What is API Security?

An application programming interface, or API, is a critical innovation in a world driven by apps. APIs enable applications to communicate and share data while providing protocols, routines, and tools for software developers. They forge connections between applications, platforms and services such as databases, games, social networks, and devices. Internet of Things (IoT) devices and applications also use APIs to collect data, and sometimes even to control other devices.

Considering how essential they've become across the private and public sectors, APIs also present a rapidly expanding attack surface. And the reality is, they are often misunderstood and frequently overlooked by application security managers and software developers.

Exposed, faulty, broken, or hacked APIs are at the heart of many major data breaches. These attacks expose sensitive financial, medical, and personal data, leaving organizations on the hook. Even worse, many organizations essentially choose to run at a high risk, managing their APIs using the public cloud. This provides an ideal opportunity for attackers and points to the need for more consistent protection of API infrastructures. 

With this in mind, the idea behind API security is to protect information transmitted by APIs. It involves having a deep understanding of the unique security risks and vulnerabilities APIs present. This includes exploring the impact of a successful attack. Once security teams understand this, they can create strategies for reducing those risks and generate solutions for incident response.

Why is API security important?

There are many reasons why API security should be taken seriously and it starts with the fact that APIs are often used to access data from other companies and organizations. Which means APIs are a lucrative target for hackers to exploit due to the volume of sensitive information that traverse APIs.

Cybercriminals are well aware that insecure web APIs are easy to hack and gain entry into. This reality has CISOs and others in leadership concerned as hackers can potentially abuse specific API resources and access corporate networks. Some of the most common attacks include man-in-the-middle (MITM), distributed denial-of-service (DDoS), injection, or broken access controls.

Therefore, the importance of securing your APIs can't be understated as there are very serious API security risks. It ensures that the data is safe and secure, which helps in preventing identity theft and other cyber crimes. That's why its so imperative to follow the latest industry API security best practices to avoid a security incident.

Understanding API vulnerabilities

An API vulnerability is when an attacker can gain access to an API that has been left exposed to the internet. Or when they're able to modify data in the API without being authorized. Both the client side API calls and the the data/functionality returned from the API endpoints are vulnerable to exploit. Some of the most common API security incidents stem from the failure to define access control rules or monitor outgoing API traffic.

Sensitive data risks

With that said, API design requires careful consideration of how data is stored, managed, accessed and transmitted. As APIs can handle sensitive data, it is important that the API design reflects the need for protection of this data. Failure to do so can result in a number of critical issues. Things like API key and credentials leaks, API code and schema exposure, and API infrastructure misconfigurations.

The most common API vulnerabilities are caused by flawed authentication methods or inadequate protection for sensitive data. For that reason, regulatory compliance is another concern for organizations. Especially for those whose APIs regularly handle personally identifiable information (PII), like credit cards, social security numbers, addresses, etc.

OWASP API Security Top 10

When you consider the types of sensitive data APIs interact with, addressing these threats becomes mission critical. But where do you start? The Open Web Application Security Project (OWASP) is a world renowned foundation that has documented the top API security risks. Known simply as the OWASP API Security Top 10, you can explore the API vulnerabilities that are most pressing. 

Application security vs API Security

Quite frankly, cybersecurity professionals and developers need to accept that application security and API security are two different disciplines. This is the most obvious reason traditional AppSec tools fall short in protecting APIs. The primary difference is that application security protects the app itself, whereas API security protects the APIs that are used to connect to other systems.

Application security is the measure of how secure an application is from attacks. It includes the security of data, network and hardware. API security, on the other hand, is about securing APIs from vulnerabilities and malicious attacks. API security focuses more on keeping attackers out. Either by creating secure designs for APIs, enforcing strong authentication and using encryption to protect data in transit.

API security controls are distributed between the delivery technology stack that includes API management, API gateways, and web application firewalls (WAFs). While there are other components in the stack, these are most notably relied upon for enforcing security policy and controls. Before we dive into why these tools are inferior, let's quickly discuss what they are and how they operate.

API management and API gateways

API management and API gateways play a very important role ensuring the delivery of APIs. Both are tightly linked together but shouldn't in anyway be confused with one another.

API management refers to the policies and processes involved in designing, publishing, and analyzing APIs. It also consists of monitoring usage and ensuring API availability. An API management system consists of four key components, such as: API Design, API Gateway, API Analytics, and an API Portal.

An API gateway on the other hand, is essentially a proxy with policy enforcement for API resources. It facilitates incoming traffic and enforces access controls. An API gateway operates in the data plane whereas an API management system operates at the control plane.

As the name suggests, API gateways serve as an access control point in front of an API endpoint. The API gateway provides core functionality to ensure the API is available to its intended consumers. The API gateway also is a control point for the API management policies such as access controls and usage (e.g. rate limiting and quotas).

Routing traffic through an API Gateway is a best practice, especially for open APIs exposed to the internet. However not all APIs sit behind a gateway. These APIs do not benefit from the controls and visibility provided by gateway and management functions.

Web application firewalls (WAFs)

Designed for web applications, WAFs have become part of the core stack for application and API protection. WAFs are proxy-based tools that inspect incoming http(s) web and API requests for attack or unwanted traffic. Like API gateways, a web application firewall can only apply policy to traffic that passes through it – which again, not all traffic will.

WAF capabilities vary, however the basic function is to provide an application layer filter for web and API traffic. This filter looks for malicious and unwanted content within incoming requests (headers and payloads). It is also used to ensure that only approved actions can be performed (by policy). 

WAFs are utilized to provide basic protections for applications and APIs. They are fairly proficient at detecting known attacks (with signatures) and malicious scripts. Premium WAFs block automated scanners and bots, and provide broader coverage of the OWASP Top 10 for web apps. But these benefits only apply if the API is routed through it. You need purpose-built discovery tools that also provide visibility into legacy, shadow, and zombie APIs.

