:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Organizational Focus<\/b><span style=\"font-weight: 400;\"> &#8211; If an organization\u2019s primary exposure to risk is through APIs, a standalone API security solution might be sufficient. However, if the organization is an enterprise managing a diverse and complex application landscape, an AppSec platform is probably necessary.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Resource Availability<\/b><span style=\"font-weight: 400;\"> &#8211; Smaller organizations or teams with limited cybersecurity resources may benefit from the simplicity and direct focus of standalone tools, while larger organizations might be able to leverage the comprehensive features of a full AppSec platform and see high ROI.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Regulatory Requirements<\/b><span style=\"font-weight: 400;\"> &#8211; Organizations in highly regulated industries might find that AppSec platforms offer more in terms of compliance tools and reporting features that can help meet stringent security requirements.<\/span>\n<\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-12\"><span style=\"font-weight: 400;\">Leveraging Infrastructure as Code (IaC) for API Security<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Infrastructure as Code (IaC) practices can help secure APIs. 
They allow:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automated deployment of security policies across all API deployments, ensuring consistent security standards are maintained.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Version-controlling API security configurations along with the API&#8217;s code, allowing easy tracking of changes and quick rollback if needed.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Immutable infrastructure, where any change requires redeploying a new instance. This reduces the risk of runtime attacks on APIs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Defining and tracking security configurations in code.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Scaling security configurations up or down automatically based on the deployment size and requirements.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Visibility into the infrastructure and security layers, helping teams understand and manage security risks more effectively.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Minimization of human errors that can occur during manual setup of API security measures.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The establishment of a &#8220;security as code&#8221; culture within organizations.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Encouragement of DevSecOps practices, to fortify API security throughout the development cycle.<\/span><\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-13\"><span style=\"font-weight: 400;\">How Checkmarx One Helps Secure Your 
APIs<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">APIs are spread across your organization, making them hard to track, manage and secure. Checkmarx One provides <\/span><span style=\"font-weight: 400;\">a comprehensive approach to <a href=\"https:\/\/checkmarx.com\/product\/api-security\/\">API security<\/a><\/span><span style=\"font-weight: 400;\">. While other solutions provide limited visibility or only real-time security, we discover <\/span><i><span style=\"font-weight: 400;\">all<\/span><\/i><span style=\"font-weight: 400;\"> APIs as early as code so security issues can be promptly addressed in the SDLC. With Checkmarx One, AppSec teams no longer need multiple API-specific tools.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Capabilities include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Automated API discovery<\/b><span style=\"font-weight: 400;\"> &#8211; Identification of API endpoints without necessitating manual API definition or registration by AppSec teams or developers.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Comprehensive API inventory<\/b><span style=\"font-weight: 400;\"> &#8211; Discovering newly created or updated APIs as developers check in or compile the source code as early as possible in the software development cycle.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Identification of Unknown APIs<\/b><span style=\"font-weight: 400;\"> &#8211; Comparing the full API inventory of an application with its API documentation to identify unknown, Shadow and Zombie APIs.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Prioritized Remediation<\/b><span style=\"font-weight: 400;\"> &#8211; Helping developers and AppSec teams to solve the most critical issues by prioritizing API vulnerabilities based on their real impact and risks.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>Complete Application 
Coverage<\/b><span style=\"font-weight: 400;\"> &#8211; Providing a single AST solution for the entire application, which may have API- and non-API-based components, for a holistic view of security risk and prioritization for vulnerability remediation.<\/span>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<b>True Shift-left Approach<\/b><span style=\"font-weight: 400;\"> &#8211; Discovering APIs in application source code to identify and fix problems early in the software development cycle.<\/span>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Learn more about Checkmarx API Security <\/span><a href=\"https:\/\/checkmarx.com\/request-a-demo\/\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n\n<section class=\"section-block-info light-theme\">\n    <div class=\"main-wrapper block-info__wrapper\">\n        <div class=\"block-info center\">\n\t\t\t\n\t\t\t<h2 class=\"section-title article-anchor\" id=\"article-anchor-14\">Discover How Checkmarx makes securing APIs easier<\/h2>\t\t\t<p class=\"section-description\">Book your custom demo and learn what makes our API security tool the right match for your enterprise.