There’s a very real chance that, were you to try, you could not identify every API endpoint in your environment right now. But unfortunately, you may not be able to say the same for malicious actors. If an endpoint exists, it can be used as a way in.
In addition, offering public APIs opens you up to receiving queries from a myriad of customers, partners, and apps. It also opens your organization to compromise. There are a number of risk controls that need to be considered to protect your organization from attacks that can lead to breaches and downtime.
It’s a classic struggle. On one hand, the urge to be bold, to push the boundaries, to do what your competitors can’t, is a cornerstone to any successful business. But on the other hand, staying secure doesn’t always play nice with the newest innovations.
The key to striking the balance is threefold:
Depending on your industry, compliance standards will vary, with some requiring more stringent security than others. Regardless, it is essential that your API security posture is robust enough to face a barrage of threat vectors.
API security testing is not a one-time deal. Testing before, during, and after deployment is critical. By building testing into every stage of development, you gain many more opportunities to identify weaknesses and vulnerabilities before a breach happens. And while security-specific testing tools are great, don’t forget about security use case modeling as well.
Security needs to run in the same continuous lifecycle of apps themselves, meaning tight integration within CI/CD pipelines, service provisioning, and event monitoring ecosystems.
From external clients to the internal, backend infrastructure, every part of the architecture must have its own protective measures.
Furthermore, tried-and-true security practices still apply—default-deny architectures, strong encryption, and least-privilege access.
In thinking about protection at the API layer, it’s helpful to first sort your APIs into two categories: internal and external. Internal APIs are more straightforward to secure since the API provider can coordinate security measures with app teams. For external APIs, the risk calculus is different. You can (and should) implement API-level protections that do three things:
At the production level, the sheer volume of traffic from API sprawl necessitates the use of AI to detect anomalous behavior and malicious users.
Just like there is no one food that will keep us fully nourished, there is no one security tool that will fully protect APIs. Instead, you need to develop a strategy that employs a well-rounded ecosystem of tools as part of a holistic security architecture.
Tools you should consider include:
API gateways provide robust inventory and management capabilities but only provide basic security such as rate limiting that will not deter sophisticated attackers. Additionally, API proliferation is leading to tool sprawl—including API gateway sprawl.
App security testing is always critical, but shift-left methodologies for robust application security during development need to be augmented with shield-right practices—namely, securing API endpoints in production.
Web application firewalls provide a critical stopgap to mitigate application vulnerability exploits but typically lack the dynamic discovery capabilities necessary to continuously detect “rogue” (shadow/zombie) APIs.
Bot management for APIs cannot rely on commonly used security controls such as multi-factor authentication (MFA) and CAPTCHA: API traffic is typically machine-to-machine, so there is no human in the loop to challenge except at the user interfaces that sit in front of API-based systems.
Traditional DDoS mitigation focuses on network and volumetric attacks, whereas APIs can be subject to targeted layer 7 attacks that abuse critical business logic. The end result is the same—performance degradation and, potentially, downtime. Dynamic API discovery, schema enforcement, access control, and automated protections based on machine learning have therefore emerged as critical ecosystem capabilities for defending APIs.
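The default-deny, inventory-driven posture described above (unknown endpoints are treated as shadow APIs, retired versions as zombies, and every known endpoint is held to its schema) can be illustrated with a small audit over access logs. This is an added example, not code from the original article or any vendor product; the inventory, the retired-version list, the log format and the log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed inventory of documented endpoints: method, path pattern, and the
# schema rules each must satisfy. Anything not listed here is denied by default.
INVENTORY = [
    ("GET",  re.compile(r"^/v1/users/\d+$"), {"auth": True,  "max_body": 0}),
    ("POST", re.compile(r"^/v1/orders$"),    {"auth": True,  "max_body": 4096}),
    ("GET",  re.compile(r"^/v1/health$"),    {"auth": False, "max_body": 0}),
]
# Constructed list of retired API versions; anything still answering here is a zombie.
RETIRED_PREFIXES = ("/v0/",)

# Constructed access-log lines: method path status body_bytes credential_present
SAMPLE_LOG = """\
GET /v1/users/42 200 0 yes
POST /v1/orders 201 512 yes
POST /v1/orders 201 65536 yes
GET /v0/users/42 200 0 no
GET /internal/debug/dump 200 0 no
GET /v1/users/42 200 0 no
"""

def classify(line):
    """Return (verdict, reason) for one log line under default-deny rules."""
    method, path, _status, body, auth = line.split()
    body, has_auth = int(body), auth == "yes"
    if path.startswith(RETIRED_PREFIXES):
        return "zombie", "retired API version still answering"
    for m, pattern, rules in INVENTORY:
        if m == method and pattern.match(path):
            if rules["auth"] and not has_auth:
                return "violation", "missing credential on protected endpoint"
            if rules["max_body"] and body > rules["max_body"]:
                return "violation", f"body {body} exceeds schema max {rules['max_body']}"
            return "ok", "matches inventory and schema"
    return "shadow", "endpoint not in inventory"

def audit(log):
    """Classify every non-empty line; returns a list of (line, verdict, reason)."""
    return [(ln, *classify(ln)) for ln in log.splitlines() if ln.strip()]

def summary(log):
    """Count verdicts so shadow/zombie growth can be tracked over time."""
    return Counter(verdict for _, verdict, _ in audit(log))

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:9} {reason:45} {line}")
```

In practice the inventory would be generated from the published API specification and refreshed continuously, which is the discovery capability the article says gateways and WAFs typically lack.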
API proliferation is driving untenable architectural sprawl across hybrid and multi-cloud environments. Again, API sprawl has led to API gateway sprawl as many security tools cannot provide consistent security across multiple architectures such as data center, private/public cloud, and the edge. Visibility and control of API traffic across the entire digital ecosystem is imperative for mitigating the next critical vulnerability, and for preventing misconfiguration that can occur when endpoints are distributed across different cloud providers.
APIs are everywhere—in the data center, across clouds, at the edge—and are interconnected behind web apps, mobile apps, and associated third-party integrations.
APIs need to be protected wherever they live, and security should never sleep. Instead, ensure that your strategy includes solutions that continuously defend critical business logic behind APIs and consistently secure your API-connected digital fabric—so you can streamline operations and innovate with confidence.