2. Require Authentication and Protect Access Keys
Almost all APIs should require authentication before granting users access to information or allowing them to perform transactions. While some APIs may be intended for open, public access, the vast majority should be restricted to authenticated users. The most common way to achieve this goal is the use of API keys that serve as a users’ passwords. The API key is sent with every request and is used to validate users’ identities and confirm their access authorizations.
API keys must be protected from unauthorized disclosure just as organizations protect and manage sensitive passwords. If you don’t believe it, just ask organizations that lost control of their cloud service provider’s API keys and had their accounts taken over by cryptocurrency miners. Bills for this fraudulent use can quickly run into the tens of thousands of dollars.
3. Control the Amount of User Requests
Not all API attacks have malicious intent. Sometimes a single, authorized user with ambitious plans can overwhelm an API with a flood of requests designed to retrieve large amounts of information, rapidly check changing prices or probe for available inventory. Left unchecked, these requests can exceed the available capacity of the back-end servers and render the API inaccessible to other legitimate users.
Organizations offering APIs to customers and the public should implement situation-specific rate limiting that throttles user requests to whatever level the organization deems appropriate. These limits may vary for different types of users and should account for the overall capacity of the service. Some rate limits may only go into effect during periods of high demand.
4. Conduct API Security Tests Frequently
APIs expose HTTPS endpoints to the world, and it is inevitable that adversaries will put them to the test, probing for security vulnerabilities. Security teams should include API endpoints in their application security testing efforts. This should include predeployment testing, routine automated vulnerability scans and periodic penetration tests designed to ferret out security issues before they’re discovered by an attacker.
Fortunately, many of the application security assessment tools that cybersecurity teams use to test web applications are also capable of performing API probes. It just takes some effort from the team to configure the scans up front and monitor their progress. When scans detect potential API security issues, those results should feed automatically into the organization’s vulnerability management workflow.
5. Ensure Application Inputs Are Valid
No sane developer would deploy a web application in today’s world without performing input validation. It’s now common knowledge that attackers will probe the limits of any web application and seek to use unexpected input to perform SQL injection, cross-site scripting and other web application attacks.
APIs are also vulnerable to many of the same issues, and they should also be protected with input validation routines. In the best case, developers should use an “allow list” approach that specifies exactly the type and quantity of data that is allowable for any API input variable. At a minimum, they should implement a “deny list” approach that blocks potentially malicious input.
6. Get Full Coverage with an API Gateway
Securing and monitoring APIs is difficult work. API gateways are specialized platforms that consolidate this work, allowing developers and security teams to centrally create and enforce security policies. They also relieve developers of a significant portion of the security burden by providing authentication, authorization, rate limiting and other security controls to the APIs that they service. Organizations with significant investments in customer-facing APIs should strongly consider using API gateways if they are not already doing so.
APIs are incredibly powerful tools that can help an organization advance its business goals and better integrate with customers, vendors and business partners. However, these tools also open up the organization’s technology infrastructure, requiring careful security measures to protect sensitive information and systems. Organizations using APIs should carefully assess the state of their API security controls and implement an ongoing API security program.