Jul 09 2021

6 Steps to Improved API Security

Application programming interfaces are critical to businesses. Tech leaders must do more to protect them.

Application programming interfaces are the magic that makes the modern internet possible. They enable developers to easily connect to cloud-based and on-premises services from different vendors and offer their own customers the ability to programmatically interact with products and services.

As the glue that holds together modern technology environments, APIs are critical for thousands of businesses. They also raise potential security concerns, requiring attention from developers and cybersecurity professionals to ensure that they operate in a safe and secure manner.

In a recent survey of API developers and security professionals across industries, 91 percent of respondents admitted they had suffered an API security incident within the past year. That’s a shocking statistic that underscores the importance of securing these critical gateways to sensitive information and systems. Here are some steps teams can take today to begin shoring up their API security.

1. Put Strong Encryption in Place

Most API traffic travels over the open internet using the same HTTP protocol that supports web traffic. These days, no security-minded organization would run a website handling sensitive information without implementing the encrypted HTTPS protocol. The same should be true for APIs.

However, organizations can’t stop at verifying that API URLs begin with HTTPS. They should confirm that each endpoint negotiates only Transport Layer Security (TLS) 1.2 and 1.3, and that it explicitly refuses the older TLS 1.0 and 1.1 versions as well as the obsolete SSL protocol, so that an attacker cannot force a connection down to a protocol version with known weaknesses and eavesdrop on sensitive API traffic. A URL scheme says nothing about which versions a server will still accept, so this should be verified from the outside with a handshake probe, not assumed from the configuration.
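The two halves of that check, as an added example that is not code from the original article: a server-side TLS context that refuses anything below TLS 1.2, and a probe that attempts one handshake per protocol version against a live endpoint and reports which ones the server accepts. The target host name, the default port and the decision that an inconclusive probe counts as a failure are assumptions of this example.

```python
"""Enforce and verify a TLS 1.2+ policy for an API endpoint.

Added example, not code from the original article. The target host and
port are assumptions; the probe needs network access, so it only runs
from __main__.
"""
import socket
import ssl

# Versions to offer, oldest first. The Python ssl module cannot speak
# SSL 2.0/3.0 at all, so those cannot be probed from here.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that refuses anything below TLS 1.2.

    The caller still loads its certificate with ctx.load_cert_chain().
    maximum_version is left at the default, i.e. the newest the local
    OpenSSL supports (TLS 1.3 on current builds).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS-level compression (CRIME) is already off on modern Pythons; be explicit.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def _client_context_pinned_to(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses to offer TLS 1.0/1.1 at the default security
        # level; lower it so that the *server's* policy is what gets tested.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt one handshake per protocol version and report the outcome.

    'accepted'       the server completed a handshake at that version
    'rejected'       the server refused it (the desired result for old versions)
    'client_unable'  the local OpenSSL could not even offer that version
    """
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            ctx = _client_context_pinned_to(version)
        except (ssl.SSLError, ValueError):
            results[name] = "client_unable"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = "accepted"
        except OSError:  # ssl.SSLError, timeouts and resets all land here
            results[name] = "rejected"
    return results


def tls_policy_ok(results: dict) -> bool:
    """True only when TLS 1.0/1.1 were positively rejected and TLS 1.2 or 1.3 works.

    A 'client_unable' result for a legacy version is inconclusive and is
    deliberately treated as a failure so that someone investigates it.
    """
    legacy_refused = all(results.get(v) == "rejected" for v in ("TLSv1", "TLSv1_1"))
    modern_works = any(results.get(v) == "accepted" for v in ("TLSv1_2", "TLSv1_3"))
    return legacy_refused and modern_works


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"  # assumed host
    outcome = probe_tls_versions(target)
    for name, state in outcome.items():
        print(f"{name:8s} {state}")
    print("policy OK" if tls_policy_ok(outcome) else "policy VIOLATION or inconclusive")
```

Run it as `python probe.py api.example.com` against your own endpoint. The client context pins both `minimum_version` and `maximum_version` to a single value, so a successful handshake proves the server accepted exactly that version rather than negotiating something newer.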


2. Require Authentication and Protect Access Keys

Almost all APIs should require authentication before granting access to information or allowing transactions. While some APIs are intended for open, public access, the vast majority should be restricted to authenticated callers. The most common mechanism is the API key, which serves as the caller’s password: it is sent with every request, preferably in an HTTP header rather than the query string (query strings end up in access logs, proxies and browser histories), and the server uses it to identify the caller and then look up what that caller is permitted to do. Authentication and authorization are separate questions, and a valid key answers only the first.

API keys must be protected from unauthorized disclosure just as organizations protect and manage sensitive passwords: store only a hash of the key on the server side, keep keys out of source code and version control, scope each key to the minimum it needs, and rotate or revoke keys on a schedule and on any suspicion of compromise. If you don’t believe it, just ask organizations that lost control of their cloud service provider’s API keys and had their accounts taken over by cryptocurrency miners. Bills for this fraudulent use can quickly run into the tens of thousands of dollars.
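A server-side implementation of the key handling described in this step, as an added example that is not code from the original article: keys carry a public identifier plus a secret, only a hash of the secret is stored, comparison is constant-time, and the key’s scopes drive a separate authorization decision. The `ak_<id>.<secret>` format, the `X-API-Key` header, the in-memory store and the sample principals are assumptions of this example.

```python
"""Issue and verify API keys without storing them in clear text.

Added example, not code from the original article. The key format,
the "X-API-Key" header, the in-memory store and the sample scopes are
assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyRecord:
    principal: str           # who the key belongs to
    key_hash: bytes          # SHA-256 of the secret; the secret itself is never stored
    scopes: frozenset        # what the key may do (authorization, not authentication)
    revoked: bool = False


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class ApiKeyStore:
    """Keys look like 'ak_<key_id>.<secret>'.

    key_id is a public lookup handle; only a hash of the secret is kept,
    so a leaked key table does not yield usable credentials.
    """

    def __init__(self) -> None:
        self._records: dict = {}

    def issue(self, principal: str, scopes: set) -> str:
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(principal, _digest(secret), frozenset(scopes))
        return f"ak_{key_id}.{secret}"  # shown to the caller exactly once

    def revoke(self, key_id: str) -> None:
        if key_id in self._records:
            self._records[key_id].revoked = True

    def authenticate(self, presented: Optional[str]) -> Optional[KeyRecord]:
        """Return the record for a valid, unrevoked key, or None. Never raises on bad input."""
        if not presented or not presented.startswith("ak_") or "." not in presented:
            return None
        key_id, _, secret = presented[3:].partition(".")
        record = self._records.get(key_id)
        if record is None or record.revoked:
            # Existence of a key_id is not secret, so returning early here is fine.
            return None
        # Constant-time comparison of the two digests defeats timing side channels.
        if not hmac.compare_digest(record.key_hash, _digest(secret)):
            return None
        return record


def authorize(store: ApiKeyStore, headers: dict, needed_scope: str) -> tuple:
    """Return (HTTP status, message) for a request that carries X-API-Key."""
    record = store.authenticate(headers.get("X-API-Key"))
    if record is None:
        return 401, "invalid or missing API key"
    if needed_scope not in record.scopes:
        return 403, f"key for {record.principal} lacks scope {needed_scope}"
    return 200, f"ok: {record.principal}"


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("billing-service", {"invoices:read"})
    print("issued:", key)
    print(authorize(store, {"X-API-Key": key}, "invoices:read"))    # (200, ...)
    print(authorize(store, {"X-API-Key": key}, "invoices:write"))   # (403, ...)
    print(authorize(store, {"X-API-Key": key + "x"}, "invoices:read"))  # (401, ...)
```

Returning 401 for an unknown or revoked key and 403 for a valid key without the needed scope keeps the two questions (who are you, what may you do) distinct in logs and in client error handling.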

3. Control the Number of User Requests

Not every flood of API requests is an attack. Sometimes a single, authorized user with ambitious plans can overwhelm an API with a burst of requests designed to retrieve large amounts of information, rapidly check changing prices or probe for available inventory. Left unchecked, these requests can exceed the capacity of the back-end servers and render the API inaccessible to other legitimate users.

Organizations offering APIs to customers and the public should implement situation-specific rate limiting that throttles requests to whatever level the organization deems appropriate. Limits should be keyed to the authenticated caller (or to the client address for unauthenticated traffic), may vary for different types of users, and should account for the overall capacity of the service. Some limits may only take effect during periods of high demand. A throttled request should be answered with HTTP 429 and a Retry-After header so that well-behaved clients can back off rather than retry immediately.
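A per-caller token-bucket limiter with tiered limits and a Retry-After value, as an added example that is not code from the original article. The tier names and numbers are assumptions, and the clock is injectable so the behaviour can be checked without waiting on wall time.

```python
"""Per-caller token-bucket rate limiting with tiered limits.

Added example, not code from the original article. The tier names, the
limits and the injectable clock are assumptions chosen so that the
example is deterministic.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Tier:
    rate_per_sec: float  # sustained requests per second
    burst: int           # how many requests may arrive at once


# Different limits for different kinds of user; the numbers are assumed.
TIERS = {
    "anonymous": Tier(rate_per_sec=1.0, burst=5),
    "free": Tier(rate_per_sec=5.0, burst=20),
    "partner": Tier(rate_per_sec=50.0, burst=200),
}


class TokenBucketLimiter:
    """One bucket per key (API key, user id or client address)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._buckets: dict = {}  # key -> (tokens, last_refill_time)

    def check(self, key: str, tier_name: str) -> tuple:
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        tier = TIERS[tier_name]
        now = self._clock()
        tokens, last = self._buckets.get(key, (float(tier.burst), now))
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(float(tier.burst), tokens + (now - last) * tier.rate_per_sec)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True, 0
        self._buckets[key] = (tokens, now)
        # Seconds until one whole token accrues, rounded up for Retry-After.
        return False, math.ceil((1.0 - tokens) / tier.rate_per_sec)


def handle(limiter: TokenBucketLimiter, key: str, tier_name: str) -> tuple:
    """Return (HTTP status, response headers) for a request from `key`."""
    allowed, retry_after = limiter.check(key, tier_name)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(retry_after)}


if __name__ == "__main__":
    limiter = TokenBucketLimiter()
    for i in range(7):
        print(i, handle(limiter, "ak_demo", "anonymous"))  # 5 x 200, then 429
```

Because the bucket is keyed on the caller rather than global, one ambitious user exhausts only their own allowance; the partner tier's larger burst is what lets a legitimate bulk client fetch a page of results without being throttled.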

4. Conduct API Security Tests Frequently

APIs expose HTTPS endpoints to the world, and it is inevitable that adversaries will put them to the test, probing for security vulnerabilities. Security teams should include API endpoints in their application security testing efforts. This should include predeployment testing, routine automated vulnerability scans and periodic penetration tests designed to ferret out security issues before they’re discovered by an attacker.


Fortunately, many of the application security assessment tools that cybersecurity teams use to test web applications can also probe APIs. It takes some effort from the team to configure the scans up front, typically by supplying the API definition (such as an OpenAPI specification) and valid test credentials so that the scanner can reach authenticated endpoints rather than stopping at the login wall, and to monitor their progress. When scans detect potential API security issues, those results should feed automatically into the organization’s vulnerability management workflow.

5. Ensure Application Inputs Are Valid

No sane developer would deploy a web application in today’s world without performing input validation. It’s now common knowledge that attackers will probe the limits of any web application and seek to use unexpected input to perform SQL injection, cross-site scripting and other web application attacks.

APIs are vulnerable to many of the same issues and should be protected with the same input validation. The preferred approach is an allow list that specifies exactly the type, length or range, format and, where applicable, the permitted values of every API input, and that rejects any field the API did not ask for. A deny list that blocks known-bad patterns is the minimum, but it is only a fallback: attackers routinely bypass deny lists with alternate encodings and variations the list did not anticipate, so it should never be the only control.
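An allow-list validator for a JSON request body, as an added example that is not code from the original article. The schema for a hypothetical "create order" endpoint, the size limit and the sample requests are assumptions of this example; the point it demonstrates beyond the text is that rejecting unknown fields closes the door on parameters the client was never meant to set.

```python
"""Allow-list validation of a JSON API request body.

Added example, not code from the original article. ORDER_SCHEMA, the
body size limit and the sample inputs are assumptions.
"""
import json
import re
from typing import Any, Optional

# Field -> rule. Anything not listed here is rejected outright (allow list).
ORDER_SCHEMA = {
    "sku": {"type": str, "pattern": re.compile(r"[A-Z0-9]{3,12}")},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note": {"type": str, "max_len": 200, "optional": True},
    "currency": {"type": str, "choices": {"USD", "EUR", "GBP"}},
}

MAX_BODY_BYTES = 4096  # assumed limit; refuse oversized bodies before parsing


def validate_order(raw_body: bytes) -> tuple:
    """Return (clean_object, errors). clean_object is None when any error exists."""
    errors = []
    if len(raw_body) > MAX_BODY_BYTES:
        return None, [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        data = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return None, ["body is not valid JSON"]
    if not isinstance(data, dict):
        return None, ["body must be a JSON object"]

    # Fields the schema never mentioned are the classic mass-assignment
    # vector (think "is_admin": true); reject them instead of ignoring them.
    for key in sorted(data.keys() - ORDER_SCHEMA.keys()):
        errors.append(f"unexpected field {key!r}")

    clean: dict = {}
    for name, rule in ORDER_SCHEMA.items():
        if name not in data:
            if not rule.get("optional"):
                errors.append(f"missing field {name!r}")
            continue
        value = data[name]
        # bool is a subclass of int in Python; a JSON true must not pass as 1.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{name!r} must be {rule['type'].__name__}")
            continue
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name!r} has invalid format")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name!r} longer than {rule['max_len']}")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name!r} below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name!r} above maximum {rule['max']}")
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"{name!r} not one of {sorted(rule['choices'])}")
        clean[name] = value
    return (clean, []) if not errors else (None, errors)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        b'{"sku": "ABC123", "quantity": 2, "currency": "USD"}',
        b'{"sku": "ABC123", "quantity": 2, "currency": "USD", "is_admin": true}',
        b'{"sku": "abc", "quantity": 0, "currency": "XXX"}',
        b'{"sku": "ABC123", "quantity": true, "currency": "USD"}',
    ]
    for body in samples:
        print(body.decode(), "->", validate_order(body))
```

Note that the validator returns the cleaned object rather than the raw parsed body; downstream code should consume only `clean`, so that a field which slipped past validation in some future change cannot reach the database layer by accident.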

6. Get Full Coverage with an API Gateway

Securing and monitoring APIs is difficult work. API gateways are specialized platforms that consolidate this work, allowing developers and security teams to centrally create and enforce security policies. They also relieve developers of a significant portion of the security burden by providing authentication, authorization, rate limiting and other security controls to the APIs they front. A gateway enforces policy at the edge, however; it cannot tell whether an authenticated caller is asking for a record that belongs to someone else, so authorization checks on individual objects still belong in the service behind it. Organizations with significant investments in customer-facing APIs should strongly consider using API gateways if they are not already doing so.

APIs are incredibly powerful tools that can help an organization advance its business goals and better integrate with customers, vendors and business partners. However, these tools also open up the organization’s technology infrastructure, requiring careful security measures to protect sensitive information and systems. Organizations using APIs should carefully assess the state of their API security controls and implement an ongoing API security program.
