Whether you’re trying to increase revenue, reach or engagement, or simply to integrate systems, Application Programming Interface (API) utilisation is a must. We are in the age of big data, AI and machine learning, and there is no better way to exploit these data sources across multiple platforms and services than through APIs. APIs are no longer created just to meet a technical requirement; they are published with specific business goals in mind. With all of the big players offering a vast range of APIs, and with adoption this widespread, the security implications were always going to be significant.
Inbound threat...
Back in 2017, OWASP listed underprotected APIs in a release candidate of its Top 10 for the first time, and 2018 proved the concern well founded. In 2018 we saw the likes of Salesforce, Panera Bread, the US Postal Service and PayPal-owned Venmo fall foul of API-based breaches. These weren’t small breaches either: the Panera Bread breach, for example, exposed 37 million records, including customer names, email addresses, physical addresses and the last four digits of credit card numbers, all in plain text.
API usage is prevalent within most organisations. Early in 2018 Imperva published a OnePoll survey on the state of API security, covering 250 IT professionals at US organisations with at least 250 employees and/or $1 million in revenue, which showed:
- 68% of those surveyed exposed APIs to partners and the public
- 80% didn’t know whether they were using an API gateway to manage public-facing APIs
- 4% indicated that API security is treated differently from web security
In addition, Gartner predicted that by 2022 API abuse will become the most common type of web application attack resulting in a data breach. It’s more important than ever to bolster your defence and maximise your API security.
Take control in 3 steps
Whilst it’s clear API security needs to be addressed and the security challenges aren’t drastically different from traditional application security, there are some unique aspects of APIs that need to be taken into consideration.
Below are 3 essential steps that provide a good starting point to help you on your journey to secure APIs:
1) Implement an API management platform
An API management platform, or gateway, provides a single point of control for a defined group of APIs. Cross-cutting concerns are handled once, at the gateway, rather than in each API’s source code, which allows consistent policies to be applied across all of them. A typical API gateway provides:
- Security (authentication and authorisation)
- Management of access quotas and throttling
- API performance monitoring
- Automation (versioning)
2) Implement a Web Application Firewall (WAF) to protect your public-facing APIs
Utilising a WAF such as AWS WAF gives you granular control over the requests that reach your APIs, protects against request tampering, helps prevent misuse and exploitation, and helps mitigate Layer 7 DDoS attacks. Bear in mind that a WAF inspects requests; it does not know which caller is allowed to see which record, so it complements the gateway’s authentication and authorisation rather than replacing them.
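As an added example (not from the original article), the following AWS WAF (WAFv2) web ACL definition shows what that granular control looks like in practice for a public-facing API: an AWS managed rule group for common web exploits, a limit on request body size, and a per-IP rate limit. The ACL name, the thresholds and the choice of managed rule group are assumptions to tune for your own API.

```json
{
  "Name": "public-api-web-acl",
  "Scope": "REGIONAL",
  "Description": "Example web ACL for a public-facing API: managed rules, body-size limit, per-IP rate limit",
  "DefaultAction": { "Allow": {} },
  "Rules": [
    {
      "Name": "aws-common-rule-set",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet"
        }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "aws-common-rule-set"
      }
    },
    {
      "Name": "block-oversized-body",
      "Priority": 1,
      "Statement": {
        "SizeConstraintStatement": {
          "FieldToMatch": { "Body": {} },
          "ComparisonOperator": "GT",
          "Size": 8192,
          "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "block-oversized-body"
      }
    },
    {
      "Name": "rate-limit-per-ip",
      "Priority": 2,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 1000,
          "AggregateKeyType": "IP"
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "rate-limit-per-ip"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "public-api-web-acl"
  }
}
```

Saved as `api-web-acl.json` (an assumed filename), the ACL is created with `aws wafv2 create-web-acl --cli-input-json file://api-web-acl.json` and attached to the API Gateway stage with `aws wafv2 associate-web-acl`. Two practical caveats: the rate limit counts requests per source IP over a rolling five-minute period, so size it for legitimate client traffic, and a regional web ACL inspects only the first 8 KB of the request body by default, which is why the size rule blocks anything larger rather than trusting inspection of it. Run new rules with a `Count` action first and review the sampled requests before switching them to `Block`.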
3) Discover and assess which APIs your organisation is using
You can’t secure what you don’t know about. Once discovered, categorise them, then adopt a continuous approach: ongoing discovery, monitoring, categorisation and securing of APIs on a regular basis.
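As an added example (not from the original article), the Python below shows one practical way to do that discovery: parse access logs for the endpoints actually being called, collapse record identifiers so that calls to the same endpoint group together, and compare the result with the endpoints the organisation has declared, flagging undocumented endpoints and API versions nobody declared. The log lines and the declared inventory are constructed for illustration; in practice the declared set comes from your OpenAPI specs or the gateway’s route table.

```python
"""
API discovery from access logs: build the inventory of endpoints actually being called,
then compare it with the endpoints the organisation has declared (e.g. from its OpenAPI specs).
Added example; the log lines and the declared inventory are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:01:02 +0000] "GET /v1/orders/1234 HTTP/1.1" 200 512 "-" "partner-sdk/2.1"
10.0.0.5 - - [12/Mar/2019:10:01:03 +0000] "GET /v1/orders/1299 HTTP/1.1" 200 498 "-" "partner-sdk/2.1"
10.0.0.9 - - [12/Mar/2019:10:02:10 +0000] "POST /v1/orders HTTP/1.1" 201 88 "-" "mobile-app/4.0"
198.51.100.7 - - [12/Mar/2019:10:03:44 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 90311 "-" "curl/7.64.0"
198.51.100.7 - - [12/Mar/2019:10:03:49 +0000] "GET /v0/users/42 HTTP/1.1" 200 2048 "-" "curl/7.64.0"
10.0.0.9 - - [12/Mar/2019:10:04:00 +0000] "GET /v1/orders/77 HTTP/1.1" 200 501 "-" "mobile-app/4.0"
"""

# Endpoints the organisation believes it exposes (constructed; normally derived from OpenAPI specs or the gateway).
DECLARED = {
    ("GET", "/v1/orders"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UUID_RE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"


def normalise_path(target: str) -> str:
    """Strip the query string and collapse identifiers so that calls to the same endpoint group together."""
    path = target.split("?", 1)[0]
    path = re.sub(rf"/{UUID_RE}(?=/|$)", "/{uuid}", path)
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return path


def discover(log_text: str) -> Counter:
    """Return a Counter of (method, normalised path) for every parseable request line."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[(m["method"], normalise_path(m["target"]))] += 1
    return seen


def assess(seen: Counter, declared: set) -> dict:
    """Split discovered endpoints into documented and undocumented, and flag API versions nobody declared."""
    declared_versions = {p.split("/")[1] for _, p in declared if re.match(r"^/v\d+/", p)}
    report = {"documented": {}, "undocumented": {}, "undeclared_versions": set()}
    for (method, path), count in sorted(seen.items()):
        bucket = "documented" if (method, path) in declared else "undocumented"
        report[bucket][f"{method} {path}"] = count
        version = re.match(r"^/(v\d+)/", path)
        if version and version.group(1) not in declared_versions:
            report["undeclared_versions"].add(version.group(1))
    return report


if __name__ == "__main__":
    result = assess(discover(SAMPLE_LOG), DECLARED)
    for bucket in ("documented", "undocumented"):
        print(bucket)
        for endpoint, count in result[bucket].items():
            print(f"  {count:4d}  {endpoint}")
    print("undeclared versions:", sorted(result["undeclared_versions"]))
```

Run against the sample, the two undocumented hits (`GET /internal/export` and the `v0` user endpoint) are exactly the kind of thing step 3 exists to surface: endpoints that reach production traffic without an owner, a spec or a gateway policy. Scheduling this over the gateway and load-balancer logs each week, and diffing the report against the previous run, turns the one-off discovery into the continuous process described above.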
The above steps are a great starting point and should get you well on your way to a more secure API environment. However, please keep in mind API management and security is an ongoing task which needs to become part of your standard security policy and procedures.