• Add Milestone, Label, Linked Pull Request and Repository as fields to the view
• Hide the Assignees field

• Requirements

Group by Sprint

Video about Publish posted on dropbox

Add the following columns:

• Linked Assessment (field type = text)
• Due Date (field type = date)
• Sprint (field type = single select; add all 8 of the sprints as options with sprint start and end date)
• Effort (in Hours) (field type = number)

• All CMPG 323 classes
• All CMPG 323 training time required to upskill and complete projects
• All estimated tasks required to complete all CMPG 323 projects
• All CMPG 323 project submissions (with deadlines attached to milestones)
• All tasks associated to completing the CMPG 323 Portfolio of Evidence (POE)

Group by Status

API Development - Security

Project 2 - secure your API

5. REST security fundamental

HTTP( Basic Web Security )

1. Basic Authentication

• Internet standard
• Supported by all major browsers

2. Digest Authentication

-The password is not sent clear to the server.

• application of **MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. **
• Nonce -

3. Configured on the IIS web server (platform dependent)

• Can be both used by REST and SOAP
• Provides point-to-point security between the two endpoints.

HTTPS( Transport Security )

REST security cheat sheet [1]

• Mutually authenticated client-side certificates

• https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

• Non-public REST services must perform access control at each API endpoint

• User authentication should be centralized in a Identity Provider(IdP)

• JSON Web Tokens (JWT)

  as the format for security tokens

  • JWT are JSON data structures containing a set of claims that can be used for access control decisions.

• API Keys

  • Public REST services without access control run the risk of being farmed leading to excessive bills for bandwidth or compute cycles
  • API keys can reduce the impact of denial-of-service attacks.

• Restrict HTTP methods

  • Apply an allow list of permitted HTTP Methods e.g. GET, POST, PUT
  • Reject all requests not matching the allow list with HTTP response code 405 Method not allowed.
  • Make sure the caller is authorized to use the incoming HTTP method on the resource collection, action, and record

Session Management and Authentication

• OAuth2
  • First, OAuth 2.0 is NOT an authentication protocol.
  • It is an delegated authorization framework, which many modern authentication protocols are built on.
• OpenID (federated authentication) - one entity trusts another entity with user management.
• An ID token's password

Resources list

[1] - https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
[2]