What is API Security?
API security refers to the protection of APIs through procedures and security measures that aim to diminish and prevent security threats and attacks.
As companies undertake digital transformation, they are increasingly relying on APIs. This exponential growth of APIs has exposed many systems to data breaches, largely because the sensitive data made available by APIs is attractive to these hackers. Therefore, API security is as important as ever in order to remove vulnerabilities and security risks.
Why is API security important?
Organizations use APIs to exchange data and connect services, both for customers and to streamline internal processes. APIs are a collection of protocols and subroutines that enable applications to talk to each other and exchange information. Many APIs are made up of parts that act as functions or procedures. Developers can use APIs to make their application call on other products and systems without requiring the developer to know how those products and systems are implemented. Application Programming Interfaces (APIs) are everywhere and enable web services to be shared around the world. As a result, API security is a top priority for almost every organization.
Many APIs are used to share potentially sensitive data such as financial, health and personal information which means a broken, hacked or exposed API can cause significant damage.
In 2021, Gartner predicted that by 2022, API attacks would be the most-frequent attack vector, causing data breaches for enterprise web applications.. The growth the number of APIs, as well asthe exponential increase in API usage, has made businesses realize the importance of API security.
API management used to be something that only the "big guys" needed—but now, the need for security policies enforced by API gateways and other tools is a universal necessity. By securing the exposed layers of an API using API security solutions and API management best practices, you can mitigate attacks and protect your organization, customers, data and bottom line.
API security best practices
There is no one-size-fits all solution to API security. To implement a proper API security solution, it is important to fully understand your APIs, the third-party APIs you use and the functionality and value that your APIs add to your organization. API security will require time and resources to ensure that it is implemented and continues to be implemented correctly. It doesn't matter if your API is public facing, only shared with partners or internal. All APIs need to be securely managed in order to shield your data and other resources from attack. Everyone inside an organization—from the developer to the CEO—needs to be aware of their role in securing APIs to ensure that your API security strategy can be implemented successfully.
API security 101
Watch Software AG’s API Cybersecurity 101 video series for more information on API security best practices, API security basics, how API security works and how to equip yourself with the necessary tools to protect and defend your API systems against attacks.
How to secure APIs
There are a variety of tools you can use in order to best protect your system from an attack by API intruders.
The API gateway acts as the core to your API security—the gateway makes it easy to create, maintain, monitor and secure your APIs. An API gateway can provide protection against a variety of attacks and can offer API monitoring, logging and API rate limiting. API gateways can restrict traffic based on IP addresses and other data, handle security token validation and much more.
Web Application Firewalls
A web application firewall (WAF) stands between the public traffic and your API gateway or application. WAFs can offer additional protections against things like bots by providing malicious bot detection, the ability to identify attack signatures and additional IP intelligence. A WAF is useful because it can block bad traffic before it even reaches your gateway.
Standalone security products support a variety of features ranging in categories—such as real-time protection, static code and vulnerability scanning, built-time checking and security fuzzing.
Security in Code
Security code is a form of security that is implemented internally into the API or applications themselves. However, the resources required to ensure all the security measures are properly implemented in your API code and can be difficult to apply consistently across all of your API portfolio.
Integrating with third-party API security products
As previously mentioned, API gateways integrate and work well with all the other components to API security, such as WAFs and stand-alone API security products. When looking at your API ecosystem, it’s important that you don’t forget about API integrations and the third-party APIs that you will be integrating with. If these third-party APIs or the integrations themselves are insecure, your data, internal systems and APIs could be compromised.
The API security products that complement their API gateway security are often broken into categories based on "Shift Left, Shield Right."
“Shift Left” is shifting your security focus to the beginning of the API lifecycle process and integrating it into the design and development of an API. This approach helps protect it in every step of the API lifecycle all the way to the retirement of an API.
“Shield Right” is the emphasis on continuing to protect your APIs at runtime and beyond. Doing this will allow you to provide a defense against unknown attacks using a combination of AI/ML and defined algorithms and policies.
API security challenges
According to a Gartner CIO and Technical Executive survey, cyber and information security are at the top of the list for planned investments in 2022. This is not surprising as business leaders are feeling the pressure to put budget and resources behind cybersecurity to protect their APIs, data, customers and the reputation of their companies.
Because API security is a moving target, it’s important to know that the product or products you use stay up to date in order to protect your APIs against the latest vulnerabilities. Many business leaders find it to be a challenge to protect their APIs due to their omnipresent nature. However, reviewing the OWASP top ten API security vulnerabilities can assist you in best formulating an API security strategy.
What is the OWASP Top Ten?
OWASP, the Open Web Application Security Project, is an international non-profit organization dedicated to web application security. They are probably most well-known for their reoccurring top 10 list of web vulnerabilities. But in addition to their lists of web vulnerabilities, they also came out with a top-10 list for API security. The OWASP API Security Top 10 vulnerabilities are outlined below, including ways to protect your APIs from these vulnerabilities—all of which are important factors to consider when creating an API security strategy for your organization.
