“Governance, testing, and monitoring—that’s where the core advice is when it comes to API security, thinking about those three elements.” –Founder of APISec University & Head of Growth at APISec, Dan Barahona.
As APIs become more ubiquitous, they are increasingly targeted by hackers, so getting your API security right is a necessity. This week on API Intersection, we thought, what better way to celebrate Security September than to bring on the API security expert himself, Dan Barahona?
As Founder of APIsec University and Head of Growth at APIsec, Dan Barahona comes to the table with over 20 years of experience in cybersecurity. He created APISec University to raise awareness and educate about API risks and security, and many of their courses are open to the public. In fact, I just did an entire course on API Documentation Best Practices and how it relates to security, which I highly recommend you all check out.
We discussed how organizations face various challenges in managing and securing APIs, such as API sprawl and a lack of visibility into the APIs they already expose. Here are a few quick wins to get you on the right track to proper API security. Most importantly, make your API security proactive and address security concerns early in the development process.
The Enablement Mindset
Before diving into the three central pillars of API security, let’s ensure we all have the right mindset and approach. And it starts with making sure your teams are A) talking to one another and B) feeling empowered to infuse security early on in the API design process.
“Security teams have to be talking to the product teams, right? And that has to be a collaboration. You’d think teams are doing this, but most aren’t to their full capacity yet,” shares Dan.
Dan stresses the importance of an enablement mindset, where security teams should work alongside developers to provide tools and processes that benefit both security and development. Please don’t leave your developers in the dark, but rather engage them in how to incorporate security early on into their API development. Essentially, the further left you can push security during the design phase, the better for everyone involved.
It’s not just your devs and security team that should be collaborating closely, though; it’s also your product managers. Ensure your product manager is aligned with the security team’s needs early on and that they can frequently communicate that with the development team.
Three Pillars of API Security
Once you have the approach right, you can dive into the three major pillars of API security. The main components to keep in mind are governance, testing, and monitoring.
Governance
Governance in API security begins with secure API development practices: defining standards and best practices for how APIs are designed, developed, and deployed. One of your best tools for standardizing and enforcing that governance is comprehensive documentation.
Trust me, having well-defined docs helps developers understand how APIs should be used, including authentication requirements, versioning, and more. And if you want to learn more about documentation’s role in governance and security, here’s another plug for that free best practices course on APISec University.
Another weapon in your governance arsenal is a security-style guide. Your API teams may already use style guides to automate the enforcement of data formats or endpoint naming conventions. Add a well-chosen set of enforceable security rules (for example, every operation must declare a security scheme, and API keys may never be passed in the query string) and the same linting tools will flag data-exposure and resource-abuse risks while the API is still a design document.
Your governance should also address authorization: access to each API should be limited to authorized entities, and authorization should be enforced consistently across every endpoint rather than decided case by case, which is crucial for security.
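To make the idea of an enforceable security-style guide concrete, here is an added example (not code from the episode, from Stoplight, or from APIsec) that encodes three such rules as a small linter over an OpenAPI 3 document. Spectral expresses rules like these declaratively in a ruleset; the plain-Python version below exists so the logic is visible. The rule names, the sample spec, and its security schemes are constructed for this post and are not a real service.

```python
"""Added example: a tiny security linter for an OpenAPI 3 document.

Spectral-style rulesets express checks like these declaratively; this
stand-alone script encodes three of them in plain Python so the logic is
visible. Rule names and the sample spec are hypothetical, constructed here.
"""
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed OpenAPI fragment with deliberate violations (not a real service).
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer"},
            # Violation: API key in the query string (lands in logs, referrers, history).
            "legacyKey": {"type": "apiKey", "in": "query", "name": "api_key"},
        }
    },
    # Spec-wide default: every operation needs a bearer token unless it overrides this.
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {
            "get": {"security": [{"bearerAuth": []}]},
            "delete": {},  # inherits the global requirement: fine
        },
        "/reports": {
            "get": {"security": [{"legacyKey": []}]},  # uses the query-string key
            "post": {"security": []},                  # Violation: explicitly anonymous
        },
        "/internal/debug": {
            "get": {"security": [{"adminToken": []}]},  # Violation: scheme never defined
        },
    },
}


def lint_security(spec: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (rule, location) findings for the three governance rules below."""
    findings: list[tuple[str, str]] = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_security = spec.get("security")

    # Rule 1: API keys must not travel in the query string.
    for name, scheme in schemes.items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(("no-apikey-in-query", f"components.securitySchemes.{name}"))

    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            location = f"{method.upper()} {path}"
            # Rule 2: every operation must require authentication. An operation
            # without its own "security" inherits the global one; an explicit
            # empty list means "no auth required" and is flagged.
            security = operation.get("security", global_security)
            if not security:
                findings.append(("operation-requires-auth", location))
                continue
            # Rule 3: every referenced scheme must exist in components.securitySchemes.
            for requirement in security:
                for scheme_name in requirement:
                    if scheme_name not in schemes:
                        findings.append(("undefined-security-scheme", f"{location} -> {scheme_name}"))
    return findings


if __name__ == "__main__":
    for rule, where in lint_security(SAMPLE_SPEC):
        print(f"{rule}: {where}")
```

Run against the sample spec, the linter reports the query-string API key, the anonymous `POST /reports`, and the undefined `adminToken` scheme; the `DELETE /users/{id}` operation passes because it inherits the global requirement. Wiring a check like this into the same CI step that enforces naming conventions is what turns a security-style guide from a document into a gate.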
Testing
It’s essential to realize that APIs are programmatic interfaces, and testing them differs significantly from testing regular user interfaces. Traditional point-and-click testing is inadequate for APIs because the number of possible permutations (callers, roles, resources, methods, parameter values) is far too large to cover by hand.
Instead, automated, programmatic testing is the way to go. We also touched on the importance of shifting testing to the left in the design process, so consider this another friendly reminder that waiting until APIs are in production to test for security issues is not the way to go about it. For more on testing tips, check out this blog we did previously that covered the topic.
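As an added illustration of what programmatic testing buys you (this is not code from the episode, from Stoplight, or from APIsec), the block below stands up a tiny in-process invoice API in two versions, one that only checks authentication and one that also checks ownership, and then drives every caller-by-resource permutation against each. Four callers times four invoice IDs is only sixteen cases here; on a real API the same matrix multiplies by method, role, and tenant, which is exactly why nobody can click through it. The users, tokens, invoices, and handler functions are hypothetical and constructed for this post.

```python
"""Added example: enumerate caller x resource permutations against a fake API.

Both handlers are hypothetical in-process stand-ins for an HTTP service so the
test runs offline. The vulnerable one authenticates but never checks ownership
(broken object-level authorization); the hardened one does.
"""
import itertools
import re

# Constructed users, tokens and invoices (not a real system).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob", "tok-admin": "admin"}
ROLES = {"alice": "user", "bob": "user", "admin": "admin"}
INVOICES = {
    1: {"owner": "alice", "amount": 120},
    2: {"owner": "bob", "amount": 80},
    3: {"owner": "alice", "amount": 15},
}
INVOICE_PATH = re.compile(r"/invoices/(\d+)")


def _authenticate(headers):
    """Map a 'Bearer <token>' header to a username, or None."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return TOKENS.get(auth[len("Bearer "):])
    return None


def vulnerable_handler(method, path, headers):
    """Returns (status, body). Any authenticated user can read any invoice."""
    user = _authenticate(headers)
    if user is None:
        return 401, None
    match = INVOICE_PATH.fullmatch(path)
    if method == "GET" and match:
        invoice = INVOICES.get(int(match.group(1)))
        return (200, invoice) if invoice else (404, None)  # ownership never checked
    return 404, None


def hardened_handler(method, path, headers):
    """Returns (status, body). Owner or admin only; forbidden looks like missing."""
    user = _authenticate(headers)
    if user is None:
        return 401, None
    match = INVOICE_PATH.fullmatch(path)
    if method == "GET" and match:
        invoice = INVOICES.get(int(match.group(1)))
        if invoice is None or (invoice["owner"] != user and ROLES[user] != "admin"):
            return 404, None  # same answer for absent and forbidden: no existence oracle
        return 200, invoice
    return 404, None


def expected_status(caller, invoice_id):
    """The policy the test asserts, written independently of either handler."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404
    if invoice["owner"] == caller or ROLES[caller] == "admin":
        return 200
    return 404


def run_authz_matrix(handler):
    """Try every (caller, invoice) pair, plus an anonymous caller and a bogus ID.

    Returns a list of (caller, invoice_id, expected, actual) for each mismatch.
    """
    failures = []
    callers = list(TOKENS.items()) + [(None, None)]   # (token, user); None = anonymous
    invoice_ids = list(INVOICES) + [999]              # 999 does not exist
    for (token, user), invoice_id in itertools.product(callers, invoice_ids):
        headers = {"Authorization": f"Bearer {token}"} if token else {}
        status, _body = handler("GET", f"/invoices/{invoice_id}", headers)
        want = 401 if user is None else expected_status(user, invoice_id)
        if status != want:
            failures.append((user, invoice_id, want, status))
    return failures


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, run_authz_matrix(handler))
```

The matrix reports three failures for the vulnerable handler (alice reading bob’s invoice, bob reading both of alice’s) and none for the hardened one. The expected-status function is written from the access policy, not copied from the implementation, which is what makes the test meaningful when the handler changes.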
Monitoring
Most importantly, when it comes to monitoring, continuous monitoring is vital. Organizations should not rely solely on periodic security testing but should monitor APIs continuously to detect and address security issues promptly. Monitoring is what lets you spot unauthorized access to sensitive data or functionality within your APIs while it is happening and shut it down, rather than discovering it in the next test cycle, so be sure not to miss this step!
You can also use gateways to perform monitoring tasks, such as enforcing IP allowlisting (whitelisting) and watching for high-volume activity from a single client. Gateways sit in front of your API endpoints, so they are often a natural place to enforce these controls at the edge. For more on gateways, here’s how to select a great one.
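Here is an added example (not code from the episode, from Stoplight, or from APIsec) of the kind of detection logic a gateway or a log pipeline would run continuously over access logs: an IP allowlist for an admin path, a per-client request budget in a sliding window, and a check for a client collecting many distinct 404s, which is what ID enumeration looks like from the outside. The log format, the allowlisted range, the thresholds, and the log lines themselves are assumptions constructed for this post.

```python
"""Added example: detection logic run over constructed gateway access-log lines.

Three checks a gateway or a SIEM rule could evaluate on every request:
  - requests to /admin/* from an IP outside the allowlist,
  - a client key exceeding a request budget inside a sliding window,
  - a client key collecting many distinct 404s in the window (ID enumeration).
The log format, thresholds and allowlist are assumptions for this post.
"""
import ipaddress
from collections import defaultdict, deque

# Assumed gateway format: "<epoch> <client-ip> <method> <path> <status> <api-key-id>".
# Constructed sample; the 403 on the admin path still deserves an alert because
# an unlisted address reached it at all.
LOG_LINES = """\
1700000000 203.0.113.10 GET /invoices/1 200 key-alice
1700000002 203.0.113.10 GET /invoices/3 200 key-alice
1700000005 198.51.100.7 GET /admin/users 200 key-admin
1700000006 203.0.113.44 GET /admin/users 403 key-mallory
1700000010 192.0.2.9 GET /invoices/100 404 key-bob
1700000010 192.0.2.9 GET /invoices/101 404 key-bob
1700000011 192.0.2.9 GET /invoices/102 404 key-bob
1700000011 192.0.2.9 GET /invoices/103 200 key-bob
1700000012 192.0.2.9 GET /invoices/104 404 key-bob
1700000012 192.0.2.9 GET /invoices/105 404 key-bob
1700000040 203.0.113.10 GET /invoices/1 200 key-alice
"""

ADMIN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]  # assumed office/VPN range
WINDOW_SECONDS = 10
MAX_REQUESTS_PER_WINDOW = 5
MAX_404_PER_WINDOW = 3


def parse_line(line):
    """Split one log line into a dict; raises on a malformed line."""
    ts, ip, method, path, status, key = line.split()
    return {"ts": int(ts), "ip": ipaddress.ip_address(ip), "method": method,
            "path": path, "status": int(status), "key": key}


def detect(lines):
    """Return alerts as (rule, api-key-id, client-ip, epoch) in the order raised."""
    alerts = []
    recent = defaultdict(deque)  # api-key-id -> deque of (ts, path, status) in window
    for line in lines:
        ev = parse_line(line)

        # Check 1: admin path from an address outside the allowlist.
        if ev["path"].startswith("/admin/") and not any(ev["ip"] in net for net in ADMIN_ALLOWLIST):
            alerts.append(("admin-path-from-unlisted-ip", ev["key"], str(ev["ip"]), ev["ts"]))

        # Maintain the sliding window for this client key.
        window = recent[ev["key"]]
        window.append((ev["ts"], ev["path"], ev["status"]))
        while window and ev["ts"] - window[0][0] > WINDOW_SECONDS:
            window.popleft()

        # Check 2: request budget, raised once when the threshold is crossed.
        if len(window) == MAX_REQUESTS_PER_WINDOW + 1:
            alerts.append(("high-volume", ev["key"], str(ev["ip"]), ev["ts"]))

        # Check 3: many distinct not-found resources from one key (enumeration).
        not_found = {path for _, path, status in window if status == 404}
        if ev["status"] == 404 and len(not_found) == MAX_404_PER_WINDOW + 1:
            alerts.append(("id-enumeration", ev["key"], str(ev["ip"]), ev["ts"]))
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return detect(LOG_LINES.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log this raises three alerts: the admin request from 203.0.113.44, then an enumeration alert for key-bob when its fourth distinct 404 lands, then a high-volume alert when its sixth request in ten seconds arrives. Raising each alert once at the crossing rather than on every subsequent request is deliberate; a gateway that emits an alert per request during a flood drowns the signal it is meant to surface.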
Bonus Tip: Automation Is Your Friend
Automation infused into your security testing and monitoring removes manual work and the mistakes that come with it. Tools that can help with automation include Spectral (our open-source API linter), SwaggerHub, and, of course, Stoplight for design-time security checks.
Overall, our discussion underscores the need for organizations to prioritize API security and implement comprehensive testing and governance measures to protect against evolving threats and vulnerabilities. And in the end, this is a great place to start to get security right.
For more resources, I definitely recommend checking out APISec University. We also welcomed Dan on our recent security panel webinar, in which he and other API security experts weighed in on best practices. Check out those takeaways as well if you want to brush up on API security. For more industry insights, check out the API Intersection podcast, and thanks for coming on the show, Dan!