<\/p>\n\t\t\t<div class=\"actions\">\n\t\t\t\t        <a href=\"https:\/\/checkmarx.com\/product\/api-security\/\" class=\"btn btn-2 btn-bg white demo\">Book a Custom Demo<\/a>\n        \t\t\t\t        <a href=\"https:\/\/checkmarx.com\/resources\/ebooks\/a-guide-to-modern-api-security\/\" class=\"btn btn-2 btn-bg border-2 demo\">Download &#8220;Guide to Modern API Security&#8221;<\/a>\n        \t\t\t<\/div>\n        <\/div>\n    <\/div>\n<\/section>","protected":false},"author":84,"featured_media":97193,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":true,"footnotes":""},"learn-cat":[851],"class_list":["post-97141","learn","type-learn","status-publish","has-post-thumbnail","hentry","learn-cat-api-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the 
Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Ultimate guide to API Security 2024 - Checkmarx<\/title>\n<meta name=\"description\" content=\"API security - Everything you need for all API endpoints, including in the code. Get tools, best practices and solutions to eliminate API risk\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ultimate guide to API Security 2024 - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"API security - Everything you need for all API endpoints, including in the code. Get tools, best practices and solutions to eliminate API risk\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-05T07:09:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1792\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/\"},\"author\":{\"name\":\"Avi Hein\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/3546917fa0246ce4d997275a745acd79\"},\"headline\":\"Ultimate guide to API Security 2024\",\"datePublished\":\"2024-08-05T14:17:02+00:00\",\"dateModified\":\"2024-11-05T07:09:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/\"},\"wordCount\":2774,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/\",\"url\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/\",\"name\":\"Ultimate guide to API Security 2024 - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg\",\"datePublished\":\"2024-08-05T14:17:02+00:00\",\"dateModified\":\"2024-11-05T07:09:57+00:00\",\"description\":\"API security - Everything you need 
for all API endpoints, including in the code. Get tools, best practices and solutions to eliminate API risk\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg\",\"width\":1792,\"height\":1024,\"caption\":\"API Security Hero image\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/Che
ckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/3546917fa0246ce4d997275a745acd79\",\"name\":\"Avi Hein\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_84.png\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_84.png\",\"caption\":\"Avi Hein\"},\"url\":\"https:\/\/checkmarx.com\/author\/avihein\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ultimate guide to API Security 2024 - Checkmarx","description":"API security - Everything you need for all API endpoints, including in the code. Get tools, best practices and solutions to eliminate API risk","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/","og_locale":"en_US","og_type":"article","og_title":"Ultimate guide to API Security 2024 - Checkmarx","og_description":"API security - Everything you need for all API endpoints, including in the code. Get tools, best practices and solutions to eliminate API risk","og_url":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2024-11-05T07:09:57+00:00","og_image":[{"width":1792,"height":1024,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/"},"author":{"name":"Avi Hein","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/3546917fa0246ce4d997275a745acd79"},"headline":"Ultimate guide to API Security 2024","datePublished":"2024-08-05T14:17:02+00:00","dateModified":"2024-11-05T07:09:57+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/"},"wordCount":2774,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/","url":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/","name":"Ultimate guide to API Security 2024 - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg","datePublished":"2024-08-05T14:17:02+00:00","dateModified":"2024-11-05T07:09:57+00:00","description":"API security - Everything you need for all API endpoints, including in the code. 
Get tools, best practices and solutions to eliminate API risk","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/learn\/api-security\/ultimate-guide-to-api-security\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/08\/Ultimate-guide-to-API-Security-2024-v2.jpg","width":1792,"height":1024,"caption":"API Security Hero image"},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/3546917fa0246ce4d997275a745acd79","name":"Avi 
Hein","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_84.png","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_84.png","caption":"Avi Hein"},"url":"https:\/\/checkmarx.com\/author\/avihein\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn\/97141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/learn"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/84"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn\/97141\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/97193"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=97141"}],"wp:term":[{"taxonomy":"learn-cat","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/learn-cat?post=97141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}