Introducing the API Security Workshop Learn More  

API Security Best Practices

Property 1=API Security Best Practices


Application programming interfaces (APIs) have long presented an attack surface for malicious actors in cyberspace. Securing APIs has grown more challenging over time, however, as the number and variety of APIs has grown in tandem with the complexity of their configurations. In response, API security best practices continue to evolve, offering everyone from DevOps teams to architects, QA and security managers a way to ensure the best possible API security posture. In this article, we will explore the three core focus areas for API security best practices: API security testing, API discovery, and runtime. 

APIs present unique security risks

APIs are in broad use. Industry research reveals that 98% of enterprise leaders believe APIs are essential to their organization’s digital transformation. Almost two-thirds of organizations rely on APIs to improve their collaboration with partners. Sixty percent share APIs among internal development teams to speed up the delivery of products and services. 

The pervasive nature of APIs creates inherent security risk. An API, after all, is a direct path into software and data. In an earlier era, an enterprise could rely on “security through obscurity,” with access to data masked by opaque, proprietary interfaces. Today’s APIs directly expose digital assets to malicious actors through standardized, open protocols. Indeed, many organizations publish their APIs, which gives hackers the address of sensitive data and a map that shows how to access it.



The importance of mitigating API risks

How bad a problem is API vulnerability? The answer depends to some extent on the nature of an organization’s APIs and what they represent. In some cases, an API might connect to a relatively unimportant data source, so securing it may not feel like a high priority. However, any intrusion into an enterprise through an API has the potential to become a serious cyber incident. Once an attacker has penetrated the infrastructure via an unprotected API, he or she can move laterally across the network and breach more sensitive data.

Alternatively, the API might provide access directly to critical data. If API usage is not throttled, an attacker may be able to use an API’s “GET” function to “get” a great deal of information on an unauthorized basis. Or, an API attacker can inject malicious code into applications or simply disrupt operations by flooding the API with requests for service—an API-based denial of service (DoS) attack.

API security best practices 

Given the importance of securing APIs, it is essential to approach API security in an organized way. The application of API security best practices is further recommended. Such practices vary greatly across enterprises, but in general they relate to three main areas of focus: testing of APIs across the software development lifecycle (SDLC), API discovery, and runtime. 

Active testing of APIs throughout the SDLC

APIs figure prominently into the software development process. Developers use APIs to connect the applications they are building with services and data sources fronted by APIs. The risk here is that the developer will inadvertently add vulnerabilities to an application by not integrating API security and testing into the SDLC. Waiting until the application is in production is too late to start looking at whether the APIs it uses are secure. By then, the application is already exposed to risk, and the costs of remediation become prohibitive.

Instead, the best practice is to make API security policies and testing part of the DevOps workflow and continuous integration/continuous deployment (CI/CD) pipeline. For example, before coding a connection to an API, the developer should be aware of security policies affecting that API, e.g., does it request data encryption or use a TLS certificate? As apps change through DevOps and CI/CD, the developer should be able to test and validate an API’s security as new code gets released. 

Success in adopting this practice is partly a matter of tooling. Developers need the right tools to make API security and testing part of the SDLC. Otherwise, it would be impractical. There may also be organizational issues to resolve. For instance, developer and testing teams, as well as operations teams, must agree that API security is a priority in the SDLC. Only by working together will they make API security a natural part of the development lifecycle.

API discovery - ensuring APIs are known and accounted for

It is only possible to secure APIs if their existence is known to relevant stakeholders. It is quite common, however, for security managers and architects to find a previously unknown API in use in their environment. “Wow, I didn’t know that API was even there!” is a more frequent utterance than many people want to admit. 

It is a best practice, therefore, to discover and inventory APIs. Specialized API discovery tooling makes this a reality. That way, “rogue APIs in the wild,” as some security practitioners call them, can be identified and addressed. From there, it is wise to classify APIs that are in use. Differentiate between APIs used internally versus externally, and so forth.

Securing APIs at Runtime

APIs have to be kept secure at runtime. The best practices for realizing this goal include monitoring APIs in production and keeping track of known vulnerabilities. Monitoring involves tracking API use in real time and flagging anomalies that would suggest an attack is underway. This might require the use of artificial intelligence (AI) and machine learning (ML). 

API security tools can also track known API vulnerability and issue alerts to admins that certain APIs need to be patched or replaced. This falls into the broader work of threat detection and response. API security should be part of these processes. 


APIs are an integral part of the enterprise software ecosystem. They are the key ingredient in digital transformation. APIs can also be a source of cybersecurity risk. Their open nature makes them a frequent target of hackers who want to access the data and applications that sit behind them. API security best practices make it possible to mitigate a great proportion of API risk. To work, these practices need to focus on the complete API picture, starting with the SDLC and continuing through API inventory tracking and monitoring of APIs at runtime. An organization that pursues these best practices is well positioned to have a strong API security posture.