Are Your APIs a Honeypot for Cyber Criminals?
APIs are key building blocks of modern applications. The primary drivers for rapid API adoption have been the increased need to integrate internal systems, accelerate new application development, create developer ecosystems, build a B2B partner program, and monetize APIs as a new revenue stream.
APIs are the new keys to successful digital transformation. By providing enabling support for modern architectures like microservices, APIs are driving disruptive growth in diverse industries, especially in Fintech, Payments, Healthcare, Gaming, e-Commerce, and Retail.
Why Is API Security Lagging?
While API adoption has grown rapidly, API security has taken a backseat in the rush to get products to market. API security matters because every API endpoint enlarges the attack surface of an enterprise application: it gives an attacker one more route into the application and its data. Attackers use automated bots, exploit security misconfigurations, abuse API business logic, and mount denial-of-service attacks to access and exfiltrate sensitive data, disrupt business operations, and steal intellectual property.
Widely-publicized API-related data breaches at companies like Twitter, GitHub, Venmo, Facebook, USPS, etc. clearly indicate that when it comes to API management, security is playing catch up.
State of API Security-2021
Is it Time to Reboot Your Approach to API Security & Governance?
Enterprises tend to underestimate the challenges of opening their APIs without a security strategy for API Management. Outdated and zombie APIs can be exploited for account takeover and fraudulent transactions. Shadow APIs can put your business at risk of data breaches. Do you have an accurate inventory of all your APIs and their business owners?
Traditional controls, such as WAFs (web application firewalls) and API gateways, do not on their own provide an adequate level of API run-time protection. A WAF is a reasonable first step: it filters requests that match known patterns from the OWASP Top 10 list of web application vulnerabilities, such as SQL injection and cross-site scripting.
However, a WAF matches individual requests against signatures, so it does a poor job against attacks whose requests each look legitimate: scraping bots, application-layer denial of service, authentication hijacking (credential stuffing, replay of stolen tokens), and abuse of business logic. Man-in-the-middle attacks are outside its reach entirely; those are addressed at the transport layer with TLS, not by request filtering.
What You Need to Do: Layered Approach to Security
No single tool can deliver a comprehensive security solution that effectively addresses all the major API attack vectors. So, your approach to API security should be layered to ensure coverage of all the functional areas, especially transport security, threat protection, authentication, access controls, data integrity and analytics.
Enterprises must focus on deploying API management solutions that offer automated enforcement of organizational security policies. You should also include robust monitoring to flag unexpected activity, such as requests that carry expired credentials or that arrive in an order the business flow does not allow (a payment call with no preceding checkout, for example).
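To make the monitoring requirement concrete, here is an added example (not code from the original post) that runs two checks over access-log lines: a token whose expiry precedes the request time, and a client that reaches a later step of a workflow without passing through the earlier ones. The log format, the field names, the three-step checkout flow and the log lines themselves are all constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample access-log lines (one JSON object per line); not real traffic.
SAMPLE_LOG = """\
{"ts":"2024-03-01T10:00:00Z","key":"k1","method":"GET","path":"/v1/cart","token_exp":"2024-03-01T11:00:00Z"}
{"ts":"2024-03-01T10:00:05Z","key":"k1","method":"POST","path":"/v1/checkout","token_exp":"2024-03-01T11:00:00Z"}
{"ts":"2024-03-01T10:00:09Z","key":"k1","method":"POST","path":"/v1/payment","token_exp":"2024-03-01T11:00:00Z"}
{"ts":"2024-03-01T10:01:00Z","key":"k2","method":"POST","path":"/v1/payment","token_exp":"2024-03-01T11:00:00Z"}
{"ts":"2024-03-01T12:30:00Z","key":"k3","method":"GET","path":"/v1/cart","token_exp":"2024-03-01T11:00:00Z"}
"""

# Hypothetical checkout flow: each step is only legitimate after the one before it.
WORKFLOW = ["/v1/cart", "/v1/checkout", "/v1/payment"]


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze(log_text, workflow=WORKFLOW):
    """Return a list of findings: expired credentials and skipped workflow steps."""
    findings = []
    progress = {}  # api key -> index of the furthest workflow step seen so far
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = json.loads(raw)
        ts, exp = parse_ts(e["ts"]), parse_ts(e["token_exp"])
        # A gateway should reject these outright; seeing them in the log means
        # either the gateway is misconfigured or someone is replaying old tokens.
        if exp <= ts:
            findings.append({"key": e["key"], "path": e["path"], "reason": "expired_token"})
        if e["path"] in workflow:
            step = workflow.index(e["path"])
            seen = progress.get(e["key"], -1)
            # Jumping more than one step ahead means earlier steps were never called.
            if step > seen + 1:
                findings.append({"key": e["key"], "path": e["path"],
                                 "reason": "skipped_steps",
                                 "missing": workflow[seen + 1:step]})
            progress[e["key"]] = max(seen, step)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample above, key k2 is flagged for calling /v1/payment without ever touching the cart or checkout, and k3 is flagged for presenting a token that expired ninety minutes before the request. In production the same logic would sit on a stream of gateway logs rather than a string, and the workflow would be keyed per session rather than per API key.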
What Are Some Best Practices in API Development?
A. Centralized API Management
Designate a central point of contact for your API security initiatives to ensure API development is done in a consistent manner with a security first mindset. Consider the use of API management tools to develop and maintain secure APIs.
B. Accurate API Inventory
Maintaining an up-to-date API inventory and accurate API documentation are table stakes for API security. Documentation often takes a backseat to the pace of application development. Automated documentation tools help close gaps in API security knowledge and reduce the risk of outdated or shadow APIs hiding in your estate. It is also essential to monitor APIs continuously for emerging threats and to deprecate, then remove, little-used APIs and older API versions: an endpoint nobody maintains is still an endpoint an attacker can call.
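One practical way to find shadow and zombie APIs is to diff what the documentation says exists against what the gateway actually serves. The following is an added example, not code from the original post: it matches observed requests against OpenAPI-style path templates, reports routes that are served but undocumented (shadow), and routes that are documented but have not been called within a staleness window (zombie). The spec fragment, the log entries and the 90-day window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for the "paths" object of an OpenAPI document.
SPEC = {
    "/v1/users/{id}": ["get", "put"],
    "/v1/orders": ["get", "post"],
    "/v0/orders": ["get"],          # old version still documented
}

# Constructed access-log sample: (method, path, timestamp); not real traffic.
ACCESS_LOG = [
    ("GET", "/v1/users/42", "2024-03-01T10:00:00Z"),
    ("POST", "/v1/orders", "2024-03-01T10:02:00Z"),
    ("GET", "/v0/orders", "2023-09-01T08:00:00Z"),              # last seen months ago
    ("GET", "/internal/debug/config", "2024-03-01T10:05:00Z"),  # not in the spec at all
    ("DELETE", "/v1/users/42", "2024-03-01T10:06:00Z"),         # known path, undocumented method
]


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def template_to_regex(template):
    """Turn an OpenAPI path template such as /v1/users/{id} into an anchored regex."""
    literals = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literals) + "$")


def match_route(spec, method, path):
    """Return (METHOD, template) if the request is documented, else None."""
    for template, methods in spec.items():
        if template_to_regex(template).match(path):
            return (method.upper(), template) if method.lower() in methods else None
    return None


def inventory_diff(spec, access_log, now, stale_days=90):
    """Shadow routes: served but undocumented. Zombie routes: documented but unused."""
    last_seen, shadow = {}, []
    for method, path, ts in access_log:
        route = match_route(spec, method, path)
        if route is None:
            shadow.append(f"{method.upper()} {path}")
            continue
        seen = parse_ts(ts)
        if route not in last_seen or seen > last_seen[route]:
            last_seen[route] = seen
    zombie = []
    for template, methods in spec.items():
        for m in methods:
            seen = last_seen.get((m.upper(), template))
            if seen is None or now - seen > timedelta(days=stale_days):
                zombie.append(f"{m.upper()} {template}")
    return {"shadow": shadow, "zombie": zombie}


if __name__ == "__main__":
    print(inventory_diff(SPEC, ACCESS_LOG, now=parse_ts("2024-03-02T00:00:00Z")))
```

Both lists deserve a human decision: a shadow route is either missing documentation or should not be reachable at all, and a zombie route should either be re-owned or switched off. An undocumented method on a documented path (the DELETE above) is reported as shadow for the same reason a wholly unknown path is: nobody has reviewed it.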
C. Implement Rate Limiting
Apply rate limits per API key (or per source address for unauthenticated traffic) to reduce the impact of denial-of-service attacks and keep APIs scalable. A per-key limit stops a single client from overwhelming the API with too many requests; it does not by itself absorb a distributed flood spread across many clients or keys, which still needs protection upstream of the API.
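The usual implementation of a per-key limit is a token bucket: each key may burst up to the bucket capacity, and tokens refill at a fixed rate. Below is an added example (not code from the original post) showing the bucket, the mapping of a denied request to HTTP 429 with a Retry-After header, and the isolation between keys. The injected clock, the capacity of 5 and the refill rate of 1 request per second are assumptions chosen for the demonstration.

```python
import math
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float


class FakeClock:
    """Deterministic clock for the demo; production code would pass time.monotonic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PerKeyRateLimiter:
    """Token bucket per API key: `capacity` requests may burst, then `refill_per_sec` sustained."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock
        self.buckets = {}

    def allow(self, api_key, cost=1.0):
        """Return (allowed, retry_after_seconds). Unauthenticated callers should be
        keyed by something else (source IP, for example), never by a shared default."""
        now = self.clock()
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = self.buckets[api_key] = Bucket(tokens=self.capacity, last=now)
        # Refill in proportion to elapsed time, never beyond capacity.
        bucket.tokens = min(self.capacity, bucket.tokens + (now - bucket.last) * self.refill)
        bucket.last = now
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True, 0.0
        return False, (cost - bucket.tokens) / self.refill


def response_for(limiter, api_key):
    """Map the decision to what a gateway would send: 200, or 429 with Retry-After."""
    allowed, retry_after = limiter.allow(api_key)
    if allowed:
        return 200, {}
    # Retry-After is a whole number of seconds; round up so the client waits long enough.
    return 429, {"Retry-After": str(math.ceil(retry_after))}


def burst_demo():
    clock = FakeClock()
    limiter = PerKeyRateLimiter(capacity=5, refill_per_sec=1.0, clock=clock)
    statuses = [response_for(limiter, "key-A")[0] for _ in range(6)]  # five 200s, then 429
    other = response_for(limiter, "key-B")[0]                          # other keys unaffected
    clock.advance(2.0)                                                  # two tokens refilled
    after_wait = response_for(limiter, "key-A")[0]
    return statuses, other, after_wait


if __name__ == "__main__":
    print(burst_demo())
```

The bucket state here lives in process memory, which is fine for a single gateway instance; a fleet of instances needs the counters in a shared store (or a sticky routing of keys to instances), otherwise each instance grants the full burst independently.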
D. API Security Testing
Poorly developed APIs can expose the enterprise to data breaches and other security risks. A regular cadence of threat modelling, static and dynamic code analysis, and penetration testing of APIs needs to be part of your application development process.
The OWASP API Security Top 10 provides a strong foundation for security testing of APIs. WAFs and API gateways provide run-time protection, but they are not a substitute for testing the APIs themselves during development.
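As an illustration of testing against the OWASP API Security Top 10, the following added example (not code from the original post) targets its first item, Broken Object Level Authorization: a handler that looks orders up by id alone, its hardened counterpart that checks ownership, and a small test harness that calls the handler as every principal against every object and reports any cross-owner read. The in-memory order store, the user names and the handler signatures are constructed for the example.

```python
# Constructed in-memory data store: order id -> record with its owner.
ORDERS = {
    "o-1001": {"owner": "alice", "total": 42.0},
    "o-1002": {"owner": "bob", "total": 17.5},
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller, order_id):
    """BOLA: the caller is authenticated but never compared with the object's owner,
    so any user can read any order by guessing or enumerating ids."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_fixed(caller, order_id):
    """Authorization is decided per object: the record must belong to the caller.
    Missing and foreign objects get the same 404 so the API does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        raise NotFound(order_id)
    return order


def bola_matrix(handler, orders):
    """Call `handler` as every owner against every object it does not own.
    Returns the (caller, order_id) pairs that were served instead of refused."""
    findings = []
    for caller in sorted({o["owner"] for o in orders.values()}):
        for order_id, order in orders.items():
            if order["owner"] == caller:
                continue
            try:
                handler(caller, order_id)
            except NotFound:
                continue
            findings.append((caller, order_id))
    return findings


def owner_access_ok(handler, orders):
    """Sanity check so a handler that refuses everything cannot pass the matrix by accident."""
    return all(handler(o["owner"], oid) is o for oid, o in orders.items())


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("fixed", get_order_fixed)):
        print(name, bola_matrix(handler, ORDERS), owner_access_ok(handler, ORDERS))
```

The same matrix idea transfers to a black-box test against a running API: obtain one session per test user, collect the object ids each one legitimately sees, then replay every id under every other session and fail the build on any 2xx. It is cheap to automate and catches the class of bug that signature-based run-time controls cannot, since each individual request is well-formed.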
E. Developer Security Training
Shifting security left has moved developers to the front line of application security, so API-specific security training for developers is critical.
Raise the bar by building a secure-by-design mindset in your development teams with developer-centric API security training. The OWASP API Security Top 10 is a good baseline for that training. It also reduces the remediation load on overworked security teams.
Looking for comprehensive API security training for your developers? Our hands-on interactive security training platform offers full coverage of the OWASP API Security Top 10.
Spend less time fixing and more time innovating. Check out the platform here.