
Securing APIs and Chaos Engineering

Abstract

Suppose information security starts to embrace the reality that failure will happen. In that case, we can move from trying to build the perfectly secure system to asking questions like “how much vulnerability do I have and what control do I need to be effective?” This paper proposes Security Chaos Engineering as a method to expose API vulnerabilities and enhance API security. RESTful APIs have gained popularity in recent years due to their reusability, flexibility and natural adaptation to modern web applications, mobile applications, and cloud computing. However, ensuring secure API/data access, and hence mitigating reputational and/or financial damage to the organization, is still in its early stages. Foundational security protection mechanisms include transport layer security and authentication/authorization of the consumer (either an individual or an application). To complete the spectrum of secure API access and provide advanced protection, there is much more to consider: mitigation of API-specific vulnerabilities at design and implementation time. API security using Chaos Engineering is an approach for learning about a system’s security behaviour when using APIs by applying empirical exploration. Security Chaos Engineering is the discipline of experimenting to build confidence in the system’s security and to see how a system can withstand threats in production. Security Chaos Engineering isn’t about creating chaos. It is about making the security chaos inherent in the system visible.

Authors

Sharieh S; Ferworn A

Volume

00

Pagination

pp. 290-294

Publisher

Institute of Electrical and Electronics Engineers (IEEE)

Publication Date

October 6, 2021

DOI

10.1109/cns53000.2021.9705049

Name of conference

2021 IEEE Conference on Communications and Network Security (CNS)