What is the true definition of API security? This is an important question for IT security leaders to ponder, because of the explosion in API usage in recent years, but if you ask 10 tech stakeholders, you’ll receive 10 different answers.
No matter the size of your organization’s technology footprint or your industry, chances are your IT includes dozens of APIs or more. Those APIs can be exploited, potentially resulting in data breaches, theft, fraud, and business disruption.
Since there are so many uses for APIs today in web application development and beyond, running down every possible API vulnerability and the appropriate response is an involved process. Using an API security checklist is a great way to make sure everything is in order, with all potential risk factors accounted for and safeguards in place.
API security: More necessary than ever
Before committing to running down a full API security checklist, it may be necessary to remember why APIs are worthy of security attention and focus. In short, it’s because application programming interfaces have become the tool of choice for data interchange between applications.
Of the over 21 billion application requests made over six months, more than 14 billion were API-based, accounting for over two-thirds of the total. During the second half of 2021, these many APIs were a large-scale attack surface for hackers, with exposure of sensitive data through APIs rising 87%.
Companies are employing APIs to build essential capabilities, from e-commerce software to user authentication portals and all manner of web applications. Nearly any piece of software on a company’s website will include some API-based functionality in its code.
To get a sense of all that could go wrong with API usage, you can review the Open Web Application Security Project’s top vulnerability list. The current OWASP API Security Top 10 includes such risks as broken access control features, failures of cryptography, insecure design decisions and misconfigured security features. Any one of those could produce undue security risk, meaning companies must take the time to review the security of all their systems.
Why follow an API security checklist?
Taking stock of the current API security posture is an essential step for any organization today. This is best accomplished with a formalized API security checklist, to ensure every possible vulnerability is covered by an appropriate response.
A checklist based on API security best practice specifications will include the multiple related areas that make up comprehensive API security. This means strong visibility into all of a company’s APIs, as well as an understanding of the potential security risk factors associated with those APIs and threat mitigation options. There should also be considerations made around ongoing design and development processes, to make sure security is included as part of the business’s DevOps workflow, to prevent new threats from going live. Additional considerations around how to proactively protect existing APIs from attacks should be accounted for – even a perfectly coded API can be attacked.
By the time a company is done studying and complying with an API security checklist, that organization should have API security processes embedded into its existing security and application development processes. This is a way to prepare the organization for the future as well as eliminate any existing vulnerabilities.
Such a forward-looking approach is an important consideration because API usage is on an upward trajectory. New APIs and interactions are always emerging, and attackers are developing new threat types at a rapid pace. In this challenging environment, it’s important to stay one step ahead of the next generation of risks.
Legacy API security methods have often focused on web application firewalls (WAF) and API gateways. These methods primarily work against known threats and brute-force attacks rather than novel, zero-day risks or more subtle threats that infiltrate systems with legitimate-seeming traffic. A complete API security checklist will prepare businesses to take on a more diverse roster of threat types.
Running down the API security checklist
Rather than simply discussing an API security checklist in abstract terms, it can be instructive to see what types of threats and responses are actually included in such a document. Such a list should go beyond API security testing and include potential countermeasures for all kinds of threats, both currently known and as-yet-unknown.
The Cequence API Security checklist is designed to provide a comprehensive overview of API protection, including building defense mechanisms into workflows to keep organizations safe in the years to come. The list is broken down into several distinct categories, as follows:
Continuous API Discovery and Runtime Inventory
Businesses need automated ways to determine which APIs they’re using, what sensitive data is moving into and out of these interfaces and whether there are any changes to the ecosystem. A company’s API footprint can be larger than even its own developers realize, which is why these visibility and discovery tools are so vital — IT security teams can’t protect what they can’t see.
Shadow APIs, not documented in the company’s specifications, may be lurking within the business’s application ecosystem, and these need to be visible, as do APIs based on common specifications such as OpenAPI. The tools used to provide API visibility should be vendor-agnostic and integrate with all existing infrastructure tools, including every API gateway, proxy and controller.
API Risk Assessment
Once an organization has better visibility into its API footprint, the next step in API security testing is to provide a risk assessment for all of the discovered APIs. By rating each instance on a scale from 1-10, it’s possible to prioritize API security needs and develop effective countermeasures in the case of a major vulnerability. By using a visual dashboard, IT security teams can filter out the APIs potentially endangering sensitive data, using poor authentication practices, or are not conforming with the defined specification and take action.
Continuous, real-time threat assessment is important because both the risk environment and API footprint will evolve over time. An API endpoint may deviate from published specifications, introducing new risk. Since every company is different, risk assessment rules should be customizable.
API Risk Remediation and Threat Mitigation
Each step of the API security checklist builds on those that came before. Once teams understand their API footprints and have analyzed the risk of their APIs, they can use automated tools to flag top priorities and respond. Real-time reports on API usage can reveal potentially malicious traffic, based on known threat patterns, and begin automated corrective action, enabling fast responses.
There are a few potential response types to malicious API traffic. Security personnel can block, log, deceive or rate-limit attackers’ access. As with risk assessment, threat mitigation tools should be customizable to ensure a given company can fend off threats without impeding legitimate traffic.
Design and Architecture
API security solutions should always be built on an architecture that makes sense for an organization’s needs. Considering the diverse types of uses companies have found for API-based development, that may mean a cloud-based software-as-a-service deployment or an on-premises deployment in a data center. There is also an important role for hybrid deployments, with data collection features on premises for security and compliance, and the control plane in the cloud.
The API security tool should not analyze too much sensitive data — only what is needed to perform its role. This is an important consideration to make sure the security approach complies with laws such as the General Data Protection Regulation and does not become a privacy liability.
A comprehensive API security deployment will integrate with network infrastructure of all kinds to make sure there is visibility into all types of API traffic, both inline and out of band. Integration with external content delivery networks allows organizations to analyze still more information.
Both internal and external APIs need to be part of API security efforts because either could provide the attack surface a bad actor needs to compromise sensitive data. Through integrations with gateways, proxies, load lancers, controllers and more, it’s possible to cast such a wide net.
API development workflows need to be part of the API security solution to minimize the risk that a new vulnerability is put into production. This is why the API security checklist concludes with integration into DevOps workflows and existing security tools.
With these integrations in place, developers will be able to make API security visibility and risk mitigation a part of their continuous integration and deployment workflows. Since the features are highly automated and efficient, the result is more secure application development without slowing down workflows.
Take action on your API security posture
Regardless of size or industry, your organization can likely benefit from the kind of comprehensive API security refresh that comes from using a detailed API security checklist. With API usage only expanding, including for the transfer of sensitive information, it’s important to take action as quickly as possible.
Your API security action should not just cover one area, such as discovery and visibility — you should take an end-to-end approach that leaves your organization with comprehensive protection of all APIs, internal and external, real-time awareness of emerging threats and smooth integration with your development processes.
Download this free API security checklist to ensure you are choosing the API security solution that best fits your requirements.