
Arpit Mohan


Security tips for APIs & MongoDB

TL;DR notes from articles I read today.

Ways to hack an API and how to defend

  • Use base-level encryption so that functionality keeps operating as expected while the relationships between data are obscured, which defends against reverse engineering.
  • To defend against spoofing, encrypt all traffic in transit so that anything captured is only “noise”. Another option is to set up a pre-configured server certificate that is trusted by the API and to let a handshake go through only when the certificate passes. You could also use two-factor authentication to prevent attacks from the user perspective.
  • Ensure proper session management. Invalidate sessions once a user passes the idle timeout or logs out, and set an absolute session lifespan so that every session terminates at a fixed point.
  • Enforce API-level security with opt-in heuristic systems that detect when a user is coming from an unknown machine or an unknown location, or when there is any other deviation from known behavior.

Full post here, 11 mins read

Security best practices for MongoDB

  • MongoDB doesn’t have access control enabled by default. You must enable it. Also, configure RBAC (role-based access control).
  • Configure Transport Layer Security to encrypt all traffic to and from the database.
  • Use at-rest encryption to protect the contents of the DB in the event that someone is able to copy the database files (from a backup, for instance) or the server image.
  • Restrict network exposure to tighten the security of the network topology that hosts the MongoDB database.
  • Use official MongoDB package repositories. Ensure that the packages are official MongoDB packages and pass the authenticity checks.
  • Disable JavaScript execution where possible. The troublesome operators $where, mapReduce, and group can be incredibly dangerous.
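As an added example (not from the post or the linked article), a mongod.conf that applies the access-control, TLS, at-rest encryption, network-exposure and JavaScript bullets above; the file paths and the second bind address are placeholders.

```yaml
# mongod.conf: hardened settings for the points above (added example).
# Paths and the 10.0.0.5 address are placeholders; option names are real mongod options.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5        # weak: 0.0.0.0 exposes the port on every interface
  tls:
    mode: requireTLS                # weak: disabled (queries and credentials cross the wire in cleartext)
    certificateKeyFile: /etc/mongodb/tls/mongod.pem   # placeholder: server private key + certificate
    CAFile: /etc/mongodb/tls/ca.pem                   # placeholder: CA used to validate client certificates
security:
  authorization: enabled            # weak default: disabled; turns on RBAC, so every client must authenticate
  javascriptEnabled: false          # weak default: true; blocks $where, mapReduce and other server-side JS
  # At-rest encryption below is MongoDB Enterprise only; on Community Edition delete
  # these two keys and encrypt the data volume at the filesystem or disk layer instead.
  enableEncryption: true
  encryptionKeyFile: /etc/mongodb/keyfile   # placeholder: mode 600, owned by the mongod user
setParameter:
  enableLocalhostAuthBypass: false  # close the localhost exception once the first admin user exists
```

Create the first administrative user before setting enableLocalhostAuthBypass to false, or you lock yourself out of the instance.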

Full post here, 7 mins read

Top 5 cybersecurity predictions for 2020

  • Credential stuffing, where hackers steal login credentials from one site and use the same credentials to break into a user’s accounts on other sites, will continue to be an easy attack.
  • AI-focused detection products will lose the hype because of their inability to meet promises.
  • California Consumer Protection Act (CCPA) will have a big impact on many tech companies with regard to their data privacy practices.
  • Cybersecurity breaches for autonomous vehicles will increase because of systems not keeping pace with advancing threats in this area.
  • You will be required to do the operational work of assigning ownership & accountability in your companies to ensure data laws, regulations, norms and best practices are in place to improve cybersecurity.

Full post here, 4 mins read

Get these notes directly in your inbox every weekday by signing up for my newsletter, in.snippets().
