APIs have certainly changed the way in which businesses operate. APIs allow businesses to push forward technologically with greater ease. This allows for more rapid innovation, which is, of course, what customers demand.
APIs have also introduced a number of different challenges for security teams as well. With APIs come additional risks. These risks introduce new threats into the enterprise and the potential for serious damage.
Most security professionals understand the need to secure APIs and have a desire to do so. Unfortunately, this is easier said than done, for a variety of reasons. Given that, what are some steps security professionals can take to better secure their APIs?
While there are many steps that can be taken, in this piece, I offer my thoughts on 10 steps to help secure APIs:
- API Visibility and Discovery: It may seem obvious, though before an API can be secured, it must be known. For any number of different reasons, API endpoints are often created without the IT or security team’s knowledge. When this happens, those APIs are not part of asset management, and they are also not properly subjected to security and compliance policies and controls. Thus, API visibility and discovery is the first step in API security.
- Schema Validation: Using invalid or improper input to either breach or abuse APIs is a popular technique of attackers. Ensuring proper API behavior based on valid input and output is an important part of an overall API security approach. Requiring that all API requests and responses comply with schema and all specs is an important step in protecting those APIs from attacks and breaches.
- Policy Enforcement: Properly defined, intelligent security policies are a great thing, but without strict enforcement, they are ineffective. Enforcing API security policies is another important step in securing APIs.
- Safeguarding Sensitive Data: Leaking of sensitive data, such as Personally Identifiable Information (PII) is a significant risk that results from poorly secured APIs. Safeguarding sensitive data involves not only ensuring the APIs are properly coded and secured, it also involves verifying that sensitive data is not inadvertently or improperly being transmitted or leaked from the API and is another important step in securing APIs.
- Abuse and DoS Protection: When thinking about defending against Denial of Service (DoS) attacks, it is important to remember the application layer (layer 7 of the OSI model), and not just layers 3 and 4. Attackers are tuned into layer 7 and always looking to attack, making layer 7 protection against abuse and DoS an important step in securing APIs.
- Attack Protection: Protecting against tried and true, as well as novel and new ways to compromise and exploit APIs is critical. Take the important step of leveraging signature-based, anomaly-based, and AI/ML based techniques to protect against a wide variety of attacks.
- Access Control: Improper access control, including authentication and authorization, remains one of the main issues plaguing APIs. Whether due to oversights, human errors, haste, or any other reason, improperly controlling access to APIs can have devastating consequences. Authentication discovery services (allowing authentication gaps to be discovered), authentication enforcement, and API access control are all an important step in securing APIs.
- Malicious User Detection: One useful application of AI/ML is to study, analyze, and draw conclusions about the behavior of clients interacting with APIs. Detecting and mitigating those users that appear to be malicious can help protect APIs from attack, compromise, and breach as one step of an overall API security approach.
- Configuration and Management: Improper configuration and management of APIs is responsible for far more breaches than it should be. Ensuring that APIs are not misconfigured and/or mismanaged is another key step when securing APIs.
- Behavioral Analysis: Behavioral analysis of the various logs collected from endpoints and APIs of an application is another good application of AI/ML and another important step when security APIs. It is an iterative process that continues over time and is continuously updated, improved, and honed.
While APIs can speed along innovation, they can also introduce new threats into the enterprise. Securing APIs is a noble, though complex journey. Security professionals can leverage a variety of approaches, including the 10 steps above to help secure their APIs.
Related: OWASP’s 2023 API Security Top 10 Refines View of API Risks
Related: OWASP Top 10 Updated With Three New Categories