These gaps illustrate that while both gateways and WAFs are vital to the API management layer, neither are equipped to provide the visibility required to adequately protect APIs against data breaches. Organizations must understand that API security platforms are the only satisfactory means to address these vulnerabilities.

Key API security capabilities

Now that you've learned about the need for more security controls, it's likely that you're wondering "what does API security entail?" Well, a complete API security infrastructure comprises four key pillars. Each pillar contains specific security capabilities and goals in mind. These capabilities help organizations authenticate API traffic and monitor for any unusual network traffic or patterns of use. They also help protect against breaches, hackers, and other malicious activities. Let's review the pillars and what each entails below:

API Discovery

API discovery is a process of identifying every API you have and creating an accurate inventory of them. The objective here is to improve API visibility. As stated in the previous section, both API gateways and WAFs can only observe API traffic that is routed through them. Yes, that means you have more than just the REST APIs you're aware of. In fact, Gartner predicts that 50% of enterprise APIs will be “unmanaged” by 2025 which means that visibility will be limited at best.

And while some unmanaged APIs are deployed on purpose, others may be unknown. The industry term for them are “shadow” or “zombie” APIs. These legacy and dormant APIs could be putting the organization at risk. Even if all APIs are routed through gateways and WAFs, most organizations will still struggle with visibility. API sprawl can span across multiple teams and business units, leaving security teams with a fragmented view of API usage. This makes API discovery an invaluable tool for security teams.

API Posture Management

API posture management helps IT teams to quickly identify and resolve misconfigurations that could lead to a breach or compliance violations. Misconfigurations include: weak authentication, unknown exposure to the internet, and lack of rate limiting or encryption just to name a few.

Posture management also inspects contextual API data to find compliance risks. Contextual API data includes the types of data your APIs handle, like PII, credit card information, SSNs, etc. It also includes authentication controls, security configurations, traffic and routing details, as well as exposure to the internet. It's important to note here that the combination API gateways and WAFs alone cannot provide detailed analysis of the API posture.

API Runtime Protection

Gateways and WAFs provide basic API security controls. Gateways can enforce rate limiting and authentication, while WAFs apply signature-based attack detection and appropriate user-based session behavior. These controls are very much needed but are not enough to protect the business from API specific attacks and abuse.

For example, broken object level authorization (BOLA) attacks look like normal API traffic to gateways and WAFs. And because they look normal, attacks are able to bypass these controls. Gateways and WAFs lack contextual awareness between API requests and responses. This this lack of contextual awareness can also leave you vulnerable other attacks and business logic abuse.

API Security Testing

API security testing is a crucial part of your API security strategy. It helps API developers uncover vulnerabilities, design flaws, and misconfigurations in the code before the APIs are released. To maximize their security testing efforts, many organizations have chosen to pursue a shift left strategy. Shift left is a popular practice where teams start their testing as early as possible. This ensures that any bugs are found and fixed early on, preventing them from being released to production.

It's important to keep in mind that testing APIs means different things to different people. Or more specifically, API security testing is different from application security testing. It is also different from general functionality testing during API development, though API security testing should ideally be equally prioritized. Sometimes however, the two forms of testing overlap. For example, determining whether an API is returning the correct data is both functional and security related.

API security for SOAP, REST, and GraphQL

To keep them secure, it's important to understand the difference between the types of APIs you have. We'll review the three most prominent in use today – REST, SOAP, and GraphQL.

REST API security

REST APIs are the most popular type of API and use HTTP methods to communicate between client and server. HTTP verbs like GET, POST, PUT, and DELETE are applied in order to manipulate data. A REST API is built on the principles of the REST architecture. However they go a step further by enforcing a strict separation between the client and server. They are simple and easy to use, but they lack security features. Which means developers should pay extra attention to REST API security.

SOAP API security

SOAP, or Simple Object Access Protocol, is an XML-based protocol for exchanging messages between applications over HTTP. SOAP APIs are usually used to integrate legacy systems with newer ones, but are more difficult to use than REST APIs. It's also important to note that SOAP APIs offer more security features despite being released two years prior to REST. When it comes to SOAP API security and protecting SOAP messaging, the web services security, or WS-Security specification, enforces the authentication for SOAP APIs.

SOAP is typically used by web services that need more security because it provides features like authentication and encryption. In comparison, with a REST API, authentication can be done through URL parameters or headers only.

GraphQL API security

GraphQL is a data query language developed by Facebook in 2012 and open-sourced in 2015. GraphQL APIs allow clients to specify what data they need from the server rather than fetching all available data from it. GraphQL is gaining popularity because it is easier to use than a SOAP or REST API, yet it offers more security features.

Addressing security across the API ecosystem

Everyone wants secure APIs. But the process is complex and requires an approach that considers all aspects of the API. From its development, deployment configuration, and run-time operations. Though there are a number of API security best practices, they generally fall into one of the following three areas:

API security posture

Assess every API, including legacy and shadow APIs, and uncover the types of data they encounter. Based on that inventory, identify misconfigurations and vulnerabilities in the source code, network configuration, and policy. Focus security interventions on the highest-risk areas.

Detection and response

Deploy behavioral AI models for real time API threat detection. Integrate with with existing IT workflows to automate incident response and block serious threats.

Continuous testing

Continuously test API endpoints to identify API risks before they emerge. Supplement DevOps DAST, SAST, SCA and other existing tools with API security testing that can be automated and integrated into CI/CD pipelines. Adequate testing will help you discover design flaws and prevent attacks like SQL injections.

If you're looking for more detailed guidance, we recommend taking a look at our API security checklist here. It provides a detailed framework of API security requirements you need to protect your environment.