What is API Security?
APIs represent a foundational element of innovation in a world driven by apps. APIs act as software intermediaries, enabling applications to communicate and share data while providing protocols, routines, and tools for software developers. Web APIs forge connections between applications and platforms and services such as databases, games, social networks, and devices. Internet of Things (IoT) devices and applications also use APIs to collect data, and sometimes even to control other devices.
Considering how integral they've become across the private and public sectors, APIs also present a rapidly expanding attack surface. And the reality is, they are often misunderstood and frequently overlooked by application security managers and software developers.
Exposed, faulty, broken, or hacked APIs are at the heart of many major data breaches. These attacks expose sensitive financial, medical, and personal data for public consumption, leaving organizations on the hook. Even worse, many organizations essentially run voluntarily at high risk, managing their APIs using the public cloud. This provides an ideal opportunity for attackers and points to the need for more consistent protection of API infrastructures.
With this in mind, API security focuses on addressing the possible consequences of direct interactions between the API and malicious hackers. It involves having a deep understanding of the unique security risks and vulnerabilities APIs present. Once understood, it also involves creating strategies for mitigating those risks and vulnerabilities, and generating solutions that address both prongs of the task.
Traditional Application Security Controls
API security controls are distributed across the delivery technology stack, which includes API management, API gateways, and web application firewalls (WAFs). While there are other components in the stack, these are the ones most commonly relied upon to enforce security policy and controls.
API Management and Gateways
API management and API gateways play a very important role in ensuring the delivery of APIs. Each plays a defined role, and the two are tightly linked: API management operates in the control plane (management and policy) and the API gateway in the data plane (a proxy with policy enforcement). The primary functions of API management and gateways are to publish APIs, ensure API availability, monitor usage, and enforce access controls. API management is usually delivered as a portal service where developers and API managers check in their APIs when they are ready for production. API management is then used to manage and monitor the operation of the API.
As the name suggests, an API gateway serves as an access control point in front of an API endpoint. The API gateway provides the core functionality that keeps the API available to its intended consumers. It is also the enforcement point for API management policies such as access controls and usage policies (e.g. rate limiting and quotas). Routing traffic through an API gateway is a best practice, especially for open APIs (those exposed to the internet); however, not all APIs sit behind a gateway, and those that do not get none of the controls and visibility that gateway and management functions provide.
Web Application Firewalls (WAFs)
Designed for web applications, WAFs have become part of the core stack for application and API protection. WAFs are proxy-based tools that inspect incoming HTTP(S) web and API requests for attacks or otherwise unwanted traffic. WAF capabilities vary, but the basic function is an application-layer filter for web and API traffic. This filter looks for malicious or unwanted content in incoming requests (headers and payloads) and is also used to ensure that only approved actions can be performed (by policy).
WAFs provide rudimentary protection for applications and APIs. They are fairly proficient at detecting known attacks (with signatures) and malicious scripts. Premium WAFs add anti-automation capabilities and broader coverage of the OWASP Top 10 for web applications. Like API gateways, a WAF can only apply policy to traffic that passes through it.
API Security Gaps
Unfortunately, traditional application security controls offer only partial protection for APIs. API gateways and WAFs are both important components of the API delivery stack, but neither is designed to provide the security controls and observability required to adequately protect APIs. Many organizations have a false sense of security, thinking that API gateways and WAFs alone will keep them protected. Here are examples of why that thinking is shortsighted:
Both API gateways and WAFs can only observe API traffic that is routed through them. Gartner predicts that 50% of enterprise APIs will be “unmanaged” by 2025, which means that observability will be limited at best. While some unmanaged APIs are deployed intentionally, others may be unknown “shadow” or “zombie” APIs that could be putting the organization at risk. Even if all APIs are routed through gateways and WAFs, most enterprise organizations will have only fragmented views of an API estate that spans multiple teams or business units.
Simply knowing the number of APIs within the organization is not very useful to security and IT teams. An accurate inventory needs to include contextual API data: the data types handled, authentication controls, configurations, traffic mappings, routing details, exposure to the internet, and all other relevant metadata. Neither API gateways nor WAFs can provide an aggregated and current inventory of the full API estate.
API Security Posture Analysis
Without full context-aware visibility into the API estate, the combination of API gateways and WAFs simply cannot provide detailed analysis of the API posture. Posture analysis helps IT teams efficiently identify and resolve misconfigurations that could result in security risk or compliance violations. Misconfigurations include, for example, inadequate authentication, unnecessary exposure (to the internet), and a lack of rate limiting or encryption, to name just a few.
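As an added example (not code from the original article), the following script scores a contextual inventory of the kind described in the previous section against the misconfigurations listed above: missing authentication, internet exposure without TLS or rate limiting, and APIs that are not routed through a gateway. The inventory schema, field names and the four sample APIs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ApiRecord:
    """One entry of a contextual API inventory. The schema is constructed
    for this example; real inventories are built from gateway configs,
    specs and observed traffic."""
    name: str
    internet_exposed: bool
    auth: str                 # "none", "api_key", "oauth2", ...
    tls: bool
    rate_limit_per_min: int   # 0 means no limit is configured
    data_types: tuple = ()    # e.g. ("pii", "payment")
    managed: bool = True      # False = not routed through a gateway

SENSITIVE = {"pii", "payment", "health"}

def assess(api):
    """Return (risk_score, findings) for one API; higher score = riskier."""
    sensitive = bool(SENSITIVE & set(api.data_types))
    rules = [  # (condition, finding, weight)
        (api.auth == "none", "no authentication", 5 if sensitive else 3),
        (api.auth == "api_key" and sensitive,
         "API key only in front of sensitive data", 2),
        (api.internet_exposed and not api.tls, "internet-exposed without TLS", 4),
        (api.internet_exposed and api.rate_limit_per_min == 0,
         "internet-exposed without rate limiting", 2),
        (not api.managed, "unmanaged: no gateway visibility", 2 if sensitive else 1),
    ]
    findings = [msg for hit, msg, _ in rules if hit]
    return sum(w for hit, _, w in rules if hit), findings

def rank(inventory):
    """Order the estate by risk so remediation starts with the worst API."""
    scored = [(*assess(api), api.name) for api in inventory]
    return sorted(scored, key=lambda t: (-t[0], t[2]))

# Constructed sample inventory; these are not real systems.
INVENTORY = [
    ApiRecord("orders", True, "oauth2", True, 600, ("pii", "payment")),
    ApiRecord("legacy-export", True, "none", False, 0, ("pii",), managed=False),
    ApiRecord("status", True, "none", True, 0),
    ApiRecord("internal-reports", False, "api_key", True, 0, ("health",)),
]

if __name__ == "__main__":
    for score, findings, name in rank(INVENTORY):
        print(f"{score:>2} {name}: {', '.join(findings) or 'no findings'}")
```

The weights are arbitrary; what matters is that the score combines exposure, authentication strength and data sensitivity, which is exactly the context a gateway or WAF alone does not hold.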
API Runtime Security Controls
The combination of gateways and WAFs provides basic API security controls: gateways can enforce rate limiting and authentication controls, and WAFs apply signature-based attack detection and enforce expected user session behavior. These controls are very much needed, but they are not enough to adequately protect the business from API-specific attacks and abuse. For example, broken object level authorization (BOLA) attacks look like “ordinary” API traffic to gateways and WAFs, so they pass through these controls undetected: each request is well-formed and authenticated, and only the relationship between the caller and the object it asks for reveals the abuse. Gateways and WAFs lack contextual awareness between API requests and responses. This gap leaves APIs vulnerable not only to BOLA exploits but also to other attacks and business logic abuse that cannot easily be identified using standard gateway and WAF controls.
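As an added example (not from the original article) of the request/response context that gateways and WAFs lack, the script below correlates each request with the owner of the object the application actually returned and flags principals that successfully read objects belonging to several other users. The log format, field names and sample lines are constructed for illustration; a real deployment would take the owner field from the application's own access log.

```python
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic. Each line pairs a request
# with what the application recorded about the response: the principal,
# the path, the HTTP status and the owner of the object that was returned.
SAMPLE_LOGS = """\
user=alice method=GET path=/api/v1/orders/1001 status=200 owner=alice
user=alice method=GET path=/api/v1/orders/1002 status=403 owner=bob
user=mallory method=GET path=/api/v1/orders/1001 status=200 owner=alice
user=mallory method=GET path=/api/v1/orders/1002 status=200 owner=bob
user=mallory method=GET path=/api/v1/orders/1003 status=200 owner=carol
user=mallory method=GET path=/api/v1/orders/1004 status=404 owner=-
user=bob method=GET path=/api/v1/orders/1002 status=200 owner=bob
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d+) owner=(?P<owner>\S+)$"
)
OBJECT_RE = re.compile(r"^/api/v1/(?P<resource>[a-z]+)/(?P<obj_id>\d+)$")

def parse_logs(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec

def find_bola_suspects(text, threshold=2):
    """Map each user to the (resource, id) objects owned by someone else that
    the user read successfully (2xx), keeping users at or above `threshold`.
    A 403 means authorization worked; a 404 returned no object at all."""
    foreign = defaultdict(set)
    for rec in parse_logs(text):
        obj = OBJECT_RE.match(rec["path"])
        if not obj or not 200 <= rec["status"] < 300:
            continue
        if rec["owner"] not in ("-", rec["user"]):
            foreign[rec["user"]].add((obj["resource"], obj["obj_id"]))
    return {u: objs for u, objs in foreign.items() if len(objs) >= threshold}

if __name__ == "__main__":
    for user, objs in find_bola_suspects(SAMPLE_LOGS).items():
        print(f"possible BOLA: {user} read {len(objs)} objects owned by others")
```

Every one of mallory's requests is individually valid and would pass a signature-based WAF; only the per-user tally of successful reads of other people's objects exposes the pattern.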
Addressing Security across the API Ecosystem
Securing APIs is complex and requires an approach that encompasses every stage of the API lifecycle: development, deployment configuration, and runtime operations. Three recommended strategies are:
- API security posture. Assess every API, including legacy and shadow APIs, with data classification. Determine which ones are critical to the business. Based on that inventory, identify misconfigurations and vulnerabilities in the source code, network configuration, and policy. Focus security interventions on the highest-risk areas.
- Detection and response. Deploy behavior-based models for runtime API threat detection. Implement automated and semi-automated blocking and remediation of threats.
- Continuous testing. Continuously test API endpoints to identify API risks before they emerge. Supplement DevOps DAST, SAST, SCA and other existing tools with API-specific testing that can be automated and incorporated into CI/CD pipelines.