Academy Central
----


Application Security Technology Landscape

Overview

While the broader cybersecurity market is vast, this section focuses specifically on Application Security (AppSec). Although many mature technologies are widely deployed today, a steady run of API breaches has exposed a critical gap in what that standard coverage actually protects.


1. The API Security Gap

When it comes to API testing, many teams still rely on legacy application scanners. Those tools were built for web applications, and they are often insufficient for modern API architectures.

  • Legacy tools:

    • SAST (Static Application Security Testing)

    • DAST (Dynamic Application Security Testing)

    • These tools excel at finding well-known, signature-matchable vulnerability classes such as SQL injection and Cross-Site Scripting (XSS), the kind the industry loosely files under "CVEs" (Common Vulnerabilities and Exposures). Those are comparatively easy to detect and fix.

  • The API reality:

    • Attackers rarely exploit APIs through common CVEs. Instead, they look for logic flaws unique to the application, authorization gaps (which objects and functions a given caller is allowed to reach), and ways to abuse API functions exactly as they were designed.

"Most web API flaws are missed by standard security tests." — Corey Ball, Author of Hacking APIs

(「標準的安全測試往往會遺漏多數的 Web API 漏洞。」— Corey Ball,《Hacking APIs》作者)


2. API Security in the Application Lifecycle

To secure APIs effectively, you must "shift left": incorporate security as early in the development pipeline as possible, where a finding is a design change rather than an emergency patch.

| Phase | Key activities and security focus |
|---|---|
| 1. Definition | Threat modeling: define what the API does, what data it accesses, and the security implications of both. Involve security experts at this stage, not after the design is fixed. |
| 2. Development | Code review and scanning: peer code reviews catch the logic and authorization flaws that no scanner understands; SAST covers the code you write and Software Composition Analysis (SCA) covers the dependencies you import. |
| 3. Testing | API-specific security testing: the last gate before production. Combine automated API scanners, legacy DAST tools and manual penetration testing to find the vulnerabilities unique to this API. |
| 4. Operations | Runtime protection: Web Application Firewalls (WAF) and API gateways block live attacks; the SIEM correlates their logs so that attacks are detected and can be investigated. |
| 5. Retirement | Decommissioning: remove old and unused API versions so they stop being reachable attack surface. |

3. Mapping Risks to the Game Plan

By overlaying your threat model on the application lifecycle, you can build a prioritized plan that addresses each specific API risk at the phase where it is best handled.

Examples of mitigation strategies:

  • Risk: Unknown APIs

    • Upfront: mandate a governance policy under which every API must be inventoried in an API gateway or marketplace before it ships.

    • Runtime: use a WAF or runtime detection tool to discover APIs dynamically from live traffic, and reconcile what it sees against the inventory. Anything present in traffic but absent from the inventory is an unknown API.

  • Risk: Unauthorized Account Access

    • Development: implement strict access controls in the code so that every object lookup is scoped to the authenticated caller, preventing cross-account access (Broken Object Level Authorization, BOLA).

    • Testing: before deployment, run automated security tests designed specifically to simulate authorization gaps, for example replaying one user's object identifiers with another user's credentials.
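The Development and Testing mitigations for Unauthorized Account Access, worked through in code. This is an added example, not code from the Academy Central notes or from any vendor: the same GET /invoices/{id} handler written without and then with the object-level authorization check, followed by the kind of automated cross-account probe the Testing phase would run before deployment. The in-memory invoice store, the bearer-token session table and the handler signatures are all constructed for illustration.

```python
"""Added example (not from the Academy Central notes or any vendor's code):
a BOLA-prone handler, its fixed form, and an automated cross-account probe.

Constructed for illustration: the in-memory invoice store, the bearer-token
session table and the handler signatures. A real service would take these
from its framework and database.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


# Constructed data: two customers, one invoice each.
INVOICES = {
    501: Invoice(id=501, owner_id=1, total_cents=12_000),
    502: Invoice(id=502, owner_id=2, total_cents=4_500),
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


class HttpError(Exception):
    """Stand-in for the framework's HTTP error response."""

    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def authenticate(token: str) -> int:
    """Authentication is identical in both handlers. BOLA is an authorization
    bug: the attacker arrives with a perfectly valid login of their own."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise HttpError(401) from None


def get_invoice_vulnerable(token: str, invoice_id: int) -> Invoice:
    """GET /invoices/{id} as it is often shipped: the caller is authenticated,
    the id comes from the URL, and nobody checks who owns the object."""
    authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise HttpError(404)
    return invoice


def get_invoice_fixed(token: str, invoice_id: int) -> Invoice:
    """Same endpoint with the lookup scoped to the authenticated principal.
    A foreign object gets 404, not 403, so the response does not confirm
    that the id exists (403 would hand an enumerating attacker an oracle)."""
    user_id = authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != user_id:
        raise HttpError(404)
    return invoice


def bola_check(handler, victim_token: str, attacker_token: str) -> dict:
    """Testing-phase probe: enumerate the objects the victim legitimately owns
    (here read straight from the store; a real test would use the victim's own
    list endpoint), then replay each id with the attacker's token. Any success
    is a cross-account read and marks the handler as vulnerable."""
    victim_id = authenticate(victim_token)
    victim_objects = sorted(i for i, inv in INVOICES.items() if inv.owner_id == victim_id)
    leaked = []
    for invoice_id in victim_objects:
        try:
            handler(attacker_token, invoice_id)
            leaked.append(invoice_id)
        except HttpError as e:
            if e.status == 401:
                raise  # attacker credentials broken: test-setup error, not a pass
    return {"probed": victim_objects, "leaked": leaked, "vulnerable": bool(leaked)}


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("fixed", get_invoice_fixed)):
        print(name, bola_check(handler, victim_token="tok-alice",
                               attacker_token="tok-bob"))
```

Run against the vulnerable handler the probe reports invoice 501 leaked to Bob; against the fixed handler it reports nothing leaked. Note that a SAST or DAST scanner has no way to know that Bob should not see 501, which is exactly why this class of test has to be written with two identities and the application's own data model in mind.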

Conclusion: create a fully prioritized list of risks and a plan for how and where each will be mitigated. All else being equal, address each issue as early in the lifecycle as possible.
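Returning to the first risk above, Unknown APIs, the runtime mitigation is only useful if what the detection tool sees is reconciled against the inventory. This added example (not code from the Academy Central notes or from any gateway product) shows that reconciliation: it parses gateway access-log lines, collapses identifier segments so individual requests map to routes, and reports every route that receives traffic but is missing from the declared inventory. The inventory, the combined-log line format and the log lines themselves are constructed for illustration.

```python
"""Added example (not from the Academy Central notes or any product): discover
APIs at runtime from access logs and diff them against a declared inventory.

Constructed for illustration: the inventory, the log format and the log lines.
"""
import re
from collections import Counter

# Assumed inventory: the routes registered in the API gateway / marketplace,
# as method + templated path, the way an OpenAPI document lists them.
INVENTORY = {
    ("GET", "/v2/users/{id}"),
    ("GET", "/v2/users/{id}/orders"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/orders/{id}"),
}

# Constructed access-log lines in the common combined-log shape.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2026:14:21:46 +0000] "GET /v2/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [02/May/2026:14:21:47 +0000] "GET /v2/users/1042/orders HTTP/1.1" 200 2048
10.0.0.9 - - [02/May/2026:14:21:48 +0000] "POST /v2/orders HTTP/1.1" 201 96
10.0.0.9 - - [02/May/2026:14:21:49 +0000] "GET /v1/users/1042 HTTP/1.1" 200 480
10.0.0.7 - - [02/May/2026:14:21:50 +0000] "GET /v2/admin/export?all=1 HTTP/1.1" 200 90112
10.0.0.7 - - [02/May/2026:14:21:51 +0000] "DELETE /v2/orders/77 HTTP/1.1" 204 0
10.0.0.7 - - [02/May/2026:14:21:52 +0000] "GET /v2/orders/8f1c2a6e-3b4d-4e5f-9a0b-1c2d3e4f5a6b HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Path segments that are identifiers rather than route structure:
# decimal integers, UUIDs, and long hex strings.
ID_SEGMENT_RE = re.compile(
    r"^(\d+"
    r"|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|[0-9a-fA-F]{16,})$"
)


def normalize_path(path: str) -> str:
    """Drop the query string and collapse identifier segments to {id}, so
    /v2/users/1042 and /v2/users/77 both map to the route /v2/users/{id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT_RE.match(seg) else seg
                    for seg in path.split("/"))


def observed_routes(log_text: str) -> Counter:
    """Return (method, templated path) -> hit count for every request logged."""
    routes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        routes[(m["method"], normalize_path(m["path"]))] += 1
    return routes


def find_shadow_apis(log_text: str, inventory=INVENTORY) -> dict:
    """Routes that receive traffic but are absent from the inventory: the
    'unknown APIs' that runtime discovery exists to surface. A route in the
    inventory with zero hits is the opposite finding (a retirement candidate)."""
    seen = observed_routes(log_text)
    return {route: n for route, n in seen.items() if route not in inventory}


if __name__ == "__main__":
    for (method, path), hits in sorted(find_shadow_apis(SAMPLE_LOG).items()):
        print(f"UNINVENTORIED {method} {path} ({hits} hits)")
```

On the constructed log this flags three routes: a forgotten /v1 version of the users endpoint, an undeclared admin export, and a DELETE verb on an inventoried path that was never registered. The UUID-keyed order lookup is correctly recognized as the inventoried GET /v2/orders/{id}. Normalizing identifiers is the step that matters: without it every order id looks like its own endpoint and the report is unusable.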