Security Best Practices

Implement enterprise-grade security in 15 minutes - OWASP-compliant from day 1


Quick Security Audit

Estimated time: 5 minutes
What you'll verify: Your AnkaSecure deployment follows security best practices

# Download security audit script
curl -sSL https://ankatech.co/security-audit.sh | bash -s -- \
  --endpoint https://api.ankatech.co \
  --token $TOKEN

Expected output:

[✓] JWT validation (iss, aud, exp, nbf)          PASS
[✓] HTTPS enforced (TLS 1.3)                     PASS
[✓] Security headers (5/5 OWASP required)        PASS
[✓] Rate limiting enabled                        PASS
[✓] Strong algorithms (ML-KEM, AES-256)          PASS
[✓] Key rotation policy (annual or better)       PASS
[✓] Audit logging enabled                        PASS

Overall: 7/7 security controls ✅ OWASP COMPLIANT


Top 10 Security Best Practices

1. Use Quantum-Resistant Algorithms

Why: Protect against future quantum threats

How:

# Use ML-KEM by default (not RSA)
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"algorithm":"ML_KEM_1024"}'  # ✅ Quantum-resistant

# NOT:
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"algorithm":"RSA_4096"}'  # ❌ Vulnerable to quantum

When: For data retention > 10 years (overlaps quantum timeline)


2. Enable Automatic Key Rotation

Why: Limit exposure if key compromised

How:

# Set annual rotation policy (notification 30 days before the rotation runs)
curl -X PATCH https://api.ankatech.co/keys/KEY_ID/rotation-policy \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "policy": "ANNUAL",
    "autoRotate": true,
    "notifyBefore": "30_DAYS"
  }'

Best practice: Rotate encryption keys annually, signing keys every 2 years


3. Use Composite Keys for High-Value Data

Why: Defense-in-depth (1000× more secure)

How:

# For financial, healthcare, classified data: classical + PQC key material combined
curl -X POST https://api.ankatech.co/keys/composite \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "classicalAlgorithm":"RSA_4096",
    "pqcAlgorithm":"ML_KEM_1024",
    "mode":"HYBRID_KEM_COMBINE"
  }'

When: Data sensitivity = Confidential, Secret, or Top Secret


4. Implement Least Privilege Access

Why: Minimize blast radius if credentials compromised

How:

# Grant minimum permissions needed: ENCRYPT/DECRYPT only (NOT "ADMIN"),
# specific keys only, and time-limited
curl -X POST https://api.ankatech.co/users/developer/permissions \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "permissions": ["ENCRYPT", "DECRYPT"],
    "keyIds": ["app-key-001"],
    "expiresIn": "8_HOURS"
  }'

Rule: Developers get encrypt/decrypt only (NOT key management)
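A small linter that checks a permission-grant request against the rule above before it is sent (added example, not AnkaSecure's SDK or API; the request fields follow the curl body in this section, while the 8-hour ceiling, the parsing of duration strings such as "8_HOURS"/"90_DAYS" and the function names are assumptions):

```python
"""Lint a permission grant against the least-privilege rules on this page:
developers get ENCRYPT/DECRYPT only (no ADMIN), specific keyIds only, and
a time-limited grant. Example code, not the AnkaSecure SDK; the request
shape follows the curl body above, the 8-hour ceiling is assumed from it."""
import re

DEVELOPER_ALLOWED = {"ENCRYPT", "DECRYPT"}
MAX_DEVELOPER_GRANT_HOURS = 8          # assumption taken from "8_HOURS" above
_UNIT_HOURS = {"HOURS": 1, "DAYS": 24}


def duration_hours(value):
    """Parse the page's duration strings, e.g. '8_HOURS' or '90_DAYS', to hours."""
    m = re.fullmatch(r"(\d+)_(HOURS|DAYS)", str(value or ""))
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNIT_HOURS[m.group(2)]


def lint_grant(grant, role="developer"):
    """Return a list of violations; an empty list means the grant is acceptable."""
    problems = []
    perms = set(grant.get("permissions", []))
    if role == "developer":
        extra = perms - DEVELOPER_ALLOWED
        if extra:
            problems.append(f"developer role may not hold {sorted(extra)}")
    key_ids = grant.get("keyIds")
    if not key_ids or any(k in ("*", "") for k in key_ids):
        problems.append("keyIds must list specific keys (no wildcard)")
    try:
        hours = duration_hours(grant.get("expiresIn"))
        if role == "developer" and hours > MAX_DEVELOPER_GRANT_HOURS:
            problems.append(f"expiresIn {hours}h exceeds {MAX_DEVELOPER_GRANT_HOURS}h ceiling")
    except ValueError:
        problems.append("expiresIn missing or not time-limited")
    return problems


# Constructed sample requests: the page's good grant and an over-broad one.
GOOD_GRANT = {"permissions": ["ENCRYPT", "DECRYPT"], "keyIds": ["app-key-001"],
              "expiresIn": "8_HOURS"}
BAD_GRANT = {"permissions": ["ENCRYPT", "DECRYPT", "ADMIN"], "keyIds": ["*"]}

if __name__ == "__main__":
    for name, grant in (("good", GOOD_GRANT), ("bad", BAD_GRANT)):
        print(name, lint_grant(grant) or "OK")
```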


5. Enable Audit Logging

Why: Compliance (PCI DSS, HIPAA, SOX) + incident investigation

How:

# Verify audit logging enabled
curl https://api.ankatech.co/audit-logs/config \
  -H "Authorization: Bearer $TOKEN"

Expected:

{
  "enabled": true,
  "retention": "365_DAYS",
  "logOperations": ["ENCRYPT", "DECRYPT", "KEY_ACCESS", "KEY_ROTATION"]
}

("retention": 1 year minimum)

Best practice: Retain logs 1-7 years (depending on regulation)


6. Protect API Keys

Why: Compromised API key = full access to your data

How:

DO:
- ✅ Store in environment variables (not source code)
- ✅ Rotate every 90 days
- ✅ Use different keys per environment (dev/staging/prod)
- ✅ Limit scope (read-only vs read-write)

DON'T:
- ❌ Commit to Git (even private repos)
- ❌ Share between team members (personal keys)
- ❌ Use same key everywhere (blast radius)
- ❌ Never rotate (stale keys = risk)

# Generate scoped API key (limited permissions, 90-day expiry)
curl -X POST https://api.ankatech.co/api-keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-app",
    "permissions": ["ENCRYPT", "DECRYPT"],
    "expiresIn": "90_DAYS"
  }'

7. Use HSM for Production Keys

Why: Keys protected by hardware (tamper-resistant)

How:

# Generate key with HSM protection ("hsmRequired" enforces HSM-backed storage)
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "hsmRequired": true,
    "purpose": "PRODUCTION"
  }'

HSM options:
- Development: SoftHSM (included, software emulation)
- Production: Luna, nShield (FIPS 140-2 Level 3)

Trade-off: HSM adds latency (+2-5ms) but increases security significantly


8. Implement Rate Limiting

Why: Prevent brute-force attacks, DoS

How: Built-in (automatic per tenant)

# Check rate limit status
curl https://api.ankatech.co/rate-limits \
  -H "Authorization: Bearer $TOKEN"

Response:

{
  "limit": "1000 requests/minute",
  "remaining": 847,
  "resetAt": "2026-01-07T13:00:00Z"
}

Custom limits (Enterprise tier):

curl -X PATCH https://api.ankatech.co/tenants/TENANT_ID/rate-limits \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"limit":"10000_PER_MINUTE"}'


9. Monitor for Anomalies

Why: Detect attacks, unauthorized access

How:

# Query unusual activity over the last 7 days (URL quoted so the shell does not expand "?")
curl "https://api.ankatech.co/analytics/anomalies?days=7" \
  -H "Authorization: Bearer $TOKEN"

Anomalies detected:
- ⚠️ Spike in failed decryptions (possible brute-force)
- ⚠️ Access from new IP/country (possible account compromise)
- ⚠️ Bulk key deletion (possible insider threat)

Alert: Email notification + webhook (integrate with SIEM)


10. Test Your Security Posture

Why: Validate security controls, find gaps

How:

# Run penetration test (simulated attacks)
curl -sSL https://ankatech.co/pentest-script.sh | bash -s -- \
  --target https://api.ankatech.co \
  --token $TEST_TOKEN

Tests:
- ✅ JWT validation (try expired/invalid tokens)
- ✅ Authorization (try accessing other tenants)
- ✅ Rate limiting (try 10,000 requests/sec)
- ✅ Input validation (try malformed requests)

Recommendation: Run quarterly (or before major deployments)


OWASP Top 10 for APIs (2023)

How AnkaSecure Protects You

OWASP Risk                                            | AnkaSecure Protection                 | Status
------------------------------------------------------|---------------------------------------|-------------
API1: Broken Object Level Authorization               | Multi-tenant isolation, RBAC          | ✅ Protected
API2: Broken Authentication                           | JWT validation (4 claims), mTLS       | ✅ Protected
API3: Broken Object Property Level Authorization      | Input validation, schema enforcement  | ✅ Protected
API4: Unrestricted Resource Consumption               | Rate limiting (per-tenant)            | ✅ Protected
API5: Broken Function Level Authorization             | Role-based access control             | ✅ Protected
API6: Unrestricted Access to Sensitive Business Flows | Audit logging, anomaly detection      | ✅ Protected
API7: Server Side Request Forgery                     | Input sanitization, URL validation    | ✅ Protected
API8: Security Misconfiguration                       | Secure defaults, hardened config      | ✅ Protected
API9: Improper Inventory Management                   | API versioning, deprecation notices   | ✅ Protected
API10: Unsafe Consumption of APIs                     | TLS 1.3, certificate validation       | ✅ Protected

Overall: ✅ 100% OWASP API Security compliance


Common Security Mistakes

Mistake 1: Using RSA for New Deployments

Wrong:

# Deploying new system in 2026 with RSA ❌
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"algorithm":"RSA_4096"}'

Why wrong: Quantum-vulnerable, will need migration in 2-3 years

Correct:

# Use ML-KEM from day 1 ✅
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"algorithm":"ML_KEM_1024"}'

Benefit: Future-proof, no migration needed


Mistake 2: Sharing API Keys Between Environments

Wrong:

# Using same API key for dev, staging, prod ❌
DEV_KEY=abc123
STAGING_KEY=abc123  # Same key!
PROD_KEY=abc123     # Same key!

Why wrong: Dev compromise = production compromise

Correct:

# Separate keys per environment ✅
DEV_KEY=dev-abc123
STAGING_KEY=staging-xyz789
PROD_KEY=prod-secret-key-456

Plus: Different permissions per environment (dev = read-only prod keys)


Mistake 3: Never Rotating Keys

Wrong:

# Generated key in 2020, still using in 2026 ❌
curl https://api.ankatech.co/keys/ancient-key-2020 \
  -H "Authorization: Bearer $TOKEN"
# Response contains: "lastRotated": "2020-01-01" (6 years ago!)

Why wrong: Long-lived keys = more exposure (if compromised)

Correct:

# Automatic annual rotation ✅
curl -X PATCH https://api.ankatech.co/keys/KEY_ID/rotation-policy \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"policy":"ANNUAL","autoRotate":true}'

Best practice: Rotate annually (or quarterly for high-security)
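A rotation-age check that turns the "lastRotated" field quoted above into an overdue/due-soon report, covering the intervals from section 2 (encryption keys annually, signing keys every 2 years) and the 30-day notice window from the monthly practices below. Added example, not AnkaSecure's code; the key records, the "purpose" field and the function names are constructed assumptions.

```python
"""Flag keys whose rotation is overdue or falls due within the 30-day notice
window. Example code, not AnkaSecure's; the key records are constructed to
mimic the "lastRotated" field quoted above, and the per-purpose intervals
follow the page (encryption keys annual, signing keys every 2 years)."""
from datetime import date, timedelta

ROTATION_INTERVAL_DAYS = {"ENCRYPTION": 365, "SIGNING": 730}
NOTIFY_BEFORE_DAYS = 30   # matches "notifyBefore": "30_DAYS" in section 2


def rotation_status(key, today):
    """Classify one key as ('overdue', days_late), ('due_soon', days_left) or ('ok', days_left)."""
    last = date.fromisoformat(key["lastRotated"])
    due = last + timedelta(days=ROTATION_INTERVAL_DAYS[key["purpose"]])
    if today >= due:
        return "overdue", (today - due).days
    days_left = (due - today).days
    return ("due_soon" if days_left < NOTIFY_BEFORE_DAYS else "ok"), days_left


def keys_needing_action(keys, today):
    """Return {keyId: (status, days)} for every key that is not 'ok'."""
    report = {}
    for key in keys:
        status, days = rotation_status(key, today)
        if status != "ok":
            report[key["keyId"]] = (status, days)
    return report


# Constructed sample inventory; "purpose" is an assumed field.
SAMPLE_KEYS = [
    {"keyId": "ancient-key-2020", "purpose": "ENCRYPTION", "lastRotated": "2020-01-01"},
    {"keyId": "app-key-001", "purpose": "ENCRYPTION", "lastRotated": "2025-02-01"},
    {"keyId": "signing-key-01", "purpose": "SIGNING", "lastRotated": "2024-06-01"},
]
TODAY = date(2026, 1, 7)   # fixed clock (the page's "Last updated" date) so runs are reproducible

if __name__ == "__main__":
    for key_id, (status, days) in keys_needing_action(SAMPLE_KEYS, TODAY).items():
        print(f"{key_id}: {status} ({days} days)")
```

In production, replace TODAY with date.today() and feed the function the key list returned by the keys endpoint.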


Mistake 4: Ignoring Audit Logs

Wrong: Generate logs but never review them ❌

Correct: Monitor for suspicious patterns ✅

# Daily check for anomalies (URL quoted so the shell does not expand "?")
curl "https://api.ankatech.co/audit-logs/summary?days=1" \
  -H "Authorization: Bearer $TOKEN" \
  | jq '.anomalies'

Alert on:
- Failed decryptions (possible attack)
- New IP addresses (account compromise?)
- Bulk operations (data exfiltration?)
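Detection logic for the three patterns listed here and in best practice 9 (failed-decryption spike, access from a new IP, bulk key deletion), run over audit-log records. Added example, not AnkaSecure's analytics endpoint; the JSON-lines record format, the sample lines, the known-IP baseline and the thresholds are constructed assumptions.

```python
"""Flag the anomaly patterns this page lists in audit-log records.
Example code, not AnkaSecure's; record fields, sample lines and thresholds
are constructed assumptions."""
import json
from collections import Counter

FAILED_DECRYPT_THRESHOLD = 5   # assumed: more than this per actor is a spike
BULK_DELETE_THRESHOLD = 3      # assumed: this many KEY_DELETE by one actor


def detect_anomalies(log_lines, known_ips):
    """Return a sorted list of (actor, finding) from JSON-lines audit records."""
    failed_decrypts = Counter()
    deletions = Counter()
    findings = set()
    for line in log_lines:
        rec = json.loads(line)
        actor, op, ip = rec["actor"], rec["operation"], rec["sourceIp"]
        if ip not in known_ips.get(actor, set()):
            findings.add((actor, f"new source IP {ip}"))
        if op == "DECRYPT" and rec["status"] == "FAILED":
            failed_decrypts[actor] += 1
        if op == "KEY_DELETE" and rec["status"] == "OK":
            deletions[actor] += 1
    for actor, n in failed_decrypts.items():
        if n > FAILED_DECRYPT_THRESHOLD:
            findings.add((actor, f"{n} failed decryptions (possible brute-force)"))
    for actor, n in deletions.items():
        if n >= BULK_DELETE_THRESHOLD:
            findings.add((actor, f"{n} keys deleted (possible insider threat)"))
    return sorted(findings)


def _record(actor, op, status, ip):
    return json.dumps({"actor": actor, "operation": op, "status": status, "sourceIp": ip})


# Constructed sample: "svc-app" fails 6 decryptions from its usual address;
# "alice" appears from an unseen address and deletes three keys.
SAMPLE_LOG = [_record("svc-app", "DECRYPT", "FAILED", "10.0.0.5") for _ in range(6)]
SAMPLE_LOG += [_record("svc-app", "ENCRYPT", "OK", "10.0.0.5")]
SAMPLE_LOG += [_record("alice", "KEY_DELETE", "OK", "203.0.113.9") for _ in range(3)]
KNOWN_IPS = {"svc-app": {"10.0.0.5"}, "alice": {"10.0.0.20"}}   # constructed baseline

if __name__ == "__main__":
    for actor, finding in detect_anomalies(SAMPLE_LOG, KNOWN_IPS):
        print(f"⚠️ {actor}: {finding}")
```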


Mistake 5: Using Weak Passwords for PKCS#12

Wrong:

# Export key with weak password ❌ (cert.pem / key.p12 are placeholder file names)
openssl pkcs12 -export -in cert.pem -inkey key.pem -out key.p12 \
  -password pass:password

Correct:

# Use strong password (20+ chars, random) ✅ and keep it: the export is
# unusable if the generated password is never recorded
export P12_PASS=$(openssl rand -base64 32)
openssl pkcs12 -export -in cert.pem -inkey key.pem -out key.p12 \
  -passout env:P12_PASS   # read from the environment, not the command line
echo "$P12_PASS"   # save in your password manager, then: unset P12_PASS

Best practice: Generate random passwords, store in password manager


Security Checklist

Pre-Production Checklist

Before going live:

  • [ ] Algorithms: Using ML-KEM (not RSA) for new data
  • [ ] Keys: HSM-protected for production
  • [ ] Rotation: Automatic policy enabled (annual minimum)
  • [ ] Access: Least privilege (developers != admins)
  • [ ] Audit: Logging enabled (1-year retention)
  • [ ] Monitoring: Anomaly detection configured
  • [ ] Backup: Keys backed up (secure storage)
  • [ ] DR: Disaster recovery tested (can restore keys)
  • [ ] Compliance: FIPS/NIST/industry requirements met
  • [ ] Testing: Penetration test completed (no critical findings)


Ongoing Security Practices

Monthly:
  • [ ] Review audit logs (anomalies, failed attempts)
  • [ ] Check key expiration (rotate keys < 30 days to expiry)
  • [ ] Update dependencies (SDK, libraries)

Quarterly:
  • [ ] Security scan (vulnerability assessment)
  • [ ] Access review (remove inactive users)
  • [ ] Compliance audit (FIPS, NIST, industry standards)

Annually:
  • [ ] Penetration test (third-party)
  • [ ] Disaster recovery drill (test backups)
  • [ ] Policy review (update as threats evolve)



Last updated: 2026-01-07 | Based on OWASP Top 10 (2023) and NIST guidelines