Slide 28
🔎 Run an ASVS audit
Some checks are specifically interesting for APIs (e.g. IDOR, schema validation, etc.)
Boost your APIʼs security quickly
Focus on high value items

🏭 Boost your CI security
SCA, Secret Detection, SAST

🧪 Invest in security testing
Deploy a DAST & a bug bounty program
➔ Donʼt hire external help for this
➔ Youʼll find design issues, race conditions, broken rate limiting, broken authorisation etc.
➔ Fixing them will take a while, thatʼs ok

GitGuardianʼs advice
➔ Introduce Security CI jobs to PR pipelines
➔ Allow failure, monitor failure rates, help engineers avoid them
➔ Make security checks blocking, then fix issues in the main branch
➔ Feed the DAST your OpenAPI file, fix findings
➔ A bug bounty program will cost you time and money, but will increase security testing coverage significantly
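The staged rollout in the advice above (security jobs on PR pipelines, non-blocking first, then blocking, DAST fed with the OpenAPI file) as one GitLab CI fragment. This is an added example, not from the slide deck or from GitGuardian; it assumes GitLab CI, the gitguardian/ggshield image, a masked GITGUARDIAN_API_KEY CI variable, and the variable names of GitLab's DAST API template (DAST_API_OPENAPI, DAST_API_TARGET_URL), which are taken as assumptions here.

```yaml
# Added example (not from the slides). Merge-request pipeline with the
# security jobs rolled out in two phases:
#   phase 1: allow_failure: true  -> findings are reported, merges not blocked,
#            failure rates can be monitored and engineers coached
#   phase 2: allow_failure: false -> once the main branch is clean, the same
#            jobs become blocking gates
include:
  - template: Security/SAST.gitlab-ci.yml                 # SAST
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # SCA
  - template: Security/DAST-API.gitlab-ci.yml             # DAST driven by OpenAPI

stages:
  - test
  - dast

# Shared rollout settings: run on PR (merge request) pipelines only,
# and toggle allow_failure when moving from phase 1 to phase 2.
.security_rollout:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  allow_failure: true   # phase 1; change to false for phase 2

# Secret detection with ggshield (GitGuardian CLI). Assumes the
# GITGUARDIAN_API_KEY variable is defined as a masked CI/CD variable.
secret_detection_ggshield:
  extends: .security_rollout
  stage: test
  image: gitguardian/ggshield:latest
  script:
    - ggshield secret scan ci

# DAST: point the scanner at the API's own OpenAPI description so it
# exercises every documented route. Target URL and spec path are
# placeholders to adapt to the project (assumed variable names).
dast_api:
  extends: .security_rollout
  stage: dast
  variables:
    DAST_API_OPENAPI: openapi.yaml
    DAST_API_TARGET_URL: https://staging.example.invalid
```

Template jobs (sast, dependency_scanning, dast_api) keep their own defaults unless overridden as above, so check each template's documentation before relying on this rollout for them.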