API Security 101 – 6 Things You Need to Know

December 23, 2021

Matt Tesauro Distinguished Engineer


How do you secure your organization's APIs? This is a hot topic, and it will only become more important as the number of APIs and the volume of API traffic continue to grow. Noname Security recently hosted a webinar on API security; an on-demand replay is available.

Here are 6 key takeaways on API security.

1. APIs are an essential part of the modern IT world.

You are well aware that APIs are a powerful and widely adopted technology integration tool. You know that APIs enable different programs to talk to each other in an efficient, developer-friendly way, even if they weren’t written in the same programming language. In most modern applications, APIs communicate using REST, webhooks, gRPC, or GraphQL. 

Historically, organizations had to decide whether to build or buy new technologies. APIs offer a third option: integrating with a partner's applications through their APIs. As a result, APIs are everywhere in the modern IT world. They are used in cloud migrations, microservices, partner integrations, Kubernetes, DevSecOps, DevOps, and automation.

The volume of API traffic today is already large and will continue to grow. Akamai estimates that in 2019, APIs initiated 83% of global web traffic. Meanwhile, Google Apigee’s data shows that in 2020, API volume increased 49% compared to 2019. 

APIs have become the core for modern business.

2. To deliver APIs, API management and API gateways are needed.

Two critical elements needed to deliver APIs are:

  • API management. This includes versioning, publishing, and sharing a schema that describes the methods and data available from an API. 
  • API gateways. Most deployments have an API gateway that offers a single security control point to handle authentication, authorization, and traffic management.

API management and gateways


3. APIs present several (often unique) security challenges.

Some security issues related to APIs are similar to those associated with traditional application security, while others are completely different. Each challenge below is paired with the corresponding solution.

Challenge: Few businesses have a good handle on their API or application inventory.
Solution: Create an API or application inventory. The inventory helps teams identify high-priority security risks.

Challenge: Security suffers when each application security team member is responsible for many APIs or applications. API sprawl exacerbates this; a single product may be composed of hundreds or thousands of APIs.
Solution: Identify the ratio of staff to APIs or applications. Measuring this ratio helps an organization determine whether more people are needed. Alternatively, use automation to help existing staff go faster.

Challenge: Application security teams lack good preventive controls to identify problems.
Solution: Deploy the right tools to evaluate security across applications. A proactive approach using good tools is far preferable to being reactive.

Challenge: Many API communication patterns exist. An API may be called by a web app, a command line client, cURL, a continuous integration and continuous delivery (CI/CD) system, or another API.
Solution: Be prepared to handle diverse API communication patterns. Understand all of the communication patterns relevant to your APIs and how to protect each of them.

Challenge: Test tooling is only starting to mature. The Swagger and OpenAPI specifications have made tooling better, but it is still quite weak.
Solution: Deploy robust tooling as it becomes available. It is early days, particularly for dynamic API testing tools, but the tooling is maturing.
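The inventory and tooling points above can be made concrete with an OpenAPI document, which is often the only machine-readable description of an API that a team has. The following is an added example, not code from the post or from Noname Security: it walks a small, constructed OpenAPI 3 spec, produces one inventory row per operation with its effective security requirement, and flags two things a reviewer would want to see first, endpoints that end up with no authentication requirement but are not on an allowlist of intentionally public routes, and endpoints that address a specific object by path parameter, where authorization mistakes tend to hide. The sample spec, the allowlist and the rule thresholds are assumptions made for the example.

```python
"""Build an API inventory from an OpenAPI 3 document and flag operations that
need a security review. Added example; the sample spec is constructed."""
from __future__ import annotations

import re
from typing import Any

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
PATH_PARAM = re.compile(r"\{([^}]+)\}")

# Constructed sample spec for illustration only (not any real product's API).
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "Example Orders API", "version": "1.0"},
    # Global default: every operation requires a bearer token unless it overrides this.
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    "paths": {
        "/health": {"get": {"operationId": "health", "security": []}},
        "/orders": {
            "get": {"operationId": "listOrders"},
            "post": {"operationId": "createOrder"},
        },
        "/orders/{orderId}": {
            "get": {"operationId": "getOrder"},
            "delete": {"operationId": "deleteOrder"},
        },
        # Opting out of the global requirement is easy to do by accident.
        "/internal/export": {"get": {"operationId": "exportAll", "security": []}},
    },
}

# Operations that are intentionally public (an assumption for the example).
PUBLIC_ALLOWLIST = {("get", "/health")}


def inventory(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """One row per (method, path) operation, with the effective security requirement."""
    global_security = spec.get("security") or []
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # In OpenAPI 3 an operation-level "security" replaces the global one;
            # an explicit empty list means "no authentication required".
            security = op.get("security", global_security)
            rows.append({
                "method": method,
                "path": path,
                "operation_id": op.get("operationId", ""),
                "authenticated": bool(security),
                "path_params": PATH_PARAM.findall(path),
            })
    return rows


def review_findings(spec: dict[str, Any]) -> list[str]:
    """Findings a reviewer should look at first: unexpected unauthenticated operations,
    and operations that address a specific object (where authorization bugs usually hide)."""
    findings = []
    for row in inventory(spec):
        label = f"{row['method'].upper()} {row['path']}"
        if not row["authenticated"] and (row["method"], row["path"]) not in PUBLIC_ALLOWLIST:
            findings.append(f"{label}: no authentication requirement and not on the public allowlist")
        if row["path_params"]:
            findings.append(f"{label}: verify object-level authorization for {', '.join(row['path_params'])}")
    return findings


if __name__ == "__main__":
    for row in inventory(SAMPLE_SPEC):
        print(row)
    for finding in review_findings(SAMPLE_SPEC):
        print("REVIEW:", finding)
```

Run against a real spec, the inventory is the list the ratio-of-staff-to-APIs measurement needs, and the findings are the seed for the proactive testing the text calls for; the allowlist is what keeps the "public by design" endpoints from drowning out the accidental ones.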

 

4. Traditional application security controls offer only partial protection for APIs.

API gateways provide some visibility into security issues, since they serve as a central choke point for protection and policy enforcement. But not every call passes through the gateway, so organizations are blind to direct API-to-API traffic and to microservice-to-microservice calls that bypass it. 

Logging and monitoring are usually not effective enough on their own: organizations typically discover authentication attacks against their APIs only after a breach. In addition, API testing differs from traditional application testing. 

5. API security requires common controls, in conjunction with dynamic and static testing.

To protect APIs, teams must implement several common controls. These include:

  • Encryption of network traffic
  • Authentication to identify who is calling the API
  • Authorization to determine if the caller’s request should be permitted
  • Rate limiting as a blunt filter for abuse
  • Audit logging to capture a picture of normal operations 

Dynamic and static testing are also essential, since the earlier that security vulnerabilities and misconfigurations are caught in the development cycle, the less expensive they are to fix. 
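To show how the five controls fit together in a single request path, here is an added example, not code from the post or from Noname Security, of a small in-memory handler that applies them in order: it refuses plaintext requests, rate limits per client address before doing any other work, authenticates an opaque bearer token, makes an object-level authorization decision (the caller may only read orders it owns, and "not yours" is indistinguishable from "does not exist"), and writes an audit record for every decision, successful ones included, so the log actually shows normal operation. The tokens, the order data, the tiny rate limit and the `tls` flag on the request (which a real deployment's TLS terminator or gateway would set) are all assumptions made for the example.

```python
"""A request handler that applies the five common controls in order:
encryption in transit, rate limiting, authentication, authorization, audit logging.
Added example with constructed tokens and orders; not a real framework or product code."""
from __future__ import annotations

import time
from dataclasses import dataclass

# Constructed sample data: opaque bearer tokens -> user id, and order id -> record.
TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
ORDERS = {
    "1001": {"owner": "alice", "total": 42.0},
    "1002": {"owner": "bob", "total": 17.5},
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]
    client_ip: str
    tls: bool = True  # assumption: set by the TLS terminator / gateway in a real deployment


class TokenBucket:
    """Per-client token bucket: `capacity` burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate = capacity, rate
        self.buckets: dict[str, tuple[float, float]] = {}  # client -> (tokens, last_seen)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self.buckets.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1.0, now)
        return True


class OrdersApi:
    def __init__(self):
        # Deliberately tiny limit so the example trips it; tune per endpoint in practice.
        self.limiter = TokenBucket(capacity=3, rate=1.0)
        self.audit_log: list[dict] = []

    def _audit(self, req: Request, user: str | None, status: int, reason: str, now: float) -> None:
        # Every decision is recorded with who, what, from where and why, so the
        # log shows normal operation and not only failures.
        self.audit_log.append({"ts": now, "ip": req.client_ip, "user": user,
                               "method": req.method, "path": req.path,
                               "status": status, "reason": reason})

    def handle(self, req: Request, now: float | None = None) -> tuple[int, dict]:
        now = time.time() if now is None else now
        # 1. Encryption of network traffic: refuse plaintext instead of serving it.
        if not req.tls:
            self._audit(req, None, 426, "plaintext request", now)
            return 426, {"error": "TLS required"}
        # 2. Rate limiting, keyed by client IP, before any other (pre-auth) work.
        if not self.limiter.allow(req.client_ip, now):
            self._audit(req, None, 429, "rate limited", now)
            return 429, {"error": "too many requests"}
        # 3. Authentication: who is calling?
        auth = req.headers.get("Authorization", "")
        user = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if user is None:
            self._audit(req, None, 401, "missing or invalid token", now)
            return 401, {"error": "unauthenticated"}
        # 4. Authorization: may this caller act on this particular object?
        parts = req.path.strip("/").split("/")
        if req.method == "GET" and len(parts) == 2 and parts[0] == "orders":
            order = ORDERS.get(parts[1])
            if order is None or order["owner"] != user:
                # Same answer for "no such order" and "not your order", so a caller
                # cannot tell valid IDs from invalid ones.
                self._audit(req, user, 404, "order missing or not owned by caller", now)
                return 404, {"error": "not found"}
            self._audit(req, user, 200, "ok", now)
            return 200, {"id": parts[1], **order}
        self._audit(req, user, 404, "unknown route", now)
        return 404, {"error": "not found"}
```

The order matters: rate limiting sits before authentication so that a flood of bad tokens cannot exhaust the token lookup, and the authorization check is on the object, not just the route, which is the check a gateway typically cannot make for you.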

6. Organizations must address security across the API ecosystem, from code to production.

Three recommended strategies for API security are: 

  • API security posture. Assess every API, including legacy and shadow APIs, with data classification. Determine which ones are critical to the business. Based on that inventory, identify misconfigurations and vulnerabilities in the source code, network configuration, and policy. Focus security interventions on the highest-risk areas. 
  • Detection and response. Deploy behavioral-based models for runtime API threat detection. Implement automated and semi-automated blocking and remediation of threats. 
  • Continuous testing. Continuously test API endpoints to identify API risks before they reach production. Automate dynamic tests and run them as part of CI/CD pipelines. 
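The detection and response strategy above is easiest to picture as rules run over the audit log that the common controls produce. The following is an added example, not code from the post or from Noname Security: two behavioral rules run over a constructed JSON-lines access log, one that flags a client address with a burst of failed authentications inside a sliding time window (the credential-stuffing pattern), and one that flags a principal that touches many distinct object IDs with mostly failing requests (the ID-enumeration pattern that a per-request authorization check blocks but does not, by itself, surface). The log lines, the `/orders/{id}` path shape and the thresholds are all assumptions made for the example; in practice thresholds are tuned from a baseline of normal traffic.

```python
"""Two runtime-detection rules run over constructed API access-log lines:
a burst of failed authentications from one address (credential stuffing) and one
principal walking many distinct object IDs with mostly failing requests (enumeration).
Added example; the log, the path pattern and the thresholds are all assumptions."""
from __future__ import annotations

import json
import re
from collections import defaultdict

OBJECT_PATH = re.compile(r"^/orders/([^/]+)$")  # assumed shape of object endpoints


def _ev(ts: int, ip: str, user: str | None, method: str, path: str, status: int) -> str:
    return json.dumps({"ts": ts, "ip": ip, "user": user, "method": method,
                       "path": path, "status": status})


# Constructed JSON-lines log, in the shape a gateway or service audit log might emit.
SAMPLE_LOG = "\n".join(
    # six failed logins in 25 seconds from one address, then a success
    [_ev(1700000000 + 5 * i, "203.0.113.7", None, "POST", "/login", 401) for i in range(6)]
    + [_ev(1700000030, "203.0.113.7", "carol", "POST", "/login", 200)]
    # a user who mistypes a password twice: below threshold
    + [_ev(1700000100, "203.0.113.8", None, "POST", "/login", 401),
       _ev(1700000110, "203.0.113.8", None, "POST", "/login", 401),
       _ev(1700000120, "203.0.113.8", "dave", "POST", "/login", 200)]
    # an authenticated caller walking order IDs it does not own
    + [_ev(1700000200 + i, "198.51.100.9", "alice", "GET", f"/orders/{1001 + i}",
           200 if i == 0 else 404) for i in range(6)]
    # normal usage: bob rereads his own two orders
    + [_ev(1700000300 + i, "192.0.2.44", "bob", "GET", f"/orders/{2001 + i % 2}", 200)
       for i in range(4)]
)


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events: list[dict], window: int = 60,
                               threshold: int = 5) -> list[dict]:
    """Alert on any client IP with at least `threshold` 401s inside a `window`-second span."""
    failures: dict[str, list[int]] = defaultdict(list)
    for e in events:
        if e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "credential_stuffing", "ip": ip,
                               "failures": end - start + 1, "window_s": window})
                break
    return alerts


def detect_object_enumeration(events: list[dict], min_ids: int = 5,
                              min_fail_ratio: float = 0.5) -> list[dict]:
    """Alert when one principal (user, or IP if unauthenticated) touches at least
    `min_ids` distinct object IDs and at least `min_fail_ratio` of those requests fail."""
    stats: dict[str, dict] = defaultdict(lambda: {"ids": set(), "fails": 0, "total": 0})
    for e in events:
        m = OBJECT_PATH.match(e["path"])
        if not m:
            continue
        s = stats[e["user"] or e["ip"]]
        s["ids"].add(m.group(1))
        s["total"] += 1
        if e["status"] in (403, 404):
            s["fails"] += 1
    alerts = []
    for principal, s in stats.items():
        ratio = s["fails"] / s["total"]
        if len(s["ids"]) >= min_ids and ratio >= min_fail_ratio:
            alerts.append({"rule": "object_enumeration", "principal": principal,
                           "distinct_ids": len(s["ids"]), "fail_ratio": round(ratio, 2)})
    return alerts


def run_detections(log_text: str) -> list[dict]:
    events = parse_log(log_text)
    return detect_credential_stuffing(events) + detect_object_enumeration(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Both rules depend on the audit log recording successes as well as failures and carrying the authenticated principal; without that baseline the enumeration rule has no ratio to compute, which is the practical reason the text lists audit logging alongside the other controls.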

Understanding the unique challenges associated with API security and having strategies and tools for addressing API security, including automation and continuous testing, can go a long way toward securing APIs.

Download the API Security 101 Whitepaper to learn more.
