
APIs are everywhere. In the modern age of web, cloud, AI and interconnected containerised componentry, enterprise software is typified by its use of Application Programming Interfaces (APIs). Written to a defined syntax, structure and shape, APIs are often referred to as the ‘glue’ that bonds one or more applications, smaller application elements or services, wider application network channels, or indeed higher-level operating systems. The goal of an API is to hide the internal details of how a given application (the server) works, so that developers can change the application without breaking any external integrations, provided the API itself doesn’t change. With so many connection points now being created, how do we secure APIs on an enterprise-wide basis?

Like many technologies, APIs are most valued when we use them without thinking about it. Selecting PayPal as a payment method when you’re shopping online? An API enables the online store to access the data it needs to complete the transaction. Checking the weather forecast with an app? APIs bring you the data – if not the sunshine. At their simplest, APIs are described as a waiter taking orders from a table to the kitchen, and returning with the meal.

How do we secure APIs?

One man who knows more than most about enterprise-wide API security is Vivek Gaur, vice president for network engineering at Colt Technology Services. Explaining that APIs are composed of groups of methods and the associated protocols through which applications interact, Gaur reminds us that these methods and protocols are documented in three ways:

  • The API definition
  • The API specification
  • The API documentation

“The API definition provides a machine-readable view on how the API functions and how it is organised. The API definition becomes effectively a contract between API server and API client. Technologies like OpenAPI can be used to define the API and also to generate code to ensure the API server and API client are fully compliant to the API definition,” explained Gaur.

Similarly, the API specification provides human-friendly documentation describing how the API works, how it is organised and what to expect from it. Technologies such as OpenAPI can, again, be used to generate this documentation directly from the API definition.

The API documentation 

Colt VP Vivek Gaur: The rise of APIs means a security-first mindset has quickly become ‘non-negotiable’.

The API documentation provides a manual for users or developers on how to use the API with or within their applications. Describing common use cases can help users and developers quickly understand why the API is structured the way it is.

API usage continues to rise: a report from Salt Labs found the average number of APIs per user rose 82% between July 2021 and July 2022. But with increased usage comes a wider attack surface, and any vulnerability in an API puts the data and systems behind it at risk. The 2022 Salt Labs report revealed a 681% increase in API security incidents between 2021 and 2022. The Q1 2023 update to the Salt Labs report found that 94% of survey respondents had experienced security problems in production APIs in the past year; 31% had experienced a sensitive data exposure and 17% a data breach resulting from API security gaps. Almost one in two (48%) said API security had become a C-level discussion. At the same time, fewer than 50% of businesses have API security testing tools in place. High-profile API security breaches include attacks on the Dropbox and Twitter APIs.

“Most modern APIs are built on the same foundational technologies that serve content on the Internet. As a result, the barrier to entry for building and deploying APIs is lower than it has ever been, but this also means that a security-first mindset has quickly become a non-negotiable,” noted Colt’s Gaur. “So how can enterprises harness the innovative, transformative impact of APIs, and balance this against security threats? There are eight key ways a business can secure APIs, to protect your users against risk.”

Implement baseline security

Gaur says we need to use an authentication and authorisation framework for the API. Open, public-access APIs should only be deployed when the risk of exposure is very low. When using API keys, firms should ensure the keys are adequately protected and stored safely, preferably outside the application’s source tree rather than hard-coded alongside it. Also, encrypt all requests and responses with TLS (HTTPS).
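The baseline above in working code, as an added example (it is not Colt’s code and not from the original article). It assumes a key arrives in an `X-API-Key` header as `<client_id>.<secret>`, that keys are provisioned through environment variables named `API_KEY_<CLIENT>=<secret>:<scope1>,<scope2>` (so the secret lives in deployment configuration, not in the application tree), and that the server stores only a SHA-256 digest of each key:

```python
"""Baseline API authentication and authorisation (added example, not Colt's code).

Assumed conventions: X-API-Key carries "<client_id>.<secret>"; keys are provisioned
as API_KEY_<CLIENT>=<secret>:<scope1>,<scope2> environment variables."""
import hashlib
import hmac
from dataclasses import dataclass


class AuthenticationError(Exception):
    """Credentials missing or wrong -> HTTP 401."""


class AuthorizationError(Exception):
    """Valid client, but not permitted to perform this operation -> HTTP 403."""


@dataclass(frozen=True)
class Principal:
    client_id: str
    scopes: frozenset


class KeyStore:
    """Stores SHA-256 digests of API keys, never the keys themselves, so a leaked
    copy of this table does not hand an attacker working credentials."""

    def __init__(self):
        self._clients = {}  # client_id -> (digest, scopes)

    def register(self, client_id, secret, scopes):
        digest = hashlib.sha256(secret.encode()).digest()
        self._clients[client_id] = (digest, frozenset(scopes))

    def authenticate(self, header_value):
        if not header_value or "." not in header_value:
            raise AuthenticationError("missing or malformed API key")
        client_id, secret = header_value.split(".", 1)
        stored = self._clients.get(client_id)
        presented = hashlib.sha256(secret.encode()).digest()
        # Compare against a dummy digest for unknown clients so response timing
        # does not reveal which client IDs exist; compare_digest is constant-time.
        expected = stored[0] if stored else bytes(32)
        matched = hmac.compare_digest(presented, expected)
        if stored is None or not matched:
            raise AuthenticationError("invalid API key")
        return Principal(client_id, stored[1])


def load_keystore_from_env(environ):
    """Build the key store from API_KEY_* variables (assumed naming convention)."""
    store = KeyStore()
    for name, value in environ.items():
        if not name.startswith("API_KEY_"):
            continue
        secret, _, scope_list = value.partition(":")
        scopes = [s for s in scope_list.split(",") if s]
        store.register(name[len("API_KEY_"):].lower(), secret, scopes)
    return store


def authorize(principal, required_scope):
    if required_scope not in principal.scopes:
        raise AuthorizationError(f"{principal.client_id} lacks scope {required_scope}")


def handle_request(store, headers, required_scope, scheme="https"):
    """Minimal request pipeline: TLS check, then authentication, then
    authorisation. Returns an (HTTP status, message) pair."""
    if scheme != "https":
        return 400, "TLS required"
    try:
        principal = store.authenticate(headers.get("X-API-Key"))
        authorize(principal, required_scope)
    except AuthenticationError as exc:
        return 401, str(exc)
    except AuthorizationError as exc:
        return 403, str(exc)
    return 200, f"ok for {principal.client_id}"


# Constructed environment for the example; a real service reads os.environ.
EXAMPLE_ENV = {
    "API_KEY_SHOP": "s3cr3t-shop:orders:read,orders:write",
    "API_KEY_REPORTS": "s3cr3t-rep:orders:read",
    "PATH": "/usr/bin",  # unrelated variables are ignored
}

if __name__ == "__main__":
    store = load_keystore_from_env(EXAMPLE_ENV)
    print(handle_request(store, {"X-API-Key": "shop.s3cr3t-shop"}, "orders:write"))
    print(handle_request(store, {"X-API-Key": "reports.s3cr3t-rep"}, "orders:write"))
    print(handle_request(store, {"X-API-Key": "shop.nope"}, "orders:read"))
```

The two design points worth noting: a wrong secret and an unknown client both take the same code path and the same comparison, so neither can be distinguished by timing; and a known client with a valid key still gets a 403 rather than a 200 when the operation is outside its scopes, which is the authorisation half that key-only schemes often forget.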

Secondly, says Gaur, “Take a proactive approach to monitoring: it’s prudent to take a proactive approach to monitoring to optimise performance and ensure a consistent user experience; to identify and rectify issues and crucially, to identify anomalous behaviours.”
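What “identify anomalous behaviours” looks like in practice, as an added example that is not Colt’s code and not from the original article. It parses a constructed access-log window and runs three per-client detectors; the log format, client names and thresholds are assumptions, and real thresholds would be tuned from a baseline of normal traffic:

```python
"""Anomalous-behaviour detection over API access logs (added example, not Colt's
code). Log format, client names and thresholds are constructed for the example."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d{3})$"
)
OBJECT_ID_RE = re.compile(r"^/v1/orders/(\d+)$")


def parse_log(lines):
    """Parse access-log lines; lines that do not match the format are skipped
    rather than allowed to crash the detector."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def detect_anomalies(events, max_auth_failures=5, max_distinct_objects=15,
                     max_error_ratio=0.5, min_requests=10):
    """Three per-client detectors for one log window:
    - auth-failure-burst: many 401/403s, i.e. credential or key guessing
    - object-enumeration: many distinct object IDs fetched successfully, the
      pattern behind object-level authorisation abuse
    - high-error-ratio: mostly 4xx/5xx responses, typical of fuzzing
    Returns a list of (client, rule, observed_value) tuples sorted by client."""
    total = defaultdict(int)
    auth_failures = defaultdict(int)
    errors = defaultdict(int)
    objects = defaultdict(set)
    for event in events:
        client, status = event["client"], event["status"]
        total[client] += 1
        if status in (401, 403):
            auth_failures[client] += 1
        if status >= 400:
            errors[client] += 1
        match = OBJECT_ID_RE.match(event["path"])
        if match and status == 200:
            objects[client].add(match.group(1))
    findings = []
    for client in sorted(total):
        if auth_failures[client] > max_auth_failures:
            findings.append((client, "auth-failure-burst", auth_failures[client]))
        if len(objects[client]) > max_distinct_objects:
            findings.append((client, "object-enumeration", len(objects[client])))
        ratio = errors[client] / total[client]
        if total[client] >= min_requests and ratio > max_error_ratio:
            findings.append((client, "high-error-ratio", round(ratio, 2)))
    return findings


# Constructed log window: one well-behaved client and three misbehaving ones.
SAMPLE_LOG = (
    [f"2024-03-04T10:00:{i:02d}Z client=shop GET /v1/orders/{1000 + i % 3} status=200" for i in range(10)]
    + [f"2024-03-04T10:01:{i:02d}Z client=scanner GET /v1/orders/{2000 + i} status=200" for i in range(30)]
    + [f"2024-03-04T10:02:{i:02d}Z client=guesser GET /v1/orders/1000 status=401" for i in range(8)]
    + [f"2024-03-04T10:03:{i:02d}Z client=fuzzer POST /v1/orders status={201 if i % 4 == 0 else 400 if i % 2 else 500}"
       for i in range(12)]
    + ["<garbled line from a log rotation>"]
)

if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

Note that the enumeration detector keys on successful (200) responses: a client that walks sequential IDs and gets data back every time is the case that matters, and it would look perfectly healthy to a monitor that only tracks error rates.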

Counting through, then, the third piece of advice is to always control and limit the load on the API. The Colt VP says this means introducing a limit on the number of requests and controlling the structure, size and data types of the payload. This pre-empts some common attacks, such as SQL injection or distributed denial of service (DDoS). External DDoS detection and mitigation systems will also help to prevent these attacks.

Validate API data

“All data exchanged in an API shall follow the API specification for structure and data type. It is best practice to validate the data and not to assume it will reach the server according to the specification,” advised Gaur. “IT departments should also look to leverage API gateways. These are platforms that provide API management and security tools out of the box. These allow developers to implement API security controls without a significant investment. When the number of business APIs grows, API gateways are useful to keep track of and manage all APIs.”
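The load-control advice (limit requests; control the structure, size and data types of the payload) and the validate-against-the-specification advice come down to the same gate in front of an endpoint. The following is an added example, not Colt’s code and not from the original article, that shows that gate for a hypothetical `POST /v1/orders`: a per-client token bucket, a body-size cap, and a validator that checks the decoded body against a schema written in the JSON Schema subset OpenAPI request bodies use. The schema, the limits and the 16 KiB cap are assumptions:

```python
"""Request limiting and payload validation against an OpenAPI-style schema
(added example, not Colt's code). Schema, limits and body cap are assumptions."""
import json
import re
import time

# Constructed request-body schema for POST /v1/orders (JSON Schema subset as
# used in OpenAPI). additionalProperties: false rejects fields the spec never defined.
ORDER_SCHEMA = {
    "type": "object",
    "required": ["customer_id", "items"],
    "additionalProperties": False,
    "properties": {
        "customer_id": {"type": "string", "maxLength": 36, "pattern": r"[A-Za-z0-9-]+"},
        "note": {"type": "string", "maxLength": 200},
        "items": {
            "type": "array", "maxItems": 50,
            "items": {
                "type": "object", "required": ["sku", "qty"], "additionalProperties": False,
                "properties": {
                    "sku": {"type": "string", "maxLength": 32},
                    "qty": {"type": "integer", "minimum": 1, "maximum": 1000},
                },
            },
        },
    },
}

PY_TYPES = {"string": str, "integer": int, "number": (int, float),
            "boolean": bool, "object": dict, "array": list}


def validate(value, schema, path="$"):
    """Return a list of violations (an empty list means the value conforms)."""
    kind = schema["type"]
    # bool is a subclass of int in Python, so reject true/false where a number is expected
    if not isinstance(value, PY_TYPES[kind]) or (kind in ("integer", "number") and isinstance(value, bool)):
        return [f"{path}: expected {kind}"]
    errors = []
    if kind == "string":
        if len(value) > schema.get("maxLength", len(value)):
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
    elif kind in ("integer", "number"):
        if value < schema.get("minimum", value) or value > schema.get("maximum", value):
            errors.append(f"{path}: out of range")
    elif kind == "array":
        if len(value) > schema.get("maxItems", len(value)):
            errors.append(f"{path}: more than {schema['maxItems']} items")
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    elif kind == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required")
        for name, item in value.items():
            if name in props:
                errors += validate(item, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: unexpected field")
    return errors


class TokenBucket:
    """Per-client token bucket: a burst of `capacity` requests, refilled at `rate` per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}  # client -> (tokens, last_seen)

    def allow(self, client):
        now = self.clock()
        tokens, last = self._state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self._state[client] = (tokens - 1 if allowed else tokens, now)
        return allowed


def handle_post_order(client, raw_body, limiter, max_body_bytes=16 * 1024):
    """Gate a request: rate limit, size cap, well-formed JSON, then the schema.
    Returns (HTTP status, list of violations)."""
    if not limiter.allow(client):
        return 429, ["rate limit exceeded"]
    if len(raw_body) > max_body_bytes:
        return 413, ["body too large"]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, ["malformed JSON"]
    errors = validate(body, ORDER_SCHEMA)
    return (422, errors) if errors else (201, [])
```

The order of the checks is deliberate: the rate limiter runs before anything is parsed, and the size cap runs before `json.loads`, so a flood of oversized or deliberately malformed bodies is rejected before it costs the server any real work. The `clock` parameter on `TokenBucket` exists so the limiter can be tested deterministically.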

With three more cornerstones to share, Gaur says we should always share only the minimum data required in the API. Removing any information that is not meant to be shared, or that does not need to be shared, minimises the chance of exposing secret data or internal system data through the API, and with it the chance of the API being exploited.
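One way to make “share only what is required” the default rather than a per-endpoint discipline is to serialise responses through an explicit field allowlist, so a column added to the internal record later is withheld until someone decides it may be exposed. The following is an added example, not Colt’s code and not from the original article; the record layout, scope names, field lists and the error-handling convention are assumptions:

```python
"""Minimum-data responses: allowlist projection plus errors that carry no
internal detail (added example, not Colt's code; record and scopes are constructed)."""
import json
import uuid

# Internal record exactly as the service stores it (constructed example).
INTERNAL_USER = {
    "id": 4711,
    "display_name": "Ann",
    "email": "ann@example.com",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    "ldap_dn": "cn=ann,ou=staff,dc=example,dc=com",
    "failed_logins": 3,
    "address": {"street": "1 High St", "city": "London", "geo_cell": "u10hbp"},
}

# What each scope may see, as dotted paths. Anything not listed is never
# serialised, so new internal fields are withheld by default.
RESPONSE_FIELDS = {
    "public": {"id", "display_name"},
    "profile:read": {"id", "display_name", "email", "address.street", "address.city"},
}


def project(record, allowed, prefix=""):
    """Copy only allowlisted (dotted) paths out of a nested record."""
    out = {}
    for key, value in record.items():
        path = prefix + key
        if isinstance(value, dict):
            nested = project(value, allowed, path + ".")
            if nested:
                out[key] = nested
        elif path in allowed:
            out[key] = value
    return out


def render_user(record, scopes):
    """Union of the allowlists for the caller's scopes; unknown scopes add nothing."""
    allowed = set()
    for scope in scopes:
        allowed |= RESPONSE_FIELDS.get(scope, set())
    return project(record, allowed)


SERVER_LOG = []  # stand-in for the service's own log sink


def render_error(exc, status=500):
    """Log the full exception server-side and hand the client only a correlation
    id, so stack traces, SQL text and file paths never leave the service."""
    request_id = str(uuid.uuid4())
    SERVER_LOG.append(f"{request_id} {type(exc).__name__}: {exc}")
    body = {"error": "internal error" if status >= 500 else "request failed",
            "request_id": request_id}
    return status, json.dumps(body)


if __name__ == "__main__":
    print(render_user(INTERNAL_USER, ["public"]))
    print(render_user(INTERNAL_USER, ["profile:read"]))
    print(render_error(RuntimeError("psql: relation orders_internal does not exist")))
```

The same pattern applies to error responses: the client gets a request id it can quote to support, and the detail that would help an attacker map the backend stays in the server log.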

Test, prepare, respond

We should also test API security periodically. Attacks constantly morph and new vulnerabilities appear over time. Periodically testing the API against the latest security updates allows potential problems to be detected before attackers find them.

“As the number of APIs and their usage continues to grow into 2024 and beyond, vulnerabilities will be identified and exposed with potentially devastating effect. Taking a proactive, robust, holistic approach to API security will become increasingly important and will help your business ensure that you harness their vast potential, powerfully, effectively and safely,” concluded Colt’s Gaur.

Finally (for now, because you know this list can only expand in future), Gaur says we should be prepared to respond to vulnerabilities. Before deploying an API, he says, we should ensure that a plan is in place to rapidly investigate and resolve any vulnerabilities found in the production environment, including a well-thought-out communication plan. Part of this process might be to temporarily take the API offline until the vulnerability is resolved, to minimise exposure.