APIs are the building blocks of extraordinary digital experiences, but if you’re not properly managing them, they can also be a security risk. It seems like every day, you hear about improperly-exposed APIs and major security leaks.
SALT’s 2024 State of API Security report found virtually all enterprises (95%) have experienced security problems in production APIs, with 23% having experienced a breach. And a new Imperva security report shows that API traffic constituted over 71% of web traffic last year – providing a larger surface area for potential attacks and security risks.
So, what can you do to protect your business? Here are some things to think about regarding API security best practices, why it’s essential to prioritize your API security, and how to choose the right API security tools.
What Is API security?
API security refers to the measures and practices implemented to protect APIs from unauthorized access, data breaches, and other security threats. It involves implementing authentication, authorization, encryption, and other security mechanisms to safeguard APIs and the sensitive data they handle.
It should also include monitoring and auditing API activity to detect and respond to any potential security incidents.
Because APIs serve as the interface between different software applications and systems, they can inadvertently offer up a backdoor to your most sensitive data.
To protect your APIs, you need to secure and operationalize new and existing APIs by implementing a defense-in-depth strategy, regardless of development or deployment. Take a layered approach to make sure that your APIs are secure from end to end.
Approach API security from multiple fronts
If you are building APIs – and you should be – you need API best practices to be successful. To open up your APIs to a larger ecosystem and develop partnerships, it’s time to gear up for the battle of possible breaches.
From multi-clouds to third-party platforms, there are many ways that hackers can try to get to you. So, you can’t expect to win this battle using only one strategy or only protecting one area. Your approach must be varied. And your protection should be multifaceted.
API Security Tools and Best Practices
Here are the areas of API security that you should be looking at first.
Start with authentication
One measure that is almost always needed early in the transaction flow is authentication. User authentication establishes the identity of the end user from a token or process flow, often alongside API key/secret validation to identify an application and device registration to identify a particular user-app-device combination.
User authentication often depends on integration with an internal or external identity store, which will vary based on the potential audience for your application, whether employees, B2B partners, or consumers. Authentication tokens themselves must then be secured to protect them from compromise or re-use.
See also: How to easily secure your APIs with API keys and OAuth
Authorization is extremely important
From there, you can authorize whether the user gets access to the API operations being called, and the data being returned. Authorization should be done at multiple levels of granularity, validating the access rights for both the user and application to a particular API, operation, and HTTP method.
The data being retrieved must also match the access rights of the authenticated user at both an object level (a patient can only get their own records) and at a field level (a customer shouldn’t see internal notes on their account).
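The two checks described above, as an added example that is not part of the original article: a record lookup that first enforces object-level access (a patient may only read their own record) and then field-level access (only a clinician sees internal notes). The records, roles and field lists are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: patient id -> record including an internal-only field.
RECORDS = {
    "p-100": {"id": "p-100", "name": "Ada", "diagnosis": "flu", "internal_notes": "VIP"},
    "p-200": {"id": "p-200", "name": "Bob", "diagnosis": "cold", "internal_notes": "late payer"},
}

# Field-level policy as a positive list: which fields each role may see.
VISIBLE_FIELDS = {
    "patient": {"id", "name", "diagnosis"},
    "clinician": {"id", "name", "diagnosis", "internal_notes"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str                      # authenticated subject taken from the token
    role: str                         # "patient" or "clinician" (assumed roles)
    patient_id: Optional[str] = None  # the patient record this user owns, if any


class Forbidden(Exception):
    pass


def get_record(principal, requested_id):
    """Return the requested record, projected onto the fields the caller may see."""
    record = RECORDS.get(requested_id)
    # Object-level check. "Missing" and "not yours" produce the same error so a
    # caller cannot enumerate which ids exist.
    if record is None:
        raise Forbidden("not found")
    if principal.role == "patient" and principal.patient_id != requested_id:
        raise Forbidden("not found")
    if principal.role not in VISIBLE_FIELDS:
        raise Forbidden("not found")
    # Field-level check: keep only allow-listed fields rather than stripping a
    # deny-list, so a newly added sensitive field is hidden by default.
    allowed = VISIBLE_FIELDS[principal.role]
    return {key: value for key, value in record.items() if key in allowed}
```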
API expert Erik Wilde shares a real-life example of how data vulnerabilities can come about in his discussion of API security best practices.
Traffic management is a must
Managing the volume and rate at which transactions come into your applications can protect against denial-of-service attacks and other issues that would impact server performance or availability and degrade the end user experience.
Rate limits should be implemented to protect against specific clients or users, as well as globally to cover the overall traffic allowed across all clients. Individual APIs or operations may need custom rate limits to account for specific business impact, ability to scale, or infrastructure/resource costs.
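The layered limits described above, as an added example that is not part of the original article: a token-bucket limiter that checks a per-client budget and a global budget, so one client can be throttled without starving the rest. The capacities, rates and injected clock are constructed for illustration.

```python
import time


class TokenBucket:
    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def try_take(self, now):
        # Refill in proportion to elapsed time, capped at the bucket capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    def __init__(self, client_capacity, client_rate, global_capacity, global_rate,
                 clock=time.monotonic):
        self.clock = clock                      # injectable for deterministic tests
        self.client_cfg = (client_capacity, client_rate)
        self.global_bucket = TokenBucket(global_capacity, global_rate, clock())
        self.clients = {}                       # client id -> TokenBucket

    def allow(self, client_id):
        """Return the HTTP status the gateway should answer with for this request."""
        now = self.clock()
        bucket = self.clients.get(client_id)
        if bucket is None:
            bucket = self.clients[client_id] = TokenBucket(*self.client_cfg, now)
        # Per-client check first: a noisy client is cut off before it can
        # consume the shared global budget.
        if not bucket.try_take(now):
            return "429 client limit"
        if not self.global_bucket.try_take(now):
            bucket.tokens += 1.0  # refund: the request was not served
            return "429 global limit"
        return "200"
```

The per-client map grows with every distinct client id; a production deployment expires idle buckets.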
In a recent API security webinar, we shared how these types of measures can be essential to securing APIs. Unfortunately, as this cautionary tale shows, the problem isn’t always coming from outside the enterprise.
Threat protection
It doesn’t always take a large volume of traffic to impact the security or availability of an API. It’s also important to protect against malicious messages that can leverage vulnerabilities to extract data, crash a server, or otherwise compromise the integrity of the application. Examples include SQL injection, code injection, and cross-site scripting attacks.
Recently, the email addresses of some 2.68 million users of the popular language-learning platform Duolingo were compromised (and are being sold online) after a data breach in early 2024. It’s believed the data was accessed by scraping Duolingo’s database via an improperly exposed API.
Web scraping is driven by bots/web crawlers. It works in much the same way as search engines do. But web scraping targets (and retrieves) specific data from a website. And all of this snooping (and stealing) wastes resources and creates cost overruns.
Some of these types of attacks can be protected against with blacklists or filters that get updated after novel attacks are discovered, but this type of negative security model remains vulnerable to new and unexpected exploits.
A positive security model carefully defines the expected transaction structure, content, and volume, and rejects anything that doesn’t comply with that expectation. Leveraging schema validation, network whitelists, and other positive security methods in addition to more reactive approaches makes for a more comprehensive security posture.
In conjunction with careful traffic management, you can also protect against dictionary attacks and other brute force approaches that leverage otherwise valid requests.
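The positive security model described above, as an added example that is not part of the original article: the expected shape of a request body is declared once, and anything outside it (unknown fields, wrong types, oversize values, disallowed characters) is rejected, rather than matching known-bad patterns. The schema, size limit and sample requests are constructed for illustration.

```python
import json
import re

# Expected structure of a constructed POST /orders body:
# field -> (type, max length for str or (min, max) for int, optional regex)
ORDER_SCHEMA = {
    "sku": (str, 16, re.compile(r"^[A-Z0-9-]+$")),
    "quantity": (int, (1, 100), None),
    "note": (str, 200, None),
}
REQUIRED = {"sku", "quantity"}
MAX_BODY_BYTES = 1024


def validate_order(raw):
    """Return (ok, errors); only bodies matching the schema exactly pass."""
    if len(raw) > MAX_BODY_BYTES:
        return False, ["body too large"]
    try:
        body = json.loads(raw)
    except ValueError:
        return False, ["not valid JSON"]
    if not isinstance(body, dict):
        return False, ["body must be an object"]
    errors = [f"missing field: {name}" for name in sorted(REQUIRED - body.keys())]
    for name, value in body.items():
        spec = ORDER_SCHEMA.get(name)
        if spec is None:
            errors.append(f"unexpected field: {name}")  # not declared, so denied
            continue
        expected_type, bound, pattern = spec
        # bool is a subclass of int in Python; exclude it explicitly.
        if not isinstance(value, expected_type) or isinstance(value, bool):
            errors.append(f"wrong type for {name}")
            continue
        if expected_type is str and len(value) > bound:
            errors.append(f"{name} too long")
        if expected_type is int and not (bound[0] <= value <= bound[1]):
            errors.append(f"{name} out of range")
        if pattern is not None and not pattern.match(value):
            errors.append(f"{name} has disallowed characters")
    return not errors, errors
```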
Do you need to reconsider your API security strategy? Here are 5 questions to ask yourself.
Privacy and integrity
It is absolutely critical to make sure that transactions are flowing from end-to-end, device-to-server, without being intercepted or tampered with. Privacy must be ensured by protocol-level encryption throughout, and some use cases will require additional message- or field-level encryption.
Digital signatures can be leveraged for messages, fields, or authentication/authorization tokens to ensure that all parties involved in the transaction are legitimate and that transactions haven’t been modified to accomplish malicious goals.
Why you need an API gateway
While all these capabilities are important for securing your APIs, how you implement them is just as important. They rely on complex, ever-changing standards and specifications that are difficult to get exactly right, and they need to be quickly scalable across all your APIs.
These security policies should be configured, not coded, leveraging a specialized solution that conforms to the specifications but simplifies the developer experience.
An API gateway offers just that: point and click policy authoring deployed to a robust, scalable enforcement point. It’s flexible enough to address your most sophisticated use cases, while removing the risk that an improperly coded security standard will introduce a vulnerability to your application.
As standards change or new vulnerabilities are discovered, you can rely on proven experts to keep the solution up-to-date and to align the gateway infrastructure/policy deployment with your modern development and deployment practices.
See also: You know where your laptops and software licenses are. What about your APIs?
Threat analytics
Even with all these security mechanisms in place, it’s still difficult to protect an application if end-user credentials or devices are compromised, or if there is an internal threat.
In these circumstances, threat analytics can be a valuable addition to the stack, leveraging long-running patterns to identify anomalies in traffic volumes or schedules, user/role behavior, or multi-API call chains that might represent malicious activity.
Threat analytics solutions identify these anomalies for additional research and potential mitigations, and they integrate cleanly with API gateway infrastructure. It’s a great way to find out where you might be vulnerable, rather than learning from a mistake (after an attack has occurred).
Take a “Zero Trust” approach
A zero-trust posture starts with the assumption that a breach has potentially already happened and that all requests can be hostile, and then leverages the above processes and tools to ensure that data and application assets are still protected. It grants “least access” privileges by default, with additional access granted only for specific need, to specific users/applications/devices, and constantly verified.
Authentication, authorization, and other security policies must be rigorous, context-based, and continually monitored. More than just an API security tool, an API gateway can be a key component in adopting a zero-trust model for your business.
Application security teams should empower the zero-trust approach to enhance threat prevention across all major API security risks equally. These include:
- Broken object-level authorization
- Broken user- and function-level authorization
- Excessive data exposure
- Lack of resources and rate limiting
- Security misconfiguration
- Insufficient logging and monitoring
Hackers will have a harder time breaking into your internet properties as a result. And as Erik Wilde says, security requires a combination of technology and processes.
How an API marketplace can help enforce and automate API security
A comprehensive API security posture involves more than just securing the interfaces and provisioning access. It also includes managing the lifecycle of all your APIs and other application assets, to ensure you have visibility and control over your entire digital portfolio.
Axway’s Amplify Enterprise Marketplace discovers APIs deployed on and managed by many diverse API platforms, including cloud gateways from AWS and Azure; it also discovers unmanaged APIs from code repositories and other registries.
Because it is built on our universal/federated API management solution, Amplify Marketplace makes it possible to discover secured and unsecured APIs across multiple deployments and vendors. Non-obtrusive agents allow you to automate discovery and monitoring of new APIs, too.
Marketplace is also a powerful tool to help your enterprise govern, productize, and monetize APIs. But when it comes to securing APIs, the following features are especially valuable:
- Discover unmanaged APIs and automate identification of non-compliance services
- Select and promote only approved, curated assets for inclusion in Marketplace
- Leverage prebuilt security policies or customize your own to protect your business
Amplify Platform aggregates different asset types – REST, SOAP, GraphQL, gRPC, events, and more – in a unified view, and empowers providers to manage the API lifecycle and provide a rich consumer experience. You gain accurate insights into your digital assets around compliance, subscription, usage, performance, and more; additional governance can then be applied in the API gateway to complete the picture.
An API management platform does more than secure your APIs or enforce security policies. You can manage the entire API lifecycle, maximize reuse, drive API consumption, increase organizational efficiencies, and monetize your assets. It’s time to start delivering secure business outcomes with your APIs.
Discover how Amplify Enterprise Marketplace helps unify cross-team API governance and security.