
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


3 Steps to Secure your Enterprise APIs

Topics: Web Security, Firewall, API, API Security, Web Application, Applications, Web Application Firewall

Posted: 25 April 2019


Whether you are trying to increase revenue, reach or engagement, or simply to integrate systems, Application Programming Interfaces (APIs) are a must. In the age of big data, AI and machine learning there is no better way to put these data sources to work across multiple platforms and services than through APIs. APIs are no longer created just to meet a technical requirement; they are published with specific business goals in mind. With the big players offering a vast range of APIs, and with adoption so widespread, the security implications were always going to be significant.


Inbound threat...


In 2017, OWASP's Top 10 release candidate listed "Underprotected APIs" as a risk category for the first time, and 2018 bore that out: Salesforce, Panera Bread, the US Postal Service and PayPal-owned Venmo all suffered API-based breaches. These were not small breaches either. The Panera Bread breach alone exposed up to 37 million records, including customer names, email addresses, physical addresses and the last four digits of credit card numbers, all in plain text.

API usage is prevalent within most organisations. Early in 2018 Imperva published a OnePoll survey on the state of API security, covering 250 IT professionals at US organisations with at least 250 employees and/or $1 million in revenue, which showed:

  • 68% of those surveyed exposed APIs to partners and the public
  • 80% did not know whether they were using an API gateway to manage their public-facing APIs
  • 4% indicated that API security is treated differently from web security

In addition, Gartner has predicted that by 2022 API abuse will be the most common type of web application attack resulting in a data breach. It is more important than ever to bolster your defences and maximise your API security.

Take control in 3 steps


Whilst it is clear that API security needs to be addressed, and the security challenges are not drastically different from traditional application security, there are some unique aspects of APIs that need to be taken into consideration.

Below are 3 essential steps that provide a good starting point to help you on your journey to secure APIs:

1) Implement an API management platform

An API management platform, or API gateway, gives you a single point of management for a defined group of APIs. Cross-cutting concerns such as authentication, rate limiting and monitoring move out of each API's own source code and into the gateway, so one consistent set of policies can be enforced across all of them. A typical API gateway provides:

  • Security (authentication and authorisation)
  • Management of access quotas and throttling
  • API performance monitoring
  • Automation (versioning)
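Concretely, what a gateway enforces on every request, as an added example that is not from the original post or from any particular gateway product: a small Python policy layer that authenticates an API key, throttles the caller with a per-key token bucket and authorises the call against a route table, denying anything not listed. The keys, clients, scopes and routes are constructed for the example; a real gateway would keep the key registry and route table outside the process and would add the monitoring and versioning pieces listed above.

```python
"""Minimal API-gateway policy layer: authenticate, throttle, authorise.

All keys, clients, scopes and routes below are constructed for this example.
"""
import hashlib
import time
from dataclasses import dataclass


def _digest(key):
    """Registry holds SHA-256 digests, not raw keys, so a leaked registry
    does not hand out usable credentials."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Constructed key registry: digest -> client, granted scopes, throttle settings.
API_KEYS = {
    _digest("partner-key-123"): {"client": "partner-a", "scopes": {"orders:read"},
                                 "rate": 5.0, "burst": 5},
    _digest("internal-key-456"): {"client": "billing",
                                  "scopes": {"orders:read", "orders:write"},
                                  "rate": 50.0, "burst": 20},
}

# Route table: (method, path prefix) -> scope required.  Unlisted routes are denied.
ROUTES = {
    ("GET", "/v1/orders"): "orders:read",
    ("POST", "/v1/orders"): "orders:write",
}


@dataclass
class TokenBucket:
    """Per-key throttle: `rate` tokens refill per second up to `capacity`."""
    rate: float
    capacity: float
    tokens: float
    last: float

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    def __init__(self, keys=API_KEYS, routes=ROUTES, clock=time.monotonic):
        self.keys = keys
        self.routes = routes
        self.clock = clock      # injectable so throttling can be tested deterministically
        self.buckets = {}       # key digest -> TokenBucket

    def _route_scope(self, method, path):
        path = path.split("?", 1)[0]
        for (m, prefix), scope in self.routes.items():
            if m == method and (path == prefix or path.startswith(prefix + "/")):
                return scope
        return None

    def handle(self, method, path, headers):
        """Return (status, message) for a request; 200 means 'forward upstream'."""
        # 1. Authenticate.  Missing and invalid keys get the same answer, and
        #    nothing below runs for an unauthenticated caller (no route enumeration).
        digest = _digest(headers.get("X-API-Key", ""))
        entry = self.keys.get(digest)
        if entry is None:
            return 401, "unauthenticated"
        # 2. Throttle per key before any further work, so a valid but abusive
        #    key cannot hammer the authorisation layer or the upstream API.
        bucket = self.buckets.get(digest)
        if bucket is None:
            bucket = TokenBucket(entry["rate"], entry["burst"], entry["burst"], self.clock())
            self.buckets[digest] = bucket
        if not bucket.allow(self.clock()):
            return 429, "rate limited"
        # 3. Authorise against the route table; unknown routes are denied by default.
        scope = self._route_scope(method, path)
        if scope is None:
            return 404, "no such route"
        if scope not in entry["scopes"]:
            return 403, "insufficient scope"
        return 200, "forwarded for %s" % entry["client"]


if __name__ == "__main__":
    gw = Gateway()
    for method, path, hdrs in [
        ("GET", "/v1/orders/42", {}),
        ("GET", "/v1/orders/42", {"X-API-Key": "partner-key-123"}),
        ("POST", "/v1/orders", {"X-API-Key": "partner-key-123"}),
        ("POST", "/v1/orders", {"X-API-Key": "internal-key-456"}),
    ]:
        print(method, path, "->", gw.handle(method, path, hdrs))
```

The checks run in the order authenticate, throttle, authorise: an unauthenticated caller learns nothing about which routes exist, and a valid but abusive key is rate-limited before any further work is done on its behalf. The bucket refills continuously, so a client that stays under its rate is never blocked while a burst beyond it is cut off at the configured capacity.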

2) Implement a Web Application Firewall (WAF) to protect your public-facing APIs

A WAF such as AWS WAF gives you granular control over the requests that attempt to reach your APIs, protects against tampering, prevents misuse and exploitation, and helps mitigate Layer 7 DDoS attacks. Keep in mind that a WAF evaluates individual requests against rules and rate limits; it does not know who the caller is or what they are entitled to, so it complements the gateway's authentication and authorisation rather than replacing them.


3) Discover and assess which APIs your organisation is using

You can't secure what you don't know about. Once discovered, categorise each API (for example by whether it is internal, partner-facing or public, and by the data it handles) and adopt a continuous approach: ongoing discovery, monitoring, categorisation and securing of APIs on a regular basis, so that new and changed APIs do not slip out of view.
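One way to do the discovery step with data you already have, as an added example that is not from the original post: build an inventory from the gateway's or reverse proxy's access log, collapse identifiers so that each endpoint appears once, and compare what was observed with the catalogue of APIs the organisation believes it exposes. The JSON-lines log records, the catalogue entries, and every host and path in them are constructed for the example.

```python
"""Discover APIs from access logs and compare them with the registered catalogue.

Endpoints seen in traffic but not in the catalogue are shadow APIs; catalogue
entries with no traffic are candidates for retirement.  All log lines, paths and
addresses below are constructed for this example.
"""
import json
import re
from collections import defaultdict

# The catalogue of APIs the organisation believes it exposes (constructed).
REGISTERED = {
    ("GET", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/orders"),
}

# Constructed JSON-lines access log, one record per request as a gateway or
# reverse proxy would emit it.  "auth" records how the caller authenticated.
ACCESS_LOG = """\
{"ts": "2019-04-25T10:01:02Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/orders/1042", "status": 200, "auth": "api_key"}
{"ts": "2019-04-25T10:01:03Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/orders/1043?expand=items", "status": 200, "auth": "api_key"}
{"ts": "2019-04-25T10:02:10Z", "client_ip": "203.0.113.7", "method": "POST", "path": "/v1/orders", "status": 201, "auth": "api_key"}
{"ts": "2019-04-25T10:02:11Z", "client_ip": "203.0.113.7", "method": "GET", "path": "/v2/customers/7c9e6679-7425-40de-944b-e07fc1f90ae7", "status": 200, "auth": "none"}
{"ts": "2019-04-25T10:03:00Z", "client_ip": "198.51.100.9", "method": "GET", "path": "/internal/debug/config", "status": 200, "auth": "none"}
"""

# Path segments that are identifiers collapse to a placeholder so that
# /v1/orders/1042 and /v1/orders/1043 count as one endpoint.
_ID_PATTERNS = (
    (re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I), "{uuid}"),
    (re.compile(r"^\d+$"), "{id}"),
)


def templatise(path):
    """Strip the query string and replace identifier segments with placeholders."""
    segments = []
    for seg in path.split("?", 1)[0].split("/"):
        for pattern, placeholder in _ID_PATTERNS:
            if pattern.match(seg):
                seg = placeholder
                break
        segments.append(seg)
    return "/".join(segments)


def inventory(log_text):
    """Map (method, path template) -> request count, unauthenticated count, clients."""
    inv = defaultdict(lambda: {"requests": 0, "unauthenticated": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entry = inv[(rec["method"], templatise(rec["path"]))]
        entry["requests"] += 1
        if rec.get("auth", "none") == "none":
            entry["unauthenticated"] += 1
        entry["clients"].add(rec["client_ip"])
    return dict(inv)


def assess(inv, registered=REGISTERED):
    """Return (findings, unused): observed endpoints that need attention, and
    catalogue entries that saw no traffic at all."""
    findings = []
    for endpoint in sorted(inv):
        entry = inv[endpoint]
        issues = []
        if endpoint not in registered:
            issues.append("not in catalogue (shadow API)")
        if entry["unauthenticated"]:
            issues.append("%d unauthenticated request(s)" % entry["unauthenticated"])
        if issues:
            findings.append((endpoint, issues))
    unused = set(registered) - set(inv)
    return findings, unused


if __name__ == "__main__":
    found, unused = assess(inventory(ACCESS_LOG))
    for (method, path), issues in found:
        print("%s %s: %s" % (method, path, "; ".join(issues)))
    for method, path in sorted(unused):
        print("%s %s: registered but no traffic seen" % (method, path))
```

Endpoints that appear in traffic but not in the catalogue are the shadow APIs, and any of them serving unauthenticated requests deserve the first look; catalogue entries that see no traffic are candidates for retirement rather than continued exposure. Re-running the same comparison against each day's logs is what turns a one-off discovery exercise into the continuous approach the step calls for.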

The above steps are a good starting point and should get you well on your way to a more secure API environment. However, keep in mind that API management and security is an ongoing task which needs to become part of your standard security policies and procedures.


Posted by: Dion Phillips, Senior Technical Consultant, Infinigate UK
