Best Practices to Protect Your APIs
By PJ Bradley
Application programming interfaces, or APIs, are a staple of the internet today. An API facilitates communication between an application and an external program to ease the exchange of information, including website log-in procedures and online payment processing. They are also useful for collaboration and integration within and between organizations who need to consolidate information. Because APIs are versatile and constantly changing, they are uniquely difficult to secure, and industry professionals must keep up with and adapt to the challenges that API security presents.
API security is vital to the protection of consumer and business data, as an API can handle an abundance of information from a variety of sources. They can be vulnerable to attacks due to gaps in business logic, allowing bad actors to take advantage and leak data, deploy malware, or otherwise sabotage the consumers or businesses whose data is processed by that API. As the attack surface has rapidly increased in recent years, so has the number of API attacks. One recent report shows that “95% of companies have had an API security incident in the last 12 months”.
Best practices during development and testing
Protecting APIs starts during the development phase. Something that may seem small at the time could lead to catastrophic consequences down the line. Secure coding and configuration practices are crucial to establish a good foundation for a secure interface. There are resources available to aid in this endeavor, such as the OWASP Application Security Verification Standard (ASVS). It is also important to conduct design reviews that include business logic in order to identify and ameliorate as many potential problems as possible before production.
Another significant factor in creating a secure API is documentation. Documenting an API can allow people to understand the construction of the software as well as how it is integrated with other programs. The documentation of an API is important for carrying out design reviews and security testing. It is recommended to use a machine format to document an API to make testing and protection easier. Keeping an API inventory is also important, as it provides a full picture of the potential attack surface that needs to be secured.
In developing an API, it is best not to expose more data than necessary. Many APIs share excessive amounts of data and let the client program filter for the information that it requires, but this leaves sensitive data open to attacks unnecessarily. In an API attack, such as the 2018 T-Mobile data breach, any excess data being shared between client and server programs is just as vulnerable as the necessary data that is exchanged.
Finally, it is crucial when performing security testing to use methods that are effective for APIs specifically. As many of the issues with API security are problems with business logic, automated testing and scanners may not catch the gaps that need to be fixed. Instead, API testing should consist of analysis and fuzz testing in runtime.
Best practices during production
As with development and testing, much of the work of securing an API in production consists of making sure that everything is monitored and documented. Logging and monitoring provide a view of how an API behaves regularly so that attacks and other issues can be detected more easily. This includes identifying when an API changes its behavior and updating documentation to match, ensuring that the API is functioning as documented. Runtime protection should be able to identify misconfigurations in the infrastructure, as well as catch any abnormal behavior that could indicate an attack on the API, such as attempts at credential stuffing or brute forcing.
It also helps to use mediation tools and network security controls to bolster API security.
Encrypting data sent by APIs and using rate limiting both help to protect against certain forms of attack. Mediation tools such as API gateways can also provide an added layer of security by increasing the number of necessary steps taken in order to access private data.
Perhaps most importantly is consistent, frequent, and thorough authorization and authentication. Ensuring that access controls and identity stores are external to the API and using tools such as public key infrastructure and secrets management can protect against potential attacks and data breaches. An API that employs a variety of different tactics to this end will be more likely to stop bad actors from gaining access.
API security is becoming a pressing issue in the cybersecurity industry, with big name companies joining the struggle by introducing their own API security initiatives and raising awareness of the importance of API security. While APIs and cybercriminals alike are constantly evolving, professionals are working to counteract and circumvent the issues that can lead to API breaches and attacks. Some of the most vital tips to secure APIs come down to simply monitoring and documenting API software and behavior to make it possible to identify abnormalities and weaknesses. While there are many issues that can potentially surface during development and testing or production, there are also tactics to combat those issues, and employing these tactics is the best way to protect an API from attacks.
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest.
Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora.