APIs have emerged as an essential technology for enterprises to accelerate their digital modernization initiatives. However, APIs can be a double-edged sword: they make software development more efficient while simultaneously widening the potential for security vulnerabilities.
APIs often expose sensitive data, even if they are not intended for external consumption or are not externally documented. The ease of use often built into externally facing APIs, aided by API documentation, can be a highly inviting attack surface.
The security world is rapidly evolving on how to protect APIs, and new strategies are needed to fend off attackers.
On our latest episode of API Intersection, we talked in-depth with Isabelle Mauny, CTO/founder of 42Crunch, about API security strengths, weaknesses, and what you can do to improve your API security system. Here are Isabelle’s 5 best practices for strengthening API security.
1. Maximize Automated Tools
“Let’s say you have 100 APIs, and every day you have at least one change to make in every single API. So, for me, there’s only one salvation, which is to automate as much as possible,” Isabelle Mauny said.
Today APIs are ubiquitous, with the average enterprise maintaining a catalog of hundreds or thousands of APIs. Adopting APIs at this scale, aided by more modern approaches like RESTful APIs, comes with its own set of management and security challenges.
Employing automated tools can help you manage APIs at scale, instead of trying to do things manually. You can use automated tools at every level of the API building process—testing, development, deployment, and, importantly, security. Isabelle says the larger an organization, the more important automation becomes.
You can also use software composition analysis (SCA) tools to automatically check the third-party components in your code for known security vulnerabilities. If you’re importing open-source libraries or relying on third-party software components to build your APIs, such tools can help you identify issues quickly and easily.
Trying to manually look for security weaknesses in your APIs is taxing and may not reveal all of them.
2. Shift-Left Strategy
Isabelle says that the shift left strategy involves “starting worrying about security as early as possible in the life cycle.”
This can reduce the costs of rectifying mistakes later in the development life cycle and create a robust security culture in your organization.
By adopting a DevSecOps (DevOps + Security) approach, where you aim to fix issues early in the development process, particularly from the design stage, you can significantly increase your organization’s security posture.
Enforcing API security should not be an afterthought. By embracing conventional API description standards like the OpenAPI Specification, you can get everyone in your organization to speak the same language. This harmonization makes implementing shift-left techniques much easier.
3. Practice API Governance
“You cannot secure what you don’t know about,” Isabelle said.
Governance is critical in ensuring the security of APIs. It assists you in overseeing what’s happening with your APIs.
Building an API governance program helps you gain visibility into your APIs. Reviewing proposed API designs for adherence to security standards avoids discovering problems just before deploying to production. Areas like authentication patterns (OAuth and JWT are common examples) and use of HTTPS can be checked automatically at design time.
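The design-time checks just described can be automated against the API description itself. The following is an added example, not code from 42Crunch or the podcast: a small linter over a constructed OpenAPI 3 document that flags non-HTTPS server URLs, a missing security scheme, and operations that resolve to no security requirement (with an assumed allowlist for deliberately public operations such as a health check). The sample document, rule names and allowlist are assumptions made for the example.

```python
"""Design-time governance checks over an OpenAPI description.

Added example (not 42Crunch's or the podcast's code). The document below is a
constructed sample with deliberate design flaws, not a real API.
"""

# Constructed sample OpenAPI 3 document.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders (constructed sample)", "version": "1.0"},
    "servers": [{"url": "http://api.example.test"}],            # flaw: plain HTTP
    "components": {
        "securitySchemes": {
            "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
                "tokenUrl": "https://auth.example.test/token", "scopes": {}}}}
        }
    },
    "security": [{"oauth": []}],                                # global default
    "paths": {
        "/orders": {
            "get": {"responses": {"200": {"description": "ok"}}},   # inherits global
            # flaw: per-operation override switches authentication off
            "post": {"security": [], "responses": {"201": {"description": "created"}}},
        },
        "/health": {
            "get": {"security": [], "responses": {"200": {"description": "ok"}}},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Assumed allowlist: operations that are intentionally unauthenticated.
ALLOWLISTED_UNAUTH = {("/health", "get")}


def lint_openapi(spec, allow_unauth=ALLOWLISTED_UNAUTH):
    """Return a list of (rule, location, message) findings for one OpenAPI document."""
    findings = []

    # Rule 1: transport. Every server entry must use HTTPS.
    for i, server in enumerate(spec.get("servers", [])):
        url = server.get("url", "")
        if not url.lower().startswith("https://"):
            findings.append(("https-servers", f"servers[{i}]",
                             f"non-HTTPS server URL {url!r}"))

    # Rule 2: at least one security scheme must be declared.
    schemes = spec.get("components", {}).get("securitySchemes", {})
    if not schemes:
        findings.append(("security-scheme-declared", "components.securitySchemes",
                         "no security scheme declared"))

    # Rule 3: each operation must resolve to a non-empty security requirement.
    # An operation-level "security" key overrides the document-level default,
    # and an empty list explicitly disables authentication.
    global_sec = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            effective = op.get("security", global_sec)
            where = f"{method.upper()} {path}"
            if not effective and (path, method) not in allow_unauth:
                findings.append(("operation-security", where,
                                 "operation has no security requirement"))
            # Every referenced scheme must actually be declared.
            for requirement in effective or []:
                for name in requirement:
                    if name not in schemes:
                        findings.append(("unknown-scheme", where,
                                         f"references undeclared scheme {name!r}"))
    return findings


if __name__ == "__main__":
    for rule, where, msg in lint_openapi(SAMPLE_SPEC):
        print(f"{rule:24} {where:16} {msg}")
```

Run in a CI job against every pull request that touches an API description, a check like this turns the "use HTTPS, require auth" rules into a gate that fails before anything reaches production.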
Additionally, operational analysis and monitoring can play an important role. By scrutinizing the activities and usage patterns of your APIs, you can discover security anomalies, such as an abnormal number of requests, obsolete endpoints that were never formally deprecated, or unusually high error rates.
With sufficient visibility into your APIs, you can detect threats early enough and prevent them from bringing your services to their knees.
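The three anomalies listed above can all be computed from ordinary access logs. The following is an added example, not code from the podcast or 42Crunch: it parses a handful of constructed log lines and raises an alert for a client whose request volume exceeds a threshold, for traffic still arriving at endpoints under a retired path prefix, and for an endpoint whose error ratio is too high. The log format, the "/v1/" prefix being deprecated, and the thresholds are all assumptions made for the example.

```python
"""Operational monitoring over API access logs (added example, not the
podcast's or 42Crunch's code). Log lines below are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed format: "<timestamp> <client> <method> <path> <status>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z c-1 GET /v2/orders 200
2024-01-01T10:00:02Z c-1 GET /v2/orders 200
2024-01-01T10:00:03Z c-1 POST /v2/orders 500
2024-01-01T10:00:04Z c-1 POST /v2/orders 500
2024-01-01T10:00:05Z c-3 GET /v1/orders 200
2024-01-01T10:00:06Z c-3 GET /v1/orders 200
2024-01-01T10:00:07Z c-2 GET /v2/orders 200
2024-01-01T10:00:08Z c-2 GET /v2/orders 200
2024-01-01T10:00:09Z c-2 GET /v2/orders 200
2024-01-01T10:00:10Z c-2 GET /v2/orders 200
2024-01-01T10:00:11Z c-2 GET /v2/orders 200
2024-01-01T10:00:12Z c-2 GET /v2/orders 200
2024-01-01T10:00:13Z c-2 GET /v2/orders 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3})$")
DEPRECATED_PREFIXES = ("/v1/",)   # assumption: v1 was retired but is still routed


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, path, status = m.groups()
            events.append({"ts": ts, "client": client, "method": method,
                           "path": path, "status": int(status)})
    return events


def analyze(events, max_requests_per_client=5, max_error_ratio=0.5, min_samples=2):
    """Return a list of (kind, subject, detail) alerts over a batch of events."""
    alerts = []

    # Anomaly 1: abnormal request volume from a single client.
    per_client = Counter(e["client"] for e in events)
    for client, n in per_client.items():
        if n > max_requests_per_client:
            alerts.append(("request-volume", client, f"{n} requests"))

    # Anomaly 2: traffic to endpoints that should no longer be in use.
    deprecated_hits = Counter((e["client"], e["path"]) for e in events
                              if e["path"].startswith(DEPRECATED_PREFIXES))
    for (client, path), n in deprecated_hits.items():
        alerts.append(("deprecated-endpoint", client, f"{n} requests to {path}"))

    # Anomaly 3: excessive error ratio per operation (method + path).
    stats = defaultdict(lambda: [0, 0])   # operation -> [errors, total]
    for e in events:
        op = f"{e['method']} {e['path']}"
        stats[op][1] += 1
        if e["status"] >= 400:
            stats[op][0] += 1
    for op, (errors, total) in stats.items():
        if total >= min_samples and errors / total > max_error_ratio:
            alerts.append(("error-rate", op, f"{errors}/{total} errors"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in analyze(parse(SAMPLE_LOG)):
        print(f"{kind:20} {subject:18} {detail}")
```

In practice the thresholds would be derived from a baseline per endpoint rather than fixed numbers, and the batch would be a sliding time window; the structure of the checks stays the same.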
4. Cultivate Teamwork
“We’re not going to do any good security if we don’t have those two groups to really collaborate,” Isabelle shared, emphasizing that teamwork is vital for good API security.
There is often a battle between the security team and the development team in most organizations. On the one hand, the security team is often under pressure to seal loopholes and deliver secure applications. On the other hand, the development team is often compelled to build quality and feature-rich applications, usually within tight deadlines.
Without proper planning, these two demands can create conflict and push the teams in different directions.
For your API security endeavors to be successful, you should empower the development team and the security team to work together for the mutual good of the organization and desist from finger-pointing.
5. Don’t Neglect the Basics
It’s essential not to forget the API security basics—such as adding access control, avoiding sequential identifiers, keeping sensitive information out of URLs, enforcing rate limiting, and monitoring logs.
You should also pay attention to the OWASP API Security Top 10, which identifies the security risks and vulnerabilities specific to APIs. It tackles issues like authentication, authorization, and data access.
Isabelle emphasizes that it’s important to test both the happy paths and the bad paths of your API. Limiting yourself to the happy paths may hide weaknesses in your API design, which attackers can discover by sending it unexpected or malformed input.
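The basics listed under point 5 and the happy-path/bad-path testing Isabelle describes fit together in one small service. The following is an added example, not code from the article, the podcast or 42Crunch: an in-memory document API that issues non-sequential identifiers, enforces object-level access control, rejects sensitive data in the query string, rate-limits per caller and records an audit trail, followed by a function that exercises one happy path and four bad paths against it. The resource type, the query-key denylist, the rate-limit window and the URL layout are assumptions made for the example.

```python
"""API security basics in a small in-memory service, with happy- and bad-path
checks (added example; not the article's, the podcast's or 42Crunch's code)."""
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Assumed denylist of parameter names that must never appear in a URL.
SENSITIVE_QUERY_KEYS = {"password", "token", "api_key", "ssn", "secret"}


class RateLimiter:
    """Fixed-window counter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self._hits = {}   # client -> (window_start, count)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window:        # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self._hits[client] = (start, count)
        return count <= self.limit


class DocumentService:
    def __init__(self, limit=3, window_seconds=60):
        self._docs = {}                      # opaque id -> {"owner": ..., "body": ...}
        self._limiter = RateLimiter(limit, window_seconds)
        self.audit = []                      # (event, caller, detail): the log-monitoring basic

    def create(self, owner, body):
        # Non-sequential identifier: a random 128-bit token rather than a counter,
        # so one id reveals nothing about how many others exist or what they are.
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = {"owner": owner, "body": body}
        self.audit.append(("create", owner, doc_id))
        return doc_id

    def handle_get(self, caller, url, now=None):
        """Return (status, payload) for GET <url> issued by an authenticated `caller`."""
        if not self._limiter.allow(caller, now):
            self.audit.append(("rate-limited", caller, url))
            return 429, {"error": "too many requests"}
        parts = urlsplit(url)
        # Sensitive data must not travel in the URL, where it lands in logs and referrers.
        bad = SENSITIVE_QUERY_KEYS & set(parse_qs(parts.query))
        if bad:
            self.audit.append(("sensitive-in-url", caller, sorted(bad)))
            return 400, {"error": f"disallowed query parameters: {sorted(bad)}"}
        segments = parts.path.strip("/").split("/")
        if len(segments) != 2 or segments[0] != "documents":
            return 404, {"error": "not found"}
        doc = self._docs.get(segments[1])
        # Object-level access control: the caller must own the document. Unknown and
        # foreign ids get the same answer, so the id space cannot be probed.
        if doc is None or doc["owner"] != caller:
            self.audit.append(("denied", caller, segments[1]))
            return 404, {"error": "not found"}
        return 200, {"id": segments[1], "body": doc["body"]}


def run_happy_and_bad_paths():
    """Exercise one happy path and several bad paths; return the status per case."""
    svc = DocumentService(limit=3, window_seconds=60)
    alice_doc = svc.create("alice", "quarterly numbers")
    results = {}
    results["happy"] = svc.handle_get("alice", f"/documents/{alice_doc}", now=0.0)[0]
    results["foreign-id"] = svc.handle_get("bob", f"/documents/{alice_doc}", now=0.0)[0]
    results["secret-in-url"] = svc.handle_get("alice", f"/documents/{alice_doc}?token=abc", now=0.0)[0]
    results["malformed-path"] = svc.handle_get("alice", "/documents/../etc", now=0.0)[0]
    # Alice's fourth request inside the same 60-second window exceeds the limit of 3.
    results["rate-limited"] = svc.handle_get("alice", f"/documents/{alice_doc}", now=1.0)[0]
    # After the window has elapsed the same request succeeds again.
    results["after-window"] = svc.handle_get("alice", f"/documents/{alice_doc}", now=61.0)[0]
    return results


if __name__ == "__main__":
    for case, status in run_happy_and_bad_paths().items():
        print(f"{case:16} -> {status}")
```

The bad-path cases are the ones a happy-path-only suite never exercises: a valid id presented by the wrong caller, a secret smuggled into the query string, a path that does not match the route shape, and a caller exceeding the rate limit. Each is expected to be refused, and each refusal leaves an audit entry that the monitoring from point 3 can pick up.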
Overall, Mitigate Security Risks to Scale API Effectiveness
With the right policies and practices, it’s possible to mitigate API security risks and make the most of this powerful integration technology.
Developing APIs with security in mind, from design to production, is critical for ensuring the exposed assets, which are at the heart of the business itself, are protected from malicious exfiltration.
We hope that the above best practices will help you in building secure and performant APIs.
Subscribe to our podcast for more insights and tips on how to scale your API strategy, or if you have a suggestion for something you’d like to learn more about on an upcoming blog or podcast, submit it here.