3 API Security Practices: Understanding the Essentials
By David Bisson
Organizations are increasingly turning to APIs. A 2021 study found that 61.3% of developers, executives, and engineering managers used more APIs in 2020 than the previous year, reported DEVOPSdigest. An additional 26.2% of respondents said that their API usage was consistent across those two years. As for 2021, 71.1% of developers expected to use more APIs by the end of the year than they did in 2020, with 21.2% planning to use the same number.
These findings help to underscore the rise of an “API-first philosophy” among a growing number of organizations. On a scale of 0-10, 67% of developers ranked themselves as a “5” or higher in reference to their embrace of an API-first philosophy. As noted by VentureBeat, this methodology is associated with producing APIs more quickly, deploying them more frequently, reducing the number of errors, and speeding up recovery if and when a failure occurs.
With Business Benefits Come Security Challenges
APIs are receiving so much attention these days because of their many business benefits. Among them is improved collaboration. IBM explained that APIs enable platforms and apps to communicate with one another. As such, organizations can utilize that communication to automate their workflows, tear down informational silos, and augment collaboration at work.
In addition, APIs can create new business opportunities and serve other important internal functions. Organizations can look to APIs to forge new business partnerships and offer new services, for instance. They can also use their APIs to sell access to valuable digital assets as part of the API economy. Finally, there’s improved security insofar as “APIs create an added layer of protection between your data and a server,” in the words of IBM.
That last point might be true, but APIs can create their own security issues if not properly secured. Such a process isn’t without certain challenges. For instance, consider the fact that each application is different from the next. The data, markups, and application logic reflect the extent to which a particular developer designed a particular app, noted Dark Reading. There might be common underlying API frameworks at play, but there are still enough variations in how APIs are designed to complicate protection—especially when done at scale.
Developers don’t always write documentation for their APIs or do so carefully. Absent this visibility, organizations will struggle to use their APIs to align their security and business objectives – you can’t control what you can’t see. Controls are especially challenging for internal APIs for which security teams increasingly need to account. Security or the business can get in each other’s way, per Dark Reading. In doing so, they can prevent organizations from efficiently pursuing their goals.
How Can Organizations Get Ahead of API Security Challenges?
Acknowledging the challenges discussed above, it’s not surprising that Gartner foresees API attacks becoming the most frequent attack vector this year. Hence the need for organizations to get ahead by practicing API security essentials. First, they need a reliable way to discover their APIs. Manual processes won’t do in this respect. These types of approaches are error prone and might leave organizations exposed if they fail to uncover all APIs.
“API documentation, while a best practice in itself, might not be done consistently,” observed Salt Security. “Automated discovery of API endpoints, parameters, and data types is crucial for all organizations.”
With that said, organizations need a way to discover APIs in lower environments and not just production. They can’t stop there, however. They need to include API dependencies and/or third-party APIs. They must also be able to tag and label their APIs and microservices.
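One way to automate the discovery the article calls for, reconciling gateway traffic against the documented inventory so that undocumented endpoints and parameters surface and each endpoint is tagged by environment (an added example, not code from the article or from Salt Security; the log format, the spec dictionary and all paths are constructed for illustration):

```python
# Added example: compare observed API traffic against documented endpoints to
# surface undocumented ("shadow") endpoints and parameters, tagged by environment.
import re
from collections import defaultdict

# Constructed, minimal OpenAPI-style inventory: documented endpoints -> query parameters.
DOCUMENTED = {
    "GET /v1/users/{id}": {"fields"},
    "POST /v1/orders": set(),
}

# Constructed gateway access log lines covering production and a lower environment.
LOG_LINES = [
    'env=prod method=GET path=/v1/users/42 query="fields=email"',
    'env=prod method=GET path=/v1/users/42 query="fields=email&debug=1"',
    'env=staging method=POST path=/v1/orders query=""',
    'env=staging method=GET path=/v1/admin/export query="format=csv"',
    'env=prod method=DELETE path=/v1/users/7 query=""',
]

LOG_RE = re.compile(r'env=(\S+) method=(\S+) path=(\S+) query="([^"]*)"')

def normalize(path: str) -> str:
    """Collapse numeric path segments to {id} so /v1/users/42 matches /v1/users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def discover(lines):
    """Return every observed endpoint (with envs and params), the undocumented
    endpoints, and documented endpoints that carry parameters the spec lacks."""
    observed = defaultdict(lambda: {"envs": set(), "params": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than silently mis-tagging them
        env, method, path, query = m.groups()
        key = f"{method} {normalize(path)}"
        observed[key]["envs"].add(env)
        observed[key]["params"].update(p.split("=")[0] for p in query.split("&") if p)
    undocumented = {k: v for k, v in observed.items() if k not in DOCUMENTED}
    extra_params = {k: v["params"] - DOCUMENTED[k] for k, v in observed.items()
                    if k in DOCUMENTED and v["params"] - DOCUMENTED[k]}
    return observed, undocumented, extra_params

if __name__ == "__main__":
    _, undocumented, extra = discover(LOG_LINES)
    for key, info in undocumented.items():
        print(f"UNDOCUMENTED {key} seen in {sorted(info['envs'])}")
    for key, params in extra.items():
        print(f"UNDOCUMENTED PARAMS on {key}: {sorted(params)}")
```

Run against the constructed lines it reports the staging-only export endpoint, a DELETE on users that no spec describes, and a `debug` parameter nobody documented; the same comparison works on real gateway logs once the regex matches their format.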
Second, organizations should consider extending identity and access management (IAM) to their APIs. In its Special Publication (SP) 800-204, the National Institute of Standards and Technology (NIST) specifically recommends that organizations define and provision access policies for APIs and their resources in an access server. With that foundation in place, it’s then possible to define and authorize access policies with a coarse level of granularity at the initial API gateway. Organizations can execute these same functions for access policies with a finer level of granularity closer to the microservices themselves.
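The two-layer model the NIST guidance describes, as an added example that is not from the article or from SP 800-204: a coarse scope check at the gateway keyed on the API prefix, and a fine-grained ownership check next to the orders microservice. The scopes, policy table and order store are all constructed for illustration.

```python
# Added example: coarse-grained authorization at the API gateway, fine-grained
# authorization next to the microservice. Policies assumed provisioned by an
# access server; here they are constructed in-line.
from dataclasses import dataclass

@dataclass
class Request:
    subject: str   # authenticated caller, as identified by the access server's token
    scopes: set    # scopes the access server granted to that caller
    method: str
    path: str      # e.g. /orders/1001

# Coarse-grained gateway policy: the scope each (method, API prefix) requires.
GATEWAY_POLICY = {
    ("GET", "/orders"): "orders:read",
    ("DELETE", "/orders"): "orders:admin",
}

# Constructed order store consulted by the microservice's fine-grained check.
ORDERS = {"1001": {"owner": "alice"}, "1002": {"owner": "bob"}}

def gateway_allows(req: Request) -> bool:
    """Coarse check: does the caller hold the scope this API prefix requires?
    Unknown (method, prefix) pairs are denied by default."""
    prefix = "/" + req.path.split("/")[1]
    required = GATEWAY_POLICY.get((req.method, prefix))
    return required is not None and required in req.scopes

def orders_service_allows(req: Request) -> bool:
    """Fine-grained check: may this particular subject touch this particular order?"""
    order = ORDERS.get(req.path.rsplit("/", 1)[-1])
    if order is None:
        return False
    if "orders:admin" in req.scopes:
        return True
    return req.method == "GET" and order["owner"] == req.subject

def authorize(req: Request) -> str:
    """Evaluate both layers in order; the gateway rejects before the service is reached."""
    if not gateway_allows(req):
        return "denied-at-gateway"
    if not orders_service_allows(req):
        return "denied-at-service"
    return "allowed"

if __name__ == "__main__":
    print(authorize(Request("alice", {"orders:read"}, "GET", "/orders/1001")))  # allowed
    print(authorize(Request("alice", {"orders:read"}, "GET", "/orders/1002")))  # denied-at-service
```

The second call is the case the gateway alone cannot catch: a properly authenticated caller with a valid scope reaching for another user's resource, which is why the finer check sits with the service that owns the data.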
IAM is not enough, however. Considering that 95% of API attacks are propagated by authenticated users, organizations must also deploy runtime protection to fully protect APIs.
Finally, TechBeacon notes that organizations should work to implement encryption using Transport Layer Security (TLS) to protect personally identifiable information (PII) and other data that their APIs might be handling. They can take things a step further by requiring signatures. This security measure will help to prevent unauthorized users from decrypting and viewing organizations’ protected information.
About the Author
David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence and Tripwire’s The State of Security Blog, and he’s a contributing writer for Bora.
He also regularly produces written content for Zix and a number of other companies in the digital security space.