API Security Checklist

Securing application programming interfaces (APIs) is a challenging workload. They literally contain instructions on how to access them and get the data sitting behind. This is a hacker’s dream. There’s no “security through obscurity.” In addition, APIs almost always bring together disparate groups in the organization. These groups may not be able to easily coordinate security, even if they wanted to. The number of APIs simply “out in the wild” further complicates security.

Some API security stakeholders believe that countermeasures like API gateways and web application firewalls (WAFs) will protect them. This is not entirely true. APIs present unique challenges that can be missed by traditional application security methods. With that said, a great deal of risk exposure remains even when these technologies are in use. So if you have an application security checklist you’ve been using, changes are it hasn’t been too effective.

For these reasons, we developed a more rigorous and methodical approach to securing APIs. We call it the API Security Checklist. More than just a collection of web API security best practices, the checklist is based on the API lifecycle, starting with planning and proceeding through development, testing, operation and protection. Essentially it’s a guide for creating a secure SDLC management process. At each stage, four recommended controls enable a robust API security posture. The control focus and lifecycle stages of this secure SDLC management process can be represented in the following chart:

Plan

API security begins well before anyone starts writing code. At the planning stage, it is essential to think through governance issues like roles, responsibilities, and policies. Planning is the best time to determine security metrics, too, along with lifecycle management processes.

API planning security checklist:

• Governance, roles, and responsibilities—Have you clearly defined roles and responsibilities for securing your API estate? This includes both execution-level responsibilities for developers and security engineers, as well as management oversight responsibilities that deal with risk decisions and policy oversight.
• Policies, standards, and specifications—Have you developed a library of policies, standards and API specifications which outline the minimum required expectations for your APIs’ secure design, development, testing and operations?
• Security metrics—Have you set up a defined series of API security risk metrics so you can measure and manage API-related risks? Your stakeholders can use these API risk metrics as a feedback loop for ongoing API security risk management continuous improvement.
• Lifecycle management—Is your organization managing APIs as software assets with defined ownership throughout their useful life cycle? It is a best practice to pay particular focus to initial deployment, ongoing change management, and asset decommissioning.

Develop

In development, the policies established in the planning stage come to life. Developers are responsible for creating secure APIs, working in partnership with other stakeholder groups.

API development security checklist:

• Training—Have you trained your API developers and other personnel with API management responsibilities (e.g., gateway, security operations) on aspects of API security relevant for their roles?
• Developer environment (e.g., IDE, Repos)—Is your API source code developed and managed in approved, managed source code repositories? Are developers utilizing managed or approved developer environments?
• Documentation—Are your APIs accurately documented and evaluated for compliance against specifications/standards? Is your API documentation updated when API schemas are changed? Is the documentation available for independent review and testing/verification?
• Defect tracking and resolution—Are security-related code defects or vulnerabilities prioritized and tracked for resolution?

Test

Once APIs are developed, they must undergo a thorough cycle of testing. Similar to an application security testing checklist, the following outlines security controls to implement in your API testing program.

API security testing checklist:

• Source code testing—Are you putting your API source code through static application security testing (SAST) and dynamic application security testing (DAST) before promoting them to production?
• Penetration testing—Are your API endpoints penetration tested prior to migration to production under conditions replicating production-environment API management, network, and policy variables, where possible?
• Compliance review—Are your APIs evaluated for compliance to standards and specifications prior to migration to production (e.g., GDPR, PCI compliance)? This process should include compliance with architectural/network placement and configuration (e.g., WAF protection, network placement).
• Change and release management—Do you deploy or change APIs in accordance with a well-defined software or IT change policy? Changes should ideally be accurately reflected in software asset inventory.

Operate

API security should remain in force as APIs go into production. Indeed, this is where APIs tend to get lost and wind up as points of vulnerability.

API operation security checklist:

• API Inventory—Are you maintaining an accurate, current inventory of all API endpoints, including API documentation?
• Inventory of sensitive data—Does your organization maintain an accurate, current inventory or mapping of the sensitive data handled by API endpoints? More importantly, do you know which users are accessing sensitive data? Access management is a critical component of both security and compliance.
• Identification of vulnerabilities—Are you identifying vulnerabilities and areas of API risk exposure in your production environment?
• Configuration management—Do you identify vulnerabilities and exposure of network, gateway, and firewall components that broker and protect API traffic?

Protect

API protections must remain in place throughout the API lifecycle. This workload covers log and traffic collection, threat detection, alerts and more.

API protection checklist:

• Log or traffic collection —Are you logging API activity and storing the data to support operational and security inspection?
• Threat detection and alerting—Are you analyzing API activity in order to detect anomalous activity? Your process should include associated alerting/flagging of anomalous or misuse events to applicable security and operational teams.
• Sensitive data movement—Are you monitoring the movement of sensitive data contained within API traffic? This process should include analyzing data streams to detect unauthorized or anomalous use, with alerting/flagging of sensitive data movement to applicable security and operations teams.
• Blocking and remediation—Are you blocking and remediating the unauthorized movement of sensitive data via API, or other suspected misuses of APIs?

These are suggested controls. It’s a lot to take in, and in reality not every organization will not be adequately covering all 20 of these as well as they might want to. However, the checklist is a valuable way to establish best practices and identity areas for improvement in API security. It provides a helpful baseline for a well-run API security operation.