Connect with us

Hi, what are you looking for?


Application Security

10 Steps to Help Secure Your APIs

Securing APIs is a noble, though complex journey. Security teams can leverage these 10 steps to help secure their APIs.

API Security

APIs have certainly changed the way in which businesses operate. APIs allow businesses to push forward technologically with greater ease. This allows for more rapid innovation, which is, of course, what customers demand.

APIs have also introduced a number of different challenges for security teams as well. With APIs come additional risks. These risks introduce new threats into the enterprise and the potential for serious damage.

Most security professionals understand the need to secure APIs and have a desire to do so.  Unfortunately, this is easier said than done, for a variety of reasons. Given that, what are some steps security professionals can take to better secure their APIs?

While there are many steps that can be taken, in this piece, I offer my thoughts on 10 steps to help secure APIs:

  1. API Visibility and Discovery: It may seem obvious, though before an API can be secured, it must be known.  For any number of different reasons, API endpoints are often created without the IT or security team’s knowledge.  When this happens, those APIs are not part of asset management, and they are also not properly subjected to security and compliance policies and controls.  Thus, API visibility and discovery is the first step in API security.
  2. Schema Validation: Using invalid or improper input to either breach or abuse APIs is a popular technique of attackers.  Ensuring proper API behavior based on valid input and output is an important part of an overall API security approach.  Requiring that all API requests and responses comply with schema and all specs is an important step in protecting those APIs from attacks and breaches.
  3. Policy Enforcement: Properly defined, intelligent security policies are a great thing, but without strict enforcement, they are ineffective.  Enforcing API security policies is another important step in securing APIs.
  4. Safeguarding Sensitive Data: Leaking of sensitive data, such as Personally Identifiable Information (PII) is a significant risk that results from poorly secured APIs.  Safeguarding sensitive data involves not only ensuring the APIs are properly coded and secured, it also involves verifying that sensitive data is not inadvertently or improperly being transmitted or leaked from the API and is another important step in securing APIs.
  5. Abuse and DoS Protection: When thinking about defending against Denial of Service (DoS) attacks, it is important to remember the application layer (layer 7 of the OSI model), and not just layers 3 and 4.  Attackers are tuned into layer 7 and always looking to attack, making layer 7 protection against abuse and DoS an important step in securing APIs.
  6. Attack Protection: Protecting against tried and true, as well as novel and new ways to compromise and exploit APIs is critical.  Take the important step of leveraging signature-based, anomaly-based, and AI/ML based techniques to protect against a wide variety of attacks.
  7. Access Control: Improper access control, including authentication and authorization, remains one of the main issues plaguing APIs.  Whether due to oversights, human errors, haste, or any other reason, improperly controlling access to APIs can have devastating consequences.  Authentication discovery services (allowing authentication gaps to be discovered), authentication enforcement, and API access control are all an important step in securing APIs.
  8. Malicious User Detection: One useful application of AI/ML is to study, analyze, and draw conclusions about the behavior of clients interacting with APIs.  Detecting and mitigating those users that appear to be malicious can help protect APIs from attack, compromise, and breach as one step of an overall API security approach.
  9. Configuration and Management: Improper configuration and management of APIs is responsible for far more breaches than it should be.  Ensuring that APIs are not misconfigured and/or mismanaged is another key step when securing APIs.
  10. Behavioral Analysis: Behavioral analysis of the various logs collected from endpoints and APIs of an application is another good application of AI/ML and another important step when security APIs.  It is an iterative process that continues over time and is continuously updated, improved, and honed.

While APIs can speed along innovation, they can also introduce new threats into the enterprise. Securing APIs is a noble, though complex journey.  Security professionals can leverage a variety of approaches, including the 10 steps above to help secure their APIs.

Related: OWASP’s 2023 API Security Top 10 Refines View of API Risks

RelatedOWASP Top 10 Updated With Three New Categories

RelatedFinal Version of 2017 OWASP Top 10 Released

Advertisement. Scroll to continue reading.

RelatedOWASP Proposes New Vulnerabilities for 2017 Top 10

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Security and Fraud Architect at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.