What Is API Security?

API security is about protecting your APIs using vulnerability testing, security policies, security best practices and more. It doesn't matter whether your API is public-facing, shared only with partners, or internal: all APIs need to be securely managed in order to shield your data and other resources from attack. Everyone from the developer to the CEO needs to be aware of their role in securing APIs so that your API security strategy can be implemented successfully.

What is an API?

Application Programming Interfaces (APIs) are everywhere, and API security is a top priority for almost every organization. APIs are how non-human systems (or applications) talk to each other. The most common API clients are mobile apps, but the list includes things everyone uses in everyday life, including cameras, phones, computers, thermostats, refrigerators, cars and more!

For as long as there have been APIs, there have been individuals and groups that have tried to exploit them. API security has been around a long time, but it has really taken the spotlight in the past couple of years. A few years ago, Gartner predicted that by 2022 API abuses would move from infrequent to the most frequent attack vector. The growth in not only the number of APIs but the exponential increase in API usage has made the reality of this prediction even more impactful on businesses around the world. According to a more recent Gartner CIO and Technical Executive survey, cyber and information security are at the top of the list for planned investments in 2022. This is not surprising, as business leaders are feeling the pressure to put budget and resources behind cybersecurity to protect their APIs, data, customers and the reputation of their companies.

Why is API security important?

The exponential growth of APIs and API usage has unintentionally exposed many systems to hackers and data breaches. API management used to be something that only the "big guys" needed, but now the need for security policies enforced by API gateways and other tools has become a universal necessity. By securing the exposed layers of an API using API security solutions and API management best practices, you can mitigate attacks and protect your organization, customers, data and bottom line. One thing you might have heard of and need to pay attention to is OWASP.

What is the OWASP Top Ten?

OWASP, the Open Web Application Security Project, is an international non-profit organization dedicated to web application security. It is probably best known for its recurring top-10 list of web vulnerabilities. In addition to that list, OWASP has also published a top-10 list specifically for API security. These are important factors to consider when creating an API security strategy for your organization.

The latest OWASP API Security Top 10 list includes:

API1: Broken object level authorization

This is when an attacker substitutes the ID in an API call with a different one and is able to get access to data that they should not have access to. An example of this is replacing /api/bank/account/123 with /api/bank/account/124. All resources need to run authorization checks before providing access. Using an API gateway (such as webMethods API Gateway) can provide the highly granular access control necessary to prevent these issues. webMethods also allows you to control access to resources and methods via scope-level policy definitions.
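The account lookup described above, as an added example that is not code from the original article or from webMethods: a handler that only authenticates the caller beside one that also checks object ownership and the token's scope. The in-memory account table, user names and the `accounts:read` scope name are constructed for illustration.

```python
# Added example (not from the original article): the BOLA pattern behind
# swapping /api/bank/account/123 for /api/bank/account/124.
# Accounts, user names and scope names below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance: int

# Constructed sample data standing in for /api/bank/account/{id}
ACCOUNTS = {
    123: Account(123, "alice", 500),
    124: Account(124, "bob", 9000),
}

# A "token" here is just the claims the gateway has already verified:
# {"sub": <user>, "scopes": {<scope>, ...}}.  None means unauthenticated.
def get_account_vulnerable(token, account_id):
    """Authenticates the caller but never asks who owns the object, so any
    logged-in user can change the ID in the path and read another account."""
    if token is None:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, acct

def get_account_secure(token, account_id):
    """Object-level authorization: the scope must permit the operation and
    the object must belong to the authenticated subject."""
    if token is None:
        return 401, None
    if "accounts:read" not in token.get("scopes", ()):
        return 403, None
    acct = ACCOUNTS.get(account_id)
    # Same status for "missing" and "not yours": a different code for each
    # would let a client map out which IDs exist.
    if acct is None or acct.owner != token["sub"]:
        return 404, None
    return 200, acct
```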

API2: Broken user authentication

APIs that do not use secure authentication are at risk of attackers compromising the systems behind them. An API gateway provides numerous authentication schemes that let you mitigate this risk, including:

  • OpenID
  • Kerberos
  • JWT
  • SAML
  • Outbound Authentication for Transport and Messages
  • Custom Assertions 

API3: Excessive data exposure

Often an API will return more data than the UI client displays. It is important to sanitize and filter the data that is exposed through the API, since anything the API returns can be read by other means than the UI. An API gateway can apply data transformation and data masking features to your APIs.

API4: Lack of resources and rate limiting

Without proper limits on access to resources, an attacker can easily overload your API system. Using features like rate limiting, throttling, and other threat protection policies in an API gateway (such as webMethods API Gateway), you can block DoS attempts, limit large payloads, stop SQL injection, monitor traffic, and stop other attacks that can affect your APIs and other resources.

API5: Broken function level authorization

Similar to broken object-level authorization (BOLA), API endpoints used for admin purposes need to use secure authorization policies. An attacker may be able to guess an admin endpoint, and an API cannot rely on a client implementing authorization. Securing admin endpoints and resources with an API management solution (such as webMethods API Management) will shield your API resources from this exploit.

API6: Mass assignment

In an effort to transform and bind data from clients, sometimes a mass assignment vulnerability can creep in. This happens when an API allows data from the client to set properties the user should not have permission to update. A best practice for avoiding this is to use only allowlists (whitelists) of updatable properties, never denylists (blacklists). Using policy enforcement in an API management solution such as webMethods to specifically define the properties that can be updated is one way to protect your API and data from this security threat.
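The allowlist binding described above, as an added example that is not code from the original article or from webMethods: a profile update that binds every client-supplied key beside one that accepts only the fields on an allowlist and rejects the rest. The field names and sample record are constructed for illustration.

```python
# Added example (not from the original article): mass assignment shown as
# "bind everything the client sent" beside allowlist-only binding.
# Field names and the sample record are constructed for illustration.
import json

# Fields a customer may change on their own profile.  Everything else
# (role, balance, verified, ...) is server-controlled and never bindable.
UPDATABLE_FIELDS = frozenset({"display_name", "email", "phone"})

# Constructed sample record standing in for a stored profile
SAMPLE_RECORD = {
    "user_id": 42, "display_name": "Alice", "email": "alice@example.com",
    "role": "customer", "balance": 500,
}

def update_profile_vulnerable(record, body):
    """Binds every key in the request body onto the record, so a client
    that includes "role": "admin" in the JSON becomes an admin."""
    updated = dict(record)
    updated.update(json.loads(body))
    return 200, updated, []

def update_profile_secure(record, body):
    """Allowlist binding.  Unknown keys are rejected with 400 rather than
    silently dropped, so a client cannot quietly probe for bindable
    server-side properties and the record is never partially updated."""
    payload = json.loads(body)
    if not isinstance(payload, dict):
        return 400, record, ["body must be a JSON object"]
    rejected = sorted(set(payload) - UPDATABLE_FIELDS)
    if rejected:
        return 400, record, rejected
    updated = dict(record)
    updated.update({k: payload[k] for k in UPDATABLE_FIELDS if k in payload})
    return 200, updated, []
```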

API7: Security misconfiguration

Security misconfiguration is probably one of the most common issues leading to security exploits. While human error is tough to protect against, an API gateway can shift some of that responsibility to shared and global security policy definitions which can be applied to large collections of APIs, thus avoiding this security issue.

API8: Injection

API attacks can come in the form of malicious code a client tries to trick an API into executing. APIs often have to interpret unknown data, and a vulnerability can be exploited if the API blindly executes that data as code. It is important to never trust the API client, even internal consumers. By defining data types in schemas and validating all requests through threat protection policies defined in your API gateway, you can prevent SQL injection and other injection attacks.

API9: Improper assets management

Production APIs are not the only surface area you need to be protecting. There are several types of APIs that you might be running that could provide an attacker access to valuable data on your system.

Some of these you probably know very well:

  • Public APIs (or external APIs)
  • Internal APIs
  • Partner APIs
  • Third-Party APIs
  • Composite APIs

Some of the other types of APIs you might not be as familiar with:

  • Beta APIs: Non-production versions of APIs such as alpha, beta, testing, staging and others. Because they’re not public, they may not be required to have secure interfaces yet. That doesn’t mean they can’t be accessed.
  • Shadow APIs: Those internal or public APIs that you created and use but try to keep off the radar. Nothing is ever “off the radar” for hackers. In fact, you can assume they are already inside your firewall, awaiting an opportunity to break into your systems and data.
  • Zombie APIs: APIs that work and are in use but have not been updated and are probably using outdated security. Recent security vulnerabilities in Log4j highlight the risk of unmaintained code and the impact it can have.
  • Frankenstein APIs: Unofficial APIs hacked together to scrape systems that don't provide real APIs. Hacking together solutions that skip the essential step of implementing appropriate security puts your solutions and potentially your business at risk.

All APIs need to be managed and secured to ensure that your data, customers and company are protected. webMethods API Gateway helps manage exposed APIs and is integrated with webMethods API Portal to provide complete instructions for API consumers.

API10: Insufficient logging and monitoring

Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring. Without proper logging and monitoring, attacks on your APIs and data can go unnoticed. Traffic monitoring policies in your API gateway can monitor run-time performance conditions, enforce limits for service invocations and send alerts when conditions are violated. Also ensure, where necessary, that your logs are sanitized of sensitive information and formatted in a way that other logging and API security tools can consume and process.
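The kind of monitoring condition described above, as an added example that is not code from the original article or from webMethods: a check over constructed gateway access-log lines that flags a client walking through object IDs on /api/bank/account/, the probing pattern from the BOLA item earlier on this page. The log format, client identifiers and threshold are assumptions for illustration.

```python
# Added example (not from the original article): a monitoring rule run over
# constructed gateway access-log lines.  It flags a client that requests
# more distinct object IDs on /api/bank/account/ than a single legitimate
# consumer plausibly would.  Log format and threshold are assumptions.
import re
from collections import defaultdict

# Constructed sample log: "<client_id> <method> <path> <status>"
SAMPLE_LOG = """\
app-7f3 GET /api/bank/account/123 200
app-7f3 GET /api/bank/account/124 200
app-7f3 GET /api/bank/account/125 200
app-7f3 GET /api/bank/account/126 404
app-7f3 GET /api/bank/account/127 200
app-9a1 GET /api/bank/account/555 200
app-9a1 GET /api/bank/account/555 200
app-9a1 GET /healthz 200
"""

# Only the monitored route is parsed; everything else is ignored.
LINE_RE = re.compile(r"^(\S+) (\S+) /api/bank/account/(\d+) (\d{3})$")

def find_id_enumeration(log_text, max_distinct_ids=3):
    """Return {client_id: sorted distinct account IDs} for every client
    that touched more than max_distinct_ids distinct IDs.  A 404 counts
    too: probing IDs that do not exist is part of the same pattern."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, _method, obj_id, _status = m.groups()
        seen[client].add(int(obj_id))
    return {c: sorted(ids) for c, ids in seen.items()
            if len(ids) > max_distinct_ids}

def alerts(log_text, max_distinct_ids=3):
    """Alert text per flagged client, as a gateway alert policy might emit."""
    return [f"client {c} requested {len(ids)} distinct account IDs ({ids[0]}..{ids[-1]})"
            for c, ids in sorted(find_id_enumeration(log_text, max_distinct_ids).items())]
```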

Software AG's API security solution

An effective API security solution begins with a properly configured API gateway. The webMethods API management platform provides a robust solution for securely managing your API portfolio by:

  • Using rate limiting to protect API resources
  • Defining access control over APIs through use of gateway policies
  • Monitoring your APIs with advanced analytics and enforcing authorization through OAuth and other methods
  • Protecting against DDoS and other attacks
  • Ensuring privacy and integrity using modern cryptographic standards

Learn more about how Software AG secures your APIs and integrations.

You can also learn more about API Security with our video series on YouTube. 

Integrating with third-party API security products

Often, organizations already have or are looking into API security products to complement the API security provided by their API gateway. These products are often broken into categories based on "Shift Left, Shield Right."

"Shift Left" means moving your security focus to the beginning of the API lifecycle and integrating it into the design and development of an API. Security built in at that stage helps protect the API in every later step of its lifecycle, all the way to its retirement.

"Shield Right" refers to the emphasis on continuing to protect your APIs at runtime and beyond. This provides a defense against unknown attacks using a combination of AI/ML and defined algorithms and policies.

Software AG webMethods provides an API security solution that can integrate with other API Security products to align with the cybersecurity strategy for your organization. The holistic approach to API management provided by webMethods makes it the ideal API security solution, no matter what other products you might be using.