API1:2019 Broken Object Level Authorization
When an attacker substitutes the ID in an API call with a different one and is able to get access to data, this is called broken object level authorization (BOLA). An example of this is replacing /api/bank/account/123 with /api/bank/account/124. All resources need to run authorization checks before providing access. Using an API gateway can provide a highly granular level-of-access control necessary to prevent access control issues.
API2:2019 Broken User Authentication
APIs that are not using secure authentication are at risk of attackers compromising their system using broken user authentication. An API gateway provides numerous authentication schemes that allow you to mitigate the risk to your APIs.
- Outbound Authentication for Transport and Messages
- Custom Assertions
API3:2019 Excessive Data Exposure
An API will often publish more data than is displayed through the UI client. It is important to sanitize and filter the data that is exposed through the API as this can be viewed using other methods. An API gateway can apply data transformation and data masking features to your APIs.
API4:2019 Lack of Resources & Rate Limiting
Without proper limits on access to resources, an attacker can easily overload your API system. Using features like rate limiting, throttling and other threat protection policies in an API gateway, you can block DoS attempts, limit large payloads, stop SQL injection, monitor traffic and stop other attacks that can affect your APIs and other resources.
API5:2019 Broken Function Level Authorization
Similar to broken object-level authorization (BOLA), API endpoints used for admin purposes need to use secure authorization policies. An attacker may be able to guess an admin endpoint, and an API cannot rely on a client implementing authorization. Securing admin endpoints and resources with an API management solution will shield your API resources from this exploit.
API6:2019 Mass Assignment
In an effort to transform and bind data from clients, a mass assignment vulnerability can sometimes creep in. This happens when an API allows data from the client to save properties that the user should not have permission to update. A best practice for avoiding this is to only use whitelists—and not blacklists. Using policy enforcement in an API management solution to specifically define the properties that can be updated is one way to protect your API and data from this security threat.
API7:2019 Security Misconfiguration
Security misconfiguration is probably one of the most common issues leading to security exploits. While human error is tough to protect against, an API gateway can shift some of that responsibility to shared and global security policy definitions which can be applied to large collections of APIs—thus avoiding this security issue.
API attacks can come in the form of malicious code that a client might try to trick an API into executing. APIs often have to interpret unknown data, and vulnerability can be exploited if the API blindly executes that code. It is important to never trust the API client, even internal consumers. By defining data types in schemas and validating all requests through threat protection policies defined by your API gateway, you can prevent SQL injections and other injection attacks.
API9:2019 Improper Asset Management
Production APIs are not the only surface area you need to be protecting. There are several types of APIs that you might be running that could provide an attacker access to valuable data on your system. Some of these you probably know very well:
- Public APIs (or external APIs)
- Internal APIs
- Partner APIs
- Third-Party APIs
- Composite APIs
Some of the other types of APIs you might not be as familiar with:
- Beta APIs: Non-production versions of APIs such as alpha, beta, testing, staging and others. Because they’re not public, they may not be required to have secure interfaces yet. That doesn’t mean they can’t be accessed.
- Shadow APIs: Internal or public APIs that you create and use but try to keep off the radar. Nothing is ever “off the radar” for hackers. In fact, you can assume that they are already inside your firewall, awaiting an opportunity to break into your systems and data.
- Zombie APIs: APIs that work and are in use but have not been updated and are probably using outdated security. Recent security vulnerabilities in log4j highlight the risk of unmaintained code and the impact it can have.
- Frankenstein APIs: Unofficial APIs hacked together to scrape systems that don't provide real APIs. Hacking together solutions that skip the essential step of implementing appropriate security puts your solutions and potentially your business at risk.
API10:2019 Insufficient Logging & Monitoring
Most breach studies show that the time it takes to detect a breach is over 200 days, and breaches are typically detected by external parties rather than by internal processes or through monitoring. Without proper logging and monitoring, attacks on your APIs and data can go unnoticed. Implementing traffic monitoring policies via your API gateway can monitor run-time performance conditions, enforce limits for service invocations and send alerts when conditions are violated. It’s also important to ensure that your logs are sanitized of sensitive information and are formatted in a way that other logging and API security tools can consume and process them.
Improve your API security today
As one of the leading providers of API management and integration solutions in the world, Software AG understands the importance of implementing a high-quality API security strategy.
Software AG’s webMethods provides an API security solution that can integrate with other API security products to align with your organization’s cybersecurity strategy. The holistic approach to API management provided by webMethods makes it the ideal API security solution—no matter what other products you might be using.
Software AG’s API security solution
An effective API security solution begins with a properly configured API gateway. The webMethods API management platform provides a robust solution for securely managing your API portfolio by:
- Using rate limiting to protect API resources
- Defining access control over APIs through use of gateway policies
- Monitoring your APIs with advanced analytics enforcing authorization through OAuth and other methods
- Protecting against DDoS and other attacks
- Ensuring privacy and integrity using modern cryptography encryption standards