6 Principles of a Holistic API Security Strategy
INTRODUCTION
There’s a very real chance that, were you to try, you could not identify every API endpoint in your environment right now. But unfortunately, you may not be able to say the same for malicious actors. If an endpoint exists, it can be used as a way in.
In addition, offering public APIs opens you up to receiving queries from a myriad of customers, partners, and apps. It also opens up your organization to compromise. There are a number of risk controls that need to be considered to protect your organization from attacks that can lead to breaches and fraud.
It’s a classic struggle. On one hand, the urge to be bold, to push the boundaries, to do what your competitors can’t is a keystone to any successful business. But on the other hand, staying secure doesn’t always play nice with the newest innovations.
1. Design an API governance strategy for each type of API in order to set the appropriate security controls.
2. Implement API security policies that can be consistently enforced wherever APIs are deployed.
3. Adapt to emerging threats, anomalous behavior, and malicious users that attempt to exploit or abuse APIs using AI to decrease the burden on security teams.
Depending on your industry, compliance standards will vary, with some requiring more stringent security than others. Regardless, it is essential that your API security posture is robust enough to face a barrage of threat vectors
API security testing is not a one-time deal. Testing before, during, and after deployment is critical. By building testing into every stage of development, you gain many more opportunities to identify weaknesses and vulnerabilities before a breach happens. And while security-specific testing tools are great, don’t forget about security use case modeling as well.
From external clients to the internal, backend infrastructure, every part of the architecture must have its own protective measures in place. |
In thinking about protection at the API layer, it’s helpful to first sort your APIs into two buckets: internal and external. Internal APIs are more straightforward to secure since the API provider can coordinate security measures with app teams. For external APIs, the risk calculus is different. That doesn’t mean you’re out of luck, though. You can (and should) still implement API-level protections that do three things:
1. Narrow the opportunity for a security breach with real-time threat intelligence and access control mechanisms such as hardened session tokens.
2. Establish baseline normal and abnormal traffic patterns.
3. Restrict API usage and provide granular control of any approved aggregators.
At the production level, the sheer volume of traffic from API sprawl necessitates the use of AI to detect anomalous behavior and malicious users.
Just like there is no one food that will keep us fully nourished, there is no one security tool that will fully protect APIs. Instead, you need to develop a strategy that employs a well-rounded ecosystem of tools as part of a holistic security architecture.
Tools you should consider include:
- An API gateway
- App security testing (SAST and DAST)
- A WAF
- Bot management
Additionally, API discovery and microsegmentation are critical ecosystem capabilities.
You’ve probably gotten the idea that API security can become complex, owing to the diversity of technologies, layers, designs, and contexts in which APIs are used. There are ways to mitigate that complexity, though.
When you approach your API security posture, first take a step back and looks at the big picture.
Security needs to run in the same continuous lifecycle of apps themselves, meaning tight integration within CI/CD pipelines, service provisioning, and event monitoring ecosystems.
Furthermore, tried and true security practices still apply—default deny architectures, strong encryption, and least privilege access.