Top 3 API Security Best Practices

Enhance your defenses as you evolve your digital fabric


For organizations that want to thrive in the new digital economy, the status quo simply won’t cut it. Traditional security controls are static and inflexible. They were designed in the days of client/server communication with predictable user journeys and traffic flows, well before APIs became ubiquitous and the cornerstone for today’s digital experiences.

While efforts to modernize security by infusing zero trust, least-privilege access, and authentication/authorization principles have borne fruit, the game has changed. The players in the application game that cheer you on by transacting across your digital properties are no longer users in the traditional sense. Increasingly, those “users” are business logic calls from APIs, which may be from partners or ecosystem integrations as much as they are from customers or prospects. The importance of APIs also means they are a much bigger target for attackers.

Organizations that want to survive must secure their APIs and mitigate unintended and unforeseen risk in a distributed and ever-changing digital fabric—one that spans the data center, private/public clouds, and the edge. Organizations that want to thrive should concentrate their strategic efforts in a few key areas to create a predictable, scalable, and self-defending API security platform that protects digital touchpoints across hybrid and multi-cloud environments.

Traditional versus Modern Security

Traditional security controls are widely deployed—used by organizations worldwide to protect business secrets and customer data. Companies employ traffic inspection to help ensure privacy and prevent data theft by restricting access to sensitive information. Security controls such as rate limiting in API gateways help mitigate denial of service (DoS) attacks. And web scraping controls in web application firewalls (WAFs) prevent compromise of sensitive information such as pricing. In addition, organizations often use a combination of security tools, such as static code analysis and dynamic application security testing to address many common risks, such as those in the OWASP Top 10.

Yet, in today’s digital world, traditional security measures aren’t enough. That’s why so many organizations are embracing modern security controls including authentication (AuthN), authorization (AuthZ), and dynamic traffic inspection for their distributed applications.

Organizations use multi-factor authentication, public key certificates, biometrics, and other methods to confirm the identity of people and devices and to make sure only legitimate users and trusted machines can access their data. Authorization is simply a matter of granting appropriate permissions to authenticated users, ensuring they can access all the files and data they need to do their work while preventing them from seeing other information they should not be privy to. Traffic inspection enables companies to minimize risks by examining application traffic across their security inspection chains and identifying unusual activity and potential threats as well as supplying any insights needed for accounting or incident response.

While these controls are widely deployed and well understood by security and risk teams, implementing them across a plethora of digital touch points—from the data center core to the customer edge—is a critical challenge. 

The Evolution to Adaptive Security

Security is increasingly focused on identity and verification. Organizations use methods like zero trust and least-privilege access to increase the rigor of their security, trusting neither users nor devices by default and limiting their access to the bare minimum of information they need, in many cases through predetermined use case modeling. Companies also use methods such as behavioral analytics to detect suspicious behavior that may indicate potential threats from malicious users, and risk-based controls to step up the authentication process, making it more stringent as the perceived threat level increases.

Figure 1: The Internet of Things connects the world around us and powers our modern way of life.

However, organizations today operate complex, interconnected architectures, which complicates their ability to enforce security policy such as AuthN and AuthZ consistently. IT is overwhelmed with tool sprawl and the challenge of managing heterogeneous environments, and “users” are likely to be APIs, services, or machines rather than human beings. The growing complexity and interconnection of architecture requires a paradigm shift in risk management. What’s needed is cross-platform visibility coupled with artificial intelligence (AI) and machine learning (ML) so that organizations can correlate data insights at scale and quickly remediate emerging threats—capabilities now possible in Web App and API Protection as-a-Service (WAAPaaS) platforms.

Figure 2: WAFs are a strategic security control that has evolved over time. 

security performance icon

“#1 reason for selecting security-as-a-service is speed”1

Adaptive Identity-Based Security

A core set of cross-platform application services coupled with a positive operating model are critical for any security platform, especially when protecting APIs. Those core application services may include zero trust and risk-based management as well as microsegmentation, which isolates services, and access to them within the data center or cloud environment. Native defense-in-depth, another core tenant, provides multiple layers of security controls throughout a platform to create resilience in case one security control fails to deter a motivated attacker. 

Strong namespace isolation segregates resources for greater security, and secrets management consistently enforces security policies for machine-to-machine communication that is increasingly common in modern architectures.


Figure 3: Identity Authority for AuthN and AuthZ as part of cross-platform application services.

A positive security operating model allows organizations to integrate security within CI/CD pipelines, dynamically discover new API endpoints, enforce API schema and access controls, as well as automatically protect critical business logic with AI/ML-based anomaly detection. This allows consistent enforcement of policy throughout the application lifecycle, reduces risk and unintended misconfiguration in highly decentralized and interconnected architecture, and neutralizes malicious users.

A platform that can scale to deliver these services consistently, regardless of where the underlying infrastructure and APIs reside—and automate operations such as false positive analysis and risk assessment/triage—will allow security teams to focus their efforts on strategic risk management instead of the day-to-day tactical challenges of maintaining security policies across environments and managing a deluge of security alerts that may not correlate to any action or require incident response.

Figure 4: A positive security operating model enables automated protection and adaptive defenses.


“Identity management technologies—including the use of authentication and authorization for API security—are still seen as the most valuable approaches to securing applications.”1

Top 3 API Security Best Practices

For organizations to thrive in the new digital economy, their security and risk teams should concentrate their strategic efforts in three areas to help create a predictable, scalable, and self-defending API security platform:

1. Identity-Based Security

Evolve to adaptive identity-based security.

2. Cross-Platform Services

Deploy cross-platform application services for consistency, observability, and actionable insights.

3. Automated Protection

Leverage AI/ML for continuous automated protection.

Discover More


API Security Best Practices: Key Considerations for API Protection

Successful API security requires vigilance on multiple fronts.

Get the eBook ›

State of Application Strategy


State of Application Strategy

Learn how companies are making their digital businesses more responsive and better suited to serve their customers, partners, and employees—now and in the future.

Read the report ›

F5 Distributed Cloud Demo Experience


F5 Distributed Cloud Demo Experience

See F5 Distributed Cloud in action.

See how it works ›

The Eight Components Of API Security FORRESTER REPORT


The Eight Components Of API Security

Explore how to implement a holistic API security program.

Get the report ›