API sprawl from a constantly expanding fabric of endpoints and integrations makes it impractical for security teams to identify and protect critical business logic using manual methods. APIs are increasingly distributed across heterogenous infrastructures, outside the realm of centralized security controls. Additionally, because application development teams move swiftly to innovate, API calls can end up hidden deep within business logic, making them difficult to identify. 

With such speed, security is often left behind. Sometimes security is simply overlooked in the design of APIs themselves. Often security is considered, but policy becomes misconfigured due to the nuanced complexity of maintaining application deployments that span multiple clouds and architectures.

Since APIs are designed for machine-to-machine data exchange, many APIs represent a direct route to sensitive data, often without the same risk controls as input validation on user-facing web forms. Yet these endpoints are subject to the same attacks that plague web apps; namely exploits and abuse that lead to data breach and fraud.

Not only should API endpoints be evaluated with the same risk controls as web applications, additional considerations are required to mitigate unintended risk from shadow APIs and third-party integrations.

API security incidents have been the cause for some of the highest-profile data breaches, as APIs are susceptible to many of the same attacks known to target web applications, including vulnerability exploits and abuse from bots and malicious automation:

• Injection and Cross-site scripting (XSS) can lead to unauthorized access of data.
• Distributed denial-of-service (DDoS) can disrupt critical, revenue generating services.
• Credential stuffing and other automated attacks can lead to compromise, data breach, and fraud.

Applications have moved toward an increasingly distributed and decentralized model, with APIs serving as the interconnection. Mobile apps and third-party integrations that increase business value have become table stakes for successfully competing in an online world. F5 Labs research shows that the number of API security incidents is growing every year, and despite the pervasive use of APIs, the attack surface ramifications of API-first architectures are still not widely understood.

Risk increases when APIs become widely distributed without a holistic governance strategy. This risk is exacerbated by a continuous application lifecycle process where applications and APIs are constantly changing over time.

The variety of interfaces and potential risk exposure means security teams need to protect the front door as well as all windows that represent the building blocks of modern apps.

Advances in machine learning make it possible to dynamically discover API endpoints and automatically map their interdependencies, providing a practical way to analyze API communication patterns over time and identify shadow or undocumented APIs that increase risk.

Furthermore, continuous endpoint monitoring and analysis enable security baselines to be constructed autonomously, providing for real-time detection and mitigation of threats and anomalous behavior without manual oversight.

This continuous and automated protection results in highly calibrated policies that can be applied consistently across all architectures for all APIs—mitigating exploits, deterring bots and abuse that lead to fraud, and enforcing schema and access control.

Enterprises need to modernize their legacy apps, while simultaneously developing new user experiences by leveraging modern architectures and third-party integrations. A holistic governance strategy that protects APIs from the core to the cloud to the edge supports digital transformation while reducing known and unknown risks.

F5 security runs in the form factor best suited for your application architectures and operational control requirements—from self-managed solutions that provide granular control in the data center and private/public cloud, to a cloud-delivered as a Service platform that reduces complexity with integrated and easy-to-operate security, to managed services that extend your security and fraud teams with 24x7x365 SOC oversight.

Key considerations for deploying API security include:

1. Integration with existing dev processes 
   Security teams can keep pace with the application lifecycle by integrating into CI/CD pipelines and through dynamic API discovery and anomaly detection that identifies shadow APIs and mitigates unintended risk.
   
   
2. Multi-cloud and hybrid environments 
   F5 solutions streamline policy with a positive security model that prevents misconfiguration and drives consistent protections from the core to the edge using OpenAPI definitions, Swagger files, and zero-trust principles.
   
   
3. APIs for highly regulated business 
   APIs that involve the exchange of sensitive information may require additional security controls to meet compliance from local regulations and/or industry mandates.
   
   
4. API workloads in Kubernetes and Lambda 
   F5 service mesh technology helps API delivery teams deal with the challenges of visibility and security when API endpoints are deployed in a Kubernetes environment or through AWS Lambda.
   
   
5. API Gateway 
   API publication, authentication, and authorization can be coupled with robust API protections for integrated gateway functions within microservices architectures.

F5 solutions protect APIs across the entire enterprise portfolio with effective and consistent security that mitigates vulnerability exploits, bots and abuse, and risk from third-party integrations across clouds and architectures.

By continuously discovering and protecting APIs with consistent security policy, organizations can infuse a positive API security model that improves risk management while supporting digital innovation.

To learn more, contact your F5 representative, or visit F5.