Application programming interface (API) breaches have accelerated during the recent pandemic. APIs create a broad attack surface: business logic flaws, insecure API endpoints, poor authentication and lack of encryption. The stakes are high because of the direct access APIs provide to applications and data.
API abuse and excessive API calls can overwhelm application resources, leading to app downtime — which means lost productivity and revenue.
Your APIs are More Vulnerable Than You Think
Flawed API security has led to the exposure of personal information of citizens around the world, disrupted power distribution and hospital operations and even jeopardized the security of the US food supply chain. This level of data exposure is a serious problem for organizations as it damages reputations.
Most of these cases involved APIs that companies knew about. However, there is a new and emerging category of risk: shadow, unknown and forgotten APIs. Shadow APIs are typically outside the control of IT; they may have been created, developed and used directly by lines of business. There may also be APIs that are undocumented or forgotten, or current applications whose developers have not fully declared their APIs to the security team.
While attacks against APIs are many and varied (OWASP has compiled a top 10 specific for APIs), some of the most common include authentication and authorization attacks, injection attacks, DDoS attacks and parameter tampering.
Four Best Practices to Secure Your APIs
Trying to secure every entry point into every application might seem daunting, but there are four basic principles you can follow that will make the task a little easier.
1. Discover all APIs
As mentioned above, if you don't know what APIs you have, you cannot control what data is exposed or whether your systems are compromised. Identify the communication methods they employ (GET, POST, etc.), their activity (number of requests over time) and any authentication failures.
You have to understand all your APIs, document them and employ a strict governance model to ensure they comply with your corporate security standards. While this is straightforward for APIs in active use, it can prove difficult for those that are dormant and undocumented. Ultimately, though, these hidden APIs are the most dangerous, and you have to find them before hackers do.
2. Enforce API Access Control
Access control has two parts: authentication and authorization. Authentication proves that the client accessing the API really is who it claims to be, and authorization verifies that the client has the right to access the data it is asking for. Traditionally, basic credential checks may have been used to authenticate clients, but in this world of hacked passwords and token abuse, it is best to use cryptographically secure mechanisms (OpenID and OAuth, for example) to identify clients and to define and enforce granular authorization policies for each API.
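The two halves of access control described above, shown as an added example (not code from the original article or from any product it mentions): a bearer token is authenticated by checking an HMAC signature and expiry, then a deny-by-default policy table decides whether the client's scopes authorize the requested method and path. The signing secret, the policy table and the route names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In a real deployment the key comes from a secrets
# manager; it is never hard-coded in source (see the point about API keys below).
SECRET = b"constructed-demo-signing-secret"

# Constructed authorization policy: the scope each (method, path) requires.
# Routes absent from the table are denied, so a new endpoint is closed until
# someone deliberately opens it.
POLICY = {
    ("GET", "/v1/orders"): "orders:read",
    ("POST", "/v1/orders"): "orders:write",
    ("GET", "/v1/admin/users"): "admin",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes: list, ttl: int, now: float) -> str:
    """Mint a token of the form base64(claims).base64(hmac-sha256)."""
    claims = {"sub": subject, "scopes": scopes, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(secret: bytes, token: str, now: float):
    """Authentication: return the claims if the signature is valid and the
    token has not expired, otherwise None. Malformed input is treated as a
    failed login, not an exception."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak via timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(claims: dict, method: str, path: str) -> bool:
    """Authorization: allow only when the route has a policy entry and the
    client holds the required scope."""
    required = POLICY.get((method, path))
    if required is None:
        return False
    return required in claims.get("scopes", [])


def handle_request(token: str, method: str, path: str, now: float) -> int:
    """Return the HTTP status an API gateway would send for this request."""
    claims = verify_token(SECRET, token, now)
    if claims is None:
        return 401  # not authenticated
    if not authorize(claims, method, path):
        return 403  # authenticated, but not allowed to do this
    return 200
```

Note that a valid token is not enough: a client with only `orders:read` is refused the POST route with 403, which is the distinction between authentication and authorization the text draws.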
In addition, make sure that you have not stored your API keys in public cloud storage like Amazon S3 or in code repositories such as GitHub that are available to everyone. Code reviews are also needed to ensure that there are no hard-coded API keys in applications.
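A code review for hard-coded keys can be partly automated. The scanner below is an added example (not from the original article) that flags assignments of key-like names to long string literals and uses a Shannon-entropy threshold to skip obvious placeholders; the file contents and the key values are constructed and belong to no real service.

```python
import math
import re

# Constructed sample source files (not from any real repository). Only the
# first and third contain a literal that looks like a real credential.
SAMPLE_FILES = {
    "settings.py": 'API_KEY = "AKIAEXAMPLEKEY0123456789"\nDEBUG = False\n',
    "client.py": 'import os\napi_key = os.environ["PAYMENTS_API_KEY"]\n',
    "notes.md": 'token = "sk_live_c0nstructedF4keT0ken9876543210"\n',
    "fixtures.py": 'password = "changemechangeme"\n',
}

# name = "value" / name: 'value' where the name is key-like and the value is
# at least 12 characters.
ASSIGN_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{12,})["']"""
)


def shannon_entropy(text: str) -> float:
    """Bits per character; random keys score high, repeated filler scores low."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(files: dict, min_entropy: float = 3.0) -> list:
    """Return (filename, line number, variable name) for each suspected
    hard-coded credential. Reading from the environment is not flagged."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ASSIGN_RE.finditer(line):
                if shannon_entropy(m.group(2)) >= min_entropy:
                    findings.append((name, lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_FILES):
        print("possible hard-coded credential:", f)
```

The entropy gate is a heuristic: it keeps `changemechangeme` out of the report but would also pass a real key that happens to be low-entropy, so treat the scanner as a first pass that supports, rather than replaces, the review.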
Lastly, you should always enforce strong encryption for API communications to prevent data exposure in transit.
You may have established these procedures for your three-tier apps already, but as you migrate your applications to more modern, cloud-native architectures, it's vital to ensure the same levels of security (authentication, authorization, encryption and visibility) for all your intra-microservice API communications. Again, cryptographically secure mechanisms, like mutual TLS, should be used throughout for service mesh deployment models.
3. Protect APIs From Abuse
Excessive requests to an API can represent two threats: either someone is trying to steal your data or someone is trying to bring your services down, both of which are very serious for your business. The good news is that it's easy to mitigate these threats by defining the number of transactions or requests a client can make per second. It is best practice to implement a rate-limiting strategy for all your APIs. Not only will this prevent deliberate API abuse, but it will also mitigate the accidental flood of requests from any misbehaving or misconfigured app that can slow your application to a crawl.
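The per-client limit described above, as an added example (not code from the original article): a token-bucket limiter that allows a short burst, refills at a steady rate and tracks each client separately, so one flooding client is throttled while others are unaffected. The rate, burst size and request stream are constructed.

```python
class TokenBucket:
    """Capacity `burst` tokens, refilled at `rate` tokens per second.
    Each request spends one token; an empty bucket means reject."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        elapsed = max(0.0, now - self.last)  # ignore clock going backwards
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client id (API key, token subject or source IP)."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.buckets = {}

    def check(self, client_id: str, now: float) -> int:
        """Return 200 if the request may proceed, 429 if the client is over its limit."""
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.rate, self.burst)
        return 200 if bucket.allow(now) else 429


def simulate(limiter: RateLimiter, requests: list) -> dict:
    """requests: list of (timestamp, client_id). Returns
    {client_id: (allowed, rejected)} so the effect of the policy is visible."""
    outcome = {}
    for ts, client in requests:
        allowed, rejected = outcome.get(client, (0, 0))
        if limiter.check(client, ts) == 200:
            allowed += 1
        else:
            rejected += 1
        outcome[client] = (allowed, rejected)
    return outcome


# Constructed traffic: client "flood" fires 20 requests at t=0 and 5 more a
# second later; client "normal" sends one request per second.
CONSTRUCTED_REQUESTS = [(0.0, "flood")] * 20 + [(1.0, "flood")] * 5 + [
    (float(t), "normal") for t in range(5)
]

if __name__ == "__main__":
    print(simulate(RateLimiter(rate=10.0, burst=5), CONSTRUCTED_REQUESTS))
```

With a burst of 5 and a refill rate of 10 per second, the flooding client gets 5 of its first 20 requests through, then a further 5 after the bucket refills, while the well-behaved client is never rejected.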
4. Continually Monitor for Insight
Ongoing monitoring of your APIs is a must for security. Changes in API activity can reflect alterations to business practice or indicate an attack. You should examine API usage — both the number of calls and data transferred — and performance (including latency) and errors. Additionally, cross-referencing the origin of API calls with geo-location can reveal unwanted requests. Look closely at authentication success and, more importantly, failure rates. Changes in these are good indicators that something is amiss and needs investigating. Know the baseline traffic for your APIs and use it to detect deviations.
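Both the inventory step in practice 1 (which APIs exist, which methods they use, how many requests and authentication failures each sees) and the baseline-and-deviation monitoring in practice 4 can be driven from the same access logs. The script below is an added example (not from the original article or any product it names): it parses constructed log lines, collapses numeric path segments into endpoint templates so the inventory groups by API rather than by record id, counts requests and 401/403 responses per endpoint, and then flags any minute whose authentication-failure rate exceeds a multiple of the baseline. The log format and all addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: timestamp, client IP, method, path, status, latency.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 GET /v1/orders/123 200 45ms
2024-05-01T10:00:02Z 203.0.113.5 GET /v1/orders/124 200 41ms
2024-05-01T10:00:03Z 198.51.100.7 POST /v1/orders 201 88ms
2024-05-01T10:00:04Z 198.51.100.7 GET /v1/orders/125 401 3ms
2024-05-01T10:00:05Z 203.0.113.5 GET /v1/reports/legacy/2019 200 120ms
2024-05-01T10:01:01Z 192.0.2.9 GET /v1/orders/126 401 2ms
2024-05-01T10:01:02Z 192.0.2.9 GET /v1/orders/127 401 2ms
2024-05-01T10:01:03Z 192.0.2.9 GET /v1/orders/128 401 2ms
2024-05-01T10:01:04Z 192.0.2.9 GET /v1/orders/129 403 2ms
2024-05-01T10:01:05Z 203.0.113.5 GET /v1/orders/130 200 40ms
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)ms$")


def parse_log(text: str) -> list:
    """Turn log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status, latency = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "method": method, "path": path,
            "status": int(status), "latency_ms": int(latency),
        })
    return records


def endpoint_template(path: str) -> str:
    """/v1/orders/123 -> /v1/orders/{id}, so one API is one inventory row."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def inventory(records: list) -> dict:
    """Practice 1: every (method, endpoint) seen, with request count,
    authentication failures and the set of clients calling it."""
    inv = defaultdict(lambda: {"requests": 0, "auth_failures": 0, "clients": set()})
    for r in records:
        entry = inv[(r["method"], endpoint_template(r["path"]))]
        entry["requests"] += 1
        if r["status"] in (401, 403):
            entry["auth_failures"] += 1
        entry["clients"].add(r["ip"])
    return dict(inv)


def auth_failure_rate_per_minute(records: list) -> dict:
    """Practice 4: {minute: (failure_rate, total_requests)}."""
    by_minute = defaultdict(lambda: [0, 0])  # [total, failures]
    for r in records:
        minute = r["ts"].strftime("%Y-%m-%dT%H:%M")
        by_minute[minute][0] += 1
        if r["status"] in (401, 403):
            by_minute[minute][1] += 1
    return {m: (fails / total, total) for m, (total, fails) in by_minute.items()}


def flag_deviations(rates: dict, baseline_rate: float,
                    factor: float = 3.0, min_requests: int = 5) -> list:
    """Minutes whose failure rate exceeds `factor` times the baseline.
    `min_requests` stops a single failed call in a quiet minute from alerting."""
    return sorted(m for m, (rate, total) in rates.items()
                  if total >= min_requests and rate > baseline_rate * factor)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, entry in sorted(inventory(recs).items()):
        print(key, entry["requests"], "requests,", entry["auth_failures"], "auth failures")
    rates = auth_failure_rate_per_minute(recs)
    print("deviating minutes:", flag_deviations(rates, baseline_rate=0.2))
```

In the constructed data the inventory surfaces a `GET /v1/reports/legacy/{id}` endpoint that nobody may remember deploying, and the second minute is flagged because four of its five requests failed authentication against a 20% baseline. In practice the baseline would be computed from a longer history rather than passed in by hand.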
Security is a Journey, Not a Destination
While APIs are crucial to your business's agility, they represent a very clear attack surface with direct access to valuable data, so protecting them is critical.
API protection can be deployed in various ways, but the simplest method is to enable it on your existing application delivery controller (ADC). Tools like Citrix® ADC™, for instance, can be used to see all your API traffic and offer API security functionality integrated alongside other comprehensive security capabilities, like WAF and bot management.
Security is not a destination but a continual journey. Companies that follow the four best practices outlined above can create a clear path to better API security and organizational success.