In the world of cybersecurity, the spotlight often shines on protecting applications, networks, and individual accounts. Application programming interfaces (APIs), on the other hand, present their own set of challenges to secure. APIs account for a significant portion of internet traffic and handle massive amounts of information from a wide variety of programs and applications; consequently, they make for an appealing target in the eyes of cybercriminals. As Salt Security’s article on API security calls them “the building blocks of modern applications,” it is necessary for APIs to be understood and adequately protected.
What Makes API Security Special
API security is both uniquely important and uniquely difficult. Every API is different, so what works to secure one API might not secure another. Additionally, APIs are constantly changing, and the rapid pace of development often outstrips the capabilities of an enterprise’s ability to document it. Correct and current documentation is vital for API security, and letting it fall to the wayside means that even known problems cannot be resolved.
The common security solutions in place, such as API gateways and management tools, are not intended to prevent attacks on APIs. Most successful attacks on APIs are not of the sort that exploit known weaknesses; rather, attackers aim to take advantage of gaps in business logic that cannot be detected by traditional testing or scanning. Some of these attacks are attempting full account takeover, looking to gain access to account credentials and API keys, which can have a massive impact on companies and consumers.
How to Secure APIs
The nature of APIs means that securing them against attacks is a difficult undertaking. While fundamental software security principles are useful to an extent in API security, they cannot account for the specific challenges that APIs present. Fortunately, with the proper expertise and education, it is entirely feasible to handle API security just as successfully as any other kind of security. During development and testing as well as production, there are measures to be taken to ensure the best possible protection against attacks.
Development and Testing
The first step in any case is to ensure secure coding and configuring processes in building and integrating the API. While it is impossible for developers to create perfectly secure code every time, there are resources available to help guide secure API design. One major concern is to avoid excessive data exposure, making sure that the API sends only the information that is required, rather than transmitting extraneous data and allowing the client application to filter for what it needs. One of the most common types of attacks on APIs targets this excess data, often by bypassing the client application entirely.
Documentation is absolutely crucial for API security. Maintaining accurate and up-to-date documentation means that important information about how an API is built and integrated is available when needed. This includes during design reviews and security testing, when having inaccurate or outdated information might mean overlooking significant gaps in protection that would come to light if the API were documented properly. Using a machine format such as OpenAPI Specification (OAS) to document APIs means that the specs can be used for testing and protection.
In addition to documenting each API individually, it is also highly recommended to keep a careful API inventory, so that security teams have an understanding of the total attack surface. Using tools that automatically detect different API formats makes this task easier. If an API is not known to security teams, they cannot work to defend it against attacks.
Conducting design reviews is an essential part of developing any product, and APIs are no different in that respect. Evaluating an API in this way not only ensures that it effectively fulfills its intended purpose, but can also help to find and identify flaws, making it possible to ameliorate them early on so they don’t pose a problem down the line.
Design reviews should include business logic, as scanners are often not able to detect gaps that could prove to be advantageous to attackers. Security testing tools can, however, identify configuration issues and vulnerabilities. Analysis and fuzz testing can be used to find exploitable code.
Runtime Protecting - the Most Immediate Value
The work of protecting an API does not end after development and testing are complete; on the contrary, the most vital aspect of API security is runtime protection of APIs already in production. The foundation of protecting APIs at this stage are dynamic discovery and attack detection and prevention. Companies need tooling that can baseline typical user and API behavior to get the necessary context for identifying anomalies the platform can raise as potential threats.
In addition, it is necessary to be able to detect when API drift has occurred. API security tooling can analyze API behavior, compare it to the documentation available, and identify any discrepancies. With this information, the documentation can be updated to match the current behavior of the API.
Continuous authentication and authorization is another key factor in protecting APIs against attacks. Tools like Identity and Access Management (IAM), public key infrastructure, and key management can all be of use in this respect. By keeping access controls and identity stores external and avoiding using API keys for authentication, layers of security are added, making it far less likely for an attacker to successfully infiltrate and reach sensitive areas.
Finally, deploying runtime protection is an important factor in the process of securing an API. Runtime protection tools should be able to identify any potential configuration issues in the infrastructure of the API, as well as detecting abnormal behaviors like brute forcing or credential stuffing.
On the whole, API security can be a daunting topic, but these foundational guidelines should help to create a successful security strategy. Understanding the challenges inherent to API security and the importance of protecting APIs against attacks is half of the battle. Every step of the way, everybody who works on an API should have security best practices at the forefront of their mind.
About the Author:
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
