There’s no denying that with the proliferation and mass production of APIs, related security breaches are also on the rise. The need for a solid API security strategy is more pressing than ever.
Our recent webinar panel on Security Best Practices featured experts from around the globe weighing in on how to best level up your API Security measures. Experts agreed that a different approach to API security is needed to keep up with the pace of API development.
Stoplight CTO and host Jason Harmon led a discussion with APISec’s Dan Barahona, 42 Crunch’s Isabelle Mauny, and Curity’s Travis Spencer to better understand where developers can and should invest in security best practices.
1. Shift Left:
Start integrating security practices early in the software development life cycle. The panelists discussed avoiding the temptation to leave security as an afterthought. Involve security teams in the development process from the beginning. Without a design in place and a process for assessing adherence to it, endpoints can more easily be exploited by attackers.
“All of these shift-left things we’re talking about; it matters. Security must start earlier in the process. That’s an essential,” says Travis Spencer, CEO of Curity and webinar panelist.
As a design-first API leader, we at Stoplight always keep security at the forefront, and it was also top of mind for our security panelists. Using a Design-First approach and implementing a security mindset at the design stage can help fortify your APIs. Educate your developers about API security best practices and engage them in the process of preventing vulnerabilities before they can be exploited.
The experts highlighted two other key aspects of shifting left on security:
First, utilize design-time tools to define the API contract and validate it against security requirements. This ensures that security is built into the API design from the start. Second, threat modeling is essential for understanding the risks and implications of API development, and it should be integrated into the API design process as well. Check out our other recent webinar for more on security trends and shifting left.
2. Implement More Comprehensive API Security Testing and Verification:
Testing matters; consider automated testing tools or API-specific testing technologies to identify vulnerabilities and security issues early on. One key theme our experts touched on was the importance of not trusting any data that comes through APIs and treating all APIs as potentially problematic. They stressed the significance of verifying and validating every caller, whether it’s a human or a machine, using tokens and trusted keys.
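As an added illustration of the design-time contract validation described under “Shift Left” and of the “trust nothing, authenticate every caller” theme above (example code written for this post, not a Stoplight or panelist tool), the following lints an OpenAPI 3 document for a few security requirements: every operation must declare an authentication requirement, API keys must not travel in the query string, and every parameter must carry a schema constraint. The sample contract is constructed for the example.

```python
"""Design-time lint of an OpenAPI 3 document against basic security requirements."""

# Constructed sample contract for this example (not a real API).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "bearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        "legacyKey": {"type": "apiKey", "in": "query", "name": "api_key"},
    }},
    "security": [{"bearer": []}],  # document-wide default requirement
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True,
                                    "schema": {"type": "string", "pattern": "^[0-9]+$"}}]},
            "delete": {"security": [{"legacyKey": []}],
                       "parameters": [{"name": "id", "in": "path", "required": True}]},
        },
        "/health": {"get": {"security": []}},  # explicitly unauthenticated
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def lint(spec):
    """Return a list of human-readable findings; an empty list means the contract passed."""
    findings = []
    # 1. Weak security scheme definitions.
    for name, scheme in spec.get("components", {}).get("securitySchemes", {}).items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(f"scheme {name}: API key in query string (ends up in logs and referrers)")
        if scheme.get("type") == "http" and scheme.get("scheme") == "basic":
            findings.append(f"scheme {name}: HTTP basic auth; prefer bearer tokens")
    # 2. Per-operation checks; an operation without its own 'security' inherits the default.
    default = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"{method.upper()} {path}"
            if not op.get("security", default):  # missing, None or [] all mean "no auth"
                findings.append(f"{loc}: no authentication requirement")
            for param in op.get("parameters", []):
                if "schema" not in param:  # untrusted input with no declared constraint
                    findings.append(f"{loc}: parameter '{param['name']}' has no schema constraint")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SPEC):
        print(finding)
```

Run against the sample contract it reports the query-string API key, the unconstrained `id` parameter on the DELETE operation and the unauthenticated health endpoint; a check like this can gate the design review or run in CI on every contract change.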
“There are like a million ways that your system can be attacked, and you need to make sure that you cover all of them. Security is everyone’s problem, you know, it’s not just the responsibility of the security guy at the end of the workflow,” shares Isabelle Mauny, CTO/Co-Founder of 42 Crunch and webinar panelist.
It’s also worth noting that public APIs, especially, can pose a threat because – by definition – they are exposed on the internet. Realize that if your API is reachable from the internet, it should be considered public, and security measures must be taken accordingly.
3. Think of Security as a Continuous Process:
Incorporate security as a continuous part of the development process. Regularly review and validate APIs for security vulnerabilities and ensure that security testing is done on every release. Note that broken authentication and broken authorization are the most common issues leading to API breaches, so focusing on these aspects is especially critical for API security.
4. Promote a Cultural Change in How Your Dev Team Thinks About Security:
Adopting a culture of security is crucial for successful API development, and it requires a shift in mindset and organization-wide buy-in. Encourage your developers and your API team to think of security not as a hindrance but as a collaborative effort to make developers’ lives better. Encourage collaboration between security teams and development groups to foster better security practices and keep your security folks in the loop.
Remember, security is something you do, not something you are. Definitely embrace the value of shifting your mindset to think of security as a product feature, but also understand that just a mindset isn’t enough.
Our panelists emphasized the need for collaboration between security teams and application developers because understanding the APIs and involving developers in security initiatives is crucial for identifying and fixing vulnerabilities, logic flaws, and authorization issues.
5. Designate Security Champions and Embed Security Expertise:
Appoint security champions who are embedded within development teams to promote security awareness, facilitate knowledge sharing, and encourage best security practices. These folks don’t have to be on the security team, but they should be keeping security top of mind in all phases of API development.
If you are unsure whom to designate as your ‘security champion,’ consider the API product managers. This position often bridges the gap between security and development teams and should be responsible for owning the APIs and ensuring security requirements are met. It can also help you to treat your APIs as products, which will also help to minimize security issues later down the line.
6. Good Governance is a Must:
Establish strong API governance to define standards, policies, and procedures for API development, management, and security. Enforcing governance best practices throughout the API design lifecycle helps maintain consistency and ensures that APIs adhere to security best practices because they’re standardized.
A good governance program includes incorporating a style guide of some sort to standardize your API creation and keep your APIs consistent. It also means having good discoverability and visibility of the APIs you already have to understand better where security may be at risk.
“Having an inventory of all your APIs, understanding what they do, how they behave, who can access them, and under what conditions they can access them is really key. And the thing is, you need to have that security layer. But, you can’t do that unless you know what you have and then can put what you need in place,” shares Dan Barahona, founder of APIsec University and webinar panelist.
7. It’s all a Continuous Learning Opportunity:
There will always be more you can do for your security measures, but start small and learn from the initial security implementations. Our panelists have dealt with companies from small startups to Fortune 500s, but the most important thing to realize is that at every stage, you can do a little to improve your security practices. And as always, continuously improve security practices based on customer feedback, experiences, and lessons learned during the security integration process.
By following these best practices, security experts can help ensure that API security becomes an integral part of the development process and that APIs are built with robust security measures in place to protect against potential threats and vulnerabilities. In the end, focus on making security a net positive for developers by providing tools and processes to improve their experience and overall contribute to a more secure API ecosystem.
In addition to the best practices discussed here, the experts also recommended considering the OAuth framework and the FAPI (Financial-grade API) standard, which may provide opportunities for further exploration.
For more on API security, check out the following resources: