An Application Programming Interface (API) is a set of defined rules that enable different applications to communicate with each other. It acts as an intermediary layer that processes data transfers between systems, letting companies open their application data and functionality to external third-party developers, business partners, and internal departments.[1]
The definitions and protocols within an API help businesses connect the many applications they use in day-to-day operations, saving employees time and breaking down silos that hinder collaboration and innovation. For developers, API documentation provides the interface for communication between applications, simplifying application integration.
APIs have changed how businesses operate. APIs allow businesses to push forward technologically with greater ease. This allows for more rapid innovation, which is, of course, what customers demand. APIs have also introduced several different challenges for security teams as well. With APIs come additional risks. These risks introduce new threats to the enterprise and the potential for serious damage.
Security professionals understand the need to secure APIs and desire to do so. Unfortunately, this is easier said than done for a variety of reasons.
While many steps can be taken, here are ten steps to help secure APIs:
- API Visibility and Discovery: It may seem obvious, though it must be known before an API can be secured. API endpoints are often created without the IT or security team’s knowledge for various reasons. When this happens, those APIs are not part of asset management and are also not properly subjected to security and compliance policies and controls. Thus, API visibility and discovery is the first step in API security.
- Schema Validation: Using invalid or improper input to either breach or abuse APIs is a popular technique for attackers. Ensuring proper API behavior based on valid input and output is an important part of an overall API security approach. Requiring that all API requests and responses comply with schema and all specs is an important step in protecting those APIs from attacks and breaches.
- Policy Enforcement: Properly defined, intelligent security policies are a great thing, but without strict enforcement, they are ineffective. Enforcing API security policies is another important step in securing APIs.
- Safeguarding Sensitive Data: Leaking sensitive data, such as Personally Identifiable Information (PII), is a significant risk resulting from poorly secured APIs. Safeguarding sensitive data involves ensuring the APIs are properly coded and secured and verifying that sensitive data is not inadvertently or improperly being transmitted or leaked from the API, which is another important step in securing APIs.
- Abuse and DoS Protection: When thinking about defending against Denial of Service (DoS) attacks, it is important to remember the application layer (layer 7 of the OSI model) and not just layers 3 and 4. Attackers are tuned into layer seven and always looking to attack, making layer seven protection against abuse and DoS an important step in securing APIs.
- Attack Protection: Protecting against tried and true and novel and new ways to compromise and exploit APIs is critical. Take the important step of leveraging signature-based, anomaly-based, and AI/ML-based techniques to protect against attacks.
- Access Control: Improper access control, including authentication and authorization, remains one of the main issues plaguing APIs. Whether due to oversights, human errors, haste, or any other reason, improperly controlling access to APIs can have devastating consequences. Authentication discovery services (allowing authentication gaps to be discovered), authentication enforcement, and API access control are all important steps in securing APIs.
- Malicious User Detection: One useful application of AI/ML is to study, analyze, and draw conclusions about the behavior of clients interacting with APIs. Detecting and mitigating those users that appear to be malicious can help protect APIs from attack, compromise, and breach as one step of an overall API security approach.
- Configuration and Management: Improper configuration and management of APIs is responsible for far more breaches than it should be. Ensuring that APIs are not misconfigured and/or mismanaged is another key step when securing APIs.
- Behavioral Analysis: Behavioral analysis of the various logs collected from endpoints and APIs of an application is another good application of AI/ML and another important step when security APIs. It is an iterative process that continues and is continuously updated, improved, and honed.
While APIs can speed along innovation, they can also introduce new threats to the enterprise. Securing APIs is a noble though complex journey. Security professionals can leverage various approaches, including the ten steps above, to help secure their APIs.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.securityweek.com/10-steps-to-help-secure-your-apis/
Comments