{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,9]],"date-time":"2026-05-09T16:43:36Z","timestamp":1778345016666,"version":"3.51.4"},"publisher-location":"Singapore","reference-count":17,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789811692284","type":"print"},{"value":"9789811692291","type":"electronic"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>With the mass application of virtualization, micro-services, and cloud-native technologies, interaction between service entities through APIs has become the norm. Many platforms still maintain a large number of old APIs due to business needs. At the same time, many new APIs are gradually going online. Both situations place higher requirements on API security. Focusing on the security protection of old APIs and related issues, this article starts from the process of asset discovery, vulnerability detection, and security auditing. Aiming at the problem of API asset discovery, this article summarizes technical methods for automatically clustering unowned API assets using the characteristics of various commonly used APIs. Aiming at new API vulnerability detection, a security analysis method based on a finite state machine is proposed. For the first time, cross-network communication taint propagation based on dynamic taint analysis and system-level simulation is realized, making sensitive data flow tracing in API communication feasible. We designed a flow-based API security audit system to improve automated API protection. Finally, we analyzed the technical opportunities and challenges of API security in detail and looked ahead to the next direction and development trend of API security research.<\/jats:p>","DOI":"10.1007\/978-981-16-9229-1_11","type":"book-chapter","created":{"date-parts":[[2022,1,21]],"date-time":"2022-01-21T12:03:56Z","timestamp":1642766636000},"page":"179-192","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":13,"title":["Research Towards Key Issues of API Security"],"prefix":"10.1007","author":[{"given":"Ronghua","family":"Sun","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Qianxun","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Liang","family":"Guo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,1,21]]},"reference":[{"key":"11_CR1","doi-asserted-by":"crossref","unstructured":"Corral, L., Sillitti, A., Succi, G., Garibbo, A., Ramella, P.: Evolution of mobile software development from platform-specific to web-based multiplatform paradigm. In: Proceedings of the 10th SIGPLAN Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software, pp. 181\u2013183 (2012)","DOI":"10.1145\/2048237.2157457"},{"key":"11_CR2","unstructured":"Davanian, A., Qi, Z., Qu, Y., Yin, H.: Decaf++: elastic whole-system dynamic taint analysis. In: 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019), pp. 31\u201345 (2019)"},{"issue":"5","key":"11_CR3","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s11432-016-5521-0","volume":"60","author":"Y Ding","year":"2017","unstructured":"Ding, Y., Wei, T., Xue, H., Zhang, Y., Zhang, C., Han, X.: Accurate and efficient exploit capture and classification. Sci. China Inf. Sci. 60(5), 1\u201317 (2017)","journal-title":"Sci. China Inf. Sci."},{"key":"11_CR4","unstructured":"Fielding, R.T.: Architectural styles and the design of network-based software architectures. University of California, Irvine (2000)"},{"key":"11_CR5","unstructured":"Gandert, N., et al.: Method and system for searching for digital assets, US Patent 9,251,172 (2016)"},{"key":"11_CR6","unstructured":"Hartig, O., P\u00e9rez, J.: An Initial Analysis of Facebook\u2019s GraphQL Language (2017)"},{"issue":"2","key":"11_CR7","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1109\/TSE.2016.2589242","volume":"43","author":"A Henderson","year":"2016","unstructured":"Henderson, A., Yan, L.K., Hu, X., Prakash, A., Yin, H., McCamant, S.: Decaf: a platform-neutral whole-system dynamic binary analysis platform. IEEE Trans. Softw. Eng. 43(2), 164\u2013184 (2016)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"11_CR8","doi-asserted-by":"crossref","unstructured":"Hussain, F., Li, W., Noye, B., Sharieh, S., Ferworn, A.: Intelligent service mesh framework for API security and management. In: 2019 IEEE 10th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), pp. 0735\u20130742. IEEE (2019)","DOI":"10.1109\/IEMCON.2019.8936216"},{"key":"11_CR9","doi-asserted-by":"crossref","unstructured":"Jia, Y., et al.: Burglars\u2019 IoT paradise: understanding and mitigating security risks of general messaging protocols on IoT clouds. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 465\u2013481. IEEE (2020)","DOI":"10.1109\/SP40000.2020.00051"},{"key":"11_CR10","doi-asserted-by":"crossref","unstructured":"Mendoza, A., Gu, G.: Mobile application web API reconnaissance: web-to-mobile inconsistencies & vulnerabilities. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 756\u2013769. IEEE (2018)","DOI":"10.1109\/SP.2018.00039"},{"key":"11_CR11","unstructured":"OWASP Foundation (2019). https:\/\/owasp.org\/www-project-api-security\/"},{"key":"11_CR12","doi-asserted-by":"publisher","first-page":"113400","DOI":"10.1016\/j.dss.2020.113400","volume":"138","author":"G Ramesh","year":"2020","unstructured":"Ramesh, G., Menen, A.: Automated dynamic approach for detecting ransomware using finite-state machine. Decis. Supp. Syst. 138, 113400 (2020)","journal-title":"Decis. Supp. Syst."},{"key":"11_CR13","unstructured":"Song, Y.: Research and implementation of monitoring of monitoring oriented open API service. Ph.D. thesis, Beijing University of Posts and Telecommunications (2017)"},{"key":"11_CR14","unstructured":"StackOverflow Survey (2020). https:\/\/insights.stackoverflow.com\/survey\/"},{"key":"11_CR15","unstructured":"Sucuri Guides (2021). https:\/\/sucuri.net\/guides\/owasp-top-10-security-vulnerabilities-2021\/"},{"key":"11_CR16","unstructured":"Wang, J., et al.: Understanding malicious cross-library data harvesting on Android. In: 30th {USENIX} Security Symposium ({USENIX} Security 21) (2021)"},{"key":"11_CR17","unstructured":"Zhou, W., et al.: Discovering and understanding the security hazards in the interactions between IoT devices, mobile apps, and clouds on smart home platforms. In: 28th {USENIX} Security Symposium ({USENIX} Security 19), pp. 1133\u20131150 (2019)"}],"container-title":["Communications in Computer and Information Science","Cyber Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-16-9229-1_11","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,24]],"date-time":"2023-01-24T01:14:22Z","timestamp":1674522862000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-16-9229-1_11"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9789811692284","9789811692291"],"references-count":17,"URL":"https:\/\/doi.org\/10.1007\/978-981-16-9229-1_11","relation":{},"ISSN":["1865-0929","1865-0937"],"issn-type":[{"value":"1865-0929","type":"print"},{"value":"1865-0937","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"21 January 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CNCERT","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China Cyber Security Annual Conference","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Beijing","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 July 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 July 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"cncert2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/conf.cert.org.cn","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}